Recent Posts

ReHIPS / Re: ReHIPS Questions
« Last post by fixer on December 29, 2019, 12:26:48 pm »
Hello, LimeKey.
Welcome to our forum and thank you for your interest in our product.

1. I guess you're referring to this blogpost https://forum.rehips.com/index.php?topic=11868.0 ? Even when ReHIPS is Disabled, it gets notified about processes starting and exiting and other things. You can notice it by the logs, they keep coming. Slowing a process startup by 10 times is not entirely correct. You see, for these tests a special program was used that does nothing on startup to minimize the time it takes to start. For this program, yes, startup with ReHIPS takes 10 times more. But even in this case a single start takes about 10ms, I don't think you'll notice this time interval or that you start hundreds of processes in a second to start noticing it. Let's return to the real world. In the real world programs take some time to start, some bulky programs take more time. For example a program takes 1 second to start. With ReHIPS it'll take 1 second+~8ms=1.008 seconds to start, the difference is 0.8%. So I don't think it's noticeable.

2. The most simple (and insecure) way to do this is to simply allow READ+WRITE access to the desired folder. And voila. More secure alternatives usually take more steps. For example if a program supports it, it can read from one folder, but save to some other. Or you can copy files to a ReHIPS folder and process them there. As usual, the more secure you want to have it, the less convenient it'll be. On the other hand, I doubt a steganography program will insert some scary exploit into the images and that security should be tightened to the max in this case.
ReHIPS / ReHIPS Questions
« Last post by LimeKey on December 29, 2019, 11:09:14 am »
I've been researching ReHIPS as an alternative to Sandboxie for me, and I have a few questions.

1.  According to the FAQ about performance, it seemed to indicate that if ReHIPS is installed, but set to Disabled, applications will experience a 10-fold increase in startup time.

Is that correct?  The FAQ seems to indicate that these are fantastic numbers, but slowing down application startup by an order of magnitude seems to be absolutely awful.  If I have ReHIPS set to disabled, why would application start times have any additional lag whatsoever?
Or does it only refer to apps that are started in isolation while ReHIPS is set to Disabled?

2.  Some applications are designed to process existing files - for example, an application that adds/modifies steganography in images might do the following:

a.  Scan the contents of a folder to find the appropriate files it wants to modify.
b.  Copy each target file to a backup (e.g. Target.jpg to Target.jpg.BAK).
c.  Modify the target file or delete the original and add the new replacement.
If I run this type of application sandboxed through Sandboxie, then the original folder remains protected and untouched - but I can find all new/modified files in the sandbox and selectively decide which ones to bring over into the actual file system.

Is this something that I can do with ReHIPS?  If so, just how messy a process will it be?
ReHIPS / Re: Some questions
« Last post by fixer on December 21, 2019, 09:20:19 pm »
Could you please describe it step-by-step, what you do, what exactly you get and what you expect to get with full real paths and paths in ReHIPS. And we'll try to reproduce the issue. Thank you.
ReHIPS / Re: Is there a conflict with sandboxie?
« Last post by fixer on December 20, 2019, 11:47:50 pm »
You're welcome ;)
ReHIPS / Re: Is there a conflict with sandboxie?
« Last post by nick on December 20, 2019, 10:14:35 pm »
Thank you for taking the time to explain.
ReHIPS / Re: Some questions
« Last post by nick on December 20, 2019, 10:12:18 pm »
Thanks for clarifying all of these. About the asterisks I'm not sure where exactly the problem is. It happens when I use scoop isolated and it tries to execute git:
the path is ...\scoop\apps\git\2.23.0.windows.1\cmd\git.exe (with 3 more parent folders without any space or special characters). Any combination of asterisks, even exactpath\*.exe, is not working, I get a popup window asking what to do with git.exe of the above path. If you don't get the same result for a path like that I can explain with all details under what conditions it happens for me (the rule is to open it in the same isolated environment).
ReHIPS / Re: Is there a conflict with sandboxie?
« Last post by fixer on December 19, 2019, 11:16:38 am »
In ReHIPS it's possible to allow or block access to registry keys or file system objects (files and folders). But logging is quite complicated. You see, Sandboxie is built on hooking and proxying calls. A lot of hooking actually. And this concept has its advantages and drawbacks. For example it has a performance penalty. But since it proxies each and every call it can log access attempts quite freely. ReHIPS on the other hand doesn't control access itself, it relies on the security checks Windows already implements, so ReHIPS isn't involved when a program tries to access something, ReHIPS can even be disabled when it happens, Windows does all the heavy lifting. As a drawback there is no simple way to log these access attempts. Well, something can actually be done, logging access to certain objects is possible via the Windows audit system. But it isn't useful when it comes to a situation like "this program wants something, but I don't know what".
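As an added illustration of the Windows audit-system alternative mentioned above (example added here, not from the forum or the ReHIPS product), the script below puts an audit entry on one folder for a single account and then reads the resulting Security-log events. It assumes the isolated account is a local user named ReHIPSUser and that C:\Data is the folder of interest; both are placeholders to adjust.

```powershell
# Added example (not ReHIPS code): log file-access attempts by one isolated account
# using Windows Object Access auditing. Run from an elevated PowerShell session.
# Assumptions (placeholders): isolated account 'ReHIPSUser', watched folder C:\Data.
$Folder    = 'C:\Data'
$Account   = 'ReHIPSUser'                       # assumed isolated-account name
$Principal = "$env:COMPUTERNAME\$Account"

# 1. Enable the File System subcategory of Object Access auditing for both outcomes,
#    otherwise SACL entries generate nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry: any read/write/append/delete attempt by that account on the
#    folder (and everything below it) is written to the Security log.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]'ReadData,WriteData,AppendData,Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. After running the isolated program: list what that account touched or was
#    refused. 4663 = object accessed; 4656 = handle requested (a failure 4656 is the
#    access-denied case, which is what the audit rule above also captures).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 500 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = $d['SubjectUserName']
            Process = $d['ProcessName']
            Object  = $d['ObjectName']
            Access  = $d['AccessMask']
        }
    } |
    Where-Object { $_.Account -eq $Account } |
    Format-Table -AutoSize
```

This only answers "what did the isolated program touch under C:\Data", not the open-ended "what does it want" question raised in the post; every object you care about needs its own SACL entry.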
ReHIPS / Re: Some questions
« Last post by fixer on December 19, 2019, 11:07:15 am »
Thank you for your report.

1. Probably we left it intentionally as something was broken, will investigate it.

2. C:\test\2.23.0.windows.1\test.exe seems to be recognized by C:\test\*\test.exe wildcard. Or am I missing something?

3. Yup, it's a bug, already fixed, will be in the new release.

4. Explorer is quite capricious. It handles a lot of things so there should be only one explorer running. Other starting explorers exit when they see they're not the only ones. The thing is, they usually delegate what they're supposed to do to the running explorer. But an isolated explorer is in a different position. It can't delegate anything as it's isolated and can't communicate freely with the trusted running explorer. But it also can't run as there already is one running explorer. So it basically can do nothing.

5. You can press F1 for the built-in help file to open. In short, not every user can access ReHIPS Control Center because of security reasons. By default only administrators can. But some users prefer to use simple user accounts for their every-day routine. In this case add this user to trusted users and they'll be able to interact with Control Center.
ReHIPS / Re: Is there a conflict with sandboxie?
« Last post by nick on December 16, 2019, 08:38:43 pm »
It's not necessarily about malware but could be security-weak or no longer developed software, so it might eventually open security holes in the system. As long as I am able to control what changes are done and where, I can be ok with that. What I would prefer to exist as a feature is a way to be able to revoke them. As I mentioned above (because of the files' owner difference), it's doable for files, although not trivial and perhaps not guaranteed without advanced skills, but it's not possible for registry changes. A log for those and a way to revoke them by deletion of an isolated environment would be nice (and that is the difference I was referring to above with Sandboxie).
ReHIPS / Re: Is there a conflict with sandboxie?
« Last post by fixer on December 16, 2019, 12:17:45 pm »
I described basic restrictions applied by default. If you want, you can weaken them. For example allow any access to system registry or files. Access to real-user registry hive and profile folder will be denied anyway, but with Copy User Data it's possible to copy required data to ReHIPSUser registry hive/profile folder.

If a program requires admin rights (and I mean it really needs them and not just asks because the developer copy-pasted this code just in case), then there is no safe way to run this program. If you really need it and don't trust it, consider using some VM like VMWare or VBox.