updated exe not detected

Why is there no warning when a program that is not on the whitelist is updated/modified?

I had to allow internet access for my audio player myself (i.e. it is not on the whitelist). I just allowed the requested connections and did not make it a trusted application. After replacing the exe with an older version with a different file size, there was no warning and a connection could be made without a problem.

That can’t be right, or can it?

Hi Toxteth, how’s the bogey? ;D

What is the audio player you're using? I'll give it a shot.

After all this time it is still doing fine. (:LGH)

I have reported this before; it could just be that I am doing something wrong.

But if you want to give it a try:

I have uploaded an older version (for testing\comparing) here:

Tried that and had the same outcome as you.

Here’s the list in the custom section of Defense +

Think we need some info from someone who knows what they’re doing!

[attachment deleted by admin]
It seems my question will not be answered, just like before.

What good does performing well in a leak test do when an updated/modified/replaced program is not even detected? I replaced this audio player with a registry cleaner that is not on the whitelist either. As expected, it was able to check for updates, no questions asked. But when I ran the program from another location, CPF did pop up the usual questions.

Conclusion: there are no or inadequate checks for programs after they have been given permission to access the internet. Any third-rate firewall can do this properly.

BTW, at the moment Defense+ is disabled, but that should not make a difference.

Yes it will. Defense+ disabled means no file checking or anything else; all you have, depending on where you have set Network Defence and alert settings, is just a simple firewall.

Too simple, for an “industrial strength firewall”, if you ask me. Detecting these modifications has nothing to do with HIPS.

I hate to say it, but after enabling HIPS (train with safe mode) it is clear that this is not correct. Once a program has been granted permission (to run), without making it a trusted application, a replacement of the exe file is not detected. Not even when the replacement is not on the whitelist.

From what I remember you should have an alert that process (xyz) is trying to replace a file in folder (xyz).
EDIT: Would one of the moderators please post a correct explanation if I am wrong.

That would mean it is impossible to disable Defense+, because the firewall itself can't do the job properly.

I have tested a bit more. This time with a program that is not on the whitelist, compressing it with UPX to get different file sizes. There was no warning about an update when running any of these versions.

It looks very much like CPF: allow once, allow always.

AFAIK the file checking function of version 2 has been moved to the Defense+ module of v3. So with Defense+ disabled you lose almost all outbound protection (correct me if I am wrong). But I saw somewhere in the forum that if there is a firewall rule for an app you will receive an alert if the app is modified even if Defense+ is disabled. To confirm this, try to make a permanent rule for your audio player (i.e. tick 'remember') and check again. I hope it works.
BTW, for those who don't like Defense+ and want to use only the firewall mode with version-2-like behavior, it has been stated that in a future update there will be such an operating mode of CFP3.
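The thread is really about one design question: when a firewall rule is granted to a path, is the rule bound to the path alone, or to the content of the executable that was there when the rule was created? The following is an added example (not code from this thread or from Comodo's product) that models both behaviours: a rule table that stores a SHA-256 of the executable at grant time and re-checks it on every decision, beside the weaker size-only check that the UPX experiment above was probing. The `RuleStore` class, the `demo()` scenario and the byte strings standing in for executables are all constructed for this illustration.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for executables (not real binaries).
# ORIGINAL_EXE and SAME_SIZE_SWAP are deliberately the same length (83 bytes)
# so that a size-only comparison cannot tell them apart.
ORIGINAL_EXE = b"MZ" + b"audio player v2.0" + b"\x00" * 64
OLDER_EXE = b"MZ" + b"audio player v1.5" + b"\x00" * 32
SAME_SIZE_SWAP = b"MZ" + b"audio player v2.0" + b"\x00" * 63 + b"\x01"


def fingerprint(path):
    """Return (size_in_bytes, sha256_hexdigest) for the file at path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


class RuleStore:
    """Rule table that binds each 'allow' rule to the executable's content hash."""

    def __init__(self):
        self.rules = {}  # path -> (size, sha256) recorded when the rule was granted

    def allow(self, path):
        """Grant a permanent rule for path, remembering what the file looked like."""
        self.rules[path] = fingerprint(path)

    def decide(self, path):
        """Return 'allow', 'prompt-unknown' (no rule) or 'prompt-modified' (hash changed)."""
        if path not in self.rules:
            return "prompt-unknown"
        _, digest = fingerprint(path)
        _, stored_digest = self.rules[path]
        if digest != stored_digest:
            return "prompt-modified"
        return "allow"


def size_only_decide(store, path):
    """Weaker variant: only the file size is compared against the stored rule."""
    if path not in store.rules:
        return "prompt-unknown"
    if os.path.getsize(path) != store.rules[path][0]:
        return "prompt-modified"
    return "allow"


def demo():
    """Replay the thread's experiment: grant a rule, then replace the exe in place."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "player.exe")
        store = RuleStore()

        with open(exe, "wb") as f:
            f.write(ORIGINAL_EXE)
        store.allow(exe)
        results["original"] = (store.decide(exe), size_only_decide(store, exe))

        # Replace with an older build of a different size: both checks notice.
        with open(exe, "wb") as f:
            f.write(OLDER_EXE)
        results["older_version"] = (store.decide(exe), size_only_decide(store, exe))

        # Replace with a same-size file: only the hash-bound rule notices.
        with open(exe, "wb") as f:
            f.write(SAME_SIZE_SWAP)
        results["same_size_swap"] = (store.decide(exe), size_only_decide(store, exe))

        # Running the program from another location: no rule, so a prompt is raised.
        results["other_location"] = store.decide(os.path.join(tmp, "copy", "player.exe"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The point of the comparison is that the behaviour reported in the thread (a replaced exe runs under the old rule, while the same program from another path is prompted for) is exactly what a path-only rule table produces; binding the rule to a content hash, as `RuleStore.decide` does, is the check that turns a replacement into a "modified" prompt regardless of whether the size changed.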