I have CIS installed with Defense+ disabled (this is not the PC where D+ crashes on boot, but another PC where D+ works but I don’t want it to…)
I also have a Dameware agent (www.dameware.com) installed. This is a remote access server so I can connect into this box from 72 miles away. Naturally, CIS detects this as slightly dodgy and blocks it via the firewall. I’ve told the firewall it’s a trusted application, so that’s ok.
However, every time the PC boots the AV detects DWRCS.exe in ~/system32 and gives me the red box. I elect to ignore it, adding it to exclusions. But next boot it’s re-detected and again I add it to exclusions. I now have two entries for the same file in the exclusions list, and I bet I could fill up several pages worth of exclusions with this one file.
Shades of AVG here. That used to do this sort of thing, and sure enough if I try to add DWRCS.exe manually I’m told I can’t because there’s already an entry.
So, how do I tell CIS not to keep detecting this? It’s in the exclusion list, after all.
[2 mins later…]
Duh! I added it to exclusions and my safe files thing, but after posting here I tried to add it to the security policy as a trusted app and couldn’t because it already existed. Ah, but it existed as not a trusted app and was set to ask about everything. So I changed that to really trusted and now it’s fine.
I installed DWRCS on another PC running CIS and ran into exactly the same problem - even after having just gone through the above and knowing what the fix was, it took more than one round of ignores, and telling CIS DWRCS is trusted, to achieve a happy state. I think there’s something very sub-optimal in the way this is handled.
And… whilst on this subject, I installed CIS when re-installing XP for someone, replacing the AVG she used to use. I ran through how to ack alerts and all that with her, but the latest I hear is that she’s rather put out with CIS because it keeps telling her things she doesn’t know how to deal with. I wonder if this is a similar thing to what I’ve had here, where one thinks one knows what to do but it just doesn’t happen right, and then you end up feeling not in control and not understanding what’s going on any more.
On the first one, the firewall was in safe mode, I think, and D+ disabled. On the second D+ was enabled but I remembered to put CIS into installation mode first.
The new 3.8 in Clean PC mode should not give you too many alerts though.
Please understand that the “Install mode” is only active for programs marked as “Installer/Updater”. If you would like CIS to learn the users/application behavior, set it to Training mode for a few days and then switch back to Clean PC mode.
If you install software, make sure you answer the first D+ Alert with “Installer or Updater” and untick “Remember”. D+ will ask you to switch to Install mode, and after you have finished installing you can switch back to “Previous mode”.