Started by shmu26, January 06, 2017, 11:56:50 AM
Quote from: shmu26 on January 06, 2017, 11:56:50 AM
Trying to understand how this setting works. If I search in Windows Explorer for a process that has this setting, and I click on it to run it, it will start up without triggering an alert. Why is that?
Quote from: aDVll on January 06, 2017, 12:47:23 PM
Removing MS from the trusted vendor list is a bad idea. Too many alerts.
Quote from: fixer on January 06, 2017, 03:06:47 PM
Thanks for the report. Now that I think about it, it doesn't seem right. If an explicit Alert is desired, it should show an alert, even if the file is in trusted signers. We'll change this behavior; added to the TODO list.

Quote from: aDVll on January 06, 2017, 12:47:23 PM
Removing MS from the trusted vendor list is a bad idea. Too many alerts.

It gives alerts for programs absent from the RulesPack. Can you give a list of these programs so we could add them to the RulesPack?
Quote from: shmu26 on January 07, 2017, 07:58:44 PM
Okay, so here's an idea for the devs, based on what I was trying to do here: ReHIPS will detect when the user disables isolation for a key app, and will activate a vulnerable processes list, along the lines of NVT ERP. This will make ReHIPS much more flexible for a wide base of users, some of whom will inevitably want to disable isolation for certain apps.
Quote from: shmu26 on January 07, 2017, 09:17:16 PM
fixer's proposed change is great. The idea here is to take the work out of it, for intermediate users who disable isolation on some apps. ReHIPS could build them a nice vulnerable processes list, to trigger execution alerts for whatever they need to keep themselves safe. The pros on the ReHIPS team know what processes need to be alerted when you don't have isolation. Just an idea, take it or leave it...
Quote from: shmu26 on January 07, 2017, 11:11:05 PM
I want it not to block PowerShell, but to alert upon execution. Why? Because maybe PowerShell -- or another process -- will be abused by an exploit to make certain system changes such as modifying the registry, loading DLLs, or disabling all security software from startup. These are changes that, as far as I understand, do not necessarily require executing a second process, so they won't be blocked or alerted, as things stand now. Once you take away the isolation, you become vulnerable to this kind of thing. Please correct me if I am out to lunch on this issue.
Quote from: shmu26 on January 07, 2017, 11:32:48 PM
Okay, but PowerShell at its present settings will just inspect children. So if a valid Windows process is invoked by the command line, it will run.
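The distinction the last two posts turn on, shown as an added example (this is not code from the thread, from ReHIPS or from its developers): PowerShell can modify the registry and load a DLL entirely inside its own process, while the equivalent reg.exe call spawns a child that a child-process-only monitor actually sees. The scratch key HKCU:\Software\ReHIPSDemo is a hypothetical name chosen for this demo; everything written is harmless and is removed at the end.

```powershell
# Added example, not from the original thread. Run in a normal (non-elevated)
# Windows PowerShell or PowerShell 7 session.
#
# Assumption: HKCU:\Software\ReHIPSDemo is an unused scratch key (hypothetical,
# picked for this demo only). Nothing below touches a real security product.

$DemoKey    = 'HKCU:\Software\ReHIPSDemo'
$DemoKeyRaw = 'HKEY_CURRENT_USER\Software\ReHIPSDemo'   # same key, .NET spelling

"This PowerShell host is PID $PID"

# --- 1) Registry change via the registry provider: in-process -----------------
# The provider calls the Win32 registry API from inside powershell.exe itself.
# No child process is created, so a monitor that only inspects PowerShell's
# children has nothing to inspect here.
New-Item -Path $DemoKey -Force | Out-Null
Set-ItemProperty -Path $DemoKey -Name 'InProcess' -Value 'written by the registry provider'

# --- 2) Registry change via the .NET Registry API: also in-process ------------
# Scripts frequently use this path instead of cmdlets; still no child process.
[Microsoft.Win32.Registry]::SetValue($DemoKeyRaw, 'DotNet', 'written by Microsoft.Win32.Registry')

# --- 3) Loading a DLL into the process: in-process --------------------------------
# Add-Type -AssemblyName maps an existing assembly into powershell.exe's address
# space (no compiler child is started for a precompiled assembly).
Add-Type -AssemblyName System.Windows.Forms
$loaded = [AppDomain]::CurrentDomain.GetAssemblies() |
          Where-Object { $_.GetName().Name -eq 'System.Windows.Forms' }
"Loaded into PID ${PID}: $($loaded.Location)"

# --- 4) Reading the per-user startup list: in-process, read-only ----------------
# This is the key a script would edit to change what starts at logon; shown as a
# read so the demo changes nothing outside the scratch key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
(Get-ItemProperty -Path $runKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { "Run entry: $($_.Name) = $($_.Value)" }

# --- 5) The same registry change via reg.exe: a child process -----------------
# reg.exe is a separate, Microsoft-signed Windows binary. A child-process
# monitor sees this launch; as the post above notes, a policy that trusts valid
# Windows processes will then simply let it run.
$args = @('add', 'HKCU\Software\ReHIPSDemo', '/v', 'ChildProcess',
          '/t', 'REG_SZ', '/d', 'written by reg.exe', '/f')
$child = Start-Process -FilePath 'reg.exe' -ArgumentList $args `
                       -Wait -PassThru -NoNewWindow
"reg.exe ran as child PID $($child.Id) of $PID, exit code $($child.ExitCode)"

# --- Result: three values, identical in effect, only one of which involved a
#     second process.
Get-ItemProperty -Path $DemoKey |
    Select-Object InProcess, DotNet, ChildProcess |
    Format-List

# Cleanup of the scratch key.
Remove-Item -Path $DemoKey -Recurse -Force
```

Steps 1 through 4 leave no child-process trace at all; only step 5 does, and it is the case a child-inspection rule is least likely to flag because the child is a legitimate Windows binary. This is why an execution alert on PowerShell itself (rather than on its children) is the control being asked for above.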