Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM


aDVll

Quote from: shmu26 on August 30, 2016, 11:52:30 AM
thanks.
I like that future option.
Yep, it is useful for some users. I personally always run in lockdown mode. I don't do alerts, and if something is blocked I will sort it manually at some point when I have time.

shmu26

but even with lockdown, when does the protection actually start?
malware might try to run very early, before the protection kicks in...

aDVll

Quote from: shmu26 on August 30, 2016, 12:17:58 PM
but even with lockdown, when does the protection actually start?
malware might try to run very early, before the protection kicks in...
It starts on system boot. First of all, malware doesn't appear from thin air. For malware to start at boot, it means you allowed malware to run, not even isolated, on your system. The least of your worries is it starting again at boot. You are already infected and it's your fault. You either had ReHIPS off or you allowed it and it's in the whitelist now.
Assuming ReHIPS was off and the malware is not whitelisted, it might run before ReHIPS or after. It all depends on the kind of malware and how it achieves boot persistence. ReHIPS starts really early when in lockdown mode, so there is a chance it gets blocked if you didn't whitelist it.

shmu26

This is a problem that all security software faces.
I have set ReHIPS to block PowerShell and script interpreters, which I personally don't use, as a second line of defense. This is just in case I mistakenly allowed malware to execute.

I would suggest that ReHIPS offer various templates to the user when the program first installs.
The template for the home user would block PowerShell and script interpreters by default, and the template for IT pros would allow them by default, and would also allow other processes that power users need, such as the Windows mounting process that Shadow Defender uses.

aDVll

Quote from: shmu26 on August 30, 2016, 05:02:17 PM
This is a problem that all security software faces.
I have set ReHIPS to block PowerShell and script interpreters, which I personally don't use, as a second line of defense. This is just in case I mistakenly allowed malware to execute.

I would suggest that ReHIPS offer various templates to the user when the program first installs.
The template for the home user would block PowerShell and script interpreters by default, and the template for IT pros would allow them by default, and would also allow other processes that power users need, such as the Windows mounting process that Shadow Defender uses.
In future versions you will be able to create your own templates and rules. It's in the works to provide a tool to do so, and it works pretty well. Then, if you wish, you can maintain your own rules between releases and even make rules for the specific programs you use.
You need to remember this is a beta. The program is really solid and offers perfect protection, but things related to ease of use will come with future release versions.

shmu26

Cool,
glad to hear that my ideas are already in the works...

aDVll

Quote from: shmu26 on August 30, 2016, 05:14:46 PM
Cool,
glad to hear that my ideas are already in the works...
Devs have many ideas and they are already implementing them, but us users suggesting things never hurt anyone. We might have an idea they didn't think of, so keep the suggestions coming.  ;)

shmu26

Okay, so here's another one that you guys have probably thought of already:
when you click on "install rules", you should get a window asking if you are sure you really want that.
It is too easy to mistakenly click on "install rules" instead of on "settings".

aDVll

Quote from: shmu26 on August 30, 2016, 05:50:49 PM
Okay, so here's another one that you guys have probably thought of already:
when you click on "install rules", you should get a window asking if you are sure you really want that.
It is too easy to mistakenly click on "install rules" instead of on "settings".
Yeah HJLBX suggested it already. That and a thousand more suggestions he made.  ;D

Umbra

Mostly all usability suggestions have been made by either HJLBX, aDVll, or me  :D

BTW, I was the one who mentioned the bad placement of the Install Rules button  :p

There is the thread I created for "usability" suggestions: https://forum.re-crypt.com/index.php?topic=2105.0 , feel free to address suggestions there.

I think now most of the new suggestions will be related to specific software.

aDVll

Quote from: umbrapolaris on August 31, 2016, 05:44:02 AM
Mostly all usability suggestions have been made by either HJLBX, aDVll, or me  :D

BTW, I was the one who mentioned the bad placement of the Install Rules button  :p

There is the thread I created for "usability" suggestions: https://forum.re-crypt.com/index.php?topic=2105.0 , feel free to address suggestions there.

I think now most of the new suggestions will be related to specific software.
My bad then. I found the other topic and didn't check the open topic.
OK, to set things clear, umbrapolaris spammed the devs with a million suggestions also.  :P

Umbra

I was just kidding; us three have added a phonebook of suggestions/recommendations to the devs. Until they sort them all, it will be ReHIPS v3.  rofl

aDVll

Quote from: umbrapolaris on August 31, 2016, 02:38:24 PM
I was just kidding; us three have added a phonebook of suggestions/recommendations to the devs. Until they sort them all, it will be ReHIPS v3.  rofl
I know mate, I am also joking around. The losing side is fixer's side, which has to code all these suggestions. We did the easy part.  :)

harsha_mic

I was trying to play an episode in the Netflix UWA on W10 64-bit. However, it failed to play with some error code.
Upon inspecting the logger, I see the below is wrongly blocked, causing the issue.

Quote
9/2/2016 17:50:18 PM: Program C:\Windows\System32\WWAHost.exe with PID 8228 executing program C:\Windows\System32\mfpmp.exe with PID 4752 - blocked
9/2/2016 17:50:18 PM: Program C:\Windows\System32\mfpmp.exe with PID 4752 terminated

So, I set WWAHost.exe to "inspect children" from "blocked" for the field "Can execute programs".

Perhaps we have to add it in the whitelist?
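The logger lines above are the kind of thing you end up reading manually when running in lockdown mode and sorting out blocks later. As an added example (not code from the post or from the ReHIPS project), the following Python parses the two line shapes visible above, pairs each blocked launch with the later "terminated" line for the child's PID, and groups blocked children by parent so you can see which parent's "Can execute programs" setting is the one to revisit. The line format is inferred from the two quoted lines only; the verdict word "allowed" in the constructed sample lines is an assumption, not something the post shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

# Regexes for the two ReHIPS logger line shapes quoted in the post above.
# The format is inferred from those two lines only (assumption).
EXEC_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M): Program (?P<parent>.+?) with PID (?P<ppid>\d+) "
    r"executing program (?P<child>.+?) with PID (?P<cpid>\d+) - (?P<verdict>\w+)$"
)
TERM_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M): Program (?P<proc>.+?) with PID (?P<pid>\d+) terminated$"
)


@dataclass
class ExecEvent:
    ts: str
    parent: str
    ppid: int
    child: str
    cpid: int
    verdict: str  # the verdict word as written in the log, e.g. "blocked"


@dataclass
class TermEvent:
    ts: str
    proc: str
    pid: int


def parse_line(line: str) -> Optional[Union[ExecEvent, TermEvent]]:
    """Return an ExecEvent or TermEvent, or None for a line we do not recognise."""
    line = line.strip()
    m = EXEC_RE.match(line)
    if m:
        return ExecEvent(m["ts"], m["parent"], int(m["ppid"]),
                         m["child"], int(m["cpid"]), m["verdict"])
    m = TERM_RE.match(line)
    if m:
        return TermEvent(m["ts"], m["proc"], int(m["pid"]))
    return None


def blocked_executions(lines: List[str]) -> List[Dict[str, object]]:
    """Blocked parent->child launches, each flagged with whether the child's
    PID was later logged as terminated (the pattern seen in the post)."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    results: List[Dict[str, object]] = []
    for i, ev in enumerate(events):
        if isinstance(ev, ExecEvent) and ev.verdict == "blocked":
            terminated = any(
                isinstance(t, TermEvent) and t.pid == ev.cpid and t.proc == ev.child
                for t in events[i + 1:]
            )
            results.append({"parent": ev.parent, "child": ev.child,
                            "cpid": ev.cpid, "terminated": terminated})
    return results


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def rule_hints(lines: List[str]) -> Dict[str, Set[str]]:
    """Group blocked child basenames by parent basename: the parent is the
    program whose 'Can execute programs' setting would need changing."""
    hints: Dict[str, Set[str]] = {}
    for r in blocked_executions(lines):
        hints.setdefault(basename(str(r["parent"])), set()).add(basename(str(r["child"])))
    return hints


# Constructed sample log: the first two lines are the ones quoted in the post,
# the remaining two are made up here to exercise the non-blocked path.
SAMPLE_LOG = [
    r"9/2/2016 17:50:18 PM: Program C:\Windows\System32\WWAHost.exe with PID 8228 executing program C:\Windows\System32\mfpmp.exe with PID 4752 - blocked",
    r"9/2/2016 17:50:18 PM: Program C:\Windows\System32\mfpmp.exe with PID 4752 terminated",
    r"9/2/2016 17:50:19 PM: Program C:\Windows\explorer.exe with PID 1234 executing program C:\Windows\System32\notepad.exe with PID 5678 - allowed",
    r"9/2/2016 17:50:20 PM: Program C:\Windows\System32\notepad.exe with PID 5678 terminated",
]

if __name__ == "__main__":
    for r in blocked_executions(SAMPLE_LOG):
        print(f"blocked: {r['parent']} -> {r['child']} (PID {r['cpid']}), terminated={r['terminated']}")
    print("parents to review:", rule_hints(SAMPLE_LOG))
```

Run it against a saved copy of the logger output (one line per list entry) and the `rule_hints` result tells you which parent program to open in the rules, in this case WWAHost.exe with mfpmp.exe as the blocked child.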

fixer