The bug/issue
- What you did: Clicked a link in an external application (PuTTY Tray) to make it open in the default browser (Opera).
- What actually happened or you actually saw:
Got an alert popup “opera.exe is trying to modify the user interface of ctfmon.exe”. I allowed this request with the “remember” option selected. The effect was that the application policy “Window Messages” for opera.exe changed from “ask” to “allow” (allowing all further requests) without adding ctfmon.exe to the exclusions list.
- What you expected to happen or see:
After accepting such a request, CIS should remain in the “ask” state and add an exclusion for ctfmon.exe to the “Allowed Applications” list for “Window Messages”, similar to the other situations explained below.
- How you tried to fix it & what happened: Not repairable by user.
- If it's an application compatibility problem have you tried the application fixes?: N/A
- Details (exact version) of any application involved with download link: PuTTY Tray 0.60r3, Opera 10.63, Process Explorer 12.04 (however, the bug is in the internal logic of CIS).
- Whether you can make the problem happen again, and if so exact steps to make it happen:
  - make one app send other one winmsg
  - allow & remember on alert
  - check access rights policy
- Any other information (eg your guess regarding the cause, with reasons):
I wanted to be sure that this is indeed a bug, so I produced other events which have exception lists (“Interprocess Memory Accesses” and “Processes’ Termination”) by killing any application in Process Explorer (SysInternals). As I expected, I got two separate alerts: “procexp.exe is trying to access opera.exe in memory” and “procexp.exe is trying to terminate opera.exe”; I allowed both with remember. I then checked the access rights for PE, and both events remained in the “ask” state, with entries for opera.exe added to their exclusion lists.
Conclusion: The “Window Messages” CIS event handler now incorrectly behaves like events without exclusions, such as “Keyboard”, “Disc” or “DNS Client Service” (the state is changed from “ask” to “allow” on accept & remember).
Files appended
- Screenshots illustrating the bug: Did not attach any, but I could reproduce this bug any time and attach them on request.
- Screenshots of related event logs or the active processes list:
- A CIS config report or file:
- Crash or freeze dump file:
Your set-up
- CIS version, AV database version & configuration used: 5.0.162636.1135 / 6370
- Have you updated (without uninstall) from CIS 3 or 4, if so have you tried reinstalling?: N/A
- Have you imported a config from a previous version of CIS, if so have you tried a preset config?: Customized “Proactive Security”.
- Defense+ and Sandbox OR Firewall security level: D+:Paranoid (monitoring settings: all checked)
- OS version, service pack, no of bits, UAC setting, & account type: XP SP2
- Other security and utility software running: None.
- Virtual machine used (Please do NOT use Virtual box): None.