CIS and TrueCrypt started from USB device

Hi all,

I’ve installed the latest version of CIS 3.5.57173.439. When I insert my USB stick, which hosts a traveller version of TrueCrypt, then TrueCrypt starts, mounts the volume and tries to launch explorer.exe. I defined TrueCrypt to be a trusted application. When I dismount the volume and mount it again without unplugging the USB device then all works fine. When the USB device is unplugged and plugged in again then I have to confirm a Defense+ alert (message is: Truecrypt is trying to access explorer.exe in memory) again and again. Checking my Computer Security Policy I can see that TrueCrypt.exe (location USB drive) is a trusted application.

What’s going wrong here? Is the very same USB drive, even mapped to the very same drive letter, being considered different, so that the executable seems to be unknown?

Any help is appreciated.


Hello Carlos,

If you give the alert again a “trusted application” + remember, will there be 2 rules for Truecrypt in the D+ Policy?

ANY/EVERY executable run from a removable drive is considered unsafe by CIS, even if you have selected “Trusted Application” in the past.

Comodo made a design decision very early on to never allow executables on a removable device to be considered safe. Their line of thinking, and I can’t argue with it, is that the removable device could have been inserted into an insecure PC and the application could have been modified/infected.

Trustedness for apps on a removable device is purely on a per session basis.

Ewen :)


No, there is only one rule, but with Ewen’s explanation it sounds reasonable to me.


Thanks for your answer. That’s something I nearly expected. But I couldn’t find any statement about this behaviour.
And it’s just to be sure that I didn’t miss something.