Why is firehole.exe considered Safe?

Comodo Firewall 5.0.163652.1142

I downloaded the HIPS and Firewall DLL Injection test from http://www.testmypcsecurity.com/securitytests/firehole.html. I ran firehole.exe to see what kind of warning I would get from CIS. In Safe mode, CIS gives no warnings, apparently because firehole.exe is now considered a Safe executable. Does it seem reasonable for it to be considered Safe?

I did an online lookup of firehole.exe from the Active Process List. The resulting lookup says firehole.exe is Safe and automatically added it to the Trusted Files list.
Screenshot of Online Lookup Results attached.

Hi Alan,

Thanks for reporting. We will check this and get back to you.

Regards,
Vaishnavi.V.K

Thanks, Vaishnavi. I overlooked the “AV” in the forum title when I posted. If it makes any difference, I’m not using the AV – just the firewall and D+ in the Firewall Security configuration. By Safe Mode I mean D+ Safe Mode.

That's not related to AV by any means, because that's just a sample test tool. It should be alerted first by D+ for running, and if the user says yes to D+, the firewall should block its outgoin…

Hello Alan Baxter,

This issue should now be fixed. You can check with Virus Signature Database version 7329 and confirm it.

Best regards,
FlorinG

With AV database 7275, the Firehole exe and its dll are correctly intercepted (whereas on another partition, Avira 10 is silent).

Let us disable the AV to run the test, the sandbox itself is always disabled.

Defense+ correctly intercepts the access to the “malware” dll, its attempt to launch Firefox, and its attempt to run a global hook: passed.

The culprit is therefore only the sandbox whitelisting (another occasion to say that I have no confidence whatsoever in the sandbox, and it is the reason for it to be disabled).

Thank you, FlorinG. I never installed the AV, but firehole.exe is now detected as malicious.

CIS now alerts me that firehole.exe is malicious and logs it as a malicious detection in the D+ events log. Online lookup from the Active Process List now flags it as Malicious instead of Safe.
CIS protected me. The issue seems to be resolved.

I removed firehole.exe from Trusted Files before running this last test, in which CIS detected it as malicious. I added it back to Trusted Files and now there is no detection. firehole.exe is allowed to do its thing. This is in Safe Mode with the sandbox completely disabled. Changing to Paranoid Mode seems to cause D+ to ignore the Trusted Files whitelist – as expected – and I get alerts. CIS protects me from erroneous whitelist entries only in Paranoid Mode.

That said, when I use D+ at all, I run it in Safe Mode without the sandbox. I use D+ for the information it supplies me from the cloud and about a program’s behavior, but I don’t rely on it to protect me from malware. I trust no new program, even if CIS says it’s Safe.

The firewall won’t block it, Ishaan. In this case, Firehole phones home by infecting my browser and making my trusted browser phone home for it. That’s the whole point of Firehole.

Thanks for telling how Firehole works, I just thought it would connect to its home…
Via browser, yes, then it should be blocked by the AV itself…