CIS fails CLT :(

Operating System - Windows 7 (whatever the latest service pack is)
Version of CIS: the latest version of the 5.0 edition
Real time scanner: I use MBAM :) and CIS
CIS settings - Same as the CLT guide, in addition to having set the image execution control to untrusted / restricted
CLT score - 270

Note: I got bad results earlier as well, but this is a fresh install of 5.0 (prior to that I had 4.0)


Date 01:36:04 - 01.01.2011

OS Windows Vista SP0 build 7600

  1. RootkitInstallation: MissingDriverLoad Protected
  2. RootkitInstallation: LoadAndCallImage Protected
  3. RootkitInstallation: DriverSupersede Protected
  4. RootkitInstallation: ChangeDrvPath Vulnerable
  5. Invasion: Runner Protected
  6. Invasion: RawDisk Vulnerable
  7. Invasion: PhysicalMemory Protected
  8. Invasion: FileDrop Vulnerable
  9. Invasion: DebugControl Protected
  10. Injection: SetWinEventHook Vulnerable
  11. Injection: SetWindowsHookEx Vulnerable
  12. Injection: SetThreadContext Protected
  13. Injection: Services Vulnerable
  14. Injection: ProcessInject Protected
  15. Injection: KnownDlls Vulnerable
  16. Injection: DupHandles Protected
  17. Injection: CreateRemoteThread Protected
  18. Injection: APC dll injection Protected
  19. Injection: AdvancedProcessTermination Protected
  20. InfoSend: ICMP Test Protected
  21. InfoSend: DNS Test Vulnerable
  22. Impersonation: OLE automation Protected
  23. Impersonation: ExplorerAsParent Vulnerable
  24. Impersonation: DDE Vulnerable
  25. Impersonation: Coat Vulnerable
  26. Impersonation: BITS Protected
  27. Hijacking: WinlogonNotify Protected
  28. Hijacking: Userinit Vulnerable
  29. Hijacking: UIHost Protected
  30. Hijacking: SupersedeServiceDll Vulnerable
  31. Hijacking: StartupPrograms Vulnerable
  32. Hijacking: ChangeDebuggerPath Protected
  33. Hijacking: AppinitDlls Vulnerable
  34. Hijacking: ActiveDesktop Protected
    Score 190/340


Disable sandbox, set to proactive, make sure all the required settings are checked (see sticky). Delete all internet browser cache and history. Restart, then test again.

I have done this test so many times.

All of the above is done EXCEPT the browser cache.

How big of an impact can the browser cache be?

I think it may affect impersonation: Coat result.

When I started using CIS on XP, I used to get a very low leak test score.

I just assumed that my PC was compromised, which is hardly surprising since I hadn't been using any firewall for years before then.

An OS reinstall fixed the problem just fine! :)

Does this test tell the truth, then? With my configs, will I actually be as secure as anyone else even though the test scores are different? I have done everything :) except the browser cache. Even if I did that and received 320, would I actually be just as secure as otherwise, or NO?

From the guide:
3. Delete the Internet Explorer (IE) browsing history cache. Run IE, click on the “tools” menu, then select “internet options”. Click on the “general tab” and then click on the “delete” button under browsing history. You can also delete the browsing history using cleaning programs such as CCleaner or Cleanup! The reason why you need to clean the IE history: If CLT was previously run and previously failed “Impersonation: Coat”, IE will open the target webpage from the IE cache, and not through the leak, leading to a false failure of “Impersonation: Coat”. Erasing the browsing history ensures that IE cannot load the webpage from the cache and forces IE to load the webpage through the leak.