Rule for DeviceDisplayObjectProvider.exe?

Just curious… In ZoneAlarm, I was always being asked to allow DeviceDisplayObjectProvider.exe internet access, whenever I “safely removed” an external drive. In CIS, I don’t see any rule for DeviceDisplayObjectProvider.exe (for network access), and I don’t use any generic “system application” rule to allow internet access – yet I haven’t been asked to allow outgoing access for it. What am I missing here?

Are you running default firewall settings?
As this exe is ‘trusted’ (Signed by M$), it is allowed to access the Internet if it needs to download an icon for the type of device connected.

You can try to set ‘create rules for safe applications’ and then see if it turns up in the Firewall policy after connect/disconnect.

Nope, no default settings in Firewall area (especially not application rules for predefined groups) – it’s getting heavily customized. 8) That is a trusted file (in Defense+), but there is nothing about it in Firewall / application rules. I suppose I should get a popup or a log entry at least?

Perhaps you could post more details of the settings you’re using for the firewall. I get the alert without a rule having been created. I use Custom Policy Mode with Alerts on very high. All default firewall rules removed.

If firewall is in ‘custom policy’ it should not follow Trusted auto allow rules.
So yes if it tries to connect it should alert.

I have it on my policy, so somewhere it did alert on my system.

But I’m not sure if it connects to the internet every time you connect a device. I think it caches the images, and only loads for ‘new/unknown’ deviceIDs.

It does cache. You should find details of any device that’s been added in this way via Control Panel/Devices and Printers and also an entry in Device Manager.

Well, the firewall is on Custom policy, Alert settings are on Low, I have no generic application group rules (only per-application rules for now), except for System which is allowed to access and receive from local/trusted group (a few local IPs as well as localhost).
I checked the logs archives and saw that I was asked about DeviceDisplayObjectProvider.exe roughly two days ago, only once so far, and I never checked “remember rule”.

If a connection has already been made and the metadata updated, it shouldn’t need to connect again until something changes. Here’s something you can try:

Go to - C:\Users\Username\AppData\Local\Microsoft\Device Metadata

Move the contents of that folder to a temporary location, just in case ;D Then:

Open Control Panel/Devices and printers

Hopefully it will generate the alert, assuming that’s what you’re after…