- Apr 1, 2017
- 1,782
AltBo the tool has an informative log but I cant find hwo to stop it from auto whistling my digitally signed files.
Shinobi Defense System
- Thread starter show-Zi
- Start date
- Status
- Jan 28, 2018
- 2,464
very nice. You seem to be a trainer for this program! I was frustrated before creating 100 rules. On PCs used on a daily basis, that pop-up was just an obstacle.
Regardless of the digital signature, this software warns everything except Microsoft's. My memories may be wrong, but there may have been the option to bulk whitelist all those running in the current environment
- Dec 29, 2014
- 1,716
I see that it does this, but it's not 100% clear what is or isn't being blocked to me in many cases. Have you tried the split view in logs? I think it helps because you can see how many allowed rules you have for each application and see the application's actions at the same time.
When I look at the rules, I am getting duplicates in the Logs area. I guess that's to be expected for history, but then the application also creates multiples of the individual settings until a choice is made I guess (every time the action occurs). History is full of duplicates, but I get like 15 settings duplicates
This is looking good in many ways, but it monitors even Chrome like say NoScript or whatever. I don't mind at all, because I think it's mostly blocking extranneous connections. Not sure about that. It's generating hoards of alerts though.
Looks like the best way to get to good settings is to look over "All settings" and then look at your Whitelisted applications. If there are any application type rules that should be not set (only the action rule allowed), then they can be deleted. Like, for example, get rid of command prompt rules that are set to whitelist the application. Then wait for the action to happen again and whitelist the action only. This can be done with all of the vulnerables that come down the line like CScript, WScript, cmd.exe primarily. There are others if anyone would care to go that far for DeP I can provide a list one processes to look for. Unfortunately, no way to preconfigure the free at least. With NVT ERP, it's possible to add vulnerables any time.
- Jul 3, 2015
- 8,153
So wait, if you are already at 800 rules, that means you will reach your quota of 1000 pretty soon. What happens then?
- Dec 29, 2014
- 1,716
Well, I guess the rules don't exist yet (most of them). Looks like they back log and then trickle through. I get one once in awhile now, almost all related to some java thing in Chrome or some connection there. Maybe the ones in queue won't show up sometimes if the page isn't loaded or whatever, not sure.
One other thing. I still have to look over the logs area better to determine how the alerts are spaced around the applications. Probably, I will go for a couple of more hours and then remove the app and start over. I suspect I'll end up somehow with fewer rules. I can see that some of the apps chewed up rules when I misappropriated an application allow or blocked something like a Google connection.
I notice there is a setting in Advanced Settings for allowing the browser java by default. It's on, so I'm not sure why I am getting those alerts. Maybe resetting the rules is the answer for me.
One thing I think may be true. Seems like it might be best to shut everything down (not just security) with this application when installing it at first. It starts right away with the alerts (one at a time which is good), so having them occur one by one with applications as they are opened might be the best way to get good clean rules with no mistakes. Otherwise, looks to me like it can create a mess.
One other thing. I still have to look over the logs area better to determine how the alerts are spaced around the applications. Probably, I will go for a couple of more hours and then remove the app and start over. I suspect I'll end up somehow with fewer rules. I can see that some of the apps chewed up rules when I misappropriated an application allow or blocked something like a Google connection.
I notice there is a setting in Advanced Settings for allowing the browser java by default. It's on, so I'm not sure why I am getting those alerts. Maybe resetting the rules is the answer for me.
One thing I think may be true. Seems like it might be best to shut everything down (not just security) with this application when installing it at first. It starts right away with the alerts (one at a time which is good), so having them occur one by one with applications as they are opened might be the best way to get good clean rules with no mistakes. Otherwise, looks to me like it can create a mess.
- Apr 1, 2017
- 1,782
Ye, i did.
Although I like the product but
The log is good but I got headache:X3:
- Dec 29, 2014
- 1,716
Yeah, I know what you mean. Here are things I have noticed:
First time through when didn't know what exactly to expect:
1. Delete a rule and save and reopen log and the rule plus maybe more are back.
2. The rules pile up fast
Second time through knowing more:
1. Keep the browser closed so far and created the rules I want. Probably would still be issues with deleting rules and don't see a way to edit one also (forgot to mention that before). Have to wait to see with the rules.
