CIS fails to prevent programs from launching browser [v6] [~]

CIS version: 6.0.260739.2674 /Database 14829

OS version: Windows 7 Professional 64-bit (no SP-1)

What you did: Uninstalled a program which then launched browser connecting to program's web site. The program (Total Uninstaller) can be found here: http://www.martau.com/ CIS was set up to have hooks monitoring active as well as window messaging. All settings were in "Ask" mode, and also tried "Block" mode, but none of that solved the issue.

What you actually saw. A screenshot is a great help: None, no CIS activity (unfortunately)

What you expected to happen or see: Expected to see warning from CIS that a program is trying to launch a browser (Firefox in this case) and ask for permission to do so. This happens not only with program mentioned above, but has been happening with multiple other programs over the years. None of the recent CIS versions performs as expected under the given scenario and NEVER prevents the browser from being launched OR web page from opening if the browser is already running.

P.S. just remembered another good example of a program that launches browser without warning and without permission: http://www.mediacoderhq.com/

PM reminder sent

Thank you, but the bug report format you requested is too elaborate and many of those questions don’t pertain to the bug. I honestly don’t have all that time on my hands to go through such an elaborate report. What I described is pretty straightforward and the issue had been there for years now, I just never bothered to report it and surprised very few did. If someone wants to try to fix it they will.

If you’d like to see for yourself what happens and perhaps do the full report, just install this program and watch how it launches the browser right past CIS’s nose:

It’s not the only one, just one of many.

That’s OK it’s very much up to you

Best wishes

Mouse

Thanks very much for your issue report. We have moved it to the non-format bugs board for the moment, because too much of the information we normally need to replicate a problem and fix it is missing, or it is not in the format we request.

We realize some people may not have the time to do a bug report in standard format, and therefore offer the option of a non-format report instead. But the problem is much more likely to be fixed promptly if you edit your first post to create an issue report which meets all criteria in the Checklist and Format. (You can copy and paste the format from this topic). The general reasons why are summarized in that post; the reasons we ask for specific pieces of information are given in this detailed post.

You can get your report moved to the format verified issues board simply by ensuring that it is correctly formatted and all criteria are met, and PM’ing a mod who is active on the bug board.

Best wishes

Mouse

I think, before a proper bug report can be submitted, some clarification is needed about exactly what the ‘Protection Settings’ tab in Defense+ custom rules really does.

The help guide says:

ii. Protection Settings - Protection Settings determine how protected the application or file group in your ruleset is against activities by other processes. These protections are called 'Protection Types'.

And one of the choices is protecting against Windows Messages, which as far as I know - I’m not a programmer - are responsible for the kind of invocation we’re seeing here.

Having now tried this with versions 5 and 6, I’ve found I can, in version 5, prevent the web site from being opened in IE, although I can’t stop the browser opening. However, in Firefox, I can’t prevent either the browser opening or the website from being displayed.

You can also use access rights (execution) on the invoking program to stop a specific program doing this.

Or I think sandboxing unknown files as limited may stop unknown files doing this.

Best wishes

Mouse

Indeed, and that’s fine if one wishes to create rules against multiple applications to prevent them opening one or more browsers. However, it would be so much easier to create a rule for the browser that prevents anything from opening it (this is just a generic example).

> Or I think sandboxing unknown files as limited may stop unknown files doing this.
>
> Best wishes
>
> Mouse

But if the application is known and you’ve simply installed it for testing, you may not want it trying to call home when it’s subsequently removed. It’s also possible the sandbox is not being used.

Anyway, i appreciate the suggestions but it still leaves me wondering just what Protection Settings actually does. I’m sure it works, I just don’t understand how.

I agree with Radaghast. It is counterintuitive to have a security program NOT prevent starting any apps (incl. browsers) by default rather than individually giving permissions to apps that you do want to exhibit such behavior. Seems like CIS is designed backwards in this respect.

I think it’s probably execution. And CIS has no execution protection right, unfortunately.

If one could work out the execution mechanism, there might be a key one could protect/block. Blocking browser executables via a browser group and then creating exceptions… maybe. Lots of work though.

There’s a test exploit ‘leakout’ (Mark0.net from memory) which uses browser invocation to transmit PC data. We had a discussion with Egemen about it, so he is aware

Best wishes

Mouse
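The "execution mechanism" being guessed at above is, on Windows, usually nothing more exotic than ShellExecute on a URL string: the shell looks up the user's http handler in the registry and spawns whatever command line it finds there. Nothing in this thread confirms which call Total Uninstaller or MediaCoder actually makes, so the PowerShell below is an added illustration written for this page, not code from the original posts or from Comodo. It assumes the standard Windows 7 registry layout (the UserChoice key under HKCU and the ProgId's shell\open\command under HKEY_CLASSES_ROOT; these key names are not taken from the thread) and walks that resolution chain so you can see which registry keys and which browser executable a Defense+ rule would have to cover. The second function performs the same kind of launch through Start-Process, which also goes via ShellExecute, so you can run it while watching for a CIS alert.

```powershell
# Added example (not from the thread): trace how a URL launch resolves to a
# browser command on Windows 7, then perform such a launch for testing.
# Assumptions: standard registry layout, run as the logged-on user.

function Get-UrlHandlerCommand {
    param([string]$Scheme = 'http')

    # 1. Per-user default browser chosen via Default Programs.
    #    If this key is absent, the shell falls back to the scheme's own
    #    ProgId under HKEY_CLASSES_ROOT (e.g. HKCR\http).
    $userChoice = "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$Scheme\UserChoice"
    $progId = $Scheme
    if (Test-Path $userChoice) {
        $chosen = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
        if ($chosen) { $progId = $chosen }
    }

    # 2. The ProgId (FirefoxURL, IE.HTTP, ChromeHTML, ...) carries the
    #    command line the shell will spawn, with %1 replaced by the URL.
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = $null
    if (Test-Path $cmdKey) {
        $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    }

    # 3. Pull the executable out of the command line; this is the file a
    #    HIPS "who may launch this" rule would be keyed on.
    $exe = $null
    if ($command) {
        if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($command -split '\s+', 2)[0] }
    }

    [pscustomobject]@{
        Scheme      = $Scheme
        ProgId      = $progId
        CommandKey  = $cmdKey
        Command     = $command
        Executable  = $exe
    }
}

function Invoke-UrlLaunch {
    # Launch a URL exactly the way a "call home" program typically does:
    # hand the string to the shell and let it resolve the handler above.
    # Start-Process with a URL uses ShellExecute (UseShellExecute = true).
    param([Parameter(Mandatory)][string]$Url)
    Start-Process -FilePath $Url
}

# Show the resolution chain for http and https.
foreach ($s in 'http', 'https') {
    Get-UrlHandlerCommand -Scheme $s | Format-List
}

# To reproduce the report, uncomment the next line while CIS is in "Ask"
# mode and check whether any alert names the executable listed above.
# Invoke-UrlLaunch -Url 'http://example.com/'
```

The point of listing the Executable field is that the browser is launched as a child of the calling program with that path, so a rule that protects the browser binary (or its ProgId's shell\open\command key) is what would have to fire; the URL itself never passes through a Windows Message to the browser unless it is already running.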

Thanks for that mouse. I think you’re probably right. I created a dump with process monitor and tried a few things based on the output but didn’t get very far. The weird thing is, I have this vague recollection of doing something similar a couple of years ago and whatever we did, we got it to work. I’m pretty sure there was a thread somewhere…

No problem. Yes there usually is a way in HIPS, maybe the Leakout traces might give a hint, though that was mainly raised as a sandbox issue. There are the anti-executable traces as well, they got quite deep.

Can you please check and see if this is fixed with the newest version (version 6.2.282872.2847)? Please let us know whether it is fixed or you are still experiencing the problem.

Also, note that all bug reports in the Non-Format section of the forum, which is where this report currently is, are not looked at by the devs. Thus, if the bug you were experiencing is still not fixed please edit your first post so that it is in the correct format (found here), with all required attachments, so I can forward this to the devs and get this problem fixed.

Thank you. PM sent.

The OP has confirmed that this is fixed for CIS version 6.2.282872.2847.

Therefore, I will move this to Resolved.