allow command line versus "trusted command line"

Started by shmu26, December 27, 2016, 08:45:56 AM


shmu26

When I see a command line popup, is there a difference between permanently allowing and clicking on "trusted command line"?

aDVll

You permanently allow all "command lines" instead of the specific one you just saw. Also, if you whitelist the command line, you can keep the execute program setting at alert and always get notified for everything else except the specific one.

shmu26

Tell me if I understood this right: if I choose "trusted command line", it does two things.
1. It allows all command line strings that are basically similar; for example, it puts a wildcard in place of the random string of characters.
2. It removes the "alert" rule from program settings.

aDVll

Quote from: shmu26 on December 27, 2016, 11:25:46 AM
Tell me if I understood this right: if I choose "trusted command line", it does two things.
1. It allows all command line strings that are basically similar; for example, it puts a wildcard in place of the random string of characters.
2. It removes the "alert" rule from program settings.
1. No. If you click "whitelist the command line", only the specific one will be allowed. ReHIPS doesn't do wildcards on its own.
2. If you click "always allow", it will change from the alert setting.

shmu26

I think I get it now.
If I choose permanently allow, the program won't alert anymore.
If I choose "trusted command line", it will keep alerting, but that exact string will be allowed in the future, without alert.

That actually makes a lot of sense. I was over-thinking it.

aDVll

Quote from: shmu26 on December 27, 2016, 11:42:30 AM
I think I get it now.
If I choose permanently allow, the program won't alert anymore.
If I choose "trusted command line", it will keep alerting, but that exact string will be allowed in the future, without alert.

That actually makes a lot of sense. I was over-thinking it.
Yes you got it now. I am not the best person to explain something but you figured it out.
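The two alert buttons as aDVll describes them, modelled as an added example (my own Python, not ReHIPS code and not a description of how ReHIPS stores its rules): a per-parent execute setting that "permanently allow" flips to allow, and a per-parent set of exact command line strings that "trusted command line" adds to, with no wildcarding. For contrast it also shows what a glob-style whitelist would have matched, which is why the exact-string rule re-alerts when a random token changes but never silently widens. The rundll32 command lines are constructed sample data, and the parent's default "alert" setting is an assumption of the model, not a statement about ReHIPS defaults.

```python
"""Toy model of the two responses to a child-process alert discussed above.

Added example: NOT ReHIPS code and not a description of its internals.
  - "trusted command line": whitelist this exact command line string only
    (no wildcards, so a different random token means a new alert), while
    the parent's execute setting stays at 'alert';
  - "permanently allow": switch the parent's execute setting to 'allow',
    after which every child it spawns runs without an alert.
All command lines below are constructed sample data.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ALERT, ALLOW, BLOCK = "alert", "allow", "block"   # possible execute settings


@dataclass
class ProgramRule:
    execute: str = ALERT                                 # assumed default for the model
    trusted_cmdlines: set = field(default_factory=set)   # exact strings accepted earlier


class Policy:
    def __init__(self):
        self.rules = {}

    def rule(self, parent):
        # Parent program names are compared case-insensitively; the command
        # line string itself is compared exactly (see decide()).
        return self.rules.setdefault(parent.lower(), ProgramRule())

    def decide(self, parent, cmdline):
        r = self.rule(parent)
        # A trusted command line wins even when the setting is 'alert' or
        # 'block'; the comparison is an exact string match, nothing is wildcarded.
        if cmdline in r.trusted_cmdlines:
            return ALLOW
        return r.execute

    def trust_cmdline(self, parent, cmdline):
        """'trusted command line' in the alert: remember this exact string."""
        self.rule(parent).trusted_cmdlines.add(cmdline)

    def permanently_allow(self, parent):
        """'permanently allow' in the alert: stop alerting for this parent."""
        self.rule(parent).execute = ALLOW


def wildcard_would_match(pattern, cmdline):
    """What a glob-style whitelist WOULD do, shown only for contrast: a pattern
    wide enough to cover one random temp-file name also covers the next one."""
    return fnmatchcase(cmdline, pattern)


# Constructed sample command lines (not captured from a real system).
PRINTER = r'rundll32.exe printui.dll,PrintUIEntry /in /n "\\print01\hp-4th-floor"'
TMP1 = r'rundll32.exe C:\Users\alice\AppData\Local\Temp\tmp3F2A.tmp,DllEntry'
TMP2 = r'rundll32.exe C:\Users\alice\AppData\Local\Temp\tmp9C41.tmp,DllEntry'
UNRELATED = r'rundll32.exe C:\Users\alice\Downloads\invoice.dll,Run'


def scenario():
    """Walk through the situation in the thread and return each decision."""
    p = Policy()
    parent = "rundll32.exe"
    out = {}
    out["printer_first_time"] = p.decide(parent, PRINTER)           # alert
    p.trust_cmdline(parent, PRINTER)                                 # click "trusted command line"
    out["printer_after_trust"] = p.decide(parent, PRINTER)          # allow, exact match
    out["tmp1_still_alerts"] = p.decide(parent, TMP1)               # alert, other string
    p.trust_cmdline(parent, TMP1)
    out["tmp2_after_trusting_tmp1"] = p.decide(parent, TMP2)        # alert, token differs
    out["glob_would_cover_tmp2"] = wildcard_would_match(
        r'rundll32.exe C:\Users\*\AppData\Local\Temp\tmp*.tmp,DllEntry', TMP2)  # True
    p.permanently_allow(parent)                                      # click "permanently allow"
    out["unrelated_after_permanent"] = p.decide(parent, UNRELATED)  # allow, no alert at all
    return out


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name:28} {decision}")
```

The last two lines of the scenario are the point of the thread: trusting TMP1 does nothing for TMP2 because the temp-file name is part of the string, whereas a glob wide enough to cover both would also cover an attacker's DLL dropped under the same name pattern. "Permanently allow" removes the alert for the parent entirely, so the unrelated download is allowed too; that is the button shmu26 clicked by mistake.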

shmu26

thanks.

Now, let's say I take a process like rundll32, and I set it to alert in all the applicable categories.
Then I whitelist certain strings, by clicking on "trusted command line" when I get a prompt from my printer etc.

Will this mimic the behavior of "vulnerable processes list" in NoVirusThanks ERP?

aDVll

Quote from: shmu26 on December 27, 2016, 12:17:29 PM
thanks.

Now, let's say I take a process like rundll32, and I set it to alert in all the applicable categories.
Then I whitelist certain strings, by clicking on "trusted command line" when I get a prompt from my printer etc.

Will this mimic the behavior of "vulnerable processes list" in NoVirusThanks ERP?
It already does it. Processes executed by rundll32 that are not already whitelisted are blocked; that's why it's in inspect.
And if it tries to spawn sub-programs, it will ask you.

ReHIPS has lots of rules to protect the system by default; you don't need to maintain a huge list of things on your own.

shmu26

Very interesting. I must have changed the default settings for rundll32 by mistakenly clicking on "always allow" in a prompt.

aDVll

Quote from: shmu26 on December 27, 2016, 12:29:40 PM
Very interesting. I must have changed the default settings for rundll32 by mistakenly clicking on "always allow" in a prompt.
Either you did that, or you are checking the rundll32 rule for System. Take a screenshot of the menu so I can tell you, if you can't figure it out.

shmu26

I think the "permanently allow" option that you see in such an alert should be called something else.
The way it is now, the user doesn't know whether he is permanently allowing that command line, as I mistakenly thought, or whether he is changing the alert rule.

alternatively, it can stay named the way it is now, but a question box could pop up, asking: "Do you really want to permanently allow all child processes for this parent process?"

aDVll

Quote from: shmu26 on December 27, 2016, 01:03:40 PM
I think the "permanently allow" option that you see in such an alert should be called something else.
The way it is now, the user doesn't know whether he is permanently allowing that command line, as I mistakenly thought, or whether he is changing the alert rule.

alternatively, it can stay named the way it is now, but a question box could pop up, asking: "Do you really want to permanently allow all child processes for this parent process?"
I hope they never do it like you want. I don't want to reply to useless alerts.

It's pretty simple. You either allow the command line or everything. Pretty clear if you ask me.

shmu26

How about calling it "permanently allow parent process"?

aDVll

Quote from: shmu26 on December 27, 2016, 01:13:05 PM
How about calling it "permanently allow parent process"?
Sure, I guess, but I think it's pretty clear as it is.

You get an alert that shows that you can whitelist the command line or the whole thing once or permanently. Why is that not clear?

shmu26

Yeah, if you read the title in black at the top of the alert, it all makes sense.