App Review ReHIPS against Ransomware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
Yeah, it pretty much stops everything. Make sure to delete the isolated environments from rehips-settings-programs when it's a real system because when you run the malware it might be copied there. Also, don't do copy user data in case it's a file grabber that will steal your files.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
The video shows that the weakness is the user. The default option is to allow the ransomware. ReHIPS protected the system because the tester/user chose the programs to run isolated. So, without changing or choosing anything other than the default, the system might have been infected.

But even then, I think that the HIPS part would have done all the protection once the "allow" was chosen.
 
Last edited:
D

Deleted member 178

The video shows that the weakness is the user. The default option is to allow the ransomware. ReHIPS protected the system because the tester/user chose the programs to run isolated. So, without changing or choosing anything other than the default, the system might be infected.

You are right because he was on default settings, if the user selected Lockdown Mode , all will be automatically blocked.

But even then, I think that the HIPS part should do all the protection once the "allow" was chosen.

yes if the ransomwares generate child processes we would have popups.

Just to mention, ReHIPS devs are paranoids Russians lol , when you know that you can trust them for your security :p
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
You are right because he was on default settings, if the user selected Lockdown Mode , all will be automatically blocked.



yes if the ransomwares generate child processes we would have popups.

Just to mention, ReHIPS devs are paranoids Russians lol , when you know that you can trust them for your security :p
I'm confused on one thing.

If a user runs it on default isn't the file/app being ran in isolated mode? If yes, even if that file/app is malicious then it's still being isolated and the system protected, no?

As for Lockdown mode (for any other program) sometimes it's not the user intentionally want to run a malicious file. If he unknowingly ran the malicious file then the program (in Lockdown mode) should detect and lock the system down, right?

Isn't the system protected in both cases?

Thanks
 
Last edited:
5

509322

I'm confused on one thing.

If a user runs it on default isn't the file/app being ran in isolated mode? If yes, even if that file/app is malicious then it's still being isolated and the system protected, no?

As for Lockdown mode (for any other program) sometimes it's not the user intentionally want to run a malicious file. If he unknowingly ran the malicious file then the program (in Lockdown mode) should detect and lock the system down, right?

Isn't the system protected in both cases?

Thanks

As long as you run an unknown\untrusted file isolated, it will be OK for the most part. If you've copied over all real User profile data to the isolated environment, then that isn't so great when dealing with any kind of data stealer. What damage the data stealer can do depends upon what data the stealer is mining - how, where and for what data it searches for. If it is looking specifically inside User data, then it is a problem if you've copied it all over to the isolated environment. It is also dependent upon what datas you have stored in your User profile.

Also, if you download an unknown\untrusted file to the real user profile desktop and execute it, allow it in the initial and any subsequent HIPS alerts, then your goose can be cooked.

Bottom line: run any unknown\untrusted files inside its own isolated enviornment.

Learn how ReHIPS works. Master it. Use it as recommended. The likelihood of a major problem is slim.

TIP: It is best to download a file into an isolated environment and then execute it - as opposed to downloading it to the desktop and then right-click > Run isolated in ReHIPS

Why ?

Because there are writeable directories in Windows, and since you launched the program in the real User profile, files can be written to those directories in the real User file system. They're no big deal as they are inert on the system unless you navigate to the directory to which the file was written and manually execute it. Also, you will have to manually clean-up the files system in the real User profile.

Ain't got a clue ? -- ask fixer -- he will explain in-detail.
 
Last edited by a moderator:
D

Deleted member 178

I'm confused on one thing.

If a user runs it on default isn't the file/app being ran in isolated mode? If yes, even if that file/app is malicious then it's still being isolated and the system protected, no?

Default setting still give you the choice : block/isolate/allow; so yes it can be still isolated and the system protected.

As for Lockdown mode (for any other program) sometimes it's not the user intentionally want to run a malicious file. If he unknowingly ran the malicious file then the program (in Lockdown mode) should detect and lock the system down, right?
Isn't the system protected in both cases?

In Lockdown, non-whitelisted processes are auto-blocked (no prompts , just an alert) if it was a FP , the user have to go in the logs and change the rule.

Lockdown said:
If you've copied over all real User profile data to the isolated environment, then that isn't so great when dealing with any kind of data stealer.

Indeed, but luckily this option is disabled by default.
 
5

509322

Indeed, but luckily this option is disabled by default.

  • They need to learn how the soft works.
  • They need to understand how the soft protects the system.
  • They need to use their security softs with discipline.
  • They need to learn what not to do.

This is not difficult. Study your security softs. It will avoid a lot of nonsense. And there is no excuse with fixer giving details at forum.re-crypt.com.
 

erreale

Level 9
Thread author
Verified
Content Creator
Malware Hunter
Well-known
Oct 22, 2016
409
The video shows that the weakness is the user. The default option is to allow the ransomware. ReHIPS protected the system because the tester/user chose the programs to run isolated. So, without changing or choosing anything other than the default, the system might have become infected.

