Defense+ Events questions

Since upgrading to CIS 3.5 from CFP 3.0 (firewall only), I note that on the Summary page>Proactive Defense panel there is this line:
The Defense+ has blocked n suspicious attempt(s) so far. (where n is a number)

When I click on the n, I see the following applications listed many times in the Defense+ Events:
…\BOC427.EXE
…\WinPatrolEx.exe
…\Malwarebytes’ Anti-Malware\mbam.exe

In the Action column, in every instance, is Access Memory.

In the Target column, is variously listed:
…\cfp.exe
…\cmdagent.exe
…\cfplogvw.exe

I use BOClean, and also MBAM and WinPatrol PLUS (neither of the last 2 are resident, however) and obviously none of these are suspicious programs. I use NOD32 2.7 as my resident AV, and Windows Defender as my resident anti-spyware.

Interestingly, running on-demand scans with my NOD32, Windows Defender, or a-squared Anti-Malware does not trigger a “suspicious attempt” entry in the D+ Events log.

My question is, why are BOC, WinPatrol, and MBAM blocked as suspicious attempts? And how should I configure the Defense+ Settings>Monitor Settings tab (currently, all boxes are checked by default after upgrading)?

This is normal behavior. When other scanners are scanning your PC, some also scan memory objects (processes in memory). Some scanners like MBAM and BOC do this. CIS has built-in protection and protection from Defense+ itself to not let ANY other processes “mess” with its processes (cfp.exe, cmdagent.exe, etc.). Scanners need inter-process memory access to scan files in memory, so CIS is just defending itself from all other applications, in case one of those is malware trying to shut it down and disable it.

And even allowing inter-process memory access to these scanners, CIS will still block their scans on the CIS processes. Goes to show the level of protection that CIS has. :wink:

:slight_smile:
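A way to triage events like the ones in this thread, as an added example that is not part of the original posts or Comodo's code. It assumes the Defense+ events have been copied out as tab-separated Application, Action, Target rows (a constructed layout, with constructed sample rows), counts Access Memory blocks whose target is one of the CIS processes named above, and leaves everything else for review.

```python
from collections import Counter

# CIS processes named as targets in the thread.
CIS_PROCESSES = {"cfp.exe", "cmdagent.exe", "cfplogvw.exe"}

# Constructed sample rows (Application, Action, Target), tab-separated.
# The column layout is an assumption; paths stay elided as in the thread.
# The last row (example.exe / other.exe) is hypothetical.
SAMPLE_EVENTS = """\
…\\BOC427.EXE\tAccess Memory\t…\\cfp.exe
…\\BOC427.EXE\tAccess Memory\t…\\cmdagent.exe
…\\WinPatrolEx.exe\tAccess Memory\t…\\cfp.exe
…\\Malwarebytes’ Anti-Malware\\mbam.exe\tAccess Memory\t…\\cfplogvw.exe
…\\BOC427.EXE\tAccess Memory\t…\\cfp.exe
…\\example.exe\tAccess Memory\t…\\other.exe
"""


def basename(path):
    """Lower-case file name; copes with backslash paths and the elided prefix."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def triage(text):
    """Return (Counter of self-protection blocks, list of rows left for review)."""
    self_protection = Counter()
    review = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            review.append(line)  # malformed row: keep it visible
            continue
        app, action, target = (f.strip() for f in fields)
        # Self-protection noise: memory access aimed at a CIS process.
        if action.lower() == "access memory" and basename(target) in CIS_PROCESSES:
            self_protection[(basename(app), basename(target))] += 1
        else:
            review.append(line)
    return self_protection, review


if __name__ == "__main__":
    blocks, review = triage(SAMPLE_EVENTS)
    for (app, target), n in sorted(blocks.items()):
        print(f"{n:3d}  {app} -> {target}")
    print("needs review:", review)
```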

Thank you, .FaZio93.

:-TU

No problem. :slight_smile: