can be executed: alert

Started by shmu26, January 06, 2017, 11:56:50 AM


shmu26

Okay, I don't have a proper background in these things, but I thought that valid Windows processes could be used to disable your security software from startup, download DLLs, and make changes to the registry. Then it's game over.

aDVll

Quote from: shmu26 on January 07, 2017, 11:47:59 PM
Okay, I don't have a proper background in these things, but I thought that valid Windows processes could be used to disable your security software from startup, download DLLs, and make changes to the registry. Then it's game over.
It can, but it has to execute something, not just launch the process. Execution of child and sub-programs is monitored for the vulnerable processes. If you see one that is not, maybe report it so the defaults can change.
Also, I suggest you enable UAC at max, and then you stop most of this from the start if they try to mess with Windows crap by getting admin rights.

shmu26

what happens to my custom rules when Windows updates the file and the hash changes? Do my rules still work?

Ozone

Quote from: shmu26 on January 08, 2017, 09:19:08 AM
what happens to my custom rules when Windows updates the file and the hash changes? Do my rules still work?
I have a similar situation.
I am testing Nightly (Firefox), which has updates almost every day.

I think ReHIPS will alert you and then you can replace the hash, unless you check "ignore file modification".


aDVll

Quote from: shmu26 on January 08, 2017, 09:19:08 AM
what happens to my custom rules when Windows updates the file and the hash changes? Do my rules still work?
Yes, the rules auto-update because MS is in the trusted vendor list. They don't change from what you set them to.

aDVll

Quote from: Ozone on January 08, 2017, 11:17:13 AM
Quote from: shmu26 on January 08, 2017, 09:19:08 AM
what happens to my custom rules when Windows updates the file and the hash changes? Do my rules still work?
I have a similar situation.
I am testing Nightly (Firefox), which has updates almost every day.

I think ReHIPS will alert you and then you can replace the hash, unless you check "ignore file modification".
It will not ask if Mozilla is in the trusted vendor list.

shmu26

So I now noticed that for all those system files for which ReHIPS has default rules, "ignore file modification" is ticked by default.
So I assume that means the rule will stay unchanged, even if the file changes due to a Windows update or whatever.

aDVll

Quote from: shmu26 on January 08, 2017, 11:41:28 AM
So I now noticed that for all those system files for which ReHIPS has default rules, "ignore file modification" is ticked by default.
So I assume that means the rule will stay unchanged, even if the file changes due to a Windows update or whatever.
Yeah. It would have stayed unchanged anyway, I believe, because of MS being in the trusted file list. I just tested this with another program and that was the case. I assume the same would happen with these MS files.

shmu26

That's a very cool setting. I guess it is crucial in order for ReHIPS to keep working as intended after a major Windows update wreaks havoc on the system files.

aDVll

Quote from: shmu26 on January 08, 2017, 11:46:38 AM
That's a very cool setting. I guess it is crucial in order for ReHIPS to keep working as intended after a major Windows update wreaks havoc on the system files.
Check the edit I made above. It's not really needed in this case, I believe.

shmu26

Even if you are in expert mode, does the trusted publishers list do something?

aDVll

Quote from: shmu26 on January 08, 2017, 12:03:36 PM
Even if you are in expert mode, does the trusted publishers list do something?
Nope, expert mode ignores the trusted vendor list, so then the setting to ignore file changes is needed.
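The exchange above (hash rules vs. the trusted vendor list, expert mode, and the "ignore file modification" tick box) can be stepped through with a small model. This is an added example, not ReHIPS code: the rule fields, the order of checks, the trusted-vendor lookup and the sample files are assumptions that mirror what the posters describe, so the outcomes in each case can be seen rather than inferred.

```python
"""Toy model of hash-keyed application-control rules surviving a file update.

Added example, not ReHIPS code: the rule fields, the check order, the
trusted-vendor lookup, the expert-mode switch and the sample files below are
assumptions modelled on the forum thread.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class FileInfo:
    """A program on disk: path, bytes, and its Authenticode signer (None = unsigned)."""
    path: str
    content: bytes
    signer: Optional[str] = None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Rule:
    """A per-program rule keyed on the file hash at the time it was created."""
    path: str
    sha256: str
    action: str                           # "allow", "block", "alert" or "inspect"
    ignore_file_modification: bool = False


def make_rule(f: FileInfo, action: str, ignore_file_modification: bool = False) -> Rule:
    return Rule(f.path, f.sha256, action, ignore_file_modification)


def evaluate(f: FileInfo, rules: Dict[str, Rule], trusted_vendors: Set[str],
             expert_mode: bool = False) -> str:
    """Decide what happens when `f` starts. Assumed order of checks:
      1. an explicit rule always wins over the trusted-vendor list
      2. a matching hash applies the rule unchanged
      3. "ignore file modification" keeps the rule across any change
      4. a trusted signer (non-expert mode only) silently re-keys the rule
      5. anything else is a hash mismatch and raises an alert
    """
    rule = rules.get(f.path)
    if rule is None:
        if not expert_mode and f.signer in trusted_vendors:
            return "allow (trusted vendor, no rule)"
        return "alert (unknown program)"
    if rule.sha256 == f.sha256:
        return rule.action
    if rule.ignore_file_modification:
        return rule.action                # the rule is effectively path-keyed now
    if not expert_mode and f.signer in trusted_vendors:
        rule.sha256 = f.sha256            # auto-update the stored hash, keep the action
        return rule.action
    return "alert (file modified)"


MS = "Microsoft Windows"
TRUSTED = {MS, "Mozilla Corporation"}


def scenarios() -> Dict[str, object]:
    """Constructed sample files: an 'update' changes the bytes but not the signer."""
    ps_old = FileInfo(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", b"ps v1", MS)
    ps_new = FileInfo(ps_old.path, b"ps v2 after windows update", MS)
    ff_old = FileInfo(r"C:\Program Files\Firefox Nightly\firefox.exe", b"nightly 2017-01-08",
                      "Mozilla Corporation")
    ff_new = FileInfo(ff_old.path, b"nightly 2017-01-09", "Mozilla Corporation")
    out: Dict[str, object] = {}

    # 1. default mode: the update changes the hash, MS is trusted, the "inspect" rule stays
    rules = {ps_old.path: make_rule(ps_old, "inspect")}
    out["update_trusted_default"] = evaluate(ps_new, rules, TRUSTED)
    out["rekeyed"] = rules[ps_old.path].sha256 == ps_new.sha256

    # 2. expert mode ignores the vendor list: the same update now alerts
    rules = {ps_old.path: make_rule(ps_old, "inspect")}
    out["update_expert"] = evaluate(ps_new, rules, TRUSTED, expert_mode=True)

    # 3. expert mode plus "ignore file modification": the rule survives
    rules = {ps_old.path: make_rule(ps_old, "inspect", ignore_file_modification=True)}
    out["update_expert_ignore_mod"] = evaluate(ps_new, rules, TRUSTED, expert_mode=True)

    # 4. an explicit Alert rule fires even though Mozilla is a trusted vendor
    rules = {ff_old.path: make_rule(ff_old, "alert")}
    out["explicit_alert_trusted"] = evaluate(ff_new, rules, TRUSTED)

    # 5. the caveat: with the flag set, an unsigned replacement keeps the old allow
    rules = {ff_old.path: make_rule(ff_old, "allow", ignore_file_modification=True)}
    swapped = FileInfo(ff_old.path, b"something else entirely", signer=None)
    out["unsigned_swap_ignore_mod"] = evaluate(swapped, rules, TRUSTED)
    return out
```

Scenario 5 is the check a practitioner would want before ticking "ignore file modification" on an allow rule: in this model the rule then keys on the path alone, so whatever lands at that path inherits the allow. Whether the real product adds further checks on top is not stated in the thread.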

shmu26

Quote from: fixer on January 06, 2017, 03:06:47 PM
Thanks for the report. Now when I think about it, it doesn't seem right. If explicit Alert is desired, it should show alert, even if the file is in trusted signers. We'll change this behavior, added in TODO list.

Was this implemented in ReHIPS 2.2.0_RC4_prosperity?

Umbra

Quote from: aDVll on January 07, 2017, 11:37:50 PM
Quote from: shmu26 on January 07, 2017, 11:32:48 PM
Okay, but PowerShell at its present settings will just inspect children. So if a valid Windows process is invoked by the command line, it will run.
Cool, the valid Windows process runs. Then?
No Windows process does anything malicious without executing something not from Windows and not whitelisted.
Exactly, I don't see the point of blocking a valid process if it does nothing wrong. And if it spawns something else, you get the alert, so who cares. If you don't want it to run in the first place, just change the rule yourself.
And you should be prepared to use PowerShell because MS plans to remove cmd.exe and only use PowerShell...

Quote
The reason NVT and programs like that have a vulnerable processes list is that the only way for them to control issues is by stopping the first execution, because they just allow or block. ReHIPS has an alert mode and an inspect mode which fill that role, giving you more granular control.
Exactly. First, ReHIPS isn't an anti-exe. It is a sandbox with application control. If you want an ERP feature, just use ERP.
Shmu, you are too obsessed with ERP's vulnerable process list. I told you many times already, don't try to push this on every soft you want to use... if you want something similar in ReHIPS, you can build it yourself via the rules manager.

ReHIPS has a lot of options to make it very tight; just learn to use them before asking for features.

fixer

Quote from: shmu26 on March 30, 2017, 08:09:41 AM
Quote from: fixer on January 06, 2017, 03:06:47 PM
Thanks for the report. Now when I think about it, it doesn't seem right. If explicit Alert is desired, it should show alert, even if the file is in trusted signers. We'll change this behavior, added in TODO list.

Was this implemented in ReHIPS 2.2.0_RC4_prosperity?
Yup.