What follows is going to be quite long, so let me first specify the configuration in order for everyone to understand what I am speaking of.
I am still, and happily, running CIS v3 (third-party AV) on my "production system".
In order to participate in the translation of CIS 5 into French (still a long road to go…), and as I have 2 physical hard disks, I installed the same OS on the second hard disk, and CIS 5 on it.
I am now able to dual boot XP with CIS 3 or CIS 5.
Both OSes are XP Pro SP3, French, 32-bit, FAT32.
I first installed the last CIS 5 RC on the second disk.
I uninstalled it yesterday, and it's rather a good point: the CIS built-in uninstaller leaves almost nothing behind, except half a dozen registry entries (mostly legacy drivers), which I got rid of with Regseeker.
Next, I downloaded and made a fresh CIS 5 final installation, and the behavior I describe thereafter is common to both situations.
Let's assume that my initial concern is to run the firewall and Defense+:
- the AV is set to disabled or low, which changes nothing for what we are concerned with
- the configuration is set to Proactive
- the sandbox and cloud are disabled
- every trusted vendor is deleted
Now, I don't want the firewall and Defense+ to take any decision I am not myself approving or denying, including the default svchost behavior:
- the firewall and Defense+ are both set to the highest level
- every preset group of rules (Windows Operating System…) is switched to custom, but I check that no deny rule exists: the different Defense+ items are set only to ask.
Everything goes smoothly as long as I select my desired settings for the firewall and Defense+, except for a dramatic behavior recently reported on this same forum, and never corrected since v3:
when you allow a firewall rule, the rule is allowed not only for the local subnet, as reported in the thread I am speaking of, but for everything on the web.
This is indeed a very dangerous behavior.
Of course, you will argue that if I customize, I know exactly what I am doing, and I actually do:
but probably not everyone in such a situation knows that he should then amend the new rule according to what should be allowed in terms of IPs and ports, and even if he does, he still needs a piece of paper to note what has to be allowed: totally unacceptable.
Now, every daily use is set, the browser and mail client are allowed as they should be, and the system, svchost and LAN rules were made and amended according to their requests:
time to go to the last item on the right side, I don't know what you call it in English, "summary", "preferences", or something alike.
As soon as I enter it, the GUI crashes without asking anything: the only working thing is a right click on an empty desktop location, and everything behaves as if CIS had blocked both the monitor and the mouse, although nothing is ever asked.
The CPU usage is normal, but nothing works (including Ctrl-Alt-Del, which would not allow you to kill CIS even if it did).
CIS might actually be "overflowed": Ctrl-Alt-Del is answered with a CIS request 10 min later (I really mean 10 min).
You are stuck; even the power button does not work anymore, and even if you unplug the machine, when you plug it in again you face the same situation, leading to the next bug:
The only solution is to reboot into your working system, and from there to delete only the CIS drivers on the faulty system, and then reboot it… and it works, meaning that anyone with access to your working partition from another one or from an external boot device is able to throw CIS out in 2 min:
don't be overconfident, the situation would be exactly the same with NTFS unless folder rights and passwords are enforced, and it does not depend on Windows shares (there aren't any in my configuration):
scary, isn't it?