ReHIPS

Discussion in 'sandboxing & virtualization' started by MrBrian, May 24, 2014.

  1. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    661
    Location:
    Italy
    So, what software would you suggest running isolated by default? Office-like apps? E-mail?
    What Chrome flags would you suggest enabling for stronger security?
    Thanks :)
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,086
    The most important to isolate, IMHO: Office apps, especially MS Office.
    PDF apps, especially Adobe.
    Any browser that is not modern or does not receive the latest updates.
    As for e-mail clients, I would isolate them, even though I haven't heard much lately about such exploits.
    Ideally, you should isolate any and all internet-facing apps, if you can.

    There is a chrome flag for "Enable AppContainer Lockdown", and another one for "Enable GPU AppContainer Lockdown". Those are the flags that help to isolate Chrome from the local system. There are other flags to harden Chrome, but this is not the thread to discuss them.

    Maybe @Umbra can weigh in on your questions, he should have some good insights :)
     
  3. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    661
    Location:
    Italy
    Ok, thanks :)
    Does ReHIPS still register as AV in the windows security center?
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,086
    I don't think so. It used to register? That's funny, because it is not an AV or a firewall; I don't know why it should register.
     
  5. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    661
    Location:
    Italy
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,086
    That's interesting. I don't think it does that anymore, but Umbra should be able to tell us for sure.
    I never saw that it disabled Windows Defender, and when I ran it with a third party AV, I never saw it listed by Windows as an AV.
     
  7. ReHIPS

    ReHIPS Developer

    Joined:
    Aug 29, 2014
    Posts:
    37
    Location:
    Europe
    Hello everyone.

    There was a blogpost with recommendations on what programs should be isolated, here https://forum.rehips.com/index.php?topic=9542.0

    Yes, ReHIPS did register in Windows Security Center as antivirus and antispyware. But later (from ReHIPS 2.2.0) we decided to remove it, as other AVs like Defender may act like: ah, they already have an AV, I'll do nothing then.

    Best Regards, fixer.
     
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,904
    Location:
    Europe then Asia
    Which is the definition of sandboxed downloads...so ReHIPS does isolate downloads.

    By default and based on its rules:
    1- if executed from the isolated browser (aka "open" function in browsers), the file can't run.
    2- if executed manually from ReHIPS' container or ReHIPSuserX, the option to allow/isolate/block the exe is offered.
    However you can play with the settings to prevent execution from the container or download folder.

    Sandboxie automatically isolates any file run from its container, which is why Shmu thinks it is an isolated download; if you manually create a file in Sandboxie's container and run it, the result is the same, the file is run isolated. So in the case described by Shmu about Sandboxie, it is not an isolated download but an isolated folder.

    which is wrong based on the demonstration above. You won't like drive-by downloads.
     
    Last edited: Jul 11, 2018
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,086
    I am not putting down ReHIPS, just pointing out a difference in default behavior, as compared to Sandboxie.

    In SBIE, I download Riskiware.exe, go to the download location, click, and it runs in sandbox.

    In ReHIPS, I download Riskiware.exe, go to the download location, click, and I get the same prompt I would see if I was running it from real user space. It is not isolated by default. This is okay, because ReHIPS handles the unknown file with anti-exe (SBIE can't do that, so it sandboxes instead). But bottom line, it is the same behavior as when I didn't isolate my browser in the first place.
     
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,086
    Please share that tweak, it sounds interesting.
     
  11. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    661
    Location:
    Italy
    This is the key point in my opinion.
    If I have to follow this recommendation:
    I should isolate nearly everything.
    But the good point of ReHIPS is that it can alert the user before isolating stuff.
     
  12. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,904
    Location:
    Europe then Asia
    Example, for my Chrome IE:

    C:\ReHIPS\Browser is (by default) where you should download files from your browser; but personally I set up access for the Chrome IE to two other folders (downloads/uploads):

    [image: rehips.JPG]

    Then the isolated Chrome will not be able to execute downloaded files (because X is denied), just read and write them (R = read, W = write, X = execute).

    This is the true power of ReHIPS, and the reason why I love it: you have a lot of options concerning object permissions and privileges.
     
    Last edited: Jul 11, 2018
  13. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,904
    Location:
    Europe then Asia
    Everything known as an attack vector (internet-facing apps, document readers, media players, etc.).

    That is why I love it. I have waited for such programs for years.
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,086
    That's cool, thanks!
     
  15. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    661
    Location:
    Italy
    Yeah, it's like Comodo Firewall with the option to prompt before sandboxing apps and without the bothersome kernel hooks (problems with Windows updates).
    And it's also a great UAC replacement, since you can't whitelist apps in the UAC.

    I was thinking of trying:
    • K9 Web Security to avoid risky websites
    • A light traditional AV (such as Panda) to get rid of known malware
    • ReHIPS to replace the UAC, perform a pre-execution check and add the option to run stuff isolated in case of doubt
    • NVT OSArmor as a post-execution check, just in case of user mistake
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,086
    Comodo makes it totally easy to sandbox an unknown. It just happens by itself.
    With ReHIPS, if you want to isolate an unknown, you need to go through a few windows and make a few decisions.
    First you need to decide if it will run in an existing IE, and if so, which one?
    If you want to give it a new IE, you need to set the rules (or just go with the default rules, not so bad :) )
     
  17. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,904
    Location:
    Europe then Asia
    Yes, the Comodo sandbox is simpler; it was never intended to be the main protection, which is supposed to be the auto-sandbox and the HIPS.

    Looks good, without overlapping features. But I won't disable UAC.
     
  18. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    661
    Location:
    Italy
    I wrote disable but I meant set to never notify
     
  19. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,904
    Location:
    Europe then Asia
    For me UAC must be set at max, and I added the reg tweak to disable elevation of unsigned programs.
     
  20. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    661
    Location:
    Italy
    Yeah, but it's a pain in the @ss... for example, I use O&O ShutUp10. Since it requires running elevated, every time I run it I get a UAC prompt... why doesn't Microsoft add a whitelisting feature to the UAC? o_O
     
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,086
    So how do you run an unsigned installer, let's say you downloaded some niche app from Github or something?
     
  22. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,904
    Location:
    Europe then Asia
    First, I always install under an admin account, never from the SUA, so I put the switch in the taskbar like this:

    [image: reg.jpg]

    This can only be done in an admin account; on the SUA the registry is virtualized.
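The UAC settings Umbra describes in the two posts above (slider at maximum, plus the registry tweak that stops unsigned programs from elevating, toggled from a "switch" when an unsigned installer has to run), written out as an added PowerShell example that is not from the thread. It assumes the tweak meant is the `ValidateAdminCodeSignatures` policy value, that "max" means `ConsentPromptBehaviorAdmin=2` with `PromptOnSecureDesktop=1`, and the function names are mine. It must run from an elevated prompt in an admin account: from a standard user account HKLM writes are refused (or, for legacy non-UAC-aware programs, silently virtualized into HKCU), which is the point of the post above.

```powershell
# Added example, not from the thread and not ReHIPS code.
# Assumptions: "UAC at max" = ConsentPromptBehaviorAdmin 2 (prompt for consent
# on the secure desktop) + PromptOnSecureDesktop 1; the "reg tweak to disable
# elevation of unsigned programs" = ValidateAdminCodeSignatures 1.
# Run from an elevated PowerShell in an admin account.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Returns the values that matter here; a value that was never set shows as $null.
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                   = $p.EnableLUA
        ConsentPromptBehaviorAdmin  = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop       = $p.PromptOnSecureDesktop
        ValidateAdminCodeSignatures = $p.ValidateAdminCodeSignatures
    }
}

function Set-UacMax {
    # "Always notify": every elevation prompts, on the secure desktop.
    # EnableLUA=1 keeps UAC enabled at all; changing EnableLUA needs a reboot.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Type DWord -Value 1
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Type DWord -Value 2
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Type DWord -Value 1
}

function Set-UnsignedElevation {
    # -Allow:$false -> ValidateAdminCodeSignatures=1: only executables with a
    # valid Authenticode signature may elevate. Unsigned installers (the GitHub
    # case from the thread) then fail to elevate; flip it to -Allow:$true for
    # the install and back to $false afterwards. That is the "switch".
    param([Parameter(Mandatory)][bool]$Allow)
    $value = if ($Allow) { 0 } else { 1 }
    Set-ItemProperty -Path $UacKey -Name ValidateAdminCodeSignatures -Type DWord -Value $value
}

function Test-UnsignedElevationBlocked {
    # $true while unsigned elevation is denied; handy for a taskbar shortcut
    # that shows the current state before you toggle it.
    (Get-ItemProperty -Path $UacKey).ValidateAdminCodeSignatures -eq 1
}

# Usage (elevated admin session):
#   Set-UacMax
#   Set-UnsignedElevation -Allow:$false
#   Get-UacPolicy
#   Test-UnsignedElevationBlocked
```

The elevation-signature check applies to the executable being elevated, not to the account, so it also blocks unsigned programs started with "Run as administrator" by an admin; keep the toggle window short and restore the deny state before running anything downloaded.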
     
  23. ReHIPS

    ReHIPS Developer

    Joined:
    Aug 29, 2014
    Posts:
    37
    Location:
    Europe
    Besides denying execution from a folder you can utilize fine-grained children control. Allow some processes that are essential, like chrome.exe itself, as children for Chrome to spawn, and block all others. Or block children execution from some folder by wildcard mask.

    Best Regards, fixer.
     
  24. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    661
    Location:
    Italy
    By "children" do you mean only .exe files or anything launched by the parent process, for example scripts, other processes and so on?
     
  25. ReHIPS

    ReHIPS Developer

    Joined:
    Aug 29, 2014
    Posts:
    37
    Location:
    Europe
    You see, scripts aren't processes by themselves; they need someone, an interpreter, to execute them. And this interpreter must be a separate process with its own .exe file.

    In the case of a browser, "scripts" = "separate processes with an .exe file". Browsers don't interpret .bat or other shell command scripts themselves; they launch some process like cmd.exe to do it. And it'll be blocked.

    In the case of script-interpreting processes like cmd.exe itself, a "script" won't spawn any additional processes. But ReHIPS treats these processes with more checks, also checking their command line. In case it's not whitelisted, you'll get an alert. But cmd.exe doesn't download anything from the web, so it's just for completeness.

    And ReHIPS controls processes, so basically it doesn't matter whether it's an .exe file or some other executable file. New process = filtering.

    Best Regards, fixer.
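The three controls discussed above (X denied on the download folder from Umbra's post, children control from the developer's first reply, and the interpreter command-line check from the second) put together as one small decision model so the order of evaluation is visible. This is an added illustration, not ReHIPS code: the rule layout, the paths and the sample process-creation events are made up for it, and only the behaviour of the three controls is what the thread describes.

```powershell
# Added example, not ReHIPS code. Models how the three controls from the
# thread decide on a process-creation event. Rule format, paths and events
# are constructed for this illustration.

$Policy = @{
    # Object permissions per isolated app: R = read, W = write, X = execute.
    FolderPermissions = @{
        'chrome.exe' = @{
            'C:\ReHIPS\Browser\*'    = 'RW'   # downloads land here; X is denied
            'C:\Users\*\Downloads\*' = 'RW'
        }
    }
    # Children control: what a parent may spawn. Allow is checked first,
    # then deny masks (a wildcard mask can cover a folder or everything).
    Children = @{
        'chrome.exe' = @{
            Allow = @('C:\Program Files\Google\Chrome\Application\chrome.exe')
            Deny  = @('C:\ReHIPS\Browser\*', '*')
        }
    }
    # Interpreters are processes too; their command line is checked as well.
    InterpreterCommandLines = @{
        'cmd.exe' = @('cmd.exe /c "C:\Scripts\backup.cmd"')
    }
}

function Test-ProcessCreation {
    param(
        [Parameter(Mandatory)][string]$Parent,     # image name of the parent
        [Parameter(Mandatory)][string]$ChildPath,  # full path of the new process image
        [string]$CommandLine = ''
    )
    $childName = Split-Path -Leaf $ChildPath

    # 1. Folder permission: an isolated app cannot start anything from a
    #    folder where it lacks X, whatever the file extension is.
    $perms = $Policy.FolderPermissions[$Parent]
    if ($perms) {
        foreach ($mask in $perms.Keys) {
            if ($ChildPath -like $mask -and $perms[$mask] -notmatch 'X') {
                return "BLOCK: $Parent has no X on $mask"
            }
        }
    }

    # 2. Children control: explicit allow list, otherwise deny masks.
    $rules = $Policy.Children[$Parent]
    if ($rules -and -not ($rules.Allow -contains $ChildPath)) {
        foreach ($mask in $rules.Deny) {
            if ($ChildPath -like $mask) {
                return "BLOCK: $childName denied as child of $Parent"
            }
        }
    }

    # 3. Interpreter check: the script is not a process, the interpreter is,
    #    so the decision is made on the interpreter's command line.
    $allowedLines = $Policy.InterpreterCommandLines[$childName]
    if ($null -ne $allowedLines -and $allowedLines -notcontains $CommandLine) {
        return "ALERT: $childName with unlisted command line: $CommandLine"
    }

    return "ALLOW: $Parent -> $ChildPath"
}

# Constructed events: a normal Chrome child, a drive-by download being
# opened from the browser, a browser spawning cmd.exe, and two cmd.exe
# launches from Explorer (one unlisted, one whitelisted).
$Events = @(
    @{ Parent='chrome.exe';   ChildPath='C:\Program Files\Google\Chrome\Application\chrome.exe'; CommandLine='chrome.exe --type=renderer' }
    @{ Parent='chrome.exe';   ChildPath='C:\ReHIPS\Browser\Riskiware.exe';  CommandLine='Riskiware.exe' }
    @{ Parent='chrome.exe';   ChildPath='C:\Windows\System32\cmd.exe';      CommandLine='cmd.exe /c powershell -enc AAAA' }
    @{ Parent='explorer.exe'; ChildPath='C:\Windows\System32\cmd.exe';      CommandLine='cmd.exe /c powershell -enc AAAA' }
    @{ Parent='explorer.exe'; ChildPath='C:\Windows\System32\cmd.exe';      CommandLine='cmd.exe /c "C:\Scripts\backup.cmd"' }
)
foreach ($e in $Events) { Test-ProcessCreation @e }
```

Running it prints ALLOW, BLOCK (no X), BLOCK (child denied), ALERT and ALLOW in that order. The point worth noticing is step 1 versus step 2: the downloaded file is stopped by the folder permission before children control is even consulted, so a renamed payload or a non-.exe image makes no difference, which is what "new process = filtering" means in practice.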
     