ReHIPS

Discussion in 'sandboxing & virtualization' started by MrBrian, May 24, 2014.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    right now I have it on standard mode.
    what will change if I switch to expert mode?
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    thanks for your help, I will give it a go.
If it ignores trusted vendors, then I think it should basically function like an anti-executable running according to a whitelist. That is what I am looking for.
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    does ReHIPS protect vulnerable processes, like NVT ERP does?
     
  4. guest

    guest Guest

so what is the point of using ReHIPS; you just discard its main and strongest purpose...

    Of course. Every process can be blocked.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    so, if ReHIPS without isolation is missing the main purpose, then it would be better to use NVT ERP instead?
     
  6. guest

    guest Guest

Indeed. It is similar to having a 4x4 car and only driving in town, pointless.
     
  7. hjlbx

    hjlbx Guest

    You have to do it manually. I made a request to make this process for the user more simple, but I'm not sure what ReCrypt has decided yet. Right now I think their focus is on general usability improvements.

    After ReHIPS stable is released I will talk again with fixer and schelnukov about it.

    All that being said, if you understand and know which processes that are shipped with Windows, then it is not a difficult task - because a process without a permanent rule generates an alert. When you see that alert - if the process should not be executing - you block and ask questions later.

    For example, if you are surfing to a website using Chrome and get alerts for Powershell and RegAsm.exe executions - you just know something is not quite right. You block those processes from running and then investigate using the ReHIPS logs, other utilities, etc.

    Afterwards, if it is legit, then you can unblock things.

    This is time intensive, but this is not difficult...
     
  8. jacemace

    jacemace Registered Member

    Joined:
    Sep 10, 2009
    Posts:
    77
    got an error - rehips service could not be started
     
  9. guest

    guest Guest

    it is not very helpful, can you give details, procedure to replicate it?
did you switch Windows users without logging out?
     
  10. jacemace

    jacemace Registered Member

    Joined:
    Sep 10, 2009
    Posts:
    77
    Another similar error on boot up for rehips - "failed to open service link"
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    why not post on https://forum.re-crypt.com/index.php?board=2.0
    the guys over there will be happy to help.
    Of course, you should provide as much specific info as possible, in order to help them help you...
     
  12. jacemace

    jacemace Registered Member

    Joined:
    Sep 10, 2009
    Posts:
    77
    This probably has more to do with another software product - here is what I conclude:
    I like to run adwcleaner, and I download it from bleeping computer. I always uncheck all the option boxes, and make my own choices with adwcleaner.
    But it wasn't adwcleaner that did this to windows/rehips - I also saw malwarebytes jrt junk removal tool, on bleeping computer - so I gave it a try. I should have not used a command line cleaner with no choices - even combofix never did this when I used it on windows 7. There was a warning in jrt, before you start it, but what good is that if you use it.
    So I got the rehips error - and with a lot of patience I uninstalled rehips, which takes a bit, then reinstalled, and let it set its initial rules in the parsing installed products.
Well the rehips hipsgui error was gone - replaced by can not start rehips, qt5winextras.dll is missing. So I got a copy of the dll qt5winextras.dll, and put it in the directories system32 and syswow64, and that error was gone - replaced by the error that doesn't want to be fixed, with many solutions posted in google search that don't work. The error is 0xc000007b, and is said to be related to c++ redistributable, .net framework, directx, and maybe others. I have tried many repair attempts from replacing dll's to running chkdsk repair from boot, nothing has worked.
    I will have to save all my files, and do a fresh windows install.
    I will never use a command line scanner/cleaner again - especially ones without options - and I will never use malwarebytes jrt ever again. I do use malwarebytes anti-malware pro, but only use it as a scanner - and I also use malwarebytes anti-executable.
    One final thing - over the years since using windows 7,8,8.1 - I have never updated windows - most people will not like this, and say it is not secure and a problem for windows. I have found windows performs poorly with updates, from installation, conflicting with seemingly, and even itself - and other things, like security software, video software, software in general - and just generally not working well within the whole system. Even the updater is slow, and uses to excess resources. But I must admit, I would rather update windows this one time, than reinstall a copy of windows. I know I would be able to install the updated .net framework, which I can't right now - because I'm missing certain windows updates.
    What should I do - update windows, or reinstall it?

    Thanks.
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
can ReHIPS be combined with an AV that contains a HIPS component, such as Kaspersky Internet Security?
    I know that generally speaking, it is bad to combo one HIPS with another, but maybe ReHIPS works differently (no hooks)?
     
  14. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I used both in the past without any major problems.
    The only possible issue I could find is the isolated desktop of ReHIPS because it seems that Kaspersky recognizes separate desktop to be really separate to the point that it disregards some options regarding the isolated program. For instance, I used Chrome, and Kaspersky's Secure Data Input was disabled. If Chrome is in isolation, Secure Data Input activates on password fields, despite that it is Off in the Kaspersky program options.

