Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM


fixer

The rules export-import feature is on our TODO list. Though due to some internals it isn't possible to extract all information from the database to recreate the same isolated environments from scratch on a clean PC. If you read my blogpost about RulesManager here https://forum.rehips.com/index.php?topic=9530.0, I mean Special Folders here. They're just copied, and no information about them is stored in the ReHIPS database. So the best course of action here is to modify the RDB-file with RulesManager and then distribute it and recreate rules from this file with RulesManager; that's what it's meant for.

Thumbprints are possible. But do we need them? Thumbprints tend to change with each certificate reissue, and that may happen every year. And it'll be a hell of a job to always keep them up-to-date. Names, on the other hand, usually remain the same. We also try to keep this trusted list small, with only really trusted vendors, so it shouldn't be a security risk. Besides, if you really worry about that list, you can edit it or enable Expert Mode; the list is ignored in that Mode.

perisanboy

Hello :D so it's on your to-do list. I know what you mean, I read your post before, thanks for the info fixer. So it can't be done; the only way is to create it again. It's not hard for everyone to create them again btw. I just thought if there is a way to consider it as an option.
I know that thumbprints are cancer but I thought it's safer to have them. So it's a pain, I see and understand. Yes, the small and handy trusted list is also better; I already edited it :) even removed Comodo and some others from that list. I know the list is ignored in Expert Mode, I just wanted to play with Standard Mode for a while because I think it is the best and it's the power of ReHIPS, it will do the job for me :D
Many thanks for the answer ; :D :P

perisanboy

#602
Path wildcard
fixer, what is it? And can you please tell me, do home users need it or not? If we don't use it, does it mean we are losing some security guards? :)

Umbra

Wildcards are special characters made to replace other characters in command lines; you didn't read my post on MT, huh?

Because some command lines will always change part of their line for the same action, so using wildcards will allow you to whitelist/blacklist all the variants of the same command line.

fixer

It's mostly for programs with changing paths. For example, Windows downloads and runs updates from the C:\Windows\SoftwareDistribution\Download folder. You can't know their names, but you know that this folder is write-protected, so you can allow execution of exe files from this folder.
Or Metro applications have the version in the folder name, which is constantly changing.
So no security here, just usability, so you don't get swamped with Alerts.
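To make the path-wildcard idea from the two answers above concrete, here is an added example in Python (not ReHIPS code; the thread does not document ReHIPS's real matching semantics, so the rules below, the Contoso app name and the `decide` helper are assumptions):

```python
import re

# Assumed semantics for a path-wildcard rule (not taken from ReHIPS):
# matching is case-insensitive (Windows paths), '*' matches any run of
# characters that does not cross a backslash, '?' matches exactly one such
# character, and the pattern must cover the whole path.
def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Compile a Windows path wildcard into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]*")      # any run of chars within one path component
        elif ch == "?":
            parts.append(r"[^\\]")       # exactly one char within one path component
        else:
            parts.append(re.escape(ch))  # literal character (backslashes included)
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def path_matches(pattern: str, path: str) -> bool:
    """True when the wildcard pattern covers the whole path."""
    return wildcard_to_regex(pattern).fullmatch(path) is not None


# Constructed rule set in the spirit of the thread: allow executables that run
# from the write-protected Windows Update download folder, and allow a Metro
# app whose package folder carries a changing version number.
ALLOW_RULES = [
    r"C:\Windows\SoftwareDistribution\Download\*.exe",
    r"C:\Program Files\WindowsApps\Contoso.Calculator_*\Calculator.exe",  # constructed app name
]


def decide(path: str) -> str:
    """Return 'Allow' if any rule covers the path, otherwise 'Alert'."""
    return "Allow" if any(path_matches(rule, path) for rule in ALLOW_RULES) else "Alert"


if __name__ == "__main__":
    for sample in (
        r"C:\Windows\SoftwareDistribution\Download\a1b2c3.exe",
        r"C:\Windows\SoftwareDistribution\Download\nested\tool.exe",
        r"C:\Program Files\WindowsApps\Contoso.Calculator_10.1.2.0_x64__abc\Calculator.exe",
        r"C:\Users\Bob\Downloads\setup.exe",
    ):
        print(decide(sample), sample)
```

Because `*` stops at a backslash, the update-folder rule covers files directly in that folder but not a subfolder, which is why such a rule stays narrow even though it names no file.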

perisanboy

Quote from: Umbra on August 02, 2017, 02:24:55 PM
Wildcards are special characters made to replace other characters in command lines; you didn't read my post on MT, huh?

Because some command lines will always change part of their line for the same action, so using wildcards will allow you to whitelist/blacklist all the variants of the same command line.
Thanks for the answer and your time. I read it but I didn't understand command lines. So many explanations, and I'm not good in English.

perisanboy

Quote from: fixer on August 02, 2017, 02:27:32 PM
It's mostly for programs with changing paths. For example, Windows downloads and runs updates from the C:\Windows\SoftwareDistribution\Download folder. You can't know their names, but you know that this folder is write-protected, so you can allow execution of exe files from this folder.
Or Metro applications have the version in the folder name, which is constantly changing.
So no security here, just usability, so you don't get swamped with Alerts.
Thanks for the info and explanation. I see, so there is nothing about security, it's usability; I guess I will not bother with it :) btw this is good stuff... can we have it in the GUI in the next versions? I mean something easy to use, not everyone knows how to work with ? and * :)

fixer

Some pre-installed rules (that come with RulesManager) will have wildcards. Other than that, you can use ReHIPS without having any knowledge of wildcards and you'll be fine. But yeah, you can always use them if you want, adding wildcarded rules from either RulesManager or Control Center.

perisanboy

Many thanks fixer, so everyone is safe even if he/she doesn't know how to use wildcards and just uses ReHIPS without these wildcards. I just wanted to know this. :)

perisanboy

#609
Hello,
While I'm using Learning Mode, if I open something and that thing needs to modify one of the processes in the program rules in the ReHIPS database, will it change the settings for those processes too? I mean change the default rules for each process.

fixer

Hello. From the upcoming blogpost:
Quote: Learning Mode. This one is quite simple. If a program is already in the ReHIPS database, these existing rules are used. If a program is not in the ReHIPS database, it's allowed and added to the database with the Allow setting. In other words, ReHIPS is learning which programs on your PC are started and adds them as allowed without any alerts.

perisanboy

Hello, thanks for the answer.
So when a program is already in the ReHIPS database, these existing rules are used;
it means those default rules you set for the process will not change?! Let's say I want to run something related to cmd.exe and cmd has alert, alert, alert rules. If I run my tool, will it change the default cmd rules? Or do the alert rules still remain?
Thanks

fixer

If you have Alert, it's the same as if you don't have this field set.
So Can Execute Programs will become Alert->Allow with children inspection.
And Can Be Executed will become Alert->Allow.
perisanboy

#614
OK, there is something wrong. I just wanted to play with my rules with ReHIPS in Learning Mode.

Set these rules for cmd:
alert
allow
alert
Ran Mini Tool Box because this tool uses cmd. Set allow for Mini Tool Box in the ReHIPS database for every action.
Ran it but cmd got blocked. I noticed if you set an alert rule for cmd and run ReHIPS in Learning Mode, if something wants to run cmd it will get a block!
The alert rule for Learning Mode doesn't work! And ReHIPS doesn't ask you if something wants to run cmd (same for other processes, it's only an example).

P.S.: It blocked cmd fast! So what is the point of Learning Mode?