This is a request to implement a new category named “My own unsafe files” in opposition to the category “My own safe files”. The new category is supposed to have higher privilege than “My own safe files”.
The purpose of “My own unsafe files” is supposed to be to force Defense+ in Safe/CleanPC mode to treat safe files as unknown files, hence preventing autolearning of the activities of these files.
Basic logic of operation of “My own unsafe files” when Defense+ is in Safe mode:
During file execution Defense+ checks if the executable is safe. If so, Defense+ checks the “My own unsafe files” list to see if the executable in question is present there. If the file is in the list, then Defense+ treats it as unknown, even though it is signed by a trusted vendor or is in the “My own safe files” list.
Why Defense+ (and CIS) would benefit if such feature would be implemented.
User-friendliness would increase significantly, because currently Defense+ does not provide a compromise: either a bunch of alerts in Paranoid mode, or an uncontrollable (in terms of restriction) whitelist in Safe/CleanPC mode.
“My own unsafe files” could be such compromise.
As a result number of CIS users could increase (significantly).
Moreover, such a feature allows preserving all initial engineering decisions for Safe/CleanPC mode because:
it is completely autonomous (could be removed from Defense+ at any time if found inappropriate);
it is an optional feature, which should be enabled by a user manually, otherwise current Safe/CleanPC mode would not be altered in any way, hence all users that are happy with current Safe/CleanPC mode would not be affected.
P.S.: Almost same suggestion here.
P.S.2: Moderators, please don't move this thread to the Wishlist board, at least currently.
I like to vote so I picked “This feature could be useful.”… Sounds like something for advanced users… But if you are going to start something “suspicious” and you are afraid/know it's white-listed and want to make sure you get the option to customize the rules for this application then there’s always an option to switch to paranoid for a short time… All current rules are still there, so you will probably not get an ass-load of popups from CIS about what's already running if you had CIS for a while and can make sure you get to control this one/two applications the way you want to… 8) :-TU
Not saying it's a bad idea but there seem to be ways to achieve this… If I understood you correctly…
Never mind the achieve thing… English is not my native language either. :-TU What I was trying to say is that I don’t think this enhancement is extremely necessary and it seems mostly aimed at advanced users in safe mode but yeah it could make some tasks easier for some. That’s why I vote “This feature could be useful.”. Since I believe it could be useful to some…
Real examples are (my candidates for “My own unsafe files” list):
* cmd.exe; to prevent malicious batch scripts from destroying the system if I accidentally launch one of them from Windows Explorer (see this thread for more details);
* services.exe; to prevent third party (and malicious) drivers being loaded silently by D+ (see this thread and linked posts there). ??? I'm sure that was the case previously, but my recent tests disprove this; now D+ in safe mode displays alerts for drivers being loaded by services.exe if the .sys file is not in the whitelist…
In order to not sacrifice protection against mentioned threats one is forced to struggle with Paranoid mode. If there would be “My own unsafe files” these problems could be solved rather elegantly.
I usually like enhancements that help improve interception against “real threats”… But looks like the main reason for this is lost if your testing is correct…? ;D And that other reason seems to be getting fixed (at least to some extent) in version 4… But yeah, “This feature could be useful” for advanced users who like something in-between safe and paranoid mode…
CIS assumes that safe applications are always safe. Who is to know that there is not some safe application that, when you download some macro, codec, addon etc, suddenly becomes dangerous. The assumption is that it will always download a new exe to do its dirty work which CIS will block but does this have to be true?
I would be happier if I got an alert for any application, assumed safe or otherwise, that tries to load a driver or do direct disk access. This would lead to very few additional alerts but give greater peace of mind. At the moment this can only be done with paranoid mode which I cannot use. The problem at the moment is lack of choice. You can block whatever you want but you cannot force a pop-up for just certain things.
As for the driver loading alert: it will be consistent once they fix the autolearning issue. I will write about it later. Here is a related post.
As for direct disk access, I agree that could be very useful in some cases.
I was wrong. Issue with services.exe remains in Safe mode. See this post.
…And my request in first post is fully valid again. I want to run usable Defense+ (Safe or CleanPC mode), but to guard config from unpredictable autolearning.
I guess your suggestion is a consequence of a wrong decision in CIS design.
I use safe mode for Defense+ and, unhappily, it allows almost everything, including those things that aren’t required for certain applications. This gives too much unnecessary power to an application!
I really prefer to see a pop-up telling me that the application is safe or digitally signed but asking me what to do than to learn app behavior without a prompt! I don’t feel in control, and safe apps can do unsafe things…
Nope. Scenario #2 is buggy behavior (I updated that post): D+ tries to trigger an alert for “services.exe is trying to load driver”, but fails due to a bug…and autolearns ;D
Scenario #1 and #2 should provide the SAME results because what we do is merely add an executable to the whitelist, but in different ways.
I don't think there is a wrong decision in the design. I would say a design improvement is needed: a compromise between full Paranoid and full Safe\CleanPC modes.