OS & CIS slow to unworkable level if Windows group policy set to custom [NBZ]

Hmm complex but interesting. Could you post a new bug/issue report on this, in standard format, now you've explained it in more detail? That way we can discuss it carefully.
Following
I'd need to understand what version of CIS is doing what in this, as there's two versions involved or at least mentioned.
As I said, 2 distinct xp installations on two different harddisks, each booting independently either from boot.ini multiboot or bios harddisk choice. C: is running cis3 with no firewall and avira and works fine; D: is running cis5 including av (but not relevant) and is the one hanging.

I did not react before because it now seems to work, but I am running this D: disk only for testing purposes and nothing or so is installed: I have good reasons to think that, as soon as I shall again install and run another software, the phenomenon shall occur again, so the question still is “on the surgeon’s table”.

TOPIC TITLE
Customizing cis5 default rule groups: getting thrown out of windows


The bug/issue

  1. What you did:
    Installation of cis5 last rc to my second harddisk (multibooting the same os as a test one, almost nothing installed: firefox 3.6, 7zip, foxit, xplite, autoruns, procexp, Regseeker, filezilla, aptdiff and other “cis report” utilities).
    Uninstalling cis5, finishing the uninstallation by manually cleaning a few leftover files and registry writings (Regseeker).
    Now making a fresh install of cis5 final (but doesn’t change anything speaking of what follows).
    -setting cis to proactive
    -wiping trusted editor list
    -disabling the cloud and updates
    -setting firewall and defense+ to highest level (every image execution setting checked, no ics).
    Everything works fine.
  2. What actually happened or you actually saw:
    Shifting a default rule group, e.g. windows operating system, from “windows system application” to “custom”.
    The system immediately becomes unworkable: there’s no bsod, no abnormal cpu consumption, but no windows program or icon is accessible anymore.
  3. What you expected to happen or see:
    Custom permissions asked to run system applications (e.g. svchost).
  4. How you tried to fix it & what happened:
    No access to the system anymore, even the power off button does not work anymore.
    AC unplugged, reboot to the first partition, deleting from there the cis drivers on the second one (cmdGuard.sys, cmdhlp.sys, inspect.sys, guard32.dll).
    Rebooting the second partition, cis does not load anymore: deleting comodo files and registry writings (uninstall,autoruns, manual registry editing) and making a fresh standard installation again.
    This situation becomes partially workable if one first sets everything to custom but windows operating system and runs whatever installed software and third-party/windows built-in utilities so as to create and remember some custom rules.
    In this last situation, windows utilities work, but firefox and cis do not; cpu resources show consumption larger than 98% by “idle process” and cis prompts for a defense+ rule every 10 min: everything behaves like cis is overflooded by such a great number of simultaneous rules asked of it.
  5. Details (exact version) of any software involved with download link:
    none
  6. Any other information you think may help us:
    none

Files appended

  1. Screenshots illustrating the bug:
    Impossible: system not accessible anymore and no bug “stricto sensu” (no reaction from cis whatsoever).
  2. Screenshots of related event logs or the active processes list:
    Also impossible to take a screenshot in the first set of tests.
    However, the only 2 things still working are a right click on an empty desktop location and ctrl-alt-del.
    Made them after gaining partial access:
    -before setting windows operating system to custom:
    http://brucine.hostoi.com/online/process11.jpg
    http://brucine.hostoi.com/online/process12.jpg
    -after:
    http://brucine.hostoi.com/online/process21.jpg
    http://brucine.hostoi.com/online/process22.jpg

  1. A CIS config report or file.
    before setting windows operating system to custom:
    http://brucine.hostoi.com/online/cis1.cfgx
    after:
    http://brucine.hostoi.com/online/cis2.cfgx
  2. Crash or freeze dump file:
    not relevant

Your set-up

  1. CIS version & configuration used:
    cis 5 fr, proactive, sandbox, cloud, updates and trusted editor list disabled.
    defense+ and firewall set to highest level, no ics, every image execution settings checked.
  2. Whether you imported a configuration, if so from what version:
    none.
  3. Defense+ and Sandbox OR Firewall security level:
    refer to point 1
  4. OS version, service pack, no of bits, UAC setting, & account type:
    xp pro sp3, french, 32 bits, administrator.
    1 MB SDRAM, 3.06 Ghz Celeron processor.
  5. Other security and utility software running:
    None.
  6. CIS AV database version:
    last one 21 september, but not relevant: no av intervention.

