Oh for crying out loud, I’m not gonna use the stupid “standard” bug report format, because it’s just dumb. And if you don’t want to fix the issue if I don’t use it, then F… it.
I’ve noticed that HIPS will lock up the system entirely with NO way of recovering it except with System Restore.
How to reproduce the bug:
Enable HIPS, also enable “Enable enhanced protection mode” and delete ALL rules in all subsections.
This, at least in theory, should mean that if there are no rules, no rules should be triggered or blocked.
Everything will work well until you switch the HIPS mode to “Paranoid”. When you do that, in a few seconds, you won’t be able to do ANYTHING with the system. Mouse will move but you won’t be able to click anything or open anything. Also no way to change HIPS level to anything less than Paranoid mode.
Only way to get system back is to use System Restore…
What should happen or what I expected?
Nothing. Nothing should happen because if there are no rules, nothing should be triggered or blocked. But CIS apparently blocks EVERYTHING if there are no rules on the HIPS list, be it allow or block rules. Empty list in paranoid mode means LOCK EVERYTHING DOWN. And by everything, it means EVERYTHING, even CIS itself and the OS. Which makes no sense at all. I wanted to use HIPS as an extension for a very specific file protection and because of this, I can’t do it at all because it will either trigger a bunch of other rules that I DON’T want or, if I remove them, it will lock the system completely. I also don’t want to use “Safe Mode” to avoid signed malware from tricking CIS into allowing it access to protected stuff.
The only thing that I don’t get is, how come it doesn’t lock up if you keep HIPS in “Safe Mode” mode? For as long as I keep it in “Safe Mode” it will work perfectly fine. But as soon as I flip the setting to “Paranoid”, it locks down the system.
System config:
- CIS 6.2.282872.2847 (AV and FW)
- Sandbox level set to “Limited”
- Windows 7 SP1 64bit (fully updated)
- No other security apps installed
Anyone willing to try and test this (either on a real system or in a VM)? Just make sure you create a System Restore point before testing. When it locks down the system, boot into Windows Safe Mode and use System Restore there to gain access to the system again. I’ve tried it twice and it restored perfectly in both cases…
EDIT:
I’ve disabled “Enable enhanced protection mode” and it still locked up the entire system when I set CIS to Paranoid mode…