According to my test, new beta version has changed the priority of rule in programs’ Exclusions. Now the priority, “Allow”<“Block”.
I think, someone may think that it can get more safty. Maybe they are right. But I believe that there is just very little to enhance the safety. And on the contrary, it makes huge inconvenience to make Exclusions of rules.
For example, I block firefox.exe to create “.exe” in all of my partitions, but only my download folder. As before, I only need to make a rule in Exclusion of block, “*.exe”, and make a rule in Exclusion of Allow, “x:\download*”. That’s ok because with priority, “Allow” >“Block”.
But with new beta CIS, I cannot make rules easily. And what’s more, I don’t know how to make rules to accomplish my such purpose.
Or is it avaliable to add an option to let users choose the priority?
In 5.8beta, CIS firstly executes the rules in “block”, *exe; and then does the rules in “allow”. So go to my sample. When I download A.exe from a website by FF, now CIS execute the rules that blocks to create A.exe because the rule in “block” is *.exe. Now there is no chance to execute the rule in “allow”, “x:\download*”, so FF has no chance to create A.exe in x:\download.
But before 5.7 (including 5.7), CIS firstly execute the rules in “allow”. So FF can download A.exe in x:\download.
Now the problem which the 5.8beta makes is very huge because the change of priority makes some rules impossible.
For another example, I need x.exe cannot creat, modify and delete any file in x:, including subfolders, but x:\a\ and its subfolders.
With 5.7 and earlier version, it is very simple. the rules are follows, only two rules,
in x.exe’s exclusion “allow” rule, to create rule, “x:\a*”
in x.exe’s exclusion “block” rule, to create rule, “x:*”
But with 5.8, you have no idea to achieve it. The change of priority makes it impossible.