I’m having this problem, and so does some of my clients.
If CIS detects a virus/malware and you’re not around, it will block that file without leaving a note, except on the AV log. It also happened that I was on the pc and saw a small window on the bottom-right which disappeared too quickly for me to read it, was saying it detected a virus on a file.
I then checked the AV log and saw a detection, then tried to allow that file because it was a false positive or anyway something not that bad (like an unwanted application). I then scanned that single file and the scan reported the virus/malware, I then told it to ignore it but the file was still locked (you know, the executable doesn’t show the icon and running it will tell you that it cannot access it).
Sometimes I could fix it by turning off the AV and then on again (it’s set to stateful), but I’m right now having a problem with a file, that gets locked again whenever I turn AV on again.
The file appears on the exclusions list and it’s not in the AV log, not even as detected, but still it’s locked by CIS whenever I turn on the AV.