ReHIPS

Discussion in 'sandboxing & virtualization' started by MrBrian, May 24, 2014.

  1. guest

    guest Guest

    The current version we are testing was never planned to be released soon until the announcement in January 2017 (if all works as expected), since last year we had 2-3 beta builds. However, you can get a public beta version if you can't wait.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well, I gave it another shot, and got it working, sort of. Deleted conflicting software first to test. I found I could run a simple program isolated, but when I isolated a program that required a response to something like ERP, it would jump back to the regular window. Am I doing something wrong?
     
  3. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    In prior versions of ReHIPS, if a program launched a process inside the isolated environment without any existing HIPS rule for it, it would then generate a HIPS alert outside the isolated environment. This presented an issue - the newly launched program would seem to freeze, but actually it was because the HIPS alert was on the real desktop. There was no indicator to the user that a HIPS alert was waiting to be answered on the real desktop. I asked fixer to implement the auto-switching as the solution to the above "issue."
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    So after that it stays in the real desktop? If that's the case, its isolation is useless to me.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yep. Once I replied to an alert it stayed in the main desktop, in essence ending the isolation.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Don't remember seeing such an arrow, but I'll take another look.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, now I am officially impressed. Finally got my mind wrapped around it and got it working. I ran 3 of the nastiest pieces of Ransomware at it and it passed with flying colors. So now I have a couple more questions.

    1. As for the HMPA and AppGuard exclusions: what exe's are you excluding?
    2. Do you really need HMPA?
    3. How are you guys using it now? In actual real time or just for beta testing?

    Now you guys have me really wound up.

    Pete
     
  8. guest

    guest Guest

    The process stays in the Isolated Environment / virtual desktop; the alert is on the real desktop but is indicated in the virtual desktop by the blinking widget; you then click the 2 arrows area of the widget to go to the real desktop.
    And if you don't like the virtual desktop, you can force an isolated app to be displayed on the real desktop (a la Sandboxie) in exchange for some potential minimal loss in security (depending on the app & situation).
     
    Last edited by a moderator: Feb 11, 2017
  9. guest

    guest Guest

    - On HMPA: I put HIPSAgent64.exe, HIPSGui64.exe, HIPSservice64.exe on the HMPA exclusion list; on the latest beta of HMPA it is not needed, but since a previous version of HMPA blocked ReHIPS from running its isolation, I do it to prevent issues and further potential incompatibilities.

    - On AG: add the same processes to AG's Powerapps; if not, isolation can't run.

    HMPA, not really; exploits are contained in the IE (Isolated Environment), but I still use it for its other features (keystroke encryption, which works in the IE). Never good to me to inject a security app with a DLL from another one ^^

    I use it in real time; in fact it is my essential app with AG. It even made me ditch Sandboxie, which is a huge prowess.

    I am glad you like it; the 1st time I used it I was also impressed, and you have just scratched the surface of what ReHIPS can do. If you enable advanced settings in the GUI, you have access to huge granular settings and tweaking options for each process & IE.

    We closed beta testers gave the devs a huge list of usability improvement requests; the security aspect seems complete (as far as vulnerabilities don't emerge)...

    Most "issues" you may face now are some alerts due to the whitelist not being completed yet. I advise you to register on the ReHIPS forum and read the various threads if you have time (because there are a lot of threads ^^); you will learn a lot about Windows security mechanisms and ReHIPS.
     
    Last edited by a moderator: Feb 11, 2017
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks guest. I am already registered on the forum. Well, one of the things I like is it is not as popular as SBIE. Too much of the malware is now SBIE aware.

    So what do you run isolated?
     
  11. guest

    guest Guest

    * = In Virtual Desktop

    Chrome, Tor Browser*, Foxit Reader*, VLC*, SMplayer*, Outlook* & Office* (if the file isn't from me), and Tixati*

    Those are my most used apps; they have a permanently created IE. For other apps, I often use "Run Isolated in ReHIPS" depending on the situation.

    I impatiently await the next build; a lot of our requests were implemented.

    Obviously, my bad... if not you won't have the beta lol, I need more coffee ^^
     
    Last edited by a moderator: Feb 11, 2017
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Is 2.22 RC the latest? My thanks to you guest and SHvFI for helping me to get it to this.
     
  13. guest

    guest Guest

    Yes, 2.2.0 :thumb: (closed beta testers have some newer builds, but not much different concerning security)

    You are welcome :)
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    @Peter2150 Interesting that you are getting 'really wound up', which is rare I would say ;)
    I have it on my secondary machine, but kind of 'on ice' for now as I haven't played with it for a while. I liked it but probably didn't spend enough time to properly get my head around it.
    You make me keen again. With usability improvements, well ... :)
    Keep us posted with your experiences.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, update. I installed it on my desktop. Install went well. In testing everything seemed to work as advertised. Played around with the stuff on my system and then looked at what I would need to do to make it mine, and then uninstalled. WHY?

    Well, my first test I almost knew would fail. I use the Rhapsody/Napster Music service, and won't give it up. It's a nightmare for security programs. The desktop icon isn't an icon, but a ClickOnce application. The music service isn't started by an application per se, but by rundll32 kicking off a DLL. It then heads to appdata for the rest of its stuff. Nuff said.

    The traditional office applications all worked fine, but I would have to totally reconfigure, as quite often I will run two different office apps together one on each of two monitors. The default setup won't do that. Also since almost 99% of my office docs are internally generated I don't need the isolation. Don't Sandbox any of them.