But even then, I think that the HIPS part should have done all the protection once the "allow" was chosen.

I ran the test with the default settings. As said Umbra if you enable Lockdown Mode behavior would be different.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
I ran the test with the default settings. As said Umbra if you enable Lockdown Mode behavior would be different.
You did run the test with the default settings, except when you chose the "Allow in Isolated Environment". The default selection was "Allow", not "Allow in Isolated Environment". So, going by default all the way meant that you just let the selection be.

That's why the weak link is the user. Running a questionable file to isolation is the best course of action (apart from "Block"), but not all users would select "Allow in Isolated Environment". Most of them would answer "Okay" to the prompt, without selecting other options.
 
Last edited:
D

Deleted member 178

You did run the test with the default settings, except when you chose the "Allow in Isolated Environment". The default selection was "Allow", not "Allow in Isolated Environment". So, going by default all the way meant that you just let the selection be.
No you misunderstanding Xhen, default setting means that the options/settings of the program are at default, means not modified by the tester. The prompt can't be used at default ! it is user decision. if not why asking ?

That's why the weak link is the user. Running a questionable file to isolation is the best course of action (apart from "Block"), but not all users would select "Allow in Isolated Environment". Most of them would answer "Okay" to the prompt, without selecting other options.

Your mistake is assuming that the every user will run only malware. The prompt is set as allow because most of the time the user "decided" to execute the program, which is supposed to be "safe" because no one will knowingly execute malware on their machine.

Prompts are made to be read then a choice have to be made, if the user is an idiot happy clicker, blame him not the soft.
 
Last edited by a moderator:

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
No you misunderstanding Xhen, default setting means that the options/settings of the program are at default, means not modified by the tester. The prompt can't be used at default ! it is user decision. if not why asking ?



Your mistake is assuming that the every user will run only malware. The prompt is set as allow because most of the time the user "decided" to execute the program, which is supposed to be "safe" because no one will knowingly execute malware on their machine.

Prompts are made to be read then a choice have to be made, if the user is an idiot happy clicker, blame him not the soft.
The selections on the prompt are by default. You can't say they're not default, because they are there, already selected, just waiting for the user to click "Okay".

The similar thing is the word "Recommended" (e.g. in Emsisoft's). When it says in the prompt that this selection is recommended, that is the default choice for the user.

No, I don't assume that every user will run only malware. I assume that most of the users will go by default or click "Okay", just like when they encounter a HIPS alert.

I agree that prompts are there for the users to have choices of what to do. But clicking "Okay" is also a choice, a choice of choosing, maybe blindly, the default selections of "Permanent" and "Allow".

So, yeah, what you said in the last part that I should blame the user, not the software, is spot on. Have you forgotten what I said that the weak link is the user? :D
 
Last edited:
D

Deleted member 178

The selections on the prompt is by default. You can't say it's not default, because they are there, already selected, just waiting for the user to click "Okay".
By "default" we refers only about the settings, prompts are not settings , you can't change the way a prompt behave in the setting tabs. That is it.
We all know users are the weakest links, the option is set to allow for convenience as in every security softs , Average Joe don't want run things isolated all the time, they will choose isolated if they are not sure about the soft.
Only security geeks like us runs almost everything isolated.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
By "default" we refers only about the settings, prompts are not settings , you can't change the way a prompt behave in the setting tabs. That is it.
We all know users are the weakest links, the option is set to allow for convenience ads in every security softs , Average Joe don't want run things isolated all the time, they will choose isolated if they are not sure about the soft.
Only security geeks like us runs almost everything isolated.
I know. But you have to understand that those options of "Permanent" and "Allow" are already selected when you have the prompt. That makes them selections by default, chosen by the developers to be the default selections of the prompt. But the prompt would still leave the final decision to the user, whether the user wants to change the selections or not.

Yeah, I completely agree that the selection "Allow" is for convenience. In fact, I have really nothing against this, but given the video, it makes me question whether it should be selected by default.

Maybe, fixer can change the prompt, so as not to allow users to click "Okay" without selecting manually "Block", "Allow in Isolated Environment", or "Allow".

But even then, I already said this, the HIPS part is the one that should play the role when the user clicks "Okay" with the default selection. :)
 
D

Deleted member 178

Yeah, I completely agree that the default selections of "Allow" is for convenience. In fact, I have really nothing against this, but given the video, it makes me question whether it should be selected by default.
Maybe, fixer can change the prompt, so as not to allow users to click "Okay" without selecting manually "Block", "Allow in Isolated Environment", or "Allow".

That is another story , i recommended to the team already to set it as isolated.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top