Deepguard - block connections without block/allow the program
When I run a not so common software, Deepguard is monitoring it without asking me if I want to block it or not. That's fine!
But when the program tries to connect to Internet, then suddenly Deepguard says the program might be harmful just because it tries to connect to Internet. I then have a choice to block or allow/trust the program.
If I trust/allow, will Deepguard keep monitoring the program? I guess no.
What I would like to do in this kind of situation is: Block the program only from making connections.
In that way I never have to decide between blocking or allowing the program completely, and I still have Deepguard monitoring it.
This seems impossible to accomplish with current settings for Deepguard.
EDIT: To clarify the problem, I MUST allow the program in order to be able to continue using it after it's tried to make an internet connection. If I don't allow the internet connection then my only option is to block the program, which means it can't run anymore at all.
I guess I can remove the program from Deepguard and start it again. It'll work until the program tries to connect to the internet again...
Comments
-
I think you should submit that as an idea here: http://community.f-secure.com/t5/Idea-Exchange/idb-p/Idea_Exchange
-
Good suggestion! Although I'm first hoping for some kind of explanation from FS of how this is supposed to work. There must be others who have noticed this strange behaviour with Deepguard?!
Why am I forced to allow/trust an uncommon software as soon as it tries to connect to the internet? (in order to continue using it)
-
Yes maybe, but if so and as long as Deepguard hasn't detected anything malicious about the program, I feel I should be given an option to block the program from making connections only, and have Deepguard continue monitoring it. So I can at least continue using the program.
With the current solution Deepguard is forcing me to trust the program. If I don't allow the connection I can't run the program at all anymore.
-
Funny you asked, I'm actually doing that. I felt forced by Deepguard. BUT still I'm forced to allow/trust the program in Deepguard.
Most users don't wanna filter outbound connections, it's too complicated. Many people don't even know it's possible. What I want is a modification to Deepguard so all users can benefit from it.
I see it like this: If Deepguard is able to detect connections, and other F-Secure parts like banking protection are capable of blocking connections, and not to mention that F-Secure used to have its own excellent firewall solution for many years, then this should be a simple modification to Deepguard.
You can even get this problem with known software, if you are among the first to test a new version or beta. Say you're testing a new version of a program that works like CCleaner, a program that does all its work locally. Deepguard is monitoring it. When the program tries to connect to internet, for example to just check for updates, you MUST allow/trust the program in Deepguard to be able to continue using it. It doesn't make sense to me.
-
But it doesn't always ask. I have CCleaner, and it's not in my list of monitored programs, so I can only assume it allowed it automatically. I know you were just using that as an example, but I was just making the point that most known programs would automatically be allowed, and the user would be none the wiser.
I agree, DeepGuard does definitely need some manual options so that users can choose to allow or block programs for themselves. Sadly, the current trend seems to be to remove user options, rather than add them, and that's not just with F-Secure. Maybe it would be worth seeking out the 2011 version that still had the firewall and parental controls on board!
-
Hi NikK,
If I trust/allow, will Deepguard keep monitoring the program? I guess no.
>>> The answer is yes. Please refer to an excerpt from the "Deepguard whitepaper" that should be able to answer most of your questions regarding Deepguard:
http://www.f-secure.com/static/doc/labs_global/Whitepapers/deepguard_whitepaper.pdf
=================
4. How DeepGuard works
DeepGuard’s behavioral analysis is activated by two events. When
a program is launched for the first time, DeepGuard analyses it to
determine if it is safe to run. Subsequently, DeepGuard continues
to monitor the program while running.
=================
---
Best regards,
Fendy
-
Fendy, thanks. But it doesn't really say that Deepguard will continue to monitor it AFTER I've been asked and allowed it.
But if that's the case, then is it fair to say that allowing a program in Deepguard is mainly about allowing the program to make internet connections? I mean considering that Deepguard continues to monitor the program after I have allowed it.
I'm talking about programs of type "d", so there's no confusion:
a) The file is malicious and blocked
b) The user is given the option to allow or deny the launch
c) The file is clean and allowed to execute
d) The file’s status as clean or malicious is still unknown
Also I assume Deepguard is only monitoring GUI programs, and not possible services that are installed along the GUI program?
-
Have read the whitepaper without getting any clarification, and I really want to understand Deepguard better:
- Is allowing a program in Deepguard mainly about allowing the program to make internet connections? (assuming Deepguard continues to monitor the program after I have allowed it)
- Is Deepguard only monitoring GUI programs, and not possible services that are installed along the GUI program?
-
2 posts in this thread were lost when the site went down last Friday. I had forgotten I changed my email notifications to include both subject + body so here are the posts 2 in 1.
Thank you @Siltanen I'm satisfied with this answer so I'll mark this as accepted, and provide an idea to improve Deepguard.
Please vote for this idea if you want better protection when trying out unknown programs:
http://community.f-secure.com/t5/Idea-Exchange/Improve-Deepguard-security-for/idi-p/36795
----------------------------------------------------------------------------------------------------------------
If the not known good program is still monitored after I've allowed it, the only difference from before I allowed it is that now it's allowed to make connections?
Siltanen: The programs are still being monitored and their reputation is regularly checked from the cloud.
Great that it monitors service executables too, although I have never gotten a Deepguard question about one, which is strange.
Siltanen: It's not that strange that you haven't had a prompt about a service, since it's highly likely that you've only had good, known, services running.
I mean if the GUI exe is not known, then the specific service exe that came with the GUI isn't known either, right? Or does Deepguard only ask about GUI exe's?
Siltanen: Each and every executable is individually handled regardless of whether it has a traditional "GUI" or not. Though it's within the realm of possibilities that an unknown GUI application is shipped with an unknown executable (which acts as a service.)
Siltanen: To sum it up:
DeepGuard doesn't differentiate between what type of an application the executable is.