“Run an executable” configuration isn’t functioning.
“Remember my answer” check box is off, “Allow this request” is on and “OK”.
But even if I’m going to get the same behavior next time, an alert isn’t indicated, and execution is permitted.
There were no problems with the previous version 3.0.15.277.
OS: Vista 32 bit
Version: 3.0.16.295
Defense+ Security Level: Paranoid Mode (Image Execution Control Level: Normal)
I can confirm that in part: the execution permissions you assign to a process without “Remember my answer” box checked are remembered, as long as the process exists. When the process is restarted, they are reset. You can also reset them while the process is running, by opening the Computer Security Policy window and pressing “Apply” there.
I tried a clean install, but the problem wasn’t fixed.
For example, notepad.exe will be executed from a desktop shortcut.
Explorer.exe is trying to launch notepad.exe, and when a rule doesn’t exist,
an alert of Defense+ should be indicated certainly.
But an alert is indicated only the first time in v3.0.16.295.
When it’s started again after closing notepad.exe, execution is permitted without alert.
In case of v3.0.15, an alert is indicated certainly.
The behaviour you described is exactly like the developers meant in many CFP versions.
At one time I read they wanted to change that behaviour but I cannot find that post anymore.
To make it short, there is only one test you need to do.
You must use task manager to kill explorer.exe and then reload it. If you didn’t mark notepad execution permission to be remembered you will get an alert.
That is, CFP execution permissions are bound to the parent executable (e.g. explorer.exe) and V3 will remember them until explorer.exe is closed.
As explorer.exe is one of the few processes that usually isn’t closed until a reboot (or logoff) occurs, this behaviour may be perceived differently if applied to other processes.
This is the default behaviour as there is no “allow only once” option.
Allow does mean “Allow until the process is closed (killed)”.