Not all predefined policies available in alerts [Resolved]

Not all predefined policies available in alerts
I have defined my own predefined policies, but when CIS gives me an alert, they are not avalable for selection in the combo box.

The bug/issue

  1. What you did: I created new Predefined Policies, as shown in the attached image Policies.png. Then, I did an action that caused CIS to alert (like execution of an unrecognized file)
  2. What actually happened or you actually saw: At the alert dialog, the combo box “Treat this application as” did not contain all the predefined policies. In fact, it didn’t contain all the default policies, either. See the attached image Alert.png
  3. What you expected to happen or see: I expected the combo box to offer me the new policies I defined before.
  4. How you tried to fix it & what happened: -
  5. If its an application compatibility problem have you tried the application fixes?: -
  6. Details (exact version) of any application involved with download link: CIS 5.0.163652.1142
  7. Whether you can make the problem happen again, and if so exact steps to make it happen: Yes, the behaviour is easily repeatable, as described above.
  8. Any other information (eg your guess regarding the cause, with reasons):
    The selection of the policies offered in the combo box seems to depend on the event that caused the alert. Or may be random.

Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug: See attachments
  2. Screenshots of related CIS event logs and the Defense+ Active Processes List: -
  3. A CIS config report or file. -
  4. Crash or freeze dump file: -

Your set-up

  1. CIS version, AV database version & configuration used:
    CIS 5.0.163652.1142, CAV not installed;
  2. a) Have you updated (without uninstall) from CIS 3 or 4: yes
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?: no
  3. a) Have you imported a config from a previous version of CIS: I don’t know
    b) if so, have U tried a standard config (without losing settings - if not please do)?: yes
  4. Other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here. )
  5. Defense+, Sandbox, Firewall & AV security levels: D+=safe , Sandbox=on , Firewall=safe , AV=Avast!
  6. OS version, service pack, number of bits, UAC setting, & account type:
    Windows Xp Pro SP3, 32-bit, logged in as administrator
  7. Other security and utility software installed: Avast! antivirus Home ed.
  8. Virtual machine used (Please do NOT use Virtual box): -

[attachment deleted by admin]

Someone else has the same problem:

This behaviour is by design. It has been like that ever since v3. When an executable starts another executable there are only three choices.

What’s the rationale behind that design? I can later set my chosen policy in Defence+ Rules anyway, so why is this dialog restricting me to only these three options? What are the custom policies then for? Could you explain, please?


I’m adding another screenshots, one showing only two policies, the other all of them. In my opinion, there cannot be any rational design decision behind such behaviour.

[attachment deleted by admin]

I see three different situations for starters.

First situation is Far.exe trying to start HOLDER.DND. Safe application is trying to start a safe application. Gives three choices. On a side note. What settings did you change to have a .dnd file seen as an executable? It is also seen as safe. Did you add it Trusted Files?

Second situation. Explorer.exe trying to start an unrecognised (not safe) application. Given behaviour in the past I would have expected three choices but apparently there are two. Don’t know why that is.

Third situation. CIS asks with what rights you want to run an executable. It gives the expected 5 choices.

Situation 1 and 2 are one category of alerts and situation 3 is another one. As such you could expect different choices; and CIS has always been designed to give different choices.

Situation 1 and 2 are about executable starting other executables and deals with what rights the parent gets over the child. I recall that traditionally you would get three choices; but (and that may be a change, it always was like that (and I forgot) or a bug) with explorer starting an application you will get two choices.

Situation 3 is about rights of individual applications and will give 5 choices.

For me it boils down to the question whether it was intended behaviour to give explorer.exe two choices when starting another application or a bug. If it were choice then I would be interested in the reason behind it as I assume it was three choices before.

Thank you, Eric, for your answer. When I was formulating an answer to you, I made a few experiments that clarified the CIS behaviour to me. The key information that I was missing all the time is that all D+ alerts ask what to do for the program on the left, never for the program on the right hand side. Even when a safe program executes an unrecognized program, like in the situation 2. I haven’t found this information anywhere, so I thought that CIS always asks how to treat the program being executed, which is never true. (See also the P.S. below.)

Knowing this, it is easy to see that in “Treat this application as”, CIS omits those policies that do not answer the alert question with either “Allow” or “Block” (i.e. they answer with “Ask”), and this is logical.

Thus a new question arises: With which policy CIS treats the newly executed unrecognized programs? With “ask on everything”?


P.S. The documentation for Safe Mode says:

For non-certified, unknown, applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add [i]that new application[/i] to the safe list by choosing 'Treat this application as a Trusted Application' at the alert.
The second sentence is clearly misleading and not true.

