Recent Posts

41

Developers' Blog / [FAQ] Rules installation and files in use

« Last post by fixer on October 01, 2018, 07:36:29 am »

When ReHIPS rules for programs are installed, some files and folders may be copied from real user profile folder into isolated user profile folder. Why? You can read about it here https://forum.rehips.com/index.php?topic=9530.0 under Special Folders paragraph. But some programs open their files without any sharing allowed thus locking them. And no other program including ReHIPS can't access them and hence can't copy.
So make sure that no program is running when ReHIPS rules are being installed or some files may remain uncopied.

42

Developers' Blog / [FAQ] When does ReHIPS install rules?

« Last post by fixer on September 24, 2018, 08:16:24 am »

Sometimes I get questions like "hey, I manually and deliberately deleted some rule X, but after a while I see it again, how come?". Let's talk about it.

At first I'd like to mention that it's generally not a good idea to delete a rule you don't need, better to set it to Blocked, it was already explained in one of previous blogposts here https://forum.rehips.com/index.php?topic=11838.0 Having this covered let's take a look at rules. As you already probably know ReHIPS comes with a set of predefined rules for RulesManager. These rules get installed when you install ReHIPS (that console-like looking window with running strings). But they are also installed on some other events. That's why you have the rule you previously deleted reinstalled.

So RulesManager installs rules when:
-ReHIPS is installed/reinstalled/updated to install/update rules for System and all logged-in users;
-a user request to reinstall rules is made, either from ReHIPS Control Center or from RulesManager;
-a new user is logged in to install rules for him;
-changes are detected in installed programs list to install rules for new programs, this one installs rules for all users or for the current user only depending on the location of the installed program, system-wide or user-wide.

43

Developers' Blog / [FAQ] ReHIPS system requirements and performance

« Last post by fixer on September 17, 2018, 10:15:26 am »

Let's take a look at ReHIPS system requirements and then move to performance to find out how fast it can be. Keep in mind that all these numbers are approximate due to the volatile nature of measured properties. They were taken for the latest stable release ReHIPS 2.4.0 unless explicitly stated otherwise running on Windows 10 x86 version 10.0.17134.1 in a virtual machine.

At first disk space requirements:
-installer file is about 35Mb; it includes both x86 and x64 builds;
-installed ReHIPS occupies about 65Mb of disk space, most of which (~90%) are standard runtime libraries; so the ReHIPS code itself is about 6Mb.

Let's move to network requirements and usage for ReHIPS Corporate Edition which is able to operate remotely via network:
-it can satisfiably work with 64 kbit/s network connection with 15% packets loss; it generates for about 400-600Kb of traffic per hour.

Now let's take a look at RAM memory usage:
-ReHIPS usually has 3 processes running: Service, Agent and Control Center that use around 4Mb, 1Mb and 22Mb of RAM respectively; so it roughly uses 27Mb of RAM; it can also operate in so-called "headless mode" with no Control Center running, in this case 5Mb of RAM is used.

And last, but not least, some performance numbers.
There is an internal benchmark.exe that simply starts 100 instances of itself and tells how much time it took. Some numbers for the latest stable release ReHIPS 2.4.0:
100-300ms   - no ReHIPS at all;
1000-1100ms - Disabled ReHIPS, no Control Center running;
1500-1600ms - Expert+Lock-Down Mode, no Control Center running;
2600-2700ms - Expert Mode with Control Center running.

And now some numbers for the latest unreleased yet ReHIPS 2.5.0 alpha.
Expert Mode with Control Center running, process itself allowed, parenting is allowed with children inspection, all entries are in permanent database. It basically means all checks are made by maximum and nothing is skipped.
1500-1600ms - with 1 processor.
800-900ms   - with 2 processors.
700-800ms   - with 2 processors, 2 cores each=4 cores.
It means that Windows starts a process in ~2ms and ReHIPS does a full and complete check in ~8ms.

Can your security solution beat these numbers?

44

Developers' Blog / Re: [FAQ] DeployHelper

« Last post by fixer on September 12, 2018, 04:49:14 pm »

Yes, it's possible to do it all in a manual way. Allow installer in isolation and then add all programs it installs into the same isolated environment. DeployHelper does something similar, just with some bells and whistles like tries to copy shortcuts installer creates to the real user environment (for example on real user desktop).

45

Developers' Blog / Re: [FAQ] I don't need rule X, should I delete it?

« Last post by fixer on September 12, 2018, 04:46:27 pm »

Yes, it's in our TODO list. But not sure of when exactly. Maybe in the next 2.5.0 release, maybe in the one after it.

46

Developers' Blog / Re: [FAQ] DeployHelper

« Last post by Umbra on September 12, 2018, 05:10:38 am »

I used to do the usual way, so i can tweak the IE in the fly. but i can see the advantage of DeployHelper for those who are not tinkerers.

47

Developers' Blog / Re: [FAQ] I don't need rule X, should I delete it?

« Last post by Umbra on September 12, 2018, 05:06:55 am »

Will auto-cleaning of obsolete rules will be implemented?

48

Developers' Blog / [FAQ] I don't need rule X, should I delete it?

« Last post by fixer on September 10, 2018, 05:14:29 pm »

This question applies to both rules in ReHIPS Control Center on Programs tab in Settings and rules in RulesManager. For example you zealously examine each and every Windows update disabling any one that has telemetry features. Then you obviously don't need any telemetry rules in ReHIPS. But should you delete these rules? If not, what to do with them?

The best way is to leave them, but set to Blocked. Why? Because if you delete these rules, they'll be most likely installed again the next time you install rules or merge with newer pack of initial rules bundled with ReHIPS. If you intend to support the rules entirely by yourself and delete the unneeded rules from both Programs tab and RulesManager you'll be fine. But if you intend to merge your pack of rules with newer ReHIPS initial rules (when new ReHIPS version is released), you better leave them and set to Block. This way they won't be installed again or overwritten during merging. Besides who knows, maybe later you'll change your mind or accidentally miss some telemetry update. And ReHIPS will be there for you blocking all these processes and letting you think again.

49

Developers' Blog / [FAQ] Settings local and global

« Last post by fixer on September 03, 2018, 09:41:56 am »

I'm sure you're all familiar with the Settings window. But you probably don't know that there are 2 types of Settings: global system-wide and local user-wide.
Interface tab of Settings and lower part of Log tab are local user-wide settings. It means different real users running ReHIPS Control Center can set different settings for them, for example use different GUI languages.
All other settings are global system-wide. It means they are set globally for all users.

50

ReHIPS / Re: Task Scheduler ALPC Exploit and Rehips

« Last post by fixer on August 31, 2018, 10:01:55 pm »

I haven't researched this in detail, but I believe ReHIPS will protect from this threat as isolated programs can't create files (and hence the hardlink) in "C:\Windows\Tasks" And without it it's not possible to change DACL and thus violate anything.