My CIS Wishlist thread

I’ve been using CIS6 for a few years, and I’ve come up with a list of features/bugs/improvements/annoyances that I’d really like to see. I’ll eventually create a proper new thread for each suggestion, but first let’s discuss these entries a bit. I know there are likely existing threads for some of these entries, so feel free to point them out. I’ll perform a more thorough search later. Let me know what you think.

  • Cloud lookup: Cloud lookup adds safe files to trusted files list and bad files to blocked files list. There should be an option to disable the service from adding safe files to trusted list, but still allow bad files to be added to blacklist. This way CIS/HIPS would show up alerts for applications even though they are considered safe by cloud service. This behavious may be desired in some cases i.e. I’d like to have HIPS rules for all unknown and safe applications, but don’t want to give up the protection from bad files that the cloud service offers.

  • Paths: Apparently the trusted files list in CIS6 works by hashing files. Please add back the feature that works by path name alone. This may be desired in some cases. If you’re worried that users may use this unsafe feature then perhaps make the hash default and add a warning for when adding trusted files by path.

  • HIPS process policy inheritance: Suppose we have a computer and that there is application/process A currently running on it. So I got this idea that there should be a feature that allows HIPS to add rules for a given file/process where this rule allows HIPS to classify all child processes that were executed by the existing process (in this case process A) to be treated under a specified ruleset.

Let’s say that process A.exe has a new custom policy. Very soon process A spawns a child process B.exe. Instead of treating this new child process as unknown by HIPS, the ruleset of process A dictates that all processes spawned by process A should be treated as something pre-defined i.e. “Text editor”. But this only works when these executables were invoked by process A. If a process C.exe (that does not have any equivalent HIPS ruleset) executed process B in the same manner then process B would now be treated as unknown.

We can take this idea even further. Suppose we add a list of child process rules for a given ruleset. Process A spawns three child processes E, F and G. Now since we have a list of rulesets it means that we can now tell HIPS to treat process E as “Trusted”, process F as “Blocked” and process G as “MySecretRuleset” policies. But all these rules would only apply for child processes that were spawned by process A. If any other application i.e. process Z would attempt to spawn/run the very same executables (E, F and G), they would ofcourse be treated differently. If no sub-rulesets are set for process Z then the child processes get treated as unknown.

This approach would be most useful for applications like Atmel Studio 6 that spawns and runs *.bat files with random file names to compile the C code into binary data. Currently only the installer policy seems to treat the main process and all child processes as trusted. There is no way to configure this on a per-application level.

  • Custom sandbox policies: There should be a way to configure sandbox policies similarly to how HIPS rules are made. Currently we’re only allowed to choose from a small number of options in a drop-down menu.

  • Firewall popup buttons: In the firewall popup menu, the block button should not open up a sub menu. Instead there should be two separate buttons - one for block only and another for block and terminate. I get annoyed by having to click twice to block an application. Maybe this wouldn’t be the best approach though - what if an user accidentally/unexpectedly clicks the terminate button as soon as the popup appears? Perhaps add a checkbox to also terminate the program?

  • Protected Registry Keys: HIPS should have an option to allow an application to access a certain group of reg keys, but not others. Is this already possible???

  • WHOIS: The firewall popup should have an option to display whois / reverse DNS lookup. Maybe add a link or a button that needs to be clicked for this info to be displayed.

  • Sound: Playing sound when alert is shown - add an option to choose which sound to play (browse for .wav files).

  • Hack tools: Add an option to anti-virus to ignore “hack tools”. They’re basically tools that are somehow on the dark side, but aren’t themselves viruses or dangerous. I use some of these tools on a regular basis to debug/administrate/maintain/clean/etc my PC. I’m annoyed by the fact that you cannot disable these as a group - you have to add every individual one to the AV exception list. I think ZoneAlarm had an option to disable them all with a single checkbox.

  • Consecutive antivirus popups: They are annoying. I know there is an option that allows you to ignore a threat once… except that it doesn’t work! Each time I get an AV alert, and choose to ignore the threat once I get multiple more consecutive popups for the same threat that follow soon after. The “ignore once” option should really ignore the threat once and not display any following alerts for the same ignored file at a given time.

