B-have Exclusion Rules. How To?
Hi Guys,
I am interested in "B-HAVE" behaviour regarding excluding processes from monitoring.
First, is there any source of info I can read, like a Help file or on-line tutorial, which explains that?
Can anybody please point out where such reading can be found?
What I am interested in in particular:
- Can the exclusion manage things like parent and child processes (main EXE invoking other executables / DLLs etc.)?
- Or do I need to know what all those child processes are and add them one by one into the exclusion list?
That may be difficult. We may not know all of them straight away.
Thank you in advance
Comments
If you are actually referring to the "Behavioral Scanner" part of the real-time protection, you can either "Allow" the application if you know it when the alert appears, or you can manually add it by clicking the "+" button in "Excluded Applications". Processes will be analyzed if they are not in the list (it doesn't matter if the parent process is allowed).
For help you can simply press "Help" in the security center or use the online version of the product documentation (please check this post: /index.php?/topic/12273-bitdefender-offline-installation/#comment-52273).
Just curious: what kind of application launches other processes with names that you cannot determine in advance?
..... Processes will be analyzed if they are not in the list (doesn't matter if the parent process is allowed).
....
Just curious what kind of application launches other processes with names that you cannot previously determine?
Hi Corneliu,
Thank you for reply.
The first part and the approach are understandable (how it is implemented).
So I have to add anything I want, EXEs / DLLs / OCXs etc., any executable I want, into that list.
I hope I got it right.
As for the second part... well, sure, eventually I can get all the needed child processes, it is just not easy for everybody.
A few examples:
1) At one stage (fixed now) some security software crashed as soon as you started the Miro media player. It was established that the main module was not involved. The advice was: add the DLLs belonging to Miro. That helped indeed as a workaround until the fix came. But there are 226 DLLs in different directories which Miro can make active at any time. Plus, DLLs and other EXEs do not necessarily reside in the parent's directory... you go searching in \windows\...\system32\ etc.
2) There are applications which will copy the needed module into a temporary location in order to work.
Interestingly enough, that will never be the same subfolder under \Temp\ or whatever is set in the system environment for that... go figure!
3) There are applications that create EXEs dynamically if they don't exist... go figure again.
You may argue, but in my opinion, if such management is not implemented it is very hard for an ordinary user to completely isolate the needed application from being controlled by behavioural analysis.
I am not a computer gamer at all, but here is another example:
What do gamers do in such a situation? They would shut down the real-time module and go crazy playing online, leaving their PC vulnerable. What's the point of having this layer of security in this case?
My regards
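Since the exclusion list is per process and is not inherited by child processes, the practical question raised above is how to find out which executables and DLLs an application actually brings into play. The PowerShell function below is an added example and not Bitdefender's code or anything from the product documentation: it walks the running process tree of a named application (root plus every descendant, via Win32_Process.ParentProcessId) and collects the modules each process currently has mapped, then flags which paths live outside the application's own folder. The root name 'Miro.exe' and the output file name are assumptions for illustration.

```powershell
# Added example (not Bitdefender's code). Enumerates a running application's
# process tree and the EXE/DLL modules loaded by each process, producing a
# de-duplicated candidate list for a per-process exclusion list.
# Run it while the application is actually in use, because modules are
# loaded on demand; run elevated to read modules of processes you don't own.
function Get-ProcessTreeModules {
    param(
        [Parameter(Mandatory)] [string] $RootName   # assumed, e.g. 'Miro.exe'
    )

    # Win32_Process exposes ParentProcessId, which Get-Process does not.
    $all   = Get-CimInstance -ClassName Win32_Process
    $roots = @($all | Where-Object { $_.Name -ieq $RootName })
    if ($roots.Count -eq 0) { throw "No running process named '$RootName'." }

    # Breadth-first walk down ParentProcessId to collect every descendant.
    $tree  = [System.Collections.Generic.List[object]]::new()
    $queue = [System.Collections.Generic.Queue[object]]::new()
    foreach ($r in $roots) { $queue.Enqueue($r) }
    while ($queue.Count -gt 0) {
        $p = $queue.Dequeue()
        $tree.Add($p)
        foreach ($c in ($all | Where-Object { $_.ParentProcessId -eq $p.ProcessId })) {
            $queue.Enqueue($c)
        }
    }

    # Collect each process image plus every module mapped into it right now.
    $paths = [System.Collections.Generic.HashSet[string]]::new(
                 [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($p in $tree) {
        if ($p.ExecutablePath) { [void]$paths.Add($p.ExecutablePath) }
        try {
            foreach ($m in (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules) {
                if ($m.FileName) { [void]$paths.Add($m.FileName) }
            }
        } catch {
            # Access denied (different user / bitness) is common; report, don't abort.
            Write-Warning "Could not read modules of PID $($p.ProcessId) ($($p.Name)): $_"
        }
    }

    # Modules outside the application's own folder (System32, %TEMP%, ...) are
    # either OS components or transient copies; flag them for manual review
    # rather than excluding them blindly.
    $appDir = if ($roots[0].ExecutablePath) { Split-Path -Parent $roots[0].ExecutablePath } else { '' }
    $paths | Sort-Object | ForEach-Object {
        [pscustomobject]@{
            Path     = $_
            InAppDir = ($appDir -ne '') -and
                       $_.StartsWith($appDir, [System.StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# Usage: review the full list, then keep only the application's own files as
# the starting exclusion list (file name is an assumption).
Get-ProcessTreeModules -RootName 'Miro.exe' | Format-Table -AutoSize
(Get-ProcessTreeModules -RootName 'Miro.exe' | Where-Object InAppDir).Path |
    Set-Content .\miro-exclusions.txt
```

The output is a snapshot: a DLL that is only loaded for a specific feature will not appear until that feature is used, and modules copied to a fresh random folder under %TEMP% on each start (the second example above) will have a different path next time, which is exactly why per-path exclusions cannot fully cover such applications.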
Thank you for answering my question. Your arguments are valid and such a feature seems to me like a great idea. I will contact product management with a feature request for improving the functionality of the "Behavioral Scanner" in such a way that would allow the user to decide whether the child processes of an allowed application should be allowed as well.
When in Game Mode the "Behavioral Scanner" is indeed disabled (however, the user is still protected by the Real-time protection). I don't know exactly why it's disabled (it could have something to do with resource consumption and the fact that it makes use of popups that would interfere with the gaming experience), but I will investigate and follow up with a better answer.
Hi Corneliu,
I'm glad that you found some of my questions and explanations reasonable.
Sorry for the few typos I made.
I may add a bit about the games, although it would be more valuable if gamers themselves expressed their thoughts.
But from what I know and have heard:
- yes, the resource consumption could be a factor, but in many (some) cases that is not the main concern.
- the games could be interrupted by alerts. Whether those alerts are FPs or of some other nature is a different story. They don't want them. It can break and basically ruin a many-hours session when their cursor is "stolen" all of a sudden... I cannot know all the details.
- in some cases they state that since the game itself is checked, they don't want those alerts, so here we go: the parent and child processes of the game could be excluded in one go;
- some of the thoughts are different: what if there were a special learning mode where everything is actually monitored, and alerts concerning the game can be retrieved and analysed later... but only the real dangers (alerts not related to the game modules) still show up.
- definitely there are other situations not related to the problem discussed here, but very close to it.
Say some policies were set for notifying about events. Those are fine in a "non-gaming" environment but unwanted during the game. Those are "behavioural alerts", but there could be others, for example pop-ups from the security software about a "successful or failed update", the "necessity to restart" if some modules of the security software were downloaded according to the scheduler, "news pop-ups", etc.
Many things to consider to make gamers happy, and not force them to switch security off completely.
Sure, that is not all and cannot be considered a very deep analysis, but I hope that some of these thoughts could point in the right direction.
My regards