ReHIPS

Discussion in 'sandboxing & virtualization' started by MrBrian, May 24, 2014.

  1. guest

    guest Guest

    I only extracted the pdf-file from the installer. I won't try to install an old version from 2014 ;)

    Will there be an updated "ReHIPS Admin Guide" in the final version?
     
  2. guest

    guest Guest

    I was too much focused on my "Alerts" :eek:
    I think I should always look if there are new posts before I ask something. Maybe it was already answered :D :thumb:
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined: Jun 25, 2011
    Posts: 2,015

    Thank you.

    So actually ReHIPS = HIPS + Isolation (or Sandbox)? Or ReHIPS = AntiExec + Isolation?

    And HIPS is watching all sensitive areas like the registry?
    If some malicious process sneaked into the OS, or some routine process (which isn't isolated and has no rules for it) is hijacked, then HIPS kicks in and asks if it can make these suspicious manipulations with the registry or sensitive data?

    Thank you.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004
    Posts: 17,559
    Location: The Netherlands

    I believe the first versions weren't that handy and usable at all, so that's why I wondered if it has been improved.

    Is it just as easy to run any app sandboxed, or is it only geared to apps that are vulnerable to exploits? With SBIE I can run about 80 to 90% of all apps correctly. Actually, I sometimes wish that SBIE was less restrictive in order to make more apps work, but I guess you need light virtualization for that.
     
  5. hjlbx

    hjlbx Guest

    It's relatively easy to configure any program to run isolated in ReHIPS.

    If there is any breakage or other problem, report it to ReCrypt staff. If it can be fixed, then they will fix it. In some cases, the issue is with Windows and/or the program itself. In those cases ReHIPS itself is not the problem. So far, I have seen ReCrypt staff report problems to 3rd party vendors. If those vendors correct the problem that's great, but if not there's generally nothing that can be done about it, although sometimes ReCrypt can devise a workaround.

    ReHIPS still needs more usability assessments by users running as widely used programs run isolated. As reports filter in, things get fixed where they can be fixed.

    ReHIPS is one of the more capable physical security softs because of its protection model.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004
    Posts: 17,559
    Location: The Netherlands

    OK, so I guess it's more meant to protect only a few apps against exploits. That's not what I'm looking for. That's why I like SBIE: it can not only protect against exploits, it can also run just about any app that doesn't deeply integrate into the system. And it does this out of the box, no need to configure anything.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004
    Posts: 17,559
    Location: The Netherlands

    OK, so I misunderstood, my bad. It sounds good to me. Obviously, I will not stop using SBIE because I like virtualization, but I assume they will be able to run alongside each other.
     
  8. hjlbx

    hjlbx Guest

    ReHIPS is designed to protect the system from persistent infection - by running executable code (programs already on system when exploited, freshly downloaded files, browser javascript, etc) in the isolated container using Windows protection mechanisms (different user profiles).

    The built-in Windows protections are generic - as opposed to compromise classification specific.

    It's just that 3rd party vendors do not always fix reported bugs and problems. That's not a ReCrypt problem...
     
  9. hjlbx

    hjlbx Guest

    Yes. You can do that.

    I sort of know your preferences -- and ReHIPS alters the desktop experience sufficiently that you personally will find it unacceptable...
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined: Jul 10, 2004
    Posts: 17,559
    Location: The Netherlands

    I've chosen not to test these types of apps, since I only have one machine, and I'm not using any rollback or imaging apps. So that's why I'm asking all of these questions. But does it already have a built-in list of supported apps?

    Let's see what happens, but I wouldn't be surprised if you will be right. I also didn't like GeSwall and DefenseWall, so if it's anything like that, I will for sure hate it.
     
  11. hjlbx

    hjlbx Guest

    Yes. The list is growing.

    Watch any of the ReHIPS videos and you will see what I mean. Programs run isolated can only be accessed by the ReHIPS widget. So if you routinely run more than a few programs in their own dedicated isolated environment (recommended practice) simultaneously, then you will be constantly switching back and forth between individual environments and/or the desktop. Also, you won't have any desktop taskbar access inside an isolated environment.

    I'm pretty sure it will not be for you.

    As far as myself, I don't like the altered desktop experience - it's cumbersome and inefficient for my work style and daily use patterns - so I beta test ReHIPS to help ReCrypt and other ReHIPS users - but I don't use ReHIPS on a day-to-day basis.

    That being said, ReHIPS is still one of the better security solutions...
     
  12. guest

    guest Guest

    You mean the switching between these "virtual" desktops?
     
  13. hjlbx

    hjlbx Guest

    Yes... via the ReHIPS widget.
     
