Windows Messages Default Action setting is changed by CFP (V3.0.14 X32) [Fixed]

Suppose the Windows Messages Process Access Rights Default Action setting for a given process is set to Ask. When an alert is raised about a windows message being sent by the given process to another process, and the user chooses Allow and Remember, the firewall changes the Default Action setting for the process from Ask to Allow.

Version: V3.0.14.276
CPU: 32 bit
OS: Win XP SP2
Other security programs running: Returnil, NOD32
Defense+ Security Level: Paranoid Mode
Firewall Security Level: Custom Policy Mode

Issue still exists in v3.0.16.295.

Issue still exists in v3.0.18.309.

I confirmed this by doing the following:

  1. Set Windows Messages access rights to Ask with no allowed/blocked entries

  2. Launch Thunderbird

  3. Block and remember Alert for modify interface

  4. Windows Messages was still set to Ask and CSRSS.exe was added to the Blocked Applications

  5. Set Windows Messages access rights to Ask with no allowed/blocked entries

  6. Launch Thunderbird

  7. Allow and remember Alert for modify interface

  8. Windows Messages was set to Allow instead of CSRSS.exe being added to Allowed Applications



Issue still exists in v3.0.20.320.

Issue still exists in v3.0.21.329.

This bug report has been closed and is not going to be fixed. Here is egemen’s explanation:

“Windows messages, because of their frequency are handled specially by CFP. When
D+ alert is shown for a Windows Message, the parent application is granted the
full access rights rather than for a specific target.”

“This is to reduce the unnecessary D+ popups. So it has been left to security
experts to configure it manually if they want more control over windows


Thank you adric and egemen for your explanation :). Perhaps the wording in the Windows Message D+ alert could be changed so it’s clear this is the desired behavior and not a bug?