[TO DO] Uninstalled Program Rules Do Not Auto-Purge After Reboot

Started by HJLBX, April 07, 2016, 05:55:32 AM


HJLBX

Uninstall a program.

Settings > Programs > Nonisolated Programs > uninstalled programs will be highlighted (pink/red).

Reboot system.

Uninstalled program rules still remain in Nonisolated Programs.

* * * * *

I am not sure if this is by design or whether these rules are supposed to be auto-purged after reboot. From the information I have - and based upon how ReHIPS actually works - it is not clear what is supposed to happen by design.

When a user uninstalls a program, do they have to manually delete the uninstalled program rules from ReHIPS - or - is it supposed to be an automated process?

* * * * *

Double-click on uninstalled program.

It will open alert "Failed to hash file."

The OK button should be changed to "Inspect" or "Review" or something similar to be more explanatory to the user, i.e. the user will open the GUI to get information on the missing file. OK doesn't tell the user anything, and they expect the alert to close.

* * * * *

"Failed to hash file" links to the ReHIPS help file.

The ReHIPS help file states:  "One of the ReHIPS components is not responding or is not found. Restart your PC. If this error occurs again contact us (support@re-crypt.com)."

One way to interpret the above statement is that it means that the uninstalled program rules should be auto-purged after reboot - and fix the issue. I think this interpretation is incorrect.

Another way to interpret it (and the correct one, I think) is that it refers to when an error occurs - involving only the ReHIPS components - that is not related in any way to an uninstalled program.

aDVll

Yes, I can confirm this. When something is removed, the rules stay with a red color and you have to manually delete them. An automatic purge setting or button would be nice.

fixer

ReHIPS doesn't remove any rules by itself, including rules for programs that don't exist anymore. So it's up to the user to delete the rules if the program is removed for good.
As the program executable file is deleted, ReHIPS can't hash it, so it shows this error. The error description in the help file is not quite helpful, I agree; we'll elaborate on it in the future.
"Add a button to purge pink/red programs" is added to our TODO list.

HJLBX

Quote from: fixer on April 07, 2016, 12:36:40 PM
"Add a button to purge pink/red programs" is added to our TODO list.

Some vendors implement a manual rules clean-up.

Datpol (SpyShelter), for example, won't implement auto-purge. Their argument is that it is not a good idea because a file could be modified by an infection. So, the old rules connected to the original file by hash are needed for forensic inspection.

This is a weak argument not to implement a feature many users want...

My reply to Datpol: "If it has gotten to that point of manual SpS rules inspection, then it is way too little, far too late. SpS didn't prevent the infection (actually it is most likely the user's fault since SpS is classical HIPS); system and user data have been compromised. Plus, there are infinitely better forensic methods using proven tools than a manual inspection of SpS rules. Besides, all the original file data is in the SpS log - so keeping the old rules isn't needed."

I know some will think "What is the relevance of this?"

I am just pointing out another security soft vendor's perspective on a rules auto-purge feature.

Umbra