[FAQ] What programs should I isolate?

Started by fixer, August 11, 2017, 02:32:52 PM

Previous topic - Next topic


You installed ReHIPS, you have everything up and running. Default rules for known programs are installed. But wham, you start some new program, and ReHIPS shows you an alert, whether to Allow this program to execute, to Allow it in isolation or to Block it. So what programs should be isolated?

At first I should note that it's not some rule written in stone. It's just a recommendation.

1. Browsers. I always recommend isolating browsers. They're always internet-facing. And that's where most of the threats come from. They're the first and foremost to be isolated.

2. Office programs. I mean MS Office here, Libre Office, Open Office, etc. They're not so critical as browsers, but there are a lot of exploits within office documents targeting office programs. So it's recommended to isolate them.

3. PDF readers. Actually they're similar to office programs already mentioned above. But as they often come as separate programs like Adobe PDF Reader, I decided to make a separate paragraph about them. There are a lot of exploits targeting Adobe PDF software. Software of other vendors is less wide-spread, not so vulnerable and not so targeted, but better safe than sorry, so why not isolate them too.

4. Mail software. I mean Outlook, Bat, etc. In my opinion it's quite safe to allow them to execute without isolation. Just don't forget to inspect their children, just in case. Though if you feel insecure, you can isolate them too.

5. Software working with files. I mean audio or video players here that work with audio and video files, archivers like WinRAR that work with archives, etc. There are some exploits, though quite a few that target this type of software. The more software is wide-spread, the more people try to find some secure holes in it to exploit them. On the other hand these holes are more likely to become public and get patched. Unknown software may not be interesting to exploit researchers, but if you're expecting a targeted attack (that happens really seldom), security holes in such software may live for years. I wouldn't recommend isolating this type of software for an average joe, but if you're on high alert, deliberately using some insecure software or aware of some unpatched holes, some programs are worth isolating.

6. Other software. Other software will most likely not need any isolation. But it's always good to assess a security risk before allowing them. Consider the following questions:
-Is it an internet-facing software?
-Does it work with data or files that come from untrusted sources?
-Are there known unpatched vulnerabilities?
-Has there been many vulnerabilities found? How fast were they fixed?
-Is this software still supported and updated?