2. If you want to block one element of a program, you have to think way ahead (*See question below). Whitelisting any application seems to mean no option to blacklist an action of the application (not sure about this yet)
3. Don't know why, but, even with the browser closed, on the alerts it says I have 890 registered records in the White and Black List. I don't understand why.
4. Going through slowly did well with everything but the browser, but it took a full tedious hour. Also, allowing one thing sometimes meant other rules would magically appear under an application. No way to manage them without split view. This is because you can't make sense of the sequence. Looks like they should eliminate other ways to see rules
5. I actually like this way of doing things. However, the developer would have to get the setting for separating the browser from everything else to work properly. This is not browser protection...no way to manage scripts in a browser this way.
The last one is where ReHIPS has this program. Otherwise, it's more configurable and powerful, like I imagine AppGuard to be. It basically gives you more options (overlooking the option to isolate in ReHIPS) for controlling elements of program. Looks like it will create rules IP by IP with internet connections. This is interesting, but obviously this app needs work to become usable. I think ReHIPS is more on its way at this point for sure, yet I also think this will be different. Even if it's not usable, I think it will succeed long term if development can come up with some creative solutions (a good number of them granted).
*Question from above: Not sure if this application allows user to blacklist behaviors of Allowed applications. I see that there are action rules that haven't been set yet for applications that have been whitelisted. They seem to appear with regularity, like I can still go back in and blacklist one even for a whitelisted application. O/C I guess there wouldn't be any alert, but it's still interesting, even if this is the case.
Nice idea and I wish the best of luck to the developer. Thanks to @show-Zi for bringing this to our attention. I think I will try to use it until I run out of rules or until I find the browser is just too much to manage...
First time through when didn't know what exactly to expect:
1. Delete a rule and save and reopen log and the rule plus maybe more are back.
2. The rules pile up fast
Second time through knowing more:
1. Keep the browser closed so far and created the rules I want. Probably would still be issues with deleting rules and don't see a way to edit one also (forgot to mention that before). Have to wait to see with the rules.
2. If you want to block one element of a program, you have to think way ahead (*See question below). Whitelisting any application seems to mean no option to blacklist an action of the application (not sure about this yet)
3. Don't know why, but, even with the browser closed, on the alerts it says I have 890 registered records in the White and Black List. I don't understand why.
4. Going through slowly did well with everything but the browser, but it took a full tedious hour. Also, allowing one thing sometimes meant other rules would magically appear under an application. No way to manage them without split view. This is because you can't make sense of the sequence. Looks like they should eliminate other ways to see rules
5. I actually like this way of doing things. However, the developer would have to get the setting for separating the browser from everything else to work properly. This is not browser protection...no way to manage scripts in a browser this way.
The last one is where ReHIPS has this program. Otherwise, it's more configurable and powerful, like I imagine AppGuard to be. It basically gives you more options (overlooking the option to isolate in ReHIPS) for controlling elements of program. Looks like it will create rules IP by IP with internet connections. This is interesting, but obviously this app needs work to become usable. I think ReHIPS is more on its way at this point for sure, yet I also think this will be different. Even if it's not usable, I think it will succeed long term if development can come up with some creative solutions (a good number of them granted).
*Question from above: Not sure if this application allows user to blacklist behaviors of Allowed applications. I see that there are action rules that haven't been set yet for applications that have been whitelisted. They seem to appear with regularity, like I can still go back in and blacklist one even for a whitelisted application. O/C I guess there wouldn't be any alert, but it's still interesting, even if this is the case.
Nice idea and I wish the best of luck to the developer. Thanks to @show-Zi for bringing this to our attention. I think I will try to use it until I run out of rules or until I find the browser is just too much to manage...
Last edited:
- Apr 1, 2017
- 1,782
Thanks for the explanation and yes it's not usable.SpyShelter free can be a good alternative for this product but the SpyShelter don't monitor the browser like Shinobi.
Shinobi also monitor Dll files in a better way!
Shinobi also monitor Dll files in a better way!
- Jan 28, 2018
- 2,464
Dear@AtlBo
To teachers who always teach, presents from me
I also look forward to useful lessons.
Thanks to everyone
どうもありがとう
To teachers who always teach, presents from me
I also look forward to useful lessons.