  • Better handling of SVCHOST process: These are basically one process, multiple services. Is there a way to control and/or apply rules/policies per each service that is running under this process?

  • Fix the darn full-screen freeze already! Where do I begin? I can’t stress enough just how many times I’ve forgotten to disable the HIPS/BB and ran a computer game. The game then switched to full screen and froze the whole computer because it triggered a HIPS popup alert.

When a game is run it normally switches to full-screen, and changes screen resolution. Next the game triggers a HIPS alert that displays a D+ popup which is waiting for user input in the background. This is the problem. The popup alert halts the execution of the app, but since the app is full-screen and/or different resolution, the popup alert is normally displayed off-screen, so there’s no easy way to respond to it. The whole screen is black. This means the computer is frozen until the popup times out. And normally a game will trigger multiple consecutive popups that increase the timeout to the number of popups multiplied by the timeout for a single popup. This can take up to 10 minutes or more before the PC becomes responsive again, and it is sometimes faster to just hard-reset the computer.

Yeah yeah, I know. Use the frigging game mode you n00b! Well, not quite! Just what the heck is wrong with game mode you ask? Everything! For starters it seems to automatically allow most alerts including some firewall events - of which there are many that I would not normally allow (I’ve had some applications bypass the firewall this way). As an addition I’d like to point out that all of us are only human beings. Yes, humans, people! And people are bound to forget things. A lot of times I simply forgot to activate it before double-clicking that icon on the desktop before realizing oh shi… BLACK SCREEN! And did I mention? Just as I forget to turn the game mode on I also forget to turn it back off once I’m done playing. Worse off, the game mode seems to persist over reboots.

So please make sure that HIPS alerts are displayed on-screen when a full-screen game is launched!

There, that’s about it.

EDIT: I have forwarded the relevant ideas into appropriate threads in the wishlist section. Please use those threads to discuss the ideas further. This topic can now be closed.

[[url=]Configurable sandbox[/url]] [[url=]Full screen freeze[/url]] [[url=]HIPS Policy inheritance[/url]] [[url=]Classify by file path[/url]] [[url=]Hack tools[/url]] [[url=]Cloud lookup control[/url]] [[url=]Better SVCHOST handling[/url]] [[url=]Firewall WHOIS[/url]] [[url=]Configurable sounds[/url]]

You can disabled the TVL (Trusted vendor list) by going to Advanced Settings > Security Settings > File Rating > File Rating Settings > Un-tick “Trust applications signed by trusted vendors”
I think this would give the result you want, you might need to clean out the Trusted Files list which is below “File Rating Settings”


:-TU :-TU

:-TU :-TU :-TU


Navigate to HIPS rules, click edit on the application you want, select “Use a custom ruleset” if it’s not already set to that, navigate to “Protected Registry Keys” in the box below and click “Modify (x\x)” under “Exclusions”, I think you’ve got the rest of it.

:-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU :-TU

:-TU :-TU :-TU :-TU :-TU :-TU :-TU

:-TU But warn users when they try to do this.

:-TU :-TU :-TU :-TU :-TU :-TU


Have you tried Alt+Tab? That always works for me.

And actually most people here recommend against using the game mode as it is as you say, it sets the components of CIS into training mode.

Okay, I’ve searched a little, and I came up with a number of existing threads. I’ll vote for these, and I’ll submit new entries for the missing ones. Here are the findings so far.

Cloud lookup:
According to a post from wasgij6 in that thread, the hash-chack cannot be disabled in CIS6. I haven’t tried whether SanyaIV’s suggestion works, as my PC is currently in a state of mess. I haven’t found any wishlist threads suggesting this.

No relevant threads found.

HIPS process policy inheritance:

Custom sandbox policies:

Firewall popup buttons:
This seems to be of a lesser cosmetic importance, so I’ll dump it out for now.

Protected Registry Keys:
Seems to be possible already, haven’t tested it yet, so I’ll leave it out for now.

And a lot of smaller threads!


Hack tools:
No relevant threads found.

Consecutive antivirus popups:

Better handling of SVCHOST process:

Fix the darn full-screen freeze already!