Recent Posts

81

ReHIPS / Does ReHIPS is supposed to work with this GPO elevation prompt setting?

« Last post by reasonablePrivacy on June 26, 2018, 06:07:24 pm »

User Account Control: Behavior of the elevation prompt for standard users
set to:
Automatically deny elevation requests

I had some problems with isolating programs with this setting.

82

Developers' Blog / [FAQ] What is ReHIPS? What can it do?

« Last post by fixer on June 24, 2018, 02:49:37 pm »

Sometimes new potential users come and ask "what is ReHIPS? what can it do?". Let's take a brief overview of ReHIPS features and find out what it can do. Basically ReHIPS provides the following:

1. Process control. When a process is started, inspection takes place, whether parent process is allowed to start processes, whether process being started is allowed to start, file hashes and digital signatures are checked, command lines can be inspected, etc. This provides fine-grained control over all starting and running processes.

2. Sandboxing. Any untrusted process can be executed in a sandbox (executed from a separate restricted ReHIPS-user), so it won't affect the system or other processes (non-isolated or isolated in other isolated environments). Isolated processes can have their own desktop; access to network and other system resources including file system objects and registry can be filtered.

3. Some AntiSpy stuff like disabling camera and microphone. This one is quite simple and straight-forward, but some people really like it.

4. Centralized control. It's possible to create and customize a pack of rules exactly to fit your needs and manage computers remotely or groups of computers via Active Directory. This is utilized in ReHIPS Corporate Edition, so if you plan to use ReHIPS at home, you probably won't need it.

5. Additional protection echelons. They're implemented as plugins and provide additional protection like control over common startup points or reaction to uncommon events like strange new users being added. But this is also in ReHIPS Corporate Edition, custom builds for your ultimate and precise protection, so if you plan to use ReHIPS at home, you probably won't need it.



Besides these major features ReHIPS:

-is based on well documented certified safe and secure Windows built-in security subsystems (no kernel-mode hooks, hardware virtualization-based PatchGuard bypasses and other dirty hacks), hence ReHIPS provides unprecedented protection, ensures system stability and integrity and doesn't increase attack surface;

-is compatible with all current Windows versions from Windows Vista SP1 to Windows 10 (including server editions) and doesn't require frequent updates;

-supports 32-bit and 64-bit Windows versions;

-protects from zero-day attacks, exploits and malware including previously unknown threats;

-is completely autonomous and doesn't require Internet access;

-includes initial database of rules which includes more than 400 applications, the database is regulary updated;

-includes our unique DeployHelper technology which helps to install software straight into isolated environment.

83

Developers' Blog / [BUG] Intel graphics card drivers crash

« Last post by fixer on June 18, 2018, 01:58:03 pm »

Once upon a time there was a Control Flow Guard in Windows. It's supposed to protect from exploits by filtering indirect calls by building a map of locations allowed to be called. Upon each such call address being called is compared against the map. If the address isn't in the map, it's considered a protection violation and the process is terminated. But later this protection was updated. Some dangerous functions like GetProcAddress were added as forbidden call addresses.

And it turns out Intel graphics driver namely ig9icd64.dll library doesn't cope well with this protection. It passes the initial release of this protection, but later tries to call GetProcAddress indirectly and triggers updated protection version alarm. Once alarm is triggered the process is terminated.

So ReHIPS has nothing to do with this, it's a conflict of Intel drivers and latest Windows protection mechanisms. Maybe these drivers are already updated and it's possible to solve this issue by update. In the case I was researching it was enough to simply uninstall the drivers as Windows built-in drivers work good enough without being subjected to the issue.

84

ReHIPS / Re: Isolated environment enabling of own accord

« Last post by fixer on June 14, 2018, 10:00:02 pm »

Hello, Andy.

Welcome to our forum and thank you for your interest in our product.

I think it happens because sometimes ReHIPS reinstalls its rules. It automatically reinstalls rules when it sees changes in Installed programs list. So it can install rules for newly installed programs. So rules for already existing programs like already installed Firefox may also be reinstalled. The best way to go is not to delete rules you don't like (like you don't want Firefox isolated), but instead switch them to the action you want. Just edit the rule and set Action to Allow instead of Allow in isolated environment.

85

ReHIPS / Isolated environment enabling of own accord

« Last post by asmetoma on June 14, 2018, 02:27:55 pm »

Hi all,

I have a problem whereby out of nowhere Firefox will open with a red border around it and an isolated enviroment created in the name 'Firefox'.
All this without me actually creating it?
If I remove the IE then all is well for a period of time then without warning it happens again?

Its not a major issue just slightly confusing. I use Chrome permanently isolated and Firefox not.
Anyone experienced this before or knows why this is happening?

Andy

86

Developers' Blog / [BUG] LoadUserProfile and ERROR_BADDB issue

« Last post by fixer on June 11, 2018, 12:52:46 pm »

Some time ago we faced a problem: ReHIPS fails to create isolated environments on one of test users' PCs showing "Failed to create user environment" error. When I started debugging it, it turned out it had nothing to do with ReHIPS, but it completely blocked creation of other users, so I decided to make a blogpost about it. So what went wrong?

