CIS Firewall doesnt block processes after update [Issue Report]

The bug/issue

  1. What you did: Updated CIS to version 5.4.189822.1355
  2. What actually happened or you actually saw: windows processes (lsass.exe, system) opening connections
  3. What you expected to happen or see: no open connections from those processes, an entry in the log stating it was blocked
  4. How you tried to fix it & what happened:
    I tried to block lsass.exe by adding a block rule, no effect
  5. If its an application compatibility problem have you tried the application fixes here?:
  1. Details & exact version of any application (execpt CIS) involved with download link:
    Win 7 64 Ultimate SP 1
  2. Whether you can make the problem happen again, and if so exact steps to make it happen:
  3. Any other information (eg your guess regarding the cause, with reasons):
    Lsass.exe and system were never allowed access before and now suddenly they seem to manage to bypass my set rules.
    I also verified that Lsass.exe is the windows process and not the trojan

Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug: -attached
  2. A CIS config report or file. - config export attached

Your set-up

  1. CIS version, AV database version & configuration used:
    CIS: 5.4.189822.1355
    Firewall: Custom policy
    Defense+: Safe mode
  2. a) Have you updated (without uninstall) from CIS 3 or 4: Update from the previous 5.?? version
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
  3. a) Have you imported a config from a previous version of CIS: -
    b) if so, have U tried a standard config (without losing settings - if not please do)?:
    Standard always allowes these processes to access the internet, that’s exactly what I do not want to happen :slight_smile:
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):
    only added the block rule
  5. Defense+, Sandbox, Firewall & AV security levels: D+= , Sandbox= , Firewall = , AV =
    Firewall: Custom policy
    Defense+: Safe mode
  6. OS version, service pack, number of bits, UAC setting, & account type:
    Win 7 64bit Ultimate SP1, UAC, admin
  7. Other security and utility software installed:
    Microsoft Security Essentials
  8. Virtual machine used (Please do NOT use Virtual box):
    None used

Edit: updated format as requested

[attachment deleted by admin]

We would very much appreciate it if you would edit your first post to create an issue report in line with the bug forum guidelines and format here. You can copy and paste the format from this topic.

To understand the reasons why we ask you to follow these guidelines please see below.

Bugs/issues can be impossible or very time consuming to fix if developers don’t have enough information to reproduce them. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, issues not described in the format below your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

Best wishes and many thanks in anticipation


Thank you for your Issue report in the correct Format.

Moved to verified.

Thank you


I think these are now in the D+ Windows System application group, and so will not be separately logged, they should be logged as ‘windows operating system’ so long as you have F/W alert settings on Medium or above.

Best wishes



Now noticed that the ones logged under Windows System are not the same events, they are all internal network stuff. Logically, what I said is what should be happening, but it isn’t.

However I’ve just added svchost ask and log app rule and put it above all other rules. Alerts on medium. Did not seem to log for the first few minutes, despite the fact that I had alerts, then it suddenly started


Best wishes