CIS Says 'Microsoft Windows' Is Not Whitelisted

The bug/issue

  1. What you did:
    Nothing. The alert just popped up like alerts sometimes do. This particular alert has appeared a few times, sporadically.
  2. What actually happened or you actually saw:
    I got an alert for shell32.dll saying that the file was signed by ‘Microsoft Windows’, but not yet whitelisted.
  3. What you expected to happen or see:
    I expected there to be no popups because ‘Microsoft Windows’ is a digital signature that is whitelisted by Comodo.
  4. How you tried to fix it & what happened:
    This isn’t something I can fix. I just answered the alert and the popup went away.
  5. If its an application compatibility problem have you tried the application fixes?:
  6. Details (exact version) of any application involved with download link:
    It’s file version 6.1.7601.17678.
  7. Whether you can make the problem happen again, and if so exact steps to make it happen:
    I cannot make it happen again. It’s sporadic, and doesn’t happen often.
    Files appended. (Please zip unless screenshots).
    I have attached a picture of the alert and the file itself.
  8. Screenshots illustrating the bug:
    One is attached.
  9. Screenshots of related event logs and the active processes list:
  10. A CIS config report or file.
  11. Crash or freeze dump file:
    Your set-up
  12. CIS version, AV database version & configuration used:
    CIS Premium 5.8.213334.2131
    AV Database version is 10810
    I have it configured as described here.
  13. a) Have you updated (without uninstall) from CIS 3 or 4, if so b) have you tried reinstalling?:
  14. a) Have you imported a config from a previous version of CIS, if so b) have U tried a preset config?:
  15. Other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here. )
    Described in my article.
  16. Defense+ and Sandbox OR Firewall security level:
    Described in my article.
  17. OS version, service pack, no of bits, UAC setting, & account type:
    Windows 7 x64 fully updated. UAC is disabled. Account is admin.
  18. Other security and utility software running:
    No other real-time scanners besides CIS. See log file for any other processes.
  19. Virtual machine used (Please do NOT use Virtual box):
    Not a virtual machine

[attachment deleted by admin]

[attachment deleted by admin]

Hi Chiron,

A fix will be available with future CIS virus database updates. Thank you for reporting this!


I think this is caused by the script scanner, some script is spawning a shell32 command, it’s the ‘elevated privileges’ alert that’s still valid for default sandbox setups.
What it should show is the real process behind it that causes this.

Can you try to see with Process Explorer which parent executes shell32 at that time and with what ‘command-line’ it does that?

I’ve got the same CIS and database versions as does Chiron, and CIS has been popping up weird alerts about Microsoft modules for the last couple of days. It is not just when a script spawns something. CIS didn’t like AOL or any of its submodules that had been OK before and have not been updated, warned me about IE8 (I’m still running WinXP SP3 on this PC) which also had no updates, the shell32 module and lots more, including seaport.exe from Microsoft. Defense+ has listed all of these instances as “intrusions.” Something recently went whacko in the CIS code, guys… you need to be looking for it to correct and nottake the position that it is some other problem.

Hi Wrapper,

Was this behavior persistent over reboot? Did you by any chance change the Image Execution ‘Treat unrecognized files’ setting or check ‘Block all unknown request’
It’s pretty important it can be reproduced before they can fix this.

Hi Ronny, No I didn’t make any changes to any CIS settings or to anything else for that matter. The PC where this is happening is one that I mostly use for media files, and it is rarely rebooted. In this case however, the PC was rebooted because of a power outage, and I believe but cannot swear that the spurious alerts were happening before the reboot. They are certainly happening after that power-related reboot, and I have just rebooted the PC again as the result of your message. I’ll work with it for a few hours to see if the weird behavior continues and will report my fondings at that point.

You should be able to find the ‘alerts shown’ in the advanced logfiles, open a log and press the “More” button to get in to the advanced logging.
Maybe that gives a clue about when this dementia has started.

In my case it started on December 11, 2011 at 9:35:36 AM CST Dallas, Texas, US (should be GMT -6) stating that DfrgNtfs.exe is not digitally signed, but I know it is a Microsoft module. The problem alerts continued until today, but have not reoccured after the reboot you suggested. Let me know if you need more info.

I suspect that cmdagent.exe has died somehow, that is the only reason cfp.exe could fire so much alerts.
Could you try to verify the Windows Evenlog to see if it has records of cmdagent during the time the alerts started on the 11th?

I’ve used the event viewer in the Administrative Tools control panel application and viewed all of the logs looking for cmdagent.exe, but didn;t find any entries.

If I’m looking in the wrong place, please be more specific as to how to get to the information on a XP SP3 system and I’ll be happy to do it.

I haven’t seen errors of late, but then I’ve been shuting down the PC where I would normally be leaving it running, so the restarts may be masking what ever was the problem.

Well I would just leave the PC running and if it starts to alert again, please verify the Taskmanager and see if cmdagent.exe is running.
You can verify this now just to see how that looks. You can start taskmgr via Start, Run, Taskmgr [ENTER]

OK, I’m very familiar with task manager. If and when it starts to give bogus alerts I will check to see if cmdagent is running and let you know.

I just had it happen again with CIS V 5.9.
cmdagent.exe is running.

I walked away from my computer for a while, and it went to sleep. When I woke it up again it had this alert. I’ve attached it.

I’ve also attached a pic of the Defense+ logs, which does have a log with a related alert for shell32.dll.

[attachment deleted by admin]

I just had this happen on another computer.

This one was also running CIS V5.9 on Windows x64, but it was configured different. The only difference from default was that I had added some files to the trusted files list, changed the manual AV scanning settings, and changed Stealth Ports Wizard to Block all and Stealth all. Also EPM was enabled.

This also happened after resuming from sleeping.

This is fixed with version 6.1.275152.2801.