CIS went off on several MS files - why?

The last two days when I have booted my machine (W7 x64), the desktop comes up then a long delay. After several minutes, CIS starts complaining about and sandboxing several MS files (e.g. wmiprvse.exe, taskeng.exe, mscorsvw.exe, wmpnetwk.exe and more). I ran SysInternals sigcheck against several and all was OK. Why has CIS suddenly started complaining about these? CIS version 5.10.22857.2253, AV 13740.
Has anyone seen anything like this? Comments appreciated. Thanks and enjoy, John.

EDIT: When I right click these files in the D+ events log and click “Add to trusted files” I get the message “File is already in the trusted file list”.

Do the Windows logs bring any insight here? Are they logging errors? The logs can be found in Control Panel → Administrative Tools → Event Viewer → Windows Logs → System.

EricJH, thanks for your reply. Nothing remarkable in my System Log. This occurred two days in a row on a power up. The last two days have seen no such behavior. I am assuming that it was a suspect signature database. Today CIS is on 13764. Thanks and enjoy, John.

This happened again today. It showed the same files plus dllhost.exe. My system is usable for several minutes after a cold boot. How do I stop this behavior? Anyone else seeing this? Signature database is 13796 today. Thanks and enjoy, John.

Are the offending files on the Trusted Files list?

EricJH, they always have been. CIS complained about files today that were on the list when I had my last episode. I have seen this same behavior with some AMD RAIDExpert files. I cured the repeated complaints (every boot in that case) by setting them as Trusted Installers. I hope I do not have to do that for a bunch of Windows standard (signed) files that everyone has. Thanks and enjoy, John.

This occurred again on first boot today. I hope someone can suggest a solution; reboot was OK. Thanks and enjoy, John.

This may be due to some sort of problem with your installation. If you like, reinstalling CIS will probably solve your problems.

However, if you do decide to reinstall it please follow the advice I give in this post.

Please let me know if you have any questions.


Chiron, thanks for your reply. I will keep your procedure in mind, but I prefer to install a fresh copy of W7. I have an unattended procedure that allows me to install W7 and most of the applications I use in a little less than one hour. What I would really like to know is what has gone wrong with my installation and how to avoid it in the future? Thanks and enjoy, John.

Try downloading it again and check the MD5. Ensure the file didn’t become corrupt.
Beyond that, no answer at this time.

John Buchanan, thanks for your reply. I always check the hash codes on DLs when they are available. Why would CIS do this one day and not again for a month? Enjoy, John.

Recently my system suffered a crash (Bug Check) but rebooted OK. CIS started going off on many things that made no sense (e.g., shell32.dll). The manual scanner quit running (right click - Scan with CIS failed with unable to initialize). I uninstalled CIS and reinstalled it and it seems to be without these bad messages. Apparently CIS got corrupted during the crash. Enjoy, John.

Did you get any warning or info from CIS, like “CIS is corrupted, run diagnostics”?

I think in such a scenario CIS should inform/warn the user of corruption and offer to run diagnostics.

naren, thanks for your reply. I got no warning, just plenty of sandboxing of applications that I have run many times. I had to make them “Installer/Updater” to stop the messages and allow the applications to run. I agree with you, but even more basic, why did CIS get corrupted in the first place? None of my other applications got corrupted. IE9 and Adobe Reader both said they had quit working and Free Download Manager (FDM) gave a severe error message, but none required removal/install cycles. This is kinda scary. Enjoy, John.

Sometimes when cmdagent.exe or cfp.exe crashes this can damage the rules as they are stored in the registry.

This problem may also be solved by importing and activating a factory default configuration. It will save you from the reinstall. However, you still start from scratch.

Thanks, EricJH. Where do I import a factory default configuration? I usually run the Proactive configuration. If I switch to another, then back to Proactive, will this do the trick? Will importing a factory default configuration repair the failing cavscan.exe I got? BTW, I tried Help but since it has been changed to a web site, I have found it much less than useful. Thanks and enjoy, John.

I asked this because on my family's and friends' systems, who are average users, I have disabled show notification for autosandbox, because at times they simply click “don't isolate again”, which could be risky. So in this scenario they may not know instantly that the problem is with CIS, as they will not get the autosandbox notification.

Anyway, I strongly think CIS should know if there is any corruption and offer diagnostics, etc…