I had CIS go flunky on me and had to disable HIPS out of paranoid mode. CIS and a majority of Win 7 went non-responsive. I went into safe-mode and checked the logs, and for hours there were all sorts of HIPS alerts logged but never visible on the screen.
For example, countless items such as: \Device\GLOBALROOT\Device\HarddiskVolume2\Windows\System32\drivers\cdrom.sys, and perhaps about 50 other incarnations of things in that folder. What’s up with the protected-volume device name reference? These alerts are all for SVCHost - which I took out of Windows System Applications default group, and it has its own custom rules.
What I did was manually put the missing entries into the protected files / folders access name resource permission list, along with all the other alerts for it and other apps, and re-enabled HIPS into paranoid mode. So far so good.
One thing that seems to be a problem is that the machine won’t log off. There are no errors in the event log, there are no alerts in the CIS log, but I must power off and then get the improper-shutdown message (along with the unexpected shutdown in the event log).