I just want to know if this is a bug or is intentional:
I made a .bat in C:\Program Files.. and put this file in “Trusted Files” (no rule in Defense+, which is in “Safe Mode”); today I modified the .bat and Defense+ warned me on its launch, but the file is still in “Trusted Files” and I didn’t modify its path or filename!
Restoring a previous version of the file and deleting its rule from Defense+ doesn’t trigger any alert.
Since Defense+ uses file hash to recognize a file, when a file has changed it will no longer be recognized even if it was previously in your trusted files list. This is intended behavior.

If CIS didn’t do this, you would be at risk if malware altered one of your trusted files.

Thank you.
It’s surely a good thing, but don’t you think it would be better if some tag like ‘modified’ were displayed on the file? It causes some confusion…
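
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not CIS code: a trust list keyed by content hash stops recognizing an edited file, recognizes it again once the old contents are restored, and can report the in-between state as "modified" if it also remembers the path. The `TrustedFiles` class, the use of SHA-256, the status names and the sample .bat contents are all assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash file contents in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class TrustedFiles:
    """Hypothetical trust list: the content hash decides, the path is only a label."""
    def __init__(self):
        self._hashes = set()   # hashes of contents the user trusted
        self._paths = {}       # normalised path -> hash recorded at trust time

    def trust(self, path):
        digest = sha256_of(path)
        self._hashes.add(digest)
        self._paths[os.path.normcase(os.path.abspath(path))] = digest

    def status(self, path):
        if sha256_of(path) in self._hashes:
            return "trusted"
        if os.path.normcase(os.path.abspath(path)) in self._paths:
            return "modified"  # listed path, but contents no longer match
        return "unknown"

def demo():
    """Constructed scenario: trust a .bat, edit it, then restore the old contents."""
    results = []
    original = b"@echo off\r\necho backup\r\n"  # constructed sample contents
    with tempfile.TemporaryDirectory() as d:
        bat = os.path.join(d, "task.bat")
        trusted = TrustedFiles()
        for step, contents in enumerate(
                [original, original + b"echo extra step\r\n", original]):
            with open(bat, "wb") as f:
                f.write(contents)
            if step == 0:
                trusted.trust(bat)
            results.append(trusted.status(bat))
    return results

if __name__ == "__main__":
    print(demo())
```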