[FAQ] ReHIPS best practices (part 2)

Started by fixer, July 16, 2018, 05:13:29 PM



3. There are a couple of "windows" during which ReHIPS doesn't provide protection.
   a. ReHIPS Control Center isn't connected to the Service. Unless Lock-Down Mode is enabled, ReHIPS doesn't filter processes without its main GUI, as it won't be able to ask the user, and silently blocking processes may not be a good idea. Connection to the Service is usually lost because Control Center isn't running (who could have thought?) or, if it's a remote connection, because of network issues. Don't forget that sometimes Windows 10 autostarts processes (including ReHIPS Control Center) with a delay, so it'll probably be a good idea to enable Lock-Down Mode without GUI.
   b. ReHIPS Service is down. The Service does all the filtering and heavy lifting, so it should always be up. Unlike the GUI, the ReHIPS Service is supposed to be running at all times, so unless you manually stop it or it crashes violently, it shouldn't be much of an issue.
   c. Initial rules are being installed. When ReHIPS is installed, or when a new user logs in for the first time, ReHIPS installs initial rules. Until these rules are completely installed, ReHIPS doesn't filter processes, as we don't want to block something critical.

4. Make sure you check alerts before allowing them. ReHIPS supports unicode. So on one hand it has no problems with file names in different and exotic encodings. And on the other hand it's susceptible to unicode-based spoofing. One of them is right-to-left mirroring. For example unicode has a control character 0x202e, it's invisible to the eye, but mirrors the remaining part of the string. So file with real name pic#gpj.exe which has this control character in place of # will visually look like picexe.jpg . It may confuse inexperienced users making them believe it's a harmless picture while it's an executable file. Or for example letter "o" may look exactly the same in english and russian encodings, so file like svchost.exe with russian "o" will visually look the same while it's not standard svchost.exe. It's not possible to filter all these tricks automatically, so keep your eyes opened and don't just click Allow in alerts getting bored.