    Then there is Outlook. First I run Quickbooks, which in itself has two apps. Then there is check scanning software, a separate app that runs in Quickbooks. Then all invoices, etc., are emailed by sending them thru Outlook. Then in Outlook, there are two add-ons that are also separate apps. One is a spam filter, another a search engine. Finally I use Microsoft MapPoint 2013, which interconnects with Outlook for mapping contact addresses. Can you see trying to configure that mess? I won't even try it with Sandboxie.

    So it comes down to the only application that works for me is my browsers. It was a pain as the passwords weren't retained. And they work fine in SBIE, so I ask myself what the point is.

    All that said this looks like an exciting application and I shall monitor and test.

    Oh, one other issue. I couldn't get Acrobat Pro XI to run isolated. It generated errors in loading the file, and when I got around that I got a licensing error. Again, I don't need the isolation as all PDFs are internally generated.
     
  16. guest

    guest Guest

    If you post exactly this on the ReHIPS forum, the devs will take a look and may offer you workarounds; they often find one.
    Devs won't come here to solve them.

    What do you mean by your passwords aren't retained? Those you used with the browser's own password manager?

    If yes, because ReHIPS by default doesn't use user data for security's sake, IEs use the default settings of the browser/apps; then you may try:

    Go to Settings (enable advanced mode) > Programs > (search your username); your various IEs will be displayed (check my screenshot) > double click on the browser > tick "copy user data" > relaunch your browser > if it works as you want, untick the box (you won't like everything being copied into the IE, especially malware ^^)

    Yes it is; most common apps are working, now specific uses must be notified to them.

    Rehips forum is your best bet ;)

    This is the kind of issues the devs are looking for, either they already have a solution or they will figure it out.
     


    Last edited by a moderator: Feb 13, 2017
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, I will copy my post and post over there.
     
  18. jacemace

    jacemace Registered Member

    Joined:
    Sep 10, 2009
    Posts:
    78
    Hi, this is not specifically about ReHIPS, but as ReHIPS is one of my security programs, I am posting it here.
    This is about allowing drive-by malware to be installed on a computer.
    I installed the "free" version of Super Video Converter, as Freemake Video Converter wasn't working for a certain file.
    I had uninstalled Super Video Converter a few years ago, and remembered that it had add-on malware/spyware that a program like Unchecky could stop, but I am also very vigilant during installation, and watch everything.
    There is also an unbundled version of Super Video Converter for $14 that I didn't get.
    Well, there is no choice anymore with the free Super Video Converter download; even if you uncheck everything, it still gives you malware/spyware - it changes all taskbar browser shortcut links to .ico and .lnk malware that open their browser to a Russian search engine. It adds a Chrome browser search extension, changes Firefox homepages and searches, adds a malware folder, and other things.
    ReHIPS didn't catch it, but neither did Avast Premier, Comodo HIPS, Malwarebytes Anti-Exploit, Zemana AntiMalware, or SpyShelter Premium.
    I should have tried HandBrake video converter, but I didn't have a good experience last time.
    PS, I used to have HitmanPro.Alert and WinAntiRansom, but I took those off because they slowed/caused problems with the computer.
    So this isn't about ReHIPS in general, but that a lot of security can miss drive-by malware/spyware that is accidentally, unbeknownst, installed.
    Any suggestions on how to "harden" ReHIPS?
    Also, feel free to move this to another section.
    I used Malwarebytes, HitmanPro, Emsisoft Emergency Kit and Zemana to clean the computer.

    Thanks.
     
    Last edited: Feb 21, 2017
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Try installing with NVT ERP. With that you might see it install that piece and can block it. I've done this with OpenCandy.
     
  20. jacemace

    jacemace Registered Member

    Joined:
    Sep 10, 2009
    Posts:
    78
    Thanks for the reply. I was thinking that there must be a good program that watches all the details of installations; I was using Process Explorer and Process Hacker, but they weren't detailed enough or didn't catch it, I guess.
    Would Comodo HIPS and Comodo KillSwitch running find these separate installation pieces?
    Are there other software programs like NVT ERP that can find and block/ask about all the little unseen installation bits?

    Thanks.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, this is going way off topic. Why don't you start a new thread and pose your question there.

    Thanks.
     
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    If you want a product that is going to catch everything in the run sequence, then you have to use a product that has a HIPS, but it isn't always going to catch bundled PUPs/PUAs.

    If you want to trace an entire installation, then you need to use a product like Revo or Total Uninstall.

    As far as antivirus that is going to detect and prevent the installation of bundled riskware and PUPs - that is going to vary widely from antivirus publisher to antivirus publisher. There are not strict industry rules applied by AVs to every single PUP, riskware, OpenCandy, toolbars, etc.
     
    Last edited: Feb 21, 2017
  23. guest

    guest Guest

    Those are not spyware or malware; those are browser hijackers/PUPs, not malicious themselves but surely very annoying. So security solutions won't bother with them, because they don't impact the system areas.

    If you had installed it isolated in ReHIPS, it wouldn't affect your browser.
     
  24. jacemace

    jacemace Registered Member

    Joined:
    Sep 10, 2009
    Posts:
    78
    Thanks for the replies.
     
  25. guest

    guest Guest

    ReHIPS RC4 was released yesterday; it should be the last build before the Stable release (quoted from the devs; if everything is ok, obviously).

    One major visible change is the full support for multi-user accounts (aka SUAs); Admins can now deny/allow users to access the GUI (from what I see).
     