Hi, I started using CIS with AV + D+. Although I told D+ to look at more subjects than only Files plus Registry, it still keeps generating rules with only those two.
D+ monitors File / Registry and all direct access (Disk/Screen/Memory/Keyboard). After an intrusion of, say, the keyboard, it does not generate a rule for Keyboard Allow and Screen/Memory/Disk and File/Registry; instead it sets everything to allow except my Files and Registry.
I think generated rules should not depend on the defense mode you once started with, but on the current D+ settings.
This means when you start with the AV, you cannot grow into Pro-Active, because the newly generated rule after an intrusion is way more permitting than your D+ monitored items.
I have added a lot of registry keys in my rules set, and also changed the general protection of executables to a few specific directories, so I do not want to select Pro-Active, because I lose all my changes and additions.
Please allow users to ‘learn’ and grow into Active Defense by not basing the default rule on some hidden value; use the current guarded/monitored D+ settings.