Running Full CIS 6.0.260052.2662 (and CESM 3.0.51212.1). Overall love a lot of the feature additions! Great work ty
BUT few drawbacks:
The old summary screen was the BEST. Real info, straight away - YUM! Can see how the current one works for home users, but love to be able to choose which is default on install.
Activity Monitor seems missing - Is ‘Watch Activity’ in advanced tasks the successor? (Vital in biz environment IMO, ok as plugin for home users).
Defense+ rule creation is far less convenient now. Loved being able to go from summary view to seeing Sandbox and making a new rule to allow based on specific behaviour.
Need to be able to do same for firewalling (ie: convert rules with a tick)
Logging overview is fabby - but again inconvenient to work with and inconvenient to get to. Would prefer logging summary on first home screen with ability to click on the log of interest get immediate, ‘tick to create rule’ breakdown of each event per section (def, firewall, av)
BUG/NIGGLES:
Inbound access alerts no popup
Can't seem to enable popups for inbound network access. Am attempting to enable RDP (this should be a tickable rule in main firewall screen IMO).
Settings are as per screeny, and HAVE enabled rule alerts via ‘Stealth’ from main menu.
Firewall log must show actual path to application (ie: Inbound RDP just shows ‘Windows Operating System’ vs svchost.exe). Also ‘Allow an application’ should allow discrete controls (ie: advanced ability to create full rule with TCP/UDP ports etc etc)
Thanks, sorry if some of the things are already doable & keep up the awesome work!
If you’ve selected ‘Block Incoming Connections’ via ‘Stealth Ports’ inbound connections are blocked and discarded, hence Windows Operating System showing in the log. If you want notifications for inbound connections, you’ll need to either set ‘Alert Incoming Connections’ or remove the Block IP In global rule.
HAVE enabled rule alerts via ‘Stealth’ from main menu (CIS1 attached) but still have problem noted.
Ragad, what CIS version are you running?
Also tried:
Setting to blocking mode, and deleted default block rule as you’ve suggested, no improvement (testing by telnetting from CESM server on same LAN to port 139).
Disabling local filtering & IPv6 filtering no improvement
Note: Some blocks still show up in logs even though there appears to be no rule to block
DEVS, be nice to be able to DISABLE rules for testing rather than delete
Anything else I might be missing as this looks like a bug in the version I’ve downloaded.
Would love feedback on any other items I’ve noted that others have working etc.
Possible Side Bug: CESM Policy = V Slow after login
Imported the config into ESM and created as a policy, applied, rebooted and everything went very very very slow straight after logging in (ie: 2 minutes to right click CIS in tray and get the options, never managed to close). Xencenter shows max RAM usage. Set back to local policy in CESM and forced restart of host, performance Ok again.
“1. The old summary screen was the BEST. Real info, straight away - YUM! Can see how the current one works for home users, but love to be able to choose which is default on install.”
Are you working off a VM? The default UI should look like this (see screeny). If you are working directly off a VM try connecting to the vm’d ESM server from a standard desktop/laptop. You may need to install the ESM cert. into your Trusted Root container.
“2. Activity Monitor seems missing - Is ‘Watch Activity’ in advanced tasks the successor? (Vital in biz environment IMO, ok as plugin for home users).”
Alerts are visible in real-time if you are seeing the display as per the screenshot
3 + 4 - The ESM beta was released with a CIS 6 beta. The next release (2013/01/24) is an ESM RC with an extended CIS beta which allows for pre-deployment firewall rule creation and app whitelisting - watch this space for more…
I think the CESM v3.0 evolutions are overall fabby - I am referring to the CIS v6 agent for the posts above, so I’ve probably put this in the wrong place :embarassed: Apologies for the ambiguity and thanks for the update!