Quirky

CLOSED Folder monitoring exclusion still doesn't work


As in version 11, if I add a folder in the "Exclude from monitoring" list, all programs (.exe processes) that are inside that folder and its subfolders will still be reported as Monitored ('Yes') in the Protection/Behavior Blocker list.

 

The only way to *not* have all processes inside a single folder -and its subfolders- monitored is to add them one by one in the Exclude from monitoring list.

 

Folder exclusion seems to only work for scanning, not monitoring (same problem in v11).


Hi CBMan,

 

I did not fully understand your problem, but I could imagine that it is probably GUI-related and doesn't affect the real exclusion work.

If you exclude a folder of a program that is in Application Rules as "Monitored" and then you run that program, it will be excluded (correctly) from Behavior Alert (even if the Application Rules label marks it as "monitored"). Could you please confirm this?

 

Thank you,

Orlando


No, it's not UI-related. What you are describing (Behavior Alert? - this is not about alerts) seems different from what I'm reporting here. Firstly, let me say that I see no relation between the Behavior Blocker setting in the Application Rules, and the Monitored status in the Behavior Blocker window. They seem unrelated because there are many processes in the latter that are reported as Monitored (Yes) and they also have everything allowed in their respective Application Rule (Behavior Blocker/Firewall In/Firewall Out - All Allowed).

 

Back to this issue, here is an example. Let's say we have a folder named "My Program" inside Program Files and that this folder contains "myp1.exe" and "myp2.exe". If I go to Settings/Exclusions/Exclude from Monitoring and add myp1.exe and myp2.exe separately by using the "Add Program" button, then these processes will not be monitored after being restarted, which is correct (Monitored/No in the Behavior Blocker window)

 

Now, if I remove these two processes from the Exclusions and use the "Add folder" button to add the "My Program" folder to the exclusions, then these two processes will still be Monitored/Yes in the Behavior Blocker window - which basically means that folder exclusion doesn't do anything, at least in the Monitoring section (I think the Scanning folder exclusions work normally but this is about Monitoring exclusions).


My fault, I was referring to "Allow all"/"Custom" of Behavior Blocker in Application Rules. Thanks for clearing this up.

Apart from this, could you please try running an application inside an excluded folder and check if you encounter any Behavior Blocker alerts? This is because Exclusions always work on top of Application Rules and other modules, so the program will be ALWAYS allowed, and if it is not, then we would look for a possible bug. If it is allowed correctly, and if it is connected to Monitored/Yes/No, it is then GUI-related, as the real work of exclusions works properly.

 

Thanks,

Orlando


Ok, but I'm not sure how to try and trigger those alerts. I tried with a program that I thought could trigger them, deleted its application rule but not getting any alerts, whether its folder is excluded or not.


Ok, I replaced all of my single .exe exclusions with folder exclusions and report back if required but this is probably something you need to test internally. Please note that all these processes are now being reported as monitored ('Yes'), contrary to what happened before when they were excluded as individual processes.

 

I cannot tell for sure whether the real-time monitoring is actually taking place or not, I can only rely on what the UI reports.


Hi again,

 

Yes, we do these kinds of tests internally and we can't reproduce any problem related to the real work of exclusions, that's why I asked you if you could try to do so. Anyway, as I could see, the Monitor/Yes/No is just a visual/GUI label that is connected to modules like Behavior Blocker, so the application is managed there in that way. But as I said before, the Exclusion feature works at top, so it will prevail and work as expected.

To summarize: Application Rules or Behavior Blocker settings for fixed applications are managed by modules, but Exclusion will always overtake them, and it is just a visual discrepancy on a modular level.

 

Orlando


...could you please try running an application inside an excluded folder and check if you encounter any Behavior Blocker alerts? This is because Exclusions always work on top of Application Rules and other modules, so the program will be ALWAYS allowed, and if it is not, then we would look for a possible bug. If it is allowed correctly, and if it is connected to Monitored/Yes/No, it is then GUI-related, as the real work of exclusions works properly.

