CIS 7 doesn't display an alert during the update of Windows Defender definitions

Hi,

I don't use the "Trusted Vendors" feature and my list of trusted files is empty.
My configuration is:

  • Firewall: custom ruleset
  • Auto-sandbox: disabled
  • HIPS: paranoid mode

With CIS 6 (Firewall only), I had an alert during the update of Windows Defender (Windows 8.1), but not with CIS 7.
Could you please tell me why?

Thanks a lot.

Best regards

(Sorry for my poor English)

Hi,

I am still trying to understand this issue.
To update the Windows Defender definitions, an executable (called AM_Delta_Patch_x.xxx.xxx.x.EXE) is downloaded to the C:\Windows\SoftwareDistribution\Download\Install directory.

  • When this program is executed through the Windows Update process, there is NO ALERT from CIS.
  • But if I try to execute this app manually, then I receive a CIS popup ("AM_Delta_Patch_x.xxx.xxx.x.EXE is trying to create a new file or directory"). And, in my opinion, this is the correct behavior of CIS.

Any idea?

Thanks.

Windows Update is considered an installer/updater, hence it's allowed to run anything it wants and essentially do anything it wants (except run detected malware etc.), and anything run by it will also be considered an installer/updater, which is why you don't get any alerts when you use Windows Update to update the definitions. The reason you get alerts when you launch the executable manually is probably because the file is unknown and not signed and you aren't running it from another application with the installer/updater policy, so you will get questions from HIPS.

The reason you got questions in V6 even when you updated using Windows Update was because the installer/updater policy was bugged and HIPS would still give alerts for child processes (this was fixed, at least partially, in version 7).

Does that answer your question?
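The answer above rests on two things a practitioner can check for themselves: whether the downloaded patch executable is Authenticode-signed, and which process chain launched it (an updater parent versus an interactive shell). The script below is an added example, not part of this thread and not Comodo's code; it uses only built-in PowerShell cmdlets. It assumes the download directory named in the post and a PID that you supply yourself for a running instance (the exact patch file name is version-specific and is left as the post's placeholder).

```powershell
# Added example (not from the original thread or from Comodo).
# 1. Enumerate executables in the Windows Update download directory named in the post
#    and report their Authenticode status and SHA-256 (useful for a trusted-files list).
# 2. Optionally walk the parent chain of a running process by PID to see who launched it.

param(
    # Directory named in the post; adjust if your system differs.
    [string]$Dir = 'C:\Windows\SoftwareDistribution\Download\Install',
    # Optional: PID of a running instance (e.g. the patch .exe) to trace back to its parent.
    [int]$ProcessId = 0
)

function Get-ExeSignatureReport {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) {
        Write-Warning "Directory not found: $Directory"
        return
    }
    Get-ChildItem -LiteralPath $Directory -Filter '*.exe' -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            # 'Valid' = trusted Authenticode chain; 'NotSigned' = HIPS can only go by hash/vendor list.
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Get-ParentChain {
    # Walk ParentProcessId upward. The $seen table guards against PID reuse loops.
    param([int]$Id)
    $seen = @{}
    while ($Id -gt 0 -and -not $seen.ContainsKey($Id)) {
        $seen[$Id] = $true
        $p = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $Id"
        if (-not $p) { break }
        [pscustomobject]@{ Pid = $p.ProcessId; Name = $p.Name; Parent = $p.ParentProcessId }
        $Id = $p.ParentProcessId
    }
}

Get-ExeSignatureReport -Directory $Dir | Format-List
if ($ProcessId -gt 0) { Get-ParentChain -Id $ProcessId | Format-Table -AutoSize }
```

Run it from an elevated prompt so Win32_Process returns the full process list; a chain that ends in a service host indicates the updater path the answer describes, while a chain ending in explorer.exe or a console shell corresponds to the manual launch that triggered the HIPS popup.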

Thank you very much for the explanation.

Best regards.