Recent Posts

ReHIPS / Re: Task Scheduler ALPC Exploit and Rehips
« Last post by fixer on October 16, 2018, 11:06:30 pm »
Hello, KentonMac and welcome to our forum.
As far as I know, ReHIPS-protected PCs (including unpatched ones) aren't vulnerable to the Task Scheduler ALPC exploit. So nothing to worry about.
But yes, we constantly monitor the newest threats and trends and try to mitigate them in the best possible way.
ReHIPS / Re: Any issues with 1809?
« Last post by aDVll on October 16, 2018, 09:14:22 pm »
Any issues, or any rules that should be added/changed?
No issues. If you use default mode and not lockdown, I don't think there is anything you need to specifically allow. At least I don't think I did.
ReHIPS / Re: Task Scheduler ALPC Exploit and Rehips
« Last post by KentonMac on October 16, 2018, 02:51:11 pm »
That's good to know, Fixer. Is stuff like this considered by the devs? I'd feel a lot safer if it is.
Developers' Blog / [FAQ] Isolated programs and profile folder
« Last post by fixer on October 15, 2018, 10:52:18 pm »
Sometimes I get questions like: "Looks like the real user profile folder is special. I can't add it in File System Objects Access Rights in an isolated environment. I can't save anything there from an isolated program, and even when I browse it from there, the contents don't look right. What's the deal with it?" Let's figure it out.

As you probably already know, isolated programs don't have any access to the real user profile folder or registry hive. And while there are folders they don't have access to but can be granted, the real user profile folder is some kind of sacred cow. It's meant to be a sanctuary for user files and folders, for their eyes only; no one else can enter there under any circumstances. That's why there is no way you can allow isolated programs to get into that folder. This should answer the question why you can't add files and folders from there in File System Objects Access Rights in an isolated environment.

But if it's such a sacred location, how can you browse there and even try to save files there from an isolated environment? The answer is simple: actually you don't browse or save files there, you access the corresponding isolated user profile folder. That's why you see strange contents: you don't browse the real user profile folder. And you save files in the corresponding isolated user profile folder. Why? Because ReHIPS transparently redirects all access by isolated programs from real user profile folders to isolated user profile folders. Why? The Copy User Data feature blogpost here answers this question. In short: programs usually keep their data in the user profile folder, they don't have access to the real user profile folder, so it's redirected to the isolated user profile folder where program data can be copied and accessed.

All of the above also applies to the real user registry hive.
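An added illustration of the two behaviours the post describes (redirection of real profile paths, and refusal to grant rights on them). This is example code written for this page, not ReHIPS's own code; the isolated profile location C:\Users\Alice_isolated and the path layout are assumptions.

```python
"""Constructed model of the profile-folder handling described above.

1. An isolated program asking for a path under the real user profile
   is transparently redirected to the isolated user profile.
2. An access-rights entry pointing into the real profile is rejected,
   because that folder can never be granted to isolated programs.
"""
from pathlib import PureWindowsPath

REAL_PROFILE = PureWindowsPath(r"C:\Users\Alice")               # constructed
ISOLATED_PROFILE = PureWindowsPath(r"C:\Users\Alice_isolated")  # assumption


def _relative_to_profile(path: str, profile: PureWindowsPath):
    """Return `path` relative to `profile`, or None if it is not inside it.

    The comparison is done per path component and case-insensitively, so
    C:\\Users\\Alice2 is NOT treated as being inside C:\\Users\\Alice (a
    plain string-prefix check would get this wrong).
    """
    parts = PureWindowsPath(path).parts
    if ".." in parts:
        # PureWindowsPath does not resolve "..", so an unnormalised path
        # could escape the profile after redirection; refuse it outright.
        raise ValueError("normalise the path before checking it")
    root = profile.parts
    if len(parts) < len(root):
        return None
    if [p.lower() for p in parts[: len(root)]] != [p.lower() for p in root]:
        return None
    return PureWindowsPath(*parts[len(root):])  # '.' when path == profile


def redirect_for_isolated(path: str) -> str:
    """Path an isolated program actually touches when it asks for `path`."""
    rel = _relative_to_profile(path, REAL_PROFILE)
    if rel is None:
        return str(PureWindowsPath(path))  # outside the profile: untouched
    return str(ISOLATED_PROFILE / rel)


def access_rights_entry_allowed(path: str) -> bool:
    """False for any object inside the real profile: it cannot be granted."""
    return _relative_to_profile(path, REAL_PROFILE) is None
```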
Developers' Blog / [FAQ] Isolating files from real user profile folder
« Last post by fixer on October 09, 2018, 06:35:04 pm »
You probably already read the blogpost about the Copy User Data feature here. Then you know that isolated programs don't have any access to the real user profile directory. It means that if you have some program, for example, on your real user desktop (which is usually the C:\Users\YOUR_REAL_USER\Desktop folder), executing this program in isolation will fail unless you enable Copy User Data. This is partially mitigated for your convenience in DeployHelper: it implicitly allows access to the installer file, but if there are multiple installer files, this limitation may also manifest.
So keep this security limitation in mind and don't be too surprised if isolation of a program from some real user profile folder fails.
ReHIPS / Any issues with 1809?
« Last post by shmu26 on October 05, 2018, 09:10:23 am »
Any issues, or any rules that should be added/changed?
Developers' Blog / [FAQ] Rules installation and files in use
« Last post by fixer on October 01, 2018, 07:36:29 am »
When ReHIPS rules for programs are installed, some files and folders may be copied from the real user profile folder into the isolated user profile folder. Why? You can read about it here under the Special Folders paragraph. But some programs open their files without any sharing allowed, thus locking them. No other program, including ReHIPS, can access them and hence can't copy them.
So make sure that no program is running when ReHIPS rules are being installed, or some files may remain uncopied.
Developers' Blog / [FAQ] When does ReHIPS install rules?
« Last post by fixer on September 24, 2018, 08:16:24 am »
Sometimes I get questions like "Hey, I manually and deliberately deleted some rule X, but after a while I see it again. How come?" Let's talk about it.

First I'd like to mention that it's generally not a good idea to delete a rule you don't need; it's better to set it to Blocked, as was already explained in one of the previous blogposts here. Having this covered, let's take a look at rules. As you probably already know, ReHIPS comes with a set of predefined rules for RulesManager. These rules get installed when you install ReHIPS (that console-like window with running strings). But they are also installed on some other events. That's why the rule you previously deleted gets reinstalled.

So RulesManager installs rules when:
-ReHIPS is installed/reinstalled/updated, to install/update rules for System and all logged-in users;
-a user request to reinstall rules is made, either from ReHIPS Control Center or from RulesManager;
-a new user logs in, to install rules for him;
-changes are detected in the installed programs list, to install rules for new programs; this one installs rules for all users or for the current user only, depending on the location of the installed program, system-wide or user-wide.
Developers' Blog / [FAQ] ReHIPS system requirements and performance
« Last post by fixer on September 17, 2018, 10:15:26 am »
Let's take a look at ReHIPS system requirements and then move to performance to find out how fast it can be. Keep in mind that all these numbers are approximate due to the volatile nature of the measured properties. They were taken for the latest stable release, ReHIPS 2.4.0, unless explicitly stated otherwise, running on Windows 10 x86 version 10.0.17134.1 in a virtual machine.

First, disk space requirements:
-the installer file is about 35Mb; it includes both x86 and x64 builds;
-installed ReHIPS occupies about 65Mb of disk space, most of which (~90%) is standard runtime libraries; so the ReHIPS code itself is about 6Mb.

Let's move to network requirements and usage for ReHIPS Corporate Edition, which is able to operate remotely via network:
-it can work satisfactorily with a 64 kbit/s network connection with 15% packet loss; it generates about 400-600Kb of traffic per hour.

Now let's take a look at RAM usage:
-ReHIPS usually has 3 processes running: Service, Agent and Control Center, which use around 4Mb, 1Mb and 22Mb of RAM respectively; so it roughly uses 27Mb of RAM. It can also operate in so-called "headless mode" with no Control Center running; in this case 5Mb of RAM is used.

And last, but not least, some performance numbers.
There is an internal benchmark.exe that simply starts 100 instances of itself and reports how much time it took. Some numbers for the latest stable release ReHIPS 2.4.0:
100-300ms   - no ReHIPS at all;
1000-1100ms - Disabled ReHIPS, no Control Center running;
1500-1600ms - Expert+Lock-Down Mode, no Control Center running;
2600-2700ms - Expert Mode with Control Center running.

And now some numbers for the latest, not yet released, ReHIPS 2.5.0 alpha.
Expert Mode with Control Center running, the process itself allowed, parenting allowed with children inspection, all entries in the permanent database. It basically means all checks are made to the maximum and nothing is skipped.
1500-1600ms - with 1 processor.
800-900ms   - with 2 processors.
700-800ms   - with 2 processors, 2 cores each=4 cores.
It means that Windows starts a process in ~2ms and ReHIPS does a full and complete check in ~8ms.

Can your security solution beat these numbers?
Developers' Blog / Re: [FAQ] DeployHelper
« Last post by fixer on September 12, 2018, 04:49:14 pm »
Yes, it's possible to do it all manually. Allow the installer in isolation and then add all programs it installs into the same isolated environment. DeployHelper does something similar, just with some bells and whistles, like trying to copy the shortcuts the installer creates to the real user environment (for example, on the real user desktop).