Best practice to use ReHIPS in Admin account and Standard User Account

Started by Umbra, June 15, 2016, 04:28:49 PM


Umbra

1- install ReHIPS in the admin account
2- install initial rules,
3- set learning mode
4- wait until the rules are installed, may take seconds to several minutes.
5- tweak your settings, launch your most used programs, but don't delete any vendors in the TVL (Trusted Vendor List) in this account.
6- reboot
7- sign back in, to be sure system processes are whitelisted.
8- sign out
9- go to the SUA
10- on the SUA the GUI won't show up, you have to start ReHIPS manually (you may have a UAC prompt). Creating a shortcut will make it easier next boot.
11- you will see that ReHIPS reinstalls rules, let it do so.
12- do step 5 again, but this time you can delete unwanted vendors in the TVL.
13- reboot again
14- sign in to the SUA, wait some minutes, then quit Learning Mode or keep it if you still need it.

aDVll

What umbrapolaris said  8)

Also, if you have a question, read the other topics in this forum because most have the same questions, and if you still haven't figured it out, make a new topic so someone can help.

fixer

Unwanted vendors may be removed from the trusted vendor list right away; neither the trusted command lines list nor the vendors list should be updated on subsequent rules installation. This was the case earlier, but should be fixed now.

Umbra

Quote from: fixer on June 15, 2016, 08:33:17 PM
Unwanted vendors may be removed from the trusted vendor list right away; neither the trusted command lines list nor the vendors list should be updated on subsequent rules installation. This was the case earlier, but should be fixed now.

Good to know ;)

Umbra

For step 10: you can create a scheduled task; it will launch the GUI at logon.
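One way to set up the logon task Umbra describes, as an added example written here and not code from the thread or from the ReHIPS project. It assumes a placeholder path for the ReHIPS GUI executable and a placeholder standard-user account name; both must be replaced with the real values, and the task is registered from an admin session because it runs with the highest run level to avoid the UAC prompt mentioned in step 10.

```powershell
# Added example (not from the thread): register a scheduled task that starts the
# ReHIPS GUI when the standard user logs on, as suggested for step 10.
# ASSUMPTIONS: $GuiPath and $User are placeholders, not values documented by ReHIPS.
$GuiPath  = 'C:\Path\To\ReHIPS\ReHIPS.exe'       # placeholder: real GUI executable path
$User     = "$env:COMPUTERNAME\StandardUser"     # placeholder: the SUA account name
$TaskName = 'Start ReHIPS GUI at logon'

if (-not (Test-Path -LiteralPath $GuiPath)) {
    throw "ReHIPS GUI not found at '$GuiPath'; replace the placeholder path first."
}

# What to run, and when: the GUI binary, triggered by this user's interactive logon.
$Action  = New-ScheduledTaskAction -Execute $GuiPath
$Trigger = New-ScheduledTaskTrigger -AtLogOn -User $User

# Run inside the user's own interactive session so the tray icon and notifications
# appear there. RunLevel Highest starts it elevated without a UAC prompt; a task like
# this for a standard user has to be registered by an administrator.
$Principal = New-ScheduledTaskPrincipal -UserId $User -LogonType Interactive -RunLevel Highest

# Don't let Task Scheduler skip the start on battery or stop the GUI when unplugged.
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Verify the task exists with the expected account and run level.
Get-ScheduledTask -TaskName $TaskName |
    Select-Object TaskName, State,
        @{ n = 'User';     e = { $_.Principal.UserId } },
        @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } }
```

Task Scheduler applies a default 72-hour execution time limit to new tasks and stops the process when it expires; for a GUI that should stay up as long as the session does, clear that limit in the task's Settings tab after registering it.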

shmu26

Until you launch the GUI, ReHIPS will run in lockdown mode?
Will there be system-tray notifications if something is blocked?

aDVll

Quote from: shmu26 on September 02, 2016, 03:14:47 PM
Until you launch the GUI, ReHIPS will run in lockdown mode?
Will there be system-tray notifications if something is blocked?
No GUI = no notification

fixer

You can see all ReHIPS events in Windows Event Log - Applications and Services Logs - ReCrypt; it has all events, including the ones that occurred without the GUI.
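A way to pull those events without opening Event Viewer, as an added example written here rather than code from the thread or the ReHIPS project. It assumes the channel under Applications and Services Logs is registered with a name containing "ReCrypt"; rather than hard-coding the name, it looks the channel up, then summarises the last 24 hours of events by event ID (repeated IDs are the quickest way to spot something being blocked over and over while no GUI was running) and lists the most recent entries.

```powershell
# Added example (not from the thread): read ReHIPS events from the Event Log channel
# fixer points to (Applications and Services Logs > ReCrypt), which records what
# happened even while the GUI was not running.
# ASSUMPTION: the channel name is assumed to contain 'ReCrypt'; it is looked up below.
$Hours = 24

# Discover the channel by wildcard so a slightly different registered name still works.
$Log = Get-WinEvent -ListLog '*ReCrypt*' -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $Log) { throw "No event log matching '*ReCrypt*' found; is ReHIPS installed?" }

# Pull the last $Hours of events. Get-WinEvent raises an error when nothing matches,
# so that case is suppressed and handled explicitly.
$Events = Get-WinEvent -FilterHashtable @{
              LogName   = $Log.LogName
              StartTime = (Get-Date).AddHours(-$Hours)
          } -ErrorAction SilentlyContinue

if (-not $Events) {
    Write-Output "No events in '$($Log.LogName)' during the last $Hours hours."
    return
}

# Summary: which event IDs fired and how often.
Write-Output "Event counts in '$($Log.LogName)' for the last $Hours hours:"
$Events | Group-Object -Property Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

# Detail: the 20 most recent events with the first line of the logged message.
Write-Output 'Most recent events:'
$Events | Sort-Object TimeCreated -Descending | Select-Object -First 20 -Property `
    TimeCreated, Id, LevelDisplayName,
    @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
```

Running this in the standard user account works only if that account has read access to the channel; if Get-WinEvent returns nothing there but the admin account sees events, run the query from the admin account instead.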

shmu26

Quote from: aDVll on September 02, 2016, 03:17:23 PM
Quote from: shmu26 on September 02, 2016, 03:14:47 PM
Until you launch the GUI, ReHIPS will run in lockdown mode?
Will there be system-tray notifications if something is blocked?
No GUI = no notification
But I assume the option in RC3 will still work, for lockdown when the GUI is off.

fixer

Before RC3, lockdown mode could be always enabled or always disabled; it doesn't matter whether the GUI is running or not. In RC3 one more lockdown option was introduced: it's enabled only without the GUI (it hasn't started yet or was closed) and disabled otherwise.
And this new option doesn't affect notifications in any way.

shmu26

If lockdown is enabled, does protection start before logging into the user account, or after?

aDVll

Quote from: shmu26 on September 03, 2016, 10:46:12 PM
If lockdown is enabled, does protection start before logging into the user account, or after?
Protection starts when the service loads. Services, as far as I know, start before login, but fixer can confirm for sure.

fixer

Yup, ReHIPS service starts and becomes active and working before any user is logged in.