If the CIS Service (cmdagent.exe) has started and detects something (say a program with no existing rule or suspected malware) before the GUI (cfp.exe) has started :-
- what does it do with the program or malware?
- how does the user know that an incident has occurred (especially if it blocks a valid program)?
What a excellent question. I will PM the developer.
I believe I read somewhere that with no GUI, it is default block.
I have no idea how the user would know the incident occurred if it was malware, but if it was a valid program, the user would obviously know it failed to start.
If Defense±>Advanced->Defense+ Settings->Block all unknown requests if the application is closed options is selected, everything unknown will be blocked.
If it is not selected,(by default), it will be allowed bu learned so that the next time there wont be such a case.
After booting, if CIS is not properly closed, e.g. terminated etc., it will be blocked.
Does that also apply when CIS is set to Proactive?
It would be, Eric. As the GUI is not yet active at this point, everything not with a rule would be considered default deny.