[FAQ] Different Working Modes

Started by fixer, August 07, 2017, 02:05:46 PM


fixer

ReHIPS has 4 different Working Modes (well actually 5, but Disabled doesn't count): Learning, Permissive, Standard and Expert. And it has an additional option in Settings on Protection tab called Lock-Down Mode. So what's the difference between these modes?

Learning Mode. This one is quite simple. If a program is already in the ReHIPS database, its existing rules are used. But if a rule has the Alert option set, it's treated as if the field were not set:
-Can Execute Programs will become Alert->Allow with children inspection;
-Can Be Executed will become Alert->Allow;
-Can Execute Sub-Programs will remain Alert, but the command line will be added to the Trusted Command Lines list.
If a program is not in the ReHIPS database, it's allowed and added to the database with this setting. In other words, ReHIPS learns which programs are started on your PC and adds them as allowed without any alerts.

Permissive Mode. If a program is already in the ReHIPS database, its existing rules are used. But if a rule has the Alert option set, it's treated as if the field were not set:
-Can Execute Programs will be treated this one time as Allow with children inspection;
-Can Be Executed will be treated this one time as Allow;
-Can Execute Sub-Programs will be treated this one time as Allow.
If a program is not in the ReHIPS database, it's just allowed once. So new programs are allowed without any alerts, but only once; nothing is automatically added to the database.

Expert Mode. We'll skip over Standard Mode here and come back to it later. As in the previous cases, if a program is already in the ReHIPS database, its existing rules are used. But if a program is not in the ReHIPS database, it shows an alert to the user and waits for the user's decision. Depending on the user's choice of Settings Duration, this rule may be added to the database. The Trusted Vendors list is ignored in this Working Mode, but the Trusted Command Lines list is honored.

Standard Mode. It's mostly similar to Expert Mode, but shows fewer alerts. It doesn't show alerts in the following situations:
-It honors Trusted Vendors list, allowing processes and allowing children of these processes with inspection.
-When file is changed and signed by the same vendor as before, it's allowed.
-Children of immersive (metro, modern UI, whatever they're called) programs are allowed.
-Children of already isolated programs are allowed.
-Children signed by the same vendor as parent are allowed.
-Immersive (metro, modern UI, whatever they're called) programs are allowed.
-Subprocesses of already isolated programs are allowed.

Non-Expert Working Modes are also less restrictive in terms of access:
-Insecure File Systems access checkbox in Media Access Rights on Privileges tab is automatically checked for programs from insecure file systems;
-Removable Media access checkbox in Media Access Rights on Privileges tab is automatically checked for programs from removable media;
-CD-ROM access checkbox in Media Access Rights on Privileges tab is automatically checked for programs from CD/DVD/BD-ROM media;
-Network File Systems access checkbox in Media Access Rights on Privileges tab is automatically checked for programs from network media;
-Allow Network Access is checked;
-Copy User Data is checked.

Lock-Down Mode. This mode can be used with any other mode, but it's basically useless for Disabled, Learning and Permissive Modes. It suppresses all alerts, returning Block instead. It's useful for unattended or headless ReHIPS usage, for example when an administrator installed and configured ReHIPS once and left; not even a running ReHIPS Control Center is required. It also covers some small windows of opportunity, like when Windows has just booted and ReHIPS Control Center hasn't started yet.
It's not recommended to enable this mode during the first several runs or if you're not sure what you're doing. If some system or critical process is not in the ReHIPS database or is not allowed, having this mode enabled will block that process, causing system instability.
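The mode semantics above, as an added Python model of the decision logic (an illustration written for this page, not ReHIPS code). It deliberately simplifies: each program has a single stored rule (Allow/Alert/Block) standing in for the Can Be Executed field, the Settings Duration choice is reduced to a remember/forget flag, and command lines and media access are not modeled. The `Program`, `Hips`, `decide` and `demo` names, the `ask_user` callback and the `isolated` flag are all assumptions made for the example. What it shows is the part that matters in practice: Learning persists unknown programs as Allow, Permissive allows them once without touching the database, Standard/Expert ask the user (Standard first checking the Trusted Vendors and child-process rules), and Lock-Down turns every would-be alert into Block.

```python
"""Simplified model of the ReHIPS Working Modes described in this FAQ.

Constructed illustration only: one rule field per program, no command-line
or media-access handling. All names and shapes are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

class Mode(Enum):
    DISABLED = "Disabled"
    LEARNING = "Learning"
    PERMISSIVE = "Permissive"
    STANDARD = "Standard"
    EXPERT = "Expert"

ALLOW, ALERT, BLOCK = "Allow", "Alert", "Block"

@dataclass(frozen=True)
class Program:
    path: str
    vendor: Optional[str] = None   # signing vendor, None if unsigned
    immersive: bool = False        # "modern UI" app
    isolated: bool = False         # already running isolated by the HIPS

@dataclass
class Hips:
    mode: Mode
    lockdown: bool = False
    trusted_vendors: frozenset = frozenset()
    # Alert handler for Standard/Expert: returns the user's decision.
    ask_user: Callable[[Program], str] = lambda p: BLOCK
    remember_decisions: bool = True   # stand-in for "Settings Duration"
    db: dict = field(default_factory=dict)   # path -> stored rule

    def decide(self, prog: Program, parent: Optional[Program] = None) -> str:
        if self.mode is Mode.DISABLED:
            return ALLOW
        rule = self.db.get(prog.path)
        if self.mode is Mode.LEARNING:
            if rule is None or rule == ALERT:
                self.db[prog.path] = ALLOW     # learned: persisted as Allow
                return ALLOW
            return rule
        if self.mode is Mode.PERMISSIVE:
            if rule is None or rule == ALERT:
                return ALLOW                   # allowed once, db untouched
            return rule
        # Standard and Expert: an existing Allow/Block rule is final.
        if rule in (ALLOW, BLOCK):
            return rule
        # Standard suppresses the alert in a few situations; Expert never does.
        if self.mode is Mode.STANDARD and self._standard_auto_allow(prog, parent):
            return ALLOW
        # Unknown program or a rule set to Alert: this is where an alert shows.
        if self.lockdown:
            return BLOCK                       # Lock-Down: alert becomes Block
        verdict = self.ask_user(prog)
        if self.remember_decisions:
            self.db[prog.path] = verdict
        return verdict

    def _standard_auto_allow(self, prog: Program, parent: Optional[Program]) -> bool:
        if prog.vendor and prog.vendor in self.trusted_vendors:
            return True                        # Trusted Vendors list honored
        if prog.immersive:
            return True                        # immersive programs allowed
        if parent is not None:
            if parent.immersive or parent.isolated:
                return True                    # children of immersive/isolated
            if parent.vendor and parent.vendor == prog.vendor:
                return True                    # same vendor as parent
        return False

def demo() -> dict:
    """Run one unknown, unsigned program through every mode.

    Returns {mode name: (verdict, was it persisted to the database)}.
    """
    unknown = Program(r"C:\Tools\new.exe")   # constructed sample program
    results = {}
    for mode in Mode:
        hips = Hips(mode, ask_user=lambda p: ALLOW)   # user clicks Allow
        verdict = hips.decide(unknown)
        results[mode.value] = (verdict, unknown.path in hips.db)
    return results

if __name__ == "__main__":
    for name, (verdict, persisted) in demo().items():
        print(f"{name:10s} -> {verdict:5s} persisted={persisted}")
```

Running `demo()` makes the Learning/Permissive difference concrete: both return Allow for the unknown program, but only Learning leaves a rule behind. Switching `lockdown=True` on a Standard or Expert instance returns Block for the same program without ever calling `ask_user`, which is exactly why an incomplete database plus Lock-Down can take down a critical process.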