ReHIPS forum

English Subforum => ReHIPS => Topic started by: Stephen on July 17, 2019, 12:52:45 PM

Title: Separate questions about netsh.exe and powershell.exe
Post by: Stephen on July 17, 2019, 12:52:45 PM
What should one do about netsh.exe? Currently I'm being cautious and allow it to only run once (Expert mode), but this could soon become a bit irritating.

Also I read somewhere that powershell should be disabled, if possible, in order to better protect a PC from malware attacks. I allow it to run sometimes, but I'm almost never sure about it. What could I do to minimize risks?
Title: Re: Separate questions about netsh.exe and powershell.exe
Post by: fixer on July 17, 2019, 11:05:06 PM
If my memory serves me, ReHIPS already has a preinstalled rule for netsh.exe.

And a preinstalled rule for powershell also. It should alert about any scripts it tries to automatically execute. It should be enough for security. But if you really want to tighten security, you can try to disable powershell. But who knows, maybe some update will try to use it and fail. Some rarely used features are often poorly tested.
Title: Re: Separate questions about netsh.exe and powershell.exe
Post by: Stephen on July 18, 2019, 06:56:19 AM
Thank you for the information. I'll try to use my best judgment and bear in mind the ReHIPS rules for these programs.
Title: Re: Separate questions about netsh.exe and powershell.exe
Post by: Umbra on August 02, 2019, 05:08:25 AM
May I suggest that ReHIPS be able to import rules from a text file? It would be very useful for people like me who block most of the MS LOLBins. There are so many that it took ages to list them all in ReHIPS.
Title: Re: Separate questions about netsh.exe and powershell.exe
Post by: fixer on August 02, 2019, 08:47:50 AM
We have export/import settings in our TODO list, so this one should be covered too.
BTW, don't wildcards cover this use-case?
Title: Re: Separate questions about netsh.exe and powershell.exe
Post by: Umbra on August 02, 2019, 10:43:39 AM
Quote from: fixer on August 02, 2019, 08:47:50 AM
We have export/import settings in our TODO list, so this one should be covered too.

Quote
BTW, don't wildcards cover this use-case?
For those in both system32 and syswow64, yes, but you have around a hundred of those useless LOLBins to block, and making/modifying a rule for each of them is a hassle I prefer to avoid.