ReHIPS forum

English Subforum => ReHIPS => Topic started by: HJLBX on April 02, 2016, 10:56:10 PM

Title: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on April 02, 2016, 10:56:10 PM
Have there been any reports or known issues with any other security softs?

Would like any info so I do not combo with a soft for which there is a known conflict - and then needlessly report a bug with the upcoming release.

TIA
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: schelkunov on April 04, 2016, 10:25:59 AM
Hello, HJLBX!

We didn't face any conflicts between ReHIPS 2.xx and other security software.

Best regards.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on April 07, 2016, 01:59:05 PM
After Installing Rehips,

- Hitman Pro Alert: now my apps are detected as exploited; can't run them unless I disable HMPA's protection against ROP attacks.

- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: schelkunov on April 07, 2016, 03:34:54 PM
Quote- Hitman Pro Alert: now my apps are detected as exploited; can't run them unless I disable HMPA's protection against ROP attacks.
I think I know why. If I'm right, there are a lot of security (and not only security) programs that conflict with Hitman Pro Alert.

Quote- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
Is Chrome isolated with ReHIPS too?
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on April 07, 2016, 05:30:50 PM
Quote from: schelkunov on April 07, 2016, 03:34:54 PM
Quote- Hitman Pro Alert: now my apps are detected as exploited; can't run them unless I disable HMPA's protection against ROP attacks.
I think I know why. If I'm right, there are a lot of security (and not only security) programs that conflict with Hitman Pro Alert.

On my system, only my portable apps.


Quote from: schelkunov on April 07, 2016, 03:34:54 PM
Quote- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
Is Chrome isolated with ReHIPS too?

It is not isolated since I allowed Sandboxie's processes.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on April 12, 2016, 07:26:40 AM
ReHIPS and AppGuard (NOT A CONFLICT):

User must set AppGuard to Install before using ReHIPS Deploy Helper or manually configuring isolated environment for application the very first time.

AppGuard is software restriction policy security soft.

It blocks\interferes with ReHIPS DeployHelper access to User Profile.

It blocks execution of files from User Space - unless digitally signed and LUA policy is applied.

User must also make all ReHIPSUser folders exception folders with read\write access.

That's it... pretty simple.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on April 12, 2016, 07:27:16 AM
Dr Web Katana - even in Paranoid Mode working fine with ReHIPS.

However, there is one problem in Paranoid Mode.

If user blocks desktoptools64.exe, then isolated application will still execute in isolated environment, but CPU usage will be increased.

See images.

* * * * *

Solution: Don't block desktoptools64.exe if you enable Paranoid Mode. Better yet, create AutoRun exception in Katana for desktoptools.exe.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on April 12, 2016, 08:14:19 PM
Quote from: umbrapolaris on April 07, 2016, 01:59:05 PM
- Hitman Pro Alert: now my apps are detected as exploited; can't run them unless I disable HMPA's protection against ROP attacks.
- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
After some research I think I know how to make Hitman Pro Alert happy. Need to test it though.
But I can't reproduce Sandboxie + Chrome issue. I've got ReHIPS, Sandboxie and Chrome installed. I manually start Chrome in Sandboxie by clicking the right mouse button on Chrome executable file. Some alerts from ReHIPS are shown, I allow them all (as I supposedly trust Sandboxie) so I allow Sandboxie's Start.exe to start processes. Thus Chrome runs in Sandboxie without any problems. Could you describe it step-by-step with more details?
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on April 13, 2016, 01:47:50 AM
Quote from: fixer on April 12, 2016, 08:14:19 PM
Quote from: umbrapolaris on April 07, 2016, 01:59:05 PM
- Hitman Pro Alert: now my apps are detected as exploited; can't run them unless I disable HMPA's protection against ROP attacks.
- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
After some research I think I know how to make Hitman Pro Alert happy. Need to test it though.
But I can't reproduce Sandboxie + Chrome issue. I've got ReHIPS, Sandboxie and Chrome installed. I manually start Chrome in Sandboxie by clicking the right mouse button on Chrome executable file. Some alerts from ReHIPS are shown, I allow them all (as I supposedly trust Sandboxie) so I allow Sandboxie's Start.exe to start processes. Thus Chrome runs in Sandboxie without any problems. Could you describe it step-by-step with more details?

If Umbra doesn't respond within a few days, the best way to reach him is to send a PM at MalwareTips. He will respond.

Anyhow, I sent a PM to him already to take a look at your questions.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on April 13, 2016, 06:36:12 AM
Quote from: fixer on April 12, 2016, 08:14:19 PM
After some research I think I know how to make Hitman Pro Alert happy. Need to test it though.


HMPA now has issues with ROP; MS Office applications are now also blocked by HMPA (see the HMPA thread on Wilders; some companies had to remove HMPA from their workers' machines). The temporary fix is disabling ROP protection for the concerned apps. I guess HMPA devs will issue a fix.

https://www.wilderssecurity.com/threads/hitmanpro-alert-support-and-discussion-thread.324841/page-374 (the issue reports start at middle of the page)

QuoteBut I can't reproduce Sandboxie + Chrome issue. I've got ReHIPS, Sandboxie and Chrome installed. I manually start Chrome in Sandboxie by clicking the right mouse button on Chrome executable file. Some alerts from ReHIPS are shown, I allow them all (as I supposedly trust Sandboxie) so I allow Sandboxie's Start.exe to start processes. Thus Chrome runs in Sandboxie without any problems. Could you describe it step-by-step with more details?

Yes, your procedure uses Chrome inside the default sandbox by manually sandboxing it. That works for default settings and the average Sandboxie user, so no problem in this case.

Unfortunately, long-time (paid) users of Sandboxie have several different settings; in my case:

- Chrome runs in its own dedicated sandbox, hence this sandbox has a lot of custom, tighter settings than the default sandbox.
- Chrome is "Forced" (meaning when I click on any shortcut of Chrome, it always starts sandboxed).
- This Chrome sandbox has some restricted access settings (some are surely conflicting with ReHIPS); I have to do tests.

Will keep you informed.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on April 13, 2016, 10:28:14 AM
HMPA hooks several functions (like LdrLoadDll in ReHIPS case) by splicing, walks the stack frames and checks the caller address if it looks like ROP by trying to disassemble up. IMHO, this can give false positives for delay load import and some compiler optimizations along with some other programs hooks.

If Chrome processes aren't isolated by ReHIPS, ReHIPS shouldn't affect them in any way. So it's somewhat strange that pages are stuck. Could you give more details? Maybe try to Disable ReHIPS in the main window. Or try "net stop ReHIPSSrvc" to shut it down completely and check if the error still persists.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on April 13, 2016, 11:05:21 AM
Found my issue:

- Appguard : Rehips' processes (hipsagent64.exe, hipsgui64.exe, hipsservice64.exe) must be added to appguard power applications...
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on April 13, 2016, 11:07:04 AM
Quote from: umbrapolaris on April 13, 2016, 11:05:21 AM
Found my issue:

- Appguard : Rehips' processes (hipsagnt64.exe, hipsgui64.exe, hipsservice64.exe) must be added to appguard power applications...

Same softs, two different systems, two different behaviors... LOL.

I haven't had to do this in AppGuard.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on April 13, 2016, 11:16:27 AM
Quote from: umbrapolaris on April 13, 2016, 11:05:21 AM
Found my issue:

- Appguard : Rehips' processes (hipsagnt64.exe, hipsgui64.exe, hipsservice64.exe) must be added to appguard power applications...
I tested this and also had to put them in power applications or else isolated applications didn't start. Except if it's something with the AppGuard trial, which I doubt. Seemed to work OK.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on April 14, 2016, 03:47:36 AM
ReHIPS & Shadow Defender

No problems experienced at initiation of Shadow Mode.

User just needs to create an Allow rule manually for C:\System32\mountvol.exe outside of Shadow Mode.

This is same behavior as with SpyShelter HIPS; user must manually create the allow execution rule for mountvol.exe.

However, the first time I manually created the Allow execution rule for mountvol.exe outside of Shadow Mode, when I entered\exited Shadow Mode the rule disappeared; I had to recreate the rule manually using the ReHIPS filehelper again.

* * * * *

After entering\exiting Shadow Mode a few times (5X), ReHIPS reverted to unregistered version.

Prompt to activate ReHIPS appeared.

See image of About ReHIPS; not activated\registered in Shadow Mode.

* * * * *

Exit Shadow Mode and return to real user desktop, then ReHIPS is activated\registered.

Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on April 14, 2016, 04:33:28 AM
Combining ReHIPS with other security softs that will block items inside ReHIPSUser is problematic.

For example, Webroot will auto-block items executed in ReHIPSUser without generating an alert.  Also, if there is any alert while inside the Isolated Environment, then the user will not see the alert.

I only discovered some blocked items in ReHIPSUser after doing some routine inspection of Webroot rules.

* * * * *

This is an issue to which there is no easy solution.  That's all there is to it.  ReHIPS actually has nothing to do with it.  Each user will have to sort it out for themselves - depending upon what they combo ReHIPS with.

Actually, it should be a general recommendation that any security soft that auto-blocks or has HIPS functionality is NOT recommended to combine with ReHIPS.  If the user disregards this recommendation, then it is on the user to manage any problems.

ReCrypt can't accommodate every single use situation.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on April 14, 2016, 06:41:50 AM
Quote from: HJLBX on April 14, 2016, 03:47:36 AM
* * * * *

After entering\exiting Shadow Mode a few times (5X), ReHIPS reverted to unregistered version.

Prompt to activate ReHIPS appeared.


Had a similar issue with Rollback RX (I made a thread for it).
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on April 14, 2016, 12:32:55 PM
HJLBX
Looks like it's a similar issue to the one umbrapolaris reported. Does it show the same HWID, but ReHIPS unregisters?
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on April 14, 2016, 12:39:27 PM
Quote from: fixer on April 14, 2016, 12:32:55 PM
HJLBX
Looks like it's the similar issue umbrapolaris reported. Does it show the same HWID, but ReHIPS unregisters?

Different HWID.

You can see in the attached image in the initial report that the HWID begins with 8....

My actual HWID begins with 5....
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on April 14, 2016, 01:47:25 PM
If your HWID changed, it's not exactly a bug, it's a feature :) HWID is bound to the hardware components, the HDD to be more exact. If it detects changes in HWID, it thinks it was moved to some other PC and asks for a new key. I guess Shadow Defender somehow affects the HDD information so ReHIPS doesn't recognize it as the same HDD. I'll look at it later, maybe I'll think of something.
BTW, added mountvol.exe to RulesPack, thanks for report.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on April 14, 2016, 08:16:14 PM
Tested 2 antikeyloggers.
Works great with Zemana AntiKeylogger Free.
Fails to work with KeyScrambler. It protects the keys so nothing I type appears. Don't understand the how and why, but probably because ReHIPS launches the browser.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on April 19, 2016, 03:32:03 PM
Checked Shadow Defender. Looks like it installs its own filtering drivers on disk partitions. And it doesn't support the SCSI_INQUIRY command for those filtered partitions, returning STATUS_ACCESS_DENIED, which leads to a change of HWID, which leads to the unregistered state. So it's partially a Shadow Defender issue and partially a ReHIPS feature.
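The HWID failure mode fixer describes in this post and the earlier one (an identifier bound to the HDD, and a filter driver answering SCSI_INQUIRY with STATUS_ACCESS_DENIED), as an added Python illustration that is not ReHIPS code: the probe names, sample serial numbers and the access-denied simulation are constructed assumptions. It contrasts a single-hash HWID, which flips when a component becomes unreadable, with a component-wise check that only unregisters on positive evidence of different hardware.

```python
"""Added illustration (not ReHIPS code) of how a hardware-ID check can
distinguish "component reads differently" from "component cannot be read".
Probe names, sample serial numbers and the access-denied simulation are
all constructed for this example."""
import hashlib
from typing import Callable, Dict, Optional


class ProbeDenied(Exception):
    """Models a component query that fails outright, e.g. a filter driver
    answering SCSI_INQUIRY with STATUS_ACCESS_DENIED instead of data."""


Probe = Callable[[], str]


def run_probes(probes: Dict[str, Probe]) -> Dict[str, Optional[str]]:
    """Query every component; a denied probe records None, not a value."""
    result: Dict[str, Optional[str]] = {}
    for name, probe in probes.items():
        try:
            result[name] = probe()
        except ProbeDenied:
            result[name] = None
    return result


def register(probes: Dict[str, Probe]) -> Dict[str, str]:
    """At activation time, keep only the components that were readable."""
    return {k: v for k, v in run_probes(probes).items() if v is not None}


def naive_hwid(components: Dict[str, Optional[str]]) -> str:
    """Single hash over all components, with an unreadable one folded in
    as an empty string.  A transient read failure therefore yields a
    different HWID, which a 'HWID changed => new PC' rule misreads."""
    blob = "|".join(f"{k}={v or ''}" for k, v in sorted(components.items()))
    return hashlib.sha256(blob.encode()).hexdigest()[:16]


def robust_verdict(stored: Dict[str, str],
                   current: Dict[str, Optional[str]],
                   min_confirmed: int = 1) -> str:
    """Component-wise comparison:
    - a readable component whose value differs   -> "moved"
    - else at least min_confirmed matching reads -> "same"
    - else (nothing could be read)               -> "indeterminate"
    """
    confirmed = 0
    for name, old in stored.items():
        new = current.get(name)
        if new is None:          # unreadable: no evidence either way
            continue
        if new != old:           # positive evidence of different hardware
            return "moved"
        confirmed += 1
    return "same" if confirmed >= min_confirmed else "indeterminate"


def should_unregister(verdict: str) -> bool:
    """Only positive evidence of a move drops the registration; an
    indeterminate read keeps the last known state."""
    return verdict == "moved"


# --- constructed scenarios -------------------------------------------------
def _denied() -> str:
    raise ProbeDenied("STATUS_ACCESS_DENIED")


NORMAL_PROBES: Dict[str, Probe] = {
    "disk_serial": lambda: "WD-CONSTRUCTED-0001",
    "disk_model": lambda: "WDC-MODEL-CONSTRUCTED",
}
# Shadow Mode: the filter driver rejects the inquiry for the whole disk.
SHADOW_MODE_PROBES: Dict[str, Probe] = {
    "disk_serial": _denied,
    "disk_model": _denied,
}
# A genuinely different disk.
OTHER_DISK_PROBES: Dict[str, Probe] = {
    "disk_serial": lambda: "ST-CONSTRUCTED-0002",
    "disk_model": lambda: "ST-MODEL-CONSTRUCTED",
}


if __name__ == "__main__":
    stored = register(NORMAL_PROBES)
    for label, probes in [("normal", NORMAL_PROBES),
                          ("shadow mode", SHADOW_MODE_PROBES),
                          ("other disk", OTHER_DISK_PROBES)]:
        cur = run_probes(probes)
        print(f"{label:12} naive={naive_hwid(cur)} "
              f"robust={robust_verdict(stored, cur)}")
```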
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on April 19, 2016, 03:38:25 PM
Yes, because Shadow Defender protects the MBR from changes while in Shadow Mode.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on April 19, 2016, 04:01:52 PM
Actually as Shadow Defender doesn't restrict driver loading in any way, it won't be able to protect anything from kernel-mode threats. SCSI_INQUIRY is a standard read-only command and poses no threat, besides it's issued by a driver, so I don't know why they did it, most likely they just didn't implement all the possible codes (some of which are usually not used).
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on April 19, 2016, 04:47:28 PM
Quote from: aDVll on April 14, 2016, 08:16:14 PM
Fails to work with KeyScrambler. It protects the keys so nothing I type appears. Don't understand the how and why, but probably because ReHIPS launches the browser.
As I couldn't reproduce it, could you describe it with more details? What browser were you using? Was it on a separate desktop or not? If it was, separate desktops are most likely not supported by this antikeylogger, try it on the main desktop.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on April 19, 2016, 04:56:00 PM
Quote from: fixer on April 19, 2016, 04:47:28 PM
Quote from: aDVll on April 14, 2016, 08:16:14 PM
Fails to work with KeyScrambler. It protects the keys so nothing I type appears. Don't understand the how and why, but probably because ReHIPS launches the browser.
As I couldn't reproduce it, could you describe it with more details? What browser were you using? Was it on a separate desktop or not? If it was, separate desktops are most likely not supported by this antikeylogger, try it on the main desktop.
Wait, I will test again with the latest Chrome and Firefox and tell you exactly what I did.

OK, Firefox works fine but Chrome does not. While running Chrome isolated (default rules you guys make), any key pressed doesn't appear because KeyScrambler protects the keys. If you disable ReHIPS and launch Chrome normally, then KeyScrambler works great.
As you see in this gif, KeyScrambler shows I am in an unprotected application and the keys I pressed get protected (the KeyScrambler icon shows the letters changed).
Chrome has the AppContainer and Win32k Lockdown flags on.

http://i.imgur.com/wSWrNbo.gifv
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on April 20, 2016, 08:46:39 PM
Try to enable DESKTOP_HOOKCONTROL access right, KeyScrambler seems to be in need of it, or use separate desktop, KeyScrambler doesn't work with them, thus doesn't block any printing. This is the solution if you want to keep KeyScrambler. Or you can discard it as ReHIPS also protects you from keyloggers.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on April 21, 2016, 09:51:30 AM
Quote from: fixer on April 20, 2016, 08:46:39 PM
Try to enable DESKTOP_HOOKCONTROL access right, KeyScrambler seems to be in need of it, or use separate desktop, KeyScrambler doesn't work with them, thus doesn't block any printing. This is the solution if you want to keep KeyScrambler. Or you can discard it as ReHIPS also protects you from keyloggers.
Nah, I don't need to use it. I was just testing applications I already had for possible issues so I can report them.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on April 27, 2016, 12:46:34 PM
Another version of HitmanPro.Alert was recently released.

Any program run inside the Isolated Environment will still trigger a ROP alert and that program will be terminated by HMP.A.

ROP mitigation must be disabled for any program run inside Isolated Environment.

* * * * *

HookDll64.dll causes the ROP false positive. Erik Loman from SOPHOS\Surf Right will help if asked.

* * * * *

HMP.A protective border\keystroke encryption will not display for any program run inside the Isolated Environment.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on April 27, 2016, 03:57:06 PM
Not only isolated ones, but any of them involving hookdll64.dll and hookdll32.dll.

I reported it earlier.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on April 30, 2016, 06:36:10 PM
Already reported and should be already fixed.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on May 02, 2016, 10:08:28 AM
Can anyone confirm that running an application isolated makes it not run guarded on AppGuard? I checked from the GUI taskbar icon (Guarded Execution): when the application is isolated it doesn't show, and when it's not, it shows.
Had to put all ReHIPS files as power applications for them to work, btw, if it matters, and added exceptions for the ReHIPS user folders.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on May 02, 2016, 10:58:00 AM
Quote from: aDVll on May 02, 2016, 10:08:28 AM
Can anyone confirm that running an application isolated makes it not run guarded on Appguard?

I confirm; tested with VirtualBox & Chrome.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on May 02, 2016, 11:16:02 AM
I'm not sure, but I think Sandboxie isolation takes over Chrome from ReHIPS, even if Chrome is logged as isolated in ReHIPS.

Not an issue, just an observation. I don't know if in this case ReHIPS is still isolating Chrome.

Edit: if Chrome is forced by Sandboxie, Sandboxie takes over the isolation, leaving just one process to ReHIPS.

Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on May 02, 2016, 11:41:12 AM
Hmm, this makes things interesting. So I assume this means you lose all AppGuard protection for guarded apps, right?
About Sandboxie: ReHIPS will not show alerts (normal mode) because Sandboxie launches everything as a child process, if I remember correctly. Don't have it installed atm so can't confirm, but I am pretty sure.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on May 02, 2016, 11:49:03 AM
Quote from: aDVll on May 02, 2016, 11:41:12 AM
Hmm, this makes things interesting. So I assume this means you lose all AppGuard protection for guarded apps, right?

It is what I believe.

QuoteAbout Sandboxie: ReHIPS will not show alerts (normal mode) because Sandboxie launches everything as a child process, if I remember correctly.

When I first launched sandboxed softs, I set ReHIPS to training to avoid potential conflicts; I guess this may be the result of Sandboxie's hooking (not sure about that).
Anyway it is not a real issue, since we shouldn't isolate an already sandboxed browser which itself has a sandbox :P
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on May 02, 2016, 11:55:49 AM
Quote from: aDVll on May 02, 2016, 11:41:12 AM
Hmm, this makes things interesting. So I assume this means you lose all AppGuard protection for guarded apps, right?
About Sandboxie: ReHIPS will not show alerts (normal mode) because Sandboxie launches everything as a child process, if I remember correctly. Don't have it installed atm so can't confirm, but I am pretty sure.

Guarded App = application is run with same file system and registry access rights\restrictions as if executed in Windows LUA w\UAC enabled; all child processes inherit limited access rights of parent

Isolated App = same with further restriction to ReHIPSUser - instead of almost entire file system; all child processes inherit limited access rights of parent - even if run outside the isolated environment

Isolated and Guarded Apps are essentially equivalent.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on May 02, 2016, 12:01:50 PM
Quote from: HJLBX on May 02, 2016, 11:55:49 AM
Guarded App = application is run with same file system and registry access rights\restrictions as if executed in Windows LUA w\UAC enabled; all child processes inherit limited access rights of parent
Isolated and Guarded Apps are essentially equivalent.

So guarded apps on SUA + UAC max are pointless, I guess?
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on May 02, 2016, 12:23:59 PM
Quote from: umbrapolaris on May 02, 2016, 12:01:50 PM
Quote from: HJLBX on May 02, 2016, 11:55:49 AM
Guarded App = application is run with same file system and registry access rights\restrictions as if executed in Windows LUA w\UAC enabled; all child processes inherit limited access rights of parent
Isolated and Guarded Apps are essentially equivalent.

So guarded apps on SUA + UAC max are pointless, I guess?

From what I understand - pretty much yes.

However, fixer might have further insight since he knows the Windows accounts so well...
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on May 02, 2016, 12:37:02 PM
Quote from: umbrapolaris on May 02, 2016, 11:49:03 AM
Quote from: aDVll on May 02, 2016, 11:41:12 AM
Hmm, this makes things interesting. So I assume this means you lose all AppGuard protection for guarded apps, right?

It is what I believe.

I think this can be fixed by AppGuard, because it's simply not detecting the launched app since it's done by another user or something. Maybe you can report it to the AppGuard beta forum for them to check. I would post on the Wilders Security topic, but a dev there said it's not the place to report, if I remember correctly.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on May 02, 2016, 12:43:23 PM
Quote from: aDVll on May 02, 2016, 12:37:02 PM
Quote from: umbrapolaris on May 02, 2016, 11:49:03 AM
Quote from: aDVll on May 02, 2016, 11:41:12 AM
Hmm, this makes things interesting. So I assume this means you lose all AppGuard protection for guarded apps, right?

It is what I believe.

I think this can be fixed by AppGuard, because it's simply not detecting the launched app since it's done by another user or something. Maybe you can report it to the AppGuard beta forum for them to check. I would post on the Wilders Security topic, but a dev there said it's not the place to report, if I remember correctly.

AppGuard does not support multiple active user profiles.

I know BRN.  They won't do it.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on May 02, 2016, 02:09:20 PM
Quote from: HJLBX on May 02, 2016, 12:23:59 PM
However, fixer might have further insight since he knows the Windows accounts so well...
I haven't looked into Appguard yet, so I'm not aware of principles it operates on. But it seems you're right.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on May 08, 2016, 07:36:20 PM
HitmanPro.Alert should be working fine now.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on May 08, 2016, 07:52:58 PM
Quote from: fixer on May 08, 2016, 07:36:20 PM
HitmanPro.Alert should be working fine now.

With the new build, I guess ;)
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on May 08, 2016, 08:06:52 PM
Quote from: umbrapolaris on May 08, 2016, 07:52:58 PM
With the new build, I guess ;)
Yup :)
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on May 09, 2016, 06:00:36 AM
When can we get a "stable" new beta build?
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on May 09, 2016, 12:28:42 PM
We've got a couple more issues to fix and to test these fixes. I think this or next week new RC build will be ready.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on May 09, 2016, 12:41:09 PM
Quote from: fixer on May 09, 2016, 12:28:42 PM
We've got a couple more issues to fix and to test these fixes. I think this or next week new RC build will be ready.
Nice, good to hear. Just let us know what was fixed so we can test and confirm if possible.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on May 15, 2016, 08:49:53 AM
No more issues with HMPA, well done.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: paulderdash on June 01, 2016, 06:47:10 PM
I did a search but can't find a mention of Emsisoft.
If I run Emsisoft Anti-Malware with ReHIPS 2.2 Beta installed on my Win 7 Pro x64, the interface will not open and I don't know if EAM is otherwise working normally, though services / processes appear to be running.
Uninstalling ReHIPS solves the problem. Exiting or disabling does not.
I have not tested whether adding mutual exclusions would allow these two softs to run together.
Any advice from the experts?
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on June 01, 2016, 07:01:10 PM
Quote from: paulderdash on June 01, 2016, 06:47:10 PM
I did a search but can't find a mention of Emsisoft.
If I run Emsisoft Anti-Malware with ReHIPS 2.2 Beta installed on my Win 7 Pro x64, the interface will not open and I don't know if EAM is otherwise working normally, though services / processes appear to be running.
Uninstalling ReHIPS solves the problem. Exiting or disabling does not.
I have not tested whether adding mutual exclusions would allow these two softs to run together.
Any advice from the experts?
I had the same issue, Paul, but it was fixed. Atm I am not using EAM to test, but fixer will sort it again if it broke. Will bump the topic I had on the beta forum in case he doesn't notice this reply. Will also test it tonight and see if I can reproduce, Paul.

EDIT: Can confirm it's broken. Don't remember if I tested the fix when it happened, but I am bumping the topic so devs can check the bug again.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: HJLBX on June 01, 2016, 09:15:28 PM
Quote from: paulderdash on June 01, 2016, 06:47:10 PM
I have not tested whether adding mutual exclusions would allow these two softs to run together.

You can only make all EAM processes "Allowed" for the HIPS; there is no "exclusion" for process monitoring in ReHIPS like there is in an AV that does process scanning.

Anyhow, creating Allow rules for EAM in ReHIPS will not fix the issue; it is something that the developer has to fix.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: paulderdash on June 02, 2016, 10:37:55 AM
Thanks @HJLBX
I had previously run ReHIPS in training mode for a day or so, and EAM would have done updates and a scan in that time. But I don't think I actually opened the interface at that time. Or subsequently in standard mode, to 'Allow'.
But if a developer fix is required, and from @aDVll's post it seems they have encountered this previously, I will keep an eye out here.

Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: paulderdash on June 02, 2016, 10:45:49 AM
Quote from: aDVll on June 01, 2016, 07:01:10 PM
I had the same issue, Paul, but it was fixed. Atm I am not using EAM to test, but fixer will sort it again if it broke. Will bump the topic I had on the beta forum in case he doesn't notice this reply. Will also test it tonight and see if I can reproduce, Paul.

EDIT: Can't confirm it's broken. Don't remember if I tested the fix when it happened, but I am bumping the topic so devs can check the bug again.

Thanks @aDVll - would appreciate it if fixer, or yourself, can post back here ...
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on June 02, 2016, 11:03:47 AM
Quote from: paulderdash on June 02, 2016, 10:45:49 AM
Quote from: aDVll on June 01, 2016, 07:01:10 PM
I had the same issue, Paul, but it was fixed. Atm I am not using EAM to test, but fixer will sort it again if it broke. Will bump the topic I had on the beta forum in case he doesn't notice this reply. Will also test it tonight and see if I can reproduce, Paul.

EDIT: Can't confirm it's broken. Don't remember if I tested the fix when it happened, but I am bumping the topic so devs can check the bug again.

Thanks @aDVll - would appreciate it if fixer, or yourself, can post back here ...

Lol, I meant to say I can confirm it's broken. No clue why I typed can't. Sorry for the confusion, paulderdash, but no worries, I bumped the beta topic for EAM. It will get fixed if possible.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on June 02, 2016, 11:14:34 AM
Don't worry, I didn't miss it, it's in our TODO list. Will take a closer look as soon as I finish with some other issues.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: paulderdash on June 02, 2016, 02:10:13 PM
Thanks fixer. Will wait in eager anticipation :)
Looking good otherwise!
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on June 02, 2016, 08:49:20 PM
I looked into this issue. Actually it's their bug because of unsafe DllMain of a2framework.dll. If anyone has an account on their forum or knows some of their developers, I can file a bugreport. But nevertheless this issue should be solved, so I'll try to devise some workaround.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on June 02, 2016, 08:51:08 PM
Quote from: fixer on June 02, 2016, 08:49:20 PM
I looked into this issue. Actually it's their bug because of unsafe DllMain of a2framework.dll. If anyone has an account on their forum or knows some of their developers, I can file a bugreport. But nevertheless this issue should be solved, so I'll try to devise some workaround.
I have an account on their forum. I can try posting on MalwareTips and their forum if you give me the info. One of their devs is active on both.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on June 02, 2016, 09:42:25 PM
MSDN https://msdn.microsoft.com/ru-ru/library/windows/desktop/ms682583(v=vs.85).aspx recommends
QuoteThe entry-point function should perform only simple initialization or termination tasks. It must not call the LoadLibrary or LoadLibraryEx function (or a function that calls these functions). Similarly, the entry-point function must not call the FreeLibrary function (or a function that calls FreeLibrary).
and https://msdn.microsoft.com/ru-ru/library/windows/desktop/dn633971(v=vs.85).aspx#general_best_practices
QuoteYou cannot call any function in DllMain that directly or indirectly tries to acquire the loader lock. Otherwise, you will introduce the possibility that your application deadlocks or crashes.
They call some dangerous API functions like GetFileVersionInfoSize and GetFileVersionInfo that call LoadLibraryEx and FreeLibrary, thus acquiring the loader lock. It may be OK by itself, but in conjunction with other software it may cause undesired effects like deadlocks.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on June 02, 2016, 09:53:32 PM
OK, reported with the info you provided. If you see anything you don't like, tell me so I can change it. I just copy-pasted what you said and informed them it was info from a developer.
http://www.wilderssecurity.com/threads/emsisoft-anti-malware-emsisoft-internet-security-11-has-been-released.381438/page-8#post-2592393
http://support.emsisoft.com/topic/20259-compatibility-issue-with-rehips-and-info-on-the-issue/
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on June 03, 2016, 06:08:19 AM
I have access to their closed-beta forum, if needed.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: paulderdash on June 03, 2016, 10:30:54 AM
Thanks @aDVll and @fixer! That is tangible info.
I hope the Emsisoft devs can soon provide a response, and a fix!
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on June 03, 2016, 11:01:52 AM
It's OK, everybody makes mistakes, that's what testers are for :) Regardless of Emsisoft devs response, I'll try to devise some workaround for the ReHIPS to work even in these conditions.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Mr.X on June 06, 2016, 05:45:46 AM
Quote from: fixer on April 19, 2016, 04:01:52 PM
Actually, as Shadow Defender doesn't restrict driver loading in any way, it won't be able to protect anything from kernel-mode threats. SCSI_INQUIRY is a standard read-only command and poses no threat; besides, it's issued by a driver, so I don't know why they did it. Most likely they just didn't implement all the possible codes (some of which are usually not used).
Has anyone looked into this already? I mean report this to Tony?
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on June 06, 2016, 07:56:04 AM
Quote from: Mr.X on June 06, 2016, 05:45:46 AM
Quote from: fixer on April 19, 2016, 04:01:52 PM
Actually, as Shadow Defender doesn't restrict driver loading in any way, it won't be able to protect anything from kernel-mode threats. SCSI_INQUIRY is a standard read-only command and poses no threat; besides, it's issued by a driver, so I don't know why they did it. Most likely they just didn't implement all the possible codes (some of which are usually not used).
Has anyone looked into this already? I mean report this to Tony?

Shadow Defender isn't there to protect you during your session; it is supposed to cancel all changes made during the said session at reboot, so it doesn't matter if you are hit by hundreds of malwares; one reboot later they are gone.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on June 06, 2016, 11:20:52 AM
I think he meant compatibility with ReHIPS, which uses SCSI_INQUIRY for HWID generation, as ReHIPS gives a wrong HWID when executed in shadow mode.

Quote from: umbrapolaris on June 06, 2016, 07:56:04 AM
it is supposed to cancel all changes made during the said session at reboot; so it doesn't matter if you are hit by hundreds of malwares; one reboot later they are gone.
Since we brought it up: actually it won't be able to protect from certain malware which uses kernel-mode drivers. Shadow Defender doesn't restrict driver loading in any way, so it'll be driver vs driver, a fight it can't win. So yes, kernel-mode malware may persist after reboots.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on June 06, 2016, 11:28:58 AM
Quote from: fixer on June 06, 2016, 11:20:52 AM
I think he meant compatibility with ReHIPS, which uses SCSI_INQUIRY for HWID generation, as ReHIPS gives a wrong HWID when executed in shadow mode.

Quote from: umbrapolaris on June 06, 2016, 07:56:04 AM
it is supposed to cancel all changes made during the said session at reboot; so it doesn't matter if you are hit by hundreds of malwares; one reboot later they are gone.
Since we brought it up: actually it won't be able to protect from certain malware which uses kernel-mode drivers. Shadow Defender doesn't restrict driver loading in any way, so it'll be driver vs driver, a fight it can't win. So yes, kernel-mode malware may persist after reboots.

SD creates a copy of the whole system (MBR included), so the writes are redirected to a virtual partition; shouldn't the kernel-mode malware infect only the virtual system (hence disappearing when the virtual system is deleted upon reboot)?
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on June 06, 2016, 01:10:14 PM
If some malware uses conventional disk write mechanisms like CreateFile/WriteFile, you're right, all writes will be redirected. But kernel-mode malware has the same access rights and privileges as SD; it can always bypass any redirection by direct disk access, by patching SD, by disabling SD, lots of options, let alone some sophisticated malware that persists using BIOS, video card memory or some other exotic stuff.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Umbra on June 06, 2016, 03:46:16 PM
Quote from: fixer on June 06, 2016, 01:10:14 PM
But kernel-mode malware has the same access rights and privileges as SD; it can always bypass any redirection by direct disk access, by patching SD, by disabling SD, lots of options,

I see what you're saying.

Quotelet alone some sophisticated malware that persist using BIOS, video card memory or some other exotic stuff.

Against those SD is helpless, as well as with simple keyloggers, since SD doesn't block .
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Mr.X on June 06, 2016, 06:13:58 PM
Quote from: fixer on June 06, 2016, 11:20:52 AM
I think he meant compatibility with ReHIPS which uses SCSI_INQUIRY for HWID generation as ReHIPS gives wrong HWID when executed in shadow mode.
Thanks fixer, that's exactly what I meant to say. About kernel-mode malware drivers bypassing Shadow Defender, I'm aware of it; Sandboxie suffers from the same. There's a potential bypass waiting to happen, but afaik it is hard to accomplish. In the meantime I rely upon its protection and I like/really need the undo-changes-after-reboot feature. Hence I need Shadow Defender to work alongside ReHIPS, but without the latter being deactivated because of the changing HWID.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on June 09, 2016, 04:37:53 PM
Added workaround for Emsisoft Anti-Malware issue. Should work fine now.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on June 09, 2016, 04:40:16 PM
Quote from: fixer on June 09, 2016, 04:37:53 PM
Added workaround for Emsisoft Anti-Malware issue. Should work fine now.
That's good, because support said it's probably fine that they do things the way they do, because not many programs have compatibility issues with Emsisoft. Still waiting for their dev feedback. If something changes I will let you know.

Their last msg
QuoteI've received a response. It boils down to the following:
We do use some third-party libraries in our software, and we don't have control over what functions those libraries call.
While it is possible to eliminate those dependencies, it requires a great deal of work that will take a very long time (so it won't be easy to do and it wouldn't happen anytime soon).
Even if we do eliminate those dependencies, there is no guarantee that doing so (and removing any calls to the functions mentioned by the ReHIPS dev that happen to be in our own code) would actually resolve the issue.
Our software has been calling these functions for years without any real issues, and the vast majority of security software does play nice with ours.
So basically we can either spend a ton of time trying to eliminate these functions from our software without any guarantee that it will even help, or ReHIPS can see if they can work around the issue. I'm sure that's not the answer you were looking for, however software development always seems to be more complicated than you would think it should be. ;)
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: paulderdash on June 11, 2016, 03:48:37 PM
Quote from: fixer on June 09, 2016, 04:37:53 PM
Added workaround for Emsisoft Anti-Malware issue. Should work fine now.
Thanks fixer! I have Emsisoft uninstalled on that machine now, but will test it (with EIS) soon ...
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: fixer on June 11, 2016, 04:04:17 PM
Looks like Emsisoft posted their final answer. If they think that coding explicitly against official documentation is OK because they break just a minority of other software, it's up to them. At least I've done everything I could: informing them and coding a workaround.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on June 11, 2016, 04:09:59 PM
Quote from: fixer on June 11, 2016, 04:04:17 PM
Looks like Emsisoft posted their final answer. If they think that coding explicitly against official documentation is OK because they break just a minority of other software, it's up to them. At least I've done everything I could: informing them and coding a workaround.
Yep, you did your part. Not all share your view of following basic Windows guidelines, and that's why Windows is plagued with incompatibilities. Thanks for the fix.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: paulderdash on June 11, 2016, 05:07:39 PM
Does the workaround involve downloading a new version?
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: aDVll on June 11, 2016, 05:09:31 PM
Quote from: paulderdash on June 11, 2016, 05:07:39 PM
Does the workaround involve downloading a new version?
Yes, ReHIPS is 100% offline. When fixer says it's fixed, it means he has tested a fix that works and it will be incorporated in the next released version.
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: paulderdash on June 11, 2016, 05:36:43 PM
Thanks for clarifying  :)
Title: Re: Any Reported Conflicts with Other Security Softs ?
Post by: Ozone on May 30, 2017, 03:04:52 PM
When using Secure Folders, add the files below to Trusted Applications, or there can be problems with files and folders: opening/modifying files/folders with programs in IE, modifying Access Rights rules in ReHIPS, and reinstalling ReHIPS.
DeployHelper32/64.exe
HIPSAgent32/64.exe
HIPSService32/64.exe
RulesManager32/64.exe - may be absent
RulesPack32/64.exe