Summary incorrect re blocked intrusions when CIS in (D+ & FW) training mode

I’m currently running CIS (Firewall and Defense) on my Windows 7 64bit PC.
CFP version is 5.0.162636.1135

On the Summary tab, I’ve got (right now):

  • “Firewall blocked 976 intrusion(s) so far”
  • “Defense+ blocked 8 intrusion(s) so far”

Clicking on either number link, I get a completely empty “Firewall Events” / “Defense+ Events” window respectively.


The bug/issue

  1. What you did:
    Switched Firewall and Defense+ to Training Mode for some time.

  2. What actually happened or you actually saw:
    After a while, I got a number of blocked intrusions.

  3. What you expected to happen or see:
    Not show them being blocked if they are not since I am in training mode

  4. How you tried to fix it & what happened:
    Not a fix in itself, but my intuition told me to press “more” to maybe see more info (in the detailed event log system), but it was empty as well.

  5. Whether you can make the problem happen again, and if so exact steps to make it happen:
    Yes. Switch to training mode and wait till the Firewall or Defense+ blocks some “intrusions”.

  6. Any other information (eg your guess regarding the cause, with reasons):
    The issue is somewhat logical. It shouldn’t log events in training mode (by design) but then again, one shouldn’t see an amount of blocked intrusions/events.

Files appended. (Please zip unless screenshots).
1./2. Screenshots illustrating the bug:

Your set-up

  1. CIS version, AV database version & configuration used:

  2. a) Have you imported a config from a previous version of CIS:

  3. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):

  4. Defense+, Sandbox, Firewall & AV security levels:
    D+=Training , Sandbox=Disabled , Firewall=Training , AV=(different vendor)

  5. OS version, service pack, number of bits, UAC setting, & account type:
    Win7 64bit Ultimate, UAC is OFF, Account is Administrator

  6. Other security and utility software installed:
    Avast 4 on-demand.

  7. Virtual machine used (Please do NOT use Virtual box):
    n/a: Test case ran on native system.

Welcome to the forum Chris :slight_smile:

Please read here;msg455431#msg455431

Also please note Training mode should be used for short periods only.


Hello Dennis,

I use Training Mode whenever I’m installing a lot of stuff. Going to give that link a look.


You prefer to be unprotected while installing? :o

There's a high chance CIS messes things up (eg, disabling some executables or something). In the past I’ve also had system crashes from CIS disabling driver installation causing a system deadlock.

That said, I’ve got no fear installing my stuff…I’d fry vendors alive if I knew my legally-purchased software was infected by some malware. ;D

In my view it’s fine that nothing is logged in training mode. Things are only logged when blocked.

However the summary should not imply that things have been logged?

Therefore please could you make an issue report in standard format. See below.

We would very much appreciate it if you would edit your first post to create an issue report in line with the bug forum guidelines and format here. You can copy and paste the format from this topic.

To understand the reasons why we ask you to follow these guidelines please see below.

Bugs/issues can be impossible or very time consuming to fix if developers don’t have enough information to reproduce them. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, issues not described in the format below your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

Best wishes and many thanks in anticipation


When you install something, I would not change the firewall mode in the first place! In training mode everyone can come in, and worse, he can come in later again, because your firewall was trained to allow him to do what he did again.

About the setting for Defense+: the rules that are needed for installation are not needed again. But in training mode they are learned. And all the stuff that happens while in that mode is learned too, for the future. Totally pointless and useless and dangerous.

So, when you want to install something, and you are too lazy to press “treat this as an installer, but don't remember my answer”, why don't you put the Defense+ in “mode disabled for a while”? You have the same effect of getting no question, but you don't create rules for everything for the future.
Do you see the difference?

I’m aware of the consequences and how they affect my computer. I’m also aware what kind of damage an IPS system like Defense+ can do to running processes. Keep in mind we are talking about one-time installation procedures, where one can potentially cause fatal issues which can’t ever be reverted even by (un/re)installation.
That said, I fully trust the software I’m installing. Considering the firewall sometimes messes with non-network-stack-related areas, it is more prudent to revert to Windows firewall temporarily.
A realistic issue I’ve come across several times is race conditions where an application tries to do an action repeatedly while CIS denies it while waiting for my input. Some applications simply abort with an error message. In itself, this is a huge advantage of CIS, but in general I wouldn’t allow CIS to run in parallel with installers. Note that regardless of setting an application type to “installer” or not, CIS still keeps blocking certain application actions (each different sub-policy).


Yes, but use DISABLE Defense+, instead of training mode.
That does the trick and is safer in the long term. Training mode is learning! But you just don't want interrupts during an installation! So temporarily disabling is the way to go.

btw treat as installer would affect all child processes too!

This is drifting off-topic, guys. Bug/issue discussions are supposed to be very focussed.

Would someone make a bug report please in standard format along the lines I suggest above - ie regarding the fact that the summary and logs are inconsistent. We would really appreciate it if you would.

Best wishes



Thanks, much appreciated - good bug report. For completeness, are you on ‘proactive’ or ‘Internet security’ config? (See More ~ Manage my configurations). Please edit your post to add this info. AV DB version is irrelevant.

Unfortunately, I’m not currently in front of my pc to check that info.

What’s the difference between them? If I remember correctly, it’s “proactive” (“internet security” includes the antivirus, no?).

Good question. It’s a bit subtle nowadays - a few D+ and FW settings. I really should work it out and do a FAQ - the help text is wrong I think.

If you’ve left it at default then it’s normally Internet Security if you’ve downloaded CIS from the forum links.


OK this is good enough considering the bug involved.

Moving for format verified