I downloaded the HIPS and Firewall DLL Injection test from http://www.testmypcsecurity.com/securitytests/firehole.html. I ran firehole.exe to see what kind of warning I would get from CIS. In Safe mode, CIS gives no warnings, apparently because firehole.exe is now considered a Safe executable. Does it seem reasonable for it to be considered Safe?
I did an online lookup of firehole.exe from the Active Process List. The resulting lookup says firehole.exe is Safe and automatically added it to the Trusted Files list.
Screenshot of Online Lookup Results attached.
Thanks, Vaishnavi. I overlooked the “AV” in the forum title when I posted. If it makes any difference, I’m not using the AV – just the firewall and D+ in the Firewall Security configuration. By Safe Mode I mean D+ Safe Mode.
Thank you, FlorinG. I never installed the AV, but firehole.exe is now detected as malicious.
CIS now alerts me that firehole.exe is malicious and logs it as a malicious detection in the D+ events log. Online lookup from the Active Process List now flags it as Malicious instead of Safe.
CIS protected me. The issue seems to be resolved.
I removed firehole.exe from Trusted Files before running this last test, in which CIS detected it as malicious. I added it back to Trusted Files and now there is no detection. firehole.exe is allowed to do its thing. This is in Safe Mode with the sandbox completely disabled. Changing to Paranoid Mode seems to cause D+ to ignore the Trusted Files whitelist – as expected – and I get alerts. CIS protects me from erroneous whitelist entries only in Paranoid Mode.
That said, when I use D+ at all, I run it in Safe Mode without the sandbox. I use D+ for the information it supplies me from the cloud and about a program’s behavior, but I don’t rely on it to protect me from malware. I trust no new program, even if CIS says it’s Safe.
The firewall won’t block it, Ishaan. In this case, Firehole phones home by infecting my browser and making my trusted browser phone home for it. That’s the whole point of Firehole.