Thanks to everyone
どうもありがとう
- Dec 29, 2014
- 1,716
Thankyou @sushine-boy (no problem!) and to you also @show-Zi. It's a very interesting application. I really like it. ReHIPS is too much for me, because of all the user accounts that are created. It has a long way to go too imo before users will be able to manage all of its elements confidently. Yet, I think DeP and ReHIPS compare in scope, even though DeP doesn't employ isolation (containment). In a way it seems like a bigger challenge to manage activities of applications to the degree DeP does. 
- Jul 3, 2015
- 8,153
I would not compare ReHIPS to Shinobi.
The HIPS component of ReHIPS is not so developed yet. You don't get so many prompts, and you don't have fine-grained control over process execution. For instance, you cannot set it up to allow process A to execute process B and not process C. As long as process C has an allow rule, and process A has permission to execute child processes, A can execute C.
But that is changing with the next version of ReHIPS. There will be much more fine-grained control over process execution. In the mean time, the main strength of ReHIPS is the sandboxing (isolation) of exploitable applications, and a very smart set of default HIPS rules that properly parse command lines and restrict vulnerable processes. That is besides the anti-exe function, of course.
The HIPS component of ReHIPS is not so developed yet. You don't get so many prompts, and you don't have fine-grained control over process execution. For instance, you cannot set it up to allow process A to execute process B and not process C. As long as process C has an allow rule, and process A has permission to execute child processes, A can execute C.
But that is changing with the next version of ReHIPS. There will be much more fine-grained control over process execution. In the mean time, the main strength of ReHIPS is the sandboxing (isolation) of exploitable applications, and a very smart set of default HIPS rules that properly parse command lines and restrict vulnerable processes. That is besides the anti-exe function, of course.
- Dec 29, 2014
- 1,716
It's not like ReHIPS I agree. It's not as developed at this point, and the program doesn't appear to be headed for the same kind of protections However, it reminds me of ReHIPS in the scope (breadth) of the protection and also the novelness of the concept. I think of security largely in terms of firewalling, like say 50% I guess, and this program could be headed toward being something like a combination of Heimdal and a NVT ERP/OSArmor morph of some kind. Who knows, but it's interesting to me that I can block some of the extraneous net connections like Heimdal.
ReHIPS I would define as part of a two program setup, so DeP seems to me to be headed the same direction in that way, assuming the development continues.
All respect to where ReHIPS is going with this, but on a deeper level, I like Comodo's approach here. Comodo HIPS gives me the ability to decide which applications Windows Explorer can start, etc. Carry that over to every application, and it's very powerful. Comodo's HIPS protections of this type flow more naturally from the alerts in this regard than with ReHIPS imo. Also, Comodo actually provides specifically for this type of protection, where it is more or less possible with ReHIPS. Sounds like that will be changing with ReHIPS, so that is interesting for sure, as long as rules creation flows from the alerts like with Comodo.
DeP isn't in the ballpark of either of those programs yet, but it reminds me of ReHIPS in alerts style and operational style, based on where it might be in a few years I guess I would say.
Tried it out in Virtual Box and if I select advanced settings, I can't close the box unless I do a ALT F4. Also noticed the js notifications in my browser.
- Dec 29, 2014
- 1,716
Well, the fun is over. It's neat to see all the garbage the internet spews onto systems. Very educational.
If dev can come up with an efficient way to deal with that such as the adblockers do, great, I might try it again. It's really rough otherwise. Never quite made sense of the settings rules with new unset behaviors appearing under each application, new and multiple instances of the same app, etc. Regret not getting a look at the other mode available, but it was too much for me to bear...
Looks like this experiment PC is going to be 360, NVT ERP and NVT OSArmor. I installed OSArmor (ERP already here) and ticked a ton of the rules. Ran in passive for awhile, and I am satisfied OSArmor should be a big hit. I these rules...
If dev can come up with an efficient way to deal with that such as the adblockers do, great, I might try it again. It's really rough otherwise. Never quite made sense of the settings rules with new unset behaviors appearing under each application, new and multiple instances of the same app, etc. Regret not getting a look at the other mode available, but it was too much for me to bear...
Looks like this experiment PC is going to be 360, NVT ERP and NVT OSArmor. I installed OSArmor (ERP already here) and ticked a ton of the rules. Ran in passive for awhile, and I am satisfied OSArmor should be a big hit. I
these rules...- Status
Similar threads
