[HJLBX Feedback] ReHIPS 2.1.0

Started by HJLBX, November 10, 2015, 01:39:15 PM


HJLBX

During testing I experienced some problems:

When enabling isolation mode, files were blocked and eventually I was locked out of my system; I had to clean install OS to regain control of system.

It appears to me that ReHIPS was not detecting system critical files during rules installation.  I did not experience the same issues with the previous version of 2.1.0.  For whatever reason(s), I think fewer rules were loaded upon installation of ReHIPS in most recent version.  I could be completely wrong, but that is how it appears to me.

Suggestions:

1.  Alerts should have direct access to Rules Wizard.  This will enable the user to create allow rule(s) for a safe but blocked file directly from within the alert.
2.  Rules Wizard should not be buried inside Settings.
3.  Training [Learning] Mode for ReHIPS to learn file behavior and auto-create rules.
4.  You will get very good perspective of optimized user interface by viewing NoVirusThanks Exe Radar Pro.  Playing around with the soft will demonstrate to you a very popular user-interface... much more than any of us can explain.

http://downloads.novirusthanks.org/files/EXERadar_Pro_x86_x64_v3.1_15052015_BUILD1.exe

I am NOT suggesting to you to make ReHIPS a copy of NVT ERP.  I am suggesting a close look at the user interface.  Lots of users, particularly beginners, learn it quite easily.  Just to give you some ideas.

5.  A smaller, more simplified widget for access to isolated applications:

Something like

X|->

X closes virtual desktop
-> takes user to virtual desktop from regular Windows desktop and also returns user to regular desktop from inside the virtual desktop

Shamelessly, I illustrate one from Comodo...

schelkunov

Thank you for the feedback.

> When enabling isolation mode, files were blocked and eventually I was locked out of my system; I had to clean install OS to regain control of system.

Could you give us more information about the environment you launch ReHIPS in (Windows version, installed software, installed AV software, etc.)? Did you try to disable protection in the Main window or disable isolation mode?

Enabling isolation mode is not recommended on first use as it may block some useful software. ReHIPS Control Center should start without any restrictions in isolation mode too, so disable isolation mode if something goes sideways. If something went really wrong and the OS became unusable, you can always boot into safe mode and disable the ReHIPS Service, thus disabling protection.

> Suggestions:

Thank you. We'll think about increasing usability.

HJLBX

Quote from: schelkunov on November 11, 2015, 12:19:53 PM
Thank you for the feedback.

> When enabling isolation mode, files were blocked and eventually I was locked out of my system; I had to clean install OS to regain control of system.

Could you give us more information about the environment you launch ReHIPS in (Windows version, installed software, installed AV software, etc.)? Did you try to disable protection in the Main window or disable isolation mode?


  • W8.1 x86-64 OEM (Toshiba)
    Installed ReHIPS 2.1.0 immediately after a clean install of Windows OS + drivers.
    No other security software installed.

At this point in time, you have insufficient rules for Windows System32 and SysWOW64 files.  Plus, OEM and 3rd-Party driver software presents a real challenge for you.  I will give you one example, Synaptics or ELAN touchpad driver software.

When I enabled Isolation Mode, ReHIPS blocked ELAN touchpad driver software.  That, in and of itself, made system inaccessible.

I recommend at very least that you collect Blocked File data from user systems via some type of Telemetry.  Now, I know this will not be very popular because of the whole "Privacy" issue, but you really should do it on your beta versions (or at least on these very early betas)... just for you to get a perspective on what ReHIPS is doing on user systems.  It will enable you to improve ReHIPS much faster than without it.

HJLBX

Default isolated applications will be good, but should be an option.  I think it does not place an excessive burden on the user if you can further refine the interface and navigation to the virtual desktop.

If on a per-application basis the user can enable ("forced" isolation) for increased security\disable it for the application if there is a problem.

Getting to the isolated desktop is inconvenient.  That is the number 1 problem I see with ReHIPS; back-and-forth navigation to\from virtual desktop is not so user friendly.  It will be same problem with default isolated applications\files.

Therefore, I suggest that when the user launches a default isolated application, it takes the user directly to the virtual desktop.  Exiting the application takes the user directly back to the desktop.

Because of the above navigation issue, this is why few people use isolated browsers - such as Bitdefender SafePay and Kaspersky Safe Money.  Navigating back-and-forth between desktop and isolated browser is inconvenient... so people use it little, if at all.

schelkunov

Thank you for the feedback.

I'll try to group remarks and suggestions. Could you make sure that I have not forgotten something important?


  • Training mode
    When Training mode is checked on, ReHIPS studies the system and allows all installed applications without any restrictions. These applications stay allowed when Training mode is off. What about predefined rules for some applications in this case? I think these applications must work according to their predefined rules. Or maybe it's better to allow all? What do you think?
  • Virtual desktops are too unusual. Make it simpler
    In a lot of cases the virtual desktop is the only way (without kernel hooks and other unsafe rootkit techniques) to prevent escape from the sandbox using Windows hooks. That is why we'll use virtual desktops for the isolation of some applications, but we'll try to minimize usage of them. I think it could be a good idea to hint a user in some way how to work with virtual desktops when they appear. It could be an arrow with a hint or something similar. About taking the user directly to the virtual desktop... It's a good idea. Especially with hints.
  • Expand initial database
    The current initial database can raise problems with Isolation mode and with unknown applications. I think we'll expand this database. Also we'll expand a set of trusted vendors.
  • Working with files from the isolated applications is too complex
    When an application is isolated it must not access the user's files and directories. Otherwise it's a fake isolation. Pure marketing. That is why we created special directories where isolated applications can save files. We'll try to make working with files from isolated applications simpler. For now, in our FAQ, we recommend changing the default Download directory in the browser.
  • Rules Wizard is located deep inside GUI. Log must be interactive
    We'll think about it. But doing that would seriously complicate the GUI for those who are satisfied with Recommended mode and the initial settings (which will be refactored and improved).

HJLBX

Quote from: schelkunov on November 17, 2015, 12:58:49 PM

  • Training mode
    I think these applications must work according to their predefined rules. Or maybe it's better to allow all? What do you think?

Pre-defined rules are better for the user - especially a novice who does not know what rules to create, how to create rules, nor why it is necessary for security.

Big problem for you is creating all the rules.  Of course it will get better with time, but still, huge undertaking for W7 - 10 System32 and SysWOW64 + drivers.

HJLBX

Quote from: schelkunov on November 17, 2015, 12:58:49 PM
2.  Virtual desktops are too unusual. Make it simpler
I think it could be a good idea to hint a user in some way how to work with virtual desktops when they appear. It could be an arrow with a hint or something similar. About taking the user directly to the virtual desktop... It's a good idea. Especially with hints.

Yes... you understand.

I use Comodo Virtual Desktop.  Small widget as I posted in OP.  It is very convenient.

HJLBX

Quote from: schelkunov on November 17, 2015, 12:58:49 PM
3.  Expand initial database
Also we'll expand a set of trusted vendors.

Include only vendors that are critical to system operation on Trusted Vendors list for maximum security.

Digitally signed malware, riskware, scareware, etc. is becoming a big problem.  Digitally signed Adware and PUPs\PUAs are a huge problem.

Consider white-listing by SHA-256 and prompt when a file is modified (e.g. via update).

We advanced users have no real confidence in Trusted Vendors lists.  I know all about it since I use Comodo and a Trusted Vendors List is a key part of their local system white-listing process.  Users get infected and CIS allows installs of Adware because of reliance upon the Trusted Vendor list.

Difficult problem to eliminate...
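A sketch of the hash-based white-listing with change detection suggested in the post above, as an added example that is not part of the thread and not ReHIPS code; the file names, the temp directory and the `prompt` callback that stands in for a user alert are constructed for illustration:

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allow_list(paths: Iterable[Path]) -> Dict[str, str]:
    """Record the SHA-256 of every file the user has explicitly allowed."""
    return {str(p): sha256_of(p) for p in paths}

def check_executable(path: Path, allow_list: Dict[str, str]) -> str:
    """Verdict is tied to file content, not to a vendor signature or the path alone."""
    key = str(path)
    if key not in allow_list:
        return "unknown"
    return "allowed" if sha256_of(path) == allow_list[key] else "modified"

def handle_modified(path: Path, allow_list: Dict[str, str],
                    prompt: Callable[[str], bool]) -> str:
    """A changed file (e.g. after an update) is re-prompted instead of silently trusted."""
    verdict = check_executable(path, allow_list)
    if verdict == "modified" and prompt(str(path)):
        allow_list[str(path)] = sha256_of(path)   # user re-approved: store the new hash
        return "allowed"
    return verdict

def demo() -> Dict[str, str]:
    # Constructed sample: fake "executables" in a temp dir stand in for real binaries.
    d = Path(tempfile.mkdtemp())
    app, helper, new = d / "app.exe", d / "helper.exe", d / "new.exe"
    app.write_bytes(b"MZ original build 1")
    helper.write_bytes(b"MZ helper")
    allow = build_allow_list([app, helper])
    app.write_bytes(b"MZ updated build 2")   # simulated update rewrites app.exe
    new.write_bytes(b"MZ newcomer")          # an unlisted file appears
    before = {p.name: check_executable(p, allow) for p in sorted(d.iterdir())}
    # Simulated prompt: the user re-approves app.exe only.
    after_app = handle_modified(app, allow, prompt=lambda name: name.endswith("app.exe"))
    return {**before, "app.exe after re-approval": after_app}
```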

HJLBX

Quote from: schelkunov on November 17, 2015, 12:58:49 PM
5.  Rules Wizard is located deep inside GUI. Log must be interactive
We'll think about it. But doing that would seriously complicate the GUI for those who are satisfied with Recommended mode and the initial settings (which will be refactored and improved).

I am suggesting something simple:

Sorry, BBCode issues on this forum software...

  • Select log entry (for example blocked object)
    • Right-click
      • Select Allow

  and

  • Select log entry (for example allowed object)
    • Right-click
      • Select Block

  and

  • Select log entry (any)
    • Right-click
      • Open rules wizard

schelkunov