Discussion in 'sandboxing & virtualization' started by MrBrian, May 24, 2014.
right now I have it on standard mode.
what will change if I switch to expert mode?
thanks for your help, I will give it a go.
If it ignores trusted vendors, then I think it should basically function like an anti-executable running according to a whitelist. that is what I am looking for.
does ReHIPS protect vulnerable processes, like NVT ERP does?
so what is the point to use ReHIPS; you just discard its main and strongest purpose...
Of course. Every process can be blocked.
so, if ReHIPS without isolation is missing the main purpose, then it would be better to use NVT ERP instead?
indeed. it is similar to having a 4x4 car and only driving in town, pointless.
You have to do it manually. I made a request to make this process for the user more simple, but I'm not sure what ReCrypt has decided yet. Right now I think their focus is on general usability improvements.
After ReHIPS stable is released I will talk again with fixer and schelnukov about it.
All that being said, if you understand and know which processes that are shipped with Windows, then it is not a difficult task - because a process without a permanent rule generates an alert. When you see that alert - if the process should not be executing - you block and ask questions later.
For example, if you are surfing to a website using Chrome and get alerts for Powershell and RegAsm.exe executions - you just know something is not quite right. You block those processes from running and then investigate using the ReHIPS logs, other utilities, etc.
Afterwards, if it is legit, then you can unblock things.
This is time intensive, but this is not difficult...
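The block-first, investigate-later workflow described in the post above, sketched as an added example (not part of the original thread and not ReHIPS code). The rule table, event records and paths are constructed for illustration; the function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    parent: str  # full path of the launching process
    child: str   # full path of the process being started

# Assumption: the browser and the children that should never start from it.
BROWSERS = {"chrome.exe"}
UNEXPECTED_FROM_BROWSER = {"powershell.exe", "regasm.exe"}

def default_rules():
    """Constructed 'permanent rules': executables already decided on."""
    return {
        r"c:\windows\explorer.exe": "allow",
        r"c:\program files\google\chrome\application\chrome.exe": "allow",
    }

def exe_name(path):
    return path.lower().rsplit("\\", 1)[-1]

def triage(event, rules):
    """A permanent rule wins; no rule means an alert, or a block if the
    browser is starting something it has no business starting."""
    rule = rules.get(event.child.lower())
    if rule is not None:
        return rule
    if (exe_name(event.parent) in BROWSERS
            and exe_name(event.child) in UNEXPECTED_FROM_BROWSER):
        return "block"
    return "alert"

def run_session(events, rules):
    """Apply triage to each event; persist blocks and queue them for review."""
    decisions, to_investigate = [], []
    for ev in events:
        verdict = triage(ev, rules)
        decisions.append(verdict)
        if verdict == "block":
            rules[ev.child.lower()] = "block"
            to_investigate.append(ev)
    return decisions, to_investigate

def unblock(path, rules):
    """After investigation shows the process is legitimate."""
    rules[path.lower()] = "allow"

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed events, not real log output
    ProcEvent(r"C:\Windows\explorer.exe", CHROME),
    ProcEvent(CHROME, POWERSHELL),
    ProcEvent(CHROME, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\demo\Downloads\setup.exe"),
]
```

The blocked entries stay blocked for every parent until `unblock` is called, which mirrors blocking first and reversing the decision only after the logs have been checked.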
got an error - rehips service could not be started
it is not very helpful, can you give details, procedure to replicate it?
did you switch Windows users without logging out?
Another similar error on boot up for rehips - "failed to open service link"
why not post on https://forum.re-crypt.com/index.php?board=2.0
the guys over there will be happy to help.
Of course, you should provide as much specific info as possible, in order to help them help you...
This probably has more to do with another software product - here is what I conclude:
I like to run adwcleaner, and I download it from bleeping computer. I always uncheck all the option boxes, and make my own choices with adwcleaner.
But it wasn't adwcleaner that did this to windows/rehips - I also saw malwarebytes jrt junk removal tool, on bleeping computer - so I gave it a try. I should have not used a command line cleaner with no choices - even combofix never did this when I used it on windows 7. There was a warning in jrt, before you start it, but what good is that if you use it.
So I got the rehips error - and with a lot of patience I uninstalled rehips, which takes a bit, then reinstalled, and let it set its initial rules in the parsing installed products.
Well the rehips hipsgui error was gone - replaced by can not start rehips, qt5winextras.dll is missing. So I got a copy of the dll qt5winextras.dll, and put it in the directories system32 and syswow64, and that error was gone - replaced by the error that doesn't want to be fixed, with many solutions posted in google search that don't work. The error is 0xc000007b, and is said to be related to c++ redistributable, .net framework, directx, and maybe others. I have tried many repair attempts from replacing dll's to running chkdsk repair from boot, nothing has worked.
I will have to save all my files, and do a fresh windows install.
I will never use a command line scanner/cleaner again - especially ones without options - and I will never use malwarebytes jrt ever again. I do use malwarebytes anti-malware pro, but only use it as a scanner - and I also use malwarebytes anti-executable.
One final thing - over the years since using windows 7,8,8.1 - I have never updated windows - most people will not like this, and say it is not secure and a problem for windows. I have found windows performs poorly with updates, from installation, conflicting with seemingly, and even itself - and other things, like security software, video software, software in general - and just generally not working well within the whole system. Even the updater is slow, and uses excess resources. But I must admit, I would rather update windows this one time, than reinstall a copy of windows. I know I would be able to install the updated .net framework, which I can't right now - because I'm missing certain windows updates.
What should I do - update windows, or reinstall it?
can ReHIPS be combined with an AV that contains a HIPS component, such as Kaspersky Internet Security?
I know that generally speaking, it is bad to combo one HIPS with another, but maybe ReHIPS works differently (no hooks)?
I used both in the past without any major problems.
The only possible issue I could find is the isolated desktop of ReHIPS because it seems that Kaspersky recognizes separate desktop to be really separate to the point that it disregards some options regarding the isolated program. For instance, I used Chrome, and Kaspersky's Secure Data Input was disabled. If Chrome is in isolation, Secure Data Input activates on password fields, despite that it is Off in the Kaspersky program options.
And so, it's like isolated program with Kaspersky's default options enabled.
pointless to do that... you would have double times of alert for the same thing.
That will be the case if KIS is set to Interactive mode. "Automatic" is the default.
But in a logic state of mind, just pointless... ReHIPS's main point is to have a hook-less sandbox/HIPS, so why use at same time another HIPS (with Hooks) which will make things more complicated (not saying potential compatibility issues, as you just said).
Now, if you wanna play, you are free to do but at the end it is just redundant.
you don't use 2 seatbelts when driving, but one seatbelt and an airbag.
wow - never even thought to look for one, because I didn't know one was there - did a windows repair trouble-shooting start up, and there was a restore point from the day before I used mb jrt - used the restore point and rehips hipsgui is fine now - saved time, and was able to back up disk files also. so glad rehips is back - will never use jrt or another command line cleaner/scanner again, one without choices. will still use adwcleaner. this was the first time using jrt - and as the poster above said, I also use ccleaner.
just had to do a few edits on unbound programs in rehips - mainly just allow winrar to run an executable for rar files within rar files - and let the browsers run in a normal environment.
as I said, so glad rehips is back - and running with many other security software - my setup is still the same - avast, comodo, spyshelter, zemana am, mbam ae, adguard, anvir, winpatrol, appguard - and my mozilla browsers have noscript, ublock, umatrix, policeman, request policy. all working with rehips.
If he runs all of them at same time on the same machine, that is not overkill, that is crazy... and totally pointless.
Avast, Comodo, Spyshelter, ReHIPS = 3 HIPS and one Behavior Blocker at same time! come on!
Appguard = an anti-exe, as if 3 HIPS were not enough... Appguard alone can do as good as the HIPS.
WinPatrol = monitoring the registry and autorun, the 3 HIPS above did it already...
This config is unstable in best case; opening potential conflicts because of the drivers...
3 HIPS aka "Triple-HIPS"
There is always a fallback if one is failing ...
I tend to agree with guest, anyone running with triple HIPS is ready for the Ministry of Silly Walks
You meant Ministry of Legoland
Got the error again at windows startup - "Failed to open service link."
Have to open C:\Program Files\ReCrypt\ReHIPS and run HIPSGui64.exe manually.
Here is a screenshot - http://i.imgur.com/7ZDovY8.jpg
I will post in the rehips forum as suggested.
A fix to hipsgui64.exe startup. I knew the rehips hipsgui startup location was in the all users startup folder at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup, because winpatrol and anvir told me of the new startup location when I installed rehips a month or so ago. Even on the reinstall of rehips I did a few days ago (after I used mbytes jrt, and the rehips gui service gave the fail to start error), I still expected hipsgui64 to be in the startup folder. Well, it wasn't.
I had another item in the startup folder, and I saw that it was labelled as a shortcut - so I tried to add hipsgui64.exe from the rehips program folder as a shortcut to the startup folder - windows didn't allow it - it would only say, it can't do this, and would you like to place the shortcut on the desktop (I should have done this right away, and then copied the desktop shortcut, to the startup folder shortcut). But I didn't (yet) - I copied the full hipsgui64.exe from the rehips program folder and placed it in startup folder. Then I got the windows error alluded to earlier - can not start the program because qt5winextras.dll is missing - which I previously felt the dll was missing because of the mbytes jrt scan/clean.
I deleted the full hipsgui64.exe from the startup folder, created the hipsgui64 shortcut on the desktop, copied the desktop shortcut to the startup folder (which asked for administrator that seemed slightly different in the dialogue box from when I added the full hipsgui64.exe).
This worked. I tried to edit the name of hipsgui64.exe in the startup folder, because it had the word shortcut after it - and my other startup folder item didn't - but it asked for administrator privileges, and I didn't want to mess with it. It also has .exe at the end of it, while my other startup item doesn't. (If I remember the original install of rehips, the hipsgui64 startup folder icon was exactly like my other startup item, with no .exe, and no following word shortcut as description, just hipsgui64 - that's why I tried to edit the name, but left it because windows asked for administrator privileges, and it was working as named.)