 

Ok, I think I've confirmed this, there are no Behavior alerts in this case. I switched folder exclusion on/off and managed to identify such alerts. Please fix the UI issue though since it reports the wrong status and we can't be sure on what's been monitored and what not.

 

Also, I think that while the new exclusion system is indeed simpler to use, it seems there is also less control over it? In the previous version there were three types of exclusions (in the form of tick-boxes), Scanning, File Guard and Behaviour (I could be wrong on the terminology), now there are only two (Scanning and Monitoring).

 

Can you please confirm this and let me know exactly what is being excluded in each of these two categories and how it relates to the previous versions' exclusion system? Thanks.


Ok, I think I've confirmed this, there are no Behavior alerts in this case. I switched folder exclusion on/off and managed to identify such alerts. Please fix the UI issue though since it reports the wrong status and we can't be sure on what's been monitored and what not.

 

If there are no alerts, then it is good. I will make a reminder for us. As I told you before, Exclusion is at top of modules, so the management of rules of programs in modules should not be affected by Exclusion. The only thing I can suggest here internally is to change the "No" value under Monitored to "No (exclusions)". For now, please check exclusions first of all, because they mainly decide to ALWAYS allow a program.

Also, I think that while the new exclusion system is indeed simpler to use, it seems there is also less control over it? In the previous version there were three types of exclusions (in the form of tick-boxes), Scanning, File Guard and Behaviour (I could be wrong on the terminology), now there are only two (Scanning and Monitoring).

We did not remove anything, we just improved our exclusion management. Control is the same, but we completely re-invented this system. This means that the four types of exclusions in V11 are still included in the new exclusion system, but now it is easier to manage.

 

Can you please confirm this and let me know exactly what is being excluded in each of these two categories and how it relates to the previous versions' exclusion system? Thanks.

 

Exclude from scanning (first) listbox excludes programs / files / folders from scans and File Guard (real-time) module. Exclude from monitoring (second) listbox excludes programs / files / folders from Behavior Blocker module.

 

Please let me know if it is not clear yet,

Orlando


The only thing I can suggest here internally is to change the "No" value under Monitored to "No (exclusions)". For now, please check exclusions first of all, because they mainly decide to ALWAYS allow a program.

 

Please remember that the UI wrongly reports "Yes", so it's not a mere matter of changing "No" to "No (exclusions)", but from "Yes" to "No" - or "No (exclusions)" which is even better.


This is because, as said, modules like Behavior Blocker work independently of Exclusion. I will suggest more integration between application management modules and exclusions. We will discard or approve and then work on this really soon.

 

Thanks for your feedback!

 

I would consider this case closed,

Orlando


This is because, as said, modules like Behavior Blocker work independently of Exclusion.

 

Ok, you got me a bit confused now. The difference here is not between how the Exclusions module and Behavior Blocker module work, but between Exclusion (single process) and Exclusion (folder).

 

Exclusion (single process) reports in the UI: Monitored (No) (correct)

Exclusion (folder) reports in the UI: Monitored (Yes) (wrong)

 

I would still consider this a bug, and definitely not a cosmetic issue unless the folder exclusion is supposed to do something different, other than to exclude ALL processes inside the excluded folder and subfolders.

 

Exclude from scanning (first) listbox excludes programs / files / folders from scans and File Guard (real-time) module.

 

Exactly, the new system (first listbox) now excludes BOTH scans AND File Guard. The previous version allowed a separate selection (Scans and/or File Guard). The new version seems a more "all or nothing" approach which I think is less secure. I hope this is reconsidered.


Exclusion (single process) reports in the UI: Monitored (No) (correct)

Exclusion (folder) reports in the UI: Monitored (Yes) (wrong)

 

This is the only thing I can see that is not normal. We will check this. As the correspondence shouldn't be, in any way. We will keep your feedback for future development.

 

Thank you,

Orlando

This topic is now closed to further replies.
