ReHIPS forum

English Subforum => ReHIPS => Topic started by: HJLBX on April 11, 2016, 01:56:50 am

Title: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 11, 2016, 01:56:50 am
I have created this thread so that I and other beta testers can ask questions about unexpected ReHIPS behaviors.

The goal of this thread is simple:

* * * * *

Ask a question about an unexpected behavior or feature.

ReHIPS staff can explain details about feature(s).

ReHIPS staff can explain that behavior(s) is\are unexpected to user - but intended by design - or appears to be an issue\bug.

After answer to question(s), user can post an issue\bug report - if any is needed.

* * * * *

Beta testers and users can learn product better.

This process will reduce needless reports and burden on ReCrypt staff.

This thread will be a centralized thread for beta testers and other users to find answers to common questions about ReHIPS.

It could serve as the basis for ReCrypt staff to identify the most commonly asked questions on ReHIPS installation, features, use and issues\problems.

* * * * *

If this thread does not work out, then it can be closed or deleted by ReCrypt staff at their discretion.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 11, 2016, 02:06:25 am
I read the Admin manual; I understand how DeployHelper works for the most part.  I have questions about implementation and few minor questions.

DeployHelper:

* * * * *

Requires ReHIPS_Setup.exe correct ?

* * * * *

Why not permanently integrate DeployHelper into ReHIPS (Training Mode works better for me in configuring programs to run in IE) so it works after ReHIPS_Setup.exe deleted ?

* * * * *

What is difference between\advantage to using Deploy Helper created shortcut and program created shortcut ?

* * * * *

Does active Protection Mode (Expert, Normal, Light,...) affect DeployHelper behavior ?


Expert Mode = alerts, even while using DeployHelper.  I understand this.  I am asking if any problems have been connected to a particular Protection Mode setting.

* * * * *

Any reported issues with DeployHelper ?

* * * * *

Most installers don't identify themselves as requiring Admin rights to install.  So most users will probably always adopt run as Admin; perhaps limited rights option is not necessary ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 11, 2016, 04:24:02 pm
ReHIPS isolated environments are based on Windows built-in isolation of different users from each other and from the system (if they don't have admin privileges). So when a program is isolated, it is executed from a specially created ReHIPS user with limited access rights. Being run this way it won't be able to access real user's profile folder and registry hive. This may be a problem as the user expects the program even being isolated will have the same settings as it had before isolation. One of several possible ways to solve this is to use DeployHelper.
DeployHelper installs the program right into the new ReHIPS user. So all the settings will go from the start into isolated environment, no need to copy them from the real user environment. But it needs program setup file to do this. On the low level it just creates ReHIPS user and runs setup from that user. As the program being installed that way creates desktop and start menu shortcuts in the ReHIPS user environment, the real user won't see them, so DeployHelper recreates them for the real user on real user's desktop and start menu.
As DeployHelper is a separate application it's not affected by ReHIPS protection mode. Sometimes setup files may run other files which may lead to ReHIPS alert, it's OK though inconvenient for the user, so we've got it in our TODO list to fix this.
No issues were reported with DeployHelper yet.
Some installers don't explicitly state in the manifest that they need admin rights (DeployHelper detects the ones that do and honour this running it with admin rights). But being run later they ask for elevation. For this case DeployHelper with admin was made. Of course DeployHelper with admin can be used for every installer, but it's not recommended. For one thing DeployHelper will give ReHIPS user admin privileges. Of course it's just temporary while installer is working. But why doing it if we can be just fine without it. Besides admin requiring installers tend to install software to Program Files folder. Sometimes it's something desirable, but personally I prefer isolated software to reside in isolated environment so it'll be completely gone when I remove the isolated environment and I won't have to uninstall it later from Program Files folder.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 12, 2016, 03:17:35 am
What will be intended behavior for partitions and external drives ?

* * * * *

HIPS monitors all partitions and drives - that is easy enough.

* * * * *

Some users will want to execute programs residing on different partitions and  from Flash drives as isolated programs.

I tried flash drive - will not load into isolated environment.

I think this is intended design, but I am not sure.

Same problem as executing file isolated from PA user profile - correct ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 12, 2016, 10:38:51 am
By default external drives and network files in the terms of process execution interception are no different from regular processes. But when you isolate them, there is a catch. By default isolated programs have access neither to real user's profile folder, nor to removable or network media. This is by design as some removable media like flash drives may be formatted in old filesystems like FAT that doesn't support access rights and even being formatted in NTFS it usually allows everyone full access (thus isolated programs can mess with the contents of a flash drive).
To explicitly run a program isolated from the real user profile folder you should set Copy User Data flag (the latest ReHIPS version sets this flag automatically in non-Expert mode).
To run a program isolated from network or flash drive you should set additional Media access rights in the isolated environment window.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 13, 2016, 02:09:25 am
> By default external drives and network files in the terms of process execution interception are no different from regular processes. But when you isolate them, there is a catch. By default isolated programs have access neither to real user's profile folder, nor to removable or network media. This is by design as some removable media like flash drives may be formatted in old filesystems like FAT that doesn't support access rights and even being formatted in NTFS it usually allows everyone full access (thus isolated programs can mess with the contents of a flash drive).
> To explicitly run a program isolated from the real user profile folder you should set Copy User Data flag (the latest ReHIPS version sets this flag automatically in non-Expert mode).
> To run a program isolated from network or flash drive you should set additional Media access rights in the isolated environment window.

I followed the above outlined steps, just for the sake of testing.

Example, portable CCleaner (just for testing isolated launch - and not actual use)

However, I always get the attached ReHIPS error message.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 13, 2016, 02:43:44 am
I have a question about "Copy User Data."

* * * * *

With Cyberfox, I can only get it to launch (with Webroot browser extensions) in the isolated environment by following the steps below:

Either right-click Cyberfox shortcut and select "Run Isolated in ReHIPS" - or - create "Allow in Isolated Environment" rule.

Enable "Copy User Data."  (If I enable "Copy User Data" later, I assume no data is ever copied since it never fixes the issues.)

When the message "Cyberfox is not your default browser," I must untick "Perform this check every time at startup" and then select "Not Now" button.

* * * * *

I have attached an image of the contents of ReHIPSUser1 directory; it only contains AppData and regtrans.

I have also attached an image of the contents of ReHIPSUser1.DESKTOP* created by DeployHelper.

* * * * *

Following the above steps does not cause the problems experienced when using DeployHelper.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 13, 2016, 02:58:25 am
Does "Copy User Data" completely load Documents, Downloads, Music, etc including all folder contents ?

* * * * *

I am trying to use Isolated Environment to write reports for this forum.

However, I am having to switch back-and-forth to gain access to real user folders.

I created Read\Write access for C:\Users\HJLBX\Pictures, but I cannot access any of the objects.

I have experimented with folder and file inheritance settings; still no access.

Attached image.

* * * * *

Maybe I am not understanding how "Copy User Data" and real user folder\file access works in ReHIPS.

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 13, 2016, 12:18:22 pm
> Example, portable CCleaner (just for testing isolated launch - and not actual use)
> However, I always get the attached ReHIPS error message.

That's strange. Could you give us more information: Isolated environment Media access rights options, type of external media used and type of filesystem on that media (FAT, NTFS, etc)?

> If I enable "Copy User Data" later, I assume no data is ever copied since it never fixes the issues.

The most possible reason for this was explained here

> it runs without settings at first (as there are no settings in the empty isolated environment and Copy data flag is not set), creates default settings (without any extension) and uses them later (even if Copy data flag is set, it isn't needed anymore as settings are present in the isolated environment and won't be copied on demand anymore).

In other words, Cyberfox doesn't see any settings at first and creates default settings. Copy User Data copies only files that are absent in the isolated environment, but present in the real user environment. And as there are settings present in the isolated environment (default newly created) nothing is copied later when Copy User Data flag is set.

The first screenshot Capture46.PNG, it doesn't look like active isolated environment. It looks like this was isolated environment, but it's deleted, hence most of the files were deleted, but some are in use by Windows and will be deleted after reboot.

> Does "Copy User Data" completely load Documents, Downloads, Music, etc including all folder contents ?

Like I said

> With this flag set registry keys and file/folders are copied from the real user to the isolated environment on demand (the application tries to reach them, they're not in the isolated environment, but found in the real user environment).

In other words, a program tries to access some file. It's absent in the isolated environment, but is present in the real user environment. Then it's copied. Usually programs try to access only their settings from Local or Remote AppData. Other files and folders you can see in ReHIPS user profile are just system objects, Windows created them for internal needs.

There is no use to set any access to the real user profile folder files or folders in the isolated environment options. Any access to the real user profile folder is redirected to the ReHIPS user folder. So if the file being accessed exists in the ReHIPS user folder, it'll be opened. If the file being accessed is absent in the ReHIPS user folder, but Copy User Data flag is set, it'll be copied to the ReHIPS user folder and then opened. In other cases access will result in error. So no direct access to the real user profile folder by the isolated program is performed, thus there is no use to set any access to the real user profile folder files or folders.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 13, 2016, 12:35:50 pm
I keep trying to explain the issue on my system, but it is difficult using this method to communicate an issue sometimes...

Capture46 is active isolated environment created when setting up Cyberfox for first time.  It stays that way and never changes.

Using DeployHelper to set up Cyberfox does not work; extensions will never be loaded using DeployHelper - even after system reboot.

The only way I can get extensions to load and Cyberfox to work in the Isolated Environment is by following the steps I outlined in the thread.

* * * * *

I have tried to access files only present in real user profile via browser, text editor, archiver, etc. 

When I open Documents folder for example, it is always empty - even with "Copy User Data" enabled - during access; I can never gain access to files I need while in Isolated Environment.

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 13, 2016, 12:47:28 pm
> > Example, portable CCleaner (just for testing isolated launch - and not actual use)
> > However, I always get the attached ReHIPS error message.
>
> That's strange. Could you give us more information: Isolated environment Media access rights options, type of external media used and type of filesystem on that media (FAT, NTFS, etc)?

I will check it.  Give me some time...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 13, 2016, 01:30:20 pm
> Using DeployHelper to set up Cyberfox does not work; extensions will never be loaded using DeployHelper - even after system reboot.
> I have tried to access files only present in real user profile via browser, text editor, archiver, etc.

DeployHelper installs software from scratch into isolated environment. So maybe extensions should also be installed there, it depends on the way they work. Could you give a list of extensions? I'll look into this issue.

> When I open Documents folder for example, it is always empty - even with "Copy User Data" enabled - during access; I can never gain access to files I need while in Isolated Environment.

Do you mean you browse into the profile folder and don't see the files from real user profile folder? This is because redirection is in action, you'll see contents of ReHIPS user folder. But if you try to access files from the real user profile folder, they'll be copied. For example you have isolated notepad and you have file C:\Users\HJLBX\AppData\Local\file.txt that is absent in C:\Users\ReHIPSUser1\AppData\Local\file.txt. If you browse from notepad to either C:\Users\HJLBX or C:\Users\ReHIPSUser1, you'll see contents of C:\Users\ReHIPSUser1 because of redirection. But if you try to open file C:\Users\HJLBX\AppData\Local\file.txt or C:\Users\ReHIPSUser1\AppData\Local\file.txt for example by typing file name in the open file dialog filename field, it'll be copied and opened.
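The redirection and copy-on-demand behaviour fixer describes in the two replies above, as a toy Python model added here (it is not ReHIPS code and not part of the thread). The class and function names, the temporary directory layout and the file contents are all constructed for illustration; the model covers only paths under the two profile folders.

```python
import os
import shutil
import tempfile


class IsolatedProfileModel:
    """Toy model of profile redirection with an optional Copy User Data flag."""

    def __init__(self, real_profile, isolated_profile, copy_user_data):
        self.real = os.path.abspath(real_profile)
        self.iso = os.path.abspath(isolated_profile)
        self.copy_user_data = copy_user_data

    def _relative(self, path):
        """Path relative to whichever profile it lies under, or None."""
        path = os.path.abspath(path)
        for root in (self.real, self.iso):
            if path == root or path.startswith(root + os.sep):
                return os.path.relpath(path, root)
        return None

    def redirect(self, path):
        """Any access to either profile lands in the isolated profile."""
        rel = self._relative(path)
        if rel is None:
            raise PermissionError("outside both profiles; not modelled here")
        return os.path.normpath(os.path.join(self.iso, rel))

    def list_dir(self, path):
        """Browsing shows only what already exists in the isolated profile."""
        target = self.redirect(path)
        return sorted(os.listdir(target)) if os.path.isdir(target) else []

    def open_file(self, path):
        """Open by name: use the isolated copy, else copy on demand, else fail."""
        target = self.redirect(path)
        if os.path.isfile(target):
            return target, "opened"
        source = os.path.join(self.real, self._relative(path))
        if self.copy_user_data and os.path.isfile(source):
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(source, target)
            return target, "copied"
        raise FileNotFoundError(path)


def run_demo():
    """Replay the two cases from the thread on a constructed directory tree."""
    base = tempfile.mkdtemp(prefix="rehips_model_")
    real = os.path.join(base, "Users", "RealUser")
    iso = os.path.join(base, "Users", "ReHIPSUser1")
    for folder in (os.path.join(real, "Pictures"),
                   os.path.join(real, "AppData", "Local"),
                   os.path.join(iso, "Pictures")):
        os.makedirs(folder)
    picture = os.path.join(real, "Pictures", "picture.bmp")
    with open(picture, "wb") as handle:
        handle.write(b"BM constructed sample")
    real_settings = os.path.join(real, "AppData", "Local", "settings.ini")
    with open(real_settings, "w") as handle:
        handle.write("extensions=lastpass")

    results = {}
    try:
        env = IsolatedProfileModel(real, iso, copy_user_data=False)
        # Flag not set: the file is absent from the isolated profile, so it fails.
        try:
            env.open_file(picture)
            results["open_without_flag"] = "opened"
        except FileNotFoundError:
            results["open_without_flag"] = "error"
        # First run without the flag: the program writes default settings
        # into the isolated profile (the Cyberfox case).
        iso_settings = env.redirect(real_settings)
        os.makedirs(os.path.dirname(iso_settings), exist_ok=True)
        with open(iso_settings, "w") as handle:
            handle.write("extensions=none")

        env.copy_user_data = True  # flag enabled afterwards
        results["listing_before"] = env.list_dir(os.path.join(real, "Pictures"))
        results["first_open"] = env.open_file(picture)[1]
        results["listing_after"] = env.list_dir(os.path.join(real, "Pictures"))
        # Settings already exist in the isolated profile, so nothing is copied.
        path, action = env.open_file(real_settings)
        results["settings_action"] = action
        with open(path) as handle:
            results["settings_content"] = handle.read()
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

The run shows both observations from the thread: the folder listing stays empty until a file is opened by name, and enabling the flag after defaults were written leaves the default settings in place.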
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 14, 2016, 12:23:20 pm
> DeployHelper installs software from scratch into isolated environment. So maybe extensions should also be installed there, it depends on the way they work. Could you give a list of extensions? I'll look into this issue.

I uninstalled all other security softs, removed all remnants - even cleaned registry and prefetch.  So now I am running only ReHIPS.

Cyberfox 45.0.3
LastPass 3.3.1 (for Firefox)

Once again same issue.

If I use DeployHelper, then LastPass extension will never get loaded.

If I create the Isolated Environment manually, and tick "Copy User Data," then it gets loaded.

* * * * *

I'm just trying to pin this down so as to save other users frustrations because of unexpected behaviors.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 14, 2016, 12:25:59 pm
What is proper technique for setting up rules for Child Programs in Isolated Environment ?

For example, Cyberfox.exe > plugin-container.exe; Cyberfox.exe > helper.exe.

Is it best to also allow both plugin-container.exe and helper.exe to run inside Isolated Environment - or it doesn't matter - as long as they can execute ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 14, 2016, 12:36:32 pm
So, if I understand correctly, there is no way to gain access to pictures I have stored in the real user profile from inside the Isolated Environment ?

They have to be manually moved ahead of time to ReHIPSUser or to C:\ReHIPS to be available ?

LOL... this is causing me some angst. 

I just want to learn what I need to do to make it work - if it is possible.

If it is possible, can someone give an example of the steps I need to follow ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 14, 2016, 12:42:13 pm
I just want to confirm this - objects can be elevated to admin privileges inside the Isolated Environment - correct ?

But even if they get elevated, what they can do inside the Isolated Environment is still restricted - correct ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 14, 2016, 12:44:45 pm
What is the default folder content of C:\ReHIPS folder ?

Is it dependent upon what programs are detected during program detection\installation of RulesPack ?

Do the sub-folders have the same restrictions as the main C:\ReHIPS folder ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 14, 2016, 01:38:33 pm
I have these rules in RulesPack:
Cyberfox.exe: process - ALLOW_RESTRICTED, parenting - ALLOW.
plugin-container.exe: process - ALLOW_RESTRICTED, parenting - ALLOW.
I don't have any rules for helper.exe as it resides in uninstall folder and seems to be uninstall-related.
plugin-container is only started by Cyberfox, thus it'll inherit all rights and privileges, so it doesn't matter if it's restricted or not. But just for security precautions it's marked as restricted.

I'll check LastPass and come back with more information later.

> So, if I understand correctly, there is no way to gain access to pictures I have stored in the real user profile from inside the Isolated Environment ?

If you have Copy User Data flag set, it's possible. For example you have C:\Users\HJLBX\Pictures\picture.bmp you wish to open in isolated Paint. You start isolated Paint (don't forget to set Copy User Data flag), File-Open menu, navigate to C:\Users\ReHIPSUserX\Pictures (Paint isolated ReHIPS User) or C:\Users\HJLBX\Pictures (doesn't matter which one as the latter will be redirected to the former), type picture.bmp as File name and click Open. Yes, you might not see this file in the list of files in folder as it hasn't been copied to the isolated environment yet. But when you enter the file name and try to open it, it'll be copied and successfully opened.

> I just want to confirm this - objects can be elevated to admin privileges inside the Isolated Environment - correct ?

Nope, they can't. They can try to ask you for elevation showing standard UAC dialog and asking for admin username/password. But they can't do it themselves.

> What is the default folder content of C:\ReHIPS folder ?
>
> Is it dependent upon what programs are detected during program detection\installation of RulesPack ?
>
> Do the sub-folders have the same restrictions as the main C:\ReHIPS folder ?

RulesPack during installation of initial rules creates this folder if any restricted program needs it (in the current version, by release it will always create this folder). For example browsers may need some folder to save downloaded files to, so subfolder Browser is created in ReHIPS folder. Or office programs need some storage for documents to work with, so Office folder is created. The access rights were borrowed from the user profile folders in Windows (will be slightly tightened by release): any user can view and read from immediate ReHIPS folder, but only current real user (the one the rules were installed for) and respective ReHIPS user have access to the subfolders (Browser, Office, etc) and files in them.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 14, 2016, 01:47:39 pm
> I don't have any rules for helper.exe as it resides in uninstall folder and seems to be uninstall-related.

If I use DeployHelper, then Cyberfox.exe will execute helper.exe.

If I create the Isolated Environment manually and tick "Copy User Data", then Cyberfox.exe doesn't execute helper.exe.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 14, 2016, 01:50:16 pm
I added initial rules for RulesPack, it expects Cyberfox to be already installed. So it doesn't need helper.exe rule.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 14, 2016, 01:53:56 pm
> If you have Copy User Data flag set, it's possible. For example you have C:\Users\HJLBX\Pictures\picture.bmp you wish to open in isolated Paint. You start isolated Paint (don't forget to set Copy User Data flag), File-Open menu, navigate to C:\Users\ReHIPSUserX\Pictures (Paint isolated ReHIPS User) or C:\Users\HJLBX\Pictures (doesn't matter which one as the latter will be redirected to the former), type picture.bmp as File name and click Open. Yes, you might not see this file in the list of files in folder as it hasn't been copied to the isolated environment yet. But when you enter the file name and try to open it, it'll be copied and successfully opened.

I tried it.  It works.

I didn't know that FileHelper wouldn't populate the list; unexpected behavior.

The user needs to know the file name - so a little inconvenient, but it works.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 14, 2016, 01:59:05 pm
> RulesPack during installation of initial rules creates this folder if any restricted program needs it (in the current version, by release it will always create this folder). For example browsers may need some folder to save downloaded files to, so subfolder Browser is created in ReHIPS folder. Or office programs need some storage for documents to work with, so Office folder is created. The access rights were borrowed from the user profile folders in Windows (will be slightly tightened by release): any user can view and read from immediate ReHIPS folder, but only current real user (the one the rules were installed for) and respective ReHIPS user have access to the subfolders (Browser, Office, etc) and files in them.

Any way to have a complete set of subfolders installed by default ?

That way user doesn't have to create the individual subfolders and figure out access rights and all that sort of rigmarole ?

For example, user installs ReHIPS but doesn't have Office installed at the time.  So ReHIPS will not create an Office subfolder during install.  User installs Office at some point in the future - and they don't know how to create the correct access rights.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 14, 2016, 02:00:14 pm
Is it really necessary\safe to have C:\ReHIPS with execution rights ?

See attached image.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 14, 2016, 03:53:02 pm
> The user needs to know the file name - so a little inconvenient, but it works.

This was mostly designed for copying programs settings, and programs know their files names, so it works. As it's a dangerous feature it's discouraged to use it to open some files that's why it's inconvenient. If you want to work with some file in an isolated program, the best solution is to copy it to the appropriate C:\ReHIPS subfolder. The less secure (but still more secure than Copy User Data flag), but more convenient solution is to use double-click to open file, but Open File Access should be set in isolated environment options.

> That way user doesn't have to create the individual subfolders and figure out access rights and all that sort of rigmarole ?
>
> For example, user installs ReHIPS but doesn't have Office installed at the time.  So ReHIPS will not create an Office subfolder during install.  User installs Office at some point in the future - and they don't know how to create the correct access rights.

ReHIPS monitors the Windows registry for changes in uninstall applications. Thus it detects that some new program was installed (office for example) and updates rules. So there shouldn't be any problems for the user who installs Office later, after ReHIPS.
This list of possible subfolders is as follows: Browser, Mail, Office and PDF.

> Is it really necessary\safe to have C:\ReHIPS with execution rights ?

Nothing to worry about, ReHIPS will alert about new processes from this folder just the way it alerts about any other new processes, ReHIPS is not affected by this right in any way.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 14, 2016, 04:09:33 pm
> > The user needs to know the file name - so a little inconvenient, but it works.
>
> This was mostly designed for copying programs settings, and programs know their files names, so it works. As it's a dangerous feature it's discouraged to use it to open some files that's why it's inconvenient. If you want to work with some file in an isolated program, the best solution is to copy it to the appropriate C:\ReHIPS subfolder. The less secure (but still more secure than Copy User Data flag), but more convenient solution is to use double-click to open file, but Open File Access should be set in isolated environment options.
>
> > That way user doesn't have to create the individual subfolders and figure out access rights and all that sort of rigmarole ?
> >
> > For example, user installs ReHIPS but doesn't have Office installed at the time.  So ReHIPS will not create an Office subfolder during install.  User installs Office at some point in the future - and they don't know how to create the correct access rights.
>
> ReHIPS monitors the Windows registry for changes in uninstall applications. Thus it detects that some new program was installed (office for example) and updates rules. So there shouldn't be any problems for the user who installs Office later, after ReHIPS.
> This list of possible subfolders is as follows: Browser, Mail, Office and PDF.
>
> > Is it really necessary\safe to have C:\ReHIPS with execution rights ?
>
> Nothing to worry about, ReHIPS will alert about new processes from this folder just the way it alerts about any other new processes, ReHIPS is not affected by this right in any way.

Does it create the folder, for example Office, if i install office after installing rehips or folder creation is only when rehips is installed?
Also i saw you have rules for adobe reader but not for Adobe Acrobat which i use(so PDF folder was not created). Might want to add those if you have the time.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 14, 2016, 04:21:14 pm
It creates ReHIPS subfolders every time initial rules are installed. By default they are installed when ReHIPS is installed. But they are also installed when Windows registry changes are detected in uninstall programs or by user request from the main ReHIPS GUI window.
Added notes about initial rules for Adobe Acrobat to our TODO list.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 15, 2016, 12:23:12 am
When I try to save a file to C:\ReHIPS, it returns message "You do not have access rights to save to this location.  Contact your Administrator."

It is only possible to save files to ReHIPSUser profile ?

If I understand correctly, then the workaround is user must download inside ReHIPSUser, close Isolated Environment and then copy to C:\ReHIPS ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 15, 2016, 02:28:20 am
Is there any way to optimize the alerts so that multiple alerts do not appear all at one time ?

This commonly occurs during program installations.

It has never caused a problem in my experience, but some users complain about HIPS that permit a flurry of alerts to appear all at once.

I suppose it causes confusion and\or the user might worry that it will cause errors, problems, failed installs, etc - if they respond to the alerts out-of-sequence with the actual run sequence (asynchronous response to alerts).
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 15, 2016, 10:49:32 am
> When I try to save a file to C:\ReHIPS, it returns message "You do not have access rights to save to this location.  Contact your Administrator."
>
> It is only possible to save files to ReHIPSUser profile ?
>
> If I understand correctly, then the workaround is user must download inside ReHIPSUser, close Isolated Environment and then copy to C:\ReHIPS ?

You need to save to C:\ReHIPS\Browser or PDF,Office,etc. You can't save in the main folder. Assuming you are talking about a browser if you go in rehips settings for that browser you can see it has permission for C:\ReHIPS\Browser and subfolders only.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 15, 2016, 11:38:51 am
> > When I try to save a file to C:\ReHIPS, it returns message "You do not have access rights to save to this location.  Contact your Administrator."
> >
> > It is only possible to save files to ReHIPSUser profile ?
> >
> > If I understand correctly, then the workaround is user must download inside ReHIPSUser, close Isolated Environment and then copy to C:\ReHIPS ?
>
> You need to save to C:\ReHIPS\Browser or PDF,Office,etc. You can't save in the main folder. Assuming you are talking about a browser if you go in rehips settings for that browser you can see it has permission for C:\ReHIPS\Browser and subfolders only.

ReHIPS installed C:\ReHIPS for Internet Explorer.

I manually added C:\ReHIPS for Cyberfox isolated environment.  Access denied.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 15, 2016, 11:40:54 am
Weird. My internet explorer created the Browser folder that has access to it. I think this is the intended function. You don't have a browser folder?

(http://i.imgur.com/D55VAKY.png)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 15, 2016, 12:04:00 pm
> Weird. My internet explorer created the Browser folder that has access to it. I think this is the intended function. You don't have a browser folder?
>
> (http://i.imgur.com/D55VAKY.png)

I have browser folder.

Try to save file to C:\ReHIPS using Cyberfox, Access is Denied.  I have identical configurations for both IE and Cyberfox isolated environments - set up Cyberfox access to C:\ReHIPS identical to that of Internet Explorer.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 15, 2016, 12:10:29 pm
Permissions only allow administrator to write in C:\ReHIPS. When you launch an application isolated it doesn't have admin rights so it can't write there. The Browser folder on the other hand can be written by normal users that's why it works.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 15, 2016, 12:22:52 pm
> Permissions only allow administrator to write in C:\ReHIPS. When you launch an application isolated it doesn't have admin rights so it can't write there. The Browser folder on the other hand can be written by normal users that's why it works.

Thanks.  Fumbling about trying out how the file system access rights and access works with ReHIPS.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 15, 2016, 12:25:27 pm
What I don't understand is why I can't access the files from an isolated app if I give it access from permission tab in the GUI.
For example I give permission to C:\Users\Admin\test pic for Firefox(isolated). When I open Firefox and try to browse to that account folder I don't see it. Any idea why it's happening?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 15, 2016, 12:43:19 pm
ReHIPS folder was designed to contain auto-installed subfolders. It wasn't designed for subfolders to be created manually. So current access rights may pose a problem for this. It will be redesigned in this release to support both auto and manually created folders.

What I don't understand is why I can't access the files from an isolated app if I give it access from permission tab in the GUI.
For example I give permission to C:\Users\Admin\test pic for Firefox(isolated). When I open Firefox and try to browse to that account folder I don't see it. Any idea why it's happening?
There was some discussion about it here, maybe it'll help.
If you have Copy User Data flag set, it's possible. For example you have C:\Users\HJLBX\Pictures\picture.bmp you wish to open in isolated Paint. You start isolated Paint (don't forget to set Copy User Data flag), File-Open menu, navigate to C:\Users\ReHIPSUserX\Pictures (Paint isolated ReHIPS User) or C:\Users\HJLBX\Pictures (doesn't matter which one as the latter will be redirected to the former), type picture.bmp as File name and click Open. Yes, you might not see this file in the list of files in folder as it hasn't been copied to the isolated environment yet. But when you enter the file name and try to open it, it'll be copied and successfully opened.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 15, 2016, 12:55:44 pm
Yes, I saw that but unfortunately I still don't understand. I understand how the copy user data works but what is the use of permission tab if it's not to give permission to main account folders? This is what I don't understand.

Quote
In other words you can block or allow an access to some folder, file or registry entry for all programs in this isolated environment.

In help file it's saying the quote msg above. So I opened a file and still can't access it. Obviously I am missing something and would like some help.
(http://i.imgur.com/l1tANiV.jpg)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on April 15, 2016, 12:58:18 pm
Is there any way to optimize the alerts so that multiple alerts do not appear all at one time ?

This commonly occurs during program installations.

It has never caused a problem in my experience, but some users complain about HIPS that permit a flurry of alerts to appear all at once.

I suppose it causes confusion and\or the user might worry that it will cause errors, problems, failed installs, etc - if they respond to the alerts out-of-sequence with the actual run sequence (asynchronous response to alerts).

Thanks for your suggestion. We'll think of something in one of the following releases.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 15, 2016, 01:21:31 pm
what is the use of permission tab if it's not to give permission to main account folders? This is what I don't understand.
Permission tab was designed to control access rights to any file/folder except real user profile folder. Real user profile folder is a special folder that is treated specially, any access to it is always redirected to ReHIPS user profile folder. Any other file or folder access is controlled by permission tab.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 15, 2016, 01:32:32 pm
what is the use of permission tab if it's not to give permission to main account folders? This is what I don't understand.
Permission tab was designed to control access rights to any file/folder except real user profile folder. Real user profile folder is a special folder that is treated specially, any access to it is always redirected to ReHIPS user profile folder. Any other file or folder access is controlled by permission tab.

So, if I understand correctly, access rights to folders\files in Isolated Environment control panel is for ReHIPSUser profile only.

The only exception to this is C:\ReHIPS sub-folders.

Can user add sub-folders manually to C:\ReHIPS without any issues - for example - Pictures folder ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 15, 2016, 01:33:17 pm
what is the use of permission tab if it's not to give permission to main account folders? This is what I don't understand.
Permission tab was designed to control access rights to any file/folder except real user profile folder. Real user profile folder is a special folder that is treated specially, any access to it is always redirected to ReHIPS user profile folder. Any other file or folder access is controlled by permission tab.
Nice. It's completely clear now. Maybe I missed that real user profile folder is excluded from that permission tab but if I didn't miss and it's not in the help file you can maybe add it.

@HJLBX I think access rights to folders\files in Isolated Environment control panel is for anything except real user profile folders.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 15, 2016, 02:49:42 pm
So, if I understand correctly, access rights to folders\files in Isolated Environment control panel is for ReHIPSUser profile only.
You can set access rights to any files and folders except real user profile folder. Actually you can set access rights there too, but they won't matter as redirection is in effect. I think, we'll add error for this, added to our TODO list.

Can user add sub-folders manually to C:\ReHIPS without any issues - for example - Pictures folder ?
Right now ReHIPS folder isn't designed for the subfolders to be created manually. But I'll fix this in this release.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 16, 2016, 04:22:58 am
Is it possible to configure browser - media player such that when download movie, the media player will open inside a completely different ReHIPSUser - but access the movie data downloaded to browser ReHIPSUser ?

In other words, create a movie data pipe between two independent ReHIPSUsers ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 16, 2016, 06:34:45 am
Is it possible to configure browser - media player such that when download movie, the media player will open inside a completely different ReHIPSUser - but access the movie data downloaded to browser ReHIPSUser ?

In other words, create a movie data pipe between two independent ReHIPSUsers ?

You can already by navigating from the media player's "open files" function and then access the other ReHIPSUser folders.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 16, 2016, 10:19:01 am
You can already by navigating from the media player's "open files" function and then access the other ReHIPSUser folders.
You're right, it should work, but only if media player runs unisolated from the real user. As ReHIPS grants the real user access to C:\ReHIPS folder and ReHIPS users profile folders for the user convenience.

Is it possible to configure browser - media player such that when download movie, the media player will open inside a completely different ReHIPSUser - but access the movie data downloaded to browser ReHIPSUser ?

In other words, create a movie data pipe between two independent ReHIPSUsers ?
By default isolated environments don't have any access to each other's folders. If you don't want to copy/move the file there are 2 ways to get this working. You can grant your media player access to the Browser folder in the permissions tab (read access should be enough, I suppose). Or you can set "Open file access" media player option (read access should be enough again) and use double-click to open the file.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 17, 2016, 03:20:20 am
I was trying to accomplish:

1.  Download movie
2.  Open movie with WMP
3.  Have WMP open and play a movie in a separate ReHIPSUser (not same ReHIPSUser as browser)

Playing movie in same IE as browser is reasonably safe I suppose.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 17, 2016, 12:39:25 pm
After deleting USER & SYSTEM groups, I noticed that non-existent\obsolete file paths are no longer highlighted to indicate file is not on system at that file path.

See attached images.  I typed Red in images, but I meant Pink\Red.

Am I missing something ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 17, 2016, 12:58:05 pm
Maybe someone can point out what I am doing wrong in trying to execute CCleaner isolated from flash drive (D:\).

See attached flash video.

Select demo.html.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 17, 2016, 01:21:29 pm
Maybe someone can point out what I am doing wrong in trying to execute CCleaner isolated from flash drive (D:\).

See attached flash video.

Select demo.html.
Pretty weird. I tried it and it works for me. See anything different? Even changed protection to expert mode.
Ignore the missing username.

(http://i.imgur.com/s3xP308.jpg)
(http://i.imgur.com/H11Yvsg.png)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 17, 2016, 01:22:06 pm
1.  Download movie
2.  Open movie with WMP
3.  Have WMP open and play a movie in a separate ReHIPSUser (not same ReHIPSUser as browser)

Playing movie in same IE as browser is reasonably safe I suppose.
I've just tried to do it on a default stock Windows 7.
1. Open Internet Explorer, it opens in isolated environment. Download a movie for example in C:\ReHIPS\Browser.
2. By default WMP is allowed in RulesPack, set it to isolated.
3. As the movie resides in Browser ReHIPS subfolder, allow newly isolated WMP access to it by either allowing read access to C:\ReHIPS\Browser with files and subfolders inheritance in Permissions tab, or setting Open file access option to WMP isolated environment to Read.
4. Try to open it from real user explorer. WMP is set to be isolated, access to movie file is granted. It works.

After deleting USER & SYSTEM groups, I noticed that non-existent\obsolete file paths are no longer highlighted to indicate file is not on system at that file path.
ReHIPS is designed as a thin client architecture with GUI being a thin client and Service doing all the work. Program tree is cached in GUI to relieve communications channel from excessive load requesting it every time. So GUI doesn't know if these files exist at the moment or not, it operates based on information from Service. Thus if program tree is completely updated, GUI will know about changes in file presence and will mark them with pink/red. So it's some kind of feature. But we'll see what we can do, maybe update it after timeout, maybe add a manual update button.

Maybe someone can point out what I am doing wrong in trying to execute CCleaner isolated from flash drive (D:\).
What is the type of filesystem on that media (FAT, NTFS, etc)? You may also need Unsecured FS Media access right set.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 17, 2016, 01:40:48 pm
CCleaner issue.

Flash Drive = FAT32.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 17, 2016, 01:45:58 pm
FAT32 file system doesn't support permissions, so any program (including isolated) can access any file/folder with any access. To mitigate this issue Unsecured FS checkbox was added, you need to set it to allow access to unsecured filesystems.
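
The point in the post above, as an added example that is not part of the original post and not ReHIPS code: Windows reports whether a volume stores and enforces ACLs through the FILE_PERSISTENT_ACLS flag of GetVolumeInformationW, and a FAT32 flash drive does not set it. The function names and the sample flag values are assumptions made for the illustration.

```python
import ctypes
import os
import sys

# Documented GetVolumeInformationW flag: the volume preserves and enforces ACLs.
FILE_PERSISTENT_ACLS = 0x00000008

# Constructed sample flag values for offline use (not captured from a real system).
SAMPLE_FLAGS = {
    "NTFS": 0x0000000F,   # case-sensitive search, case-preserved names, Unicode, ACLs
    "FAT32": 0x00000006,  # case-preserved names, Unicode, no ACL bit
}


def enforces_acls(fs_flags):
    """True when per-user file permissions can be enforced on the volume."""
    return bool(fs_flags & FILE_PERSISTENT_ACLS)


def query_volume(path):
    """Return (filesystem_name, flags) for the volume holding `path` (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("GetVolumeInformationW is only available on Windows")
    root = os.path.splitdrive(os.path.abspath(path))[0] + "\\"
    fs_name = ctypes.create_unicode_buffer(261)
    flags = ctypes.c_uint32(0)
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        ctypes.c_wchar_p(root), None, 0, None, None,
        ctypes.byref(flags), fs_name, len(fs_name))
    if not ok:
        raise ctypes.WinError()
    return fs_name.value, flags.value


def assess(fs_name, fs_flags):
    """Classify a volume: on an 'unsecured' one a restricted account is not held back
    by file permissions, because the filesystem has none to check."""
    verdict = "acl-enforced" if enforces_acls(fs_flags) else "unsecured"
    return fs_name, verdict


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        print(assess(*query_volume(sys.argv[1])))   # e.g. python check.py D:\
    else:
        for name, flags in SAMPLE_FLAGS.items():    # constructed values
            print(assess(name, flags))
```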
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 17, 2016, 01:47:59 pm
FAT32 file system doesn't support permissions, so any program (including isolated) can access any file/folder with any access. To mitigate this issue Unsecured FS checkbox was added, you need to set it to allow access to unsecured filesystems.

Unsecured FS fixes it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 17, 2016, 01:57:45 pm
As far as WMP, I'm talking about using the browser cache instead of saving the movie file to C:\ReHIPS\Browser.

It's OK.  I just allow WMP to run inside the same IE as the browser.  Should be reasonably safe.

If I could get WMP to auto-launch inside a separate IE, but use the browser cached movie data - I would do it, but I don't think it is possible.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 17, 2016, 02:21:38 pm
Ah, you mean watching a movie from browser cache and not from already downloaded file.
There are two possible solutions: to allow browser start processes without inspection (so it'll start WMP in browser's current isolated environment) or to add WMP to the same isolated environment. Both of them actually result in WMP running in the same isolated environment on the same isolated desktop as the browser. They won't be protected from each other, but I agree with you, it's reasonably safe.
There may be another solution, use separate isolated environments, set browser's Can be parent option to Allow with children inspection and allow WMP access to the browser's isolated environment (to the cache folder) from Permissions tab. I haven't tried it (maybe it'll need access to something more than just cache folder and files, maybe they communicate through some COM and it won't work at all because of isolation) and personally I'm not in favor of allowing one isolated environment access to another one, but you can try it if you want.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 17, 2016, 11:58:38 pm
After deleting USER & SYSTEM groups, I noticed that non-existent\obsolete file paths are no longer highlighted to indicate file is not on system at that file path.
ReHIPS is designed as a thin client architecture with GUI being a thin client and Service doing all the work. Program tree is cached in GUI to relieve communications channel from excessive load requesting it every time. So GUI doesn't know if these files exist at the moment or not, it operates based on information from Service. Thus if program tree is completely updated, GUI will know about changes in file presence and will mark them with pink/red. So it's some kind of feature. But we'll see what we can do, maybe update it after timeout, maybe add a manual update button.

This behavior was unexpected.  It still doesn't seem quite right because I rebooted system several times - so GUI should have been updated and non-existent files should have been marked.

Prior to removing USER & SYSTEM groups, GUI would update after closing\re-opening.  Since removing these groups, it did not.

Only after installing another program on system, did ReHIPS GUI mark all appropriate files red\pink.

* * * * *

I will have to test it again by deleting USER & SYSTEM - start over again.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 18, 2016, 12:28:11 am
The sure way to force the GUI to update the list is to restart the GUI, you don't have to reboot. If after restart it still doesn't show absent program files with pink/red, it's strange, code is quite straightforward.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 19, 2016, 10:21:10 am
I uninstall USER & SYSTEM rules groups.

After a period of time - sometimes a few hours while other times a day or so - it appears ReHIPS re-installs all the rules from the RulesPack.

I have consciously stayed away from the GUI so as not to inadvertently hit the "Install Rules" button.

I have tried this several times with the same result.

Is this expected behavior ?

Is it a feature of ReHIPS ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 19, 2016, 10:29:09 am
I uninstall USER & SYSTEM rules groups.

After a period of time - sometimes a few hours while other times a day or so - it appears ReHIPS re-installs all the rules from the RulesPack.

I have consciously stayed away from the GUI so as not to inadvertently hit the "Install Rules" button.

I have tried this several times with the same result.

Is this expected behavior ?

Is it a feature of ReHIPS ?
Fixer said this in some other topic. So maybe you installed/uninstalled a program?
Quote
Rules are also installed when Windows registry changes are detected in uninstall programs or by user request from the main ReHIPS GUI window.
https://forum.re-crypt.com/index.php?topic=2032.msg3221#msg3221 (https://forum.re-crypt.com/index.php?topic=2032.msg3221#msg3221)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 19, 2016, 10:38:12 am
I uninstall USER & SYSTEM rules groups.

After a period of time - sometimes a few hours while other times a day or so - it appears ReHIPS re-installs all the rules from the RulesPack.

I have consciously stayed away from the GUI so as not to inadvertently hit the "Install Rules" button.

I have tried this several times with the same result.

Is this expected behavior ?

Is it a feature of ReHIPS ?
Fixer said this in some other topic. So maybe you installed/uninstalled a program?
Quote
Rules are also installed when Windows registry changes are detected in uninstall programs or by user request from the main ReHIPS GUI window.
https://forum.re-crypt.com/index.php?topic=2032.msg3221#msg3221 (https://forum.re-crypt.com/index.php?topic=2032.msg3221#msg3221)

No.  I didn't change anything on system.  No installs\uninstalls - just delete USER & SYSTEM - then sit back and observe.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: schelkunov on April 19, 2016, 10:57:31 am
Quote
No.  I didn't change anything on system.  No installs\uninstalls - just delete USER & SYSTEM - then sit back and observe.
What about Windows updates?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 19, 2016, 11:10:15 am
Quote
No.  I didn't change anything on system.  No installs\uninstalls - just delete USER & SYSTEM - then sit back and observe.
What about Windows updates?

No.  No Windows update.

* * * * *

We have three possibilities:

User installation
Windows update
App store query\update

* * * * *

Not concerned about it really - just getting to know how ReHIPS behaves.

Experimenting & observing.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 19, 2016, 11:43:09 am
Try to look at ReHIPS log, when RulesPack32/64.exe was started, it'll give you time, when rules were installed. And maybe some other processes around it will hint at what happened. Currently it installs rules: on ReHIPS install if user chose so, on user demand, on new user login, on changes in Uninstall registry key.
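
One way to test the "changes in Uninstall registry key" trigger named in the post above, as an added example that is not part of the original post and not ReHIPS code: snapshot the last-write time of every Uninstall subkey after deleting the rule groups, then diff it once the rules reappear. Which Uninstall keys ReHIPS actually watches is an assumption (the three standard Windows locations are used), and the subkey names in the offline demo are constructed.

```python
import datetime
import json
import sys

try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None

# Assumption: the standard Windows Uninstall locations; the post does not list them.
UNINSTALL_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Uninstall"),
]


def filetime_to_utc(filetime):
    """Convert a registry last-write time (100 ns ticks since 1601-01-01) to UTC."""
    epoch = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)
    return epoch + datetime.timedelta(microseconds=filetime // 10)


def snapshot():
    """Map 'HIVE\\path\\subkey' to its last-write FILETIME (Windows only)."""
    if winreg is None:
        raise RuntimeError("registry access requires Windows")
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for hive, path in UNINSTALL_KEYS:
        try:
            parent = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # location absent on this system
        with parent:
            for index in range(winreg.QueryInfoKey(parent)[0]):
                name = winreg.EnumKey(parent, index)
                try:
                    with winreg.OpenKey(parent, name) as sub:
                        snap[f"{hive}\\{path}\\{name}"] = winreg.QueryInfoKey(sub)[2]
                except OSError:
                    continue  # subkey not readable by this account
    return snap


def diff_snapshots(before, after):
    """Return subkeys that were added, removed, or rewritten between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys()
                           if before[k] != after[k]),
    }


if __name__ == "__main__":
    if winreg and len(sys.argv) == 3 and sys.argv[1] == "save":
        with open(sys.argv[2], "w") as fh:
            json.dump(snapshot(), fh)
    elif winreg and len(sys.argv) == 3 and sys.argv[1] == "compare":
        with open(sys.argv[2]) as fh:
            before = json.load(fh)
        now = snapshot()
        for kind, keys in diff_snapshots(before, now).items():
            for key in keys:
                when = filetime_to_utc(now[key]) if key in now else "-"
                print(kind, key, when)
    else:
        # Constructed snapshots: an updater rewrote one entry without a user install.
        old = {"HKLM\\Uninstall\\ExampleApp": 131056000000000000}
        new = {"HKLM\\Uninstall\\ExampleApp": 131056900000000000}
        print(diff_snapshots(old, new))
```

A "modified" entry whose timestamp sits just before the RulesPack32/64.exe start time in the ReHIPS log points at a program that updated its own Uninstall entry.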
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 19, 2016, 07:03:43 pm
Cyberfox 45.0.3
LastPass 3.3.1 (for Firefox)

Once again same issue.

If I use DeployHelper, then LastPass extension will never get loaded.

If I create the Isolated Environment manually, and tick "Copy User Data," then it gets loaded.
I looked into this issue. When you use DeployHelper, it creates a separate ReHIPSUser-oriented installation. So in order for it to use LastPass extension, you should install it into that instance of Cyberfox.
But ReHIPS release should already have initial rules for Cyberfox, so it should load all existing extensions.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 20, 2016, 10:19:09 pm
In ReHIPS alerts, "Block" = block & terminate correct ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 20, 2016, 10:23:02 pm
In ReHIPS alerts, "Block" = block & terminate correct ?
Yes, you're right.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 21, 2016, 12:13:55 am
I have been testing ReHIPS Trusted Command Lines by setting all system processes to Ask.

Everything appears to be working as expected.

Wildcard support working fine.

* * * * *

It will take 3 or 4 days of further testing.  If I find anything I will report it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 21, 2016, 12:58:29 am
How do you plan on handling critical Windows processes ?

Will you remove them from the GUI and hard code them - or leave them exposed with an additional guard against modification ?

* * * * *

Before you finalize the list of critical Windows processes can you let us beta testers take a look ?

SpyShelter made some mistakes in their hard coded allowed processes of which I am aware.  Other beta testers might detect potential problems as well.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 21, 2016, 01:02:17 am
Is it accurate to refer to ReHIPS' Isolated Environment as an access restriction enhanced limited user container ?

The reason I am asking is that some have asked me and, instead of a lengthy explanation, I am trying to use fairly clear terminology.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 21, 2016, 09:28:56 am
If I limit a program to open only in an isolated environment for USER, should I create the same rule also for SYSTEM ?

Wouldn't this be best practice for tighter security - or with the ReHIPS container it doesn't need to be done ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 21, 2016, 09:46:42 am
I am noticing some SYSTEM System32 and SysWOW64 rules are reverting to their default settings after I have modified\customized the rules.

Is this a feature ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 21, 2016, 09:50:42 am
If I limit a program to open only in an isolated environment for USER, should I create the same rule also for SYSTEM ?

Wouldn't this be best practice for tighter security - or with the ReHIPS container it doesn't need to be done ?
From my gui you can't run any system rules to run isolated. You can?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 21, 2016, 09:55:02 am
If I limit a program to open only in an isolated environment for USER, should I create the same rule also for SYSTEM ?

Wouldn't this be best practice for tighter security - or with the ReHIPS container it doesn't need to be done ?
From my gui you can't run any system rules to run isolated. You can?

You are correct.  No option available to do so for programs assigned to SYSTEM.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 21, 2016, 09:58:08 am
Anyway, I am also interested in what is the point of the system rules. I tried to find in the help file but failed unfortunately.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 21, 2016, 01:38:59 pm
How do you plan on handling critical Windows processes ?
Will you remove them from the GUI and hard code them - or leave them exposed with an additional guard against modification ?
* * * * *
Before you finalize the list of critical Windows processes can you let us beta testers take a look ?
We don't want to block anything completely from the user like we know it better than everyone else. So processes will definitely be exposed, maybe in Expert Mode only, maybe with some extra warnings on modification. It won't be included in the upcoming release, but it's in our TODO list. So when it's ready, active beta-testers will get the first look.

Is it accurate to refer to ReHIPS' Isolated Environment as an access restriction enhanced limited user container ?
Yes, I think so.

If I limit a program to open only in an isolated environment for USER, should I create the same rule also for SYSTEM ?
Wouldn't this be best practice for tighter security - or with the ReHIPS container it doesn't need to be done ?
SYSTEM user is for the most privileged programs only, like core Windows components and privileged services. Besides by default these programs are non-interactive. So it's unlikely that some graphical user-oriented program will ever be executed from SYSTEM user. Thus no rules are usually required for it. But even if it will be executed, standard ReHIPS alert will be shown, so you won't miss it. Also keep in mind that SYSTEM user has more strict security, it isn't allowed to isolate as only trusted programs should be executed, thus any initial rules that are allowed with isolation for other real users are block-rules for SYSTEM user.

I am noticing some SYSTEM System32 and SysWOW64 rules are reverting to their default settings after I have modified\customized the rules.
If you deleted some rules, they may be reinstalled, when RulesPack is executed (either on user request to Install Rules, or some program was installed/uninstalled, or some new user is logged-in). But if you have some rules in the database, RulesPack won't affect them in any way. And also modification of one rule doesn't affect any other rules, they're completely independent. So if it doesn't behave as intended, create a separate topic with detailed description and we'll look into this issue.

Anyway, I am also interested in what is the point of the system rules. I tried to find in the help file but failed unfortunately.
ReHIPS is designed to support different real users with different set of rules in case computer is used by different persons. SYSTEM user is a privileged built-in Windows user for privileged processes. So it's treated as a separate entity in terms of users with its own set of rules.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 22, 2016, 11:58:19 am


Here is one of those strange command lines:

taskhostw.exe $(Arg0)

This is the command line for starting a program via Task Manager.

Even though the command line is whitelisted in ReHIPS, executing a program via Task Manager will always generate a Sub-Program alert for this command line.

Any ideas ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 26, 2016, 06:04:58 pm
This is a bug. Should be fixed in the upcoming release.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 27, 2016, 12:42:03 am
I have been trying to open ReHIPS.xml.

I have tried opening as Admin, but ReHIPS.xml will always open as a blank page in Internet Explorer.

I have also tried as Admin using WPS xml editor - which also uses Internet Explorer - so same result.

* * * * *

I can open using WPS text editor and keep most of the xml formatting, copy & paste to notepad - so I found a workaround.

* * * * *

I don't want to open xmls as text file because it is just a jumbled mess in plain text editors.

* * * * *

Am I missing something when trying to use browser to open ReHIPS xml ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 27, 2016, 09:40:20 am
I have been trying to open ReHIPS.xml.

I have tried opening as Admin, but ReHIPS.xml will always open as a blank page in Internet Explorer.

I have also tried as Admin using WPS xml editor - which also uses Internet Explorer - so same result.

* * * * *

I can open using WPS text editor and keep most of the xml formatting, copy & paste to notepad - so I found a workaround.

* * * * *

I don't want to open xmls as text file because it is just a jumbled mess in plain text editors.

* * * * *

Am I missing something when trying to use browser to open ReHIPS xml ?
No clue about WPS but if you want to keep formatting use Notepad++ (start as admin), it works excellent. It even has a portable version
https://notepad-plus-plus.org/download/v6.9.1.html (https://notepad-plus-plus.org/download/v6.9.1.html)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 27, 2016, 09:53:34 am
I have been trying to open ReHIPS.xml.

I have tried opening as Admin, but ReHIPS.xml will always open as a blank page in Internet Explorer.

I have also tried as Admin using WPS xml editor - which also uses Internet Explorer - so same result.

* * * * *

I can open using WPS text editor and keep most of the xml formatting, copy & paste to notepad - so I found a workaround.

* * * * *

I don't want to open xmls as text file because it is just a jumbled mess in plain text editors.

* * * * *

Am I missing something when trying to use browser to open ReHIPS xml ?
No clue about WPS but if you want to keep formatting use Notepad++ (start as admin), it works excellent. It even has a portable version
https://notepad-plus-plus.org/download/v6.9.1.html (https://notepad-plus-plus.org/download/v6.9.1.html)

Thanks.  Notepad is useless as an editor.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 27, 2016, 09:55:14 am
Yeah it's good for nothing. Notepad++ on the other hand is very useful for me. Keeps formatting and all.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on April 30, 2016, 02:05:06 am
This is just a preliminary observation; I have to confirm.

I tested malware by downloading a malware pack to C:\ReHIPS on 14/4/2016.

I selected the various malware icons and chose right-click "Run isolated in ReHIPS."

At least three of them were ransomware and I am unsure of the classification of the others - since it was a quick test of the Isolated Environment.

On 28/4/2016 I noticed some essentially inert folders\files had been installed to data directories (e.g. ProgramData and AppData).

For example, there was a randomly named folder in C:\ProgramData and a Hitman Pro scan detected a generic trojan.  Some other partial or empty files were also found.

* * * * *

Has anyone performed any malware testing of right-click "Run isolated in ReHIPS" ?

Could it be that right-click "Run isolated in ReHIPS" allows some very fast drops to the real user directory ?

[NOTE:  I have seen this type of behavior with other security softs.]

* * * * *

I am just looking for any infos that might help before I proceed to further malware testing.

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 30, 2016, 06:05:43 am
I guess it is time to recreate my Virtual Machine ^^
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 30, 2016, 10:56:57 am
Running with right-click "Run isolated in ReHIPS" should be no different from Alert and Allow in isolated environment. And neither of them allows fast drops as process is restarted in isolated environment and is isolated from the very beginning of execution.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 30, 2016, 06:56:14 pm
I have been trying to open ReHIPS.xml.

I have tried opening as Admin, but ReHIPS.xml will always open as a blank page in Internet Explorer.

I have also tried as Admin using WPS xml editor - which also uses Internet Explorer - so same result.
I think this is because xml has several root elements and not just one as regular xmls do. I'll see what I can do.
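
The effect described in the post above, as an added example that is not part of the original post and not ReHIPS code: a strict XML parser rejects a file with several root elements, while wrapping the content in one synthetic root makes it readable and printable with indentation. The element and attribute names in the sample are constructed and are not the real ReHIPS.xml schema; `ET.indent` needs Python 3.9 or later.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample with two top-level elements (hypothetical names).
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Settings mode="Expert"/>
<Rules>
<Rule path="C:\\Program Files\\Example\\app.exe" action="Isolate"/>
</Rules>
"""

# An XML declaration is only legal at the very start of a document, so it has
# to be removed before the content is placed inside a wrapper element.
_DECLARATION = re.compile(r"^\s*<\?xml[^>]*\?>")


def strict_parse_error(text):
    """Return the strict parser's error message, or None if the text is well-formed."""
    try:
        ET.fromstring(text)
        return None
    except ET.ParseError as exc:
        return str(exc)


def parse_multi_root(text):
    """Return the list of top-level elements, whether the file has one root or many."""
    text = text.lstrip("\ufeff")  # drop a byte-order mark if the file had one
    try:
        return [ET.fromstring(text)]
    except ET.ParseError:
        pass  # not a single-root document; retry inside a synthetic root
    body = _DECLARATION.sub("", text, count=1)
    wrapper = ET.fromstring("<wrapper>" + body + "</wrapper>")
    return list(wrapper)


def pretty(text):
    """Re-serialise every top-level element with indentation for reading."""
    chunks = []
    for element in parse_multi_root(text):
        ET.indent(element, space="  ")
        chunks.append(ET.tostring(element, encoding="unicode").strip())
    return "\n".join(chunks)


if __name__ == "__main__":
    print("strict parser:", strict_parse_error(SAMPLE))
    print(pretty(SAMPLE))
```

The input is only read, never rewritten, so the original file keeps whatever layout the program that owns it expects.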
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on May 03, 2016, 12:58:31 am
I just want to confirm my understanding of ReHIPS isolated environment file access restrictions.

Most virtualization allows inter-process communications and all the programs run inside such a sandbox have full read access essentially to the entire real user file system and registry.

This is true even when running an application using Windows' very own LUA\SUA.

One of the primary advantages to using ReHIPS is that reads are re-directed and limited to ReHIPSUser. 

Even if a user selects "Copy User Data" for an isolated environment there is relatively little risk since real user data access has to be done specifically - and is not done generically across the entire file system.

In other words, SYSTEM and USER (ReHIPSUser) profiles are running simultaneously but ReHIPSUser activity is well isolated from SYSTEM.  In the case that a child program is run outside the isolated environment, it will inherit ReHIPSUser access rights and integrity level.

* * * * *

fixer - is all of this correct ?  I think my understanding is not correct.

* * * * *

Let's use a hypothetical example.

A browser is exploited.  The exploit enables fileless malware that searches the system for what softs are installed - e.g. browsers, host processes, etc.

The malware can create processes outside the isolated environment, so I assume it is able to read the file system.

There is a fine distinction that I think I am missing.

Please point out my errors...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 03, 2016, 12:47:42 pm
Let's take a look at possible cases and access rights.
Elevated admin. Maximum access rights, can read+write from everywhere across file system and registry.
Non-elevated admin=LUA. Slightly restricted read rights (some files may be SYSTEM read-only, but elevated admin can take the ownership and grant any access rights to itself and LUA can't do it, but there are few system locations like this+other users' profile folders and registry hives are also inaccessible) and restricted write rights (restricted for the same reason as reading is restricted, but there are significantly more locations, like Program Files, Windows, System32, etc and HKLM registry hive). But this user is vulnerable to LUA elevation and may become elevated admin.
Non-admin user=SUA. The same as LUA, but without elevation vulnerability for the cost of usability.
ReHIPS User. The same as SUA with further restrictions. If you take a closer look, you'll see that by default write access to most files and folders is granted to Authenticated users. And every logged-in user including LUA, SUA and ReHIPS User are Authenticated. ReHIPS turns this group in isolated programs token into deny-only. So no write access will be granted to them by that access control entry. And on top of that, several more filters are layered: network storages, removable media, CD/DVD/BD disks, unsecured filesystems (that don't support access rights like FAT). Besides SUA provides some kind of isolation to protect OS, but if you run all programs in SUA and keep all documents there, one exploited/rogue application will endanger all of them. And ReHIPS keeps different isolated environments isolated not just from OS and real user, but also from each other meaning for example browser gone haywire won't affect office documents in any way.
In other words, ReHIPS User has read access as SUA. And write access is limited to its profile folder and several folders that are explicitly allowed to write to by Windows (we're currently working on blocking write access there too).
If Copy User Data is checked, read access to the real user profile folder will be granted, it's recommended to use for compatibility purposes only during first start and then disable it.

If any isolated program is exploited, it can look for installed software as it's usually installed in Program Files and read access to it is granted. And even if you allow process creation without any isolation or allow parenting without any child inspection, every child process is subject to inheritance. In terms of security pretty much everything is inherited: token, access rights to any objects, including file system and registry, privileges, integrity level, etc. It means that any child process won't be able to escape isolation if parent process was isolated. And it's not just process creation, any action won't allow isolation escape, including task scheduling, some .NET modules registration, unusual host processes usage or some other stuff that is now popular to bypass other security software. Otherwise it's Windows vulnerability and will be patched by MS.
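The deny-only mechanism and the inheritance behaviour fixer describes above, as an added example (not ReHIPS code and not part of the original post): a simplified Python model of how Windows walks a DACL against a token. The two-bit access mask, the folder ACLs and the account names `StandardUser`, `ReHIPSUser1` and `ReHIPSUser2` are constructed for illustration; integrity levels, privileges and restricted SIDs are left out.

```python
from dataclasses import dataclass, replace

READ, WRITE = 0x1, 0x2            # constructed two-bit access mask
AUTH_USERS = "Authenticated Users"
USERS = "Users"


@dataclass(frozen=True)
class Ace:
    kind: str                     # "allow" or "deny"
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    user: str
    enabled: frozenset            # group SIDs usable for allow and deny ACEs
    deny_only: frozenset = frozenset()   # group SIDs usable for deny ACEs only

    def with_deny_only(self, *sids):
        """Copy of the token with the given groups flipped to deny-only."""
        moved = frozenset(sids) & self.enabled
        return replace(self, enabled=self.enabled - moved,
                       deny_only=self.deny_only | moved)

    def child(self):
        """A child process gets the parent's token unchanged (inheritance)."""
        return self


def access_check(token, dacl, desired):
    """Walk the DACL in order, the way the Windows access check does."""
    allow_sids = token.enabled | {token.user}
    all_sids = allow_sids | token.deny_only
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break
        if ace.kind == "deny":
            # Deny ACEs match every SID in the token, deny-only ones included.
            if ace.sid in all_sids and ace.mask & remaining:
                return False
        elif ace.sid in allow_sids:
            # Allow ACEs are honoured only for SIDs that are not deny-only.
            remaining &= ~ace.mask
    return remaining == 0


# Constructed ACLs, loosely shaped like a default Windows layout.
DACLS = {
    r"C:\Data": [Ace("allow", AUTH_USERS, READ | WRITE),
                 Ace("allow", USERS, READ)],
    r"C:\Program Files": [Ace("allow", USERS, READ),
                          Ace("allow", "Administrators", READ | WRITE)],
    r"C:\Users\ReHIPSUser1": [Ace("allow", "ReHIPSUser1", READ | WRITE)],
    r"C:\Users\ReHIPSUser2": [Ace("allow", "ReHIPSUser2", READ | WRITE)],
}

SUA = Token("StandardUser", frozenset({AUTH_USERS, USERS}))
ISOLATED = Token("ReHIPSUser1",
                 frozenset({AUTH_USERS, USERS})).with_deny_only(AUTH_USERS)


def evaluate(token):
    """Return {path: (can_read, can_write)} for every constructed folder."""
    return {path: (access_check(token, dacl, READ),
                   access_check(token, dacl, WRITE))
            for path, dacl in DACLS.items()}


if __name__ == "__main__":
    for name, tok in (("SUA", SUA), ("isolated", ISOLATED),
                      ("isolated child", ISOLATED.child())):
        print(name)
        for path, (r, w) in evaluate(tok).items():
            print(f"  {path:<24} read={r!s:<5} write={w}")
```

The isolated token keeps read access through `Users` but loses the write access that the `Authenticated Users` entry would otherwise grant, and a child created from it evaluates identically.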
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on May 03, 2016, 03:35:53 pm
@fixer Nice explanation, thanks.

I made some researches but wasn't satisfied enough from the result; maybe you can answer:

Does LUA + UAC at max tweaked to ask password would grant the same level of protection as SUA? (I know SUA use file/registry virtualization, I'm not sure for LUA)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 03, 2016, 04:19:43 pm
Does LUA + UAC at max tweaked to ask password would grant the same level of protection as SUA? (I know SUA use file/registry virtualization, I'm not sure for LUA)
It offers the same level of usability, including virtualization (as it's actually more usability than security feature). But it won't offer the same level of security. I'll quote from here https://technet.microsoft.com/en-us/magazine/2007.09.securitywatch.aspx
Quote
With Windows Vista, the idea is that users will run as standard user instead, and suddenly local privilege escalation issues become very interesting. Unfortunately, this is also where we run into some of the limitations of UAC. Remember, there is no effective isolation; there is no security boundary that isolates processes on the same desktop. The OS does include some protective measures to keep the obvious and unnecessary avenues of communication blocked, but it would be impossible and undesirable to block them all. Therefore, Microsoft does not consider breaches of that nonexistent security boundary to be security breaches. Mark Russinovich pointed out as much in a blog post at blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx.
Mark is totally correct. Microsoft is well aware of the fact that there is no security boundary between a low process and an elevated one on the same desktop. As there was never intended to be any isolation between processes on the same desktop, it really can't be called a security vulnerability when it is discovered that there is no isolation between processes on the same desktop. Obviously, that diminishes the value of UAC as a first-order mechanism for fighting malware, but it was not designed to be that anyway, despite what you might read in various places, including some from Microsoft.
In other words, UAC and LUA is not for security. And even if you max-out UAC, it won't be for security. Yes, they tried to block some bypassing ways, but if some other ways arise, they can freely refuse to patch it. So I wouldn't rely on UAC and LUA in terms of security.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on May 03, 2016, 06:24:50 pm
thanks for the article, it was really interesting.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on May 04, 2016, 02:20:02 am
HIPS = blocks execution of files on both real user and ReHIPSUser profiles (1st layer of protection)

Individual program Isolated Environments protect against (2nd layer of protection; deny-only & inheritance):

Exploit application poisoning (via containment)
Access to real user profile(s)
Access to another ReHIPSUser profile
Access to other partitions\drives
Unwanted inter-program communications
Compromised ReHIPSUser profile is deletable
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on May 04, 2016, 03:23:32 am
ReHIPS isolated environment seems - to me - to be similar in a lot of ways to modern UI apps run in their own AppContainers.

I know ReHIPS does not use AppContainer, but the general concepts seem the same.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 04, 2016, 11:30:04 am
ReHIPS isolated environment seems - to me - to be similar in a lot of ways to modern UI apps run in their own AppContainers.
I know ReHIPS does not use AppContainer, but the general concepts seem the same.
Yes, something like it. The system is also protected from AppContainers and they're protected from each other. But they're more secured by the cost of usability as they have to explicitly declare all the locations they need access to, so AppContainer software has to be coded to support this, you can't easily put any random program in AppContainer. As AppContainers are already secured, ReHIPS detects it and doesn't allow to isolate them.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 10, 2016, 01:17:33 am
Also i saw you have rules for adobe reader but not for Adobe Acrobat which i use(so PDF folder was not created). Might want to add those if you have the time.
Adobe Acrobat was added to the initial rules pack.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on May 12, 2016, 12:01:28 am
Are there any OS tweaks that you can think of that would mess with ReHIPS ?

The only thing I can think of is tampering with folder\file system permissions - and in that case it could mess up Windows itself and thereby ReHIPS.

In other words, any dependencies with services, permissions, etc shipped with Windows that shouldn't be messed with ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 12, 2016, 01:05:13 am
ReHIPS depends on some services like BFE for network access filtering. But it does so in a nice and documented way. Besides several standard services depend on it. Tampering with folder/file/registry system permissions shouldn't affect ReHIPS as it honors lack of access rights when changing permissions. It may mess the security up, but I wouldn't consider it a ReHIPS issue. Some other things that may mess with ReHIPS... hard to say. Service relies on some privileges, revoking them may make some things harder causing some errors, but it'll also affect all services including standard ones. Maybe some software that restricts new users creation. But I don't know why would I need such a software. So at the moment I can't think of some tweaks that would seriously mess with ReHIPS and wouldn't affect any other standard application/service as it was coded with minimal assumptions about environment avoiding any hardcodes.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on May 12, 2016, 01:26:18 am
ReHIPS depends on some services like BFE for network access filtering. But it does so in a nice and documented way. Besides several standard services depend on it. Tampering with folder/file/registry system permissions shouldn't affect ReHIPS as it honors lack of access rights when changing permissions. It may mess the security up, but I wouldn't consider it a ReHIPS issue. Some other things that may mess with ReHIPS... hard to say. Service relies on some privileges, revoking them may make some things harder causing some errors, but it'll also affect all services including standard ones. Maybe some software that restricts new users creation. But I don't know why would I need such a software. So at the moment I can't think of some tweaks that would seriously mess with ReHIPS and wouldn't affect any other standard application/service as it was coded with minimal assumptions about environment avoiding any hardcodes.

I generally disable all unneeded services - quite a lot like Retail Demo Mode, etc, uninstall most Windows Apps, disable all unneeded networking functionality - PnP, IPv6, IGMP, SMB 1.0, unnecessary firewall rules, etc - all that sort of rubbish.

All essential core Windows stuff I leave "As Is."

It should be OK... thanks fixer.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on May 22, 2016, 04:05:29 pm
I apologize if this has been asked or answered before. If I open Chrome, then open tabs, an information would come up saying that the number of allowed protected programs for the demo has reached.

Indeed, in the Isolated Programs, chrome.exe filled all the spots.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on May 22, 2016, 04:17:37 pm
I apologize if this has been asked or answered before. If I open Chrome, then open tabs, an information would come up saying that the number of allowed protected programs for the demo has reached.

Indeed, in the Isolated Programs, chrome.exe filled all the spots.
The free program has a limit of 10 programs if i am not mistaken. Chrome launches a new process per tab/extension so it might be that. So for now until the program is out to buy you might want to either use Firefox or have no extensions and less tabs to be below the limit.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on May 22, 2016, 04:20:27 pm
Thanks!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on May 22, 2016, 06:10:29 pm
While in isolated mode, laptop's own mouse cannot make any shortcuts like two-finger scroll, two-finger click, etc.
How do I configure that?
Again, I apologize if this has been asked or answered before. :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on May 22, 2016, 06:17:52 pm
While in isolated mode, laptop's own mouse cannot make any shortcuts like two-finger scroll, two-finger click, etc.
How do I configure that?
Again, I apologize if this has been asked or answered before. :)
You should take the program out of isolation mode and use learning mode for a while after install so all your programs get proper permissions but anw do you get a blocked msg or something when you do the two finger scroll? Go check logs when it happens.
To access them go in gui and click on advanced mode and you will see a blue tab above called log.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on May 22, 2016, 06:26:19 pm
There are no blocking messages or popups when I do those gestures. There are also no errors in the logs. I can see only allowed events.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on May 22, 2016, 06:37:16 pm
There are no blocking messages or popups when I do those gestures. There are also no errors in the logs. I can see only allowed events.
Did you try learning mode? If yes and with no result devs will need more info on how to reproduce the issue.
For example what program is responsible for  two-finger scroll, two-finger click and with what settings did you allow it. I know that on dell laptops it's DellTpad and on Asus it's Asus smart gesture and if you allow it you can do them. I just tested.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on May 22, 2016, 07:00:13 pm
I already tried Learning mode, but the gestures still wouldn't work.
Okay, I will provide details.

Edit:
I have Alps Pointing Device.
Specific laptop model is HP Pavilion 14-v241tx.

Also, to be more transparent, I run many security programs. :D
These are: ZAM Premium, HMP.A, AppGuard, ESS 9, and CryptoPrevent. You can also count Rollback RX 10 Professional. :D
Of course, I did the standard exclusion of ReHIPS.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on May 22, 2016, 07:28:45 pm
Ok try this. The program should be digitally signed by alps electric co. ltd so add that in trusted vendors and set the protection mode to Standard.
Btw i assume you use version 2.1.0 because you said isolation mode. Am i correct?
A good idea is to also go in Settings- Programs- click on your windows name or system and type Apntex.exe. You should have a rule for it and tell me the settings.

About the other programs you need to add hipsagnt64.exe, hipsgui64.exe, hipsservice64.exe to power applications of appguard. Also if i am right about using 2.1.0 it's not compatible with HMP.A and it was fixed on version 2.2.0.
About the rest of your programs i have no clue but someone might be able to give you some info. In general when beta testing too much programs is not such a good idea.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on May 22, 2016, 07:58:35 pm
These are: ZAM Premium, HMP.A, AppGuard, ESS 9, and CryptoPrevent. You can also count Rollback RX 10 Professional. :D
Of course, I did the standard exclusion of ReHIPS.

About the other programs you need to add hipsagnt64.exe, hipsgui64.exe, hipsservice64.exe to power applications of appguard. Also if i am right about using 2.1.0 it's not compatible with HMP.A and it was fixed on version 2.2.0.
About the rest of your programs i have no clue but someone might be able to give you some info. In general when beta testing too much programs is not such a good idea.

- ZAM : shouldn't give issues, it is just a scanner
- HMPA : latest versions are indeed incompatible with v2.1.0
- Appguard : i used to put all ReHIPS processes in Power apps
- ESS & cryptoprevent: no idea
- RX : no issue

Honestly Xhen, you have way too many security apps. ReHIPS + Appguard + HMPA will block almost everything, the rest are not necessary.

To do proper beta-testing , you must reduce redundant apps , since ReHIPS is a mix of HIPS & Sandbox , using other HIPS or sandboxes at same time may cause incompatibilities, and make the solving of issues more difficult.

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on May 23, 2016, 04:22:59 am
Thanks, umbra and aDVll!

I actually have 2.2.0. When I said "isolation mode" it was actually said generally. I didn't know that it could refer to 2.1.0. :D
Good advice, umbra! I installed it on my production machine to see and eventually report any apparent issues with other software. I guess this was not a good idea. Anyway, I have a VM. I will test ReHIPS later on that.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on May 23, 2016, 08:24:52 am
If you are going to use the real user profile to launch exploitable apps, then I would use AppGuard and\or HMP.A.

Using the real user profile to execute any unknown\untrusted programs is just plain asking for trouble.

A lot of security soft protections will not work in ReHIPSUser profile -- because those softs do not support multiple active user profiles; their protections will work for C:\Users\User but not C:\Users\ReHIPSUser.  A case in point is AppGuard.  Guarded Apps work for the real user, but all ReHIPS isolated apps are launched Un-Guarded.

All I can say is that it depends upon how you use the real user profile (desktop).

That being said, if you use ReHIPS as recommended, then you really have no need to use anything else.  For best real user profile protection, I recommend AppGuard.

The AppGuard + ReHIPS combo = software restriction policy + non-hook HIPS, command line monitoring, program containment with restricted file system and registry access, and network access control (for isolated apps).

If you keep all exploitable, network facing apps isolated from each other -- it is as good security as you can get without making your security config a whole lot less user-unfriendly.

* * * * *

I really tried to mess with the real user file system and registry from inside an isolated environment, but could not succeed.

I am confident in ReHIPS' ability to protect system.  A few recommended improvements - like earlier GUI startup and auto-delete ReHIPSUser - will make it even better.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 23, 2016, 12:42:17 pm
XhenEd
If your issue still persists, I think it's better to create a new topic to solve it. And several questions regarding this issue.
1. Try to disable ReHIPS. Does it persist?
2. If 1 is no, but it persists if you turn ReHIPS back on, my guess it's about some processes being blocked/executed in isolation, I'll need log.
3. If 1 is yes, try to disable ReHIPS service by typing "net stop ReHIPSSrvc" in cmd. (type "net stop ReHIPSService" to turn it back on later) [and yes, services names are a bit different, it's not a typo] Does it persist?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on May 26, 2016, 04:44:55 pm
Hello again!

This is just a guess, but I think the reason why my laptop's own mouse wouldn't work was because I interrupted (closed) the initial installation of ReHIPS' own rules. I closed the cmd.exe because it already took around a minute while seemingly doing nothing.

In my VM, however, I decided to not interrupt it. As expected, it took longer to finish. But, it finished! I just had to wait. Nevertheless now, mouse gestures work at least in my VM. But of course, it might be because of security software installed. But at least mouse gestures now work! :D

So just a humble suggestion, maybe you can put a sentence reminding users to not close the initial installation of rules. In this way, users like me wouldn't close the cmd.exe.

Also, to clarify, my issue about mouse gestures (which is now gone, yay!) was when Pale Moon was inside ReHIPS' isolated environment. Mouse gestures always worked when Pale Moon wasn't inside that. :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on May 26, 2016, 06:40:30 pm
on my machine, initial rules installing took 4-5mn
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on May 26, 2016, 06:45:31 pm
This is just a guess, but I think the reason why my laptop's own mouse wouldn't work was because I interrupted (closed) the initial installation of ReHIPS' own rules. I closed the cmd.exe because it already took around a minute while seemingly doing nothing.

It's a confirmed bug. Sometimes it takes seconds and sometimes it takes minutes. Devs will fix it given time.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 27, 2016, 03:06:16 am
So just a humble suggestion, maybe you can put a sentence reminding users to not close the initial installation of rules. In this way, users like me wouldn't close the cmd.exe.
Thanks for your suggestion, we'll think how to do it.
But I don't think this is the culprit as rules are reinstalled if they weren't installed successfully at the first time.
If gestures don't work in isolated environments, it'd be better to create a new topic to find out the root of the problem. My best guess is they're not supported on isolated desktops. Do they work in isolated program that is executed on the main desktop?
And to be sure: you have notebook with touchpad and gestures are provided by some standard preinstalled application bundled with notebook?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: SparknLight on May 27, 2016, 08:28:00 pm
Hello,

In the Settings->Programs window, the "Reset to Defaults" still grey, so never tested in my side.
A reset/default button, for each Program and their "Objects Permissions" and "Privileges" could be useful.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on May 27, 2016, 08:49:43 pm
Hello,

In the Settings->Programs window, the "Reset to Defaults" still grey, so never tested in my side.
A reset/default button, for each Program and their "Objects Permissions" and "Privileges" could be useful.
Reset to default work only on the rest of the tabs but not programs. Good suggestion about the extra buttons. I am sure devs will consider it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 27, 2016, 08:59:42 pm
Other settings are quite easy to reset to default, there are just a bunch of checkboxes with some default values. But Programs, they aren't this easy. So Reset to Defaults button is always disabled for this tab for now. But we have some plans for it, so we didn't remove this button. Resetting to defaults for isolated environment access rights and permissions, it's an interesting idea, we'll think about it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 09, 2016, 04:09:13 pm
maybe you can put a sentence reminding users to not close the initial installation of rules. In this way, users like me wouldn't close the cmd.exe.
Added some output on lengthy operations to indicate that it's not hang, but working.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Mr.X on June 09, 2016, 04:27:57 pm
Speaking of initial rules, can they be tweaked according user choice after initial installation of them?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 09, 2016, 04:34:50 pm
Speaking of initial rules, can they be tweaked according user choice after initial installation of them?
If you mean if you can change the initial rules then yes. If a rule is present the rule pack will not affect them. They will stay as you set them up.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Mr.X on June 09, 2016, 04:55:47 pm
If you mean if you can change the initial rules then yes. If a rule is present the rule pack will not affect them. They will stay as you set them up.
So if I click on Install Rules on main GUI and they are re-run again my customized settings are not set back to default initial rules, correct?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 09, 2016, 04:58:34 pm
If you mean if you can change the initial rules then yes. If a rule is present the rule pack will not affect them. They will stay as you set them up.
So if I click on Install Rules on main GUI and they are re-run again my customized settings are not set back to default initial rules, correct?
Correct. If a rule is present it doesn't get overwritten.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Mr.X on June 09, 2016, 05:12:40 pm
Correct. If a rule is present it doesn't get overwritten.
Fine, thanks. Anyway I believe there should be a confirmation msgbox every time we click on Install Rules. Sometimes I accidentally click on it and Exe Radar Pro warns about it then I block it but the process goes into an infinite loop of block and auto-run which makes me to restart the machine, otherwise I have to allow to Install Rules once again, no good for me.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 09, 2016, 05:15:41 pm
Correct. If a rule is present it doesn't get overwritten.
Fine, thanks. Anyway I believe there should be a confirmation msgbox every time we click on Install Rules. Sometimes I accidentally click on it and Exe Radar Pro warns about it then I block it but the process goes into an infinite loop of block and auto-run which makes me to restart the machine, otherwise I have to allow to Install Rules once again, no good for me.
it's already confirmed install button will be moved in the next release. It was suggested by umbrapolaris a while back and devs said they will do it.
https://forum.re-crypt.com/index.php?topic=2105
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Mr.X on June 09, 2016, 05:21:16 pm
it's already confirmed install button will be moved in the next release. It was suggested by umbrapolaris a while back and devs said they will do it.
https://forum.re-crypt.com/index.php?topic=2105
Ah yes, thank you so much.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 09, 2016, 05:43:23 pm
it's already confirmed install button will be moved in the next release. It was suggested by umbrapolaris a while back and devs said they will do it.
https://forum.re-crypt.com/index.php?topic=2105
Ah yes, thank you so much.
No worries.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 10, 2016, 04:59:47 am
I'm not sure if these behaviors are intended. I use the browser as a model. These might apply also to other programs.

1. When the browser is within the isolated account, and it is restarted (i.e. by add-on request, etc.), the browser closes and will not come back, unless it is started by the user again.

2. If the browser is already open in the isolated account, then I switched to the main account, and then open the browser again using its shortcut in the main account, it would say "Pale Moon is already running..." and then closes.


For the second item, I suggest that the program within the isolated account should be called. And so, if clicking the shortcut in the main account happens, the browser that is already open within the isolated account should be opened again. It should be like restoring a minimized program.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 10, 2016, 11:23:34 am
1. When the browser is within the isolated account, and it is restarted (i.e. by add-on request, etc.), the browser closes and will not come back, unless it is started by the user again.
Can you tell how to reproduce it, so I could take a look into it.

2. If the browser is already open in the isolated account, then I switched to the main account, and then open the browser again using its shortcut in the main account, it would say "Pale Moon is already running..." and then closes.
This is browser behavior, it was coded to do so. I don't think ReHIPS can affect it in any way.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 10, 2016, 11:32:02 am
I'm not sure if these behaviors are intended. I use the browser as a model. These might apply also to other programs.

1. When the browser is within the isolated account, and it is restarted (i.e. by add-on request, etc.), the browser closes and will not come back, unless it is started by the user again.

Tried with Firefox and this and it restarted just fine.
https://addons.mozilla.org/en-US/firefox/addon/re-start/
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 10, 2016, 03:13:00 pm
It is really weird that restart is not working properly with my ReHIPS.

All settings of ReHIPS is default except the inclusion of Pale Moon to be launched automatically to its isolation.
I use Pale Moon 64-bit. OS is Windows 10 64-bit (Enterprise Evaluation Copy).
I tried to restart with Lastpass' installation and with the re-start add-on given by aDVll. But every restart just closed the isolated desktop. I waited for awhile, but it really wasn't launching again. It only launched back when I open the browser, and the installation of Lastpass was successful.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 10, 2016, 03:14:59 pm
It is really weird that restart is not working properly with my ReHIPS.

All settings of ReHIPS is default except the inclusion of Pale Moon to be launched automatically to its isolation.
I use Pale Moon. OS is Windows 10 64-bit. Evaluation copy.
I tried to restart with Lastpass' installation and with the re-start add-on given by aDVll. But every restart just closed the isolated desktop. I waited for awhile, but it really wasn't launching again. It only launched back when I open the browser, and the installation of Lastpass was successful.
Give me a few min to try with Pale Moon. Maybe that is the problem. Tell me what version you use so I can try the same?
Found Pale Moon 26.2.2 with 32 or 64 bit. Tell me what to get.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 10, 2016, 03:18:53 pm
I use 64 bit.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 10, 2016, 03:23:04 pm
Just tried with latest Windows 10 64-bit, Pale Moon 64-bit and the extension I linked you and it worked :S
Maybe you use some other software that blocks something?
Also what rules did you make for pale moon to have exactly the same?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 10, 2016, 03:25:02 pm
 :( :( :(
No. This Guest OS just got a reset. After reset, only Guest Additions, Pale Moon, and ReHIPS were installed.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 10, 2016, 03:26:27 pm
Ok show me the rules you made so it runs isolated and with what permissions to make sure we have the same stuff.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 10, 2016, 03:27:12 pm
How may I do that?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 10, 2016, 03:30:24 pm
Settings, programs, expand the Windows username, find Palemoon rules, double click, expand the menu with the arrows at the bottom and show me the second tab called permissions.
This or go to logs and click palemoon.

Never mind, I figured it out. Go to the permissions and deselect Use Different Desktop and DESKTOP_HOOKCONTROL. Now it should work.
Problem is that it doesn't restart when on a different desktop. Will make a bug topic so devs can check it out and also make default rules for palemoon.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 10, 2016, 03:33:30 pm
That setting is also the exact setting for Pale Moon.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 10, 2016, 03:35:02 pm
Check my edit. I explained to you what to do to solve your problem. It's how you made the rule and possibly even a bug.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 10, 2016, 03:38:23 pm
Yes! It worked!
Thanks for the help, aDVll!

Also, I just noticed the red border now. Didn't see that yet, until now. :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 10, 2016, 03:39:43 pm
Glad you solved it. Hopefully in the future Palemoon will have default rules as they should be.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 10, 2016, 03:40:59 pm
But, with that de-selection of options for Pale Moon, does it mean lesser protection for it?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 10, 2016, 03:44:47 pm
No. When hook control is off then different desktop can be off. The reason that both are selected when creating rules is that a lot of programs don't work without hook control. So to avoid people being mortified that it doesn't work, it's better to have both selected by default so that at least it works. Less convenience on a different desktop but it will work 100%.
In the browser's case, hook control is usually not needed, so you can disable both, as you saw with Palemoon just now.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 10, 2016, 03:47:06 pm
Okay, got it! Thanks!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 10, 2016, 09:07:04 pm
I looked into Firefox restart issue. Firefox restarts itself by starting its process and exiting. But when it starts process, winsta0/default is explicitly set as window station and desktop. But it's meant to be executed on isolated desktop and has no access rights to the main default desktop. So this new process is started and immediately terminated as it can't access desktop. So it's Firefox bug (feature?), that it's ignorant of other desktops, and ReHIPS can do nothing about it. Fortunately latest Firefox versions don't need HOOK_CONTROL access right and may be executed on main desktop.
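The restart failure described in the post above comes down to the value a launcher places in STARTUPINFO.lpDesktop when it starts its replacement process. The following C program is an added example, not code from ReHIPS, Firefox or Pale Moon; the desktop name IsolatedDesk and all function names are constructed for illustration, and the Win32 calls are compiled only on Windows.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Window station and desktop names are matched without regard to case. */
static int names_equal(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Work out the "winsta\desktop" a child process is attached to.
 * parent_spec: the parent's own "winsta\desktop".
 * lp_desktop:  the value the launcher stores in STARTUPINFO.lpDesktop.
 * Returns 0 on success, -1 if it cannot be resolved from these inputs. */
static int resolve_child_desktop(const char *parent_spec, const char *lp_desktop,
                                 char *out, size_t out_len)
{
    const char *sep;
    int n;

    if (lp_desktop == NULL) {
        /* NULL: the child inherits the parent's window station and desktop. */
        n = snprintf(out, out_len, "%s", parent_spec);
    } else if (lp_desktop[0] == '\0') {
        /* Empty string: the system chooses, so nothing can be predicted here. */
        return -1;
    } else if (strchr(lp_desktop, '\\') != NULL) {
        /* A backslash means window station and desktop are both named. */
        n = snprintf(out, out_len, "%s", lp_desktop);
    } else {
        /* Desktop name only: keep the parent's window station. */
        sep = strchr(parent_spec, '\\');
        if (sep == NULL)
            return -1;
        n = snprintf(out, out_len, "%.*s\\%s",
                     (int)(sep - parent_spec), parent_spec, lp_desktop);
    }
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* 1 if a relaunch with this lpDesktop stays on the parent's desktop, else 0. */
static int restart_stays_on_desktop(const char *parent_spec, const char *lp_desktop)
{
    char child[256];

    if (resolve_child_desktop(parent_spec, lp_desktop, child, sizeof child) != 0)
        return 0;
    return names_equal(parent_spec, child);
}

#ifdef _WIN32
/* Read the calling thread's real "winsta\desktop". Returns 0 on success. */
static int current_desktop_spec(char *out, size_t out_len)
{
    char ws[128], dt[128];
    DWORD needed = 0;
    HWINSTA hws = GetProcessWindowStation();
    HDESK hdt = GetThreadDesktop(GetCurrentThreadId());
    int n;

    if (!hws || !hdt)
        return -1;
    if (!GetUserObjectInformationA(hws, UOI_NAME, ws, sizeof ws, &needed))
        return -1;
    if (!GetUserObjectInformationA(hdt, UOI_NAME, dt, sizeof dt, &needed))
        return -1;
    n = snprintf(out, out_len, "%s\\%s", ws, dt);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Desktop-aware relaunch: lpDesktop stays NULL so the child inherits. */
int relaunch_inheriting_desktop(char *cmdline)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;

    ZeroMemory(&si, sizeof si);
    si.cb = sizeof si;
    si.lpDesktop = NULL;
    if (!CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        return -1;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#endif

int main(void)
{
    const char *parent = "WinSta0\\IsolatedDesk"; /* constructed sample name */
#ifdef _WIN32
    char here[256];

    if (current_desktop_spec(here, sizeof here) == 0)
        printf("this thread runs on %s\n", here);
#endif
    printf("lpDesktop = NULL:             stays = %d\n",
           restart_stays_on_desktop(parent, NULL));
    printf("lpDesktop = winsta0\\default:  stays = %d\n",
           restart_stays_on_desktop(parent, "winsta0\\default"));
    return 0;
}
```

A process that is already on the default desktop passes the second check, which is why the same restart works once the rule no longer uses a different desktop.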
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 11, 2016, 03:14:21 am
@fixer

Do you mean Pale Moon? It's based on Goanna engine now, a fork of Gecko engine 2x.x version.
I thought Firefox works well because you didn't experience the restart issue earlier.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 11, 2016, 03:54:29 am
2. If the browser is already open in the isolated account, then I switched to the main account, and then open the browser again using its shortcut in the main account, it would say "Pale Moon is already running..." and then closes.
This is browser behavior, it was coded to do so. I don't think ReHIPS can affect it in any way.

I actually meant the shortcut in the taskbar, so that clicking it will be like restoring a minimized program. I was thinking that it should just open the isolated browser, rather than anything else. But if this is not possible or just impractical, I'm still okay with that. ;)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 11, 2016, 09:50:17 am
@fixer

Do you mean Pale Moon? It's based on Goanna engine now, a fork of Gecko engine 2x.x version.
I thought Firefox works well because you didn't experience the restart issue earlier.
Firefox was running on the same desktop as you made Palemoon do later, that's why it was restarting.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 11, 2016, 10:56:21 am
Ah, so, by default rules of ReHIPS, Firefox is running without those options like separate desktop?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 11, 2016, 10:59:22 am
Correct. Palemoon will do the same on next version. It was added in the database.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 11, 2016, 11:03:20 am
Okay, got it now!  :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 11, 2016, 12:43:19 pm
I actually meant the shortcut in the taskbar, so that clicking it will be like restoring a minimized program. I was thinking that it should just open the isolated browser, rather than anything else. But if this is not possible or just impractical, I'm still okay with that. ;)
Do you mean taskbar shortcuts for programs next to start button? Just to be sure. When you click this shortcut, a new instance of PaleMoon is started. If it should be executed in isolation, then this new instance is started in isolation. And then it's up to PaleMoon what to do. If it's configured to execute on the main desktop, it discovers that the first instance is already running and uses window messages to communicate with it, everything goes fine and it continues execution. If it's configured to execute on a separate isolated desktop, it discovers that the first instance is already running and tries to communicate with it using window messages, but they're on different desktops, communication fails, and it shows the error message "Pale Moon is already running...". So this is PaleMoon behavior. As a workaround you can execute it on the main desktop with HOOK_CONTROL access right disabled.
BTW I added PaleMoon to the RulesPack.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 11, 2016, 12:55:43 pm
Thanks for the explanation! Now I get it.
Yes, I meant the pinned taskbar icons.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 13, 2016, 12:15:35 pm
I would also like to report that mpc-hc 64-bit has no rule. As far as I can remember, rules pack only has the 32-bit because it would say that mpc-hc is not present, although it is, just 64-bit. I don't know the rules for mpc-hc 32-bit, and so I can't make a wise decision about its settings for 64-bit.

That said, I would request that mpc-hc 64-bit be made a rule, and that the rules pack be readily made available to read for re-evaluation by the user afterwards.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 13, 2016, 12:33:07 pm
Not all programs have rules. It's not a matter that your mpc is 64 bit. Devs just didn't have the chance to add rules for the specific program.
Just add a rule manually. It should be pretty simple.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 13, 2016, 01:23:14 pm
I know. The problem is I don't have an informed choice about what options to check/uncheck. Maybe checking or unchecking will expose loopholes or problems of usability. So, I want to have a model for this. The rule for mpc-hc 32-bit should have been my model, but I don't know its settings.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 13, 2016, 01:44:26 pm
Give me 10 minutes, I will check what works and tell you.

EDIT: Program needs hooks to work so you have to enable that and different desktop. Btw I blocked subprograms because in the few minutes I tried it mpc didn't ask to launch anything, but if you see any blocks related to subprograms change it to allow. Also had network access off, but if you wish put it on so you can update.

http://i.imgur.com/R9wnOqA.png
http://i.imgur.com/frpPTXj.png

EDIT: If you use something like madvr or lav filter you might have to put those in the same isolated environment so they properly work and also allow the program to launch them (I have it blocked with my settings). Didn't test because you didn't mention that you used any.

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 13, 2016, 03:06:56 pm
Thank you, aDVll!  :D
I will try your suggested options.  :D
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 13, 2016, 05:51:16 pm
All good?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 13, 2016, 06:09:10 pm
It's fine. It's working.
But I decided to not put in a sandbox. Maybe it's not designed to be in one.
Volume wouldn't work. There was sound, but the volume couldn't be changed. I tinkered with the settings, but it wouldn't work.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 13, 2016, 06:26:08 pm
Weird. I can change sound normally when isolated with the settings I gave you.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Mr.X on June 13, 2016, 06:29:20 pm
Fwiw, volume is working here.
Same architecture, same ReHIPS settings.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 13, 2016, 06:31:43 pm
It's fine. It's working.
But I decided to not put in a sandbox. Maybe it's not designed to be in one.
Volume wouldn't work. There was sound, but the volume couldn't be changed. I tinkered with the settings, but it wouldn't work.
weird. I can change sound normally when isolated with the settings i gave you.
I mean the master volume, not mpc-hc's volume control. I could change the program's volume through its own volume control, but when it comes to the main/master volume control, I couldn't when inside the isolated desktop.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Mr.X on June 13, 2016, 06:33:12 pm
Also master working here...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 13, 2016, 06:35:13 pm
When inside the isolated desktop, using only the keyboard shortcuts?

 :(
Maybe this is similar to gesture issue. :(
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Mr.X on June 13, 2016, 07:05:25 pm
Within isolated desktop:
I'm able to mute (Ctrl + m) or Vol + or - (arrow keys Up and Down) to slide MPC-HC control.

If you are talking about Windows master volume I don't even know any key strokes for sliding it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 13, 2016, 07:08:46 pm
I mean the master volume, not mpc-hc's volume control. I could change the program's volume through its own volume control, but when it comes to the main/master volume control, I couldn't.
Also master working here...
When inside the isolated desktop, using only the keyboard shortcuts?

 :(
Maybe this is similar to gesture issue. :(
@Mr.X I think @XhenEd means the pc volume not the application volume and yes it doesn't seem to work.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 13, 2016, 07:11:32 pm
Yes, I meant the pc volume. I could change the volume through the program's control or its keyboard shortcuts, but when I press keyboard shortcuts for the main pc volume, the volume wouldn't change.

Thanks for confirming, aDVll!  :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 13, 2016, 07:16:06 pm
It's because it's on another desktop and it's for all applications doing that. Now if it's a bug or for security I don't know. Will ask fixer.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 13, 2016, 08:22:23 pm
I'll add RulesPack rules for mpc-hc 64-bit.
About master volume, my best guess is that volume control application that registers shortcuts and controls volume works only at the main default desktop. But not sure, will check it. What application do you use for this? As default Windows volume control doesn't seem to support shortcuts.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Mr.X on June 13, 2016, 08:26:03 pm
As default Windows volume control doesn't seem to support shortcuts.
True. A quick read a few moments ago someone said there's need for tweaks...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 13, 2016, 08:39:06 pm
I'll add RulesPack rules for mpc-hc 64-bit.
About master volume, my best guess is that volume control application that registers shortcuts and controls volume works only at the main default desktop. But not sure, will check it. What application do you use for this? As default Windows volume control doesn't seem to support shortcuts.
You need a multimedia keyboard or a laptop, I believe. That is how I tested.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 13, 2016, 08:50:55 pm
If it's not native, I guess it's supported by some software similar to gestures support. That's why the same issue arises here. But I'll take a closer look once I get the exact software name.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 14, 2016, 12:07:14 am
I am unsure whether or not this is an unexpected behaviour when I launch Internet Explorer (Windows 10) should ReHips automatically switch me to the isolated environment which Internet Explorer operates within.  As I have to manually click on the ReHips gadget to switch to Internet Explorer?

Also if I click on an email via windows mail (Windows 10) should the screen briefly go blank and received an error message unable to open ......., but when I switch manually to the isolated environment the email link has been successfully loaded?   
Title: Competitor product is blocked now.
Post by: Mr Cryptor on June 14, 2016, 02:23:50 am
I'm not able to use Sandboxie (SBIE) program now with first deployment of ReHIPS (first time using ReHIPS).
Have you blocked SBIE or similar competitor products from running after installing your product ReHIPS?
I would like both yours and SBIE's running without conflict. How can we arrange that?

Firefox Browser
Windows 8.1
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 14, 2016, 02:32:24 am
If it's not native, I guess it's supported by some software similar to gestures support. That's why the same issue arises here. But I'll take a closer look once I get the exact software name.
It's Realtek.
It has 4 processes running: 2 HD Audio Background Process, Realtek Audio Service, Realtek HD Audio Manager.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on June 14, 2016, 05:01:36 am
I am unsure whether or not this is an unexpected behaviour when I launch Internet Explorer (Windows 10) should ReHips automatically switch me to the isolated environment which Internet Explorer operates within.  As I have to manually click on the ReHips gadget to switch to Internet Explorer?

Also if I click on an email via windows mail (Windows 10) should the screen briefly go blank and received an error message unable to open ......., but when I switch manually to the isolated environment the email link has been successfully loaded?

You can't run Sandboxed browser inside the ReHIPS isolated environment (ReHIPSUser) -- if that's what you're trying to do.

Besides, double isolation would be pointless since ReHIPS provides all the isolation mechanisms required for high security.

To do it, you have to give access rights to C:\Sandbox (default) or wherever you created the Sandboxie sandbox file path.

There might be other file system and registry access rights needed for it to work.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on June 14, 2016, 06:26:28 am
I am unsure whether or not this is an unexpected behaviour when I launch Internet Explorer (Windows 10) should ReHips automatically switch me to the isolated environment which Internet Explorer operates within.  As I have to manually click on the ReHips gadget to switch to Internet Explorer?

I don't know about IE, I don't use it, but Chrome is run sandboxed (you have the red outline).

Quote
Also if I click on an email via windows mail (Windows 10) should the screen briefly go blank and received an error message unable to open ......., but when I switch manually to the isolated environment the email link has been successfully loaded?

I think Windows Apps (Edge, Mail, Weather, etc...) are not supported, since they run in AppContainer (Windows' own sandbox) which is a deeper integrity level than ReHIPS or Sandboxie.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on June 14, 2016, 06:29:39 am
Windows Apps and Edge are not supported for use in ReHIPSUser.

As Umbra explained, they run in AppContainer.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 15, 2016, 12:44:13 am
I am unsure whether or not this is an unexpected behaviour when I launch Internet Explorer (Windows 10) should ReHips automatically switch me to the isolated environment which Internet Explorer operates within.  As I have to manually click on the ReHips gadget to switch to Internet Explorer?
If a new program is started in isolated environment on a separate isolated desktop, ReHIPS should autoswitch to that desktop. But it also switches back to the main desktop if isolated desktop has no visible windows for some time. Does it persist with other programs or just with IE? Haven't seen anything like it and truth to tell have no idea why it may happen. Could you explain it with more details, how to reproduce this issue? Maybe make a video?

Also if I click on an email via windows mail (Windows 10) should the screen briefly go blank and received an error message unable to open ......., but when I switch manually to the isolated environment the email link has been successfully loaded?
Looks like something strange. Could you describe it step-by-step so I could reproduce and check this issue?

Have you blocked SBIE or similar competitor products from running after installing your product ReHIPS?
I would like both yours and SBIE's running without conflict. How can we arrange that?
No, we don't block any software just because they're our competitors. And I can tell with all the responsibility we never will. Most likely you're trying to isolate the same application by both products, ReHIPS and Sandboxie. Like umbra said here https://forum.re-crypt.com/index.php?topic=2427.msg4496#msg4496 that's superfluous and I'm not sure that's supported at all.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 15, 2016, 05:59:32 am
Thank you fixer for your interest regarding the Unexpected Behaviours I have posted. I have PM'd you regarding sending you an email so I can attach screenshots, log etc. to you, as I do not know the ReHIPS Support email address.

I have discovered an issue at times when launching Internet Explorer in the isolated desktop environment that the Norton Internet Security add-on fails to appear. I have provided screenshots when the NIS add-on is present and missing from IE.

Also I have just discovered another issue regarding Internet Explorer loading normally (not in an isolated desktop environment). If you press Windows key and G, you get the Xbox games recorder. As my testing laptop is 5 years old, it does not support this feature and I receive an error message - "Sorry this pc doesn't meet the hardware requirements for recording clips learn more". If I click on learn more, Internet Explorer is launched normally - not within the isolated desktop. Should this happen? Screenshot provided in post.

Also I have not tested yet, but Internet Explorer launching and not auto switching to the isolated desktop, which I mentioned in my previous post, could be the result of Malwarebytes Anti-Exploit free. Not sure as yet; when I have time I shall test.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 15, 2016, 05:06:52 pm
MalwareBytes Anti-Exploit uninstalled makes no difference to IE not autoswitching to ReHIPS isolated desktop environment.  Not sure but it could be conflict with Norton Security? add-on not sure will test as soon as able.

Thank you both HJLBX & umbrapolaris for your comments regarding these issues.

HJLBX - Sorry but I am not using Sandboxie with ReHIPS, I see no point using Sandboxie with ReHIPS.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 15, 2016, 09:54:49 pm
I have discovered an issue at times when launching Internet Explorer in the isolated desktop environment that Norton Internet Security add fails to appear.  I have provided screenshots when NIS add-on is present and missing from IE.
I'll try to reproduce this and come back with more info later. Though not sure if I succeed, I remember last time I failed to install NIS at all.

Also I have just discovered another issue regarding Internet Explorer loading normally (not in an isolated desktop environment).  If you press windows key and g ,you get the xbox games recorder as my testing laptop is 5 years old does not support this feature and I receive an error message - "Sorry this pc doesn't meet the hardware requirements for recording clips learn more"  if I click on learn more Internet Explorer is launched normally - not within the isolated desktop? should this happen?  screenshot provide in post.
Internet Explorer is started by some other application. I guess this application is allowed to start other processes without inspection. So IE is not expected and just started with rights and privileges of its parent, that is non-isolated. So it's OK.

Not sure but it could be conflict with Norton Security? add-on not sure will test as soon as able.
Maybe it really is some incompatibility with other security software and something blocks it from switching. But it's strange that manually it switches just OK. Does it persist with other programs or just with IE?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 15, 2016, 10:10:43 pm
@Noverco
Is this the version of Norton you have? Because I see that NIS is replaced by Norton Security Deluxe. I am asking because I will also try to reproduce the problem.
http://us.norton.com/downloads-trial-norton-internet-security

EDIT: Works for me even when I have IE isolated with Norton add-on enabled.

http://i.imgur.com/kq0VoXU.png

Windows 10 64bit
Norton Security Deluxe 22.6.0.142
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 16, 2016, 01:13:10 pm
Oh yes, aDVll thank you I am using Norton Security Deluxe. I am sorry for not providing the correct version, unfortunately my brain hasn't upgraded to that fact yet :o

I haven't tested other programs as yet fixer, just tried the basic software notepad, wordpad all work as expected - no problem with auto switching to isolated desktop environment.

I shall continue to test. Unfortunately my internet was playing up yesterday and I was unable to send video etc to you. Thankfully I am able to do so today.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 16, 2016, 01:43:23 pm
aDVll "EDIT: Works for me even when I have IE isolated with Norton addon enabled"

Wow, so IE works every time with Norton add on and auto switches to isolated desktop every time. Now I am confused :o

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 16, 2016, 02:04:45 pm
aDVll "EDIT: Works for me even when I have IE isolated with Norton addon enabled"

Wow, so IE works every time with Norton add on and auto switches to isolated desktop every time. Now I am confused :o
It was a fluke, I didn't know it didn't do it 100% of the time. I restarted and now IE does not start. So yes something is wrong. I am trying to investigate further and will edit if I figure something out.
Not only does IE not start properly, it freezes the whole VM and I have to restart when I try to launch IE isolated.
So apparently when you launch IE isolated and then enable the addon it works but if you restart the computer it then breaks IE and doesn't start properly. Weird. Fixer has to figure this out, it's above my skill level.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 16, 2016, 04:36:48 pm
I'm glad I am not the only one, I reinstalled ReHIPS and so far IE auto switches to the isolated desktop environment (fingers crossed), but still issue with Norton add on not appearing at times. I have sent screenshots, videos, and I saved the ReHIPS log and sent all to fixer. I am so glad I can use the internet again!!!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 16, 2016, 04:38:43 pm
I'm glad I am not the only one, I reinstalled ReHIPS and so far IE auto switches to the isolated desktop environment (fingers crossed), but still issue with Norton add on not appearing at times. I have sent screenshots, videos, and I saved the ReHIPS log and sent all to fixer. I am so glad I can use the internet again!!!
If it breaks again just disable the addon for now until devs can see what is wrong. It doesn't really offer any real value.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on June 16, 2016, 04:54:32 pm
It doesn't really offer any real value.

I second that
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 16, 2016, 04:55:47 pm
Thank you aDVll, unfortunately I rely on Identity Safe as my password manager (offline vault) on main pc and I am stuck with IE (hope Edge soon allows add-ons). Norton add-on used to work on Chrome and Firefox - but now Firefox with Norton add-on you cannot use Identity Safe!?! and Chrome frequent updates cause issues with Norton add-on.
 
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 16, 2016, 04:57:02 pm
Thank you aDVll, unfortunately I rely on Identity Safe as my password manager (offline vault) on main pc and I am stuck with IE (hope Edge soon allows add-ons). Norton add-on used to work on Chrome and Firefox - but now Firefox with Norton add-on you cannot use Identity Safe!?! and Chrome frequent updates cause issues with Norton add-on.
I understand your issue but you might want to look at Lastpass. Pretty solid on all browsers and easy to use.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 16, 2016, 05:01:17 pm
Yes I've tried lastpass, but I do not like to store my passwords online.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 16, 2016, 05:03:45 pm
Yes I've tried lastpass, but I do like to store my passwords online.
Lastpass is online but if you meant offline check Keepass. It has a pretty solid addon for Firefox and an OK one for IE and Chrome.

EDIT: Don't get me wrong, I am not saying don't use what you prefer, which is the Norton addon, I am just giving you suggestions if it breaks again until a proper solution can be found.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 16, 2016, 05:07:18 pm
Thank you aDVll I will check out Keepass. 

As this is my first experience being involved in any type of forum.

I appreciate your assistance and suggestions aDVll, thank you.



Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 16, 2016, 07:59:50 pm
Thank you aDVll I will check out Keepass. 

As this is my first experience being involved in any type of forum.

I appreciate your assistance and suggestions aDVll, thank you.
You are welcome.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 19, 2016, 05:15:31 pm
Is it intended that Vivaldi has separate desktop and hook control enabled, unlike Google Chrome that has the options unchecked? Why? They are both Chromium-based.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 19, 2016, 05:18:05 pm
Is it intended that Vivaldi has separate desktop and hook control enabled, unlike Google Chrome that has the options unchecked? Why? They are both Chromium-based.
I assume you made the rules manually for Vivaldi and default is hooks and different desktop? If yes then try disabling both and see if it works.
If rules were made by ReHIPS then a dev tested it and it didn't work without hooks but you can test it on your own and confirm if something changed. ;)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 19, 2016, 05:23:50 pm
Is it intended that Vivaldi has separate desktop and hook control enabled, unlike Google Chrome that has the options unchecked? Why? They are both Chromium-based.
I assume you made the rules manually for Vivaldi and default is hooks and different desktop? If yes then try disabling both and see if it works.
If rules were made by ReHIPS then a dev tested it and it didn't work without hooks but you can test it on your own and confirm if something changed. ;)
I deleted the user profiles of Chrome, IE, and Vivaldi. Then, I installed the rules with RulesPack. After that, I saw Vivaldi back again. So, I think it was intended. But I'm just not sure why the options are checked, since it is also Chromium-based.

Yeah, I will test it later.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 19, 2016, 05:30:03 pm
I just got a message: Demo limit of isolated programs reached.
I'm running Google Chrome with many processes as expected. Then, I ran Vivaldi which has many processes too.

I already registered this. Is there still limit?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 19, 2016, 05:35:27 pm
Register has no limit. Are you sure it's still activated? Try restarting I guess to see if activation stays so devs have something to go by.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 19, 2016, 05:38:31 pm
Register has no limit. Are you sure it's still activated? Try restarting I guess to see if activation stays so devs have something to go by.
I will try to restart the system.

I also just tried executing Vivaldi with separate desktop and hook control unchecked. It hung. I also didn't get the demo limit message. I'll restart the system now.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 19, 2016, 05:58:16 pm
I already restarted the system, but I still get demo limit message. It's regardless of Vivaldi. When the number of programs reaches more than 10, demo limit pop-up shows up. About Page says ReHIPS is registered to me. What I did, however, if this would make a difference, was click on the "Registered" button.

Edit: It's not consistent with Chrome. Chrome now has more than 10 processes, but the pop-up never shows. I launched Vivaldi, then the pop-up showed.  :o
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 19, 2016, 06:03:12 pm
Wait for devs I guess. Might be a bug because I clicked the registered button also and nothing changed.
Maybe it's this
https://forum.re-crypt.com/index.php?topic=2384.0
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 19, 2016, 06:07:37 pm
Wait for devs I guess. Might be a bug because I clicked the registered button also and nothing changed.
Maybe it's this
https://forum.re-crypt.com/index.php?topic=2384.0

Oohh.. maybe... I have no Shadow Defender, but I have RollBack Rx installed.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 19, 2016, 06:13:22 pm
Yeah, Umbra had it before with RollBack but not 100% sure because at some point it stopped happening for him.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 19, 2016, 06:35:22 pm
Yeah, Umbra had it before with RollBack but not 100% sure because at some point it stopped happening for him.
But I think RollBack Rx is potentially the culprit only when doing a rollback, which I haven't done yet after registering ReHIPS. I'm thinking of my other security software.
Just for clarification, I'm using ReHIPS on my host/main OS. So, there are other security software installed.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 19, 2016, 06:51:18 pm
I think it's this bug https://forum.re-crypt.com/index.php?topic=2384.0 So let's suspend this report until you try the version with it fixed.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on June 19, 2016, 07:56:01 pm
Yeah, Umbra had it before with RollBack but not 100% sure because at some point it stopped happening for him.
But I think RollBack Rx is potentially the culprit only when doing a rollback, which I haven't done yet after registering ReHIPS. I'm thinking of my other security software.
Just for clarification, I'm using ReHIPS on my host/main OS. So, there are other security software installed.

I have done several rollbacks with RX after RX was installed, the "unregistering" issue never happened with RC2.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 21, 2016, 11:08:52 am
Is it always slow when creating a new isolated environment?

As an example, when I create an isolated environment for Chrome and Copy User Data is checked, it would take about 2-3 minutes to launch, then it would hang for about 1-2 minutes, then all would be good to go. So, approximately, creating a new isolated environment takes about 5 minutes before it can be used.

My laptop has HDD, not SSD. So, expect relative slowness. :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 21, 2016, 11:45:24 am
Is it always slow when creating a new isolated environment?

As an example, when I create an isolated environment for Chrome and Copy User Data is checked, it would take about 2-3 minutes to launch, then it would hang for about 1-2 minutes, then all would be good to go. So, approximately, creating a new isolated environment takes about 5 minutes before it can be used.

My laptop has HDD, not SSD. So, expect relative slowness. :)
My Chrome profile folder is 700MB and it's small files so a few min sounds about right on an HDD. Especially if you have a slow 5400rpm drive. I am pretty sure it's not a ReHIPS issue tbh because on my SSD it takes only a few seconds.
Maybe others can confirm it's slow and my PC is just a fluke.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 21, 2016, 09:27:32 pm
Chrome (and chrome-forked) browser can be installed in 2 ways: in Program Files (actually this one is preferable) and in real user home directory. If there are some files in real user home directory that program needs, they should be copied to ReHIPS user profile directory as isolated programs don't have any access to real user folders. So if Chrome was installed at second location... well, there'll be some lag at first start/RulesPack rules installation. Anyway it only happens at first time, so it shouldn't be too bothersome.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 22, 2016, 05:52:03 am
Chrome (and chrome-forked) browser can be installed in 2 ways: in Program Files (actually this one is preferable) and in real user home directory. If there are some files in real user home directory that program needs, they should be copied to ReHIPS user profile directory as isolated programs don't have any access to real user folders. So if Chrome was installed at second location... well, there'll be some lag at first start/RulesPack rules installation. Anyway it only happens at first time, so it shouldn't be too bothersome.
Mine is installed in the Program Files directory. Yes, it only happens at the creation of the isolated environment.

I presume that there are plans for making this easier and manageable, right? It's because how about the situations where the isolated profile, for example the browser's profile, gets infected? It needs to be cleansed. And right now, cleansing means deleting that user profile, and creating another one from scratch, which is a hassle.

Anyway, I don't intend to intentionally infect my browser.  ;D
It's just a thought for a possible scenario.  ;D
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 22, 2016, 11:57:49 am
I don't think anything can be done to make this easier. The problem is: we've got a bunch of files, they should be isolated program writable. So we have 2 options.
1. We add some element of risk by either allowing isolated program access to real user home directory or copy them, but don't delete and copy all the files on isolated environment recreation, just some. Both are security risks.
2. We copy them all and recreate also by deleting and copying all files. Takes some time, but safe from security point of view.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 22, 2016, 01:09:01 pm
I don't think anything can be done to make this easier. The problem is: we've got a bunch of files, they should be isolated program writable. So we have 2 options.
1. We add some element of risk by either allowing isolated program access to real user home directory or copy them, but don't delete and copy all the files on isolated environment recreation, just some. Both are security risks.
2. We copy them all and recreate also by deleting and copying all files. Takes some time, but safe from security point of view.
I understand, fixer.  :)
With only those two choices available, I, myself, would choose the 2nd option.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 22, 2016, 08:47:30 pm
Thank you fixer for your interest regarding the Unexpected Behaviours I have posted, I have PM'd you regarding sending you an email so I can attach screenshots, log etc to you as I do not know the ReHIPS Supports email address.

I have discovered an issue at times when launching Internet Explorer in the isolated desktop environment that Norton Internet Security add-on fails to appear. I have provided screenshots when NIS add-on is present and missing from IE.

Also I have just discovered another issue regarding Internet Explorer loading normally (not in an isolated desktop environment). If you press windows key and g, you get the xbox games recorder as my testing laptop is 5 years old does not support this feature and I receive an error message - "Sorry this pc doesn't meet the hardware requirements for recording clips learn more"  if I click on learn more Internet Explorer is launched normally - not within the isolated desktop? should this happen? screenshot provided in post.

Also I have not tested yet but when launching Internet explorer and does not auto switch to the isolated desktop I mentioned in my previous post, could be the result of Malwarebytes Anti-Exploit free, not sure as yet when I have time I shall test.
Hi Noverco, after Fixer figured out the issue is on Norton side I went ahead and tried to allow it from within settings.
Here is the fix but note I didn't have time to test it a lot but it seems to work even after a lot of restarts. Will do some more testing tomorrow on some other VMs though to make sure. If you want to try it now here are the steps and remember after you change the settings please restart the computer. Norton doesn't seem to accept the changes before a restart.
http://i.imgur.com/kS7Rw5y.gifv

EDIT: I couldn't test the vault though because I don't have it and I am not even sure exactly how it works. Not much info on Norton site. Note if the addon needs to communicate with Norton main application to do auto complete it will not be possible because IE runs on a different desktop.

Btw you said you don't like Lastpass because it stores the password online but Norton does the same and doesn't even have 2 step authentication. You might want to look into it. ;)

Safe search works though, that I tested, but I know this is not what your main concern was.

EDIT2: Tested it again on a new VM and again works so I just need someone to confirm.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 23, 2016, 03:32:45 pm
Thank you aDVll for your post and PM on the issue. Norton add-on works so far (fingers crossed!!), but still issue that I have to manually click on the ReHIPS gadget to switch to IE (does not autoswitch to ReHIPS isolated desktop environment). I will change Norton before I have to renew!!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 23, 2016, 03:45:11 pm
Nice. Glad it works now. Maybe the auto switching issue will get fixed with a new IE isolated environment. Let me know if it does. It will be a good information to have.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 23, 2016, 04:35:13 pm
Thank you aDVll, Wow, fantastic - After following your instructions Norton add-on (now appears) and IE now auto switches into ReHIPS isolated desktop environment, with no problems.  You have helped me tremendously:>

Norton add-on fix from aDVll quote :-

http://i.imgur.com/kS7Rw5y.gifv

IE auto switches fix from aDVll quote :-

I checked and mine autoswitched when I start IE with Norton after the fix. Can you try going in ReHIPS GUI and deleting Internet Explorer isolated environment, restarting and then clicking install rules in GUI to install the rules again? Hopefully this will fix the autoswitch issue.

Also I wish to take the opportunity to thank fixer for the assistance, time and support looking into this issue!!!, and finding out it was a Norton issue!!!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 23, 2016, 06:21:35 pm
I would also like to give an update regarding the Norton add-on (local vault - tested) for IE.  I can now confirm since aDVll fix, that the vault (local vault) for Norton add-on works perfectly as well. 

Once you click on the vault icon on the Norton add on for IE, within the ReHIPS isolated desktop environment you must then switch back to the normal (main) desktop as you will see the Norton Identity Safe screen popup asking you to enter the vault password. Once you enter the vault password, switch back into the ReHIPS isolated desktop environment in which IE is present and you can use the vault normally.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 23, 2016, 06:59:37 pm
I have a couple more things to add.
I looked into autoswitching issue. ReHIPS was autoswitching to isolated desktop. But then empty desktop timeout (if isolated desktop is active and there are no visible windows on it, it autoswitches to the main desktop after 5 sec timeout) was kicking in and switching back to the main desktop. I changed this timeout for the first autoswitch to 10 sec, just in case for slow PCs, and it's still 5 sec for subsequent timeouts. This addon issue was actually a norton issue, but I increased the first timeout anyway.
Without adding ReHIPS folder in exception list, norton can cause PC to deadlock. ReHIPS is indirectly involved into this, but it's also norton issue. So it's highly recommended to either add ReHIPS folder to exceptions as aDVll suggested or disable norton auto-protection as it's the feature that causes this behavior.
And I'd like to thank aDVll for his tremendous help in debugging this and other issues.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on June 23, 2016, 07:31:24 pm
And I'd like to thank aDVll for his tremendous help in debugging this and other issues.
I certainly agree with this.  :) :) :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 23, 2016, 07:41:02 pm
Thank you fixer, it's certainly good of you for the detailed investigation, time, explanation and making an adjustment for the issue with Norton and auto switching.

Yes I wholeheartedly agree with fixer and XhenEd regarding fixer's quote "I'd like to thank aDVll for his tremendous help in debugging this and other issues."
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 23, 2016, 10:20:39 pm
Thanks guys. Anything to help if I can. It's worth it to help devs that care about users and actually check all reported bugs from all users.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 23, 2016, 11:43:29 pm
Also if I click on an email via windows mail (Windows 10) should the screen briefly go blank and received an error message unable to open ......., but when I switch manually to the isolated environment the email link has been successfully loaded?
Should be fixed now.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 24, 2016, 03:46:57 pm
Thank you, fixer that's absolutely smashing news.  I am certainly impressed on how quickly this issue has been resolved. 

How does one get this fix - is it via a new updated version of a ReHIPs?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 24, 2016, 03:54:42 pm
Thank you, fixer that's absolutely smashing news.  I am certainly impressed on how quickly this issue has been resolved. 

How does one get this fix - is it via a new updated version of a ReHIPs?
Yes. You will be able to test the fix on the next ReHIPS version. ReHIPS is a completely offline solution, it doesn't do updates on its own. ;)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Noverco on June 24, 2016, 04:40:33 pm
Thank you, aDVll for the confirmation that the new fix will be delivered via a new version of ReHIPs. Will look forward to test new version. :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on June 27, 2016, 10:18:59 am
I am trying to solve a few problems.

General Problem:

Some programs installed in real user directory (C:\Program Files and C:\Users\User\AppData - as examples) do not function correctly to various degrees when executed isolated.

Question:

Is there a way to install those problematic programs directly inside the ReHIPSUser profile - instead of the real user profile - to see if that will resolve the problematic behavior(s) ?

If yes, then what is the proper procedure ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 27, 2016, 10:44:14 am
Is there a way to install those problematic programs directly inside the ReHIPSUser profile - instead of the real user profile - to see if that will resolve the problematic behavior(s) ?
DeployHelper was meant for this. Right-click on your program setup/installer file->Run in ReHIPS DeployHelper. If installer requires admin privileges, then Run in ReHIPS DeployHelper as Administrator can be chosen. Then this program standard setup window will be shown, install it. After installation finishes, DeployHelper window will be shown with possible list of executable files. Take a look at this list and make some changes if needed. These files will be added to the ReHIPS database to be started in isolation in the same isolated environment your program was installed into.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on June 28, 2016, 11:28:54 am
Is there a way to install those problematic programs directly inside the ReHIPSUser profile - instead of the real user profile - to see if that will resolve the problematic behavior(s) ?
DeployHelper was meant for this. Right-click on your program setup/installer file->Run in ReHIPS DeployHelper. If installer requires admin privileges, then Run in ReHIPS DeployHelper as Administrator can be chosen. Then this program standard setup window will be shown, install it. After installation finishes, DeployHelper window will be shown with possible list of executable files. Take a look at this list and make some changes if needed. These files will be added to the ReHIPS database to be started in isolation in the same isolated environment your program was installed into.

Is there any security disadvantage - to programs installed to ReHIPSUser with DeployHelper ?

By that, I mean, isn't a program installed to ReHIPSUser at least a bit more vulnerable to tampering or other mis-deeds - as opposed to it being installed in the real user profile (C:\Programs) ?

I don't honestly know if there is any significant risk to malc0de having access to a program's executables and libraries within ReHIPSUser.  Malc0ders don't typically try to modify program *.exes and *.dlls since the typical installation directories are protected against modification by Windows.

However, if the executables and libraries are installed to ReHIPSUSer, does ReHIPS protect them from modification - the same as Windows' file system protection mechanisms ?

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 28, 2016, 02:29:35 pm
Is there any security disadvantage - to programs installed to ReHIPSUser with DeployHelper ?

By that, I mean, isn't a program installed to ReHIPSUser at least a bit more vulnerable to tampering or other mis-deeds - as opposed to it being installed in the real user profile (C:\Programs) ?
DeployHelper installation itself doesn't provide security, i.e. if you start some malicious installer by DeployHelper, it may do something bad during installation. But after installation it doesn't matter if you use this program after Allowing in isolation or after DeployHelper installation, both are equally secure.

I don't honestly know if there is any significant risk to malc0de having access to a program's executables and libraries within ReHIPSUser.  Malc0ders don't typically try to modify program *.exes and *.dlls since the typical installation directories are protected against modification by Windows.

However, if the executables and libraries are installed to ReHIPSUSer, does ReHIPS protect them from modification - the same as Windows' file system protection mechanisms ?
At first I'd like to say, that even DeployHelper-installed software may reside in Program Files folder. It'll require admin during installation, but it's possible.
You're right, Program Files folder is write-protected, isolated programs won't be able to write into it/change files in it, and ReHIPS user home profile folder is isolated-program writable. But does it pose security risk? I don't think so. When it comes to overwriting executables, it means isolated environment is already compromised, and some malicious code is already executing in it. This executable files changing right won't allow it to elevate, something like let it persist in already compromised isolated environment. But such environment should be recreated anyway. Besides ReHIPS controls hashes of executable files. Plus malware can persist without executable files modification, but controlling program data (some exploit, for example).
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on June 30, 2016, 12:55:56 am
How are you "white-listing" programs ?

1.  By file-path only
2.  By digital signature (Trusted Publisher & valid certificate)
3.  By hash

Combination of all (3) above ?

* * * * *

Here is worst case scenario:

A.  RulesPack contains rules for Program_XYZ.exe installed at C:\Program Files, C:\Program Files (x86) or C:\Users\User\Local\AppData.
B.  Program_XYZ.exe uses digital certificate from Trusted Publisher that is stolen\counterfeited.
C.  No white-listing via hash. (I don't know how you could stay on top of installer hashes)

Not likely, but possible...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 02, 2016, 01:23:49 pm
By "white-listing" I guess you mean initial rules installation by RulesPack?
It uses only (1). ReHIPS relies on assumption that computer is clean in the moment ReHIPS is installed. Otherwise malware may persist with some drivers and no security software can effectively with 100% guarantee fight it. And as far as I remember, there was a note in some manual that it's recommended to manually check the rules installed by RulesPack. Besides (2) and (3) may change very quickly. For example, chromium is built every day (if not several times a day) and it's not signed. And RulesPack was designed to provide relatively easy way to install rules for any program version. With the thought in mind that this interface may be made public one day so users could make their own set of initial rules.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on July 22, 2016, 07:45:40 am
Hello Guys,

Can a *.sys file in User Space that is registered on the system to Windows services run amok ?

For example, a malicious *.sys located at c:\users\user\*.

Are there any internal Windows mechanisms that would check a malicious driver or executable registered as a service in User Space ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 22, 2016, 11:59:54 am
Administrator privileges are required to register a new service.
But if some service is already registered, it's possible to replace its executable file with some malicious file. So all service executable files should be stored in secured locations (like System32 or Program Files). And I haven't seen any software yet that installs service executables in insecure locations. Neither I recall any software that checks for this.
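The check discussed in the post above (service and driver executables should sit in secured locations), as an added example that is not part of the original post or of ReHIPS. It normalises the usual `ImagePath` forms and flags files outside a list of protected directories; the directory list, the sample service entries and all function names are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: roots a standard user cannot write to on a default install.
# Location is only a proxy; the file's actual ACL is what finally decides.
PROTECTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")


def image_path_to_file(image_path, system_root=r"C:\Windows"):
    """Reduce a service ImagePath value to the full path of its binary."""
    p = image_path.strip()
    # REG_EXPAND_SZ values are stored unexpanded.
    p = re.sub(r"(?i)%(systemroot|windir)%", lambda m: system_root, p)
    if p.startswith('"'):
        # Quoted form: the path is whatever sits between the first two quotes.
        end = p.find('"', 1)
        p = p[1:end] if end != -1 else p[1:]
    else:
        # Unquoted form (heuristic): cut at the first .exe/.sys/.dll that is
        # followed by whitespace or end of string; the rest is arguments.
        m = re.match(r"(?i)^(.*?\.(?:exe|sys|dll))(?:\s|$)", p)
        if m:
            p = m.group(1)
    if p.startswith("\\??\\"):                    # NT object-manager prefix
        p = p[4:]
    elif p.lower().startswith("\\systemroot\\"):  # driver-style prefix
        p = system_root + p[len("\\SystemRoot"):]
    elif not ntpath.splitdrive(p)[0] and not p.startswith("\\"):
        # Driver paths such as System32\drivers\x.sys are relative to the
        # system root.
        p = ntpath.join(system_root, p)
    return ntpath.normpath(p)                     # also collapses ".."


def is_protected(path):
    """True if path lies under one of PROTECTED_ROOTS (case-insensitive)."""
    norm = ntpath.normcase(ntpath.normpath(path))
    for root in PROTECTED_ROOTS:
        r = ntpath.normcase(root)
        if norm == r or norm.startswith(r + "\\"):
            return True
    return False


def audit(services):
    """Return sorted (service name, binary path) pairs outside protected roots."""
    findings = []
    for name, image_path in services.items():
        path = image_path_to_file(image_path)
        if not is_protected(path):
            findings.append((name, path))
    return sorted(findings)


def load_services_from_registry():
    """Read name -> ImagePath from the live registry (Windows only)."""
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services"
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, name) as sub:
                    services[name] = winreg.QueryValueEx(sub, "ImagePath")[0]
            except OSError:
                continue  # entry without an ImagePath value
    return services


# Constructed sample entries (not taken from any real machine).
SAMPLE_SERVICES = {
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",
    "ExampleAgent": r'"C:\Program Files\Example Agent\agent.exe" --service',
    "ExampleFilter": r"\SystemRoot\System32\drivers\exfilter.sys",
    "ExampleBoot": r"System32\drivers\exboot.sys",
    "UserDriver": r"\??\C:\Users\User\AppData\Local\Temp\helper.sys",
    "UserUpdater": r"C:\Users\User\AppData\Local\Updater\update.exe /svc",
    "Traversal": r"C:\Program Files\..\ProgramData\tool\svc.exe",
}

if __name__ == "__main__":
    for name, path in audit(SAMPLE_SERVICES):
        print(f"{name}: binary outside protected directories -> {path}")
```

On a Windows machine, `audit(load_services_from_registry())` runs the same check against the registered services; each finding is then worth confirming by inspecting the file's permissions.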
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on July 22, 2016, 02:31:20 pm
Administrator privileges are required to register a new service.
But if some service is already registered, it's possible to replace its executable file with some malicious file. So all service executable files should be stored in secured locations (like System32 or Program Files). And I haven't seen any software yet that installs service executables in insecure locations. Neither I recall any software that checks for this.

It has the appearance of being a wide-open door... because all the security softs I have seen don't check for *.sys files in User Space.

It is not difficult to register a driver or service in User Space, type kernel, start at boot.

I have seen a few malware register executables, but not *.sys files, as services from User Space.

That all being said, of course it is no issue for ReHIPS because of the way isolated environment is designed\works.

Thanks fixer.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on July 22, 2016, 03:28:50 pm
Administrator privileges are required to register a new service.
But if some service is already registered, it's possible to replace its executable file with some malicious file. So all service executable files should be stored in secured locations (like System32 or Program Files). And I haven't seen any software yet that installs service executables in insecure locations. Nor do I recall any software that checks for this.

It has the appearance of being a wide-open door... because all the security softs I have seen don't check for *.sys files in User Space.

It is not difficult to register a driver or service in User Space, type kernel, start at boot.

I have seen a few malware register executables, but not *.sys files, as services from User Space.

That all being said, of course it is no issue for ReHIPS because of the way isolated environment is designed\works.

Thanks fixer.

Remember that you have Secureboot (https://msdn.microsoft.com/en-us/library/windows/desktop/hh848061(v=vs.85).aspx) and Early-launch anti-malware feature on Win8/10, that block malicious drivers during boot.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on July 22, 2016, 08:16:37 pm
Administrator privileges are required to register a new service.
But if some service is already registered, it's possible to replace its executable file with some malicious file. So all service executable files should be stored in secured locations (like System32 or Program Files). And I haven't seen any software yet that installs service executables in insecure locations. Nor do I recall any software that checks for this.

It has the appearance of being a wide-open door... because all the security softs I have seen don't check for *.sys files in User Space.

It is not difficult to register a driver or service in User Space, type kernel, start at boot.

I have seen a few malware register executables, but not *.sys files, as services from User Space.

That all being said, of course it is no issue for ReHIPS because of the way isolated environment is designed\works.

Thanks fixer.

Remember that you have Secureboot (https://msdn.microsoft.com/en-us/library/windows/desktop/hh848061(v=vs.85).aspx) and Early-launch anti-malware feature on Win8/10, that block malicious drivers during boot.

I wonder if registering a *.sys file as a service somehow circumvents SecureBoot and ELAM on W8/10 ?

Just wondering... sort of interesting.  I am not sure if there is a distinction between a *.sys driver and a *.sys service on Windows.

Think about it.  When testing malware, some will register services - using an *.exe, but I wonder if it can be successfully done with a *.sys.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 22, 2016, 09:27:26 pm
Services can be .sys and .exe files.
.sys files are drivers. Drivers operate in kernel-mode and most of them are loaded after ELAM (thus enabling ELAM to inspect loading drivers).
.exe files are user-mode services and are loaded after initialization of some user-mode subsystems which is usually after drivers.
ELAM was mostly designed to inspect drivers, so registering a .sys service won't circumvent it. But keep in mind, it's just some signature scanning, so don't expect some magic detecting unknown samples.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on July 24, 2016, 06:30:37 pm
Hello guys...

I have a technical question regarding a 3rd-party security soft protection inside the ReHIPS isolated environment.

For example, a user combines anti-virus XYZ with ReHIPS.  They download a known malware (that will be detected by anti-virus XYZ) to ReHIPS isolated environment, but anti-virus XYZ does not detect the malware.  Alternatively, a security soft is installed to real user with a feature that is not functional within the ReHIPS isolated environment.

Obviously, on the face of it, this is because the anti-virus product running has no access to an active ReHIPUser.  ReHIPS user is a separate profile under Windows - just like the SUA\LUA and protected Admin accounts are separate - with one set of installed software not able to cross over to the other user profile.  LOL... ReHIPS doing its job very well indeed -- but typical user doesn't see it this way.  They think ReHIPS has broken their other security softs.

Is there a better way for us beta testers to explain this matter when it comes up on other forums ?

I'd like to be able to tell new and prospective users precisely why it happens and why it is of no real concern.  I know the second part, but I need a bit more understanding to explain the first part.

I am asking this because I am highly confident that I am missing something - and that the answer is not necessarily clear-cut.

More importantly, I don't want to explain things incorrectly.  I do my best to steer questions to this forum, but some users just won't put forth the effort.  Then the mis\dis-information about ReHIPS starts and correct answers are few and far in-between.  ReHIPS is a good product and - where I can - I feel compelled to defend it by providing accurate infos.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on July 24, 2016, 07:21:47 pm
Hello guys...

I have a technical question regarding a 3rd-party security soft protection inside the ReHIPS isolated environment.

For example, a user combines anti-virus XYZ.  They download a malware to ReHIPS isolated environment and anti-virus XYZ does not detect the malware.

Obviously, on the face of it, this is because the anti-virus product has no access to ReHIPUser.  LOL... ReHIPS doing its job very well indeed -- but typical user doesn't see it this way.  They think ReHIPS has broken their other security softs.

Is there a better way for us beta testers to explain this matter when it comes up on other forums ?

I'd like to be able to tell new and prospective users precisely why it happens and why it is of no real concern.  I know the second part, but I need a bit more understanding to explain the first part.
Maybe an ignorant reply by me and i must admit i don't know the area well but wouldn't the antivirus run with system permission and will be able to access everything? I don't have an antivirus running atm but pretty sure they use a service or a driver running at system level integrity to avoid any permission issues.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 25, 2016, 12:25:22 pm
Default permissions to the vast majority of objects (including file system objects, like ReHIPS user profile folder) include Allow all access entry to Administrators and System. Usually AV software intercepts file access using drivers (drivers should have no problems accessing any file), then they may delegate file checking to AV service (which is usually executed with local system privileges, thus will also access ReHIPS user profile folder without problems). So I don't see any problems here.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 07, 2016, 09:30:49 pm
There was sound, but the volume couldn't be changed. I tinkered with the settings, but it wouldn't work.
I looked into this issue. It's similar to gestures issue, they rely on main desktop. So it's not ReHIPS fault and nothing can be done on our side.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on August 08, 2016, 04:42:09 am
 :'( :'( :'(
I understand, fixer.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: harsha_mic on August 10, 2016, 10:35:22 pm
Hello All,

I just downloaded and installed Process Explorer.
I was intrigued to see that it is not able to see integrity levels of isolated programs run by ReHIPS. See the screenshot, what i mean.

Is this expected? If so, can i make access to process explorer, to fetch integrity levels and others?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 10, 2016, 10:36:29 pm
Run process explorer as an admin. It's because it doesn't have access rights without it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: harsha_mic on August 10, 2016, 10:44:37 pm
aah. Thanks.
However, i am seeing explorer.exe hangs after AU update. 2 times in the past 10 mins.

1st time - Downloaded a movie through torrent (in ReHIPS env) --> Navigated to dwd folder (rehipsuser folder) and double clicked the .mp4 file --> Hang explorer.exe.
2nd time - Navigated to Downloads Folder (real user) --> Open Process Explorer folder --> Hang explorer.exe

Not sure if it has anything to do with ReHIPS. Just reporting..FYI
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: harsha_mic on August 10, 2016, 10:46:53 pm
Also, i think in rehips --> setting --> Programs tab --> we should have a search option, to quickly look up to a desired program.

Currently, one has to go through line by line ..
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 10, 2016, 10:50:36 pm
Also, i think in rehips --> setting --> Programs tab --> we should have a search option, to quickly look up to a desired program.

Currently, one has to go through line by line ..
Click any program in program tab and start typing. It has search but no search box yet. They will probably add one on stable release.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: harsha_mic on August 10, 2016, 10:55:53 pm
Click any program in program tab and start typing. It has search but no search box yet. They will probably add one on stable release.

Perfect! Thanks!!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 10, 2016, 11:02:43 pm
aah. Thanks.
However, i am seeing explorer.exe hangs after AU update. 2 times in the past 10 mins.

1st time - Downloaded a movie through torrent (in ReHIPS env) --> Navigated to dwd folder (rehipsuser folder) and double clicked the .mp4 file --> Hang explorer.exe.
2nd time - Navigated to Downloads Folder (real user) --> Open Process Explorer folder --> Hang explorer.exe

Not sure if it has anything to do with ReHIPS. Just reporting..FYI
I don't see this issue on my windows 10 AU with rehips. Maybe you upgraded and upgrade went wrong? A clean install would help you identify if it was that.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on August 11, 2016, 08:29:20 am
Windows Explorer hang is a known issue on W10; it is Windows and not ReHIPS.

The Windows Explorer hang seems to be system specific and somewhat intermittent.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on August 24, 2016, 05:28:35 am
Aren't tray icons technically shortcut (*.lnk) files in Windows ?

However, they seem a bit odd because the command lines in the shortcuts - especially the ones that point to Control Panel (ImmersiveControlPanel) - seem like "non-standard" command lines.

I am going to use Control Panel applet "Mouse" which is executed by rundll32.exe:

"C:\WINDOWS\System32\rundll32.exe" C:\WINDOWS\System32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\main.cpl

It's weird since shell32.dll doesn't know to create\load mouse.dll - it ain't in the command line...

For example, if I double-click on the touchpad\pointer device tray icon it creates a Recent mouse.lnk, the command line is:



Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 24, 2016, 12:42:59 pm
Actually command lines in shortcuts are a bit more complicated than just ordinary program paths with arguments. Some Control Panel items can be called through hardcoded GUIDs, more on these GUIDs can be found here https://msdn.microsoft.com/en-us/library/ee330741(v=vs.85).aspx , so for example (don't remember exactly, it's just a sample) something like
::{26EE0668-A00A-44D7-9371-BEB064C98683}\8\::{17CD9488-1228-4B2F-88CE-4298E93E0966}\pageDefaultProgram
is equivalent to
control.exe /name Microsoft.DefaultPrograms /page pageDefaultProgram
for ShellExecuteEx API.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on August 25, 2016, 06:53:04 am
Actually command lines in shortcuts are a bit more complicated than just ordinary program paths with arguments. Some Control Panel items can be called through hardcoded GUIDs, more on these GUIDs can be found here https://msdn.microsoft.com/en-us/library/ee330741(v=vs.85).aspx , so for example (don't remember exactly, it's just a sample) something like
::{26EE0668-A00A-44D7-9371-BEB064C98683}\8\::{17CD9488-1228-4B2F-88CE-4298E93E0966}\pageDefaultProgram
is equivalent to
control.exe /name Microsoft.DefaultPrograms /page pageDefaultProgram
for ShellExecuteEx API.

I see most control panel applets are executed by rundll32.exe using Shell32.dll, CONTROL_RUN -- including tray icons.

It's kinda funky since the tray icon (as a short-cut) isn't exposed in the Windows file system.

I was wondering if this is the reason why tray icons cannot be exposed in the isolated environment.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 25, 2016, 01:46:52 pm
The biggest problem for isolated desktops is shell (explorer.exe by default). Shell is responsible for desktop, start menu, tray. And other programs usually communicate with shell via COM. So mostly it's not about icons, but about running another instance of shell or emulating shell, but doing it in a secure and compatible way.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 28, 2016, 03:44:35 pm
the windows process "wevtutil.exe" is always blocked
see log file
I clicked on one of the relevant entries in log, and I found that this process was indeed set by default to be blocked, so I set it to allow (hope that is the right thing to do...) because Windows tries again and again to run this process.
I am on Windows 10 pro x64 AU
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 28, 2016, 04:11:09 pm
the windows process "wevtutil.exe" is always blocked
see log file
I clicked on one of the relevant entries in log, and I found that this process was indeed set by default to be blocked, so I set it to allow (hope that is the right thing to do...) because Windows tries again and again to run this process.
I am on Windows 10 pro x64 AU
Yeah you are right wevtutil is not allowed by default to launch other programs so Fixer will have to check it out.
What exactly are you trying to do with office when this happens, print? WOI also use office but never had such an alert.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 28, 2016, 04:15:46 pm
I was not even trying to do anything, it just pops out of the blue.
maybe it is related to "officeclicktorun", it does weird things.
I have Office 2016
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 28, 2016, 05:24:05 pm
I was not even trying to do anything, it just pops out of the blue.
maybe it is related to "officeclicktorun", it does weird things.
I have Office 2016
Maybe it's click to run then but i don't have one around to test. I have the normal office 2016.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 28, 2016, 05:39:05 pm
Thanks for your report, fixed, allowed it to create child processes.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 28, 2016, 05:43:02 pm
how to make that change on my ReHIPS settings?
sometimes I find the same windows processes listed in two or three places...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 28, 2016, 05:49:58 pm
how to make that change on my ReHIPS settings?
sometimes I find the same windows processes listed in two or three places...
It's as many times as users you have + 1 for System. To change go in rehips settings, find wevtutil and change the setting to allow to execute program. That should fix it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 28, 2016, 06:45:15 pm
just to clarify, it is the instance in syswow64 that needs to be allowed.
that's how it is on my system, at least
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 28, 2016, 06:47:53 pm
just to clarify, it is the instance in syswow64 that needs to be allowed.
that's how it is on my system, at least
Yeah that's what your logs are saying.  ;)
C:\Windows\SysWOW64\wevtutil.exe
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on August 29, 2016, 07:42:01 am
how to make that change on my ReHIPS settings?
sometimes I find the same windows processes listed in two or three places...

if you see a blocked process that shouldn't (because you know and are sure it is legit) , just open the log panel , click on the culprit process, it will open the rule so you can change it from "Block" to "Inspect children" or "Allow"
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 30, 2016, 11:45:27 am
I rebooted, and as soon as desktop appeared, I started up a process that should have been blocked by ReHIPS.
Not only was it not blocked, but it was not even terminated when ReHIPS loaded.
(After ReHIPS finished loading, I tried again to start up the process, and it was successfully blocked)
Is this expected behavior?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 30, 2016, 11:49:41 am
I rebooted, and as soon as desktop appeared, I started up a process that should have been blocked by ReHIPS.
Not only was it not blocked, but it was not even terminated when ReHIPS loaded.
(After ReHIPS finished loading, I tried again to start up the process, and it was successfully blocked)
Is this expected behavior?
Protection when you don't have lockdown mode enabled starts as soon as rehips gui loads. If you want it to always be on even on pc boot enable lockdown mode. In future versions this is improved and you have another option to have lockdown mode when gui is not started and out of lockdown mode when gui is running(to get alerts).
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 30, 2016, 11:52:30 am
thanks.
I like that future option.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 30, 2016, 12:14:29 pm
thanks.
I like that future option.
Yep it is useful for some users. I personally always run in lockdown mode. I don't do alerts and if something is blocked i will sort it manually at some point when i have time.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 30, 2016, 12:17:58 pm
but even with lockdown, when does the protection actually start?
malware might try to run very early, before the protection kicks in...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 30, 2016, 12:22:55 pm
but even with lockdown, when does the protection actually start?
malware might try to run very early, before the protection kicks in...
It starts on system boot. First of all malware doesn't appear from thin air. For a malware to start at boot it means you allowed malware to run, not even isolated on your system. The least of your worries is starting again at boot. You are already infected and it's your fault. You either had rehips off or you allowed it and it's in whitelist now.
Assuming rehips was off and the malware is not whitelisted it might run before rehips or after. It all depends on the kind of malware and how it achieves boot. Rehips starts really early when in lockdown mode so there is a chance it gets blocked if you didn't whitelist it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 30, 2016, 05:02:17 pm
this is a problem that all security softs face.
I have set ReHIPS to block powershell and script interpreters, which I personally don't use, as a second line of defense. This is just in case I mistakenly allowed malware to execute.

I would suggest that ReHIPS offer various templates to the user, when the program first installs.
the template for the home user would block powershell and script interpreters by default, and template for IT pros would allow them by default, and would also allow other processes that power users need, such as the windows mounting process that Shadow Defender uses.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 30, 2016, 05:12:39 pm
this is a problem that all security softs face.
I have set ReHIPS to block powershell and script interpreters, which I personally don't use, as a second line of defense. This is just in case I mistakenly allowed malware to execute.

I would suggest that ReHIPS offer various templates to the user, when the program first installs.
the template for the home user would block powershell and script interpreters by default, and template for IT pros would allow them by default, and would also allow other processes that power users need, such as the windows mounting process that Shadow Defender uses.
In the future versions you will be able to create your own templates and rules. It's in the works to provide a tool to do so and it works pretty well. Then if you wish you can maintain your own rules between release and even make rules for the specific programs you use.
You need to remember this is beta. Program is really solid and offers perfect protection but things related to ease of use will come with future release versions.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 30, 2016, 05:14:46 pm
cool
glad to hear that my ideas are already in the works...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 30, 2016, 05:21:40 pm
cool
glad to hear that my ideas are already in the works...
Devs have many ideas and they are already implementing them but us users suggesting things never hurt anyone. We might get an idea they didn't think so keep the suggestions coming.  ;)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 30, 2016, 05:50:49 pm
okay, so here's another one that you guys have probably thought of already:
when you click on "install rules", you should get a window asking  if you are sure you really want that.
It is too easy to mistakenly click on install rules, instead of on settings.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 30, 2016, 06:04:14 pm
okay, so here's another one that you guys have probably thought of already:
when you click on "install rules", you should get a window asking  if you are sure you really want that.
It is too easy to mistakenly click on install rules, instead of on settings.
Yeah HJLBX suggested it already. That and a thousand more suggestions he made.  ;D
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on August 31, 2016, 05:44:02 am
mostly all usability suggestion has been made by either hjlbx, ADVII, or me  :D

btw i was the one who mentioned the bad placement of the Install Rules button  :p

there is the thread i created for "usability" suggestions : https://forum.re-crypt.com/index.php?topic=2105.0 , feel free to address suggestion there.

i think now most of the new suggestions will be related to specific softwares.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 31, 2016, 10:19:31 am
mostly all usability suggestion has been made by either hjlbx, ADVII, or me  :D

btw i was the one who mentioned the bad placement of the Install Rules button  :p

there is the thread i created for "usability" suggestions : https://forum.re-crypt.com/index.php?topic=2105.0 , feel free to address suggestion there.

i think now most of the new suggestions will be related to specific softwares.
My bad then. I found the other topic and didn't check open topic.
OK to set things clear umbrapolaris  spammed devs with a million suggestions also.  :P
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on August 31, 2016, 02:38:24 pm
i was just kidding, us three have added a phonebook of suggestions/recommendations to the dev. until they sort them all, it will be ReHIPS v3  rofl
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 31, 2016, 02:40:15 pm
i was just kidding, us three have added a phonebook of suggestions/recommendations to the dev. until they sort them all, it will be ReHIPS v3  rofl
I know mate i am also joking around. The losing side is fixer side that has to code all these suggestions. We did the easy part.  :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: harsha_mic on September 02, 2016, 03:30:54 pm
I was trying to play an episode in netflix UWA in W10 64 bit. However, it failed to play with some error code.
Upon inspecting the logger, i see below is wrongly blocked causing the issue.

Quote
9/2/2016 17:50:18 PM: Program C:\Windows\System32\WWAHost.exe with PID 8228 executing program C:\Windows\System32\mfpmp.exe with PID 4752 - blocked
9/2/2016 17:50:18 PM: Program C:\Windows\System32\mfpmp.exe with PID 4752 terminated

So, i set WWAHost.exe to "inspect children" from "blocked", for the field "Can execute programs".

Perhaps we have to add it in the whitelist?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 02, 2016, 03:34:50 pm
Thanks for your report, fixed.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on September 06, 2016, 01:35:07 am
Is\Are there any fundamental processes on the system that can\will ignore restricted privileges ?

For example,


These processes can be abused to write code... so some security vendors recommend running them with limited privileges.

?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 06, 2016, 07:36:38 pm
Only ReHIPS processes are hardcoded, thus rules for them are applied though these processes are absent in ReHIPS database. All other processes obey corresponding rules in database.
lsass, csrss, smss are usually privileged processes, so no isolated process will have access to them.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on September 07, 2016, 05:46:48 pm
XlbGameSave.Task.exe
this process needs to be allowed to run child processes, or it gets blocked.
see attached screenshot of log
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 08, 2016, 03:51:38 pm
Thanks for your report, fixed.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on September 15, 2016, 04:59:13 pm
C:\WINDOWS\system32\igfxHK.exe
this intel process needs to be allowed to start child processes
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 18, 2016, 01:59:07 pm
Thanks for your report, fixed.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 20, 2016, 12:07:16 pm
Is multi language in the plans for the next stable release and if yes what languages are coming?

Also can rehips block code injection and hollow process for isolated processes? Pretty sure it does both because they can't access other processes but just a confirmation so we can have an official answer i can post in the malwaretips topic that people were wondering about.
Btw what about not isolated application. Will it detect the change?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 20, 2016, 05:37:59 pm
Multi language is supported, but currently only russian and english translations are available.

Isolated process can't inject or create hollow processes for other isolated environments or non-isolated environment.

Btw what about not isolated application. Will it detect the change?
I don't quite follow. What do you mean?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 20, 2016, 06:38:23 pm
Multi language is supported, but currently only russian and english translations are available.

Isolated process can't inject or create hollow processes for other isolated environments or non-isolated environment.

Btw what about not isolated application. Will it detect the change?
I don't quite follow. What do you mean?
About translation any plans for other languages or not atm?

If i run an application not isolated does it prevent/notify about code injection and hollow process method to other not isolated applications?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 20, 2016, 08:20:16 pm
Due to frequent changes in texts, we'd like to settle them down at first so they don't change so often. And then we'll handle other languages, probably with some help from our testers ;)
Non-isolated programs are unrestricted, so they're free to inject in each other.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 20, 2016, 08:25:40 pm
Due to frequent changes in texts, we'd like to settle them down at first so they don't change so often. And then we'll handle other languages, probably with some help from our testers ;)
Non-isolated programs are unrestricted, so they're free to inject in each other.
Maybe you can check oneskyapp to setup a translation project. It's pretty easy to use and if you keep the collaborators at 5 only it's free. I doubt at start you will need/have more.
https://www.oneskyapp.com/
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 21, 2016, 01:12:57 am
Thanks for the hint, sounds interesting, we'll think about it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on September 21, 2016, 05:23:56 am
Someone asked this question and I vaguely remember what was said here on the forum.

When it comes to:


does the HIPS module actually block any of these ?

* * * * *

I was of the understanding that it does not - for example, hollow process, but any malicious activity is limited to the isolated environment in which the hollow process occurs.

Also code injection, dll injection, memory scraping, RMI, etc is blocked by running programs in isolated environments.

In other words, the HIPS itself doesn't detect and block memory attacks in similar fashion to some other HIPS, but it is the built-in Windows mechanisms used by ReHIPS that prevents (isolates) or limits any damage to the isolated environment.

Inter-process attacks are blocked by virtue of their isolation from one another - and this extends to real user profile process run as NT AUTHORITY\SYSTEM.  The exception is when multiple programs are run simultaneously within an isolated environment (non-recommended practice).

Finally, the isolation is two-way; SYSTEM is isolated from isolated environment and isolated environment is isolated from SYSTEM.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 21, 2016, 02:58:50 pm
@HJLBX
It blocks access to other processes which don't run inside the isolated environment so in result nothing can affect the processes outside of it. This is my understanding from his above reply.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on September 22, 2016, 03:33:27 am
@HJLBX
It blocks access to other processes which don't run inside the isolated environment so in result nothing can affect the processes outside of it. This is my understanding from his above reply.

In that case then, the HIPS module itself does not block anything other than execution... that's the specific question that was asked at MT.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 22, 2016, 10:20:47 am
@HJLBX
It blocks access to other processes which don't run inside the isolated environment so in result nothing can affect the processes outside of it. This is my understanding from his above reply.

In that case then, the HIPS module itself does not block anything other than execution... that's the specific question that was asked at MT.
I think ReHIPS only monitors execution and change of hash file of the whitelisted/blocked files. All the other protections are a result of running the program isolated as another user without access to the rest of the system. Let's wait for Fixer though to confirm because I might be totally wrong.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 23, 2016, 12:59:33 pm
ReHIPS itself monitors mostly process execution and some related stuff (like hashes of files being executed, parent-child relation, process command line). Additional monitoring includes file system and registry access to block some locations. When programs are executed in isolation, most of security is handled by certified Windows security subsystem.
So processes inside one isolated environment are free to do as they please, inject in other processes running in the same isolated environment, etc. But only inside this isolated environment. Processes in other isolated environments or non-isolated processes, including system processes are safe.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on September 24, 2016, 03:01:45 am
ReHIPS itself monitors mostly process execution and some related stuff (like hashes of files being executed, parent-child relation, process command line). Additional monitoring includes file system and registry access to block some locations. When programs are executed in isolation, most of security is handled by certified Windows security subsystem.
So processes inside one isolated environment are free to do as they please, inject in other processes running in the same isolated environment, etc. But only inside this isolated environment. Processes in other isolated environments or non-isolated processes, including system processes are safe.

This is exactly how I understood it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on September 24, 2016, 06:41:20 am
It was expected; ReHIPS is a sandbox + HIPS not a HIPS with sandbox ^^
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on September 25, 2016, 08:20:05 pm
Have you been able to figure out a way to:

1.  auto-delete ReHIPSUser profile upon closing all programs run isolated in ReHIPS
2.  auto-generate the clean, base-line ReHIPSUser profile after Step 1 above

?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 25, 2016, 09:06:29 pm
You can manually remove isolated environment and then reinstall the rules. It requires the desired program to be in rules database, but it shouldn't be a problem with RulesManager.
And we've got in our TODO list checkbox to do it automatically to recreate isolated environment upon isolated program termination.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on September 26, 2016, 12:35:36 am
You can manually remove isolated environment and then reinstall the rules. It requires the desired program to be in rules database, but it shouldn't be a problem with RulesManager.
And we've got in our TODO list checkbox to do it automatically to recreate isolated environment upon isolated program termination.

I was wondering if the ReHIPSUser profile could be re-created with any prior user tweaks fully intact.  Technically, I don't know if that is possible and potentially a stumbling block.  That's why I asked.

At least at a basic level, it appears to me that it is possible - if there is an isolated environment "configuration" file - something along the lines of a configuration *.ini or *.xml file - associated with the isolated environment and not deleted when ReHIPSUser is deleted.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on September 26, 2016, 07:02:13 am
You can manually remove isolated environment and then reinstall the rules. It requires the desired program to be in rules database, but it shouldn't be a problem with RulesManager.
And we've got in our TODO list checkbox to do it automatically to recreate isolated environment upon isolated program termination.

I was wondering if the ReHIPSUser profile could be re-created with any prior user tweaks fully intact.  Technically, I don't know if that is possible and potentially a stumbling block.  That's why I asked.

At least at a basic level, it appears to me that it is possible - if there is an isolated environment "configuration" file - something along the lines of a configuration *.ini or *.xml file - associated with the isolated environment and not deleted when ReHIPSUser is deleted.

In fact the automatic deletion of the IE's content (aka IE reset) is important; there should be an option/checkbox that allows the IE to be recreated "as new" without user intervention. Without it, it is quite risky in terms of privacy/security.

I know that rules can be reinstalled, so why not an option that saves and re-installs the IE? Maybe it is technically difficult, I don't know, I'm not a developer ^^
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 26, 2016, 10:02:15 am
You can manually remove isolated environment and then reinstall the rules. It requires the desired program to be in rules database, but it shouldn't be a problem with RulesManager.
And we've got in our TODO list checkbox to do it automatically to recreate isolated environment upon isolated program termination.

I was wondering if the ReHIPSUser profile could be re-created with any prior user tweaks fully intact.  Technically, I don't know if that is possible and potentially a stumbling block.  That's why I asked.

At least at a basic level, it appears to me that it is possible - if there is an isolated environment "configuration" file - something along the lines of a configuration *.ini or *.xml file - associated with the isolated environment and not deleted when ReHIPSUser is deleted.
If you use the application without isolation for a while until it's fixed as you like it, then when you isolate it and ReHIPS copies everything, it will be perfect on every isolated environment creation. Minus things that can't be copied like browser cookies, Outlook emails and in general anything associated with the user account.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 26, 2016, 01:55:43 pm
Isolated environment recreation is basically deletion and reinstallation from rules. Why completely delete? It may be compromised in any way, so it may be dangerous to keep some objects from old isolated environment. Why reinstallation from rules? Firstly, because these rules can be user-tweaked to suit any needs. And secondly, there are so called Special Objects (folders and registry keys) in RulesManager. They're processed when rules are being installed. But ReHIPS database doesn't have any information about these folders. So isolated environment recreation involves rules database.
It will be implemented as a checkbox in program settings. When all instances of the program with this option set are terminated, isolated environment will be recreated.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on September 27, 2016, 06:46:01 am
It will be implemented as a checkbox in program settings. When all instances of the program with this option set are terminated, isolated environment will be recreated.
exactly what i want !  ;)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on September 27, 2016, 09:23:31 am
Isolated environment recreation is basically deletion and reinstallation from rules. Why completely delete? It may be compromised in any way, so it may be dangerous to keep some objects from old isolated environment. Why reinstallation from rules? Firstly, because these rules can be user-tweaked to suit any needs. And secondly, there are so called Special Objects (folders and registry keys) in RulesManager. They're processed when rules are being installed. But ReHIPS database doesn't have any information about these folders. So isolated environment recreation involves rules database.
It will be implemented as a checkbox in program settings. When all instances of the program with this option set are terminated, isolated environment will be recreated.

OK, I get it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Raheel99 on September 27, 2016, 04:57:43 pm
After installation I got "Failed to open service link". I am using Comodo Firewall with a custom rule and Network was disabled. After getting this message, I temporarily disabled the firewall, after which Re-HIPS started from the desktop icon without any problem.
For rechecking I quit Re-HIPS, enabled the firewall and got the same message again.


Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 27, 2016, 05:03:36 pm
ReHIPS uses sockets to communicate with its service. Socket is open for local connections only. But looks like for some reason comodo blocks it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Raheel99 on September 27, 2016, 06:07:21 pm
ReHIPS uses sockets to communicate with its service. Socket is open for local connections only. But looks like for some reason comodo blocks it.

That is the reason that HIPServices32.exe and HIPGui32.exe are showing TCP ESTABLISHED connection to 127.0.0.1.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on September 28, 2016, 07:50:16 am
Do not tick "Filter Loopback Traffic" under COMODO firewall settings or create custom rules for HIPServices32 and HIPGui32 as required; see image.
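A way to check the two observations in the posts above (the service socket accepts local connections only, and the GUI and service hold an ESTABLISHED connection over 127.0.0.1), as an added example that is not part of the original posts and is not ReHIPS code. The process names are the ones given in the thread; the function names and report fields are illustrative.

```powershell
# Added example: audit the TCP sockets owned by the ReHIPS GUI and service.
# Process names come from the thread (HIPServices32.exe / HIPGui32.exe);
# other builds may use different names, so they are a parameter.

function Test-LoopbackAddress {
    param([string]$Address)
    # 127.0.0.0/8 and ::1 never leave the host.
    return ($Address -like '127.*') -or ($Address -eq '::1')
}

function Get-LocalIpcSocketReport {
    param([string[]]$ProcessName = @('HIPServices32', 'HIPGui32'))

    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "None of these processes is running: $($ProcessName -join ', ')"
        return
    }

    # Map PID -> process name. Keys are cast to [int] on both sides because
    # Get-Process returns Int32 ids and Get-NetTCPConnection returns UInt32.
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.Id] = $p.ProcessName }

    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $byPid.ContainsKey([int]$_.OwningProcess) } |
        ForEach-Object {
            $localOk = Test-LoopbackAddress $_.LocalAddress
            # A listener has no peer yet, so only its bind address matters.
            # A bind to 0.0.0.0 or :: is reported as not loopback-only.
            $remoteOk = ($_.State -eq 'Listen') -or
                        (Test-LoopbackAddress $_.RemoteAddress)
            [pscustomobject]@{
                Process      = $byPid[[int]$_.OwningProcess]
                State        = $_.State
                Local        = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
                Remote       = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                LoopbackOnly = $localOk -and $remoteOk
            }
        }
}

$report = @(Get-LocalIpcSocketReport)
if ($report.Count -gt 0) {
    $report | Format-Table -AutoSize
    $exposed = @($report | Where-Object { -not $_.LoopbackOnly })
    if ($exposed.Count -gt 0) {
        Write-Warning "$($exposed.Count) socket(s) are not confined to loopback."
    } else {
        Write-Output 'All sockets of the listed processes are loopback-only.'
    }
}
```

Rows with LoopbackOnly = True are the traffic that a firewall's loopback filtering option, such as the COMODO setting mentioned above, acts on.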
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Raheel99 on September 28, 2016, 05:00:10 pm
Thanks HJLBX. I have unticked loopback traffic and added a permanent rule and it's working fine.

Can we add and protect any specific registry key globally? While running malware, I allow it once in an isolated environment, from where we can add a registry key for RW. But the malware is injecting a DLL module into running processes like explorer, service, svchost etc., and this malicious module is checking and adding startup in the AppInit_DLLs registry key.

Allowing once also results in DLL file creation in c:\program files user\tmp windows\tmp folder and the log showing failed to start isolated program.......

Is it possible to globally restrict creation of executable files (dll, sys, drv, ocx etc) by the process?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Raheel99 on September 28, 2016, 05:15:34 pm
I am expecting that after allowing malware once, further alerts will pop up, like injecting DLL, DLL file creation etc., but unfortunately the malicious DLL attaches to DesktopTool32.exe, as you can see in the attached image. How about adding some tamper protection?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 28, 2016, 05:39:45 pm
By the dev a few posts above
Quote
ReHIPS itself monitors mostly process execution and some related stuff (like hashes of files being executed, parent-child relation, process command line). Additional monitoring includes file system and registry access to block some locations. When programs are executed in isolation, most of security is handled by certified Windows security subsystem.
So processes inside one isolated environment are free to do as they please, inject in other processes running in the same isolated environment, etc. But only inside this isolated environment. Processes in other isolated environments or non-isolated processes, including system processes are safe.

So ReHIPS doesn't monitor injecting within the isolated environment, nor file creation except the default locations you can see in the ReHIPS GUI. When an isolated environment is infected just delete and recreate it. The registry and anything created within that environment will be gone. In the release version you will be able to delete and recreate it on program shutdown automatically.
About globally restricting file creation of executables, it's not possible, but if they try to execute you will get an alert. Per isolated environment you can restrict locations which programs running with the specific environment can't access.
You can also make permanent rules about all of this that will take place on rule install (rule manager that will be released), so in result running a program you wish isolated or not and restricting and allowing access to the locations you want.

About DLL injecting in DesktopTool32 I don't have the knowledge to comment so will leave it to Fixer, but protection is offered by Service so in my simple mind it will not affect anything, plus when you delete the isolated environment the DLL will be gone.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Raheel99 on September 28, 2016, 06:30:01 pm
Thanks aDVll for the detailed explanation. Best practice should be to never ever allow an unknown process. I have read somewhere that a process is actually a container with at least one thread or many threads. The malware which I am testing is actually creating a thread once the DLL is loaded in memory through the Windows registry InitDLL key. One rootkit detection tool shows a message that "2 threads have been injected in to it. Do you want to kill them or not?". Clicking yes kills those threads and we can further investigate the infection.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 28, 2016, 07:12:26 pm
Thanks aDVll for the detailed explanation. Best practice should be to never ever allow an unknown process. I have read somewhere that a process is actually a container with at least one thread or many threads. The malware which I am testing is actually creating a thread once the DLL is loaded in memory through the Windows registry InitDLL key. One rootkit detection tool shows a message that "2 threads have been injected in to it. Do you want to kill them or not?". Clicking yes kills those threads and we can further investigate the infection.
In practice if you don't know if a file is safe or you think it can be exploited, run it isolated. Worst case scenario the file is infected and you delete the isolated environment. Sure it might drop some stuff in common locations where blocking access would break things in many cases, but you can restrict that even further if you know how the program you downloaded operates, or you delete them later.
I assume you didn't run it isolated though because you said it dropped something in program files and also injected other processes not running in the isolated environment.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Raheel99 on September 28, 2016, 07:32:55 pm
You are right, I didn't run the program isolated. Testing Re-Hips about showing some more alerts but it is still much better than Comodo HIPS. I am testing it inside VirtualBox using Shadow Defender.

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 28, 2016, 07:36:55 pm
You are right, I didn't run the program isolated. Testing Re-Hips about showing some more alerts but it is still much better than Comodo HIPS. I am testing it inside VirtualBox using Shadow Defender.
ReHIPS and Comodo HIPS are not the same because they have a different way to achieve protection. They are not really comparable because ReHIPS is trying to achieve protection mostly with isolation. The HIPS part is just for execution. The real protection comes from isolation.
Yeah, I saw the Shadow Defender sign, I just mentioned the cleaning remains in general.  ;)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on October 02, 2016, 08:28:23 am
Thanks HJLBX. I have unticked loopback traffic and added a permanent rule and it's working fine.

Can we add and protect any specific registry key globally? While running malware, I allow it once in an isolated environment, from where we can add a registry key for RW. But the malware is injecting a DLL module into running processes like explorer, service, svchost etc., and this malicious module is checking and adding startup in the AppInit_DLLs registry key.

Allowing once also results in DLL file creation in c:\program files user\tmp windows\tmp folder and the log showing failed to start isolated program.......

Is it possible to globally restrict creation of executable files (dll, sys, drv, ocx etc) by the process?

You mean by configuring COMODO rules or ReHIPS ?

As others have stated, ReHIPS' HIPS module is:


If you want much more control over processes, file creation, registry keys, etc - then use COMODO.  However, with all COMODO's power, I still choose something more simple - like ReHIPS.

So, isolated environment gets infected - so what ?  Delete isolated environment and start over with clean isolated environment.

No need to clean install OS.  No complicated cleanup of User Space directories.  No complicated registry\file system cleanup.

Don't keep valuable data\files in isolated environment...

That's it... simple.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Raheel99 on October 03, 2016, 03:45:17 pm
HJLBX, I mean configuring Re-HIPS. I already used Sandboxie, which also runs programs completely isolated, but using Re-HIPS where can I find out what files/folders have been created in isolated mode? I have seen folders rehipsuser1, rehipuser2... and so on in the user folder, but where are other modifications to windows, program files etc. folders saved by the isolated program? I assume it may be some temp folder but I have not checked it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on October 04, 2016, 09:09:48 am
where can I find out what files/folders have been created in isolated mode? I have seen folders rehipsuser1, rehipuser2... and so on in the user folder, but where are other modifications to windows, program files etc. folders saved by the isolated program? I assume it may be some temp folder but I have not checked it.

all are either in ReHIPSUsers folders or in the container on C:\ReHIPS or any folder you gave access to.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on October 04, 2016, 11:09:29 am
where can I find out what files/folders have been created in isolated mode? I have seen folders rehipsuser1, rehipuser2... and so on in the user folder, but where are other modifications to windows, program files etc. folders saved by the isolated program? I assume it may be some temp folder but I have not checked it.

all are either in ReHIPSUsers folders or in the container on C:\ReHIPS or any folder you gave access to.

As Umbra points out.

For vulnerable programs - like browser, office suite, etc - that are routinely exploited - it is recommended that you install them directly into their own individual, dedicated isolated environment (ReHIPSUser1, ReHIPSUser2,...,ReHIPSUserN) using DeployHelper.

Each ReHIPSUser is a separate user profile.  You can install a program only into that specific user profile - and not into the real user profile.  This keeps it isolated.  Isolated prevents damage to the real user profile.

As far as updates, whether a program is installed to real user or ReHIPSUser profiles I am not sure of all the technicalities.  You have to ask fixer.

I can understand your confusion.  Chrome is installed to C:\Program Files, is always run isolated, so how do updates get onto real system ?  Most soft updates involve directories in C:\Users\* and direct access to real file system from isolated environment is denied.

Alternatively, Chrome is installed to ReHIPSUser, is always run isolated, so how are updates handled ?

Ask fixer -- he will explain with more specific details than I am able.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 04, 2016, 11:14:14 am
Already did here
https://forum.re-crypt.com/index.php/topic,2419.msg4454.html#msg4454

and here with the exception
https://forum.re-crypt.com/index.php/topic,2498.msg4913.html#msg4913
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on October 05, 2016, 07:58:19 am
Thanks for links... I couldn't remember where they were and did not bother to search.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on October 08, 2016, 09:34:58 am
Where can I buy one of these ?:

ReCrypt matryoshka - correct ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on October 08, 2016, 11:12:54 am
It's a symbol of the Russian annual security conference ZeroNights (http://zeronights.org). At some previous conferences they were giving away these symbols, for example a matryoshka-shaped pillow. But I don't know if they're available for sale.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on October 08, 2016, 07:57:10 pm
It's a symbol of the Russian annual security conference ZeroNights (http://zeronights.org). At some previous conferences they were giving away these symbols, for example a matryoshka-shaped pillow. But I don't know if they're available for sale.

He needs ReCrypt shield on his chest...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 08, 2016, 08:38:11 pm
Yep he really does

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on October 08, 2016, 10:05:19 pm
Yep he really does

I'd definitely pay for that...

That's way cool DVII.

Bet you used MS Paint... LOL.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 08, 2016, 10:08:20 pm
Yep he really does

I'd definitely pay for that...

That's way cool DVII.

Bet you used MS Paint... LOL.
You got me. MS paint but obviously the preview. I know a guy that knows a guy and they gave the paint preview.  :P
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on October 09, 2016, 01:10:49 pm
Why use Photoshop when MS paint can do the same :P
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on October 11, 2016, 04:29:29 pm
I was unable to print from adobe PDF reader, it is isolated but not on separate desktop. It has desktop hook control.
how can I get it to connect to print spool or whatever it needs?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 11, 2016, 08:00:04 pm
I was unable to print from adobe PDF reader, it is isolated but not on separate desktop. It has desktop hook control.
how can I get it to connect to print spool or whatever it needs?
Normal printer or virtual printer?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on October 12, 2016, 10:12:26 am
LOL... I can't remember...  :o

Has keyboard key combo fast switching been implemented for switching back-and-forth between the isolated environment and the system desktop ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 12, 2016, 10:39:03 am
LOL... I can't remember...  :o

Has keyboard key combo fast switching been implemented for switching back-and-forth between the isolated environment and the system desktop ?
Ctrl+alt+I takes you to normal desktop.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on October 16, 2016, 08:17:05 am
Maybe a stupid question: is there a difference, in terms of security, if we untick "use separate desktop" while configuring an IE?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 16, 2016, 10:39:48 am
Maybe a stupid question: is there a difference, in terms of security, if we untick "use separate desktop" while configuring an IE?
https://forum.re-crypt.com/index.php/topic,1611.0.html
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on October 16, 2016, 11:10:58 am
Thanks bro.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 16, 2016, 11:14:42 am
Thanks bro.
No worries. If you care, I do some random sample testing from time to time for quality control and I never had issues with enabling hooks without a different desktop. Sure there is a possibility as fixer explained but probably it has to be a targeted attack, which doesn't worry me. My convenience is more important and the other software I use should cover anything that possibly manages to get out.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on October 17, 2016, 06:43:24 am
I have plenty to secure my back too, I was just asking for information, I was not sure if the question was asked already
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 17, 2016, 10:27:45 am
I have plenty to secure my back too, I was just asking for information, I was not sure if the question was asked already
I know. You have Fort Knox equivalent protection.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 19, 2016, 06:37:13 am
Hello,

I have installed v2.2.0RC2...However, I don't understand whether it is to start automatically, or is it an on demand installation, only.

It appears to me that it is on demand, only. Also, do I need to register the program, or because it is a beta, there is no need.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on October 19, 2016, 07:03:18 am
Hello,

I have installed v2.2.0RC2...However, I don't understand whether it is to start automatically, or is it an on demand installation, only.
It appears to me that it is on demand, only.   

No, it starts automatically, demo or full version. I guess you are using a SUA (Standard User Account), so the GUI won't start automatically on SUA. If that's the case, you have 2 solutions:

1- the simplest: in settings > Protection, set ReHIPS to Lockdown Mode (always), then the service will start silently without GUI. You will surely have some apps of yours blocked but you can whitelist them later (the best option is to whitelist them prior to entering lockdown mode).

2- create a scheduled task starting when you log on to the SUA, and launching HIPSGui64.exe, so the GUI will show up when you log on.

Quote
Also, do I need to register the program, or because it is a beta, there is no need.


If you register (aka you buy it ^^) you will have unlimited process isolation, while the free demo (as you are surely using actually) is limited to 10 processes (so bye bye using Chrome or other multi-process browsers)
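Option 2 from the post above, as an added example that is not part of the original post and is not ReCrypt's own procedure. The thread names the binary (HIPSGui64.exe) but not its folder, so the path is a placeholder parameter; the function name and task name are hypothetical, and it is assumed that the GUI runs without elevation.

```powershell
# Added example: register a logon task that starts the ReHIPS GUI for a
# standard user account (SUA). Run from an elevated PowerShell session.
function Register-RehipsGuiLogonTask {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Placeholder: '<ReHIPS install folder>\HIPSGui64.exe'
        [Parameter(Mandatory)][string]$GuiPath,
        # Account that logs on as SUA, e.g. 'PC01\standarduser' (constructed)
        [Parameter(Mandatory)][string]$User,
        # Hypothetical task name
        [string]$TaskName = 'ReHIPS GUI at logon'
    )

    # Only accept the binary the thread names, and only if it exists.
    if ([IO.Path]::GetFileName($GuiPath) -ne 'HIPSGui64.exe') {
        throw "Expected a path ending in HIPSGui64.exe, got: $GuiPath"
    }
    if (-not (Test-Path -LiteralPath $GuiPath -PathType Leaf)) {
        throw "File not found: $GuiPath"
    }

    # A logon task is an autostart point, so record what it will launch.
    # Whether the binary is signed is not stated in the thread: warn only.
    $sig = Get-AuthenticodeSignature -FilePath $GuiPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Authenticode status of $GuiPath is '$($sig.Status)'."
    }

    $action  = New-ScheduledTaskAction -Execute $GuiPath
    $trigger = New-ScheduledTaskTrigger -AtLogOn -User $User

    # Interactive + Limited: the GUI runs inside the user's own logon session
    # with the user's standard token, no stored password, no elevation.
    $principal = New-ScheduledTaskPrincipal -UserId $User `
        -LogonType Interactive -RunLevel Limited

    # A zero time limit means "no limit", so the scheduler does not stop
    # the GUI after the default execution time limit.
    $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
        -DontStopIfGoingOnBatteries -ExecutionTimeLimit ([TimeSpan]::Zero)

    if ($PSCmdlet.ShouldProcess($TaskName, 'Register scheduled task')) {
        Register-ScheduledTask -TaskName $TaskName -Action $action `
            -Trigger $trigger -Principal $principal -Settings $settings -Force
    }
}

# Dry run first (nothing is written), then drop -WhatIf to create the task:
# Register-RehipsGuiLogonTask -GuiPath '<ReHIPS install folder>\HIPSGui64.exe' `
#     -User 'PC01\standarduser' -WhatIf
```

Keeping the executable in a folder the standard user cannot write to matters here, because whatever sits at that path is started at every logon.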
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 19, 2016, 11:17:53 am
Hello,

I have installed v2.2.0RC2...However, I don't understand whether it is to start automatically, or is it an on demand installation, only.
It appears to me that it is on demand, only.   

No, it starts automatically, demo or full version. I guess you are using a SUA (Standard User Account), so the GUI won't start automatically on SUA; if that is the case, you have 2 solutions:

1- the simplest: in Settings > Protection, set ReHIPS to Lockdown Mode (always); then the service will start silently without the GUI. You will surely have some of your apps blocked, but you can whitelist them later (the best option is to whitelist them prior to entering lockdown mode).

2- create a scheduled task that starts when you log on to the SUA and launches HIPSGui64.exe, so the GUI will show up when you log on.

Quote
Also, do I need to register the program, or, because it is a beta, is there no need?


If you register (aka you buy it ^^) you will have unlimited process isolation, while the free demo (which you are surely using currently) is limited to 10 processes (so bye bye using Chrome or other multi-process browsers).


Thanks for your assistance and advice.  :)  I run Windows 10 Pro in admin mode.    ...So, that wasn't the problem of why it wasn't starting.

I went into the settings, and clicked on "Reset to defaults".  That fixed it, and it now runs at startup.

P.S.  How does one get to be part of the 'active users' group?

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 19, 2016, 11:19:25 am
Hello,

I have installed v2.2.0RC2...However, I don't understand whether it is to start automatically, or is it an on demand installation, only.
It appears to me that it is on demand, only.   

No, it starts automatically, demo or full version. I guess you are using a SUA (Standard User Account), so the GUI won't start automatically on SUA; if that is the case, you have 2 solutions:

1- the simplest: in Settings > Protection, set ReHIPS to Lockdown Mode (always); then the service will start silently without the GUI. You will surely have some of your apps blocked, but you can whitelist them later (the best option is to whitelist them prior to entering lockdown mode).

2- create a scheduled task that starts when you log on to the SUA and launches HIPSGui64.exe, so the GUI will show up when you log on.

Quote
Also, do I need to register the program, or, because it is a beta, is there no need?


If you register (aka you buy it ^^) you will have unlimited process isolation, while the free demo (which you are surely using currently) is limited to 10 processes (so bye bye using Chrome or other multi-process browsers).


Thanks for your assistance and advice.  :)  I run Windows 10 Pro in admin mode.    ...So, that wasn't the problem of why it wasn't starting.

I went into the settings, and clicked on "Reset to defaults".  That fixed it, and it now runs at startup.

P.S.  How does one get to be part of the 'active users' group?
Be active, report bugs, help users and wait.... It's like any forum.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 19, 2016, 11:24:24 am



Thanks for your assistance and advice.  :)  I run Windows 10 Pro in admin mode.    ...So, that wasn't the problem of why it wasn't starting.

I went into the settings, and clicked on "Reset to defaults".  That fixed it, and it now runs at startup.

P.S.  How does one get to be part of the 'active users' group?
Be active, report bugs, help users and wait.... It's like any forum.

I see, thank you.    ;)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 19, 2016, 11:25:41 am



Thanks for your assistance and advice.  :)  I run Windows 10 Pro in admin mode.    ...So, that wasn't the problem of why it wasn't starting.

I went into the settings, and clicked on "Reset to defaults".  That fixed it, and it now runs at startup.

P.S.  How does one get to be part of the 'active users' group?
Be active, report bugs, help users and wait.... It's like any forum.

I see, thank you.    ;)
You are welcome.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 19, 2016, 11:28:09 am
 I mucked up that BBS code, as I usually do.  :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 19, 2016, 12:58:28 pm
I am running Opera browser v40.0.2308.81...

"Demo limit of isolated programs reached"...I have to go into the log and delete program from the log, when it reaches the limit.

What is the point in participating in the beta, with such limitation?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 19, 2016, 01:47:54 pm
I am running Opera browser v40.0.2308.81...

"Demo limit of isolated programs reached"...I have to go into the log and delete program from the log, when it reaches the limit.

What is the point in participating in the beta, with such limitation?
It's to test the program. It gives you 10 processes for free (which is a lot for anything other than a multi-process browser), and if you want more you can buy the program.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on October 19, 2016, 07:34:46 pm
What is the point in participating in the beta, with such limitation?

Testing is not only surfing; it is also using other programs, 99% of which don't have more than 1-2 processes active at a time. Only Chromium-based browsers are limited. Not a big deal, you still have several mono-process browsers.

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 20, 2016, 12:31:37 am
I have a problem with GUI resolution, as per screenshot:



Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 20, 2016, 10:22:15 am
@Tarnak

What is the resolution?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 20, 2016, 10:40:19 am
If you look at the screenshot, carefully, it is obvious that under 'Protection mode:', that the five levels are not clearly shown, i.e. illegible.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 20, 2016, 10:46:22 am
If you look at the screenshot, carefully, it is obvious that under 'Protection mode:', that the five levels are not clearly shown, i.e. illegible.
I saw that, buddy. I want your PC resolution which creates the problem, so I can test it, if possible, on my setup.

Also, did you change the Windows scaling level?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 20, 2016, 12:38:59 pm
It is a known problem, apparently: "DPI scaling problem with some software running on Surface Book"  Google is your friend.  ;)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 21, 2016, 03:51:29 am
I have had a problem when booting up and logging in with my password on my Surface Book.  It takes a few minutes for the login window to go away after entering my password.  This only started after I had allowed a popup from ReHips, earlier.

....I wanted to place my image, here, but wasn't permitted to do so....


I have disabled ReHips from starting at boot via Task Manager.  This has enabled me to login without the delay, I mentioned above.   

The following line is taken from the rules log for ReHips:

20/10/2016 0:03:03 AM: Program C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe with PID 1840 executing program C:\Program Files (x86)\Panda Security\Panda Security Protection\bspatch.exe with PID 3876 - allowed with children inspection

Is there a way to reverse any change that occurred by my allowing that popup?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on October 21, 2016, 06:33:20 am
I have had a problem when booting up and logging in with my password on my Surface Book.  It takes a few minutes for the login window to go away after entering my password.  This only started after I had allowed a popup from ReHips, earlier.

....I wanted to place my image, here, but wasn't permitted to do so....


I have disabled ReHips from starting at boot via Task Manager.  This has enabled me to login without the delay, I mentioned above.   

The following line is taken from the rules log for ReHips:

20/10/2016 0:03:03 AM: Program C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe with PID 1840 executing program C:\Program Files (x86)\Panda Security\Panda Security Protection\bspatch.exe with PID 3876 - allowed with children inspection

Is there a way to reverse any change that occurred by my allowing that popup?

You are running:


together on a single system = problems because of the overlap of HIPS functionality with process inspection  by multiple programs beginning at boot.

bspatch.exe allows the virus signatures to be updated incrementally; it is a signatures update module.  It will run even if you have the virus component of Panda disabled.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 21, 2016, 08:09:00 am
@HJLBX

I believe that I can run these together...All have been running fine on Surface Book.

The only problem is with the introduction of ReHips.  That is the only HIPS specific program in my security setup.  Maybe, I could delay the startup of Rehips, for say, five minutes at bootup?  There is always a way to overcome a problem, surely?

Does anybody from ReHips, other than beta testers, give advice to address problems, when running the software?

P.S. If i reset the rules to default, wouldn't that fix the bspatch.exe problem?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on October 21, 2016, 09:08:35 am
@Tarnak

When you have Voodooshield + ReHIPS, you won't need Webroot or Panda, because the point of having anti-exe is to ditch real-time AVs (that hog the system).

Anti-exes are superior to AVs; if you have the skill to use anti-exes properly, you are already supposed to know that AVs are useless compared to them.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on October 26, 2016, 09:55:03 am
getting back to the problem printing from isolated Adobe PDF Reader:
I am not sure what kind of printing I am trying to do.
I just click on print, in Reader, but it doesn't connect to the printer.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 26, 2016, 10:21:55 am
getting back to the problem printing from isolated Adobe PDF Reader:
I am not sure what kind of printing I am trying to do.
I just click on print, in Reader, but it doesn't connect to the printer.
Anything blocked? Can you share logs while you try to print?
To start, I would try allowing network access to Adobe Reader in case it does some local communication to print the file. That's what it should need.
For example for me.

Quote
C:\Windows\System32\svchost.exe with PID 788 executing program C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\HPNetworkCommunicatorCom.exe with PID 1132 - allowed with children inspection
C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\HPNetworkCommunicatorCom.exe with PID 1132 execution - allowed
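The rules-log lines quoted in this post and in Tarnak's post of October 21 share one shape, so they can be parsed and correlated by PID when collecting logs for troubleshooting. This is an added example, not ReHIPS code and not written by any poster; the patterns are inferred only from the three lines quoted in this thread, the day-first date order is an assumption, and all function names are hypothetical.

```python
"""Parse ReHIPS rules-log lines of the two shapes quoted in this thread."""
import ntpath
import re
from collections import defaultdict
from datetime import datetime

# Optional "DD/MM/YYYY H:MM:SS AM: " prefix (the HP lines were quoted without it).
_TS = r"(?:(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?): )?"
# "<parent> with PID n executing program <child> with PID m - <verdict>"
_LAUNCH = re.compile(
    _TS + r"(?:Program )?(?P<parent>.+?) with PID (?P<parent_pid>\d+) "
    r"executing program (?P<child>.+?) with PID (?P<child_pid>\d+) - (?P<verdict>.+)$")
# "<image> with PID n execution - <verdict>"
_EXEC = re.compile(
    _TS + r"(?:Program )?(?P<child>.+?) with PID (?P<child_pid>\d+) "
    r"execution - (?P<verdict>.+)$")


def _parse_ts(raw):
    """Day-first date (assumption). Parsed by hand because the log writes
    midnight as '0:03:03 AM', which strptime's %I (1-12 only) rejects."""
    if raw is None:
        return None
    date_part, time_part = raw.split(" ", 1)
    clock, _, ampm = time_part.partition(" ")
    try:
        day, month, year = (int(x) for x in date_part.split("/"))
        hour, minute, second = (int(x) for x in clock.split(":"))
        if ampm == "PM" and hour < 12:
            hour += 12
        elif ampm == "AM" and hour == 12:
            hour = 0
        return datetime(year, month, day, hour, minute, second)
    except ValueError:
        return None


def parse_line(line):
    """Return a dict describing one log line, or None if it has neither shape."""
    line = line.strip()
    for kind, rx in (("launch", _LAUNCH), ("execution", _EXEC)):
        m = rx.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["kind"] = kind
        ev["time"] = _parse_ts(ev.pop("ts"))
        ev.setdefault("parent", None)
        ev.setdefault("parent_pid", None)
        for key in ("parent_pid", "child_pid"):
            if ev[key] is not None:
                ev[key] = int(ev[key])
        return ev
    return None


def parse_log(lines):
    return [ev for ev in map(parse_line, lines) if ev is not None]


def launches_by_parent(events):
    """Map parent image name -> [(child image name, verdict)], case-folded
    because Windows paths are case-insensitive."""
    tree = defaultdict(list)
    for ev in events:
        if ev["kind"] == "launch":
            parent = ntpath.basename(ev["parent"]).lower()
            child = ntpath.basename(ev["child"]).lower()
            tree[parent].append((child, ev["verdict"]))
    return dict(tree)


def decisions_for_pid(events, pid):
    """All recorded decisions for one process, in log order."""
    return [(ev["kind"], ev["verdict"]) for ev in events if ev["child_pid"] == pid]


# First three lines are copied from the posts in this thread; the last one is
# constructed noise (not ReHIPS output) to show that unknown lines are skipped.
SAMPLE_LOG = [
    r"20/10/2016 0:03:03 AM: Program C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe with PID 1840 executing program C:\Program Files (x86)\Panda Security\Panda Security Protection\bspatch.exe with PID 3876 - allowed with children inspection",
    r"C:\Windows\System32\svchost.exe with PID 788 executing program C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\HPNetworkCommunicatorCom.exe with PID 1132 - allowed with children inspection",
    r"C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\HPNetworkCommunicatorCom.exe with PID 1132 execution - allowed",
    "this line is not a rules-log entry",
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for parent, children in launches_by_parent(events).items():
        for child, verdict in children:
            print(f"{parent} -> {child}: {verdict}")
    print(decisions_for_pid(events, 1132))
```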
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on October 26, 2016, 12:10:00 pm
Hi, thanks
This time around, I reinstalled ReHIPS from scratch, and to my surprise, I have no problem printing from isolated Adobe Reader.
This is in spite of the fact that according to the settings, it does not seem to have access to print spool, see screenshot.
So I don't know how it prints, but it does.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 26, 2016, 12:16:37 pm
Only write is blocked. Glad you solved it, and I see you have network enabled, so maybe I was right.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on October 27, 2016, 06:47:19 am
Yes, only writes are blocked, not execution.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Blomkist on November 27, 2016, 12:58:03 am
Can I buy a license thru the application link, or is this just for the stable release version?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on November 27, 2016, 06:42:47 am
Can I buy a license thru the application link, or is this just for the stable release version?

I guess it is for the old stable version, but afterwards you can convert it by contacting the support/devs here. They will do it for you.
Better ask first before purchasing.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on November 27, 2016, 10:45:18 am
I bought through link, and the key I received was only good for old edition.
But Fixer gave me the key I needed, through PM.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Blomkist on November 27, 2016, 10:50:59 am
Thanks for the replies, I will test it for few days and see if it can be put permanently on my system.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on November 27, 2016, 10:55:21 am
You should be able to test it just fine with the demo version, with the exception of Chrome, because Chrome starts a lot of processes.
If you want to test Chrome in isolation, and you have extensions, you will probably have to use a default profile that has no extensions. Then, you hopefully won't go over the limit...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on December 29, 2016, 09:23:42 pm
just installed rehips,
and I've noticed that when you check Install initial rules (or something like that) in installer, rules will be installed after rehips run,
but I have to wait around 30s until the window with installing rules appears, so won't it be better to implement it in the installer window or make some notice/warning message that initial rules are not yet installed?

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on December 29, 2016, 09:32:53 pm
just installed rehips,
and I've noticed that when you check Install initial rules (or something like that) in installer, rules will be installed after rehips run,
but I have to wait around 30s until the window with installing rules appears, so won't it be better to implement it in the installer window or make some notice/warning message that initial rules are not yet installed?
You don't have to do anything else after you click install rules, so no reason for a warning. The GUI that pops up immediately says installing rules while it's installing (check image linked).
http://i.imgur.com/Bwb01nj.png

The initial rule installation window, when it appears, tells you not to close it and to wait (check image linked).
http://i.imgur.com/qTP4z3O.png

I believe everything is covered
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on December 29, 2016, 09:49:15 pm
ok I just didn't expect that it suddenly appear after a while
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on December 29, 2016, 10:03:54 pm
ok I just didn't expect that it suddenly appear after a while
I see what you mean. It's basically because the rehips installer, when you select install rules, calls rulepack, and that does the rule installing. The cmd-like window you see is rule pack.

When you do the rule install from the GUI no window appears. I assume the reason the devs made the window visible the first time is that you need to somehow know things are getting installed (the first rule install takes a few seconds).
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on December 30, 2016, 08:57:09 pm
is it normal that internet explorer will run isolated, if I launch it directly from C:\Program Files\Internet Explorer\iexplore.exe or via shortcut, but it won't run isolated if it's opened by another program, e.g. if you click on Order Licence in rehips registration window

internet explorer is set to be default browser (but I don't use it)

btw it is possible to somehow get notifications of windows notifications (from tray icons) and flashing icons in main desktop or other program message, because when I am working in virtual desktop I won't find out that something is happening in main desktop until I return back to it

also how does rehips handle different locale,
let's say that I will need to install non-unicode program in different locale
I will need to change my locale to that language and then reboot, after I will install program and then run it in newly created isolated environment after I am done I will change my locale back to default and reboot

so my question is:
If that isolated environment will retain different locale setting and I will be able to run and work with my program with default locale or I will still have to change locale and reboot

another question is how does rehips work with applocale

tia
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on December 30, 2016, 09:05:19 pm
Quote
is it normal that internet explorer will run isolated, if I launch it directly from C:\Program Files\Internet Explorer\iexplore.exe or via shortcut, but it won't run isolated if it's opened by another program, e.g. if you click on Order Licence in rehips registration window

internet explorer is set to be default browser (but I don't use it)
It's because the program that launches IE is set to execute programs not isolated (allow). If you want a program to launch other programs based on your already set rules (in your example, isolated), "execute programs" needs to be set to "inspect children".
http://i.imgur.com/RmUiCnR.png

Quote
btw it is possible to somehow get notifications of windows notifications (from tray icons) and flashing icons in main desktop or other program message, because when I am working in virtual desktop I won't find out that something is happening in main desktop until I return back to it
It's already added in the next version of rehips.

Quote
also how does rehips handle different locale,
let's say that I will need to install non-unicode program in different locale
I will need to change my locale to that language and then reboot, after I will install program and then run it in newly created isolated environment after I am done I will change my locale back to default and reboot

so my question is:
If that isolated environment will retain different locale setting and I will be able to run and work with my program with default locale or I will still have to change locale and reboot

another question is how does rehips work with applocale

tia
I never tried such a thing, but I would assume it will launch with the locale it would run with if not isolated by rehips. The program probably somehow saves what locale to use in its settings folder, which rehips doesn't mess with. Rehips just launches the program isolated as another user. If you try it you can tell us how it went.  ;)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on December 30, 2016, 09:46:12 pm
Quote
is it normal that internet explorer will run isolated, if I launch it directly from C:\Program Files\Internet Explorer\iexplore.exe or via shortcut, but it won't run isolated if it's opened by another program, e.g. if you click on Order Licence in rehips registration window

internet explorer is set to be default browser (but I don't use it)
It's because the program that launches IE is set to execute programs not isolated (allow). If you want a program to launch other programs based on your already set rules (in your example, isolated), "execute programs" needs to be set to "inspect children".
http://i.imgur.com/RmUiCnR.png

Quote
btw it is possible to somehow get notifications of windows notifications (from tray icons) and flashing icons in main desktop or other program message, because when I am working in virtual desktop I won't find out that something is happening in main desktop until I return back to it
It's already added in the next version of rehips.

Quote
also how does rehips handle different locale,
let's say that I will need to install non-unicode program in different locale
I will need to change my locale to that language and then reboot, after I will install program and then run it in newly created isolated environment after I am done I will change my locale back to default and reboot

so my question is:
If that isolated environment will retain different locale setting and I will be able to run and work with my program with default locale or I will still have to change locale and reboot

another question is how does rehips work with applocale

tia
I never tried such a thing, but I would assume it will launch with the locale it would run with if not isolated by rehips. The program probably somehow saves what locale to use in its settings folder, which rehips doesn't mess with. Rehips just launches the program isolated as another user. If you try it you can tell us how it went.  ;)

thx
I will try next time

btw
do you need to edit some setting, if you want to run a browser (or other programs) protected by another security program (e.g. EMET, MBAE or HMPA, ...)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on December 30, 2016, 10:02:59 pm
Quote
is it normal that internet explorer will run isolated, if I launch it directly from C:\Program Files\Internet Explorer\iexplore.exe or via shortcut, but it won't run isolated if it's opened by another program, e.g. if you click on Order Licence in rehips registration window

internet explorer is set to be default browser (but I don't use it)
It's because the program that launches IE is set to execute programs not isolated (allow). If you want a program to launch other programs based on your already set rules (in your example, isolated), "execute programs" needs to be set to "inspect children".
http://i.imgur.com/RmUiCnR.png

Quote
btw it is possible to somehow get notifications of windows notifications (from tray icons) and flashing icons in main desktop or other program message, because when I am working in virtual desktop I won't find out that something is happening in main desktop until I return back to it
It's already added in the next version of rehips.

Quote
also how does rehips handle different locale,
let's say that I will need to install non-unicode program in different locale
I will need to change my locale to that language and then reboot, after I will install program and then run it in newly created isolated environment after I am done I will change my locale back to default and reboot

so my question is:
If that isolated environment will retain different locale setting and I will be able to run and work with my program with default locale or I will still have to change locale and reboot

another question is how does rehips work with applocale

tia
I never tried such a thing, but I would assume it will launch with the locale it would run with if not isolated by rehips. The program probably somehow saves what locale to use in its settings folder, which rehips doesn't mess with. Rehips just launches the program isolated as another user. If you try it you can tell us how it went.  ;)

thx
I will try next time

btw
do you need to edit some setting, if you want to run a browser (or other programs) protected by another security program (e.g. EMET, MBAE or HMPA, ...)
No, you don't need to do anything in rehips. About HMPA, I know you need to add exceptions for rehips (rehips gui, agent, service) in the exploit mitigation module, or else the system and rehips have weird behaviour. About the rest of the programs, I don't think so, but if you notice anything weird, try exceptions for rehips first.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on December 31, 2016, 03:15:02 pm
how does rehips check which program is installed on PC

I have firefox installed on non-system disk partition with profile folder on other non-system partition

and rehips won't recognize I have firefox when installing rules

which 3rd-party programs are included in initial rules, is there list?

if rehips won't recognize the program is installed, it is possible to add option to manually apply rules with recommended setting from initial rule pack to that specific program

also
is there some security advantage if I use option Use Separate Desktop

will there be option to display border only when mouse is in window title and change color
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on December 31, 2016, 05:50:31 pm
how does rehips check which program is installed on PC

I have firefox installed on non-system disk partition with profile folder on other non-system partition

and rehips won't recognize I have firefox when installing rules

which 3rd-party programs are included in initial rules, is there list?

if rehips won't recognize the program is installed, it is possible to add option to manually apply rules with recommended setting from initial rule pack to that specific program

also
is there some security advantage if I use option Use Separate Desktop

will there be option to display border only when mouse is in window title and change color
If the program is not in the install program list and registry, rehips can't figure out it's there. It doesn't scan your whole PC to see if it finds something. You can create rules for Firefox manually and run it isolated though.
About default rules: when you create rules for portable Firefox, it applies those. In Firefox though you can remove hook control and different desktop because it's not needed.
Different desktop is only needed if hook control has to be enabled for an isolated program to work. When you have hook control enabled to have the same level of protection you need to enable different desktop.

Next releases will have something called rule pack which is an editable list of programs you use on your pc so you can for example change the firefox rules to include portable firefox in a specific location you have. Can't list all the programs that run isolated but it's most popular browsers and some office application and pdf applications.

About autohide border, a developer will need to answer you, but for color and size the option was there in 2.1 and was removed, so probably not. You can change it manually though from settings.xml (color is RGB but I'm not sure of the format, so the devs need to tell you, but you can do size easily) in the rehips install folder.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on December 31, 2016, 08:58:34 pm
will there be option to display border only when mouse is in window title and change color
You mean like in Sandboxie? That can be implemented, but is there any use for this? Personally I never used this feature. Am I missing something?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on January 01, 2017, 01:11:13 pm
will there be option to display border only when mouse is in window title and change color
You mean like in Sandboxie? That can be implemented, but is there any use for this? Personally I never used this feature. Am I missing something?

let's say, I would like to take some screenshot (for guide, ...), and I usually use red frame to specify location, button, ...,  so it can be confusing for my friends,
solution is to disable border, but still I would like to quickly determine if current program does run isolated

btw
licence is for one PC, right,
if I am multibooting can I use one licence for multiple OS, or do I need to order more licences
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on January 01, 2017, 01:17:20 pm
will there be option to display border only when mouse is in window title and change color
You mean like in Sandboxie? That can be implemented, but is there any use for this? Personally I never used this feature. Am I missing something?

let's say, I would like to take some screenshot (for guide, ...), and I usually use red frame to specify location, button, ...,  so it can be confusing for my friends,
solution is to disable border, but still I would like to quickly determine if current program does run isolated

btw
licence is for one PC, right,
if I am multibooting can I use one licence for multiple OS, or do I need to order more licences
Just don't focus the window when taking the screenshot and it will not have a red frame.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on January 02, 2017, 08:10:07 pm
Just don't focus the window when taking the screenshot and it will not have a red frame.

forgot about that, but still there is problem with menu bar
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on January 02, 2017, 08:13:01 pm
Just don't focus the window when taking the screenshot and it will not have a red frame.

forgot about that, but still there is problem with menu bar
Correct. In such case that you need to make tutorials then i guess go in setting and disable the border.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on January 03, 2017, 04:09:55 pm
I just ran process explorer and I noticed that svchost.exe (DcomLaunch) is using around 10 % CPU; after some testing I figured it started after I've installed rehips, so is this normal?

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on January 03, 2017, 04:16:19 pm
I just ran process explorer and I noticed that svchost.exe (DcomLaunch) is using around 10 % CPU; after some testing I figured it started after I've installed rehips, so is this normal?
No such behaviour was reported by anyone yet. Did you add the exception I told you about for HMPA and the other software you use?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on January 03, 2017, 04:22:26 pm
No such behaviour was reported by anyone yet. Did you add the exception I told you about for HMPA and the other software you use?

I am using "free" HMPA so no antiexploit
but maybe I need edit some setting for avast, just remember that it has HIPS in setting I think
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on January 03, 2017, 04:24:29 pm
No such behaviour was reported by anyone yet. Did you add the exception I told you about for HMPA and the other software you use?

I am using "free" HMPA so no antiexploit
but maybe I need edit some setting for avast, just remember that it has HIPS in setting I think
Yeah maybe. Try that and if not write down all the software you use with rehips to try and figure it out.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on January 03, 2017, 04:55:20 pm
No such behaviour was reported by anyone yet. Did you add the exception I told you about for HMPA and the other software you use?

I am using "free" HMPA so no antiexploit
but maybe I need edit some setting for avast, just remember that it has HIPS in setting I think
Yeah maybe. Try that and if not write down all the software you use with rehips to try and figure it out.

ok tried to add rehips folder to exception, still no change,
so I've tried to disable avast shields and reboot
And noticed that rehips gui won't start (forgot to check autostart after reinstall), svchost uses only 0.01 % CPU,
but after running HIPSGui64.exe, it will again use around 10 % even with avast disabled
rehips still works fine I can run programs isolated

if this helps I use MBAE free, wfc, HMPA "free", avast and sandboxie, I also have glasswire but it's disabled (services are not running)


 
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on January 03, 2017, 05:03:45 pm
No such behaviour was reported by anyone yet. Did you add the exception I told you for HMPA and the other software you use?

I am using "free" HMPA so no antiexploit
but maybe I need edit some setting for avast, just remember that it has HIPS in setting I think
Yeah maybe. Try that and if not write down all the software you use with rehips to try and figure it out.

ok tried to add rehips folder to exception, still no change,
so I've tried to disable avast shields and reboot
And noticed that rehips gui won't start (forgot to check autostart after reinstall), svchost uses only 0.01 % CPU,
but after running HIPSGui64.exe, it will again use around 10 % even with avast disabled
rehips still works fine I can run programs isolated

if this helps I use MBAE free, wfc, HMPA "free", avast and sandboxie, I also have glasswire but it's disabled (services are not running)
Hmm, tell me your CPU model if you don't mind. It's either a very old model or something is running again and again an infinite number of times, causing the CPU load. The reason it doesn't do it without HIPSgui is that without it rehips doesn't work (except if you enable lockdown mode).
So can I have your CPU model and logs?

EDIT: Also when you first installed rehips before adding rules and things was the cpu usage the same if you remember?

EDIT2: It will probably be a good idea to make a new topic with the issue. Easier for users and developers to notice and help.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on January 03, 2017, 05:19:00 pm
I have intel core i7-3610qm
after I've installed rehips and rules it also showed that usage, but I thought it was normal because I set it to learning mode

and where are logs

edit: ok i will create it
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on January 05, 2017, 01:45:36 pm
will there be option to display border only when mouse is in window title and change color
It makes sense, I'll add this to our TODO list.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Reset on January 13, 2017, 06:46:56 pm
Hi, developers.
I think ReHIPS has stayed in the beta status for quite a long time.
Do you plan to release a stable version and sell the license?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on January 13, 2017, 09:58:16 pm
Hello, Reset.
Yup, it's been a while. We want to make it perfect and hone it the best we can. Don't worry, I think it'll be released soon.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Reset on January 14, 2017, 01:10:49 am
Hello, Reset.
Yup, it's been a while. We want to make it perfect and hone it the best we can. Don't worry, I think it'll be released soon.

Hi fixer.
Thank you very much for your hard work!
I am looking forward to the stable version.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on February 24, 2017, 06:41:17 pm
It is possible to add lockdown mode to tray menu,
if possible as cascading menu with on/off option to avoid accidentally clicking on it,
popup window with warning should also work.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on February 24, 2017, 09:06:30 pm
It is possible to add lockdown mode to tray menu,
if possible as cascading menu with on/off option to avoid accidentally clicking on it,
popup window with warning should also work.
Thank you for your suggestion. This request is already in our TODO list. Earlier it was requested in: https://forum.re-crypt.com/index.php?topic=2105.msg5078#msg5078.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on February 27, 2017, 05:38:09 pm
cool

btw I've found bug
I like using portable apps
when I am copying folder with these apps from backup folder, I will usually rename created "copy" folder and run app in this folder, ReHIPS will try to look for files in not yet renamed "copy" folder, but because folder is already renamed it can't find files and thus ReHIPS will fail to hash these files

also you should add AVAST Software s.r.o. to trusted vendor
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on February 27, 2017, 05:41:06 pm
cool

btw I've found bug
I like using portable apps
when I am copying folder with these apps from backup folder, I will usually rename created "copy" folder and run app in this folder, ReHIPS will try to look for files in not yet renamed "copy" folder, but because folder is already renamed it can't find files and thus ReHIPS will fail to hash these files

also you should add AVAST Software s.r.o. to trusted vendor
Rehips whitelists by location and hash so if location or hash changes it means the file is not the same.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on February 27, 2017, 06:56:53 pm
but even if I whitelist it in new location it will still point to old location, in settings there will be two locations, one for older not yet renamed and newer with renamed folder,
and it's quite annoying when you run app which creates many child processes (chromium based browsers, ...)
and even if I delete both locations in, ReHIPS will still create popup and then again it will create rules for two locations
I don't know how to fix it
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on February 27, 2017, 07:02:29 pm
but even if I whitelist it in new location it will still point to old location, in settings there will be two locations, one for older not yet renamed and newer with renamed folder,
and it's quite annoying when you run app which creates many child processes (chromium based browsers, ...)
and even if I delete both locations in, ReHIPS will still create popup and then again it will create rules for two locations
I don't know how to fix it
Get me an image of the rules for a portable application that gives you this problem and then also attach the rehips logs after you run it, and we will see what is happening.

Thanks.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on February 27, 2017, 07:31:40 pm
I am usually in shadow mode so I can't/don't want to test other apps now

so I have tried different app (TCPViewPortable http://portableapps.com/apps/utilities/tcpview-portable), still same error

for rules you mean this? This is for renamed one
program path: Z:\1\TCPViewPortable.exe
windows user name: --------------
can execute programs: allow
can be executed: alert
can execute sub-programs: inapplicable
trust level (full green)
vendor: Rare Ideas, LLC (add to trusted)

for not yet renamed it's same except for path, no vendor, trust level and hash is empty

EDIT:
also the not yet renamed location should be red (files not found) but ReHIPS still thinks that files still exist, only if I restart GUI it will show files not found


Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on February 27, 2017, 08:26:55 pm
Thank you for your report, we've seen some issues with file renaming. Problem lies deep in file system internals and some Windows API functions keep returning the old file name. But we've got it in our TODO list to take a closer look at this issue.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on March 01, 2017, 06:16:47 pm
how does ReHIPS handle tray icons,

when I isolate MS word and then print document, printer will print it but there will be no print tray icon (I think it's generated by explorer process), so I can't check if there are some pending documents to print or cancel current print job

do I need to create rule to allow it appear?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 01, 2017, 07:34:35 pm
How do I get rid of the color border that I can see round the edge of the browser window? The browser is Opera. I wanted to post some screenshots in the ReHips topic at Wilders' forums, but I couldn't for some reason connected to the install of ReHips earlier, about 80 minutes ago.  These screenshots seem to show with the install of ReHips, that something seems to have affected my browser in some way.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 01, 2017, 07:38:45 pm
How do I get rid of the color border that I can see round the edge of the browser window? The browser is Opera. I wanted to post some screenshots in the ReHips topic at Wilders' forums, but I couldn't for some reason connected to the install of ReHips earlier, about 80 minutes ago.  These screenshots seem to show with the install of ReHips, that something seems to have affected my browser in some way.
It's just so you can identify that the browser is running isolated. If you don't want that, open rehips, click settings, then click advanced mode (on the left of the window), click on the tab called protection, untick Display isolation border and click ok.
After you have done this no border will show up.

EDIT: Check the video below for all the steps.

http://i.imgur.com/52QUaGn.gifv
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 01, 2017, 07:47:37 pm
Thanks.... That did the trick. But now I just got a popup which gives me the choice of OK/Buy, to do with "Demo limit of isolated programs reached". I clicked OK, of course, since this is beta testing. But why and for what have I reached the limit?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 01, 2017, 07:50:42 pm
Every time I try to open that image in the browser that you have in your post above, I get that Demo thing business. Annoying!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 01, 2017, 07:51:22 pm
The demo is limited to 10 isolated processes; Chromium-based browsers are multi-process browsers, so you reach the limit just by opening it. You may use FF or IE instead, until you decide to buy a license when the stable is released.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 01, 2017, 07:52:26 pm
Every time I try to open that image in the browser that you have in your post above, I get that Demo thing business. Annoying!
Opera is multi process. Which means each extension, tab, etc is a different process. Rehips unregistered(demo) version has a limit of 10 processes. When you pass that it gives you the msg you are talking about.
In the paid version there are no limits.

If you wish you can even buy now before it gets released. Contact Fixer for more information if you wish.

EDIT: Umbra was faster.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 01, 2017, 07:54:35 pm
But, I am a beta tester.  Trying to test. This is silly, that restriction should be lifted, at least while testing.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on March 01, 2017, 07:58:13 pm
Tarnak is annoyed. See? :D Chromium-based browsers shouldn't be allowed to launch in isolation when using the Free version. :) At best, offer the free users an upgrade option.

@Tarnak, only a few, the closed-beta testers, are given the privilege of getting the registered, unrestricted version. :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 01, 2017, 07:59:47 pm
I am sure @fixer will see these posts. ;)  I have been a long time tester of various security products. Just check at Wilders' forums.

Edit: looks like a post has been made while I was typing this
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 01, 2017, 08:00:11 pm
But, I am a beta tester.  Trying to test. This is silly, that restriction should be lifted, at least while testing.
Rehips is completely offline. So let's say the devs remove the restriction; then why would anyone buy the paid version and not use the beta version FOREVER?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 01, 2017, 08:01:08 pm
More disappointed, than annoyed....But, it is the developers choice!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 01, 2017, 08:03:13 pm
More disappointed, than annoyed....But, it is the developers choice!
There is nothing they can do and also keep the completely offline part of the program, which many will appreciate for the privacy it gives to its users. It's a tradeoff to make money and developers have to eat.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 01, 2017, 08:04:15 pm
But, I am a beta tester.  Trying to test. This is silly, that restriction should be lifted, at least while testing.

Just use IE or FF; the restriction is lifted only for closed-beta testers, and we were selected based on our active participation since the older versions.
The devs want to avoid passers-by or freeloaders. The demo allows you unlimited duration for testing; the only restriction is the number of processes, and using a single-process browser is enough to test it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on March 01, 2017, 08:05:50 pm
More disappointed, than annoyed....But, it is the developers choice!
Prove your worth. Post more often in this forum. Discovering bugs and posting some suggestions are always welcome. :) Follow my footsteps. :D
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 01, 2017, 08:08:26 pm
I don't use FF, not even installed on my Surface Book. So, no go, there. ;) I like Opera. But, I have Vivaldi installed, too. But, that will have the same problem as Opera.  I am a serious tester, and not fly-by-night.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 01, 2017, 08:08:35 pm
I am sure @fixer will see these posts. ;) I have been a long time tester of various security products. Just check at Wilders' forums.

But not for ReHIPS, despite the thread on Wilders existing for months   ;D

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 01, 2017, 08:13:56 pm
More disappointed, than annoyed....But, it is the developers choice!
Prove your worth. Post more often in this forum. Discovering bugs and posting some suggestions are always welcome. :) Follow my footsteps. :D

I tried with the version, when I first signed up here in October.  I ran into problems, and had conferred with Fixer by PM.  I was waiting for a newer version, which has eventuated months later. I can't help it if the developer, is frugal in the timing of releases.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 01, 2017, 08:16:14 pm
Prove your worth. Post more often in this forum. Discovering bugs and posting some suggestions are always welcome. :) Follow my footsteps. :D
Indeed Xhened was a demo user while I (and 2-3 others) were users since v1; we gave a lot of feedback so we get the gift.

I don't use FF, not even installed on my Surface Book. So, no go, there. ;) I like Opera. But, I have Vivaldi installed, too. But, that will have the same problem as Opera.  I am a serious tester, and not fly-by-night.

We don't say the opposite; it is a dev choice, so just prove your real interest to them, and with time you may be a closed beta tester too. :)
Just
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 01, 2017, 08:19:15 pm
I am trying, but I can't even get my screenshots posted which I am sure have something to do with Rehips being reinstalled on my system.  This limitation is a hindrance.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 01, 2017, 08:20:31 pm
Anyway, it's 3:20 am, and I am signing out....need some sleep!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 01, 2017, 08:21:24 pm
I am trying, but I can't even get my screenshots posted which I am sure have something to do with Rehips being reinstalled on my system.  This limitation is a hindrance.

so just select "disabled" on the tray icon, launch Opera and re-enable the protection. you will use Opera non-isolated.

or in the program section, remove Opera's rule (it may be a bit complicated for you to find out how at the beginning).
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on March 01, 2017, 10:58:12 pm
how does ReHIPS handle tray icons,

when I isolate MS word and then print document, printer will print it but there will be no print tray icon (I think it's generated by explorer process), so I can't check if there are some pending documents to print or cancel current print job

do I need to create rule to allow it appear?
I don't think it's about rules, but I haven't looked into this. Added to our TODO list to sort it out.

Tarnak
I understand your upset, it can be annoying, this message constantly popping up, I agree. Every time new isolated process above limit is started, it's killed and this message is shown. But if user never sees any limitations, why would he buy it? And I believe every build including beta ones should be as close to release version as possible including licensing, so potential users could evaluate it and have a better idea of what the release will be like. To some people this limitation is critical, to others it's not. But why not, we're always ready to take the first step towards our users, send me your HWID in PM and we'll think of something.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 02, 2017, 04:27:08 am
I think I made progress in trying to get an image posted: See my post at Wilders' forums a short time ago - https://www.wilderssecurity.com/threads/rehips.364248/page-23#post-2656650
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 02, 2017, 04:44:53 am

Tarnak
I understand your upset, it can be annoying, this message constantly popping up, I agree. Every time new isolated process above limit is started, it's killed and this message is shown. But if user never sees any limitations, why would he buy it? And I believe every build including beta ones should be as close to release version as possible including licensing, so potential users could evaluate it and have a better idea of what the release will be like. To some people this limitation is critical, to others it's not. But why not, we're always ready to take the first step towards our users, send me your HWID in PM and we'll think of something.

PM sent a short time ago. :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 02, 2017, 07:14:37 am
So, you can see I have installed this program, again, in the early hours of the morning, this time around. Not the best time to do so, I think . ;)

I am confused as to why I have 3 users for ReHips.  When I last tested ReHips in October/November, last year, I had two ReHips user folders. Just can't understand the rationale.




Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 02, 2017, 07:44:01 am
The more apps are isolated, the more users ReHIPS creates. Users are not based on the number of your Windows user accounts but on the number of Isolated Environments.

1 Isolated Environment = 1 ReHIPSuser
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 02, 2017, 10:35:55 am
Apologies this is a noob question and may have been addressed before in these 30 pages.

IIRC when I installed RC2 I had 3 ReHIPSUser accounts. When I received the link to RC4, I uninstalled RC2 and settings and installed RC4. I now have 8 ReHipsUser accounts of which 5, 6, 7 and 8 seem to be 'active' for Chrome, IE and Firefox.

Is it possible to delete the other earlier users (now seemingly unused) either through ReHIPs or some other means, or doesn't it matter - will they get reused at some point?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 02, 2017, 11:14:14 am
You can delete the old users, anyway ReHIPS will create new IEs/users for the apps concerned.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 02, 2017, 12:38:09 pm
Could be a coincidence, but after installing RC4 I have had a slew of 'DPC Watchdog Violation' BSODs and a general slow-down, so I have decided to roll back.
I like the idea of ReHIPS, so will no doubt embark on the 'learning curve' again, when I'm feeling stronger  :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: XhenEd on March 02, 2017, 02:03:34 pm
Could be a coincidence, but after installing RC4 I have had a slew of 'DPC Watchdog Violation' BSODs and a general slow-down, so I have decided to roll back.
I like the idea of ReHIPS, so will no doubt embark on the 'learning curve' again, when I'm feeling stronger  :)
That's the kind of issue that must be posted. If you feel that ReHIPS has something to do with the BSODs, then report that here for further investigations. :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 02, 2017, 02:24:00 pm
All I did was install ReHIPS RC4 and when I go back to previous image problem is gone.
But that BSOD seems to be an SSD-related driver issue. I don't have an SSD on that machine, and I doubt ReHIPS implements or modifies any drivers.
So it is probably something else ... unless someone else can replicate.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 02, 2017, 02:27:32 pm
Could be a coincidence, but after installing RC4 I have had a slew of 'DPC Watchdog Violation' BSODs and a general slow-down, so I have decided to roll back.
I like the idea of ReHIPS, so will no doubt embark on the 'learning curve' again, when I'm feeling stronger  :)
That's the kind of issue that must be posted. If you feel that ReHIPS has something to do with the BSODs, then report that here for further investigations. :)

That is the point of beta testing: get issues and report them, not just using a product and then, when you have issues, uninstalling the software and moving on.
Devs offer beta demos especially for that, so other users won't get it next time, especially when the stable release is near.

Create a thread, describe your system (OS, security softs installed) , describe when the issue appeared, on what conditions (what you did to get it), etc...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 02, 2017, 02:59:59 pm
OK. I just rolled back to earlier image to see if I still got the BSODs, and hopefully back in working order. So I've lost the dump infos now.
I will retry ReHIPS when I have more time, and if I get the same issue I will post a new thread.
FWIW it was on Win 10 Pro x64 v1607 14393.693 - WD | ZAL | Reason CS | VS | MB3 AE | AppCheck | Adguard | Sbie (not active) | Glasswire | Secure Folders
but not sure under what conditions, looked like while loading Firefox, but not always.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 02, 2017, 03:14:55 pm
FWIW it was on Win 10 Pro x64 v1607 14393.693 - WD | ZAL | Reason CS | VS | MB3 AE | AppCheck | Adguard | Sbie (not active) | Glasswire | Secure Folders
but not sure under what conditions, looked like while loading Firefox, but not always.

That is a lot of security apps, and I see:

- Sandboxie: not a good idea, even if inactive, the drivers are still present.
- MBAE, which surely injects DLLs into the ReHIPS process and may be the cause of the BSODs, as HMPA did before for me.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on March 02, 2017, 04:56:00 pm
 
All I did was install ReHIPS RC4 and when I go back to previous image problem is gone.
But that BSOD seems to be an SSD-related driver issue. I don't have an SSD on that machine, and I doubt ReHIPS implements or modifies any drivers.
So it is probably something else ... unless someone else can replicate.

that BSOD can be also caused by graphic or sound card, in your case I think it's related to sound card, ReHIPS has some issues with some drivers, I would try to update driver or use generic from Microsoft
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 02, 2017, 05:01:04 pm
All I did was install ReHIPS RC4 and when I go back to previous image problem is gone.
But that BSOD seems to be an SSD-related driver issue. I don't have an SSD on that machine, and I doubt ReHIPS implements or modifies any drivers.
So it is probably something else ... unless someone else can replicate.

that BSOD can be also caused by graphic or sound card, in your case I think it's related to sound card, ReHIPS has some issues with some drivers, I would try to update driver or use generic from Microsoft
What drivers does rehips have issues with? Rehips doesn't mess with other drivers, especially sound, except if you disable microphone from rehips settings which then disables your whole audio card.

Anyway, without a dump file nothing can be done and guessing doesn't help.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on March 02, 2017, 05:07:04 pm
that BSOD can be also caused by graphic or sound card, in your case I think it's related to sound card, ReHIPS has some issues with some drivers, I would try to update driver or use generic from Microsoft
There indeed are some issues with some sound card drivers. But they aren't ReHIPS-related and can't cause BSOD. It's just that a simple user-mode request polling the status of sound devices takes some time to complete, eating CPU, a lot more time than on the default Windows driver. So it's not some incompatibility with ReHIPS and I don't think it can cause BSOD. Anyway I'm afraid I won't be able to advise or say something specific without a dump.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on March 02, 2017, 05:07:48 pm
you know that I have issue with cpu usage for svchost, @fixer already knows why

Quote from: fixer
CPU usage is indeed the issue, we also noticed it on one of our test PCs. The root of the problem are some vendor drivers that take some time to process requests unlike default Windows drivers.

in @paulderdash case it may or may not relate to it
EDIT:
ok
so it's probably not caused by ReHIPS
IIRC my friend has same BSOD, he's said that he has to update some driver to fix it

btw
@fixer
could you add option to refresh database, I am using portable apps, and when I don't have USB flash connected to PC, ReHIPS will show file not found, but after connecting it will still show file not found, unless I restart GUI

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 02, 2017, 05:23:02 pm

What drivers does rehips have issues with? Rehips doesn't mess with other drivers, especially sound, except if you disable microphone from rehips settings which then disables your whole audio card.


I certainly can attest to that, when I disabled the microphone through settings in ReHips. But, I fixed as per the screenshots, attached.

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 02, 2017, 05:25:04 pm

What drivers does rehips have issues with? Rehips doesn't mess with other drivers, especially sound, except if you disable microphone from rehips settings which then disables your whole audio card.


I certainly can attest to that, when I disabled the microphone through settings in ReHips. But, I fixed as per the screenshots, attached.

It's by design though. There is no other elegant way to disable the microphone.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 02, 2017, 05:30:39 pm

What drivers does rehips have issues with? Rehips doesn't mess with other drivers, especially sound, except if you disable microphone from rehips settings which then disables your whole audio card.


I certainly can attest to that, when I disabled the microphone through settings in ReHips. But, I fixed as per the screenshots, attached.

It's by design though. There is no other elegant way to disable the microphone.


Not critical, and not blaming ReHips....since I have both camera and microphone disabled on my Surface Book. ;) Just go into "Privacy Settings" in Windows 10.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on March 02, 2017, 05:31:34 pm
It's by design though. There is no other elegant way to disable the microphone.

what about this

right click on the sound tray icon, click on recording device, right click on selected microphone and disable it
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on March 02, 2017, 05:36:14 pm
right click on the sound tray icon, click on recording device, right click on selected microphone and disable it
In this case any program can enable it back, even the isolated one. So it won't do.

We chose to disable sound card completely not just because there is no other secure way to do it nice and easy. According to latest research (I don't remember the link, but I can find it if you're interested, or you can google for it) sound can be recorded even with headphones plugged into headphones output. So to secure it completely we disable sound card. And it needs admin rights to enable it back. So no isolated program can do it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on March 02, 2017, 05:42:02 pm
right click on the sound tray icon, click on recording device, right click on selected microphone and disable it
In this case any program can enable it back, even the isolated one. So it won't do.

We chose to disable sound card completely not just because there is no other secure way to do it nice and easy. According to latest research (I don't remember the link, but I can find it if you're interested, or you can google for it) sound can be recorded even with headphones plugged into headphones output. So to secure it completely we disable sound card. And it needs admin rights to enable it back. So no isolated program can do it.

you don't need to, I think I read it too,
btw it is possible to implement in ReHIPS option to choose which sound card to disable
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 02, 2017, 05:45:59 pm
It's by design though. There is no other elegant way to disable the microphone.

what about this

right click on the sound tray icon, click on recording device, right click on selected microphone and disable it

Just like, so. :)  BTW, it was disabled.  I need playback for youtube, etc.



Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on March 02, 2017, 08:27:53 pm
could you add option to refresh database, I am using portable apps, and when I don't have USB flash connected to PC, ReHIPS will show file not found, but after connecting it will still show file not found, unless I restart GUI
We will think about returning the refresh button that was removed several builds ago.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 03, 2017, 05:00:14 am
I had ReHIPS disabled, yesterday.  But, this morning after starting my Surface Book laptop, I re-enabled ReHIPS.

I then loaded my browser, and immediately in quick succession the following happened [see screenshots], after which the browser was then OK to carry on.

Obviously, this shouldn't occur.



Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 03, 2017, 06:03:39 am
After a temporary removal of the 'number of tabs' limit, courtesy of @fixer: The next time I started Opera, I didn't see any of those error messages, mentioned in my preceding post.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 03, 2017, 06:21:08 am
After a temporary removal of the 'number of tabs' limit, courtesy of @fixer: The next time I started Opera, I didn't see any of those error messages, mentioned in my preceding post.

That is good for Chromium users. As we told you, it was because the demo limits by processes, maybe considering the number of isolated applications instead would be better for a demo.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 03, 2017, 07:46:02 am
After a temporary removal of the 'number of tabs' limit, courtesy of @fixer: The next time I started Opera, I didn't see any of those error messages, mentioned in my preceding post.

That is good for Chromium users. As we told you, it was because the demo limits by processes, maybe considering the number of isolated applications instead would be better for a demo.

Yes....I agree, because in Opera, it is so easy to end up with twenty or more tabs open.  I end up with that, quite regularly, per browser session. But, I can see the devs' point of view, too. ;) :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 04, 2017, 11:13:20 am
OK. I just rolled back to earlier image to see if I still got the BSODs, and hopefully back in working order. So I've lost the dump infos now.
I will retry ReHIPS when I have more time, and if I get the same issue I will post a new thread.
FWIW it was on Win 10 Pro x64 v1607 14393.693 - WD | ZAL | Reason CS | VS | MB3 AE | AppCheck | Adguard | Sbie (not active) | Glasswire | Secure Folders
but not sure under what conditions, looked like while loading Firefox, but not always.
I installed RC4 again and got the 'DPC Watchdog Violation' again. Note I had also uninstalled Sandboxie this time, and disabled all MB3 protection i.e. including AE.
The BSOD occurred when I tried to execute a Bvckup2 backup, before Bvckup2 loaded, but I have had other conditions previously.
Attaching a minidump. Not sure if it will show the necessary. As I've said before it may not be ReHIPS, though it seems to occur only when I have it installed.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 04, 2017, 11:19:27 am
OK. I just rolled back to earlier image to see if I still got the BSODs, and hopefully back in working order. So I've lost the dump infos now.
I will retry ReHIPS when I have more time, and if I get the same issue I will post a new thread.
FWIW it was on Win 10 Pro x64 v1607 14393.693 - WD | ZAL | Reason CS | VS | MB3 AE | AppCheck | Adguard | Sbie (not active) | Glasswire | Secure Folders
but not sure under what conditions, looked like while loading Firefox, but not always.
I installed RC4 again and got the 'DPC Watchdog Violation' again. Note I had also uninstalled Sandboxie this time, and disabled all MB3 protection i.e. including AE.
The BSOD occurred when I tried to execute a Bvckup2 backup, before Bvckup2 loaded, but I have had other conditions previously.
Attaching a minidump. Not sure if it will show the necessary. As I've said before it may not be ReHIPS, though it seems to occur only when I have it installed.
Something is messing with the kernel so Fixer that is smarter than me will check the dmp. Btw all MBAM and ZAM drivers are still loaded so if i was a gambler i would bet they don't play well together under certain conditions. Maybe something gets crazy when rehips is installed with this 2. Hopefully fixer can figure this out from the dmp.

Does the crash happen every time you use bvckup2 now?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 04, 2017, 12:08:27 pm
So far I haven't had a crash this morning. Holding thumbs.
I have just started Bvckup2 and it IS running fine this time, so it is some other condition.
The only other thing I have done is disable camera and microphone, but @fixer earlier commented that that was probably not a cause. Hope the minidump shows enough infos.
Maybe it is the MB3 or ZAL drivers.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 04, 2017, 12:12:24 pm
Remove totally the other apps, you can't find an issue by just disabling the features, drivers have to be removed, especially with anti-exploits which are always the sources of severe issues
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 04, 2017, 12:23:51 pm
I will if the issue recurs. At the moment I just want to see how ReHIPS 'fits in' and check it out. Else I may revert to Sandboxie, yes I know it is a different beast :)
And I know you deem the anti-malwares unnecessary. I am pretty sure you are right if ReHIPS is used properly.
Btw I am intrigued - how then do you get HMPA to run alongside ReHIPS then? What changes did you have to make?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 04, 2017, 02:23:13 pm
Another minidump - the fifth since I installed RC4 (all the same 'DPC Watchdog Violation', so not sure if an additional minidump is helpful). This time during or after loading Firefox (I wasn't at my PC).

Edit: @Fixer I assume you will post here if you do spot something (or not)? I guess I should have started a new thread for my issue.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 04, 2017, 02:47:57 pm
Btw I am intrigued - how then do you get HMPA to run alongside ReHIPS then? What changes did you have to make?

I added 3 of ReHIPS processes into HMPA exclusions (was mandatory for the first beta of v2.2)  but now it seems not necessary, but i still do it in case of...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on March 04, 2017, 09:44:47 pm
Another minidump - the fifth since I installed RC4 (all the same 'DPC Watchdog Violation', so not sure if an additional minidump is helpful). This time during or after loading Firefox (I wasn't at my PC).

Edit: @Fixer I assume you will post here if you do spot something (or not)? I guess I should have started a new thread for my issue.
Both minidumps point to one problem, but contain little information. Can you get full kernel memory dump (https://msdn.microsoft.com/en-us/library/windows/hardware/ff542953(v=vs.85).aspx) and send me link to it to PM?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 05, 2017, 09:37:19 am
Thanks @crasher. Set it up for a kernel memory dump, and it crashed shortly afterwards. Will send you a PM.
I suspect it is Malwarebytes 3 (AE module), or Zemana Anti-Logger or Reason Core Security (recently playing with that), as others have said, which should be removed.
If the crash has nothing to do with ReHIPS, my apologies for wasting your time!

Edit: PM sent.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on March 05, 2017, 12:02:43 pm
I have program which I have allowed to run, but sometimes I would like to run it isolated

Instead of right clicking and selecting "Run isolated in ReHIPS", I would like to create shortcut for it to run isolated.
is this possible?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 05, 2017, 12:05:09 pm
I have program which I have allowed to run, but sometimes I would like to run it isolated

Instead of right clicking and selecting "Run isolated in ReHIPS", I would like to create shortcut for it to run isolated.
is this possible?
Nope not possible to make such shortcut. What you can do is run isolated in rehips for the specific program and let it create a new IE for it and when you want to run it not isolated disable rehips, launch it and then enable rehips again.

EDIT: I assumed it's not a portable application that you can just make a copy and launch that.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on March 05, 2017, 01:12:01 pm
I have program which I have allowed to run, but sometimes I would like to run it isolated

Instead of right clicking and selecting "Run isolated in ReHIPS", I would like to create shortcut for it to run isolated.
is this possible?
Nope not possible to make such shortcut. What you can do is run isolated in rehips for the specific program and let it create a new IE for it and when you want to run it not isolated disable rehips, launch it and then enable rehips again.

EDIT: I assumed it's not a portable application that you can just make a copy and launch that.

it's not portable application
I am testing firefox nightly, I am running it alongside stable

I had created shortcut and it seems to work, but I don't know if correctly

"C:\Program Files\ReCrypt\ReHIPS\RunRestricted64.exe" "C:\Program Files\Nightly\firefox.exe"  -p nightly -no-remote
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 05, 2017, 01:43:44 pm
I have program which I have allowed to run, but sometimes I would like to run it isolated

Instead of right clicking and selecting "Run isolated in ReHIPS", I would like to create shortcut for it to run isolated.
is this possible?
Nope not possible to make such shortcut. What you can do is run isolated in rehips for the specific program and let it create a new IE for it and when you want to run it not isolated disable rehips, launch it and then enable rehips again.

EDIT: I assumed it's not a portable application that you can just make a copy and launch that.

it's not portable application
I am testing firefox nightly, I am running it alongside stable

I had created shortcut and it seems to work, but I don't know if correctly

"C:\Program Files\ReCrypt\ReHIPS\RunRestricted64.exe" "C:\Program Files\Nightly\firefox.exe"  -p nightly -no-remote
That seems clever and never thought of it. Good work. If you can see it in isolated program list in rehips(enable advanced mode from main gui) then it works. If not i will test it in a bit and tell you how it went.

EDIT: It works. Well done.
Remember to change the default rules for firefox in rehips to allow and when you want it to run isolated run your shortcut.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on March 05, 2017, 02:00:26 pm
it's working but some programs  will not be child process of rehips but outside (I use Process Explorer to watch processes)
I am not familiar how this work, but ReHIPS says it's isolated (in GUI and red border) so I think it's okay
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 05, 2017, 02:02:38 pm
it's working but some programs  will not be child process of rehips but outside (I use Process Explorer to watch processes)
I am not familiar how this work, but ReHIPS says it's isolated (in GUI and red border) so I think it's okay
You can always check on what user account they are running in process explorer. Then you will know when it's rehips and when not but i never seen rehips gui showing the wrong info.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on March 05, 2017, 02:05:19 pm
it's working but some programs  will not be child process of rehips but outside (I use Process Explorer to watch processes)
I am not familiar how this work, but ReHIPS says it's isolated (in GUI and red border) so I think it's okay
You can always check on what user account they are running in process explorer. Then you will know when it's rehips and when not but i never seen rehips gui showing the wrong info.

thx, forgot about that
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 05, 2017, 03:21:00 pm
it's working but some programs  will not be child process of rehips but outside (I use Process Explorer to watch processes)
I am not familiar how this work, but ReHIPS says it's isolated (in GUI and red border) so I think it's okay

some child processes of FF need to be run isolated too (plug-in container.exe especially), so you have to add it to the same IE as FF.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on March 05, 2017, 07:13:20 pm
Thanks @crasher. Set it up for a kernel memory dump, and it crashed shortly afterwards. Will send you a PM.
I suspect it is Malwarebytes 3 (AE module), or Zemana Anti-Logger or Reason Core Security (recently playing with that), as others have said, which should be removed.
If the crash has nothing to do with ReHIPS, my apologies for wasting your time!

Edit: PM sent.

Thank you for your dump. Try to remove or fully disable product with gwdrv driver (I think it is GlassWire).
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 06, 2017, 09:03:30 am
It is indeed Glasswire. I'll uninstall it later to confirm if it solves the problem and report back.

Edit 1: @crasher btw Excellent sleuthing, and dedication (reading kernel dumps on a Sunday night)  8)

Assuming you are correct and it is gwdrv driver (Glasswire is now uninstalled, no crashes so far, so I'm sure you are right) - if it is an incompatibility, is there any chance of making ReHIPS compatible with Glasswire, or would a change need to be made from the Glasswire side? Glasswire is essentially a Windows firewall monitor / interface. I would like to keep it as I have a paid lifetime license ...

Edit 2: I have also alerted Glasswire to this issue on their uninstall feedback screen, and asked also if they could reach out to you.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on March 06, 2017, 12:05:08 pm
Assuming you are correct and it is gwdrv driver (Glasswire is now uninstalled, no crashes so far, so I'm sure you are right) - if it is an incompatibility, is there any chance of making ReHIPS compatible with Glasswire, or would a change need to be made from the Glasswire side?

We will investigate this problem more deeply, but it does not seem that the problem is on our side.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 06, 2017, 12:10:56 pm
After a while I'll try reinstalling Glasswire to see if the problem reappears. Maybe installing GW after ReHIPS could solve it.
Else, let's hope they fix it on their side (see my Edit: 2 above).

Edit 1: Is anyone else here using Glasswire successfully with ReHIPS?

Edit 2: I think I didn't have this issue before with RC2, but at that time I was using the Glasswire free version.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on March 06, 2017, 03:55:29 pm
it's working but some programs  will not be child process of rehips but outside (I use Process Explorer to watch processes)
I am not familiar how this work, but ReHIPS says it's isolated (in GUI and red border) so I think it's okay

some child processes of FF need to be run isolated too (plug-in container.exe especially), so you have to add it to the same IE as FF.

I don't use plugins, so I don't need to.

After a while I'll try reinstalling Glasswire to see if the problem reappears. Maybe installing GW after ReHIPS could solve it.
Else, let's hope they fix it on their side (see my Edit: 2 above).

Edit 1: Is anyone else here using Glasswire successfully with ReHIPS?

Edit 2: I think I didn't have this issue before with RC2, but at that time I was using the Glasswire free version.

I used to use glasswire free, no problem at all with RC2 too.
I just installed it in shadow mode (Shadow Defender) and no BSOD, but I noticed that that paid version has two additional monitors, one for network device and second for camera and mic.




Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 06, 2017, 06:29:20 pm
After a while I'll try reinstalling Glasswire to see if the problem reappears. Maybe installing GW after ReHIPS could solve it.
Else, let's hope they fix it on their side (see my Edit: 2 above).

Edit 1: Is anyone else here using Glasswire successfully with ReHIPS?

Edit 2: I think I didn't have this issue before with RC2, but at that time I was using the Glasswire free version.
Quote from: Ozone
I used to use glasswire free, no problem at all with RC2 too.
I just installed it in shadow mode (Shadow Defender) and no BSOD, but I noticed that that paid version has two additional monitors, one for network device and second for camera and mic.
Thanks @Ozone.
I subsequently saw in MalwareTips you had used Glasswire, and thanks for confirming compatibility of Glasswire free with RC2.
Perhaps it is the paid version with additional monitors (drivers?) that caused a conflict on my machine. Ticking / unticking antispy camera and microphone in ReHIPS did not make a difference, but I guess the mere co-existence of the drivers could be the issue.
I have had no crashes today. I will try reinstalling first Glasswire free, then paid, tomorrow, and report back.
@crasher @fixer Will you let us know of any further research developments?  I apologise Glasswire issue is not in a different thread ... should I still start one?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on March 06, 2017, 06:52:27 pm
@crasher @fixer Will you let us know of any further research developments?  I apologise Glasswire issue is not in a different thread ... should I still start one?
Try to reproduce this crash and if you can, create new thread, we will reproduce and investigate it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 07, 2017, 09:50:37 am
I don't use plugins, so I don't need to.

This is not a plugin, this is a needed exe for FF to function properly, you can see it in the FF install folder. It must be allowed in the same isolated environment as firefox.exe.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on March 07, 2017, 12:39:25 pm
I don't use plugins, so I don't need to.

This is not a plugin, this is a needed exe for FF to function properly, you can see it in the FF install folder. It must be allowed in the same isolated environment as firefox.exe.

it's mainly used for plugins, in some version of multi-process FF (e10S) it is used sometimes for tab, but with nightly 54 (x64) I haven't seen plugins-container.exe running, instead I see several child firefox.exe processes running

even ReHIPS hasn't created a rule for it

but of course I have plugins-container.exe in same IE for stable FF (e10S is enabled/disabled, it depends if I enable/disable some addons) but with stable FF I visit only sites related with work, and I haven't encountered plugins-container.exe


Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 07, 2017, 03:59:58 pm
it's mainly used for plugins, in some version of multi-process FF (e10S) it is used sometimes for tab, but with nightly 54 (x64) I haven't seen plugins-container.exe running, instead I see several child firefox.exe processes running

even ReHIPS hasn't created a rule for it

but of course I have plugins-container.exe in same IE for stable FF (e10S is enabled/disabled, it depends if I enable/disable some addons) but with stable FF I visit only sites related with work, and I haven't encountered plugins-container.exe
so you are good
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 08, 2017, 06:51:02 am
I know that I had this problem with GUI lack of clarity, when I was testing in October, and I mentioned it back then. Still, occurring, for me. See the difference in the following images:




Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on March 08, 2017, 09:05:28 am
i never had this kind of problem, maybe it is a local issue on your system (or maybe the language implementation)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: paulderdash on March 08, 2017, 09:34:45 am
@crasher @fixer Will you let us know of any further research developments?  I apologise Glasswire issue is not in a different thread ... should I still start one?
Try to reproduce this crash and if you can, create new thread, we will reproduce and investigate it.
I reinstalled Glasswire yesterday, but so far have not been able to reproduce it. Thankfully.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 08, 2017, 11:07:05 am
@Tarnak
Do you use scaling in windows?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 08, 2017, 12:04:01 pm
No, I don't. I wouldn't know how, anyway. It would probably need a change to the windows registry.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 08, 2017, 12:13:10 pm
No, I don't. I wouldn't know how, anyway. It would probably need a change to the windows registry.
Assuming you use windows 10 then no. Windows does it on its own. Can you please check and if it's not at 100% change it to that and see how it looks?

Control Panel\All Control Panel Items\Display and there you click set a custom scaling level.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on March 08, 2017, 01:36:13 pm
I know that I had this problem with GUI lack of clarity, when I was testing in October, and I mentioned it back then. Still, occurring, for me. See the difference in the following images:

We are testing the GUI with font scaling up to 125%. HiDPI monitor support is planned for the next release.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 08, 2017, 03:17:20 pm
No, I don't. I wouldn't know how, anyway. It would probably need a change to the windows registry.
Assuming you use windows 10 then no. Windows does it on its own. Can you please check and if it's not at 100% change it to that and see how it looks?

Control Panel\All Control Panel Items\Display and there you click set a custom scaling level.

I have a Surface Book, which is a Microsoft first, and of course it comes with Windows 10 Pro.

I have never ever accessed Control Panel > Display, so everything [settings] is default. It would not be prudent to change scaling, as it may lead to undesirable results, as it warns.





Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on March 08, 2017, 03:49:00 pm
No, I don't. I wouldn't know how, anyway. It would probably need a change to the windows registry.
Assuming you use windows 10 then no. Windows does it on its own. Can you please check and if it's not at 100% change it to that and see how it looks?

Control Panel\All Control Panel Items\Display and there you click set a custom scaling level.

I have a Surface Book, which is a Microsoft first, and of course it comes with Windows 10 Pro.

I have never ever accessed Control Panel > Display, so everything [settings] is default. It would not be prudent to change scaling, as it may lead to undesirable results, as it warns.
Yep, 200% it's too much for rehips gui i guess. Maybe rehips devs can change it so it looks ok even at this huge scaling.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on March 08, 2017, 03:52:06 pm
I think the ball is in their court, so to speak. I can't change anything.  ;)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on April 05, 2017, 10:02:03 pm
I found another issue with path names
I am trying ImDisk (https://sourceforge.net/projects/imdisk-toolkit/) and ReHIPS will fail to hash apps in this ramdisk

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 05, 2017, 11:41:51 pm
Looks like its driver is quite limited in capabilities and ignores documentation. It's a file system driver, so it emulates file system access. But it doesn't support all the queries the standard driver supports. For example GetFinalPathNameByHandle API flag FILE_NAME_NORMALIZED isn't handled at all. And FILE_NAME_OPENED flag only supports VOLUME_NAME_NT flag, but filename returned isn't accepted by CreateFile. Or QueryFullProcessImageName with 0 flag is supposed to return Win32 path format, but it returns native system path format. So it's definitely not ReHIPS bug, but I'll take a look, maybe I'll be able to find some workarounds.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on April 06, 2017, 09:33:53 am
after little research I found out why,

Quote
ImDisk Virtual Disk Driver is designed to be a small, simple and yet powerful virtual disk driver. It runs on very old versions of Windows NT as well as modern Windows versions. However, because of this compatibility design and because it emulates disk volumes rather than complete disks, it is not always compatible with all applications and drivers. For instance, you cannot manage things like mount points, drive letters and similar for ImDisk drives using mountvol command line tool or in Disk Management in Windows. As another example, you cannot create or access shadow copies on ImDisk drives. So, applications that use similar Windows features as Disk Management dialog to enumerate disks and disk volumes to find disk properties like sector sizes and similar, might possibly not work as expected with ImDisk drives.

source: http://www.ltr-data.se/opencode.html/

I would be very glad if there are some workarounds, as other "free" ramdisks have size limitation
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 06, 2017, 06:08:59 pm
Looks like it's possible to make workaround if image is mapped as a drive like Q:\. But I don't see any good solution if it's mounted to some folder in existing file system like C:\MyFolder\MappedDisk. So I think it can be solved only partially.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on April 09, 2017, 10:34:51 pm
I am using it as volatile ramdisk (I am using Z:\) mainly as container for sandboxie and portable apps, so there is no image


also I  noticed that when I print some documents with isolated program, tray icon for print won't appear, but then if I immediately print documents with non-isolated program tray icon will appear with all print jobs from both isolated and non-isolated programs



 
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 09, 2017, 10:47:30 pm
My guess is that isolation works and isolated application doesn't have enough access rights to notify shell about printing so it could show the icon, but I'll add in our TODO to look into it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on April 20, 2017, 02:16:40 pm
Hello, dear Rehips :P
I like to test your software 8) like others if u plz provide me a DW link  ;)
Many thank♥
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 20, 2017, 03:03:11 pm
Hello, perisanboy. Link sent.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 25, 2017, 07:02:59 am
ok so actually ReHIPS is quite stable, the GUI seems complete.

i was thinking about rules; seems ReHIPS is offline, and the main changes will be the addition of missing rules for some new/updated applications, i was thinking about implementing a "import rules" kind of features, so instead of releasing new versions without much changes except rules, rules would be released instead and imported.

i'm not sure it was asked before.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 25, 2017, 10:54:07 am
We've already made some changes for ReHIPS to support RulesManager if it's present and roll back to RulesPack if not. So it should be quite easy to put RulesManager, updated default.rdb and click Reinstall Rules in ReHIPS Settings window to update rules.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 25, 2017, 11:33:57 am
For beginners, would it be simpler if it was possible to do it from the GUI?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 25, 2017, 11:47:46 am
All Office files run isolated by default, but is there a way to exclude some of them?

For example, i have a folder with office docs i created, so safe, so how can i run them non-isolated without reducing the security level to launch them ?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 25, 2017, 12:04:48 pm
All Office files run isolated by default, but is there a way to exclude some of them?

For example, i have a folder with office docs i created, so safe, so how can i run them non-isolated without reducing the security level to launch them ?
I don't think you can do that, at least i can't think of a way. On next version though ask would properly work. So if you set ask in MS Word to ask it will ask each time you launch it if you want to launch it isolated or normal. I know it's not ideal but maybe at some point we will have a whitelisted folder feature that ignores rules isolation.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 25, 2017, 01:11:07 pm
So if you set ask in MS Word to ask it will ask each time you launch it if you want to launch it isolated or normal. I know it's not ideal but maybe at some point we will have a whitelisted folder feature that ignores rules isolation.
I thought about that too, but not the ideal to me.

Seems it comes down to an old request i made implementing folders rules.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 25, 2017, 01:35:11 pm
For beginners, would it be simpler if it was possible to do it from the GUI?
One-button solutions are always simpler, and we'll get there, one step at a time ;)

Folders filtering feature will be there in next major build (2.3.x). But I don't think it'll solve this question. You see, filtering works on program-level. Like we have folder A and programs 1.exe, 2.exe and 3.exe in that folder. It'll be possible to allow all from folder A resulting in allowed 1.exe, 2.exe and 3.exe. But documents, it's a different thing. They're not programs by themselves, program is the same for all of them, like winword.exe. To filter documents command line parsing is required. And it's a real pain. And I don't mean it's complicated and we're too lazy to implement it. I mean it's prone to errors (you can google for a lot of vulnerabilities in other products regarding command line parsing) and these errors often result in system compromise like allowing some document that should be isolated. So it's a risky road and I don't think it's a good idea.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 26, 2017, 06:54:21 am
Quote
Folders filtering feature will be there in next major build (2.3.x).
How will it work?

Quote
Like we have folder A and programs 1.exe, 2.exe and 3.exe in that folder. It'll be possible to allow all from folder A resulting in allowed 1.exe, 2.exe and 3.exe.
and block or isolate all I guess?

Quote
But documents, it's a different thing. They're not programs by themselves, program is the same for all of them, like winword.exe. To filter documents command line parsing is required. And it's a real pain. And I don't mean it's complicated and we're too lazy to implement it. I mean it's prone to errors (you can google for a lot of vulnerabilities in other products regarding command line parsing) and these errors often result in system compromise like allowing some document that should be isolated. So it's a risky road and I don't think it's a good idea.
ok so don't bother hahahaha, better getting alerts than introducing potential vulnerabilities.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 26, 2017, 05:10:05 pm
It'll work just like any other program now, but will support wildcards like "block C:\Windows\Temp\*". You'll be able to allow, block, isolate - just like any other program. Most of it is already implemented, but it'll be in the next major build as it hasn't been tested yet.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 27, 2017, 08:26:56 am
Quote
It'll work just like any other program now, but will support wildcards like "block C:\Windows\Temp\*". You'll be able to allow, block, isolate - just like any other program.
Perfect, exactly what I wanted.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 27, 2017, 11:42:41 am
As a small peek into the future, the next big feature is fine-grained parenting rules. Like we have program A, we can allow it to create child processes B and C, isolate child process D and block other child processes. Don't know which major version it'll be in though, maybe 2.3.0, maybe the next one after it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 27, 2017, 02:37:17 pm
Quote
As a small peek into the future, the next big feature is fine-grained parenting rules. Like we have program A, we can allow it to create child processes B and C, isolate child process D and block other child processes. Don't know which major version it'll be in though, maybe 2.3.0, maybe the next one after it.
That will be quite useful. :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on April 30, 2017, 03:35:13 pm
is it possible to make the tray icon color reflect the active profile? currently it has only enabled – green and disabled – red

usually when I am installing new apps I change profile to permissive and sometimes I forget to change it back to standard

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on May 01, 2017, 07:47:21 am
Quote
is it possible to make the tray icon color reflect the active profile? currently it has only enabled – green and disabled – red

usually when I am installing new apps I change profile to permissive and sometimes I forget to change it back to standard
good idea.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on May 01, 2017, 10:57:53 am
Quote
is it possible to make the tray icon color reflect the active profile? currently it has only enabled – green and disabled – red

usually when I am installing new apps I change profile to permissive and sometimes I forget to change it back to standard
Already suggested and they are thinking about it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on May 14, 2017, 11:54:46 am
currently ReHIPS doesn't have "autodelete" option
but playing with firefox portable gave me an idea, if I run it in IE (because of restriction) I have to run it locally, and it will copy profile and program to Temp folder
so the idea is: is it possible to add an option to automatically delete contents in Temp folder after the last isolated program is closed?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on May 14, 2017, 12:00:35 pm
Quote
currently ReHIPS doesn't have "autodelete" option
but playing with firefox portable gave me an idea, if I run it in IE (because of restriction) I have to run it locally, and it will copy profile and program to Temp folder
so the idea is: is it possible to add an option to automatically delete contents in Temp folder after the last isolated program is closed?
No reason to do that. They will add proper reset isolated environment and solve the issue the proper way.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 14, 2017, 02:56:11 pm
Autodelete option is planned for the next major release (2.3.x), so don't worry, it'll be there.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on May 14, 2017, 05:08:11 pm
cool
hope it will be soon
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on May 21, 2017, 01:29:07 pm
I can change location of TEMP/TMP for main user in "Environment Variables", but is it possible for IE?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on May 21, 2017, 01:38:21 pm
Quote
I can change location of TEMP/TMP for main user in "Environment Variables", but is it possible for IE?
What do you mean? Give an example.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on May 21, 2017, 05:27:09 pm
to change location for TEMP/TMP you follow these steps
1) Right click on Computer and click on Properties
2) Click on Advanced system settings
3) Click on Environment Variables
4) In User variables for "user" there will be TEMP and TMP listed with location in "%USERPROFILE%\AppData\Local\Temp" by default

I can edit it and change location to another drive
but I don't want it to change for main profile (non-IE) because it caused error for Diagnostic Troubleshooting Wizard or when I am installing some older programs

Basically, I want to change location of TEMP folder for ReHIPSUserX without changing it for account user
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on May 21, 2017, 05:35:44 pm
Quote
to change location for TEMP/TMP you follow these steps
1) Right click on Computer and click on Properties
2) Click on Advanced system settings
3) Click on Environment Variables
4) In User variables for "user" there will be TEMP and TMP listed with location in "%USERPROFILE%\AppData\Local\Temp" by default

I can edit it and change location to another drive
but I don't want it to change for main profile (non-IE) because it caused error for Diagnostic Troubleshooting Wizard or when I am installing some older programs

Basically, I want to change location of TEMP folder for ReHIPSUserX without changing it for account user
You can make symbolic folders and it will work, I guess. Never tried it though, but I don't see why not.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 21, 2017, 06:07:04 pm
They aren't easily changeable via GUI, but yes, they can be changed.
1. Make sure the isolated program is running. Otherwise isolated user registry hive may not be loaded.
2. Next you need to get isolated user SID. In cmd.exe run "wmic useraccount where name='ReHIPSUser1' get sid" using the desired ReHIPS user name. It'll give you SID like S-1-5-21-1234567890-1234567890-1234567890-1001.
3. Go to registry HKEY_USERS\<SID_FROM_STEP_2>\Environment and change environment variables there.
4. Probably restart will be needed, not sure.
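The registry steps above as a PowerShell script. This is an added example, not ReHIPS code and not part of the post. It resolves the SID with .NET's NTAccount translation instead of the wmic query, and the target folder `R:\ReHIPSTemp` and the icacls grant on it are assumptions of this example.

```powershell
# Added example (not ReHIPS code). Run from an elevated PowerShell prompt.
$IsolatedUser = 'ReHIPSUser1'     # user name from the post; use the desired ReHIPS user
$NewTemp      = 'R:\ReHIPSTemp'   # hypothetical target folder, an assumption of this example
$ErrorActionPreference = 'Stop'

# Step 2: resolve the isolated user's SID (replaces the wmic query in the post).
$account = New-Object System.Security.Principal.NTAccount($IsolatedUser)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Step 1: the hive is only present under HKEY_USERS while it is loaded,
# which the post ties to an isolated program running.
$envKey = "Registry::HKEY_USERS\$sid\Environment"
if (-not (Test-Path -Path $envKey)) {
    throw "Registry hive for $IsolatedUser ($sid) is not loaded; start an isolated program first."
}

# Assumption: the isolated user needs Modify rights on the new folder, inherited by
# files and subfolders. Granting to the SID avoids account-name ambiguity.
if (-not (Test-Path -LiteralPath $NewTemp)) {
    New-Item -ItemType Directory -Path $NewTemp | Out-Null
}
& icacls.exe $NewTemp /grant "*${sid}:(OI)(CI)M" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 3: point TEMP and TMP at the new folder, keeping the REG_EXPAND_SZ type
# that Windows uses for these values.
foreach ($name in 'TEMP', 'TMP') {
    Set-ItemProperty -Path $envKey -Name $name -Value $NewTemp -Type ExpandString
}

# Read the values back so a failed write is visible.
Get-ItemProperty -Path $envKey -Name TEMP, TMP | Select-Object TEMP, TMP
```

The ACL grant is repeated on every run, so the script can be re-run after the target volume has been recreated.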
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on May 21, 2017, 06:56:52 pm
symbolic/hard links don't work, program will hang without error

changing registry works without needing to reboot pc
only con is that I have to re-add access right to temp folder on RAMDisk each time I remount it
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on May 24, 2017, 05:45:08 am
I observed recently that the rulespack reinstalls by itself, is it normal behavior? If yes, any way to stop it?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 24, 2017, 10:33:02 am
RulesPack is executed automatically on first ReHIPS install. It asks for execution upon subsequent ReHIPS installs (i.e. updates). It's executed automatically on new user login to install rules for him. And it's also autoexecuted when changes in installed programs are detected (i.e. new programs appeared in Uninstall programs list) to install rules for these new programs. And autoexecution is unconditional. Is there any reason to stop it? It doesn't overwrite any existing rules, just appends absent rules.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on May 24, 2017, 01:11:21 pm
Quote
RulesPack is executed automatically on first ReHIPS install. It asks for execution
-  It doesn't overwrite any existing rules, just appends absent rules.
ok that's why... for example I am using Rollback RX, so when I rollback to a previous snapshot (taken after ReHIPS was installed), ReHIPS reinstalls the missing rules/IE (those I deleted because I didn't need them).
I thought that once installed the first time, it doesn't do it automatically in the future.
So basically, there is no subsequent reinstallation if the rules from the rdb file are all present, but auto-reinstalled if some are missing?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on May 24, 2017, 01:13:27 pm
Quote
RulesPack is executed automatically on first ReHIPS install. It asks for execution
-  It doesn't overwrite any existing rules, just appends absent rules.
ok that's why... for example I am using rollback RX, so when I rollback to a previous snapshot, ReHIPS reinstalls the missing rules/IE (those I deleted because I didn't need them)
Just use rule manager and edit rules that way to avoid the issue.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 24, 2017, 01:46:55 pm
You've got 2 options:
1. Use RulesManager and create rdb database however you need as rules will be installed from it.
2. Don't delete rules you don't use, mark them as blocked instead, they won't allow anything and won't be overwritten.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on May 24, 2017, 04:29:42 pm
Programs which have option "hide when minimized" enabled and are isolated in separated desktop, will "disappear" when they are minimized, because there is no taskbar with tray area, no idea how to restore them

also as said previously if I open isolated Print queue window, there will be no tray icon, and if I minimize it, it will also "disappear" with no tray icon, but this time I can restore it with alt+tab

I don't know if it's been already suggested but is it possible to make the rehips tray icon change when it isolates programs so the user will be aware that some programs are isolated?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on May 24, 2017, 04:32:37 pm
You have access to isolated program into a different desktop from the session manager or ctrl+alt+I.

EDIT: If you need the tray icon you need to deselect the different desktop option.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on May 24, 2017, 04:44:25 pm
I can switch to separated desktop normally but it will appear empty and after a while outside of that isolated desktop it will terminate itself
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 24, 2017, 04:59:54 pm
Ozone, don't worry, we've got this issue in our TODO list to fix it. But it'll be in the next release, not 2.2.0.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on May 24, 2017, 07:17:04 pm
Quote
You've got 2 options:
1. Use RulesManager and create rdb database however you need as rules will be installed from it.
2. Don't delete rules you don't use, mark them as blocked instead, they won't allow anything and won't be overwritten.
in fact I created IEs for some apps, but some are not needed now (but maybe later), so I don't want to remove them from the rdb I made. I wish I could "deactivate" them so they can't be reinstalled automatically.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on May 24, 2017, 08:21:45 pm
Quote
Ozone, don't worry, we've got this issue in our TODO list to fix it. But it'll be in the next release, not 2.2.0.

I don't mind, I was just testing something

but I have some issues with latest ReHIPS

I had reinstalled ReHIPS (deleted settings and all ReHIPS folders except C:\ReHIPS) but now all files in C:\ReHIPS\Office can't be opened by isolated programs, in security tab of files is unknown ID (previous rehips ID)

fortunately moving files around will remove/reset this unknown ID and allow me open these files

also C:\ReHIPS folder has not changed icon

another issue is that HIPSService64.exe and HIPSAgent64.exe in latest ReHIPS always use 1-2% even though I do nothing
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on May 24, 2017, 08:33:51 pm
Umbra, we'll add something like active/inactive rule, we've got it in our TODO list.

Ozone, thanks for your report, we'll check these issues.
Regarding 1-2% CPU load, that's possible, even if you don't do anything visible, sometimes processes start and die somewhere out there, sometimes they read and write files, load should be minimal, but Service needs to check if it's not isolated processes. I'll take a look at possible bottlenecks to lighten the load.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on May 24, 2017, 08:42:22 pm
I have rehips log opened and nothing appears, but it's new reinstall so I will wait some time and see if this issue disappear
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on May 25, 2017, 08:00:40 am
Quote
Umbra, we'll add something like active/inactive rule, we've got it in our TODO list.
Good! It will be useful because, while reinstalling rules, I could launch Chrome non-isolated... which was surprising until I realized rules were reinstalled.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on May 25, 2017, 08:51:35 pm
after some testing it seems that HIPSAgent64.exe cpu usage is related to IE – isolation border and renamed window

in previous version I didn't have this problem
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on June 06, 2017, 09:08:29 pm
just cosmetic, but could you add in windows with "File Hashes" that you're using sha512, something like this "File Hashes (SHA512)"

could you add timestamp for when was file added in rehips (rules) and option to open file location from rehips setting window

also is it possible to edit initial rulespack?

btw
will you solve the problem with google safe browsing? it's really annoying

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 06, 2017, 10:11:14 pm
OK, we'll add SHA512 marker.

Open file location button is already planned. Timestamp... hmmm, what's the use-case for this feature?

Initial rulespack is already completely editable, I'll announce RulesManager separately in a couple of days I think. It's really powerful, but not so nice and pretty and not so stable, that's why we haven't included it in a default build.

Google safe browsing - you mean that red window popping-up and scaring users that this site serves malware?
Ogh, it's a funny story actually. Well, "funny" also depends on your point of view. Anyway at first they didn't like ReHIPS setup. Have no idea why actually, it's served through https, certificate is OK, it's signed with a valid signature, no protectors, packers, whatsoever, no AV detections, compiler and installer are also standard and wide-spread. I decided it's not good and tried to fix it via google webmaster tools. Now the whole forum and site are banned as their crawler found links to the setup. I'm afraid to fix it further, maybe they'll ban the whole server :)
In other words we're working on it, but google is google. I never had any hard feelings towards it. But when you face this and don't have many options what to do and there is no adequate support, it's hard to remain unbiased.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on June 06, 2017, 10:15:32 pm
Quote
after some testing it seems that HIPSAgent64.exe cpu usage is related to IE – isolation border and renamed window

in previous version I didn't have this problem
I am on the 2.2.0 public release, and for the first couple minutes after startup, I see CPU usage of about 30% for  HIPSAgent64.exe. This causes a very significant delay in the launching of isolated apps, until the CPU finally goes down.
It doesn't seem to matter whether or not I enable isolation border and renamed window.

Windows 10 x64 CU
Windows Defender
NVT ERP

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 07, 2017, 01:09:50 am
I can't reproduce this issue with CPU-eating-on-startup Agent, but I'll try to solve it in PM.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 07, 2017, 02:17:39 pm
Looks like Google came to its senses and Google Safe Browsing issue is solved.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on June 07, 2017, 02:24:52 pm
Quote
after some testing it seems that HIPSAgent64.exe cpu usage is related to IE – isolation border and renamed window

in previous version I didn't have this problem
I am on the 2.2.0 public release, and for the first couple minutes after startup, I see CPU usage of about 30% for  HIPSAgent64.exe. This causes a very significant delay in the launching of isolated apps, until the CPU finally goes down.
It doesn't seem to matter whether or not I enable isolation border and renamed window.

Windows 10 x64 CU
Windows Defender
NVT ERP
You sure it matters if you launch something isolated? Try not launching anything and see if cpu load drops. If it actually drops how long did it take and when you launch what does it happen? Also if you don't mind, to compare with my test, what cpu model do you have.
I personally see a high cpu load for the first few seconds the system boots(10-20s).

Also something else to consider do you use lockdown mode and if yes in what setting?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on June 09, 2017, 03:29:02 pm
Quote
OK, we'll add SHA512 marker.

Open file location button is already planned. Timestamp... hmmm, what's the use-case for this feature?

Initial rulespack is already completely editable, I'll announce RulesManager separately in a couple of days I think. It's really powerful, but not so nice and pretty and not so stable, that's why we haven't included it in a default build.

Google safe browsing - you mean that red window popping-up and scaring users that this site serves malware?
Ogh, it's a funny story actually. Well, "funny" also depends on your point of view. Anyway at first they didn't like ReHIPS setup. Have no idea why actually, it's served through https, certificate is OK, it's signed with a valid signature, no protectors, packers, whatsoever, no AV detections, compiler and installer are also standard and wide-spread. I decided it's not good and tried to fix it via google webmaster tools. Now the whole forum and site are banned as their crawler found links to the setup. I'm afraid to fix it further, maybe they'll ban the whole server :)
In other words we're working on it, but google is google. I never had any hard feelings towards it. But when you face this and don't have many options what to do and there is no adequate support, it's hard to remain unbiased.

I should be more specific, I mean timestamps for file hashes (when hash was added), so it will be possible to figure out when file was modified because if "Ignore File Modification" is checked there is no warning. (unless you check "Program file modified – allowed")

CPU usage now is better, HIPSService64.exe is using around 0,2 %, so it's okay and only on windows 7 HIPSAgent64.exe is using 1 % (on windows 10 no problem at all).

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on June 09, 2017, 10:03:32 pm
Quote
I should be more specific, I mean timestamps for file hashes (when hash was added), so it will be possible to figure out when file was modified because if "Ignore File Modification" is checked there is no warning.

Thanks for your suggestion. We'll think about it. Maybe we will add additional info about files like version, etc.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on June 15, 2017, 03:39:00 pm
I was trying https://www.airlockdigital.com/application-whitelisting-auditor/ and after "hundreds" popups ReHIPS GUI crashed

additional info
I have only allowed program to launch, later (other) permissions were blocked
after crash I have run GUI again (ApplicationWhitelistAuditor.exe was still running) and after "hundreds" popups ReHIPS GUI again crashed
I was in shadow mode so no log



Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on June 15, 2017, 06:25:51 pm
Quote
I was trying https://www.airlockdigital.com/application-whitelisting-auditor/ and after "hundreds" popups ReHIPS GUI crashed

additional info
I have only allowed program to launch, later (other) permissions were blocked
after crash I have run GUI again (ApplicationWhitelistAuditor.exe was still running) and after "hundreds" popups ReHIPS GUI again crashed
I was in shadow mode so no log

Thank you for your bug report. We'll try to reproduce this problem and fix it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on June 18, 2017, 12:16:57 am
is it possible to add number of matches when searching files, similar to browsers (2 of 4, 1 of 1, ...)?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on June 18, 2017, 01:57:15 am
Do you mean search in Programs tree?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on June 18, 2017, 10:58:14 am
Quote
Do you mean search in Programs tree?

yes
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on June 18, 2017, 04:15:55 pm
Quote
is it possible to add number of matches when searching files, similar to browsers (2 of 4, 1 of 1, ...)?

Thanks for your suggestion. We'll add this in one of the following releases.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on July 06, 2017, 01:10:51 pm
is it possible to add an option to create temporary rules for apps with existing rules (so I don't have to revert to/change existing rules) or an option to create several rule sets (profiles) for apps with an option to choose which one would be active?

also I've noticed that you can't change settings duration, would you add an option to change them?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 10, 2017, 08:53:43 pm
It's possible to have several RDB-files for RulesManager. But it isn't currently possible to have multiple rules for the same program in ReHIPS itself. As a workaround you can allow it and create shortcut to execute it in isolation. It's also possible to set Ask in execution options, and you'll get Alert each time the program is executed, you can set Only Once not to save your choice in the database for it to ask every time.

I don't think multiple rules for the same program is a good idea, you have to prioritize them somehow, it may lead to undesired effects like you set it to block and think it's OK, but there is an allow rule with higher priority.
Adding profiles is possible. But I'm not sure if it's worth the effort. You see, we already have 3 levels in the programs tree, 4th will be added soon. Adding 5th profile level may be an overkill as I don't see an often used use-case which will be covered by this change.

Settings duration - do you mean for Working Mode? Like set Learning Mode for 30 mins?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on July 13, 2017, 11:24:44 pm
C:\WINDOWS\system32\igfxTray.exe
This process comes from Intel integrated graphics
It needs permission to execute programs, so the user can open the intel graphics control panel from the system tray icon.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 14, 2017, 12:24:26 am
Thanks for your report, but that one is already set. I guess you updated from some older version, so existing rules weren't overwritten, that's why you have old value.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on July 14, 2017, 08:21:06 am
That's funny -- I reinstalled Windows and then installed ReHIPS from the release version, 2.2.0.0.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 14, 2017, 01:14:53 pm
Yeah, release ReHIPS 2.2.0 allows C:\Windows\system32\igfxTray.exe to execute processes. So I guess either rules are from some older version or something was manually changed.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on July 15, 2017, 10:44:44 am
@fixer

I assume if notpetya runs isolated it doesn't have access to other processes to do the access level elevation it requires. Am I correct?

https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/

https://www.youtube.com/watch?v=hZKLEw-Our4
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on July 15, 2017, 11:08:02 am
Quote
@fixer

I assume if notpetya runs isolated it doesn't have access to other processes to do the access level elevation it requires. Am I correct?

https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/

https://www.youtube.com/watch?v=hZKLEw-Our4

NotPetya\PetWrap uses a trusted computing base bypass of UAC with cross over to the Admin account.  If run in a SUA, it will simply encrypt files, but if the user signs out of the SUA and signs into the Admin account, then rundll32 runs with the elevated privileges needed to execute the malicious dll\PsExec and encrypt the MBR.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 15, 2017, 01:20:47 pm
We haven't checked Petya and the second one (NotPetya, Netya, whatever it's called) ourselves yet.
But according to research articles I don't think it'll bypass ReHIPS.
If it's executed directly in isolation, it may encrypt just files it has write access to, that is by default basically isolated user profile folder, which is completely harmless.
If it spreads as a result of exploit, this case is more dangerous as exploit itself is quite interesting and remotely subverts a privileged Windows process. But it spawns several processes like rundll32 or other interpreters that should be flagged by ReHIPS and alerted of.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on July 15, 2017, 09:22:10 pm

Quote
If it spreads as a result of exploit, this case is more dangerous as exploit itself is quite interesting and remotely subverts a privileged Windows process.

It is a trusted computing base bypass of UAC and therefore is able to attain "run as operating system."

If you watch the video, (unless I am missing something) you will see that launching the malware in the SUA crosses over to the Admin account; the video author signs-out of the SUA, and then logs back into the Admin account - where rundll32, launched in the SUA, runs the malicious dll with elevated privileges and encrypts the MBR.

The ability to cross-over from the SUA to Admin account surprised me.  However, I've read some discussions of trusted computing base vulnerabilities to accomplish unexpected things on Windows.

Just a FYI on the NotPetya samples...

There are samples on hybrid-analysis.com.  Some are listed\labeled as .exe, but are actually .dll (check the file description notes).  I tested "PetWrap.exe" but it is actually PetWrap.dll and is launched using argument rundll32 c:\<directory>\PetWrap.dll#1 1.  There are better .exe samples for testing.

I did not test it in ReHIPS isolated environment, so apologies fixer that I have nothing helpful with regards to ReHIPS that I can report here.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 16, 2017, 05:04:18 pm
UAC bypasses are possible as UAC was never designed to be a security boundary, more like simple and usable feature for admin-account users. So UAC bypass is possible, but looks like it's not a LUA account (admin account stripped to user by UAC), but a real SUA account (a simple non-admin user account). In this case my guess is it either bruteforced admin password somehow or exploited PC locally to gain additional privileges as this eternal blue exploit targets a privileged Windows process. So I don't think any magic or supersecret bypass is used.

Anyway ReHIPS should alert about these new processes thus preventing it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 25, 2017, 12:09:06 am
Hello, a suggestion:
Pls, consider adding the purge button in the allowed or blocked programs ;D
it's pain when you want to search for red programs :P lazy ppl like me...   :P
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 25, 2017, 01:08:24 am
You mean purge button for red programs that don't exist anymore?
Thanks for suggestion, we already have it in our TODO list.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 25, 2017, 02:00:38 am
Quote
You mean purge button for red programs that don't exist anymore?
Thanks for suggestion, we already have it in our TODO list.
Ye exactly:)
Good to hear you guys are already thinking about it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 25, 2017, 03:44:32 pm
Hello there :P
Does Rehips generate the pop up for the child process?
If I want to monitor the child process should I choose to Inspect children? or even if I allow a program for the next child process Rehips generate a pop up (expert mode)?

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 25, 2017, 03:59:35 pm
There are 4 possible options for Can Execute Programs setting. Verbatim from the help file:
Quote
Alert - "Allow program to execute other programs?" window will be displayed when this program tries to execute other program;
Block - this program will be denied to execute other programs;
Inspect children - if a child program is not in ReHIPS database, "Allow program?" window will be shown, ReHIPS database settings for child program will be applied otherwise;
Allow - allows current program to execute other programs without notification, child programs will be executed with parent access rights and privileges.
So you need Inspect children option.

Settings Duration radio button sets duration for the alert choice.
Quote
Permanent
Save settings into ReHIPS database and use them always.
Only in this session
Settings will be actual for the current session only (up to restart of the PC).
And Only Once option will be effective only once, no changes to the database will be made.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 25, 2017, 04:30:40 pm
YE I got it thnx fixer.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 28, 2017, 11:45:59 pm
i want to ask my questions about Rehips here not in malware tips anymore :P :P
i want answers from fixer 8)
Let's say I want to install a new software from a trusted source.
But imagine(just possibility) that program or installer changed by some one or contain bad drivers(possibly) some hacker there hacked the website or idk:D.
So the question is how Rehips will handle the bad drivers? Because I notice it won't generate an alarm for creating drivers into the: system32/drivers
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on July 28, 2017, 11:48:54 pm
im want to ask my questions about rehips here not in malware tips anymore :P :P
i want answers from fixer 8)
Let's say I want to install a new software from a trusted source.
But imagine(just possibility) that program or installer changed by some one or contain bad drives(possible) some hacker there hacked the website or idk:D.
So the question is how Rehips will handle the bad drives?because I notice it won't generate an alarm for creating drives into the:system32/drives
LOL! You asked the questions though on malware tips or someone/something is reading your mind because you posted there first.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 28, 2017, 11:51:46 pm
Also pls pls pls consider to make this sandbox better it can't run a lot of software also the settings are too complicated.
Well, when I read the help file I found how to work with it.but not everyone can read the help file! ppl are lazy.

imagine if a girl in somewhere wants to work with Rhips and she is noob user she will remove it as fast as possible :P::)
you guys should consider these things make it easy to use like others! I like the Rehips sandbox bec it's smarter than others and more settings and restriction for the isolated environment but the usability is on another side.
make it work for everyone(drag and drop! ) not only for  special users!8) ;D
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 28, 2017, 11:55:03 pm
Quote
LOL! You asked the questions though on malware tips though or someone/something is reading your mind because you posted there first.
ye you are right but after that I thought it's better to ask my question here ;D from the developer they know better. they are not in MT
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 29, 2017, 12:24:17 am
i want to ask my questions about Rehips here not in malware tips anymore :P :P
i want answers from fixer 8)
Let's say I want to install a new software from a trusted source.
But imagine(just possibility) that program or installer changed by some one or contain bad drivers(possibly) some hacker there hacked the website or idk:D.
So the question is how Rehips will handle the bad drivers?because I notice it won't generate an alarm for creating drives into the:system32/drivers
can you guys do this? monitor the important folders into the c: windows and if smth wanted to make a change on it Rehips will generate an alarm.is it a hard thing??idk it's hard or easy :/
it's just suggestions for better security.
I mean some important folder like drivers, system 32,... or others you knows better which one is more important
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 29, 2017, 12:47:47 am
We can't do everything at once, one step at a time. Security is pretty much taken care of, so now we mostly deal with usability. And we've got a lot of ideas and thanks to our users great suggestions. So don't worry, we'll make it easier to use, just one step at a time.

Isolated programs can't install drivers, they don't have enough permissions for this. Drivers require digital signature to be loaded by Windows, so hacking the site, infecting and resigning drivers is possible, but unlikely - too much trouble. Besides quite a few software have and really need drivers. Usually simple exe files are compromised, they have similar access rights when executed from admin (which most users do) and don't have to be signed. But if you really have to deal with a driver, my advice-think twice, do you really need it? Sometimes even legitimate drivers are full of bugs and increase attack surface.

Folders monitoring is not hard, but drivers can be loaded from any folder, so in this context this monitoring will be quite useless.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 29, 2017, 01:01:50 am
We can't do everything at once, one step at a time. Security is pretty much taken care of, so now we mostly deal with usability. And we've got a lot of ideas and thanks to our users great suggestions. So don't worry, we'll make it easier to use, just one step at a time.

Isolated programs can't install drivers, they don't have enough permissions for this. Drivers require digital signature to be loaded by Windows, so hacking the site, infecting and resigning drivers is possible, but unlikely - too much trouble. Besides quite a few software have and really need drivers. Usually simple exe files are compromised, they have similar access rights when executed from admin (which most users do) and don't have to be signed. But if you really have to deal with a driver, my advice-think twice, do you really need it? Sometimes even legitimate drivers are full of bugs and increase attack surface.

Folders monitoring is not hard, but drivers can be loaded from any folder, so in this context this monitoring will be quite useless.
Hello Fixer thnx for the answer :)I know you did well and every pc is secure with Rehips also usability is much important for now I know that. hope it will be more easy to use in the near future::)
I know isolated programs don't have permission to install drivers I was talking about installing a program from a secure source that you won't isolate the installer, by the way, you mean even trusted drivers from trusted programs make pc Into the trouble so it's better to don't install much software thnx for the info
even if they are signed and most of the time every driver's need to be signed or win don't let them I see.
ok so folder monitoring is useless. also im sorry if I ask too much :/ here and also in MT 8) :P
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on July 29, 2017, 01:13:56 am
Yeah, the idea is generally the less software you have installed, the more secure you are.
Don't worry, that's what support is for :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 29, 2017, 01:46:20 am
Yeah, the idea is generally the less software you have installed, the more secure you are.
Don't worry, that's what support is for :)
thnx to being so kind fixer ;D
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 31, 2017, 11:41:35 pm
I have one issue, I don't know if it just happens to me or it's common for others as well. ;)
if I turn on the pop-ups in to the (settings--->logs)it will generate popup ok? :P so if I have smth that get block by Rehips or allowed that pop-up Spam my desktop IN ROW.
at the same time, I have one program isolated I can't go to the virtual desktop because that pop-up put itself on the virtual desktop button.
oh I know my English is bad I hope you know what I mean
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on July 31, 2017, 11:46:41 pm
I have one issue, I don't know if it just happens to me or it's common for others as well. ;)
if I turn on the pop-ups in to the (settings--->logs)it will generate popup ok? :P so if I have smth that get block by Rehips or allowed that pop-up Spam my desktop IN ROW.
at the same time, I have one program isolated I can't go to the virtual desktop because that pop-up put itself on the virtual desktop button.
oh I know my English is bad I hope you know what I mean
If i understand correctly either go in settings-interface and untick alerts always on top or move the session manager to another position so it doesn't get stuck behind notifications.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 31, 2017, 11:51:34 pm
Also, a suggestion can we have these rules for the sandbox:
Block incoming connections to sandboxed applications
Block outgoing connections from sandboxed applications
we have one choice: allow network for sandboxed application or don't but with these 2 rules, we have more ctrl.
so even if we allow the sandboxed software to reach the internet or the network the system remains safe also that software can use the internet.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 31, 2017, 11:52:38 pm

If i understand correctly either go in settings-interface and untick alerts always on top or move the session manager to another position so it doesn't get stuck behind notifications.
hey, i know that but think if some one wants to have alert as well.i can disable it for sure but if i don't want it act like a crazy kid:D
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on July 31, 2017, 11:55:25 pm
I have one issue, I don't know if it just happens to me or it's common for others as well. ;)
if I turn on the pop-ups in to the (settings--->logs)it will generate popup ok? :P so if I have smth that get block by Rehips or allowed that pop-up Spam my desktop IN ROW.
at the same time, I have one program isolated I can't go to the virtual desktop because that pop-up put itself on the virtual desktop button.
oh I know my English is bad I hope you know what I mean
If i understand correctly either go in settings-interface and untick alerts always on top or move the session manager to another position so it doesn't get stuck behind notifications.
hey, i know that but think if some one wants to have alert as well.i can disable it for sure but if i don't want it act like a crazy kid:D
I didn't tell you to disable anything though.

First option you just have alerts not focused
Second option you move the session manager so you can move to the virtual desktop
Third option that i just thought is to move with shortcut ctrl+alt+i
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on July 31, 2017, 11:57:51 pm
oh I see sorry my bad didn't notice this option thnx
also thnx for that hotkey :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 01, 2017, 12:01:19 am
oh I see sorry my bad didn't notice this option thnx
also thnx for that hotkey :)
You are welcome.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 01, 2017, 03:07:59 am
Tuning network control is in TODO list. We'll definitely add each program network control, not just isolated environment-wide option. Adding fine-grained control like in/out/ports/protocols filtering, this one don't know yet, maybe later if users really want it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 01, 2017, 04:05:32 am
Tuning network control is in TODO list. We'll definitely add each program network control, not just isolated environment-wide option. Adding fine-grained control like in/out/ports/protocols filtering, this one don't know yet, maybe later if users really want it.
I love that TODO list you already consider everything <3for each program? nice!like a firewall(rehipswall :P) this is a good idea it's an OTP option.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 01, 2017, 02:15:08 pm
Yeah, we've got some drafts of a firewall, also based on documented principles (WFP). It was started a bit after ReHIPS was started. But later we decided to put it on hold. So firewalling is possible and we have some groundwork for it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on August 01, 2017, 03:16:22 pm
cool , i need a serious firewall until then Windows Firewall will be my only option.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 01, 2017, 07:32:55 pm
Hey.
Does Rehips change the program rules if you use it in standard mode?or just take a decision?
help file:
Normal - programs which are in the ReHIPS database are controlled by ReHIPS in according to their settings, launchings of others are controlled by ReHIPS in heuristic way, ReHIPS notifies user when an untrusted application tries to be started and asks would user like to trust this application fully, to block it or to start it in the isolated environment, user can select ReHIPS to remember these settings and to apply them automatically when application starts next time;

Expert - programs which are in the ReHIPS AntiSpy database are controlled by ReHIPS AntiSpy in according to their settings, launchings settings of others (allow, block or start in an isolated environment) must be set by the user manually.

In expert mode when Rehips ask for smth and you answer the pop up the rules in the data base(settings--->programs) will get change.
but according to the help file in the standard mode, Rehips will take most of the decisions by heuristic way or some other smart ways the question is if Rehips make some decision the rules will get changed? or just don't touch the settings? some say rules don't change in any mode but from what I see and did some test for my self I saw in expert mode if I allow or block smth the rules will get changed!

let me explain more: if you run smth and chose to inspect children for that file the Rehips set inspect children rule for that file so if that file want to start a process again you can choose to allow and if you do that the rules in program list will set to allow from inspecting children!I tested it many times set alert rule for smth and when Rehips asked me about that file when I pressed allow I went to program rules and I saw the rule changed to allow! and that alert rule removed!
when you set alert rule or inspect children for smth these rule will not remain for ever(because rehips ask you for them and if you press to allow the rules will be gone) even when you set a permanent rule not once for that file before

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 01, 2017, 08:16:54 pm
Standard Mode doesn't create new or modify any existing rules. This is an excerpt from upcoming blogpost about differences in ReHIPS Modes. Keep in mind, that it's ReHIPS internals and though now it is that way, it may change in the future.

Standard Mode. It's mostly similar to Expert Mode, but shows less alerts. It doesn't show alerts in the following situations:
-It honors Trusted Vendors list, allowing processes and allowing children of these processes with inspection.
-When file is changed and signed by the same vendor as before, it's allowed.
-Children of immersive (metro, modern UI, whatever they're called) programs are allowed.
-Children of already isolated programs are allowed.
-Children signed by the same vendor as parent are allowed.
-Immersive (metro, modern UI, whatever they're called) programs are allowed.
-Subprocesses of already isolated programs are allowed.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 01, 2017, 08:27:15 pm
hey so my guess was right it will take decisions by itself I can see the smart mode is the best mode because this mode shows how smart REHIPS is everything is covered by that HIPS.

Standard Mode. It's mostly similar to Expert Mode, but shows less alerts. It doesn't show alerts in the following situations:
-It honors Trusted Vendors list, allowing processes and allowing children of these processes with inspection.
-When file is changed and signed by the same vendor as before, it's allowed.
-Children of immersive (metro, modern UI, whatever they're called) programs are allowed.
-Children of already isolated programs are allowed.
-Children signed by the same vendor as parent are allowed.
-Immersive (metro, modern UI, whatever they're called) programs are allowed.
-Subprocesses of already isolated programs are allowed.

the nice rules smart mode has :) change the name to smart mode instead of standard mode ::)
you need to add these words into the help file because it's very useful
thnx for your time and answer.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 02, 2017, 04:15:54 am
:) Can we have this ability to export our rules (program menu and also our trusted vendor's names)? It makes rehips easier to use.
because sometimes you want to reinstall rehips or sometimes you want to have back up from your rules :)

also is it possible to have thumbprint for our trusted vendor's list?  I mean Certificate(dig signed)name and thumbprint in the Trusted vendor's list.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 02, 2017, 12:31:37 pm
Rules export-import feature is in our TODO list. Though due to some internals it isn't possible to extract all information from database to recreate the same isolated environments from scratch on a clean PC. If you read my blogpost about RulesManager here https://forum.rehips.com/index.php?topic=9530.0 I mean Special Folders here. They're just copied and no information about them is stored in ReHIPS database. So the best course of action here is to modify RDB-file with RulesManager and then distribute it and recreate rules from this file with RulesManager, that's what it's meant for.

Thumbprints are possible. But do we need it? Thumbprints tend to change with each certificate reissue, and that may happen every year. And it'll be hell of a job to always keep them up-to-date. Names on the other hand usually remain the same. We also try to keep this trusted list small with only really trusted vendors, so it shouldn't be a security risk. Besides if you really worry about that list, you can edit it or enable Expert Mode, the list is ignored in that Mode.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 02, 2017, 12:51:52 pm
Hello :D so it's on your to-do list.I know what you mean I read your post before thnx for the info fixer.so it can't be done.the only way is to create it again it's not hard for everyone to create them again btw. I just thought if there is a way to consider it as an option
I know that Thumbprints is cancer but I thought it's safer to have it.so its pain I see and understand.ye the small and handy trusted list is also better I already edit it :)even removed Comodo and some other from that list.i know the list is ignored in expert mode i just wanted to play with a standard mode for a while because I think is the best and its the power of Rehips it will do the job for me :D
many thnx for the answer ; :D :P
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 02, 2017, 02:09:18 pm
path wildcard
fixer what is it? and can you pls tell me home users need it or not? If we don't use it means we are losing some security guards? :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on August 02, 2017, 02:24:55 pm
wildcard are special characters made to replace other characters in command lines ; you didn't read my post on MT, huh?

because some command line will always change part of their line for the same action, so using wildcard will allow you to whitelist/blacklist  all the variant of the same command line.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 02, 2017, 02:27:32 pm
It's mostly for programs with changing path. For example Windows downloads and runs updates from C:\Windows\SoftwareDistribution\Download folder. You can't know their names, but know that this folder is write-protected, so you can allow execution of exe files from this folder.
Or metro applications have version in the folder name which is constantly changing.
So no security here, just usability, so you don't get swamped with Alerts.
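The wildcard rules described in the post above, as an added example that is not part of the original post and is not ReHIPS code: a small model of how one rule can cover a changing file or folder name. The `*`/`?` semantics, the second rule and all sample paths are assumptions constructed for illustration.

```python
import ntpath
import re


def wildcard_to_regex(rule):
    """Compile a wildcard path rule into an anchored, case-insensitive regex.

    Assumed semantics (not taken from ReHIPS): '*' matches any run of
    characters inside one path component, '?' matches exactly one.
    """
    pieces = []
    for ch in rule:
        if ch == "*":
            pieces.append(r"[^\\]*")   # never crosses a backslash
        elif ch == "?":
            pieces.append(r"[^\\]")
        else:
            pieces.append(re.escape(ch))
    return re.compile("".join(pieces), re.IGNORECASE)


def rule_matches(rule, path):
    """True if the path, after Windows-style normalisation, is covered by the rule."""
    normalized = ntpath.normpath(path)  # collapses '..' and turns '/' into '\'
    return wildcard_to_regex(rule).fullmatch(normalized) is not None


def covered(rules, paths):
    """Return, for each path, the first rule that covers it (or None)."""
    return {p: next((r for r in rules if rule_matches(r, p)), None) for p in paths}


# Constructed rules: the first folder is the one named in the post, the second
# stands in for a store app whose folder name carries a version number.
RULES = [
    r"C:\Windows\SoftwareDistribution\Download\*.exe",
    r"C:\Program Files\WindowsApps\Example.App_*_x64\App.exe",
]

# Constructed launch paths.
PATHS = [
    r"C:\Windows\SoftwareDistribution\Download\update-1234.exe",
    r"c:\windows\softwaredistribution\download\UPDATE.EXE",
    r"C:\Program Files\WindowsApps\Example.App_2.3.0_x64\App.exe",
    r"C:\Windows\SoftwareDistribution\Download\sub\tool.exe",
    r"C:\Windows\SoftwareDistribution\Download\..\..\Temp\tool.exe",
    r"C:\Users\Public\Download\update-1234.exe",
]

if __name__ == "__main__":
    for path, rule in covered(RULES, PATHS).items():
        print(f"{'covered' if rule else 'not covered':12} {path}")
```

The rule is only as safe as the folder it names: the allowance in the post rests on the Download folder being write-protected, which this model does not check.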
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 02, 2017, 07:56:34 pm
wildcard are special characters made to replace other characters in command lines ; you didn't read my post on MT, huh?

because some command line will always change part of their line for the same action, so using wildcard will allow you to whitelist/blacklist  all the variant of the same command line.
thnx for the answer and your time  I read but I didn't understand command lines.so many explanations and I'm not good in eng.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 02, 2017, 08:00:01 pm
It's mostly for programs with changing path. For example Windows downloads and runs updates from C:\Windows\SoftwareDistribution\Download folder. You can't know their names, but know that this folder is write-protected, so you can allow execution of exe files from this folder.
Or metro applications have version in the folder name which is constantly changing.
So no security here, just usability, so you don't get swamped with Alerts.
thnx for the info and explanation I see so there is nothing about security its usability I guess I will not bother to it :) btw this is good stuff... can we have it in GUI in next versions?I mean smth easy to use not everyone knows how to work with? and *  :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 02, 2017, 08:39:02 pm
Some pre-installed rules (that come with RulesManager) will have wildcards. Other than that, you can use ReHIPS without having any knowledge of wildcards and you'll be fine. But yeah, you can always use them if you want adding wildcarded rules from either RulesManager or Control Center.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 02, 2017, 10:21:47 pm
Many thnx fixer so everyone is safe even if he/she doesn't know how to use wildcards and just use Rehips without these wild cards.I just wanted to know this. :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 05, 2017, 07:52:58 pm
Hello,
While I'm using the learning mode, if I open smth and that thing needs modifying one of the processes into the program rules in the Rehips database it will change the settings for those process too? I mean change the default rules for each process
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 05, 2017, 07:54:34 pm
Hello. From upcoming blogpost:
Quote
Learning Mode. This one is quite simple. If a program is already in the ReHIPS database, these existing rules are used. If a program is not in the ReHIPS database, it's allowed and added to the database with Allow setting. In other words, ReHIPS is learning of programs on your PC that are started and adds them to allowed without any alerts.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 05, 2017, 08:00:06 pm
Hello, thnx for the answer.
so when a program is already in the ReHIPS database, these existing rules are used,
it means those default rules you set for the process will not change?! let say I want to run smth related to cmd.exe and cmd has alert alert alert rules if I run my tool it will change the  default cmd rules? or still, the alert rules remain?
thnx
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 05, 2017, 08:14:31 pm
If you have Alert, it's the same as if you don't have this field set.
So Can Execute Programs will become Alert->Allow with children inspection.
And Can Be Executed will become Alert->Allow.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 05, 2017, 08:25:24 pm
thnx :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 05, 2017, 08:42:55 pm
ok there is smth wrong  I just wanted to play with my rules with rehips in learning

set these rules for cmd :
alert
allow
alert
ran mini tool box because this tool uses cmd. set allow for the mini tool box in rehips data base for every action
ran it but cmd got blocked, i noticed if you set alert rule for cmd and run rehips in learning mode if smth wants to run cmd it will get blocked!
alert rule for learning mode doesn't work! and rehips doesn't ask you if smth wants to run the cmd (same for other processes, it's only an example)

P.S: fast blocked the cmd! so what is the point with learning mode?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 05, 2017, 09:23:29 pm
learning mode block the everything that  has alert rule!im wrong?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 05, 2017, 11:26:24 pm
Open ReHIPS log then and try to find out why it was blocked.
I tested the following, set cmd.exe:
Can Execute Programs: Alert;
Can Be Executed: Allow;
Can Execute Sub-Programs: Alert.
Then enabled Learning Mode and played with cmd.exe a bit. So it became:
Can Execute Programs: Inspect Children; - it was changed to allow execution of other programs
Can Be Executed: Allow; - it remained the same
Can Execute Sub-Programs: Alert. - it remained the same, but some lines were added to the Trusted Command Lines list
And none were blocked. So the fastest way is to take a look at ReHIPS log, it writes there reason for the action. For example
Sub-Program C:\Windows\System32\cmd.exe with PID 3072 and command line cmd /c ""C:\123.bat" " - allowed (mode)
means was allowed because of the Working Mode.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 06, 2017, 12:37:17 am
I tried it again no issue you know I guess win 7 sucks!the rules changed like your rules.
should remove this bs.
thnx for reply
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 06, 2017, 09:47:14 am
suggestion: can you resize the pop-up menu size?its too big should be smaller:D
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 06, 2017, 02:29:47 pm
Which pop-up menu do you mean?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Funnelhead on August 06, 2017, 09:27:36 pm
ReHIPS appears to be blocking the file or service that checks/validates the product ID in Windows 7. In the last 2-3 days I've been getting the 'Genuine Windows' pop-up and a link to validate online.

While running ReHIPS in standard mode, Windows activation shows as "Status Not Available" and Product ID is blank (control panel > system). Once I change ReHIPS to permissive and reload the system page, it correctly shows as active.

Any thoughts?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on August 06, 2017, 09:34:55 pm
ReHIPS appears to be blocking the file or service that checks/validates the product ID in Windows 7. In the last 2-3 days I've been getting the 'Genuine Windows' pop-up and a link to validate online.

While running ReHIPS in standard mode, Windows activation shows as "Status Not Available" and Product ID is blank (control panel > system). Once I change ReHIPS to permissive and reload the system page, it correctly shows as active.

Any thoughts?
Post the logs of when it happens and an image of the error page.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 06, 2017, 10:28:53 pm
The best idea is to either take a look at logs and find out what was blocked, we'll add it to the default rules as allowed. Or to compare logs from both successful and unsuccessful passes to find the difference.
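The log comparison suggested above (and the earlier advice to read the reason at the end of each log line), as an added example that is not part of the original posts and is not ReHIPS code. The line shape is taken from the single log line quoted earlier in the thread; the `blocked` action, the `rule` reason, the `C:\Example` paths and every sample line other than the cmd.exe one are constructed assumptions.

```python
import re

# Shape taken from the one log line quoted in the thread:
#   Sub-Program <path> with PID <pid> and command line <cmdline> - allowed (mode)
# Other kinds, the "blocked" action and other reason strings are assumptions.
LINE_RE = re.compile(
    r"^(?P<kind>[A-Za-z-]+) (?P<path>.+?) with PID (?P<pid>\d+) "
    r"and command line (?P<cmdline>.*) - (?P<action>\w+) \((?P<reason>[^()]*)\)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it has another shape."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    entry = match.groupdict()
    entry["pid"] = int(entry["pid"])
    return entry


def decisions(log_text):
    """Map (kind, lower-cased path, command line) to the last decision logged for it.

    PIDs are left out of the key because they differ between runs.
    """
    result = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            key = (entry["kind"], entry["path"].lower(), entry["cmdline"])
            result[key] = entry
    return result


def diff_runs(good_log, bad_log):
    """List launches whose decision differs in, or that appear only in, the failing run."""
    good, bad = decisions(good_log), decisions(bad_log)
    findings = []
    for key in sorted(bad):
        now, before = bad[key], good.get(key)
        if before is None or before["action"] != now["action"]:
            findings.append({
                "path": now["path"],
                "cmdline": now["cmdline"],
                "good": (before["action"], before["reason"]) if before else None,
                "bad": (now["action"], now["reason"]),
            })
    return findings


# Constructed sample logs: one working pass and one failing pass.
GOOD_RUN = "\n".join([
    r'Sub-Program C:\Windows\System32\cmd.exe with PID 3072 and command line cmd /c ""C:\123.bat" " - allowed (mode)',
    r'Sub-Program C:\Example\licensecheck.exe with PID 4120 and command line licensecheck.exe /verify - allowed (mode)',
    r'some other log line with a different shape',
])
BAD_RUN = "\n".join([
    r'Sub-Program C:\Windows\System32\cmd.exe with PID 5544 and command line cmd /c ""C:\123.bat" " - allowed (mode)',
    r'Sub-Program C:\Example\licensecheck.exe with PID 6012 and command line licensecheck.exe /verify - blocked (rule)',
    r'Sub-Program C:\Example\helper.exe with PID 6020 and command line helper.exe - blocked (rule)',
])

if __name__ == "__main__":
    for finding in diff_runs(GOOD_RUN, BAD_RUN):
        print(finding["path"], finding["good"], "->", finding["bad"])
```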
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 07, 2017, 01:04:47 am
i mean the log pop up menu
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on August 07, 2017, 01:06:58 am
ReHIPS appears to be blocking the file or service that checks/validates the product ID in Windows 7. In the last 2-3 days I've been getting the 'Genuine Windows' pop-up and a link to validate online.

While running ReHIPS in standard mode, Windows activation shows as "Status Not Available" and Product ID is blank (control panel > system). Once I change ReHIPS to permissive and reload the system page, it correctly shows as active.

Any thoughts?
Hey try to train rehips in learning mode for  1week then set it in expert or standard mode.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Trooper on August 13, 2017, 08:26:26 pm
Hi guys,

First time poster here.  I purchased this product about a month or so ago and ran it at default settings.  I am sure there is a learning curve for the product just like any other security suite.  My main issue was that I noticed a significant downgrade in my PC performance.  So much so, that I had to roll back to my image that was taken before installation.  Would like to give it a go once again now that I have a little more time to mess around.  Any tips for this ReHIPS newbie?

PC is an i5 Intel with 16GB of RAM.  Windows 10 x64 Enterprise with Creators Update.  Thanks!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 13, 2017, 10:24:57 pm
Hello, Trooper. And welcome to our forum.
Could you please explain a bit more on the issue? Does it always lag or maybe for example just the first 5 minutes after boot? How does it lag exactly and do all programs seem to lag? What is CPU, RAM, HDD, etc usage? Maybe something eats too much CPU, consumes too much memory or spins HDD or something like this?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Trooper on August 21, 2017, 02:04:34 am
Hi fixer,

Sorry for the delay in getting back to you.  Thanks for the welcome. I plan to reinstall again to get a better handle on things.  The performance issues I had was just programs even things like Windows Explorer were slow to load.  I have changed my setup since then, and am running W10 x64 Enterprise with CU. I also have Emsisoft Antimalware and Appguard running.  Will it be ok to run ReHIPS with these two things in place?

Thanks!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on August 21, 2017, 09:46:19 am
Hi fixer,

Sorry for the delay in getting back to you.  Thanks for the welcome. I plan to reinstall again to get a better handle on things.  The performance issues I had was just programs even things like Windows Explorer were slow to load.  I have changed my setup since then, and am running W10 x64 Enterprise with CU. I also have Emsisoft Antimalware and Appguard running.  Will it be ok to run ReHIPS with these two things in place?

Thanks!

There are no known conflicts between AppGuard and ReHIPS.

AppGuard + ReHIPS + EAM => adjust the settings so you do not end up with double alerts from both the HIPS and the behavior blocker.  That configuration is over the top paranoid.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 21, 2017, 11:34:39 am
OK, if you have any problems don't hesitate to contact me directly via PM. I'm always here to help.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 24, 2017, 01:20:41 pm
Standard User account quirks:
1 If I install ReHIPS, and later I change one of the admin users to standard, sooner or later I start to get service link errors that are unsolvable even by uninstall/reinstall. I have to uninstall/reinstall+delete rules.

2 A few days ago, I installed LibreOffice in a standard user account, and it did not get isolation rules. Today I installed it in an admin account, and it got isolation rules.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 26, 2017, 10:49:01 pm
1. Service link error may mean that you need Administrator rights to connect to the Service, so you have to start GUI as Administrator or add this user to trusted users list in ReHIPS settings. This error was fixed to more obvious text in the upcoming 2.3.0 build.

2. It didn't get isolation rules or it didn't get any rules at all?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 26, 2017, 10:55:29 pm
2 It got rules but not isolation rules
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 26, 2017, 11:12:55 pm
You mean you have 2 users: Admin and non-Admin. Rules were installed for both users, but for the first user LibreOffice rules were isolating and for the second user just allowed it to execute without isolation?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 26, 2017, 11:50:02 pm
I installed Libreoffice from the standard user. I forgot to check what happened to the admin user.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on August 27, 2017, 08:37:02 pm
Thanks for your report. Added this issue to our TODO list, we'll take a look at it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on August 27, 2017, 08:55:39 pm
> add this user to trusted users list in ReHIPS settings.

I tried that. I also tried, on a different occasion, turning the standard user back into an admin user. But the error messages kept coming.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 04, 2017, 09:48:49 pm
Hey,
Sometimes when I allow a file to run (permanent rule) and then exit the application, the next time I want to run that tool again Rehips asks me and wants me to allow or block it.

Example: happened 2 times for Securemybit
Does anyone have this issue?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 04, 2017, 10:01:40 pm
> Hey,
> Sometimes when I allow a file to run (permanent rule) and then exit the application, the next time I want to run that tool again Rehips asks me and wants me to allow or block it.
>
> Example: happened 2 times for Securemybit
> Does anyone have this issue?

Either the application spawns a new process each time with a different hash or you didn't allow with the permanent option but instead used the allow once option.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 04, 2017, 10:49:39 pm
> > Hey,
> > Sometimes when I allow a file to run (permanent rule) and then exit the application, the next time I want to run that tool again Rehips asks me and wants me to allow or block it.
> >
> > Example: happened 2 times for Securemybit
> > Does anyone have this issue?
>
> Either the application spawns a new process each time with a different hash or you didn't allow with the permanent option but instead used the allow once option.

thnx for the answer but I'm sure it was the permanent rule.
IDK about hash... maybe that's why.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 05, 2017, 12:29:30 am
I just found Rehips has only one weakness and that's hook attacks? Honestly, idk what it is :) :P
But can you pls tell us how to secure our machine from these attacks? Someone told me not to set hooks but how?

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: HJLBX on September 05, 2017, 08:57:02 am
> I just found Rehips has only one weakness and that's hook attacks? Honestly, idk what it is :) :P
> But can you pls tell us how to secure our machine from these attacks? Someone told me not to set hooks but how?

https://msdn.microsoft.com/en-us/library/windows/desktop/ms632589(v=vs.85).aspx


1.  Operating System vulnerabilities (serious ones are very rare - the incidence is perhaps once every 10 years or more)
2.  Windows Hooks (advanced attack with probably the same incidence as No. 1)

If you can avoid it, don't set more hooks via ReHIPS GUI Settings\Configuration than what is already enabled by default; if you do not need default enabled hook(s), then disable them.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 05, 2017, 11:55:36 am
> I just found Rehips has only one weakness and that's hook attacks? Honestly, idk what it is :) :P
> But can you pls tell us how to secure our machine from these attacks? Someone told me not to set hooks but how?

They probably meant having hook control on and the isolated program running on the real desktop. If you use the default setting with hook control and different desktop then nothing to worry about.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 05, 2017, 03:44:25 pm
> > I just found Rehips has only one weakness and that's hook attacks? Honestly, idk what it is :) :P
> > But can you pls tell us how to secure our machine from these attacks? Someone told me not to set hooks but how?
>
> https://msdn.microsoft.com/en-us/library/windows/desktop/ms632589(v=vs.85).aspx
>
>   • Windows itself uses hooks
>   • 3rd-party programs use hooks
>   • Hooking can be done in both the kernel and user mode
>   • ReHIPS uses no hooks except probably for some specific GUI\limited monitoring stuff (ask fixer)
>   • The hooks settings you find in ReHIPS are to enable\disable Windows hooks
>
> 1.  Operating System vulnerabilities (serious ones are very rare - the incidence is perhaps once every 10 years or more)
> 2.  Windows Hooks (advanced attack with probably the same incidence as No. 1)
>
> If you can avoid it, don't set more hooks via ReHIPS GUI Settings\Configuration than what is already enabled by default; if you do not need default enabled hook(s), then disable them.

Hello,
thanks for the answer.
I know it's rare because another guy told me the same but I just wanted to know if there is a fix or patch for it :D
Sorry, but where is that enabled Hook? Do you mean lock down mode?

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 05, 2017, 03:45:48 pm
> If you use the default setting with hook control and different desktop then nothing to worry about.

I see thanks for the info.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 05, 2017, 10:20:22 pm
Let's say I'm surfing the web inside the Rehips sandbox and suddenly my browser DW a keylogger (just saying) or I installed an extension which has an inbuilt keylogger!
Question 1 = if I have an av and my av can detect that malware, will Rehips let the av work with the sandbox? I mean, does Rehips let your av monitor the isolated desktop or no?
Question 2 = what if I downloaded a keylogger and it went to the Rehips user folder, can you let us wipe the Rehips user folder every time we finish our work?
Question 3 = what kind of access do the C: Rehips user folders have? I mean can smth infect or inject or ... your windows from that folder? Or that folder can't access the real system.
 :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 06, 2017, 04:48:59 am
Hey, :)
Since I installed the win 10, every time I logged in to Windows I was facing an ugly black screen.
I did everything to fix it, read about 20 forums and also did some tweaks in the registry but the problem wasn't fixed.
Tonight I was thinking maybe this issue is about one of my software so decided to remove them one by one but the problem wasn't fixed. :-\

30 min ago I just uninstalled the Rehips and restarted the pc and the black screen went away :)
I told myself maybe this is an accident so again installed the Rehips and after that restarted the pc and again the black screen of death :-X
So I uninstalled it again and everything goes well.
My solution for this black screen was restarting the explorer via the taskbar.
Because explorer.exe was not in the process list and I had to run it manually, which was painful, but when I uninstalled the Rehips I could see that Windows can start without any problem.
How can I fix it? Omfg
Windows 10 Pro/ 1703 Build 15063.483
Also, I have the latest updates, even drivers updated, everything up to date  :-[
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 06, 2017, 01:15:16 pm
> Hey, :)
> Since I installed the win 10, every time I logged in to Windows I was facing an ugly black screen.
> I did everything to fix it, read about 20 forums and also did some tweaks in the registry but the problem wasn't fixed.
> Tonight I was thinking maybe this issue is about one of my software so decided to remove them one by one but the problem wasn't fixed. :-\
>
> 30 min ago I just uninstalled the Rehips and restarted the pc and the black screen went away :)
> I told myself maybe this is an accident so again installed the Rehips and after that restarted the pc and again the black screen of death :-X
> So I uninstalled it again and everything goes well.
> My solution for this black screen was restarting the explorer via the taskbar.
> Because explorer.exe was not in the process list and I had to run it manually, which was painful, but when I uninstalled the Rehips I could see that Windows can start without any problem.
> How can I fix it? Omfg
> Windows 10 Pro/ 1703 Build 15063.483
> Also, I have the latest updates, even drivers updated, everything up to date  :-[

Do you have any blocks? Attach your logs and mention what other security software you might use.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 06, 2017, 03:31:37 pm
> Let's say I'm surfing the web inside the Rehips sandbox and suddenly my browser DW a keylogger (just saying) or I installed an extension which has an inbuilt keylogger!
> Question 1 = if I have an av and my av can detect that malware, will Rehips let the av work with the sandbox? I mean, does Rehips let your av monitor the isolated desktop or no?
> Question 2 = what if I downloaded a keylogger and it went to the Rehips user folder, can you let us wipe the Rehips user folder every time we finish our work?
> Question 3 = what kind of access do the C: Rehips user folders have? I mean can smth infect or inject or ... your windows from that folder? Or that folder can't access the real system.
>  :)

1. ReHIPS doesn't block non-isolated processes from accessing isolated folders or processes. So it's completely up to AV, I think it shouldn't have any problems.
2. We have this feature in our TODO list.
3. You can take a look at our blogpost series (link to the first blogpost https://forum.rehips.com/index.php?topic=9544.0 ). It explains what file system access isolated processes have. Another blogpost is coming about processes access and memory injections. But in two words: nope, isolated processes can't harm non-isolated processes or Windows system processes.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 06, 2017, 10:21:09 pm

> Do you have any blocks? Attach your logs and mention what other security software you might use.

I didn't have win process in block list also I have Eset internet security but this problem existed even the first time I installed the win 10 without Eset.
 I removed the windows that time because of this ugly black screen though its windows problem.
Again 4 days ago installed the win 10 and again black screen I was telling my self maybe im unlucky or maybe my graphic card is bad but when I removed the rehips black screen gone like wtf:P
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on September 07, 2017, 01:04:47 pm
Does anyone have any issues with Chrome extensions crashing in IE?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 07, 2017, 01:07:24 pm
> Does anyone have any issues with Chrome extensions crashing in IE?

Only Chrome extensions or you can't even load a website? It used to be EAM injecting into Chrome and you having different appcontainer settings in isolated chrome and normal chrome. Though I am testing appcontained with EAM atm and it works fine. Maybe something else you use injects appcontainer and breaks it? Try disabling it because I think you enabled it a few days ago?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on September 08, 2017, 09:15:22 pm
Issue disappeared, seemed to be a one-time event...
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on September 09, 2017, 05:29:26 pm
In the past I used to use "Run as different user" with different user locale (date/time formats) to run some old programs which require different date/time formats.
So my question is, is it possible to change user locale for IE, similarly to changing variables for TEMP folders?

Also for some reason ReHIPS won't create default rules for MS Office 2016 (365), I have to download  Rules Manager and edit rules.
IIRC I have to replace "Office1?\EXCEL.EXE" with "Office16\EXCEL.EXE". Only this edit and ReHIPS will detect other programs (word, powerpoint, ...) automatically.

I am using RAMdisk and I've allowed program to access some folder on it, but each time I reboot that permission is "lost". It is in rules but it doesn't work, I have to recreate it again (delete old and create new).
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 10, 2017, 08:19:20 am
This is the third time I installed Windows this week.
But this time I didn't install Rehips to see what will happen and there is no black screen.
I guess the problems come when I have Eset and Rehips together.
The last time when I installed Windows and after that Rehips, everything WAS good, but when I installed Eset the system got worse.
Eset alone works well and I think Rehips alone will work well too... but I'm not sure and can't try it.
Also, that time I updated the drivers with Iobit drivers booster and I think this Animal made these problems but this time I didn't install it and didn't update the drivers, maybe all of these issues were about iobit?
I'm scared to install Rehips again because if the black screen comes it will get me into trouble.
I mean even if I remove the Rehips after that I have explorer crashes and the win gets worse and slow.
Is there any tool that lets you install smth and restore the system after 2 restarts? Not just one restart? Because first I need to install the rehips and after that restart it to see what will happen.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 10, 2017, 08:29:56 am
@aDVll I guess you are right and this is about other security software and in my case it's Eset.
I should try to disable eset and install rehips to see what will happen :P
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 10, 2017, 08:51:48 am
> @aDVll I guess you are right and this is about other security software and in my case it's Eset.
> I should try to disable eset and install rehips to see what will happen :P

Try whitelisting rehips agent and service in eset gui.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 10, 2017, 10:38:38 am
> > @aDVll I guess you are right and this is about other security software and in my case it's Eset.
> > I should try to disable eset and install rehips to see what will happen :P
>
> Try whitelisting rehips agent and service in eset gui.

I did but it didn't work... they don't work with each other.
Can you fix this problem Fixer? I mean what if someone wants to use Rehips with Eset? idk about other AVs but you can try yourself.
Personally, I like to have an av on my pc, I mean I want cloud and some fancy features on avs like the firewall.
I have only one way to use Rehips and that's installing the virtual os on my machine and I think it will be a good idea:/
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 10, 2017, 02:33:11 pm
> In the past I used to use "Run as different user" with different user locale (date/time formats) to run some old programs which require different date/time formats.
> So my question is, is it possible to change user locale for IE, similarly to changing variables for TEMP folders?

It's possible to change environment variables, it's described here https://forum.rehips.com/index.php?topic=2032.msg16131#msg16131 I think locale settings are also stored in ReHIPS user registry hive and can be changed in a similar way. The only problem is to find their registry location. Google says it's Control Panel\International and Control Panel\International\Geo, but I didn't check them.

> IIRC I have to replace "Office1?\EXCEL.EXE" with "Office16\EXCEL.EXE". Only this edit and ReHIPS will detect other programs (word, powerpoint, ...) automatically.

Are you sure this was the only change and it solved the issue? This is supposed to be a wildcard, and wildcards were tested. That'd be weird if wildcards are the issue.

> I am using RAMdisk and I've allowed program to access some folder on it, but each time I reboot that permission is "lost". It is in rules but it doesn't work, I have to recreate it again (delete old and create new).

Changing file system or registry permissions may take some time, especially on slow HDDs, that's why they're set only on new items, old permissions aren't reset. It's supposed that already set permissions are set and written in stone. But it seems that RAMdisk doesn't save them across reboots. Added this issue to our TODO list.

perisanboy
If ReHIPS is uninstalled, no way it can interfere with the OS, it's uninstalled completely without any traces left. So if the problem persists after ReHIPS is uninstalled, 99.999% it's not about ReHIPS.
Anyway like I wrote in PM, don't worry we'll look into this issue and we'll definitely solve it if we manage to reproduce it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on September 10, 2017, 06:54:52 pm
> It's possible to change environment variables, it's described here https://forum.rehips.com/index.php?topic=2032.msg16131#msg16131 I think locale settings are also stored in ReHIPS user registry hive and can be changed in a similar way. The only problem is to find their registry location. Google says it's Control Panel\International and Control Panel\International\Geo, but I didn't check them.

I can't try it now, but I will test it when I get more time.

> Are you sure this was the only change and it solved the issue? This is supposed to be a wildcard, and wildcards were tested. That'd be weird if wildcards are the issue.

I don't know why but ReHIPS detects Office 2007 normally.
btw this path for 2007 "C:\Program Files (x86)\Microsoft Office\Office12" and for 2016 (365) "C:\Program Files (x86)\Microsoft Office\root\Office16"
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 11, 2017, 11:35:17 am
> > It's possible to change environment variables, it's described here https://forum.rehips.com/index.php?topic=2032.msg16131#msg16131 I think locale settings are also stored in ReHIPS user registry hive and can be changed in a similar way. The only problem is to find their registry location. Google says it's Control Panel\International and Control Panel\International\Geo, but I didn't check them.
>
> I can't try it now, but I will test it when I get more time.
>
> > Are you sure this was the only change and it solved the issue? This is supposed to be a wildcard, and wildcards were tested. That'd be weird if wildcards are the issue.
>
> I don't know why but ReHIPS detects Office 2007 normally.
> btw this path for 2007 "C:\Program Files (x86)\Microsoft Office\Office12" and for 2016 (365) "C:\Program Files (x86)\Microsoft Office\root\Office16"

It should be changed to root\Office1?\EXCEL.EXE and it will work. Basically you have to add root\ in front of all paths for Office 365. This is what I am doing and I think fixer fixed the rules for the new release to reflect that.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 11, 2017, 02:01:38 pm
Yup, this root Office path should already be fixed.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on September 11, 2017, 07:54:48 pm
> Yup, this root Office path should already be fixed.

great, can't wait for next version :)

btw could you add in Isolated Programs tab column with information in which IE are currently running isolated programs located and option to terminate all programs in selected IE.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 12, 2017, 12:17:09 pm
> btw could you add in Isolated Programs tab column with information in which IE are currently running isolated programs located and option to terminate all programs in selected IE.

Thank you for your suggestion, we'll add this to our TODO list.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 14, 2017, 10:02:53 pm
Add an option to let the user disable Rehips for whatever time he wants like 15 min, 1 hour, 4 hours OR until restart.
Also when will you design a self-protection for rehips?
You said I will consider it :) I'm waiting for self-protection  :)
Another suggestion: can Rehips have this option to alert the user when he wants to install smth? And ask him do you want to disable Rehips til your install finishes? So I don't have to disable it manually when I want to install smth safe :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 15, 2017, 12:11:01 pm
Changing Working Mode for some time (like Disable for 15 mins) is already in our TODO list.

We've got self-protection in our TOCONSIDER list, so this one'll take some time as we have a bunch of items in our TODO list with higher priority.

We'll try to modify our process alert and implement another button like "it's a trusted installer", so it won't ask about children of the installer process. Still thinking how to do it best, but we've got this in our TODO list.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 15, 2017, 01:14:16 pm
Thnks for the answer it's good you already covered everything In your to do list :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on September 18, 2017, 06:54:33 am
On occasion I have seen a CMD box flash briefly, and I managed to see it - UsoClient.exe

Anyhow, I just got an alert for this UsoClient.exe a short time ago, which I allowed as per an extract of ReHIPS log, as follows:

18/09/2017 13:38:36 PM: Program C:\Windows\System32\UsoClient.exe with PID 1208 executing program C:\Windows\System32\conhost.exe with PID 3744 - allowed with children inspection (alert)
18/09/2017 13:38:36 PM: Program C:\Windows\System32\conhost.exe with PID 3744 execution - allowed (rule)
18/09/2017 13:38:36 PM: Program C:\Windows\System32\services.exe with PID 1052 executing program C:\Windows\System32\svchost.exe with PID 12416 - allowed (rule)
18/09/2017 13:38:36 PM: Program C:\Windows\System32\UsoClient.exe with PID 1208 terminated
18/09/2017 13:38:37 PM: Program C:\Windows\System32\conhost.exe with PID 3744 terminated
18/09/2017 13:38:37 PM: Program C:\Windows\System32\services.exe with PID 1052 executing program C:\Windows\System32\svchost.exe with PID 10600 - allowed (rule)
18/09/2017 13:38:40 PM: Program C:\Windows\System32\svchost.exe with PID 1260 executing program C:\Windows\System32\dllhost.exe with PID 10888 - allowed with children inspection (rule)
18/09/2017 13:38:40 PM: Program C:\Windows\System32\dllhost.exe with PID 10888 execution - allowed (rule)
18/09/2017 13:38:45 PM: Program C:\Windows\System32\dllhost.exe with PID 10888 terminated
18/09/2017 13:38:51 PM: Program C:\Windows\System32\svchost.exe with PID 1260 executing program C:\Windows\System32\dllhost.exe with PID 1512 - allowed with children inspection (rule)
18/09/2017 13:38:51 PM: Program C:\Windows\System32\dllhost.exe with PID 1512 execution - allowed (rule)
18/09/2017 13:38:56 PM: Program C:\Windows\System32\dllhost.exe with PID 1512 terminated
18/09/2017 13:38:56 PM: Program C:\Windows\System32\svchost.exe with PID 12416 executing program C:\Windows\System32\wermgr.exe with PID 6852 - allowed with children inspection (rule)
18/09/2017 13:38:56 PM: Program C:\Windows\System32\wermgr.exe with PID 6852 execution - allowed (rule)
18/09/2017 13:38:57 PM: Program C:\Windows\System32\wermgr.exe with PID 6852 terminated
18/09/2017 13:39:37 PM: Program C:\Windows\System32\svchost.exe with PID 10600 terminated
18/09/2017 13:39:45 PM: Program C:\Windows\System32\svchost.exe with PID 1064 terminated

I hope that I did the right thing in allowing it, because there was another popup, and it looks like I have created a rule.  I don't understand why this is/was necessary, or maybe I should have disallowed.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 18, 2017, 12:54:48 pm
Don't worry, UsoClient.exe is a system process and it was added in ReHIPS 2.3.0 initial database with Allow setting.
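Added example (not part of the forum thread and not ReCrypt's code): a small Python parser for the three log-line shapes visible in the excerpt above. It lists which decisions came from a user alert rather than an existing rule, how long each launched process lived, and any executable located outside C:\Windows\System32. The line grammar is inferred only from that excerpt; the System32 check and the one constructed line are assumptions of this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Optional

# Lines copied from the log excerpt posted above (a subset of it).
SAMPLE_LOG = r"""
18/09/2017 13:38:36 PM: Program C:\Windows\System32\UsoClient.exe with PID 1208 executing program C:\Windows\System32\conhost.exe with PID 3744 - allowed with children inspection (alert)
18/09/2017 13:38:36 PM: Program C:\Windows\System32\conhost.exe with PID 3744 execution - allowed (rule)
18/09/2017 13:38:36 PM: Program C:\Windows\System32\services.exe with PID 1052 executing program C:\Windows\System32\svchost.exe with PID 12416 - allowed (rule)
18/09/2017 13:38:36 PM: Program C:\Windows\System32\UsoClient.exe with PID 1208 terminated
18/09/2017 13:38:37 PM: Program C:\Windows\System32\conhost.exe with PID 3744 terminated
18/09/2017 13:38:40 PM: Program C:\Windows\System32\svchost.exe with PID 1260 executing program C:\Windows\System32\dllhost.exe with PID 10888 - allowed with children inspection (rule)
18/09/2017 13:38:40 PM: Program C:\Windows\System32\dllhost.exe with PID 10888 execution - allowed (rule)
18/09/2017 13:38:45 PM: Program C:\Windows\System32\dllhost.exe with PID 10888 terminated
18/09/2017 13:39:45 PM: Program C:\Windows\System32\svchost.exe with PID 1064 terminated
"""

# Constructed line (NOT from the thread): same file name, different folder.
CONSTRUCTED_LINE = (
    r"18/09/2017 13:40:02 PM: Program C:\Users\Public\UsoClient.exe with PID 4242 "
    r"executing program C:\Windows\System32\conhost.exe with PID 4243 - allowed (alert)"
)

# Grammar inferred from the excerpt: launch, execution and termination lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})(?: (?P<ampm>[AP]M))?: "
    r"Program (?P<path>.+?) with PID (?P<pid>\d+) "
    r"(?:executing program (?P<cpath>.+?) with PID (?P<cpid>\d+) - (?P<d1>.+?) \((?P<s1>\w+)\)"
    r"|execution - (?P<d2>.+?) \((?P<s2>\w+)\)"
    r"|(?P<term>terminated))\s*$"
)
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")


@dataclass
class Event:
    when: datetime
    kind: str                      # "launch", "execution" or "terminated"
    path: str
    pid: int
    child_path: Optional[str] = None
    child_pid: Optional[int] = None
    decision: Optional[str] = None
    source: Optional[str] = None   # "alert" (user answered) or "rule"


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The excerpt prints a 24-hour clock followed by "PM", so the suffix is ignored.
    when = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S")
    kind = "terminated" if m["term"] else ("launch" if m["cpid"] else "execution")
    return Event(when, kind, m["path"], int(m["pid"]), m["cpath"],
                 int(m["cpid"]) if m["cpid"] else None,
                 m["d1"] or m["d2"], m["s1"] or m["s2"])


def parse_log(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e]


def decided_by_alert(events: list) -> list:
    """Events whose verdict came from a user prompt, not a stored rule."""
    return [e for e in events if e.source == "alert"]


def lifetimes(events: list) -> dict:
    """Seconds between a PID's launch record and its termination record."""
    started, result = {}, {}
    for e in events:
        if e.kind == "launch":
            started[e.child_pid] = e.when
        elif e.kind == "terminated" and e.pid in started:
            result[e.pid] = (e.when - started.pop(e.pid)).total_seconds()
    return result


def ended_without_launch(events: list) -> list:
    """PIDs that terminate but were started before the excerpt begins."""
    launched = {e.child_pid for e in events if e.kind == "launch"}
    return [e.pid for e in events if e.kind == "terminated" and e.pid not in launched]


def outside_system32(events: list) -> list:
    """Heuristic of this example: paths whose folder is not C:\\Windows\\System32."""
    flagged = set()
    for e in events:
        for p in (e.path, e.child_path):
            if p and PureWindowsPath(p).parent != SYSTEM32:
                flagged.add(p)
    return sorted(flagged)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in decided_by_alert(evts):
        print(f"user allowed: {e.path} -> {e.child_path} ({e.decision})")
    print("lifetimes (s):", lifetimes(evts))
    print("started before excerpt:", ended_without_launch(evts))
    print("outside System32:", outside_system32(evts + [parse_line(CONSTRUCTED_LINE)]))
```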
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on September 22, 2017, 09:31:40 pm
After editing rules in settings and clicking on OK, the highlighted item will remain highlighted but the item above will be selected.
This can cause problems, because I can accidentally edit something other than what I want to.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on September 23, 2017, 08:03:31 pm
> After editing rules in settings and clicking on OK, the highlighted item will remain highlighted but the item above will be selected.
> This can cause problems, because I can accidentally edit something other than what I want to.

Thank you for the report. Will be fixed in upcoming releases.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 28, 2017, 09:49:40 pm
We have a rule in smart mode:
Rehips can understand a Gui is modern or no and will auto allow things if they have nice GUI.
let's say I run smth bad but it has a nice GUI like a modern GUI.
Will Rehips check my dig list to allow or block that file if the GUI was modern? or if the gui is beauty it will ignore the dig signed list?:-|
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 28, 2017, 09:54:43 pm
> We have a rule in smart mode:
> Rehips can understand a Gui is modern or no and will auto allow things if they have nice GUI.
> let's say I run smth bad but it has a nice GUI like a modern GUI.
> Will Rehips check my dig list to allow or block that file if the GUI was modern? or if the gui is beauty it will ignore the dig signed list?:-|

What are you talking about? Rehips doesn't allow anything because it has a nice gui. No program in history of software ever allowed something because it had a nothing gui.
Rehips allows by default only programs that are in the allow list or programs that are signed by trusted vendors.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 28, 2017, 10:01:56 pm
> > We have a rule in smart mode:
> > Rehips can understand a Gui is modern or no and will auto allow things if they have nice GUI.
> > let's say I run smth bad but it has a nice GUI like a modern GUI.
> > Will Rehips check my dig list to allow or block that file if the GUI was modern? or if the gui is beauty it will ignore the dig signed list?:-|
>
> What are you talking about? Rehips doesn't allow anything because it has a nice gui. No program in history of software ever allowed something because it had a nothing gui.
> Rehips allows by default only programs that are in the allow list or programs that are signed by trusted vendors.

HAHAHA, xdddd
I just saw smth like this in rehips gui, I thought it will allow smth if it has nice gui:D
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 28, 2017, 10:04:07 pm
> > > We have a rule in smart mode:
> > > Rehips can understand a Gui is modern or no and will auto allow things if they have nice GUI.
> > > let's say I run smth bad but it has a nice GUI like a modern GUI.
> > > Will Rehips check my dig list to allow or block that file if the GUI was modern? or if the gui is beauty it will ignore the dig signed list?:-|
> >
> > What are you talking about? Rehips doesn't allow anything because it has a nice gui. No program in history of software ever allowed something because it had a nothing gui.
> > Rehips allows by default only programs that are in the allow list or programs that are signed by trusted vendors.
>
> HAHAHA, xdddd
> I just saw smth like this in rehips gui, I thought it will allow smth if it has nice gui:D

I think it means appcontainer applications but for sure it doesn't auto allow if you have a nice gui.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 28, 2017, 10:13:56 pm
I see thnx for the answer:P
So Rehips doesn't care if the GUI is nice or ugly or it has old gui IMAO
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 28, 2017, 11:04:54 pm
IDK if it's a bug or just normal behavior from Rehips.
Today I just reinstalled the Rehips so it auto isolated my browser and set run isolated rule for the browser.
I just removed that rule and set Rehips to smart mode but when I ran browser Rehips generated no alert because the Yandex was already in the dig signed list ok? Everything was expected but the problem is Yandex isn't in the program list! I mean Rehips didn't add it to the programs list!
Is it normal?
Should I add Yandex manually to the list?

Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on September 28, 2017, 11:07:15 pm
Smart mode? If you have it in standard mode and yandex digital signature vendor is added in rehips it will make no alert and it will not be added in the list. It's allowed by digital signature.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 28, 2017, 11:07:52 pm
I just removed that dig signed and restart the browser so rehips asked me and I told it to allow so added it to programs list.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 28, 2017, 11:08:52 pm
> Smart mode? If you have it in standard mode and yandex digital signature vendor is added in rehips it will make no alert and it will not be added in the list. It's allowed by digital signature.

xd I call standard smart:D it's better than standard:D
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 28, 2017, 11:10:13 pm
For dig sign malware like a malware that signed with Microsoft, standard mode is not a good idea.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on September 29, 2017, 01:00:18 am
https://www.trendmicro.com/vinfo/us/security/news/security-technology/security-101-the-rise-of-fileless-threats-that-abuse-powershell
Can Rehips block this?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on September 29, 2017, 01:43:23 pm
https://www.trendmicro.com/vinfo/us/security/news/security-technology/security-101-the-rise-of-fileless-threats-that-abuse-powershell
Can Rehips block this?
It should at least alert about PowerShell script, maybe it'll generate more alerts.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on October 01, 2017, 03:15:53 am
Thnx for the answer fixer.
I can see the new feature in the program list that asks me when I want to remove a rule.
Can we have this option to tell it don't ask again? because it's painful.
Or smth like don't ask till I press ok and exit the programs list?
Another suggestion:
1-Can we have this RulesManager64 in GUI? I mean design an option in Rehips Gui and call it initial system scan or smth like that :) so the user can run it from the Gui,  everytime he wants, not the Rehips folder.
Also, let us scan the whole Windows, not only drive C, because you may have installed smth on other drives.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on October 01, 2017, 03:31:00 am
Oh, I forgot to say: when you remove Rehips, that Rehips folder will remain in c: users
Pls, do smth for this because I have to remove it manually:P
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 01, 2017, 10:35:46 am
I must be getting slow in my old age  ..."smth" > a new way to spell the word 'something'.  :-\
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on October 01, 2017, 02:00:38 pm
I can see the new feature in the program list that asks me when I want to remove a rule.
Can we have this option to tell it don't ask again? because it's painful.
It should allow multiselect, so you can select several items and remove them all at once.

1-Can we have this RulesManager64 in GUI? I mean design an option in Rehips Gui and call it initial system scan or smth like that :) so the user can run it from the Gui,  everytime he wants, not the Rehips folder.
Also, let us scan the whole Windows, not only drive C, because you may have installed smth on other drives.
Rules reinstallation is always possible via Settings->Programs tab->Reinstall Rules.
But RulesManager GUI is a different thing. RulesManager doesn't look as nice as Main GUI, so we decided not to make it easily accessible right now, it's a feature for advanced users. When we redesign it, we'll make a shortcut in Start Menu, maybe a button in Main GUI.
It doesn't scan the whole disk looking for installed programs. It scans installed programs list instead, so if a program is in that list, doesn't matter where it's installed, it'll find it.

Oh, I forgot to say: when you remove Rehips, that Rehips folder will remain in c: users
Pls, do smth for this because I have to remove it manually:P
ReHIPS user profile folder should be deleted OK. Some files may be in use, so they're removed after reboot only, but it should eventually be deleted OK. Try to see if it's there after reboot.

I must be getting slow in my old age  ..."smth" > a new way to spell the word 'something'.  :-\
Yeah, we're getting lazier to type whole words :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on October 01, 2017, 09:18:03 pm
Hei,
Thanks for the answers you gave Fixer.
I can select them together but I thought It would be good if we have that feature.
So for installing the rules that button in program list would be enough, also I didn't know it will look at the installed app.
Thnx for the info :)
I found smth and I guess it's a problem:
When you set the alert rule for smth in smart mode and then run that program it will alert you for the first time but you have to set rule for that program like allow or inspect children.
if I want to have an alert rule for smth forever I cant.
is there any way to have an alert rule for smth forever?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on October 02, 2017, 02:54:23 pm
When you set the alert rule for smth in smart mode and then run that program it will alert you for the first time but you have to set rule for that program like allow or inspect children.
if I want to have an alert rule for smth forever I cant.
is there any way to have an alert rule for smth forever?
You can select Only Once option - your choice will matter only this one time, no permanent changes will be made to the database, the next time that program is launched, ReHIPS will ask you again.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on October 02, 2017, 03:20:07 pm
Oh, I forgot this.. sorry thx for the answer.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Mr.X on October 03, 2017, 07:44:58 pm
I must be getting slow in my old age  ..."smth" > a new way to spell the word 'something'.  :-\
Getting there too!! lol
Everything's evolving, even language, for bad or good. But it's evolving.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Therapist on October 27, 2017, 04:18:47 pm
Hello, a newbie here. How to prevent ReHIPS automatically creating isolated environment for browsers? I have 3 browsers and I would like if one browser remain Un-isolated.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 27, 2017, 04:25:09 pm
Hello, a newbie here. How to prevent ReHIPS automatically creating isolated environment for browsers? I have 3 browsers and I would like if one browser remain Un-isolated.
Easier way is just change the rules to allow and be done. The more advanced way is to edit the rulepack with rule manager.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Therapist on October 27, 2017, 04:45:47 pm
Hello, a newbie here. How to prevent ReHIPS automatically creating isolated environment for browsers? I have 3 browsers and I would like if one browser remain Un-isolated.
Easier way is just change the rules to allow and be done. The more advanced way is to edit the rulepack with rule manager.
By going to the blocked tab and select the programs "can be executed" option to allow. Is that how you do it?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on October 27, 2017, 04:47:02 pm
Hello, a newbie here. How to prevent ReHIPS automatically creating isolated environment for browsers? I have 3 browsers and I would like if one browser remain Un-isolated.
Easier way is just change the rules to allow and be done. The more advanced way is to edit the rulepack with rule manager.
By going to the blocked tab and select the programs "can be executed" option to allow. Is that how you do it?
Isolated tab but all the rest are correct.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Therapist on October 27, 2017, 04:51:34 pm
Isolated tab but all the rest are correct.
Thanks!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on November 05, 2017, 03:04:39 pm
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy
Can Rehips protect the system against such bypass? I'm not talking about the SANDBOXING ability! I'm talking about the program control and hips in Rehips!
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on November 05, 2017, 03:38:23 pm
There is a powershell built-in execution policy. Like allow only scripts signed by a trusted publisher. You can think of it as of some kind of SRP (software restriction policies) extension. And it can be bypassed. That's why we don't rely on SRP and ReHIPS uses its own monitoring.
ReHIPS operates on a higher level than this built-in execution policy. So these bypasses don't affect it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: perisanboy on November 05, 2017, 04:14:26 pm
So it can be bypassed but Rehips stands here to block it. The protection is there! Thanks for the answer.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Ozone on December 27, 2017, 03:50:49 pm
Hi, could you add "Missing/Not found" tab in settings, each time MS store update apps, it will create files with different paths.
It will be easier to search which rules are unnecessary, because I also have rules for some portable apps,
and sometimes I don't have them on HDD, but I want to retain their rules.

thx
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on December 27, 2017, 06:31:29 pm
In upcoming ReHIPS 2.3.0 we implemented wildcard support for program paths. It allowed us to make one wildcard for each MS store app. And this rule remains valid and active even when this app is updated and path changes to reflect app version change. So this red old MS store apps issue should be already solved.
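The wildcard behaviour described in this answer, and the "Missing/Not found" listing requested in the post before it, as an added example that is not ReHIPS code. ReHIPS's real wildcard syntax is not given in this thread; the sketch assumes `*` and `?` that stay inside one folder or file name, and the package name, publisher id and paths are constructed.

```python
import ntpath
import re

# Constructed sample data (hypothetical package, publisher id and paths).
WILDCARD_RULE = r"C:\Program Files\WindowsApps\Contoso.Notes_*_x64__abcdefgh12345\Notes.exe"
PINNED_RULE = r"C:\Program Files\WindowsApps\Contoso.Notes_1.4.0.0_x64__abcdefgh12345\Notes.exe"
PORTABLE_RULE = r"E:\Portable\HexTool\hextool.exe"
RULES = [WILDCARD_RULE, PINNED_RULE, PORTABLE_RULE]

# Files present after the store app updated from 1.4.0.0 to 2.0.1.0
# while the drive holding the portable tool is not attached.
ON_DISK = [
    r"C:\Program Files\WindowsApps\Contoso.Notes_2.0.1.0_x64__abcdefgh12345\Notes.exe",
]


def compile_rule(rule):
    """Turn a path rule into a regex (assumed syntax, not ReHIPS's own).

    '*' matches any run of characters inside ONE path component and '?'
    matches one such character. Neither matches a backslash, unlike
    fnmatch-style globbing, so a rule cannot reach into another folder.
    """
    parts = []
    for ch in rule:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    # Windows paths are case-insensitive.
    return re.compile("".join(parts), re.IGNORECASE)


def canonical(path):
    """Convert '/' to '\\' and collapse '.' and '..' before comparing."""
    return ntpath.normpath(path)


def rule_matches(rule, path):
    """True when the whole canonical path is covered by the rule."""
    return compile_rule(rule).fullmatch(canonical(path)) is not None


def rules_without_target(rules, existing_paths):
    """Rules that no existing file matches (report only, nothing is deleted)."""
    existing = list(existing_paths)
    return [r for r in rules if not any(rule_matches(r, p) for p in existing)]


if __name__ == "__main__":
    for rule in rules_without_target(RULES, ON_DISK):
        print("no file currently matches:", rule)
```

The version-pinned rule shows up as having no target after the update while the wildcard rule stays valid; the portable rule is listed too but kept, since its program may only be temporarily absent.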
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on February 22, 2018, 08:48:21 pm
I am using RAMdisk and I've allowed program to access some folder on it, but each time I reboot that permission is "lost". It is in rules but it doesn't work, I have to recreate it again (delete old and create new).
Added option that reassigns permissions on each reboot. So will be fixed in 2.4.0.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on March 10, 2018, 09:02:23 pm
Windows error message when opening a Word doc.
This happens in the following situation:
1 I disable RH and launch Word, and leave it running.
2 I re-enable RH
3 I open a Word doc in real user space by double-click

Funny thing is, the doc opens okay, I can edit it and save changes, and Word seems to be running isolated (I see the border). So I don't know if anything is actually broken.

I am running windows 10 x64 RS3 with Windows Defender at max protection settings
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on March 11, 2018, 12:07:01 am
Another issue this evening:
When Chrome is isolated, I can't log on to a certain web page:
https://appguardllc.slack.com
And I see a blank page when I browse to https://slack.com/get-started
I tried deleting the slack cookies in chrome, but that did not fix it.
I can log on successfully when chrome is not isolated.

EDIT: I deleted chrome cache, and problem solved. Apparently, the issue is not related to ReHIPS
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on March 12, 2018, 11:00:30 pm
After some debugging looks like this Windows Defender and isolated Word conflict stems from over-maximized security settings. A setting named something like "Block Office applications from creating executable content" is the culprit. And the blocked action is a shortcut creation to the document being edited in Recent folder. The shortcut being an LNK-file triggers this Windows Defender rule. So it has nothing to do with ReHIPS. Besides it's just a shortcut, so everything works OK.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 08, 2018, 07:53:24 pm
installed ReHIPS on Win10 Spring Creators Update, no issues so far, except some occasional "service link is busy" popup at the beginning but now seems it is ok; also maybe it is placebo but i feel ReHIPS seems to load a bit slower. Nothing serious though.

Edit: non-issue, seems Win10 sometimes forget to log-off users while rebooting/shutting Down.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: aDVll on April 09, 2018, 11:24:57 am
installed ReHIPS on Win10 Spring Creators Update, no issues so far, except some occasional "service link is busy" popup at the beginning but now seems it is ok; also maybe it is placebo but i feel ReHIPS seems to load a bit slower. Nothing serious though.
Used any of the new security settings buddy? If MS doesn't push the upgrade tomorrow i will have to find a link and manually do it as i see everyone posting about the new goodies and i am on my old crap.  :( :'(
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 09, 2018, 01:45:01 pm
installed ReHIPS on Win10 Spring Creators Update, no issues so far, except some occasional "service link is busy" popup at the beginning but now seems it is ok; also maybe it is placebo but i feel ReHIPS seems to load a bit slower. Nothing serious though.
Used any of the new security settings buddy? If MS doesn't push the upgrade tomorrow i will have to find a link and manually do it as i see everyone posting about the new goodies and i am on my old crap.  :( :'(

the Core Isolation feature (aka virtualization security) can't be turned OFF if turned ON. except that, nothing special, just a redesigned WDSC.
Some Device Security features are enabled if you have the right hardware.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Reset on April 27, 2018, 07:11:49 pm
Hi. I hope to know that with Rehips installed, would it be essential to disable the protection of Rehips during the system updates? Would it be possible that Rehips blocks the updates and causes stability issues? It seems that some other security products could actually cause problems during the system updates (e.g. https://malwaretips.com/threads/novirusthanks-osarmor.78195/page-51#post-728029).

Thank you :)
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on April 28, 2018, 09:08:25 pm
It's always a good idea to disable security apps when updating, but ReHIPS is better prepared than most for a smooth update, even if you don't. This is because there is a separate set of rules for System, it lets the system do what it needs to do.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on April 28, 2018, 09:09:26 pm
Hello, Reset.
We haven't seen or got any reports that ReHIPS blocks Windows updates. The vast majority of them are Microsoft signed. This along with default rules should provide most updates installation without any alerts. You may see some alerts though, just allow them and it'll be OK.
The only thing is Lock-Down Mode that can interfere. But like I wrote in one of blogposts this is tricky mode and it should be enabled only when you know what you're doing.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 29, 2018, 07:28:21 am
Hi. I hope to know that with Rehips installed, would it be essential to disable the protection of Rehips during the system updates? Would it be possible that Rehips blocks the updates and causes stability issues?
never had any issues while updating Windows
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Reset on April 29, 2018, 02:51:36 pm
Thanks to all of you for your replies  :D

It's always a good idea to disable security apps when updating

I ever heard that Win10 Home could install the updates automatically with no prompt (I am not using Win10 now so I am not sure). If it is true, one may not be able to disable the security apps in advance. I also often worry about the case that I forgot to turn on the security apps after the updates. 

You may see some alerts though, just allow them and it'll be OK.

Sometimes the installation of the updates happens during the shutdown/startup period of the operation system. In those periods, the user cannot answer any alerts. In such case, would everything still be fine?

never had any issues while updating Windows

Your config (https://www.wilderssecurity.com/threads/what-is-your-security-setup-these-days.111264/page-1569#post-2748497) shows that you are using the Lockdown mode of Rehips. Does this mean that Rehips in Lockdown Mode has not interfered with the Windows updates on your machine?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: shmu26 on April 29, 2018, 04:12:32 pm
Hi, it's true that on Windows 10, an update is likely to be downloaded and installed in the background. But it is pretty unlikely that ReHIPS will cause problems. This is especially true with updates that are installed during shutdown/startup. ReHIPS will not interfere with those updates, because your programs -- including ReHIPS -- are not running.

If you don't like to turn ReHIPS off, then just let your updates run normally, and don't worry, everything will go okay. :) If an update fails, then you should turn off all your security, and try again. But usually it fails for another reason, not because of ReHIPS.

The danger with lockdown mode is mainly what happens AFTER the update: if there is a new file or two that was installed, and it needs whitelisting, it could cause hiccups with your desktop loading properly.
This has happened to me -- Umbra can probably tell you more about that. 
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on April 30, 2018, 08:16:17 am
Just don't use lockdown Mode during an OS update.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Reset on May 02, 2018, 11:47:08 am
Thank you for all your replies. ;D
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 25, 2018, 03:23:03 pm
I have started getting Error code:DPC_Watchdog_Violation since early September, but some days it occurs more often. Like half a dozen times a day, and soon after bootup.

I have tried many of recommended things, that you find when googling to try and fix the problem. But, nothing has worked!

However, in the past 24 hours, I decided to try something, else. This was to exit ReHIPS, soon after loading at startup. This has stopped the DPC_Watchdog_Violation problem, for the moment.   These are shown in Windows: Mini Dumps, and the "Reliability Monitor" in Windows 10.

P.S.  I found some reference to the DPC_Watchdog_Violation previously, by @paulderdash - https://forum.rehips.com/index.php?topic=2032.msg12948#msg12948
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on October 25, 2018, 06:59:52 pm
The @paulderdash issue is GlassWire-related https://forum.rehips.com/index.php?topic=2032.msg13229#msg13229 or https://forum.rehips.com/index.php?topic=7863 So it has nothing to do with ReHIPS.

If you think your issue is different, could you please enable full kernel memory dump https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file and send me the dump when it BSODs again? Hopefully it'll let us find the root of the problem.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 26, 2018, 12:59:03 am
I tried following instructions, but those seem to apply to Windows 8, and it is different for Windows 10 Pro.  I got into Advanced Recovery, but from there, the options to choose were just too many!   And, I didn't want to risk it, i.e. choosing the wrong one.

However, using an old Nirsoft utility[BlueScreen Viewer] that I had used in the past when running my now defunct XP desktop, and which now is installed on my Surface Book laptop, it shows the recent BSOD's: 



Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on October 26, 2018, 11:49:49 am
According to the screenshot, looks like it's igdkmd64.sys fault, it's for Intel graphics, and google has some entries for this.

But it's hard to be sure by the screenshot, the best way is to send me the kernel memory dump file. Configure it like here https://www.tenforums.com/tutorials/5560-configure-windows-10-create-minidump-bsod.html I believe it's Win10-related, make BSOD happen and send me the dump. Then we'll be able to find the root of the problem.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 29, 2018, 01:49:19 am
Finally, it just crashed a short time ago!  I have the dump, which I will e-mail, as requested.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Tarnak on October 29, 2018, 02:36:56 am
Well, I just learnt about this location [C:\Windows\LiveKernelReports ] which had remained hidden, and after giving permission, I gained access.



Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: fixer on October 29, 2018, 12:11:10 pm
Thank you for your report, we looked into the issue. Though it's not a full kernel memory dump and thus some memory areas are missing in the dump provided, I'm 98% sure it's the same issue already discussed here https://forum.rehips.com/index.php?topic=7863.msg15361#msg15361 It's gwdrv.sys driver, looks like they still haven't fixed it, or maybe you use an old version. In any case ReHIPS has nothing to do with it.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on January 09, 2019, 07:32:31 pm
Can we have an option to select a different PPI or resize the GUI? On one system the GUI takes almost the screen, making rehips barely usable.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on January 09, 2019, 11:15:57 pm
Can we have an option to select a different PPI or resize the GUI? On one system the GUI takes almost the screen, making rehips barely usable.
Can you provide more information about the system such as screen resolution and DPI scaling value?
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on January 10, 2019, 02:11:48 am
Display 14 inch 16:9, 1920 x 1080 pixel, Windows scaling set as 150%
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: crasher on January 10, 2019, 10:47:42 am
Display 14 inch 16:9, 1920 x 1080 pixel, Windows scaling set as 150%
As a temporary solution you can use a Qt environment variable:
Quote
QT_SCALE_FACTOR [numeric] defines a global scale factor for the whole application, including point sized fonts.
Just set it before application start. You can start from QT_SCALE_FACTOR=0.8.
We'll solve this problem completely in one of the next releases.
Title: Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
Post by: Umbra on January 20, 2019, 03:44:39 pm
thanks, will try