Recent Posts

51

ReHIPS / Task Scheduler ALPC Exploit and Rehips

« Last post by Reset on August 31, 2018, 04:32:04 pm »

As far as I know, the task scheduler alpc vulnerability allows the malicious program to call a hijack dll as SYSTEM. Could a program running inside the isolated environment of ReHIPS to escape from the isolated environment with this exploit? Thanks.

52

Developers' Blog / [FAQ] ReHIPS HWID

« Last post by fixer on August 27, 2018, 04:34:52 pm »

This blogpost should cover most frequently asked HWID questions. It'll be updated with new questions if there are any.

Q: What is HWID?
A: HWID or HardWare IDentification is a big number which uniquely identifies your PC.

Q: Why do we need HWID?
A: ReHIPS license key is bound to HWID. This prevents using one license on many PCs.

Q: Is it safe to give us your HWID?
A: HWID is just a number, it doesn't mean anything and it doesn't contain any sensitive information.

Q: Where can I see my HWID?
A: You should install ReHIPS and once its Control Center starts for the first time, it usually asks you to buy it. This window can later be opened from the ReHIPS Control Center main window->Buy button. HWID can be seen in the top of this window, it looks like this 169C08618DCCAB32EF152BFEEAF104A696B86C08.

53

Developers' Blog / [FAQ] DeployHelper

« Last post by fixer on August 20, 2018, 10:45:20 am »

You probably noticed "Run in ReHIPS DeployHelper" and "Run in ReHIPS DeployHelper as administrator" context menu items for .exe and .msi files in explorer. So what is this DeployHelper? Let's take a closer look.

As you probably know from this blogpost https://forum.rehips.com/index.php?topic=9529.0 DeployHelper is one of the ways to install ReHIPS rules. It's meant for installers/setup-files only. For example you have a setup.exe for some program. And you want to have the program isolated. Of course you can install it the usual way and then choose to Allow in isolation during first start. But some settings may be lost, you'll have to copy it enabling Copy User Data, why the hassle. Install it straight into the isolated environment. That's where DeployHelper comes into play.

Basically it starts the setup from the isolated user, so everything is installed for that user, i.e. straight into the isolated environment. It's also possible to "Run in ReHIPS DeployHelper as administrator" in case setup requires administrative privileges, in that case the user will be temporarily added to the administrator group.

But keep in mind, DeployHelper doesn't provide protection! It's there to help you install programs only.

54

ReHIPS / Re: Air vpn

« Last post by fixer on August 15, 2018, 11:43:13 am »

After some investigation looks like it was AirVPN issue that has nothing to do with ReHIPS. And as far as I know it was already addressed and fixed by AirVPN developers. So this one is solved.

55

Developers' Blog / [FAQ] ReHIPS best practices (part 6)

« Last post by fixer on August 13, 2018, 03:55:27 pm »

13. Don't do something unless you're sure of what you're doing. I know, I know, there already are literary tons of articles about this. But user-awareness is still one of the major reasons of why security incidents happen. This section includes all the advices of not to execute programs from untrusted sources, don't visit suspicious sites, etc. Even if you have all the top-notch security, do you really want to get in a battle against unknown adversary? I believe the best outcome of a battle is battle avoided.

14. Mind Trusted Users. ReHIPS Trusted Users are some kind of non-official administrators. So really think twice or better three times before you add someone there.

15. It's a good idea to know the instruments you're using well. To help know ReHIPS we made this blog subforum, so it's recommended to read it. At least topics marked with "FAQ", they're all listed here https://forum.rehips.com/index.php?topic=9520.0 They contain some ReHIPS internals, best practices, non-obvious tricks and other useful advices to help use ReHIPS to the fullest extent of its capabilities creating ultimate protection.

56

Developers' Blog / [FAQ] ReHIPS best practices (part 5)

« Last post by fixer on August 06, 2018, 03:55:29 pm »

10. Don't use Open File Access feature. This feature was already discussed in one of the previous blogposts here https://forum.rehips.com/index.php?topic=9484.0 If you want to build a safe and secure system, don't use it.

