Defense+ not working if executable is launched from installer

the following issue concerns CISv4 and v5.
When I execute an unrecognized installer, I have to allow it for sure, then the installation process goes normally.
Now if at the end of the install, I tick “run the application x”, then Defense+ is just like disabled, no warnings.
If I run then the application in the normal way, I get all the warnings I should have had.
(My example is PCWizard, you can try). I tried different settings, paranoid mode, etc, but it simply doesn’t work as it should.

What can be done, is it a bug? It’s like if you allow the installer to run, applications launched by it get full
Thanks in advance,

Tested the exactly behavior.
Like you, I wish an improvement.

Not sure what you want you either run the installer as a installer which gives it rights to child process.

Or you have alerts for everything it does.


You’re right. Forgot that: child processes. Sorry.

Thanks for the answer, so the solution is to untick “Automatically detect installers/updaters and run them outside the Sandbox”, not very practical but efficient.

Does this have any side effect? I mean, increasing the number of popups?

Yes it does, since the installer doesn’t get full rights. Moreover, you should disable the sandbox so that all installers are not sandboxed automatically (or untick “treat unrecognized filed as” in execution control settings).

This will decrease the Defense+ protection that much in my opinion.

I think there has been requests for CIS to detect the end of an installation.

The same thing will happen when installing when running Windows as limited user. You will need to elevate for the installer. When you start the application from the installer it will run elevated. When you start the application again it will run limited.

For now; simply don’t start a program from the installer.