Too many alerts "Direct Disks Access" with CIS 6 [M183] [v6]

TOPIC TITLE
Too many alerts “Direct Disks Access” with CIS 6


A. THE BUG/ISSUE:

  1. What you did: Double click of a text file or open any document by Menu File/Open of any program, or simply the start of some programs.
  2. What actually happened or you actually saw: CIS 6 alerts that the program is trying to access the disk directly!
  3. What you expected to happen or see: No warning (as with CIS 5), but warnings only if the program is really accessing the disk directly (for example: format, defrag, writes to the MBR, etc.)
  4. How you tried to fix it & what happened:
    I’ve tried several configurations (internet, proactive, firewall and imported the old CIS 5): just imposed HIPS in paranoid mode bug reappears.
    Enable enhanced protection mode on / off: no change.
    I removed and reinstalled CIS 6: no change.
    Activate “Create rules for safe applications”: no change, (and unexpectedly even does not create rules).
    Activate “Do NOT show popup alerts”: Simply it does not show the bug, but do not care.
    Turn off the disks in the options “Monitor Direct Access”: this works around the bug, but (imho) HIPS then remains without a very important defense.
  5. If a software compatibility problem have you tried the compatibility fixes (link in format)?:
  6. Details & exact version of any software (except CIS) involved (with download link unless malware):
  7. Whether you can make the problem happen again, and if so precise steps to make it happen:
    Start WordPad (or NotePad), and click on “File” menu, click “Open” → alert
    Simply start Firefox or LibreOffice or 7-Zip File Manager or Adobe Reader → alert
  8. Any other information (eg your guess regarding the cause, with reasons): My guess from incompetent? Regression after bugfix/improved in CIS 3.10.102363.531 ? :wink:

B. FILES APPENDED. (Please zip unless screenshots).:
0. A diagnostics report file (Click ‘?’ in top right of main GUI) Required for all issues):Appended

  1. Screenshots of the 6.0 Killswitch Process Tab (see Advanced tasks ~ Watch Activity) or 5.x Active Process List. If accessible, required for all issues: Appended
  2. Screenshots illustrating the bug:Not Appended
  3. Screenshots of related CIS event logs:Not Appended
  4. A CIS config report or file:Not Appended
  5. Crash or freeze dump file:Not Appended
  6. Screenshot of More~About page. Can be used instead of typed product and AV database version:Not Appended

C. YOUR SETUP:

  1. CIS version, AV database version & configuration:6.0.260739.2674, 14685, proactive
  2. a) Have you updated (without uninstall) from a previous version of CIS: Yes
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?: Yes
  3. a) Have you imported a config from a previous version of CIS: Yes
    b) if so, have you tried a standard config (without losing settings - if not please do)?: Yes
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):HIPS in Paranoid Mode
  5. Defense+/HIPS, Autosandbox/BBlocker, Firewall & AV security levels: D+=Paranoid, Sandbox=Enabled, Firewall=Custom Ruleset, AV=Stateful
  6. OS version, service pack, number of bits, UAC setting, & account type:Windows 7, SP1, 64, enabled, Admin
  7. Other security and utility software currently installed:Malwarebytes, Spybot and Microsoft Defender, but all set up with no real time protection enabled.
  8. Other security software previously installed at any time since Windows was last installed: CIS 5.10 + Avast 6.0.1367, avast 7(for testing), CIS 5.x (various version but I do not remember all).
  9. Virtual machine used (Please do NOT use Virtual box):Virtual Box is installed but CIS is on the host machine, and in any case there were no virtual machine running during the problem.

I always used CIS 5.x in paranoid mode, and alerts for direct access to disks were presented only for some programs, which really have direct access to the disk (disk formatting, defragmenting, low-level analysis, etc.).

After upgrading to CIS 6 (paranoid mode) the alerts are for almost all the programs.
Alerts for Notepad, WordPad, Firefox, LibreOffice, 7zip, etc.; in short, any program that can open/save a file on the file system.

(It is implied that the option “Do Not show popup alerts” in HIPS settings is disabled. :wink: )

Merry Christmas!

CIS 6.0.260739.2674
Windows 7 x64 sp1
NTFS


This seems an important issue, one which certainly needs clarification.

We would greatly appreciate it if you would fill out a bug report in the standard format here.

Sorry for my bad English, but I hope I have understood and done correctly what you’ve requested :stuck_out_tongue:

Safe mode is affected too. When it asks about games etc.

The report is great, thanks

Mouse

Some older versions of CIS had this problem and it was fixed after I reported it. It is annoying as direct disk access is a good thing to block but you cannot do that if there are too many false positives.

Can you please check and see if this is fixed with the newest version? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

Unfortunately, the problem still persists even with the latest version. (6.1.276867.2813)

I really hope they can find the cause of the problem and fix the bug as soon as possible, because having that hole in the proactive defenses in paranoid mode makes me paranoid. :wink:

Thanks!

Confirmed it still exists in 2813.

After a short discussion with Mouse we wonder if the alerts are being used for another purpose, if so they should really change the alert text to something more appropriate.

Alert for dllhost.exe during a file delete which I blocked, which resulted in the file not being deleted.

There was also an alert for keyboard access; this made no difference if blocked or allowed for the failed delete.

If I allowed dllhost.exe access the file was deleted correctly.

Screenshots of alert and failed delete and keyboard access.

Dennis


@QA could you confirm what expected behavior is please?

Meanwhile leaving open

Tracker updated, thanks

I just tested the version 6.2.282872.2847 and still confirm the presence of the bug of this topic.

Thank you.

I have updated the tracker.

I have received feedback from the devs that apparently this is by design.

Thus, I will move this to Resolved.

Thank you.

By design?

This is inconceivable to me, why change a correct behavior of the old version by design? ???

Why then did not remove option “Direct Access Disks” because that version 6 CIS by design does not allow to run it really?

  • In safe mode, even activating the above option does not give any warning and allows direct access to the disk to any “thing” without asking permission, so in addition to being useless it is also dangerous because it gives a false sense of security.
  • In paranoid mode instead, CIS6 mistakenly believes that ALL processes have direct access to the disk, and continuously sends warnings, making the system almost unusable, and forcing the user to turn off the option to control direct access to the disk.

Considering this, (IMHO) to the limit would mark the topic as WONTFIX but certainly not as resolved. :wink:

After many upgrades to version 6, I inform you that with version 7 the bug has been finally RESOLVED! :wink:
(by design or something else) :stuck_out_tongue:

That’s great to hear. Let me know if you do run into any problems.