Few questions about application rules.

[Maniak2000 1]

On default settings

1)  For unknown programs rule "Behaviour Blocker = custom, Firewall in = custom, Firewall out = All alllowed" is created,  and for trusted programs rule "Behaviour Blocker = All alllowed, Firewall in = All alllowed, Firewall out = All alllowed" is created,  is that correct?

2) Are application rules self-clean (meaning rule is deleted if the program doesn't exist anymore)?   If not, wouldn't large amount of "dead" rules  slow things down?

3) If the unknown program is started (and rule for unknown programs is created)  but after a while the program is declared safe \ trusted,  does the "old" (for unknown programs) rule get replaced by "new" (for trusted programs) one?

4)  Is there (or will there be) a way to "re-scan" application rules list in order to hide fully trusted files (that were previously unknown),  or is it automatic process?

[GT500 564]

7 hours ago, Maniak2000 said:

1)  For unknown programs rule "Behaviour Blocker = custom, Firewall in = custom, Firewall out = All alllowed" is created,  and for trusted programs rule "Behaviour Blocker = All alllowed, Firewall in = All alllowed, Firewall out = All alllowed" is created,  is that correct?

That sounds accurate. For untrusted programs, the only thing automatically allowed should be outbound traffic.

 

7 hours ago, Maniak2000 said:

2) Are application rules self-clean (meaning rule is deleted if the program doesn't exist anymore)? ...

Yes. Rules are not kept for programs that do not exist.

 

7 hours ago, Maniak2000 said:

3) If the unknown program is started (and rule for unknown programs is created)  but after a while the program is declared safe \ trusted,  does the "old" (for unknown programs) rule get replaced by "new" (for trusted programs) one?

In that scenario the existing rule would be modified to reflect the fact that the program is now "trusted".

 

7 hours ago, Maniak2000 said:

4)  Is there (or will there be) a way to "re-scan" application rules list in order to hide fully trusted files (that were previously unknown),  or is it automatic process?

Fully trusted programs are hidden automatically in the Application Rules list if the option to hide them is enabled. The list is updated on-the-fly, so it always hides applications considered "trusted" when the option is turned on.

[Maniak2000 1]

Why do I have a bunch of programs  with   "Behaviour Blocker = All allowed, Firewall in = custom, Firewall out = All alllowed" rule set?

Are they trusted programs? If so, why are they in the list (aren't they supposed to be hidden from the list)?

If they aren't trusted, why "Behaviour Blocker = All allowed"  rule is there?

It's a bit confusing.

[GT500 564]

The rules are that way because the programs were allowed when they performed some sort of behavior that our Behavior Blocker monitors. The firewall settings aren't necessarily changed when behavior is allowed.

[Quirky 6]

On 2/26/2017 at 6:44 AM, GT500 said:

On 2/25/2017 at 11:32 PM, Maniak2000 said:

2) Are application rules self-clean (meaning rule is deleted if the program doesn't exist anymore)?   If not, wouldn't large amount of "dead" rules  slow things down

 

On 2/26/2017 at 6:44 AM, GT500 said:

Yes. Rules are not kept for programs that do not exist.

About rule self-cleaning, I'd like to ask if this is also valid for scanning/monitoring exclusions. For example, if I've added a folder/file exclusion that it's no longer there (the excluded file or folder), would the exclusion be auto-removed at some point?

[GT500 564]

On 3/19/2017 at 10:17 AM, CBMman said:

... if I've added a folder/file exclusion that it's no longer there (the excluded file or folder), would the exclusion be auto-removed at some point?

No, exclusions are not automatically removed.