Author Topic: [TO DO] Command Line Function as Allow Rule  (Read 3405 times)


  • Active Testers
  • Sr. Member
  • *****
  • Posts: 496
[TO DO] Command Line Function as Allow Rule
« on: April 13, 2016, 05:32:44 am »
For Expert User it will be of benefit to be able to add a child process execution command line to the Trusted Command Lines - and - have it act as an Allow execution rule for Child Program.

For example, I add command line for cmd.exe > conhost.exe (\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1).

By adding the above command line to Trusted Command Lines, ReHIPS will not prompt when cmd.exe executes conhost.exe.

Trusted command line could be an explicit, specific Allow to Execute Child Programs rule ?

See attached image.

* * * * *

All the HIPS that I have used allow Expert User to define all Parent-Child execution rules (application execution - beginning with explorer.exe).

For example,

explorer > cyberfox
explorer > peazip
explorer > snippingtool
explorer > cmd
cmd > conhost
cmd > net stat

* * * * *

What I am concerned about is security in the real user profile; I am not really concerned about the isolated environment - unless user is running multiple apps together in same isolated window.

I want to allow execution of known safe processes on a per-program basis, like conhost.exe, so that there is no ReHIPS alert for that process.

Basic concept:  Allow A (trusted), disallow everything else (treat as untrusted).

So option to allow certain\individual processes by command line or some other way would be a nice opt-in user option.

* * * * *

I thought I could do it by whitelisting command line.

Experimenting with ReHIPS to see its full capabilities...
« Last Edit: April 13, 2016, 11:01:19 am by HJLBX »


  • Active Testers
  • Hero Member
  • *****
  • Posts: 604
  • Beta tester
Re: ReHIPS 2.2.0 Feature Request - Command Line Function as Allow Rule
« Reply #1 on: April 13, 2016, 05:59:55 am »
i agree.


  • Administrator
  • Hero Member
  • *****
  • Posts: 1520
Re: ReHIPS 2.2.0 Feature Request - Command Line Function as Allow Rule
« Reply #2 on: April 13, 2016, 10:57:07 am »
Trusted Command Lines concept was introduced for Suprogram alerts only to suppress superfluous alerts. But we'll think about expanding it further on Parenting alert. And ultimately fine-grained parenting is added to our TODO list for each parent program individual list of allowed child processes and trusted command lines. But it'll require considerable architecture changes, so I think it'll be planned for 3.x release.