ReHIPS forum

English Subforum => ReHIPS => Topic started by: shmu26 on January 06, 2017, 11:56:50 AM

Title: can be executed: alert
Post by: shmu26 on January 06, 2017, 11:56:50 AM
trying to understand how this setting works.
If I search in windows explorer for a process that has this setting, and I click on it to run it, it will start up without triggering an alert.
why is that?
Title: Re: can be executed: alert
Post by: aDVll on January 06, 2017, 12:15:47 PM
Quote from: shmu26 on January 06, 2017, 11:56:50 AM
trying to understand how this setting works.
If I search in windows explorer for a process that has this setting, and I click on it to run it, it will start up without triggering an alert.
why is that?
It's signed and in trusted vendors? It's launched by a safe application set to just allow child?

Show me the logs of when it happens and I will tell you.
Title: Re: can be executed: alert
Post by: shmu26 on January 06, 2017, 12:31:07 PM
I attached screenshots
Title: Re: can be executed: alert
Post by: aDVll on January 06, 2017, 12:47:23 PM
Explorer is set to inspect, so it launches PowerShell because you use standard mode and Microsoft is in the trusted vendor list. So it doesn't ask and allows it.

If you want to block PowerShell completely for some reason, use block instead of alert, because removing MS from the trusted vendor list is a bad idea. Too many alerts.
Title: Re: can be executed: alert
Post by: fixer on January 06, 2017, 03:06:47 PM
Thanks for the report. Now when I think about it, it doesn't seem right. If explicit Alert is desired, it should show alert, even if the file is in trusted signers. We'll change this behavior, added in TODO list.

Quote from: aDVll on January 06, 2017, 12:47:23 PM
removing MS from trusted vendor list is a bad idea. Too many alerts.
It gives alerts for programs absent in RulesPack. Can you give a list of these programs so we could add them to RulesPack?
Title: Re: can be executed: alert
Post by: aDVll on January 06, 2017, 03:15:28 PM
Quote from: fixer on January 06, 2017, 03:06:47 PM
Thanks for the report. Now when I think about it, it doesn't seem right. If explicit Alert is desired, it should show alert, even if the file is in trusted signers. We'll change this behavior, added in TODO list.

Quote from: aDVll on January 06, 2017, 12:47:23 PM
removing MS from trusted vendor list is a bad idea. Too many alerts.
It gives alerts for programs absent in RulesPack. Can you give a list of these programs so we could add them to RulesPack?
It's mostly their store programs that change version often. I would report them all, but first, not all users use them (I do because they run in AppContainer), and second, they change all the time. I can list them all if you wish, but I was waiting until you add folder and wildcard support to fix it that way.
Title: Re: can be executed: alert
Post by: shmu26 on January 06, 2017, 03:29:08 PM
thanks to both of you

Title: Re: can be executed: alert
Post by: shmu26 on January 07, 2017, 07:58:44 PM
okay, so here's an idea for the devs, based on what I was trying to do here:
ReHIPS will detect when the user disables isolation for a key app, and will activate a vulnerable processes list, along the lines of NVT ERP.
This will make ReHIPS much more flexible for a wide base of users, some of whom will inevitably want to disable isolation for certain apps.
Title: Re: can be executed: alert
Post by: aDVll on January 07, 2017, 08:52:13 PM
Quote from: shmu26 on January 07, 2017, 07:58:44 PM
okay, so here's an idea for the devs, based on what I was trying to do here:
ReHIPS will detect when the user disables isolation for a key app, and will activate a vulnerable processes list, along the lines of NVT ERP.
This will make ReHIPS much more flexible for a wide base of users, some of whom will inevitably want to disable isolation for certain apps.
It already does though, buddy. You set it to inspect or alert, and with the change Fixer mentioned above you can actually easily have a vulnerable process list as you wish. There is 0 reason to have an extra tab for them, and ReHIPS already has pretty secure rules for them.
Might be missing what you want.
Title: Re: can be executed: alert
Post by: shmu26 on January 07, 2017, 09:17:16 PM
fixer's proposed change is great.
The idea here is to take the work out of it, for intermediate users who disable isolation on some apps. ReHIPS could build them a nice vulnerable processes list, to trigger execution alerts for whatever they need to keep themselves safe. The pros on the ReHIPS team know what processes need to be alerted when you don't have isolation.
Just an idea, take it or leave it...
Title: Re: can be executed: alert
Post by: aDVll on January 07, 2017, 10:59:06 PM
Quote from: shmu26 on January 07, 2017, 09:17:16 PM
fixer's proposed change is great.
The idea here is to take the work out of it, for intermediate users who disable isolation on some apps. ReHIPS could build them a nice vulnerable processes list, to trigger execution alerts for whatever they need to keep themselves safe. The pros on the ReHIPS team know what processes need to be alerted when you don't have isolation.
Just an idea, take it or leave it...
I see what you are saying, but it does do that already. The point is not to block the execution of vulnerable processes but them executing something else. The dev team, I believe, did a good job of setting all of those to inspect so you get a notification.
Let's say potato.exe is a malware downloader and I allow it to run PowerShell. Good, it runs it, and when it tries to execute the actual malware I get an alert, because PowerShell is on inspect by default.

Don't get me wrong, I am trying to understand what you mean. You want to also block the execution of PowerShell in my example when I change 1 isolated application to allow?
Title: Re: can be executed: alert
Post by: shmu26 on January 07, 2017, 11:11:05 PM
I want it not to block powershell, but to alert upon execution.
Why? Because maybe PowerShell -- or another process -- will be abused by an exploit to make certain system changes such as modifying the registry, or loading DLLs, or disabling all security softs from startup. These are changes that, as far as I understand, do not necessarily require executing a second process, so they won't be blocked or alerted, as things stand now.
Once you take away the isolation, you become vulnerable to this kind of thing.
Please correct me if I am out to lunch on this issue
Title: Re: can be executed: alert
Post by: aDVll on January 07, 2017, 11:14:37 PM
Quote from: shmu26 on January 07, 2017, 11:11:05 PM
I want it not to block powershell, but to alert upon execution.
Why? Because maybe PowerShell -- or another process -- will be abused by an exploit to make certain system changes such as modifying the registry, or loading DLLs, or disabling all security softs from startup. These are changes that, as far as I understand, do not necessarily require executing a second process, so they won't be blocked or alerted, as things stand now.
Once you take away the isolation, you become vulnerable to this kind of thing.
Please correct me if I am out to lunch on this issue
PowerShell and things like that need to execute something to do harm. Them just running doesn't do anything; it's just like you run it manually. When they try to execute something you will get an alert by default.
Title: Re: can be executed: alert
Post by: shmu26 on January 07, 2017, 11:32:48 PM
okay, but powershell at its present settings will just inspect children. So if a valid windows process is invoked by the command line, it will run.
Title: Re: can be executed: alert
Post by: aDVll on January 07, 2017, 11:37:50 PM
Quote from: shmu26 on January 07, 2017, 11:32:48 PM
okay, but powershell at its present settings will just inspect children. So if a valid windows process is invoked by the command line, it will run.
Cool the valid windows process runs. Then?
No windows process does anything malicious without executing something not from windows and not whitelisted.

The reason NVT and programs like that have a vulnerable processes list is that the only way to control issues is by stopping the first execution, because they just allow or block. ReHIPS has an alert mode and an inspect mode which fills that role, giving you more granular control.
Title: Re: can be executed: alert
Post by: shmu26 on January 07, 2017, 11:47:59 PM
Okay, I don't have a proper background in these things, but I thought that valid Windows processes could be used to disable your security softs from startup, download DLLs, and make changes to the registry. Then it's game over.
Title: Re: can be executed: alert
Post by: aDVll on January 07, 2017, 11:56:43 PM
Quote from: shmu26 on January 07, 2017, 11:47:59 PM
Okay, I don't have a proper background in these things, but I thought that valid Windows processes could be used to disable your security softs from startup, download DLLs, and make changes to the registry. Then it's game over.
It can, but it has to execute something, not just launch the process. Execution of child and sub programs is monitored for the vulnerable processes. If you see one that is not, maybe report it so the defaults can change.
Also I suggest you enable UAC at max, and then you stop most of this from the start if they try to mess with Windows crap getting admin rights.
Title: Re: can be executed: alert
Post by: shmu26 on January 08, 2017, 09:19:08 AM
what happens to my custom rules when Windows updates the file and the hash changes? Do my rules still work?
Title: Re: can be executed: alert
Post by: Ozone on January 08, 2017, 11:17:13 AM
Quote from: shmu26 on January 08, 2017, 09:19:08 AM
what happens to my custom rules when Windows updates the file and the hash changes? Do my rules still work?
I have similar situation
I am testing Nightly (Firefox), which has updates almost every day.

I think ReHIPS will alert you and then you can replace the hash, unless you check ignore file modification.

Title: Re: can be executed: alert
Post by: aDVll on January 08, 2017, 11:35:39 AM
Quote from: shmu26 on January 08, 2017, 09:19:08 AM
what happens to my custom rules when Windows updates the file and the hash changes? Do my rules still work?
Yes, the rules auto update because MS is in the trusted vendor list. They don't change from what you set them.
Title: Re: can be executed: alert
Post by: aDVll on January 08, 2017, 11:36:28 AM
Quote from: Ozone on January 08, 2017, 11:17:13 AM
Quote from: shmu26 on January 08, 2017, 09:19:08 AM
what happens to my custom rules when Windows updates the file and the hash changes? Do my rules still work?
I have similar situation
I am testing Nightly (Firefox), which has updates almost every day.

I think ReHIPS will alert you and then you can replace the hash, unless you check ignore file modification.
It will not ask if Mozilla is in the trusted vendor list.
Title: Re: can be executed: alert
Post by: shmu26 on January 08, 2017, 11:41:28 AM
so I now noticed that for all those system files for which ReHIPS has default rules, "ignore file modification" is ticked by default.
So I assume that means the rule will stay unchanged, even if the file changes due to a Windows update or whatever.
Title: Re: can be executed: alert
Post by: aDVll on January 08, 2017, 11:43:17 AM
Quote from: shmu26 on January 08, 2017, 11:41:28 AM
so I now noticed that for all those system files for which ReHIPS has default rules, "ignore file modification" is ticked by default.
So I assume that means the rule will stay unchanged, even if the file changes due to a Windows update or whatever.
Yeah. It would have stayed unchanged anyway, I believe, because of MS being in the trusted file list. I just tested this with another program just now and that was the case. I assume the same would happen with these MS files.
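The exchange above turns on how a rule keyed to a file hash behaves once Windows Update replaces the binary: the SHA-256 changes, but the Authenticode signer does not. The script below is an added illustration, not ReHIPS code and not from anyone in this thread; it reads the hash and signer of a binary and then evaluates three hypothetical rule records modelled loosely on what the posts describe (hash only, hash plus trusted publisher, hash plus an "ignore file modification" flag). The rule structure, the powershell.exe path and the stale all-zero hash are assumptions made for the example.

```powershell
# Added example (not ReHIPS code): hash-pinned vs publisher-pinned rule matching.

function Get-BinaryIdentity {
    param([Parameter(Mandatory)][string]$Path)

    # SHA-256 of the file contents: this is what changes on every update.
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash

    # Authenticode signature: the signer subject survives an update as long
    # as the vendor keeps signing with a certificate for the same subject.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path      = $Path
        Sha256    = $hash
        SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Hypothetical rule record: pinned hash, optional trusted publisher CN,
# and a flag standing in for "ignore file modification".
function Test-RuleStillMatches {
    param(
        [Parameter(Mandatory)]$Identity,
        [Parameter(Mandatory)][hashtable]$Rule
    )

    if ($Identity.Sha256 -eq $Rule.Sha256) {
        return 'match: hash unchanged'
    }
    if ($Rule.IgnoreFileModification) {
        return 'match: hash changed, but the rule ignores file modification'
    }
    if ($Rule.TrustedPublisher -and $Identity.SigStatus -eq 'Valid' -and
        $Identity.Signer -like "*CN=$($Rule.TrustedPublisher)*") {
        return 'match: hash changed, file still validly signed by the trusted publisher'
    }
    return 'no match: hash changed and no publisher/ignore fallback (expect a new alert)'
}

# Assumed path; adjust for your system.
$ps = Get-BinaryIdentity "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$ps | Format-List

# Simulate a post-update rule by pinning a stale hash (constructed, not real).
$staleHash = '0' * 64

$hashOnlyRule = @{ Sha256 = $staleHash; TrustedPublisher = $null;               IgnoreFileModification = $false }
$vendorRule   = @{ Sha256 = $staleHash; TrustedPublisher = 'Microsoft Windows'; IgnoreFileModification = $false }
$ignoreRule   = @{ Sha256 = $staleHash; TrustedPublisher = $null;               IgnoreFileModification = $true }

Test-RuleStillMatches -Identity $ps -Rule $hashOnlyRule
Test-RuleStillMatches -Identity $ps -Rule $vendorRule
Test-RuleStillMatches -Identity $ps -Rule $ignoreRule
```

Run it in a normal PowerShell session; only the first rule falls through to "no match". The publisher check is the one to be careful with: it only holds while the signature status is Valid, so a tampered or re-signed binary with the same path would fall back to the hash check rather than being waved through on subject name alone.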
Title: Re: can be executed: alert
Post by: shmu26 on January 08, 2017, 11:46:38 AM
that's a very cool setting, I guess it is crucial in order for ReHIPS to keep working as intended after a major Windows update wreaks havoc on the system files.
Title: Re: can be executed: alert
Post by: aDVll on January 08, 2017, 11:47:51 AM
Quote from: shmu26 on January 08, 2017, 11:46:38 AM
that's a very cool setting, I guess it is crucial in order for ReHIPS to keep working as intended after a major Windows update wreaks havoc on the system files.
Check above edit i made. It's not really needed in this case i believe.
Title: Re: can be executed: alert
Post by: shmu26 on January 08, 2017, 12:03:36 PM
even if you are in expert mode, the trusted publishers list does something?
Title: Re: can be executed: alert
Post by: aDVll on January 08, 2017, 12:06:08 PM
Quote from: shmu26 on January 08, 2017, 12:03:36 PM
even if you are in expert mode, the trusted publishers list does something?
Nope, expert mode ignores the trusted vendor list so then the setting to ignore file changes is needed.
Title: Re: can be executed: alert
Post by: shmu26 on March 30, 2017, 08:09:41 AM
Quote from: fixer on January 06, 2017, 03:06:47 PM
Thanks for the report. Now when I think about it, it doesn't seem right. If explicit Alert is desired, it should show alert, even if the file is in trusted signers. We'll change this behavior, added in TODO list.

Was this implemented in ReHIPS 2.2.0_RC4_prosperity?
Title: Re: can be executed: alert
Post by: Umbra on March 30, 2017, 10:25:02 AM
Quote from: aDVll on January 07, 2017, 11:37:50 PM
Quote from: shmu26 on January 07, 2017, 11:32:48 PM
okay, but powershell at its present settings will just inspect children. So if a valid windows process is invoked by the command line, it will run.
Cool the valid windows process runs. Then?
No windows process does anything malicious without executing something not from windows and not whitelisted.
Exactly, I don't see the point of blocking a valid process if it does nothing wrong. And if it spawns something else, you get the alert, so who cares. If you don't like it to run in the first place, just change the rule yourself.
And you should be prepared to use PowerShell, because MS plans to remove cmd.exe and only use PowerShell...

Quote from: aDVll on January 07, 2017, 11:37:50 PM
The reason NVT and programs like that have a vulnerable processes list is that the only way to control issues is by stopping the first execution, because they just allow or block. ReHIPS has an alert mode and an inspect mode which fills that role, giving you more granular control.
Exactly, first ReHIPS isn't an anti-exe. It is a sandbox with Application Control. If you want an ERP feature, just use ERP.
Shmu, you are too obsessed with ERP's vulnerable process list; I told you many times already, don't try to push this on every soft you want to use... if you want something similar in ReHIPS, you can build it yourself via the rules manager.

ReHIPS has lot of options to make it very tight, just learn to use them before asking features.
Title: Re: can be executed: alert
Post by: fixer on March 30, 2017, 10:55:16 AM
Quote from: shmu26 on March 30, 2017, 08:09:41 AM
Quote from: fixer on January 06, 2017, 03:06:47 PM
Thanks for the report. Now when I think about it, it doesn't seem right. If explicit Alert is desired, it should show alert, even if the file is in trusted signers. We'll change this behavior, added in TODO list.

Was this implemented in ReHIPS 2.2.0_RC4_prosperity?
Yup.
Title: Re: can be executed: alert
Post by: shmu26 on March 30, 2017, 11:06:45 AM
Quote from: fixer on March 30, 2017, 10:55:16 AM
Yup.
Thanks.
@Umbra: my feature request is not a change in concept. It merely allows the user more freedom in defining rules.
Each user is entitled to his own paranoia...
Title: Re: can be executed: alert
Post by: Umbra on March 30, 2017, 12:38:09 PM
Quote from: shmu26 on March 30, 2017, 11:06:45 AM
It merely allows the user more freedom in defining rules.
They can already do it, they just have to change the settings of the said rules.