    And so, it's like isolated program with Kaspersky's default options enabled.
     
  15. guest

    guest Guest

pointless to do that... you would have double the alerts for the same thing.
     
  16. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    That will be the case if KIS is set to Interactive mode. "Automatic" is the default.
     
  17. guest

    guest Guest

But in a logical state of mind, just pointless... ReHIPS's main point is to have a hook-less sandbox/HIPS, so why use another HIPS (with hooks) at the same time, which will make things more complicated (not to mention potential compatibility issues, as you just said).

Now, if you wanna play, you are free to do so, but at the end it is just redundant.

    you don't use 2 seatbelts when driving, but one seatbelt and an airbag.
     
  18. jacemace

    jacemace Registered Member

    Joined:
    Sep 10, 2009
    Posts:
    77
    wow - never even thought to look for one, because I didn't know one was there - did a windows repair trouble-shooting start up, and there was a restore point from the day before I used mb jrt - used the restore point and rehips hipsgui is fine now - saved time, and was able to back up disk files also. so glad rehips is back - will never use jrt or another command line cleaner/scanner again, one without choices. will still use adwcleaner. this was the first time using jrt - and as the poster above said, I also use ccleaner.
     
  19. jacemace

    jacemace Registered Member

    Joined:
    Sep 10, 2009
    Posts:
    77
    just had to do a few edits on unbound programs in rehips - mainly just allow winrar to run an executable for rar files within rar files - and let the browsers run in a normal environment.
    as I said, so glad rehips is back - and running with many other security software - my setup is still the same - avast, comodo, spyshelter, zemana am, mbam ae, adguard, anvir, winpatrol, appguard - and my mozilla browsers have noscript, ublock, umatrix, policeman, request policy. all working with rehips.
     
  20. guest

    guest Guest

    If he runs all of them at same time on the same machine, that is not overkill, that is crazy... and totally pointless.
Avast, Comodo, SpyShelter, ReHIPS = 3 HIPS and one Behavior Blocker at the same time! Come on!
    Appguard = an anti-exe , as if 3 HIPS were not enough...Appguard alone can do as good as the HIPS.
    WinPatrol = monitoring the registry and autorun, the 3 HIPS above did it already...

    This config is unstable in best case ; opening potential conflicts because of the drivers...
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,914
    3 HIPS aka "Triple-HIPS" ;)
    There is always a fallback if one is failing ... :D
    4 ScriptBlocker :eek:
     
  22. I tend to agree with guest, anyone running with triple HIPS is ready for the Ministry of Silly Walks
     
  23. guest

    guest Guest

    You meant Ministry of Legoland :p
     
  24. jacemace

    jacemace Registered Member

    Joined:
    Sep 10, 2009
    Posts:
    77
    Got the error again at windows startup - "Failed to open service link."
    Have to open C:\Program Files\ReCrypt\ReHIPS and run HIPSGui64.exe manually.
    Here is a screenshot - http://i.imgur.com/7ZDovY8.jpg
    I will post in the rehips forum as suggested.
     
  25. jacemace

    jacemace Registered Member

    Joined:
    Sep 10, 2009
    Posts:
    77
    A fix to hipsgui64.exe startup. I knew the rehips hipsgui startup location was in the all users startup folder at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup, because winpatrol and anvir told me of the new startup location when I installed rehips a month or so ago. Even on the reinstall of rehips I did a few days ago (after I used mbytes jrt, and the rehips gui service gave the fail to start error), I still expected hipsgui64 to be in the startup folder. Well, it wasn't.

    I had another item in the startup folder, and I saw that it was labelled as a shortcut - so I tried to add hipsgui64.exe from the rehips program folder as a shortcut to the startup folder - windows didn't allow it - it would only say, it can't do this, and would you like to place the shortcut on the desktop (I should have done this right away, and then copied the desktop shortcut, to the startup folder shortcut). But I didn't (yet) - I copied the full hipsgui64.exe from the rehips program folder and placed it in startup folder. Then I got the windows error alluded to earlier - can not start the program because qt5winextras.dll is missing - which I previously felt the dll was missing because of the mbytes jrt scan/clean.

    I deleted the full hipsgui64.exe from the startup folder, created the hipsgui64 shortcut on the desktop, copied the desktop shortcut to the startup folder (which asked for administrator that seemed slightly different in the dialogue box from when I added the full hipsgui64.exe).
    This worked. I tried to edit the name of hipsgui64.exe in the startup folder, because it had the word shortcut after it - and my other startup folder item didn't - but it asked for administrator privileges, and I didn't want to mess with it. It also has .exe at the end of it, while my other startup item doesn't. (If I remember the original install of rehips, the hipsgui64 startup folder icon was exactly like my other startup item, with no .exe, and no following word shortcut as description, just hipsgui64 - that's why I tried to edit the name, but left it because windows asked for administrator privileges, and it was working as named.)
     