Installing new software

Started by SparknLight, May 30, 2016, 02:42:01 PM


SparknLight

I did some tests with the installations.

1/
Some users will certainly follow the path below, I am sure, because of its ease:
Right click on the tray icon -> Learning or Disable; installation of the software; once done, right click on the tray icon -> Learning, for some time.
Without downloading anything suspicious, I ended up that way with a Chrome browser in the temp folder and also a "trojan downloader" in the temp folder.
Of course, chrome.exe and the downloader (a "gxxxx.tmp.exe") were included in the ReHIPS programs list. After verification, the "gxxxx.tmp.exe" had a yellow middle Trust Level - file without signature.

Once the bad program is behind the defense line, the worm is in the apple.
In this case, a classic antivirus (MBAM for my case) has detected the problem during an on demand scan.
Chrome.exe was not detected as malware (MBAM, HitmanPro); I detected it because of the CPU usage and thus the laptop fan spinning fast (3 chrome.exe processes running without a visual interface, strange... Chrome is not installed on this laptop).

2/
With the DeployHelper, if I am not wrong, the installation will assign an isolated environment, which will not necessarily be wanted. Is cancelling the last ReHIPS window (the DeployHelper window which proposes the 'Isolated Environment' creation) the right way then?


---

- Security holes in HIPS software come from the users for the most part. I saw your "ReHIPS 1.2: software installation with DeployHelper" YouTube video and the "Applications Installation Using DeployHelper" section in the manual.
If people make errors in this part, they will ruin the ReHIPS efficiency, transparently and without doubt.

- I notice sometimes a long delay when using the DeployHelper, some seconds or some minutes before it proposes the installation of the selected software. All tests were done with small programs: text editors like EditPad, NP++, etc.

- Maybe reporting the Trust Level, in a column between "Program" and "Lock Status", for each line, could be useful and reduce errors/suspicious .exe with a visual indicator. With hundreds of lines, we will not conscientiously check what is in place. Sorting by date, or by "Trust Level" or something else could be reassuring.

aDVll

I will just comment about the general complaint and not the suggestions. Will leave those to the devs. As a user I believe I am responsible for actions happening on my computer. If I allow something to run then it should run. No software can help me get common sense, which is what is required in this case.
If the user is inexperienced and not able to decide then ReHIPS should be run on the standard protection level with lockdown mode on, after he runs learning mode for a while, so he can't mess anything up on his PC. If something needs to be installed later it should be done by someone who knows what he is doing and where to download what is needed from.

SparknLight

Hi aDVll,

There is no complaint. I am in a beta testing situation, on a laptop dedicated to tests.
I try to be in a "general situation", in the skin of the common user.
Of course, right, if the user is inexperienced, software like ReHIPS is not advisable.
On the other hand, and for my part, if I install "big" software, some of which needs a reboot, or drivers, etc., I will not use the DeployHelper. Maybe I'm wrong.
The last point: lowering the protection mode level for an installation could be a reflex (from AppGuard, etc.).

For the story, I got chrome.exe and the malware with the Iron Portable browser and its self-extracting exe from a known website, so you see...

aDVll

I see.
I personally install everything on my normal account and if needed I later run them isolated. Don't really use DeployHelper.
About the inexperienced user I already told you what I believe, and after that it's pretty easy to use. I tested it with a kid, but maybe there are people in a worse situation, I don't know.
About AppGuard I assume you mean the install mode it has. In my opinion AppGuard is a lot more difficult to use, especially when you dare to try and run anything from a non-system drive.
About Chrome, tbh I have no clue what you mean, but on the other hand I never tried any Chrome not from Google.

fixer

DeployHelper's only purpose is to install programs in isolated environments. So use it only if you're going to use the program being installed in isolation. And DeployHelper doesn't provide isolation by itself. So if you execute some malicious setup in DeployHelper, this may end up badly. So this is not a part of security, it's more of a helper utility for programs you intend to use in isolation.

The files DeployHelper proposes to add to the database should always be carefully examined as DeployHelper isn't a security tool, but a mere helper utility. But it's not that dangerous. If you add some malicious program with DeployHelper, it should be executed in isolation, so it won't be able to impact the system, but it may affect other programs executed in the same isolated environment.

And keep in mind that Trust level is not an indicator of indisputable trust. For the moment it relies on digital signatures. And there were some incidents where malware was using valid digital signatures. Of course these certificates were quickly revoked, but nevertheless.

So hard to say what can be improved here. In the end it's up to the user whether some file should be allowed to run or not. ReHIPS may give some hints, but it won't decide for the user like it knows everything better.
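As an added illustration of the point above (this is not ReHIPS code and not part of the original thread), the following PowerShell script lists the executables in a folder with their Authenticode status, the same kind of signal a signature-based Trust Level draws on, and sorts unsigned or invalid files first, newest first, as the trust-level column suggested earlier in the thread would. The three-level label is a constructed approximation, not ReHIPS's own mapping; the folder path and the cmdlet availability (Windows PowerShell 5.1 or later) are assumptions.

```powershell
# Added example, not part of ReHIPS: audit executables by Authenticode status.
# Assumptions: Windows PowerShell 5.1+; $Folder is a placeholder (defaults to %TEMP%,
# where the unsigned "gxxxx.tmp.exe" in the thread was found).
param(
    [string]$Folder = $env:TEMP
)

function Get-SignatureTrustReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Constructed three-level label for illustration only. "Valid" means the
            # chain verified at check time; a revoked or abused certificate can still
            # have produced a signature that once looked fine, so treat it as a hint.
            $label = switch ($sig.Status) {
                'Valid'     { 'High (signed, chain verified)' }
                'NotSigned' { 'Middle (no signature)' }
                default     { "Low ($($sig.Status))" }
            }

            [pscustomobject]@{
                File       = $_.FullName
                LastWrite  = $_.LastWriteTime
                Status     = $sig.Status
                Signer     = $signer
                TrustLabel = $label
            }
        }
}

# Status sorts alphabetically (HashMismatch, NotSigned, UnknownError, ... Valid),
# so the files most worth a look come first; newest first within each group.
Get-SignatureTrustReport -Path $Folder |
    Sort-Object @{ Expression = 'Status' }, @{ Expression = 'LastWrite'; Descending = $true } |
    Format-Table -AutoSize
```

The report is an aid for the manual review fixer describes, not a verdict: a signed file is not thereby safe, and an unsigned one is not thereby malicious.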

SparknLight

Thank you fixer. I missed the fact, in the ReHIPS Admin Guide, that DeployHelper is for installing programs in isolated environments only.
The Help included with ReHIPS is more detailed. My fault for not reading it before. Fully understood now.

Trust level is not an indicator of indisputable trust, as with all tools, VirusTotal and its xx antivirus engines included.

"ReHIPS may give some hints, but it won't decide for the user ..."
Otherwise ReHIPS would come with AI, with a dedicated IBM Watson behind each user.

I thought a report of last access and trust level could be interesting in the programs list - information already available in each program window and in the log - instead of a bare text list of hundreds of lines.
OK :) Just a suggestion.

http://www.macrumors.com/2016/03/07/transmission-malware-downloaded-6500-times/
Were the users responsible for these actions happening on their computers?
"Common sense" is a subjective thing, by definition, and users are not necessarily obedient kids.
To err is human, and even machines make mistakes.

As it is subjective, I will say that the training mode should not be used then.
ReHIPS installed on Windows, OK, but is this Windows clean? Absolutely certain?

For my part, I will not use Gimp and similar programs in a sandbox.
The level of paranoia is a matter of psyche and thus also a subjective question.

fixer

ReHIPS should be installed on a clean Windows. This is a strong recommendation. So training mode relies on this requirement and accommodates ReHIPS to the computer to minimize the number of alerts. But for example I, being paranoid, don't use training mode at all :) I prefer to respond to a couple of alerts (maybe using the Only once or Session only options so programs won't be permanently saved to the database) rather than lose control over execution.

Quote from: SparknLight on May 30, 2016, 02:42:01 PM
- I notice sometimes a long delay when using the DeployHelper, some seconds or some minutes before it proposes the installation of the selected software. All tests were done with small programs: text editors like EditPad, NP++, etc.
Let's take the program with the longest delay. Is it reproducible? What program is it?

Quote from: SparknLight on May 30, 2016, 02:42:01 PM
- Maybe reporting the Trust Level, in a column between "Program" and "Lock Status", for each line, could be useful and reduce errors/suspicious .exe with a visual indicator. With hundreds of lines, we will not conscientiously check what is in place. Sorting by date, or by "Trust Level" or something else could be reassuring.
Do you mean ReHIPS programs tab or list of program files in DeployHelper? I guess you mean the former. But for the sake of security it'd be better to mark out untrusted programs before they're added to the database. So maybe DeployHelper list of programs needs it?