Serious flaw in Defense default rule


I do not want to be rude or offensive, but I really need to know why it is possible that on a clean Windows 7 32-bit install with only CIS and its default setup, any executable can connect to the internet right through a default browser.

As I said, my PC is clean and empty and only CIS is installed. The first thing I did was change the default rules for ‘trustable’ and ‘windows installer’ etc. (sorry for my bad translations, but I use the German GUI). I changed their behaviour so that CIS has to ask me whether the files in those groups may access the DNS:

So my anger and wonder arose when I just attached a new USB flash drive to my PC and then this popped up a window in my browser:

So, autorun was allowed to start an exe that comes from Kingston, my USB flash drive producer, and this had no problem accessing my browser and getting onto a webpage. ???

Well, I do not want to know what else is possible this way. As far as I reckon, any executable can in this way reach a www, ftp or whatever service on the net and give some ‘feedback’.

Eventually, could you please tell me which ‘rule’ in Defense+ and/or Firewall has to be altered and how so this is no more possible without questioning and confirmation, please?

thank you

First change your Firewall/Firewall Behaviour Settings to Custom with Alert settings to at least High. In this mode you should receive an alert for anything which tries to connect out and doesn’t have a rule created for it in “Network Security Policy”.
When answering alerts you can select “remember my answer” and a rule will be created (remember, if you block something with it ticked, a blocked rule will be created). You can edit these in Network Security Policy; I like to use Outgoing Only for most things.

Some info on the monitor settings Here



This isn’t a flaw,

There is no use of the DNS/RPC Client here
It did what you have set :)
What is happening is that an autorun/exe opened a browser or accessed the memory of a browser so it could provide an HTTP command (thus it navigated to that webpage).

Most likely, if you set Inter-process Memory Access to ask, this most likely won’t happen again (I’m curious if you have safe mode enabled?)


Dear Jacob,

So, could you explain exactly what I could do then, please?

Oh, yes, normally, so for 2 years or so, I used ‘safe mode’, but since I reinstalled Windows I use the paranoid Defense setting. Under this setting the above occurred.

Using paranoid setting I can tell CIS that unknown stuff is treated as partially/fully/more than fully, ahem, restricted or so


Since I only found blocked, trusted and restricted rules in the Defense default rule set, I went for the restricted one.

As you suggested I changed or made sure that for these files/hits interprocess memory access is prohibited.

The result is:

I am asked! Well, that should be the default, no?

Anyway, I hope I did everything right and that the paranoid setting in Defense with treating unknown stuff as restricted will not interact wrongly with some other Windows stuff like setup & install things or update processes.

If on safe mode, because urdrive.exe is a safe application, it will thus be allowed to do such activity without being bothered;

I’m having a tough time understanding your post; could you modify it and clear it up just a tad?



As I tried to make clear, I did not use the safe mode but the paranoia mode.
Since the stick was not connected earlier to my PC, urdrive.exe could not have been tagged as a safe file!

So, what I tried to do is that CIS does not allow unknown applications to access my browser and then access the internet without letting me know.

Since I am using the paranoia mode every executable that has no own specific rule in Defense+ - set up by me! - should be able to access Internet via my browser (and hopefully, by no other means as Microsoft .dll; svchost.).


Do you have ‘create rules for safe applications’ checked?

CIS > D+ > D+ Settings >


Dear Jacob,

No, I don’t.

I hope, as I said, that Defense+ now treats everything without a rule, since I use paranoia mode, as unknown. Cause I told Defense+ to treat furthermore unknown stuff by default rule for restricted stuff, that I altered in that way that I am asked now…, I hope I am on the correct road.

But I would really like to have an OK from you experienced users and maybe there is an easier way. At least I had to dig a bit deeply into CIS to find all the switches.

I can’t really comprehend your message;

Please Run This
If you are still having issues and report it back here…



Maybe I will have to install the English version of CIS so I use the right terms and you can decipher my log that I hopefully attach, so you can help me.

[attachment deleted by admin]