[solved] Question About Intrusion Detection

Situation: Intrusion Detection alerts about a possible threat and asks whether to allow or block some process execution.


Now if I choose to allow and tell IDS to remember that, IDS adds the process to the trusted list.


On the contrary, if I tell IDS to block the process and check to remember that, IDS adds the process to the untrusted list.


In both cases IDS will never ask about that process again.


What if I make a mistake?


How can I remove a process that was mistakenly put on one list or the other?


Appreciate any help...

Comments

  • Hello Viscon,


    You cannot tell IDS what process to allow or block. It will check the Firewall white list for the processes that belong to a trusted application, or it will check if the processes are digitally signed, and it will automatically allow the corresponding application to connect to the Internet. It is a feature that has common components with BitDefender Active Control and it will add extra protection against any attempts to access your network, attempts to stop the BitDefender processes and any attempts from a malware application to inject into processes.


    Thank you.

  • Hmm... sorry but I don't quite get it then.


    Let's see an example.


    I start Sandboxie, and the process SbieSvc.exe is automatically caught by IDS.


    [screenshot: sandb-alert.jpg]


    I scanned the whole Sandboxie folder before and BDIS didn't detect anything suspicious.


    But what do those Allow and Block buttons mean?


    If I click Allow, Sandboxie starts.


    And every subsequent time IDS alerts me with the same pop-up, unless I check the Remember this action... box.


    However, what if I check the Remember this action... box, and click OK?


    Will IDS stop this service from running for good?


    If yes, how can I unblock it?


    TIA

  • Hello Viscon,


    Usually, if BitDefender detects a program through the Intrusion Detection System and you choose to block the program, a new rule will be created in the Active Virus Control Exclusion list and it will have the action Blocked. From that moment you will not be able to execute this program. If you change its action to Allow, you should be able to work with that program without any problems.


    Unfortunately, it seems that there is an incompatibility between the Sandboxie program and the BitDefender Intrusion Detection System. If you choose to block the program, you will not be able to use it after that, even if you change its action to Allow. We are currently investigating this issue and a fix should be released soon.


    Thank you.

  • Thnx Alex,


    I'll keep this in mind.

  • I am also facing this issue and put forward this issue against "Ticket ID:200911241004892", but have got no response yet.


    And now the issue becomes more "Severe" and Bitdefender detects legitimate applications which are even listed in its "Whitelist".


    Regards

  • alexcrist
    edited February 2010

    Further questions about AVC and IDS should be posted here: http://forum.bitdefender.com/index.php?showtopic=16865


    This topic will be closed, since the original question (from the first post) has been answered.


    Cris.


    == CLOSED ==


    == Solved issue ==

This discussion has been closed.