CIS 5.x: Early started safe processes become sandboxed upon system startup [Issue Report]

The bug/issue

  1. What you did:
    System reboot.

  2. What actually happened or you actually saw:
    Early launched Safe/Trusted applications are not recognized as “safe” by CIS and are automatically sandboxed while services and the environment are being loaded upon system startup if the “Block all unknown requests if the application is closed” checkbox in Defense+ settings is checked. The “Don’t isolate it again” link in the sandbox popup has no effect; on the next restart those apps become sandboxed again. The firewall is also unable to verify “safe” application status, and connection alerts for these apps (i.e. when the system is trying to establish NetBIOS connections) appear in some cases.
    All those files are clean, safe, digitally signed by trusted vendors, well known by CIS to be safe and have never been sandboxed under “normal” circumstances.

  3. What you expected to happen or see:
    Safe/Trusted apps shouldn’t be sandboxed and should be treated as safe (without alerts) by firewall (when safe FW mode is enabled)

  4. How you tried to fix it & what happened:
    The only way to work around this behavior I’ve found is to uncheck “Block all unknown requests if the application is closed” checkbox. Or to disable sandbox, of course.

  5. If it’s an application compatibility problem have you tried the application fixes here?:
    No, it appears not to be an application compatibility problem.

  6. Details & exact version of any application (except CIS) involved with download link:
    Any windows process that was started early enough (I think, “between” services.exe and cfp.exe), including MSSQL Server, NVidia services, ctfmon.exe, Windows Search and searchindexer on WinXP, VMWare service and tray icon app and even GeekBuddy tray icon. Probably svchost.exe is not affected.

  7. Whether you can make the problem happen again
    and if so precise steps to make it happen:
    a) Check “Block all unknown requests if the application is closed” checkbox in “Defense+ settings” dialog on.
    b) Enable Sandbox & Defense+ (if disabled)
    c) Reboot the computer.

  8. Any other information
    I suspect a digital signature verification problem.

Files appended

  1. Screenshots illustrating the bug: Appended

Your set-up

  1. CIS version
    All 5.x versions seem to be affected by this bug.
    Firewall settings have no effect on this bug.
    AV is not related to the bug.
    Proactive and Internet security configurations are affected. Firewall security seems to be working as expected.

  2. a) Have you updated (without uninstall) from CIS 3 or 4:

  3. a) Have you imported a config from a previous version of CIS:

  4. Have you made any other major changes to the default config:

  5. Defense+, Sandbox, Firewall & AV security level:
    D+=Safe, Clean PC, Paranoid, all are affected
    Firewall=any mode
    AV=any mode

  6. OS version, service pack, number of bits, UAC setting, & account type:
    Windows XP SP3, Windows 7, Windows 7 SP1 (x86/x64) (perhaps, any supported OS)
    UAC: Enabled, Disabled, Not applicable.
    Tested under admin account.

  7. Other security and utility software installed:

  8. Virtual machine used:
    Yes/No (Bug seems to not be affected by hardware configuration)

Hey, I have the same issue here…will this be fixed…?

No, you should not have the setting ticked (Block all unknown requests if the application is closed) in all versions of CIS 5.0.**. or later.

One of egemen’s numerous posts about this is below