P.P.S. When CIS alerts, if you choose “Treat this application as”, you easily overwrite the policy the application had at that time. Without any warning. This might be dangerous, if the application had a special policy assigned. The alert should display the currect policy the program has assigned in order to warn you that you’re going to change it.

This is complex but explained almost correctly in the help text: here.

P.S. The documentation for [url=]Safe Mode[/url] says:The second sentence is clearly misleading and not true.
Yes the whenever is incorrect. Please report this under Help text issues in the stickies.

Confusing in another sense too. There is a difference between the Trusted Application policy and the Trusted File policy. The help link is referring to the trusted application policy. But the statement is more true for the Trusted Files policy, when the sandbox is enabled. The Sandbox FAQ defines the difference.

It would be logical to have the ability to make Right Hand Side files ‘Trusted Files’ on such an alert, since trusted files can be executed by all other trusted files without alerts. You’d need another drop down though I suppose.

I do wish C would clear up the terminology

Best wishes


This is complex but explained almost correctly in the help text: [url=] here[/url].

I haven’t found the answer for my question here. Yes, the text describes that unrecognized files are scanned and sandboxed etc., but does not explain what happens when such files try e.g. to write into a protected folder. Will CIS ask or block?

Please report this under Help text issues in the stickies.
You'd need another drop down though I suppose.
Sorry, I don't understand this English phrase. What did you mean?

OK so we have two questions:

With which policy CIS treats the newly executed unrecognized programs? With “ask on everything”?

To this my link provides the answer

With which policy CIS treats the programs executed by newly executed unrecognized programs? Your best starting point for this is the introduction to the sandbox. Please see my signature.

Best wishes


Oh ‘drop down’ is short for drop down or pull down menu.

Sorry I abbreviated

Best wishes


With which policy CIS treats the newly executed unrecognized programs? With "ask on everything"?

To this my link provides the answer

Sorry, mouse1, perhaps I’m blind or dumb, but I cannot find the answer in your link. Can you, please, point me to the exact paragraph? Thank you.

The answer to the second question was known to me.


I’m afraid I don’t understand your question then. Could you phrase it more explicitly please? We are dealing with the perils of international communication I think!

This is the answer (from the link) to the question I think you are asking:

(Remember that unrecognised apps are automatically sandboxed.)

Automatically sandboxed applications are run with ‘Partially Limited’ restrictions. More detail: Sandboxed applications are allowed to run under a specific set of conditions or privileges. In CIS, these are known as ‘Restriction Levels’. There are four levels – Partially Limited, Limited, Restricted and Untrusted (‘Partially Limited’ is the default level for applications that are automatically placed in the sandbox). In part, sandbox restriction levels are implemented by enforcing or relaxing the native access rights that Windows can grant to an application. For example, the ‘Partially Limited’ setting applies some of the supported operating system restrictions and grants it access rights somewhat similar to if the application was run under a non-admin user account. These restriction levels are fortified with certain Defense + restrictions that apply to all sandboxed applications (for example, they cannot key log or screen grab, set windows hooks without asking, access protected COM interfaces without asking or access non-sandboxed applications in memory. Automatically sandboxed applications are not virtualised, however, since version 5.0 of CIS they cannot write to protected registry keys and files/folders.

The bits in red are my corrections. NB when the above corrected text says you can’t do something it means the action is blocked.

OK so now I understand why you couldn’t find it. Had forgotten how bad the help text is :slight_smile:

Intro to the sandbox, and the sandbox FAQ are pretty much accurate and up to date I think. But even they have coverage limitations.

Update to the help file is ‘assigned for action’ :slight_smile:


Mouse1, thank you for the clarification. But when the help will be updated, it would be fine if a table could be added - table that would show which access rights from the application policy are allowed, blocked or do ask, and which protection settings are active or inactive - for the unrecognized files. Moreover, the documentation deals with unrecognized files only in the context of sandbox. How are these files treated when sandboxing is not enabled?

BTW, the form of the documentation is very good, the documentation is very descriptive and reads well. Unfortunately, the documentation is also at many places incorrect, misleading and whole areas are missing. IMO, if these deficiencies are fixed, quality of the CIS documentation will be highly above the average.


Yes I agree. It’s pretty detailed and the language is good. Just needs to be correct and complete as well.

Please do add your additional suggestion re tables to the GUI/Help topic - edit or further post as you will.

BTW there’s a valid revised issue here if you want to raise it. You should be able to make files trusted files from quite a lot of D+ alerts. On execution alerts this is a LHS (subject) issue, but on com and hook alerts which you get in the case of sandboxed files its a RHS (object) issue. OK you can do this from the sandbox alert, but many times this comes up later than the D+ alert or times out .

OK moving to resolved. Thanks for an interesting discussion.