- Dec 23, 2014
Yes, I found it (Ask User), but this is only for Certified applications, and the user will be alerted only for the suspicious applications (not for all applications). This feature is not for blocking the malware, but rather for avoiding blocking the legal applications. If you use Application Execution Control, you also need to use "Ask user" mode, because if you don't, it eventually will make a * in some of the key applications, for instance, Explorer, thus allowing all future processes started by Explorer. This will ruin the default/deny.
.
Anyway, I found one useful feature related to folders:
"Exclude existing files and any future files in this folder - This option will exclude all currently existing files in the folder as well as all future files. It is less safe than first option; however, it might be useful for users who often modify files."
.
The above can be used for whitelisting/blacklisting folders.
There is an option 'Make it denied' that will apply all SpyShelter rules to this folder (I think). This would work as default-deny for suspicious applications. Yet, if the malware can behave like the legal software, then SpyShelter HIPS (deny template) can be bypassed, so this kind of security is only close to default-deny. The alerts can be suppressed by ticking the option 'Auto-block suspicious behaviour'.
One should test such a setup to know how strong it can be.
.
Edit.
I think that the same thing can be done with Sandboxie (paid), by sandboxing disks or folders in a highly restricted sandbox.