I’m using software (Firefox) that has a digital signature from a “Trusted Software Vendor” of mine, and I want to grant fewer permissions to the software without deleting that “Trusted Software Vendor”. But it seems the permissions are automatically granted shortly after I changed the permissions. Are there any ways to override “My Trusted Software Vendors” without deleting it?
Hi RichardGv
Have you tried un-checking the Defense+ option “Trust applications digitally signed by Trusted Software Vendors” (Defense+ - Advanced - Defense+ Settings)? I think this might help, but it would have a global impact (not just Mozilla).
I don’t want to do that! That would cause a lot of trouble if I want to install something new! No way except that?
It should be possible to edit the policies and set an explicit block permission (even using the modify button to fine-tune the override) even for safelisted/signed applications.
Oops, you are right, “Block” does the thing well. But “Ask” doesn’t work, and “Ask” is what I need. How do I make “Ask” work on a file with a digital signature?
The only option left would be to use D+ in paranoid mode without switching back to the other modes that make use of safelisted auto-learning.
This way it is possible to initially configure the policy for many applications in other modes and then apply additional changes in paranoid mode.
In paranoid mode it is still mentioned if an app is safelisted, so it would be possible to also create custom predefined policies and assign them to any application regardless of whether it is safelisted.
This way it is possible to choose how many additional alerts safelisted apps are going to trigger as soon as an alert is displayed.
Installing some new trusted application can be addressed using Treat as Installer or updater as usual, whereas it would be reasonable to not use that option for unknown applications.
Some members also prefer to temporarily switch to an alternate configuration with CleanPC mode enabled when they are installing new apps.
This will allow them to monitor what files are created during an installation (in CleanPC mode the pending file list is updated automatically and lists all unknown/non-safelisted files).
As policy changes and settings are stored in the active configuration, switching configurations will not retain policy changes and in those cases it is only meant to have the installers work seamlessly.
OK, it’s working under Paranoid Mode. Thanks a million.