Every file that I download from the web or save from my email is a file that I intentionally want to run. If I don’t intend to run it, I will not save it and it will never reach VS in the first place.Not for most files executed by the user. The users often execute the files that are several weeks/months on VT.
I agree (mostly). So, you can make it easier and simply instruct the user to run the file if it was started intentionally and block otherwise.
I believe there is a naming convention for these files, am I wrong?
This golden rule creates - very simple and dangerous algorithm. Everything gets divided in 2 groups - the “I wanna run it, cuz I just downloaded it” group and “I don’t wanna run it cuz I was watching a movie and it appeared”...
All malware will fall into the first group, while some legit programs, upon downloading an update will go to the second one. More intelligence is needed here than this rule.
Imagine your hard configurator had an auto-update component running via a service. You have discovered critical bug somewhere in the settings and you try to push me an update while I am looking to buy sunglasses. Suddenly I see something popping up and I apply this rule. Do I intend to run it? No, I don’t. I have configured my Windows once, why will I run this software again? I block your update and the bug remains.
File can popup out of the blue only if dropped or downloaded by malware. If you instruct the user clearly, you will eliminate the root cause and nothing will be dropped/downloaded.
By telling me “run it if you intend to run it” what good are you doing to me? That’s what Everyone will do without any advise as well... what benefit does VS bring in this case? You are still not protecting me against social engineering which is known to be the best malware gateway... why am I paying you?
Last edited by a moderator: