Recent Posts

31

ReHIPS / Re: Isolate desktop versions of web apps?

« Last post by shmu26 on October 22, 2018, 05:21:04 pm »

Thanks fixer.
Since apps of this type display content from a remote server, I thought they might be similar to a browser. Some apps, such as Slack, display what you would see if you logged on to the website.
Toggl used to be like that, but now it has a very different GUI from the webpage, although the data it presents is essentially the same.

32

Developers' Blog / [FAQ] Lock-Down Mode

« Last post by fixer on October 22, 2018, 12:22:25 pm »

From help file:

When "Lock-Down Mode" is enabled, ReHIPS works silently without notification messages showing. ReHIPS blocks all unknown and untrusted programs according to its database and Protection mode.

Lock-Down Mode is really useful in some cases, but it should be used with care. Let's talk about it.

There are 2 main scenarios where Lock-Down Mode comes in really handy.

1. Time "windows" when ReHIPS Control Center isn't connected to Service. This includes "windows" when Windows starts or shuts down and ReHIPS Control Center hasn't yet started or already exited, maybe some really rare cases when Control Center crashes (that's definitely a bug and should be fixed, but we have to be ready for anything) or when remote connection (corporate editions support remote administration) is lost because of network issues. When ReHIPS Control Center isn't connected to Service, ReHIPS doesn't filter processes as without its main GUI it won't be able to ask user and silently blocking processes may not be a good idea. Unless Lock-Down Mode is enabled. In this case Lock-Down Mode without GUI is the best option.

2. Headless ReHIPS installation. This use-case scenario is more corporate than home user. For example it's useful in domain environments where administrator does all the installation and setup and ReHIPS provides high level of security working completely without GUI not to bother accountants or other employees with technicalities. Or for example it's perfect for computers with rarely changing set of programs like ATM, payment terminals, etc. In this case enabled Lock-Down Mode is really useful.

But make sure you know what you're doing before you enable this mode. If you have this mode enabled and some critical or important system process isn't allowed when you boot, your system may become unstable. Of course there is nothing irreversible, you can always boot in safe mode (ReHIPS doesn't automatically load in this mode allowing you to troubleshoot freely) or manually edit settings.xml file (even with notepad) setting this option to false thus disabling it. But it's always best to prevent than to fix the consequences. So double check everything before you enable this mode.

33

ReHIPS / Re: Isolate desktop versions of web apps?

« Last post by fixer on October 22, 2018, 12:18:50 pm »

There was a blogpost about what programs should be isolated here https://forum.rehips.com/index.php?topic=9542.0
From this blogpost and from the official site description of what this program does, I personally wouldn't isolate Toggl.

34

ReHIPS / Isolate desktop versions of web apps?

« Last post by shmu26 on October 22, 2018, 08:12:34 am »

What about the desktop versions of Slack, Wavebox, Toggl, etc?
Should they be isolated? What are the security risks?
And what if I run them from Program Files, instead of from Appdata?
I am particularly interested in Toggldesktop, because that's the one I actually use.
https://toggl.com
https://toggl.com/toggl-desktop/
Toggldesktop works when isolated, but it does not respond to keyboard shortcuts to start and stop the timer.

35

ReHIPS / Re: Task Scheduler ALPC Exploit and Rehips

« Last post by fixer on October 16, 2018, 11:06:30 pm »

Hello, KentonMac and welcome to our forum.
As far as I know ReHIPS-protected PCs (including unpatched) aren't vulnerable to Task Scheduler ALPC Exploit. So nothing to worry about.
But yes, we constantly monitor for newest threats and trends and try to mitigate them the best possible way.

36

ReHIPS / Re: Any issues with 1809?

« Last post by aDVll on October 16, 2018, 09:14:22 pm »

Any issues, or any rules that should be added/changed?

No issues. If you use default mode and not lockdown i don't think there is anything you need to specifically allow. At least i don't think i did.

37

ReHIPS / Re: Task Scheduler ALPC Exploit and Rehips

« Last post by KentonMac on October 16, 2018, 02:51:11 pm »

That's good to know, Fixer. Is stuff like this considered by the devs? I'd feel a lot safer if it is.

38

Developers' Blog / [FAQ] Isolated programs and profile folder

« Last post by fixer on October 15, 2018, 10:52:18 pm »

Sometimes I get questions like: "Looks like real user profile folder is special. I can't add it in File System Objects Access Rights in isolated environment. I can't save anything there from isolated program, even when I browse it from there, the contents don't look right. What's the deal with it?" Let's figure it out.

As you already probably know, isolated programs don't have any access to real user profile folder or registry hive. And while there are folders they don't have any access to, but it can be granted, real user profile folder is some kind of a sacred cow. It's meant to be a sanctuary for user files and folders, for his eyes only, no other can enter there under no circumstances. That's why no way you can allow isolated programs get into that folder. This should answer the question why you can't add files and folders from there in File System Objects Access Rights in isolated environment.

But if it's such a sacred location, how can you browse there and even try to save files there from isolated environment? The answer is simple: actually you don't browse or save files there, you access corresponding isolated user profile folder. That's why you see strange contents, you don't browse real user profile folder. And you save files in corresponding isolated user profile folder. Why? Because ReHIPS transparently redirects for isolated programs all access to real user profile folders to isolated user profile folders. Why? Copy User Data feature blogpost here https://forum.rehips.com/index.php?topic=9560.0 answers this question. In short words: programs usually keep their data in user profile folder, they don't have access to real user profile folder, so it's redirected to isolated user profile folder where program data can be copied and accessed.

All of the said above also applies to real user registry hive.

39

Developers' Blog / [FAQ] Isolating files from real user profile folder

« Last post by fixer on October 09, 2018, 06:35:04 pm »

You probably already read a blogpost about Copy User Data feature here https://forum.rehips.com/index.php?topic=9560.0 Then you know that isolated programs don't have any access to the real user profile directory. It means if you have some program for example on your real user desktop (which is usually C:\Users\YOUR_REAL_USER\Desktop folder) executing this program in isolation will fail unless you enable Copy User Data. This is partially mitigated for your convenience in DeployHelper, it implicitly allows access to the installer file, but if there are multiple installer files, this limitation may also manifest.
So keep in mind this security limitation and don't get too surprised if isolation of a program from some real user profile folder fails.

40

ReHIPS / Any issues with 1809?

« Last post by shmu26 on October 05, 2018, 09:10:23 am »

Any issues, or any rules that should be added/changed?