CIS 4 Defence Plus has the same shortcomings as CIS 3

I tried Defence Plus briefly and I am not happy.

1- Paranoid mode in CIS 4 is NOT PARANOID in fact. I want all system processes to be untrusted with full custom rules, so I deleted all pre-configured rules and deleted the System group etc., but it automatically assigns system processes the permissions to do anything (except child process execution) during a reboot. So there is no way to fully control system processes even with max settings and 100% custom rules; the same bug was there in CIS 3 (in CIS 3, even if you don't put it in learning mode, it will create rules automatically during system reboot marking system processes as trusted). I guess they might have made it to avoid the situation where a user might make his system un-bootable by wrong configuration, but IMO this can be avoided by allowing actions (without permanent rule creation) during system boot-up, rather than creating permanent rules even when CIS is not in learning mode.

Just an example. In CIS 3, there was almost no way to make a rule that will alert the user whenever services.exe tries to load a driver. Every time you set the rule to Ask, it will be converted to Allow during a system reboot. The same is true of CIS 4. I made a thread about it regarding version 3; sad that the same problem is still there in version 4.

I had a malware sample in the past that used to load its rootkit driver via services.exe.

2- Another bug of CIS 3 still there: in learning mode, even with paranoid settings, the rules made by CIS are not paranoid; rather they are simple allow rules marking applications as Trusted. I remember SSM used to create paranoid rules in such a situation with complex parent-child relationships.

3- Another design shortcoming of CIS 3 inherited by CIS 4: no clear alerts for driver install/loading, just a registry access pop-up alert.

4- Still more, I tried the Brontok worm in the Sandbox and it seems to make its copies here and there, rather than in a virtual hard disk. I may be wrong as I have not read about this sandbox yet. Where does it keep its virtual registry and files?

5- Pop-up alerts are still not user friendly in advanced mode (more options). Too many clicks needed. Also no way for on-the-fly rule creation via pop-up alerts.

From a gross look, CIS 4 seems essentially the same as CIS 3 with a sandbox added. :-TD

There is only one thing extra to prevent this: you have to set “Block all unknown requests…” on D+ before reboot. This will prevent the “auto-learn” stuff and cause alerts for services.exe and not set the permissions back to allow… I know it’s not 100% what you are looking for (and I would like to have this behaviour configurable :-TU a bit more easily, like a REAL “don’t learn anything” option).

> So there is no way to fully control system processes even with max settings and 100% custom rules; the same bug was there in CIS 3 (in CIS 3, even if you don't put it in learning mode, it will create rules automatically during system reboot marking system processes as trusted). I guess they might have made it to avoid the situation where a user might make his system un-bootable by wrong configuration, but IMO this can be avoided by allowing actions (without permanent rule creation) during system boot-up, rather than creating permanent rules even when CIS is not in learning mode.
>
> Just an example. In CIS 3, there was almost no way to make a rule that will alert the user whenever services.exe tries to load a driver. Every time you set the rule to Ask, it will be converted to Allow during a system reboot. The same is true of CIS 4. I made a thread about it regarding version 3; sad that the same problem is still there in version 4.
>
> I had a malware sample in the past that used to load its rootkit driver via services.exe.
>
> 2- Another bug of CIS 3 still there: in learning mode, even with paranoid settings, the rules made by CIS are not paranoid; rather they are simple allow rules marking applications as Trusted. I remember SSM used to create paranoid rules in such a situation with complex parent-child relationships.


Agree, Learning mode is a misleading name for what it does; it will set all “newly run” applications to predef “Trusted”…

> 3- Another design shortcoming of CIS 3 inherited by CIS 4: no clear alerts for driver install/loading, just a registry access pop-up alert.
>
> 4- Still more, I tried the Brontok worm in the Sandbox and it seems to make its copies here and there, rather than in a virtual hard disk. I may be wrong as I have not read about this sandbox yet. Where does it keep its virtual registry and files?


If you manually added it to the sandbox, then it should be in c:\sandbox and HKLM\System\Sandbox.

> 5- Pop-up alerts are still not user friendly in advanced mode (more options). Too many clicks needed. Also no way for on-the-fly rule creation via pop-up alerts.
>
> From a gross look, CIS 4 seems essentially the same as CIS 3 with a sandbox added. :-TD


It is… I just don’t agree on the :-TD part :wink: …It’s still the best in the free division.

Ronny