Unblock a blocked application from respective blocked component doesn't work.

Unblock a blocked application from respective blocked component doesn’t work property.

1. The full product and its version:
10.0.2.6346 - BETA

2. Your Operating System (32 or 64 bit) and ServicePack revision. and if using a virtual machine, which one:
WinXP SP3 on VirtualBox.

3. List all the configuration changes you did. Are you using Default configuration? If no, whats the difference?:
Proactive Security; HIPS - Safe Mode, block w/o alerts; Firewall - Custom Mode, block w/o alerts; Antivirus - Cumulative, move to Quarantine w/o alerts; Auto-Sandbox - OFF; Viruscope - OFF; Website filtering - OFF.

4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:
Uninstalled 10.0.1.6294, installed Beta then import previous configuration.

5. Other Security, Sandboxing or Utility Software Installed:
No.

6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step:
1: run any unrecognized app
2: unblock it
3: try to run it again

7. What actually happened when you carried out these steps:
App still is blocked.

8. What you expected to see or happen when you carried out these steps, and why (if not obvious):
App blocked by HIPS must be added as Trusted to Rating Files List not to HIPS rules.

9. Any other information:
After running unrecognized app, blocked list shows both apps, i.e. parent app too. It’s a bug.
After unblocking app, blocked by HIPS, only creating a rule in HIPS rules, similar to “Allowed”. It’s a bug.
Created rule doesn’t solve nothing, because app rating is not changed. On described configuration no needs of any rule, add app to Trusted list only.
After unblocking parent app, blocked by HIPS, also creating a rule in HIPS rules, similar to “Allowed”. It’s a big bug.
Parent app, in described configuration, already has rating “Trusted”, it doesn’t need any rule. Moreover, the parent app should not appear in the list of blocked files.

After running unrecognized app, blocked list shows both apps, i.e. parent app too. Parent app, in described configuration, already has rating "Trusted", it doesn't need any rule. Moreover, the parent app should not appear in the list of blocked files.

Because you set HIPS to automatically block requests without showing alerts, then parent app is being blocked from executing the unknown in which you would have received an alert to allow the execution. In proactive explorer is set to ask when it attempts to execute an unrecognized file, which increases user awareness that an unknown is about to be executed, proactive is consider the more advanced security config compared to others.

After unblocking app, blocked by HIPS, only creating a rule in HIPS rules, similar to "Allowed". After unblocking parent app, blocked by HIPS, also creating a rule in HIPS rules, similar to "Allowed"

More of a wish enhancement to change created rule to 'Windows System Applications'.

Created rule doesn't solve nothing, because app rating is not changed. On described configuration no needs of any rule, add app to Trusted list only

If you unblock only by the component, then changing the rating to trusted means it really gets unblocked from all components, thus overriding user selection to only unblock from the component it was blocked by.

I know how it works. But parent app having “Trusted” rating shouldn’t present in Blocked list to prevent ability of creating any rule for it, completely unnecessary.

Sorry, I couldn’t understand the meaning of this phrase.

Why? Firewall in ‘Custom Mode’ doesn’t use rating, Antivirus module is not considered because malware detection is separate theme.
One’s more: Created rule doesn’t solve nothing, because app rating is not changed, it still ‘Unrecognized’. Therefore it doesn’t work.
In addition, created rule exclude app from check for change in future.

Because in proactive config compared to Internet security config, explorer is set to ask for image execution and when HIPS is set to safe mode, will ask to allow executing an unrecognized application. But because it was blocked from executing an application by HIPS, it gets listed in unblock task.

Sorry, I couldn't understand the meaning of this phrase.

You want to change the HIPS rule that is set when you select unblock, currently it sets the rule similar to "allowed application" ruleset, you suggest it should create a rule similar to "Windows System Applications" ruleset. Correct?

Why? Firewall in 'Custom Mode' doesn't use rating, Antivirus module is not considered because malware detection is separate theme. One's more: Created rule doesn't solve nothing, because app rating is not changed, it still 'Unrecognized'. Therefore it doesn't work. In addition, created rule exclude app from check for change in future.

Unblock applications does not cover all configuration differences that a user might use. It is mostly for those who use the default safe mode. Antivirus ignores trusted rated files so if you choose unblock for single component and it also changes rating to trusted, then it really gets unblocked from AV (skip because rated trusted), firewall (in safe mode), HIPS (in safe mode), auto-containment (trusted do not get contained by default rules), VirusScope recognizer (ignores trusted rated). So that is why rating does not change when you choose to only unblock from selected components.

[b]In addition, created rule exclude app from check for change in future.[/b]

Exactly, if file gets updated and it changes rating to unrecognized, user expects to still be able to use application because they had already told CIS to unblock, thus rules are created for future changes. Otherwise you would have to keep changing the rating to trusted when hash changes and becomes unknown again, thus inconvenient for usability.

Nevertheless, the parent app should not be in blocked list. The reason was described earlier.

OK, I understood. No, I don’t want any additional rules in HIPS. It’s completely not necessary in ‘Safe Mode’.

(i.e. it’s another ‘bells and whistles’ unusable in most cases?) >:-D
Well, I know how modules works with trusted files…
However, the created rule for HIPS will only work in the ‘Internet Security’ configuration, where explorer.exe has ‘System Application’ permissions and explorer.exe as parent.
If you want really unblock app, you need also add appropriate permissions to parent app.

Rules for ignore changes must be created manually and most carefully otherwise application integrity control is lost. I can’t see inconvenient for usability here. Usability should not prejudge over security.

UPD.
Tested completely unblock:

Firewall Allow All Inbound/Outbound connections HIPS Allowed Application AutoSandbox Ignore Rating Trusted Scan Exclusions Excluded Path

Only I see here the redundancy of permissions?

Only reason parent application is listed under unblock is because you have do not show alerts block requests, if you disable that setting chose allow for explorer to execute an unknown, it would not be listed in unblock app.

Rules for ignore changes must be created manually and most carefully otherwise application integrity control is lost. I can't see inconvenient for usability here. Usability should not prejudge over security.

Then there would be no use for unblock if it only just changed the file rating without creating rules.

Overall unblock is targeted for non-advanced users or those that have configured CIS with the highest security settings. It is meant for average users who want to easily and quickly get their applications they want to use to work with CIS.

It’s a harmful and dangerous recommendation.

Then there would be no use for unblock if it only just changed the file rating without creating rules.

In 'Safe Mode' HIPS creating allowing rule for unrecognized app doesn't allow to run it but rating change do it.

Overall unblock is targeted for non-advanced users or those that have configured CIS with the highest security settings. It is meant for average users who want to easily and quickly get their applications they want to use to work with CIS.

Well, I already understood it. But the described situation, however, is a bug, because the function doesn't work, as stated, which will cause inexperienced users additional troubles. The efficiency of a function that is operable only with certain configuration is zero. The function must be adaptive.

If you don’t consider the described situation as a bug - I daren’t insist.