I noticed that when I run a malware (trojan) that is not recognized by the AV, it’s automatically sandboxed. It's normal! Great! But when the malware process closes or is killed, the cmd is not killed by CIS and stays in memory. Then the computer slows down incredibly because of that cmd process (see img below).
CIS should be able to free the memory from these malware cmd processes.
The example below is after running 2 trojans, sandboxed but not recognized by the AV -> result: 2 cmd processes using 67% of the processor…
CIS leaves cmd malware process: slowing down the PC
The bug/issue
What you did: ran 2 fresh trojans from MDL
What actually happened or you actually saw: Trojans were not caught by AV or cloud. They were sandboxed as expected. They started and created a cmd process (one for each trojan) after 2 seconds, the parent trojan process stopped BUT the cmd REMAINED using 67% of the processor activity. The computer became sooooo slow I had to reboot.
What you expected to happen or see: CIS should be able to kill cmd when the parent trojan process stopped
How you tried to fix it & what happened: kill cmd processes or reboot: OK
Details (exact version) of any software involved with download link: almost any fresh exe.exe from MDL ;D
Bugzilla id (mods use only):
Files appended
Screenshots illustrating the bug: cf first message of this thread
Screenshots of related event logs or the active processes list:
A CIS configuration report:
Crash or freeze dump file:
Your set-up
CIS version & configuration used: v5.0.162636.1135, proactive security
Whether you imported a configuration, if so from what version: no, clean install
Defense+ and Sandbox OR Firewall security level: D+ secure mode / Sandbox activated / FW secure mode
OS version, service pack, no of bits, UAC setting, & account type: Win XP SP3 32 bits / UAC disabled / administrator
Other security and utility software running: MBAM free / Hitman pro
I’ve split brucine’s post out to the comment on the format topic, and replied to it here. Basically he’s wrong - CIS config report is not obligatory, just advised, & does not need MS passport!
Thanks, if you could try it I would appreciate it. The devs are likely to argue that if CIS did not kill it, CIS cannot control the implications of killing it.
I too think there should be an option to control CPU % in autosandboxed apps. I use Process Tamer to control this as an addition to CIS. Works OK with it.
I think the parent malware file closes itself, leaving the cmd.exe consuming high CPU. Indeed, I sometimes don’t even have time to manually close the parent process.
OK. I’ll transfer to verified issues then. An id for a file that definitely shows this problem would be appreciated. You cannot post links of course.
This is timely, as we have recently been discussing what to do about CPU usage.
Meanwhile, try Process Tamer (just google it), making sure to exclude CFP and cmdagent and any other security software. Basically it retro engineers a form of pre-emptive multi-tasking into Windows, which as you probably know is really based on co-operative multi-tasking…