How does CIS Handle Malware Detected before the GUI Starts

grahamcopley · April 20, 2009, 7:00pm

If the CIS Service (cmdagent.exe) has started and detects something (say a program with no existing rule or suspected malware) before the GUI (cfp.exe) has started :-

what does it do with the program or malware?
how does the user know that an incident has occurred (especially if it blocks a valid program)?

patrice58 · April 20, 2009, 7:16pm

What a excellent question. I will PM the developer.

HeffeD · April 20, 2009, 7:46pm

I believe I read somewhere that with no GUI, it is default block.

I have no idea how the user would know the incident occurred if it was malware, but if it was a valid program, the user would obviously know it failed to start.

egemen · April 20, 2009, 7:51pm

During booting:
If Defense±>Advanced->Defense+ Settings->Block all unknown requests if the application is closed options is selected, everything unknown will be blocked.

If it is not selected,(by default), it will be allowed bu learned so that the next time there wont be such a case.

After booting, if CIS is not properly closed, e.g. terminated etc., it will be blocked.

Egemen

Citizen_K · April 21, 2009, 12:27am

Does that also apply when CIS is set to Proactive?

jebuchanan · April 21, 2009, 12:43am

It would be, Eric. As the GUI is not yet active at this point, everything not with a rule would be considered default deny.

egemen · April 21, 2009, 1:49pm

Yes.