ReHIPS

Discussion in 'sandboxing & virtualization' started by MrBrian, May 24, 2014.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Paid version is really only necessary for isolating a multi-process browser such as Chrome+extensions.
    On Windows 10, Chrome is pretty secure out-of-the-box, and if you enable a few flags, you are even safer.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I use multi-process Firefox, but generally with few tabs open.
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I'm not a firefox user, but guest should know.
     
  4. guest

    guest Guest

    Extensions counts as process in multi-processes browsers.
     
  5. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    PaleMoon is a good solution for a single-process browser: http://www.palemoon.org/
    It's based on pre-Quantum Firefox, open source and still actively developed
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    We don't hear much about exploits on updated versions of Chrome or Firefox these days. If anyone has heard about such a thing happening in the last couple years, please link me to the story. So it is not a must to isolate Chrome or Firefox, IMO.
    Unlike Sandboxie, ReHIPS does not isolate your browser's downloads. True, it will not put them in real user space, but if you go and execute the downloaded files, they will not run isolated by default. So downloads is not a strong reason to isolate a browser.
     
  7. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    So, what SW would you suggest to run isolated by default? Office-like? E-mail?
    What's Chrome flags would you suggest to enable for stronger security?
    Thanks :)
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    The most important to isolate, IMHO: Office apps, especially MS Office.
    PDF apps, especially Adobe.
    Any browser that is not modern or does not receive the latest updates.
    As for Email clients, I would isolate them, even though I haven't heard much lately about such exploits.
    Ideally, you should isolate any and all internet-facing apps, if you can.

    There is a chrome flag for "Enable AppContainer Lockdown", and another one for "Enable GPU AppContainer Lockdown". Those are the flags that help to isolate Chrome from the local system. There are other flags to harden Chrome, but this is not the thread to discuss them.

    Maybe @guest can weigh in on your questions, he should have some good insights :)
     
  9. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Ok, thanks :)
    Does ReHIPS still register as AV in the windows security center?
     
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I don't think so. It used to register? That's funny, because it is not an AV or a firewall, I don't know why it should register.
     
  11. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    That's interesting. I don't think it does that anymore, but guest should be able to tell us for sure.
    I never saw that it disabled Windows Defender, and when I ran it with a third party AV, I never saw it listed by Windows as an AV.
     
  13. ReHIPS

    ReHIPS Developer

    Joined:
    Aug 29, 2014
    Posts:
    37
    Location:
    Europe
    Hello everyone.

    There was a blogpost with recommendations on what programs should be isolated, here https://forum.rehips.com/index.php?topic=9542.0

    Yes, ReHIPS did register in Windows Security Center as antivirus and antispy. But later (from ReHIPS 2.2.0) we decided to remove it as other AVs like Defender may act like: ah, they already have an AV, I'll do nothing then.

    Best Regards, fixer.
     
  14. guest

    guest Guest

    Which is the definition of sandboxed downloads...so ReHIPS does isolate downloads.

    By default and based on its rules:
    1- if executed from the isolated browser (aka "open" function in browsers), the file can't run.
    2- if executed manually from ReHIPS' container or ReHIPSuserX, the option to allow/isolate/block the exe is offered.
    However you can play with the settings to prevent execution from the container or download folder.

    Sandboxie automatically isolate any files run from its container, it is why Shmu think it is isolated download, if you create manually a file in the container of sandboxie and run it, the result is the same, the file is ran isolated. So in the case described by Shmu about sandboxie, it is not isolated download but isolated folder.

    which is wrong based on the demonstration above. You won't like drive-by Downloads.
     
    Last edited by a moderator: Jul 11, 2018
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I am not putting down ReHIPS, just pointing out a difference in default behavior, as compared to Sandboxie.

    In SBIE, I download Riskiware.exe, go to the download location, click, and it runs in sandbox.

    In ReHIPS, I download Riskiware.exe, go to the download location, click, and I get the same prompt I would see if I was running it from real user space. It is not isolated by default. This is okay, because ReHIPS handles the unknown file with anti-exe (SBIE can't do that, so it sandboxes instead). But bottom line, it is the same behavior as when I didn't isolate my browser in the first place.
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Please share that tweak, it sounds interesting.
     
  17. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    This is the key point in my opinion.
    If I have to follow this recommendation:
    I should isolate nearly everything.
    But the good point of ReHIPS is that it can alert the user before isolating stuffs
     
  18. guest

    guest Guest

    example, for my Chrome IE:

    C:\ReHIPS\Browser is (by default) where you should download the file from your browser; but personally i setup for the Chrome IE access to 2 other folders (downloads/uploads)

    rehips.JPG

    Then the isolated Chrome will not be able to execute downloaded files (because X is denied) , just read and write. (R = read, W = Write, X = execute).

    This is the true power of ReHIPS, and the reason why i love it, you have a lot of options concerning object permissions and Privileges.
     
    Last edited by a moderator: Jul 11, 2018
  19. guest

    guest Guest

    everything known as attack vectors (internet facing apps, docs readers, medias players, etc...)

    it is why i love it. Waited for such programs since years.
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    That's cool, thanks!
     
  21. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Yeah, it's like Comodo Firewall with the option to prompt before sandboxing apps and without the bothersome kernel hooks (problems with Windows updates).
    And it's also a great UAC replacement, since you can't whitelist apps in the UAC.

    I was thinking to try:
    • K9 Web Security to avoid risky websites
    • Light traditional AV (such as Panda) to get rid of known malware
    • ReHIPS to replace the UAC, perform a pre-exe check and add the option to run stuffs isolated in case of doubts
    • NVT OSArmor as post-exe check, just in case of user mistake
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Comodo makes it totally easy to sandbox an unknown. It just happens by itself.
    With ReHIPS, if you want to isolate an unknown, you need to go through a few windows and make a few decisions.
    First you need to decide if it will run in an existing IE, and if so, which one?
    If you want to give it a new IE, you need to set the rules (or just go with the default rules, not so bad :) )
     
  23. guest

    guest Guest

    yes the comodo sandbox is simpler, it was never intended to be the main protection, it is supposed to be the auto-sandbox and the HIPS.

    looks good, without overlapping features. But i won't disable UAC.
     
  24. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    I wrote disable but I meant set to never notify
     
  25. guest

    guest Guest

    for me UAC must be set at max. and i added the reg tweak to disable elevation of unsigned programs.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.