  14. guest

    guest Guest

    Default setting: HIPS + isolation
    In Lockdown Mode: anti-exe + isolation (because non-ruled apps are blocked)

    It asks (check screenshot below)
     


  15. guest

    guest Guest

    I did (until I removed Sandboxie because its constant useless updates bothered me).

    Basically they can both run alongside each other, but they will conflict for isolating the browser; then the user has 2 choices when isolating something:

    1- keep ReHIPS as main isolator (by tweaking Sbie or by clicking Sbie tray icon to run apps non-isolated)
    2- keep Sbie as main isolator by adjusting ReHIPS rules.

    The only advantage of Sbie I see at the moment is that Sandboxie allows folder isolation (ReHIPS will surely do it too in future builds) and all your isolated apps are accessible on the real desktop (unlike ReHIPS, where they are on Virtual Desktops).
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined: Sep 20, 2003
    Posts: 20,590

    I have a question. I am very comfortable having a piece of ransomware in SBIE. Do you guys feel the same with ReHIPS?
     
  17. NormanF

    NormanF Registered Member

    Joined: Feb 20, 2009
    Posts: 2,881

    If your process is run in isolation and ransomware should be spawned in it, it will be killed when the isolated process is terminated.

    In unsecured environments, it would be very effective in keeping malware crud off your system.
     
  18. guest

    guest Guest

    @Peter2150 The ransomware could not even run; the HIPS module will block it before it can be isolated (unless you allow it, which I don't even think to do).
    And in the case you allow it, it will be restricted to the IE (Isolated Environment), which acts as a tightened SUA account.
     
    Last edited by a moderator: Jul 30, 2016
  19. Solarlynx

    Solarlynx Registered Member

    Joined: Jun 25, 2011
    Posts: 2,015

    Thank you. Very interesting. In Lockdown Mode there's no HIPS, only anti-exe.

    Then if in Lockdown Mode a non-isolated running process is hijacked, then it can do anything. I mean not a 'drive-by-download' attack. HIPS would ask whether to allow its suspicious actions. But in Lockdown Mode, Anti-Exe watches only the start of new processes. And if a non-isolated, already running process is hijacked, then it can do anything. Am I right?
     
  20. guest

    guest Guest

    Lockdown Mode blocks everything that is not present in the rules (or was removed by the user from the initial rules). For example, in Standard Mode (HIPS), if I execute dropbox.exe (which was run for the first time), I will get an alert; in Lockdown Mode, I will just see a popup mentioning dropbox was blocked.

    ReHIPS is capable of differentiating modified processes (for example updated apps) and then alerts you (unless you selected to ignore modifications for that app).
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined: Sep 20, 2003
    Posts: 20,590

    Okay, one last question. When I test my setup, I assume that if I have to answer a question, I will answer it wrong. HIPS and AEs can be answered wrong. SBIE can't. What about ReHIPS in that situation?
     
  22. guest

    guest Guest

    @Peter2150 In Sandboxie you have the "run in Sandboxie"; in ReHIPS you have the same feature as well. So when you use it, you will create a brand new IE (as if you created a new SUA account) dedicated to that particular application, and this app will run (by default) as if it was just installed, because the IE is similar to a new user. Alternatively, you can also copy your real user data for this app in case you want it to have your settings.
    During the IE's creation (and after), you can adjust its settings (access rights and privileges) to fit your needs. It is what I like in ReHIPS: very deep control of each IE and rules.

    Remember that in ReHIPS, the HIPS module is on top of the isolation mechanism and gives you more system-wide control and monitoring; however, you can disable it if you feel it is too intrusive (but you will lose ReHIPS' purpose).

    P.S.: I will post some screenshots when back home :D
     
    Last edited by a moderator: Jul 31, 2016
  23. guest

    guest Guest

    So let's isolate a software together (HIPS module disabled):

    1- We will use "Run Isolated in ReHIPS" (screenshot "run as").

    2- Then we have a popup allowing us to select the rule's options (screenshot "run as popup 1 & 1b"; I extended the popup to show all options); we can allow/block network access, select allowed/restricted folders, access rights, privileges, etc.

    3- Once all is done, we are oriented to the Isolated Environment aka Virtual Desktop (screenshot "IE") acting as a tightened SUA. You can see there is no taskbar, nor icon, nothing; just your apps.
    On the bottom left you have the widget allowing you to switch between virtual and real desktop.

    I hope I helped you understand ReHIPS better ;)
     


    Last edited by a moderator: Jul 31, 2016
  24. Peter2150

    Peter2150 Global Moderator

    Joined: Sep 20, 2003
    Posts: 20,590

    I assume it's the same for Firefox
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined: Sep 20, 2003
    Posts: 20,590

    Also this is helpful
     