Author Topic: Can I check my white list? (5 more questions)  (Read 23873 times)

Offline Hyerin Hong

  • Newbie
  • *
  • Posts: 2
  • Kudos +0/-0
Can I check my white list? (5 more questions)
« on: February 03, 2016, 12:13:28 PM »
Hi .
I installed SAP last Monday. After making initial white list, I want to delete multiple files from 'Trusted application'.
I saw all post of 'Support' board. There is only "Right click and change trust level" method to update their trust level individually.

So there is first question.
1. Is there any other way can show all trusted Application (or Trusted Installer or not trusted) like 'Trusted certificate" ?


And other questions are just wondering.

2. When the trusted certificates are added automatically?
Is there initial trusted certificates?
I guess SAP analysis all files's certificates and added while the 'Complete scan' were on.
Is it right?


3. How can you guess "This process seems to be performing installation." ?
Sometimes agent can catch it seems to being installer but sometimes not.


4. Where is Quarantined files are moved to ?
And they will be denied to execute?
I can't test exactly.
Because I don't have viral file can execute.


5. When files are elevated to 2 level from 1 ?
When I view log, there are many files are elevated 1->2 .
And is it temporal or permanent change?


6. How do you handle Window update?
I saw some question about Microsoft Store.
And you reply you allow window updates. don't you?
And that case was deleting all trusted list.
As I understand, then no files can execute.
There are any white list hidden and fixed?


I'm sorry for bothering you.
Thank you.

Offline hendy

  • SecureAPlus Developer
  • Sr. Member
  • *****
  • Posts: 351
  • Kudos +16/-0
Re: Can I check my white list? (5 more questions)
« Reply #1 on: February 03, 2016, 12:35:56 PM »
Hi,

1. To display all, you can right click on the drive letter in Windows Explorer, and choose "Show All Trust Level". Currently it is read-only, but we are planning to make it editable in the future.


2. You are right, during initial full system scan, or whenever a file is trusted, the certificate that corresponding to the file will be automatically added to the trusted certificate list.

3. To understand this, first we have to understand the different between trusted application and trusted installer. All executable files created by a trusted installer will be automatically trusted without any prompting. When a trusted application starts to create an executable file, SAP will offer the user whether they want to promote it to a trusted installer, so that everything that it creates will be automatically trusted.

4. The quarantine files are stored encrypted in a certain location. Since it is encrypted, the files can no longer run.

5. Those are temporary elevation. During run-time, the process will inherit the trust of the parent process (temporarily).

6. We have analyzed how Windows Update works, and set all the necessary files to be a trusted installer to allow Windows Update to perform.

Offline Hyerin Hong

  • Newbie
  • *
  • Posts: 2
  • Kudos +0/-0
Re: Can I check my white list? (5 more questions)
« Reply #2 on: February 03, 2016, 12:46:42 PM »
Thank you for reply.

About 6th question, we can't delete trusted installer for window updates ?


And I change the mode "trust all" in 5 minutes.
I run 5 application in this 5 minute. Then these applications are added to trusted application?


Thank you :)

Offline hendy

  • SecureAPlus Developer
  • Sr. Member
  • *****
  • Posts: 351
  • Kudos +16/-0
Re: Can I check my white list? (5 more questions)
« Reply #3 on: February 03, 2016, 01:48:33 PM »
You can change the trust level. You have to be careful, so that you don't accidentally untrust critical OS files. It may resulting to the Operating System not be able to boot up any more.

For trust all mode, you are right. All files that run within these 5 minutes period will be automatically set to trusted.
« Last Edit: February 03, 2016, 02:18:39 PM by hendy »