Why is there no warning when a program that is not on the whitelist is updated\modified?
I had to allow internet access for my audio player myself (i.e. it is not on the whitelist). I just allowed the requested connections and did not make it a trusted application. After replacing the exe with an older version with a different file size, there was no warning and a connection could be made without a problem.
It seems my question will not be answered, just like before.
What good does performing well in leak tests do when an updated\modified\replaced program is not even detected? I replaced this audio player with a registry cleaner that is not on the whitelist either. As expected it was able to check for updates, no questions asked. But when I ran the program from another location CPF did pop up the usual questions.
Conclusion, there are no or inadequate checks for programs after they have been given permission to access the internet. Any third-rate firewall can do this properly.
BTW, at the moment Defense+ is disabled, but that should not make a difference.
I hate to say it, but after enabling HIPS (train with safe mode) it is clear that this is not correct. Once a program has been granted permission (to run), without making it a trusted application, a replacement of the exe file is not detected. Not even when the replacement is not on the whitelist.
I have tested a bit more. This time with a program that is not on the whitelist, compressing it with UPX to get different file sizes. There was no warning about an update when running any of these versions.
It looks very much like, CPF: allow once, allow always.
AFAIK the file checking function of version two has been moved to defense+ module of v3. So with defense+ disabled you lose almost all outbound protection (correct me if I am wrong). But I saw somewhere in the forum that if there is a firewall rule for an app you will receive an alert if the app is modified even if defense+ is disabled. To confirm this try to make a permanent rule for your audio player (i.e. tick ‘remember’) and check again. I hope it works.
BTW for those who don’t like defense+ and want to use only the firewall mode with version2-like-behavior it has been stated that in a future update there will be such operating mode of cfp3.
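
The test sequence from this thread (approve a program, replace the exe in place, then run it from another location), replayed against a small model of an allow-rule store. This is an added example, not part of the original posts and not Comodo's code; `RuleStore`, `pin_hash` and the file names are hypothetical, and the file contents are constructed. It compares a rule keyed on path alone with one that also pins the SHA-256 recorded at approval time.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash the executable in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class RuleStore:
    """Hypothetical allow-rule store; pin_hash=False models 'allow once, allow always'."""
    def __init__(self, pin_hash):
        self.pin_hash = pin_hash
        self.rules = {}  # resolved path -> sha256 recorded at approval time

    def allow(self, path):
        self.rules[os.path.realpath(path)] = sha256_of(path)

    def check(self, path):
        """Return 'allow', 'ask' (no rule for this path) or 'modified'."""
        key = os.path.realpath(path)
        if key not in self.rules:
            return "ask"
        if self.pin_hash and self.rules[key] != sha256_of(path):
            return "modified"
        return "allow"

def demo():
    """Replay the thread's test: approve, replace in place, run from elsewhere."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "player.exe")
        other = os.path.join(d, "copy", "player.exe")
        os.mkdir(os.path.dirname(other))
        for pin in (False, True):
            with open(exe, "wb") as f:
                f.write(b"constructed original binary")
            store = RuleStore(pin_hash=pin)
            store.allow(exe)
            before = store.check(exe)
            # Swap the approved file for a different binary at the same path,
            # and drop a copy at a second location.
            for target in (exe, other):
                with open(target, "wb") as f:
                    f.write(b"constructed replacement binary, different size")
            results[pin] = (before, store.check(exe), store.check(other))
    return results

if __name__ == "__main__":
    print(demo())
```

With path-only rules the in-place replacement is allowed silently and only the relocated copy triggers a prompt, which matches what the posts report; with the hash pinned, the replacement is flagged as modified.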