App Review ReHIPS against Ransomware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

SHvFl

Yeah, it pretty much stops everything. Make sure to delete the isolated environments from ReHIPS > Settings > Programs when it's a real system, because when you run the malware it might be copied there. Also, don't copy user data, in case it's a file grabber that will steal your files.
 

XhenEd

The video shows that the weakness is the user. The default option is to allow the ransomware. ReHIPS protected the system because the tester/user chose the programs to run isolated. So, without changing or choosing anything other than the default, the system might have been infected.

But even then, I think that the HIPS part would have done all the protection once the "allow" was chosen.
 

Deleted member 178

XhenEd said:
The video shows that the weakness is the user. The default option is to allow the ransomware. ReHIPS protected the system because the tester/user chose the programs to run isolated. So, without changing or choosing anything other than the default, the system might have been infected.

You are right, because he was on default settings; if the user selects Lockdown Mode, everything is automatically blocked.

XhenEd said:
But even then, I think that the HIPS part would have done all the protection once the "allow" was chosen.

Yes, if the ransomware generates child processes we would get popups.

Just to mention, the ReHIPS devs are paranoid Russians lol; when you know that, you can trust them for your security :p
 

HarborFront

Deleted member 178 said:
You are right, because he was on default settings; if the user selects Lockdown Mode, everything is automatically blocked.

Yes, if the ransomware generates child processes we would get popups.

Just to mention, the ReHIPS devs are paranoid Russians lol; when you know that, you can trust them for your security :p

I'm confused on one thing.

If a user runs it on default, isn't the file/app being run in isolated mode? If yes, even if that file/app is malicious, it's still being isolated and the system protected, no?

As for Lockdown mode (for any other program), sometimes it's not that the user intentionally wants to run a malicious file. If he unknowingly ran the malicious file, then the program (in Lockdown mode) should detect it and lock the system down, right?

Isn't the system protected in both cases?

Thanks
 

509322

HarborFront said:
I'm confused on one thing.

If a user runs it on default, isn't the file/app being run in isolated mode? If yes, even if that file/app is malicious, it's still being isolated and the system protected, no?

As for Lockdown mode (for any other program), sometimes it's not that the user intentionally wants to run a malicious file. If he unknowingly ran the malicious file, then the program (in Lockdown mode) should detect it and lock the system down, right?

Isn't the system protected in both cases?

Thanks

As long as you run an unknown\untrusted file isolated, it will be OK for the most part. If you've copied over all real User profile data to the isolated environment, then that isn't so great when dealing with any kind of data stealer. What damage the data stealer can do depends upon what data the stealer is mining: how, where and for what data it searches. If it is looking specifically inside User data, then it is a problem if you've copied it all over to the isolated environment. It also depends upon what data you have stored in your User profile.

Also, if you download an unknown\untrusted file to the real user profile desktop and execute it, and allow it in the initial and any subsequent HIPS alerts, then your goose can be cooked.

Bottom line: run any unknown\untrusted file inside its own isolated environment.

Learn how ReHIPS works. Master it. Use it as recommended. The likelihood of a major problem is slim.

TIP: It is best to download a file into an isolated environment and then execute it, as opposed to downloading it to the desktop and then right-click > Run isolated in ReHIPS.

Why?

Because there are writeable directories in Windows, and since you launched the program in the real User profile, files can be written to those directories in the real User file system. They're no big deal, as they are inert on the system unless you navigate to the directory to which the file was written and manually execute it. Also, you will have to manually clean up the file system in the real User profile.

Ain't got a clue? Ask fixer; he will explain in detail.
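The clean-up problem described in the post above (a program launched from the real user profile can leave files in user-writable directories, and those leftovers have to be found and removed by hand) can be made tractable with a before/after snapshot. The script below is an added example written for this page; it is not code from ReHIPS, from the forum poster or from the product's vendor. The list of writable roots it checks and the extension pattern it flags are assumptions chosen for illustration, not a list the page or ReHIPS provides, and the script only reports, it never deletes.

```powershell
# Added example (not ReHIPS or forum code): snapshot the user-writable locations a
# program started from the real profile can write to, let the user run the untrusted
# file (isolated or not), then diff to find what was dropped or modified.
# Assumptions: Windows PowerShell 5.1 or later, run as the same user who ran the test.

# Assumed set of writable roots; extend as needed for your environment.
$Roots = @(
    $env:USERPROFILE,       # real user profile (Desktop, Documents, AppData, ...)
    $env:TEMP,              # per-user temp, writable by any process the user runs
    $env:ProgramData,       # machine-wide data directory, broadly writable
    "$env:SystemRoot\Temp"  # system temp, a common drop location
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique

function Get-FileSnapshot {
    # Returns a hashtable: full path -> "size|lastWriteTicks", so edits show up as well as new files.
    param([string[]]$Paths)
    $snap = @{}
    foreach ($p in $Paths) {
        Get-ChildItem -LiteralPath $p -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $snap[$_.FullName] = "$($_.Length)|$($_.LastWriteTimeUtc.Ticks)" }
    }
    return $snap
}

function Compare-FileSnapshot {
    # Lists paths present only in $After (new) and paths whose size/mtime changed (modified).
    param([hashtable]$Before, [hashtable]$After)
    $new = @(); $modified = @()
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k))   { $new += $k }
        elseif ($Before[$k] -ne $After[$k]) { $modified += $k }
    }
    [pscustomobject]@{ New = $new; Modified = $modified }
}

$before = Get-FileSnapshot -Paths $Roots
Write-Host "Baseline: $($before.Count) files under $($Roots.Count) roots."
Write-Host "Now run the untrusted file (e.g. right-click > Run isolated), then press Enter to diff."
[void](Read-Host)
$after = Get-FileSnapshot -Paths $Roots
$diff  = Compare-FileSnapshot -Before $before -After $after

"`nNew files ($($diff.New.Count)):";           $diff.New      | Sort-Object
"`nModified files ($($diff.Modified.Count)):"; $diff.Modified | Sort-Object

# Executable-looking drops are inert until someone runs them, but they are the ones to delete first.
# The extension list is an assumption for illustration.
$exeLike = $diff.New | Where-Object { $_ -match '\.(exe|dll|scr|bat|cmd|ps1|vbs|js|lnk)$' }
if ($exeLike) { "`nExecutable-looking drops:"; $exeLike | Sort-Object }

# Keep the list for review; delete by hand only after checking each path.
if ($diff.New.Count -gt 0) {
    $diff.New | Set-Content -LiteralPath "$env:USERPROFILE\Desktop\untrusted-run-drops.txt"
}
```

Run it in the same user context as the test, before launching the untrusted file. Recursing the whole user profile can take a minute on a large profile; the diff itself is cheap. Because the snapshot keys on size and last-write time, a stealer that merely reads files will not show up here, which is exactly why the post's other point (do not copy real user data into the isolated environment) still stands.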
 

Deleted member 178

HarborFront said:
I'm confused on one thing.

If a user runs it on default, isn't the file/app being run in isolated mode? If yes, even if that file/app is malicious, it's still being isolated and the system protected, no?

Default settings still give you the choice: block/isolate/allow; so yes, it can still be isolated and the system protected.

HarborFront said:
As for Lockdown mode (for any other program), sometimes it's not that the user intentionally wants to run a malicious file. If he unknowingly ran the malicious file, then the program (in Lockdown mode) should detect it and lock the system down, right?
Isn't the system protected in both cases?

In Lockdown, non-whitelisted processes are auto-blocked (no prompts, just an alert); if it was a FP, the user has to go into the logs and change the rule.

Lockdown said:
If you've copied over all real User profile data to the isolated environment, then that isn't so great when dealing with any kind of data stealer.

Indeed, but luckily this option is disabled by default.
 
509322

Deleted member 178 said:
Indeed, but luckily this option is disabled by default.

  • They need to learn how the soft works.
  • They need to understand how the soft protects the system.
  • They need to use their security softs with discipline.
  • They need to learn what not to do.

This is not difficult. Study your security softs. It will avoid a lot of nonsense. And there is no excuse, with fixer giving details at forum.re-crypt.com.
 

erreale

Thread author
XhenEd said:
The video shows that the weakness is the user. The default option is to allow the ransomware. ReHIPS protected the system because the tester/user chose the programs to run isolated. So, without changing or choosing anything other than the default, the system might have been infected.

But even then, I think that the HIPS part would have done all the protection once the "allow" was chosen.

I ran the test with the default settings. As Umbra said, if you enable Lockdown Mode the behaviour would be different.
 

XhenEd

erreale said:
I ran the test with the default settings. As Umbra said, if you enable Lockdown Mode the behaviour would be different.

You did run the test with the default settings, except when you chose "Allow in Isolated Environment". The default selection was "Allow", not "Allow in Isolated Environment". So, going by default all the way would have meant just letting the selection be.

That's why the weak link is the user. Running a questionable file in isolation is the best course of action (apart from "Block"), but not all users would select "Allow in Isolated Environment". Most of them would answer "Okay" to the prompt, without selecting other options.
 

Deleted member 178

XhenEd said:
You did run the test with the default settings, except when you chose "Allow in Isolated Environment". The default selection was "Allow", not "Allow in Isolated Environment". So, going by default all the way would have meant just letting the selection be.

No, you misunderstand, Xhen: "default settings" means that the options/settings of the program are at default, meaning not modified by the tester. The prompt can't be "at default"! It is the user's decision; if not, why ask?

XhenEd said:
That's why the weak link is the user. Running a questionable file in isolation is the best course of action (apart from "Block"), but not all users would select "Allow in Isolated Environment". Most of them would answer "Okay" to the prompt, without selecting other options.

Your mistake is assuming that every user will run only malware. The prompt is set to allow because most of the time the user "decided" to execute the program, which is supposed to be "safe", because no one will knowingly execute malware on their machine.

Prompts are made to be read, and then a choice has to be made; if the user is an idiot happy-clicker, blame him, not the soft.
 

XhenEd

Deleted member 178 said:
No, you misunderstand, Xhen: "default settings" means that the options/settings of the program are at default, meaning not modified by the tester. The prompt can't be "at default"! It is the user's decision; if not, why ask?

Your mistake is assuming that every user will run only malware. The prompt is set to allow because most of the time the user "decided" to execute the program, which is supposed to be "safe", because no one will knowingly execute malware on their machine.

Prompts are made to be read, and then a choice has to be made; if the user is an idiot happy-clicker, blame him, not the soft.

The selections on the prompt are by default. You can't say they're not default, because they are there, already selected, just waiting for the user to click "Okay".

A similar thing is the word "Recommended" (e.g. in Emsisoft's). When the prompt says that this selection is recommended, that is the default choice for the user.

No, I don't assume that every user will run only malware. I assume that most users will go by default or click "Okay", just like when they encounter a HIPS alert.

I agree that prompts are there for the users to have choices of what to do. But clicking "Okay" is also a choice, a choice of choosing, maybe blindly, the default selections of "Permanent" and "Allow".

So, yeah, what you said in the last part, that I should blame the user, not the software, is spot on. Have you forgotten what I said, that the weak link is the user? :D
 

Deleted member 178

XhenEd said:
The selections on the prompt are by default. You can't say they're not default, because they are there, already selected, just waiting for the user to click "Okay".

By "default" we refer only to the settings; prompts are not settings, you can't change the way a prompt behaves in the settings tabs. That is it.
We all know users are the weakest link; the option is set to allow for convenience, as in every security soft. Average Joe doesn't want to run things isolated all the time; they will choose isolated if they are not sure about the soft.
Only security geeks like us run almost everything isolated.
 

XhenEd

Deleted member 178 said:
By "default" we refer only to the settings; prompts are not settings, you can't change the way a prompt behaves in the settings tabs. That is it.
We all know users are the weakest link; the option is set to allow for convenience, as in every security soft. Average Joe doesn't want to run things isolated all the time; they will choose isolated if they are not sure about the soft.
Only security geeks like us run almost everything isolated.
I know. But you have to understand that those options of "Permanent" and "Allow" are already selected when you have the prompt. That makes them selections by default, chosen by the developers to be the default selections of the prompt. But the prompt would still leave the final decision to the user, whether the user wants to change the selections or not.

Yeah, I completely agree that the selection "Allow" is for convenience. In fact, I have really nothing against this, but given the video, it makes me question whether it should be selected by default.

Maybe, fixer can change the prompt, so as not to allow users to click "Okay" without selecting manually "Block", "Allow in Isolated Environment", or "Allow".

But even then, I already said this, the HIPS part is the one that should play the role when the user clicks "Okay" with the default selection. :)
 
Deleted member 178

XhenEd said:
Yeah, I completely agree that the default selection of "Allow" is for convenience. In fact, I have really nothing against this, but given the video, it makes me question whether it should be selected by default.
Maybe fixer can change the prompt, so as not to allow users to click "Okay" without manually selecting "Block", "Allow in Isolated Environment", or "Allow".

That is another story; I already recommended to the team to set it to isolated.
 