Thanks Brucine very much

Will have a more careful look at this tomorrow

Best wishes

Mouse

Note that a similar behavior is observed with cis3 with an equivalent level of security settings.

Set defense+ svchost and explorer to custom, and therein access rights for com interfaces to ask (not block, ask): now, you are unable to connect anywhere anymore and to shut down the system by any other means than the AC plug.

It was said, in this same forum and by a user claiming his experience (and speaking of videos as far as I remember) that, inter alia, svchost requests for com interfaces should be systematically blocked: pure insanity, as svchost also is needed for local processes.

But, coming back to the issue, one should be allowed to choose the said connections.

Thanks Brucine.

This needs careful thought, but initial thoughts are that this is a result of the HIPS preventing the OS from functioning normally when not allowed appropriate privs. It is in a way a consequence of the power of CIS - it can control just about everything including the OS.

Further examination would need to determine whether you hit ‘apply’ before this happened and what the default ‘custom’ settings are, and whether you changed these before hitting apply.

If you changed nothing, then hit apply, and the default custom settings are restrictive, then I think you have your explanation perhaps?

The follow-on question is what CIS should do if asked to cripple the OS. Difficult for CIS to tell whether a set of custom settings is sensible. Maybe custom settings should default to prior settings until you change them? (Don’t think they do?)

I’ll await your feedback.

Best wishes

Mouse

Of course, the “culprit” is HIPS controlling the OS, but not asked to block it, only to ask.
In this regard, I joined the cfgx files “before” and “after”; aren’t they enough to read the settings?

Joining the now working defense+ tabs, so everything is clear:

http://brucine.hostoi.com/online/defense1.jpg

http://brucine.hostoi.com/online/defense2.jpg

I maybe need to remind what I did:
1) installation of xp to a new partition, of which the only goal is to test cis5
2) installation of the only software and utilities able to monitor its previous crash from the same situation in cis 5 rc (thoroughly uninstalled, uninstallation monitored by cis itself and by regseeker and manual disk and registry browsing)
3) fresh installation of cis5:
-immediately set to proactive
-cloud, sandbox, updates disabled
-firewall advanced, alert settings very high
-defense+ paranoid, no trusted editor, no safe rules, unknown non trusted, every image execution setting checked.

If I try in such an installation to immediately set windows operating system and other default rules to custom, the os immediately hangs.

Now (and after uncrashing from the first partition, again thoroughly uninstalling and reinstalling fresh), don’t touch them: only run firefox, xplite and whatever third-party utility I can think of, and make the appropriate and usual rules: everything works fine, nothing is set at even “ask” in the virgin default group of rules.

The trick is, as my screenshot shows, to create one by one each rule included in the said groups, and to set them, only one by one, to custom: now, the system asks for rules, and I give the proper authorizations.
For each rule, I open whatever windows utility I can think of (notepad, explorer, task manager, msinfo, services…) until all permissions are asked and written, and I repeat it until I have no rule anymore.
When done, I delete all predefined groups but cis and windows update, the last themselves set to custom.

Now, it works (I am presently writing from the cis5 partition).

Of course, there was no system block setting before making the customization, and I applied the changes I made (if not, I wouldn’t have changed anything and hung in the first place).
The custom changes didn’t have any restriction; the only initial change was to switch a group to custom, everything default set and checked to only be at “ask”.

cis was therefore not forced to cripple anything, but only to ask what it should do: everything, as I said, behaves as if cis was overflooded by the number of requests to treat in order to do so, as shown by achieving the working state by writing each rule one by one so cis has, at the end of it, only a few requests to handle to answer the group customization modification.

-defense+

Thanks Brucine

Given this “everything default set and checked to only be at “ask””, and your experiment in setting rules from ‘allow’ to ‘ask’ one by one, it seems you have correctly diagnosed the issue. I suppose CIS should ideally know to do this itself, and display a progress bar. Warn in advance too, potentially.

OK forwarding this to verified reports. And thanks for all your extremely careful work.

Mouse

Issue is valid and interesting, but few users will be affected by it, and there is a work-around. So setting to NBZ. Devs may still decide to address it.

What’s the signification of your NBZ/WBZ hieroglyphs?

Sorry Brucine. Explanation here.

Best wishes

Mouse