After some debugging it turned out LoadUserProfile API for a newly created user failed with ERROR_BADDB. So what does this API do? It ensures that user profile is created and loaded. If the user has just been created, there is no profile for him, so it should be created. The profile is mostly created by copying settings from Default user (files and folders from C:\Users\Default). Among these files there is a ntuser.dat file. Registry resides in this file. Sometimes Windows may corrupt this file (maybe because of some update, maybe something else, not sure), and STATUS_REGISTRY_CORRUPT will be returned on an attempt to load this corrupted registry. This will fail user environment creation and hence ReHIPS inability to use isolated environment. While it's a Windows bug, ReHIPS may speed things up as it extensively uses user profiles. To solve this issue a valid ntuser.dat was copied from another PC.

87

Developers' Blog / [BUG] BitDefender and blue screen of death

« Last post by fixer on June 05, 2018, 10:34:51 am »

BitDefender may crash your operating system with a blue screen of death. It injects its own DLL into other processes and hooks some functions in user-mode using splicing. So when a process calls some function, this function is intercepted by BitDefender, and it inspects the call. There are some functions it doesn't like like CreateRemoteThread or WriteProcessMemory. When it sees calls it doesn't like, it communicates with its driver and terminates the target process (the one a thread is created in or the one memory of which is being written to) from the kernel with code STATUS_ACCESS_DENIED. If the target process is a critical system process, system crashes with a blue screen of death. If it's some other process, other glitches are possible, for example some visual glitches if the process terminated is a GUI process.

But the funny thing is this. If it tries to catch some malicious programs hooking this and that, they don't have problems with these hooks. It's quite easy and trivial to unhook them and no crash will happen. So these hooks are basically useless against malevolent software. But if you develop some good software and need these functions for some reason, you'll have problems. As either you have to face system crashes or you have to get involved into some kind of arms race where you try to bypass their hooks and protections. So it's a good idea to ask yourself "will I live in harmony with other inhabitants?" when such "protections" are implemented and don't try to act like you're the only one here and let any other crash and burn.

88

Developers' Blog / [Feature] Chromium and restricted token

« Last post by fixer on May 30, 2018, 02:09:27 pm »

Take care using restricted tokens (here I mean tokens created with CreateRestrictedToken API function with a non-empty list of RestrictedSids) for Chromium (and probably other Chromium-based browsers). Chromium extensively uses restricted tokens itself for security purposes creating restricted processes. It creates tokens using CreateRestrictedToken API function. But there is a catch. If you try to further restrict an already restricted token, the list of restricting SIDs for the new token is the intersection of supplied list and the list of restricting SIDs for the existing token. If the resulting list of restricting SIDs turns out to be empty, the function returns error causing Chromium to fail to create additional processes leading to empty tabs. So take care and keep in mind that Chromium uses WinRestrictedCodeSid and NULL SID for its restricted tokens. Though personally I don't think it's a good idea to use restricted tokens for Chromium at all as adding these SIDs is clearly a workaround that will stop working anytime they decide to add some additional SID.

89

Developers' Blog / [Coding] Maximized window

« Last post by fixer on May 24, 2018, 12:46:55 am »

There are 2 types of fullscreen windows. The ones that are work-area fullscreen and the ones that are monitor-area fullscreen. Work-area is basically the monitor-area without additional bars (taskbar by default, but it's possible to register more). Windows of the first type take all of the work-area up when maximized, this is default for most applications like notepad, explorer, etc. Windows of the second type take all of the monitor-area up when maximized, this is used by fullscreen applications like games, video players, etc.

When you write an application, you expect it to occupy work-area only when you have it maximized. But it's not always the case. If your window has no caption or no maximize button (I mean window styles here), monitor-area will be assigned by Windows. That's a feature. To override this behavior handle WM_GETMINMAXINFO and limit max size and position getting needed values from GetMonitorInfo API.

90

Developers' Blog / [BUG] Ctrl+Esc and different desktops

« Last post by fixer on May 17, 2018, 09:34:26 am »

As you probably know you can open Start menu with not just pressing Win button on your keyboard, but also with Ctrl+Esc shortcut. They both send WM_SYSCOMMAND with SC_TASKLIST parameter. But Ctrl+Esc is a shortcut, so when undocumented SetShellWindow API function is called to tell Windows that it's the shell, RegisterHotKey registers that shortcut for shell window. And if you have several desktops (I don't mean ReHIPS isolated desktops here, any desktops, e.g. Desktops program from former Sysinternals creates several desktops), you won't observe the same behavior on other than main desktops.

The problem is SetShellWindow should be called for every desktop as it works desktop-wise. But RegisterHotKey works system-wise. So only the first shell will be able to register the shortcut successfully, all subsequent calls from other shells will fail, so the first shell'll be the only one to receive shortcut notifications.