11. Keep your software number to a minimum. Each and every software may have bugs, including security ones. The problem with security software is that they usually require highest privileges possible. And it means when they're exploited, the whole system is subverted, not just a single user. And there are enough published papers showing how vulnerable some security software is, that having it installed exposes your system to a higher risk compared to a bare system without any security software at all. So the less programs you have installed and running, the less attack surface you have.

12. Move files you're working on in isolation in respective ReHIPS subfolder. ReHIPS folder was already discussed in one of the previous blogposts here https://forum.rehips.com/index.php?topic=9487.0 The best practice here is as follows. At usual times your ReHIPS subfolders are empty. When for example you download some file with an isolated browser into ReHIPS subfolder, you move it into your user profile folder right away. When you need to view or edit some document with an isolated program you move it from user profile folder (as you should keep it there along with other private data) into respective ReHIPS subfolder, view/edit it with the isolated program and move back. Bothersome? Probably. But safe and secure.

57

ReHIPS / Re: Air vpn

« Last post by aDVll on August 04, 2018, 04:11:52 pm »

it's not airvpn as i am using it forever with rehips without issues.

You need to allow a few files from airvpn though or whitelist in trusted vendors AIR DI PAOLO BRINI and if you decide to use beta version you need AIR DI PAOLO BRINI and Simon Tatham.

Also need these few command lines. I added them in the xml format as it's easier but make sure i didn't miss any. Take a note at rehi[s logs when airvpn connects to see if you have any blocks.

<TrustedCmdLine CmdLine="netsh  interface ipv4 set dns name=&quot;*&quot; source=static address=* register=primary validate=no" />
<TrustedCmdLine CmdLine="&quot;cmd.exe&quot; /c netsh interface ipv4 set dns name=&quot;Ethernet*&quot; source=static address=* register=primary validate=no" />
<TrustedCmdLine CmdLine="&quot;cmd.exe&quot; /c ipconfig /flushdns" />
<TrustedCmdLine CmdLine="&quot;cmd.exe&quot; /c ipconfig /registerdns" />
<TrustedCmdLine CmdLine="&quot;cmd.exe&quot; /c route -? PRINT" />
<TrustedCmdLine CmdLine="&quot;cmd.exe&quot; /c route add * mask 255.255.255.255 * if 19" />
<TrustedCmdLine CmdLine="&quot;cmd.exe&quot; /c route delete * if 19" />

58

Developers' Blog / [FAQ] ReHIPS best practices (part 4)

« Last post by fixer on July 31, 2018, 11:40:01 am »

7. Keep all your executable files in secure locations. By default Windows tries to provide security. That's why it suggests you to install software in either Program Files (for system-wide installation) or in user profile folder (for user-wide installation). User profile folder is already discussed in the previous paragraph, so it can be called a secure loction. Program Files (also Program Files (x86), Windows, System32 or SysWOW64 folders) are also secure locations. It means no isolated program can write there, meaning all your executable files will be perfectly safe and not tampered with.

8. Use Expert Mode. It's always preferred to use Expert Mode. Yes, you'll get more alerts. At first. But once all the programs that are often started are in ReHIPS database, there will be no more programs to alert of. And that's not a high price to pay for security, right?

9. Use separate desktops. This feature was already discussed in one of the previous blogposts here https://forum.rehips.com/index.php?topic=9483.0 In short words: it's always more secure to use separate desktops even when desktop hooks aren't allowed.

59

ReHIPS / Re: Air vpn

« Last post by fixer on July 30, 2018, 02:23:32 pm »

Thank you for the log. But unfortunately looks like you copy-pasted it from ReHIPS Log tab, it doesn't have older events like when AirVPN crashed. That's why I asked to go to Event Log and save all events. This way it'll also have events of past days. In the current log I don't see Eddie-UI crashing.

60

ReHIPS / Re: Air vpn

« Last post by Denis on July 30, 2018, 10:49:50 am »

Was not sure how to send it, so i email it