Reduce sandbox restrictions

Hi everybody,
CIS is really a complex piece of software providing maximum security. However, this security comes at the price of disrupting your work sometimes.

I have used CIS for a long time and in my (humble) opinion the confusion in the terminology used by CIS in defining safe/unknown/whitelist has prompted many users to click on the wrong choice while answering alerts.

I also feel (I could be 100% wrong) that this confusion has led to sandboxing with many levels of restrictions too.

For example, CIS says it has a long list of whitelisted animals, or we can say a large database of the most used software which is not malware but may or may not trigger D+ alerts. This can also be viewed as some legit software performing illegal activity (but they are not malware as they are not making the user's machine unusable or putting the user's privacy at significant risk).

The next logical question is: are whitelisted apps safe? If safe, then why generate a D+ alert? (It's OK, you did a commendable job of providing control over whitelisted apps; I love this feature very much.) A very detailed log of the changes performed by whitelisted apps should be created so that the user can undo what they have done. For this a tick box should be provided in the D+ settings asking the user what they want: logging of actions, or alerts for fine control.

  • Here at this point I am compelled to think CIS does not have a database of safe apps, but this word is used interchangeably for whitelisted applications.

If the user chooses to allow a whitelisted app to execute unrestricted, no entry under Computer Security Policy should be made; this will reduce the number of rules and the impact on the system. On the other hand, if he has answered some D+ alerts, entries are a must. The firewall part should be separate (entries are required).

In my opinion entries should always be made for unknown apps in the Computer Security Policy settings.

Let us come to the problem of sandboxing.
As per the CIS Help manuals, a file which is not known malware / not a known whitelisted app will be sandboxed till analyzed.

At this point the CIS help manual is silent: if an unknown file breaches D+ boundaries, will it be placed in the sandbox (I presume yes)? On the other hand, even if an unknown file does not violate D+ policy it is still placed in the sandbox.
The problem is that auto-sandbox is placing quite high restrictions on apps. This is resulting in many user complaints and app failures.

The way to avoid this is to impose the OS restrictions for a less privileged account, but currently CIS auto sandboxing is placing more restrictions.
Also, file and registry virtualization should be enabled for unknown apps, and their security policy and registry access data should be placed in an XML file (instead of the registry) to reduce system impact (it is the biggest problem at present).

Similarly, for whitelisted applications firewall rules should only be stored in the registry, as network traffic needs faster handling,
whereas all other policies should be stored in memory files, occasionally synchronising them with the disk file.

Now it's time to quit as my post has become incoherent, but do consider it as it has many wishes.

regards

Adi