- Dec 25, 2017
Even the settings that block all unsigned processes in appdata could probably be enabled by most users, but only if the user is ready to disable OSA when installing and updating programs. Otherwise, he will be very frustrated.
This IS a very important thing that Joe/Jane will encounter. I was installing an app (Zoek) and forgot to turn OSA off. (I was only running OSA as a security app at the time to ensure other SecApps were not interfering.)
OSA (running on default settings) blocked the app, but that caused some windows errors and a loop that took me a bit to figure out. Average Joe/Jane would be quite frustrated and likely blame it on OSA.
I am sure that some of the default rules will cause such problems with other progs - particularly when installing.
In this case the program was Zoek (a useful tool for advanced users, but dangerous in the hands of newbies).
Here are the first two Log entries:
Date/Time: 1/9/2018 12:49:41 AM
Rule Name: Block execution of .hta scripts
Command Line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\David\AppData\Local\Temp\zoek.hta"
Date/Time: 1/9/2018 12:49:43 AM
Rule Name: Block execution of suspicious command-line strings
Command Line: reg.exe add "HKEY_CLASSES_ROOT\.hta" /f