umbrapolaris said:
Your settings are correct. A piece of advice: uncheck "Automatically trust files from trusted installers"; some vendors in the whitelist are not so white ^^
Sorry for the late reply, I've been out of town...
This setting is very misunderstood... It really has little to do with the whitelist... For longtime CIS users, this is the new incarnation of the extinct Installation Mode.
Like Installation Mode, what this setting actually does is to stop CIS from giving you multiple alerts or possible sandboxing of child processes spawned by an installer. It is not giving permissions for installers to run if they are whitelisted! It is only telling CIS to be quiet during installation...
Standard D+ protection still applies with this setting enabled. If a user instantiates an installer, all is well. (You will still be alerted if your settings require all processes to ask your permission) If an application tries to start an installer, you will get an alert.
Trusted installers can mean either installers on the whitelist or an installer the user has given rights to run. If you allow the installer to run, you've just considered it trusted.
With this setting disabled, whether the installer is whitelisted or not, if the installer attempts to spawn a child process, this process will be intercepted by CIS. Depending on your settings, it will either give you an alert asking if you wish the process to be allowed, or if the process is unrecognized, it will be automatically sandboxed, which could cause the installation to fail.
If this setting is enabled, the minimum alert you may get is D+ asking if the installer is allowed to run. (Depending on your settings, you may not see this initial alert.) Once the installation process begins, every process the installer utilizes will be allowed with no user interaction.
I'm really not sure why anyone would choose to disable this setting because you're only asking for problems. Even if your security settings are such that D+ will ask you if you want the installer to run, unless you're the type of idiot that just clicks allow on every alert, you purposefully chose to install this application! Why not allow the installer to do its thing unimpeded? If you are the least bit unsure about the installer, you shouldn't be installing it! Instead, running the installer in a Virtual Machine or Sandboxing application would have been a better choice.
My recommendation is to leave "Automatically trust files from trusted installers" and "Automatically detect installers/updaters and run them outside the sandbox" enabled.
Also, the exclusions under the Execution Control Settings are only excluding those processes from buffer overflow protection. It has no impact on whether or not a process is sandboxed.
If an application is continually being sandboxed, it is because the application is changing in some way. CIS recognizes files by their file hash, so if there are any changes, CIS will no longer recognize the file. There are numerous reasons a file could be constantly changing, so I don't know specifically what is going on with Steganos. The current workaround for files that do this is to give them the Installer or Updater security policy.
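An added example, not part of the original post and not CIS code: one way to confirm that a program's files really are changing between runs is to record their digests and compare them on the next run. SHA-256, the JSON baseline file and the file name `app.exe` are assumptions; the post does not say which hash CIS uses.

```python
import hashlib, json, os, tempfile

def file_digest(path, chunk=65536):
    """Stream the file through SHA-256 so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_drift(paths, baseline_file):
    """Compare each file with the digest recorded on the previous run.

    Returns {path: "new" | "unchanged" | "changed" | "missing"} and rewrites the baseline.
    """
    try:
        with open(baseline_file) as f:
            baseline = json.load(f)
    except FileNotFoundError:
        baseline = {}
    report = {}
    for p in paths:
        if not os.path.isfile(p):
            report[p] = "missing"
            continue
        digest = file_digest(p)
        old = baseline.get(p)
        report[p] = "new" if old is None else ("unchanged" if old == digest else "changed")
        baseline[p] = digest
    with open(baseline_file, "w") as f:
        json.dump(baseline, f, indent=2)
    return report

def demo():
    """Constructed sample: a stand-in executable that is modified between checks."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "app.exe")        # hypothetical file name
        base = os.path.join(d, "baseline.json")
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)       # constructed content, not a real binary
        first = check_drift([exe], base)[exe]
        second = check_drift([exe], base)[exe]
        with open(exe, "ab") as f:              # one appended byte changes the digest
            f.write(b"\x01")
        third = check_drift([exe], base)[exe]
        return [first, second, third]

if __name__ == "__main__":
    print(demo())
```

Run it against the program's executables before and after launching the application; any file reported as "changed" is one a hash-based recognizer would no longer match.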