CIS firewall and Defense+ doesn't recognise changed files??

I have been using CIS for over a year now, switched over from ZA, and it's been a pleasurable experience.

There is a problem though…

I have configured the CIS firewall to the “strict policy following paranoid mode” and have configured most of my applications for how their internet access is to be handled.

I have noticed that whenever an executable file changes (in size/contents) it is still allowed to run by Defense+ and is also granted internet access by the firewall (provided the previous same-named, same-location file was also given internet access).

This means that if some file renames itself “firefox.exe” and places itself in the default Firefox directory, it will be able to access the internet??

Please advise…

In short:
You are PARTIALLY right. CIS doesn’t check hashes (MD5, SHA1); you can do a search in the forum for it. This was discussed A LOT about 1.5 years ago and the conclusion is: it’s not necessary, b/c every change made in an executable file is going to be under D+ supervision/rules (only allowed apps can do it silently, like the updaters group; otherwise D+ will pop up).
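To make the difference between the two rule models in this thread concrete, here is an added example (not code from the thread, and not how CIS actually stores its rules): a small Python rule table that remembers a SHA-256 of each allowed executable alongside its path, compared with a path-only table like the one the original poster describes. The file names and contents are constructed stand-ins written to a temporary directory; the helper names (`allow_application`, `evaluate`, `path_only_evaluate`) are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed demo: a tiny "firewall rule table" that remembers not only the
# path of an allowed executable (what the thread says CIS keys on) but also
# the SHA-256 of its contents, so a replaced binary at the same path is flagged.


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allow_application(rules: dict, path: Path) -> None:
    """Record an 'allow internet access' rule, pinned to the file's current hash."""
    rules[str(path)] = sha256_of_file(path)


def evaluate(rules: dict, path: Path) -> str:
    """Decide what a hash-aware rule table would do for an outbound request.

    Returns 'allow' when path and hash both match the stored rule,
    'changed' when the path is known but the contents differ (the case from
    the thread: the binary was modified or swapped in place), and 'unknown'
    when there is no rule for that path at all.
    """
    key = str(path)
    if key not in rules:
        return "unknown"
    if rules[key] != sha256_of_file(path):
        return "changed"
    return "allow"


def path_only_evaluate(rules: dict, path: Path) -> str:
    """The path-only behaviour described in the thread, for comparison."""
    return "allow" if str(path) in rules else "unknown"


def demo() -> dict:
    """Run the scenario from the thread in a temporary directory (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = Path(tmp) / "firefox.exe"  # constructed stand-in, not a real binary
        exe.write_bytes(b"ORIGINAL FIREFOX BUILD")
        rules: dict = {}
        allow_application(rules, exe)
        before = (evaluate(rules, exe), path_only_evaluate(rules, exe))
        # Something overwrites the file at the same path with different contents.
        exe.write_bytes(b"SOMETHING ELSE AT THE SAME PATH")
        after = (evaluate(rules, exe), path_only_evaluate(rules, exe))
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())  # {'before': ('allow', 'allow'), 'after': ('changed', 'allow')}
```

The hash-pinned table reports `changed` after the overwrite, which is where a product would re-prompt the user or re-scan the file; the path-only table keeps returning `allow`, which is exactly the behaviour the original poster observed. The trade-off the reply points to is also visible here: a hash-pinned rule breaks on every legitimate update, which is why a product that does not pin hashes has to police who is allowed to write to executables instead.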


So if we trust an application and allow it to update… say App X

it can change ANY executable in my system which may have more liberal internet rights than App X
and theoretically use that to get OUT of my system.

Interesting… :slight_smile:

Thank you.

If you make a rule for that AppX to be able to change the whole system, it will be able to do so! This is NOT CIS's fault! Otherwise, not. I mean… if you “trust” a malware, it will do its work IF CAV doesn’t catch it (you have another protection layer, CAV).

AppX will only change apps which it was allowed to, without a D+ pop-up.
The only ones which work in silence (pre-allowed) are those from the “update group”, AFAIK.

So, use the “Trusted Application” predefined policy ONLY FOR REALLY TRUSTED APPS, not for things like browsers, editing apps… Rather than that, always prefer to answer the pop-ups with “CUSTOM POLICY”, IF YOU WANT TO STAY WITH “Paranoid Mode”. I myself don’t see a point in using “Paranoid” if you use “Trusted Apps” a lot…