Hello all,
I found a strange case where CyberCapture exclusions are not working as expected; see the attached picture.
Note that I use 12.3.2281 beta, while a similar issue was reported in the Japanese forum, where the OP uses 12.3.2280.
The file "kinza.exe" is digitally signed, and DeepScreen did NOT interfere with its execution. It is executed and then immediately captured by CC, even though the path of the file is in the exclusion list.
When I add the path to the File System Shield exclusion list, CC stops capturing it.
Moreover, CC never stops capturing it, no matter how many times CC says "The file is clean".
The captured app "kinza.exe" is a web browser based on Chromium.
https://www.kinza.jp/en/
The file itself is not downloaded from the web, but installed by the installer downloaded from the web.
So, the "Downloaded from the web" flag must be inherited.
I found these strings in the Avast logs.
From Autosandbox.log:
2016/11/15 21:35:51 Autosandbox candidate: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
[Source: local://*C:\Windows\System32\services.exe ]
[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
[Reason: 0x00020000]
--> Result: Not sandboxing (because the file is trusted).
2016/11/15 21:59:58 Autosandbox candidate: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
[Source: local://*C:\Windows\System32\services.exe ]
[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
[Reason: 0x00020000]
--> Result: Not sandboxing (because the file is in the exception list).
From custody.log:
2016/11/15 21:36:34 Blocked: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
[Source: local://*C:\Windows\System32\services.exe ]
[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
[Reason: 0]
2016/11/15 22:00:32 Blocked: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe
[Source: local://*C:\Windows\System32\services.exe ]
[Opened by: C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe]
[Reason: 0]
I'll provide more information if needed.
Thanks.
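
An added example, not part of the original post and not Avast code: a small Python script that correlates the two log excerpts above and lists every custody.log "Blocked" entry whose most recent Autosandbox.log decision for the same path was "Not sandboxing". The record layout is inferred only from the lines quoted in the post, treating such a pair as the contradiction is an assumption, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Entries copied from the post above; the [Source]/[Opened by] lines are left out.
EXE = r"C:\Sandbox\NON\DefaultBox\user\current\AppData\Local\Kinza\Application\kinza.exe"
AUTOSANDBOX_LOG = f"""2016/11/15 21:35:51 Autosandbox candidate: {EXE}
[Reason: 0x00020000]
--> Result: Not sandboxing (because the file is trusted).
2016/11/15 21:59:58 Autosandbox candidate: {EXE}
[Reason: 0x00020000]
--> Result: Not sandboxing (because the file is in the exception list).
"""
CUSTODY_LOG = f"""2016/11/15 21:36:34 Blocked: {EXE}
[Reason: 0]
2016/11/15 22:00:32 Blocked: {EXE}
[Reason: 0]
"""

# Assumed layout: "<timestamp> <event>: <path>", then optional "[...]" and "--> Result:" lines.
HEADER = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ([^:]+): (.+)$")
RESULT = re.compile(r"^--> Result: (.+)$")

def parse(text):
    """Return one dict per log record: time, event, lower-cased path, result (or None)."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        head = HEADER.match(line)
        if head:
            when = datetime.strptime(head.group(1), "%Y/%m/%d %H:%M:%S")
            records.append({"time": when, "event": head.group(2),
                            "path": head.group(3).lower(), "result": None})
        elif records and (res := RESULT.match(line)):
            records[-1]["result"] = res.group(1)
    return records

def contradictions(autosandbox_text, custody_text):
    """List (block time, seconds since decision, decision text) for blocks after 'Not sandboxing'."""
    decisions = parse(autosandbox_text)
    findings = []
    for blk in (r for r in parse(custody_text) if r["event"] == "Blocked"):
        prior = [d for d in decisions
                 if d["path"] == blk["path"] and d["time"] <= blk["time"]]
        last = max(prior, key=lambda d: d["time"], default=None)
        if last and (last["result"] or "").startswith("Not sandboxing"):
            delay = int((blk["time"] - last["time"]).total_seconds())
            findings.append((blk["time"], delay, last["result"]))
    return findings

if __name__ == "__main__":
    for when, delay, decision in contradictions(AUTOSANDBOX_LOG, CUSTODY_LOG):
        print(f"{when} blocked {delay}s after: {decision}")
```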