thomas486
08-23-2007, 09:35 AM
If I create a custom rule and set it to automatically quarantine/deny the specific process.
[ By creating a condition that triggers the rule, checking "Remember this answer" and pressing Quarantine as shown. ] ----(*)
http://www.sjc.edu.hk/~thomas486/ThreatFire/Remember%20no%20log.jpg
For those who are curious why "What happened?" is blanked in my screenshot:
I erased that description part with an image editor just for privacy reasons.
Moreover, the image does not relate to the rule I will mention below (++)
BUG:
After that, ThreatFire successfully quarantined/denied the process but failed to log it ( I could not find any log in the Protection log section for auto-denied/Quarantined items).
Moreover, nothing was found in Quarantine Section.
However, if I have not configured TF to auto-Quarantine as mentioned at (*)
and quarantine the process and relevant file
( i.e. just click Quarantine but not "Remember this answer"),
logs were recorded and files were quarantined.
One of the custom rules that is affected by this bug is ( other rules may be affected too, haven't tested yet ):
When an email program or web browser
tries to create|TriggerAccessFlags a file
named *.bat or *.exe or *.pif or *.rar or *.scr or *.vbs or *.zip|TriggerFiles
except when the source process is in the system process list
or the source process is in the trusted process list(++)
For reference only,
OS: Windows XP SP2 Home
My Security Set up:
as shown in my signature.
Comodo=Comodo Personal Firewall 2.4, with "component monitor" and "application behavior analysis" OFF
But I strongly believe the mentioned problem is not related to my security setup, as the configuration of these programs always remains the same in both conditions ( the faulty condition and the condition in which logging and quarantine functioned well ).
Note:
cyberhawk v2.0.4. has this “BUG” as well.