Change 'Allow List' to support ignore an entry only for a single detection

[rmhumphries]

Good Morning,

I have had a search on the forum, but I can't see any way to currently do this / this having been suggested already/

At the moment, when a file is detected against a certain rule (e.g. PUP.Optional.BundleInstaller) then you can remove it, ignore it once or ignore it always. There are use cases I have where I have an application that is detected as 'PUP.Optional.BundleInstaller'; which I want to keep - however if in a future update that application then started containing a non-PUP malware (due to a supply chain attach or similar) I would want that to be detected and/or removed. I also still want to detect PUP more widely; so I can't just ignore that detection type.

 

As such, would I like the functionality to do is for a file/registry entry/etc on the Allow List is have the ability to set it to allow any detection or only a sub-set. You could have a system-setting that controls the default behaviour when you ignore a file/etc (current detection / all), allow the user to choose each time or even default to adding the current detection only as the normal of cases where a file/etc will legitimately meet multiple detections over time is likely to be low.

 

Thanks,
Robert

[Porthos]

5 hours ago, rmhumphries said:

I have an application that is detected as 'PUP.Optional.BundleInstaller'; which I want to keep

What program is it?

[rmhumphries]

Afternoon - the program is uTorrent; some of the development machine images and similar I use are shared via bittorrent.

[Porthos]

5 minutes ago, rmhumphries said:

Afternoon - the program is uTorrent; some of the development machine images and similar I use are shared via bittorrent.

I suggest qbittorrent if you want a clean torrent program.