Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM


Ozone

Quote from: fixer on May 24, 2017, 04:59:54 PM
Ozone, don't worry, we've got this issue in our TODO list to fix it. But it'll be in the next release, not 2.2.0.

I don't mind, I was just testing something

but I have some issues with latest ReHIPS

I had reinstalled ReHIPS (deleted settings and all ReHIPS folders except C:\ReHIPS) but now all files in C:\ReHIPS\Office can't be opened by isolated programs; in the Security tab of the files there is an unknown ID (previous ReHIPS ID)

fortunately moving files around will remove/reset this unknown ID and allow me open these files

also C:\ReHIPS folder has not changed icon

another issue is that HIPSService64.exe and HIPSAgent64.exe in latest ReHIPS always use 1-2% even though I do nothing


 


fixer

Umbra, we'll add something like active/inactive rule, we've got it in our TODO list.

Ozone, thanks for your report, we'll check these issues.
Regarding 1-2% CPU load, that's possible, even if you don't do anything visible, sometimes processes start and die somewhere out there, sometimes they read and write files, load should be minimal, but Service needs to check if it's not isolated processes. I'll take a look at possible bottlenecks to lighten the load.

Ozone

I have rehips log opened and nothing appears, but it's new reinstall so I will wait some time and see if this issue disappear

Umbra

Quote from: fixer on May 24, 2017, 08:33:51 PM
Umbra, we'll add something like active/inactive rule, we've got it in our TODO list.

Good! It will be useful because, while reinstalling rules, I could launch Chrome non-isolated... which was surprising until I realized rules were reinstalled.

Ozone

after some testing it seems that HIPSAgent64.exe CPU usage is related to IE – isolation border and renamed window

in previous version I didn't have this problem

Ozone

just cosmetic, but could you add in windows with "File Hashes" that you're using SHA512, something like this: "File Hashes (SHA512)"

could you add a timestamp for when a file was added in ReHIPS (rules) and an option to open file location from the ReHIPS setting window

also it is possible to edit initial rulespack

btw
will you solve the problem with google safe browsing, it's really annoying


fixer

OK, we'll add SHA512 marker.

Open file location button is already planned. Timestamp... hmmm, what's the use-case for this feature?

Initial rulespack is already completely editable, I'll announce RulesManager separately in a couple of days I think. It's really powerful, but not so nice and pretty and not so stable, that's why we haven't included it in a default build.

Google safe browsing - you mean that red window popping-up and scaring users that this site serves malware?
Ogh, it's a funny story actually. Well, "funny" also depends on your point of view. Anyway at first they didn't like ReHIPS setup. Have no idea why actually, it's served through https, certificate is OK, it's signed with a valid signature, no protectors, packers, whatsoever, no AV detections, compiler and installer are also standard and wide-spread. I decided it's not good and tried to fix it via google webmaster tools. Now the whole forum and site are banned as their crawler found links to the setup. I'm afraid to fix it further, maybe they'll ban the whole server :)
In other words we're working on it, but google is google. I never had any hard feelings towards it. But when you face this and don't have many options what to do and there is no adequate support, it's hard to remain unbiased.

shmu26

Quote from: Ozone on May 25, 2017, 08:51:35 PM
after some testing it seems that HIPSAgent64.exe CPU usage is related to IE – isolation border and renamed window

in previous version I didn't have this problem

I am on the 2.2.0 public release, and for the first couple minutes after startup, I see CPU usage of about 30% for HIPSAgent64.exe. This causes a very significant delay in the launching of isolated apps, until the CPU finally goes down.
It doesn't seem to matter whether or not I enable isolation border and renamed window.

Windows 10 x64 CU
Windows Defender
NVT ERP


fixer

I can't reproduce this issue with CPU-eating-on-startup Agent, but I'll try to solve it in PM.

fixer

Looks like Google came to its senses and the Google Safe Browsing issue is solved.

aDVll

Quote from: shmu26 on June 06, 2017, 10:15:32 PM
Quote from: Ozone on May 25, 2017, 08:51:35 PM
after some testing it seems that HIPSAgent64.exe CPU usage is related to IE – isolation border and renamed window

in previous version I didn't have this problem

I am on the 2.2.0 public release, and for the first couple minutes after startup, I see CPU usage of about 30% for HIPSAgent64.exe. This causes a very significant delay in the launching of isolated apps, until the CPU finally goes down.
It doesn't seem to matter whether or not I enable isolation border and renamed window.

Windows 10 x64 CU
Windows Defender
NVT ERP

You sure it matters if you launch something isolated? Try not launching anything and see if CPU load drops. If it actually drops how long did it take and when you launch what does it happen? Also if you don't mind, to compare with my test, what CPU model do you have?
I personally see a high CPU load for the first few seconds the system boots (10-20s).

Also, something else to consider: do you use lockdown mode, and if yes, in what setting?

Ozone

Quote from: fixer on June 06, 2017, 10:11:14 PM
OK, we'll add SHA512 marker.

Open file location button is already planned. Timestamp... hmmm, what's the use-case for this feature?

Initial rulespack is already completely editable, I'll announce RulesManager separately in a couple of days I think. It's really powerful, but not so nice and pretty and not so stable, that's why we haven't included it in a default build.

Google safe browsing - you mean that red window popping-up and scaring users that this site serves malware?
Ogh, it's a funny story actually. Well, "funny" also depends on your point of view. Anyway at first they didn't like ReHIPS setup. Have no idea why actually, it's served through https, certificate is OK, it's signed with a valid signature, no protectors, packers, whatsoever, no AV detections, compiler and installer are also standard and wide-spread. I decided it's not good and tried to fix it via google webmaster tools. Now the whole forum and site are banned as their crawler found links to the setup. I'm afraid to fix it further, maybe they'll ban the whole server :)
In other words we're working on it, but google is google. I never had any hard feelings towards it. But when you face this and don't have many options what to do and there is no adequate support, it's hard to remain unbiased.

I should be more specific, I mean timestamps for file hashes (when hash was added), so it will be possible to figure out when file was modified because if "Ignore File Modification" is checked there is no warning. (unless you check "Program file modified – allowed")

CPU usage now is better, HIPSService64.exe is using around 0,2 %, so it's okay and only on Windows 7 HIPSAgent64.exe is using 1 % (on Windows 10 no problem at all).


crasher

Quote from: Ozone on June 09, 2017, 03:29:02 PM
I should be more specific, I mean timestamps for file hashes (when hash was added), so it will be possible to figure out when file was modified because if "Ignore File Modification" is checked there is no warning.

Thanks for your suggestion. We'll think about it. Maybe we will add additional info about files like version, etc.

Ozone

I was trying https://www.airlockdigital.com/application-whitelisting-auditor/ and after "hundreds" popups ReHIPS GUI crashed

additional info
I have only allowed program to launch, later (other) permissions were blocked
after crash I have run GUI again (ApplicationWhitelistAuditor.exe was still running) and after "hundreds" popups ReHIPS GUI again crashed
I was in shadow mode so no log




crasher

Quote from: Ozone on June 15, 2017, 03:39:00 PM
I was trying https://www.airlockdigital.com/application-whitelisting-auditor/ and after "hundreds" popups ReHIPS GUI crashed

additional info
I have only allowed program to launch, later (other) permissions were blocked
after crash I have run GUI again (ApplicationWhitelistAuditor.exe was still running) and after "hundreds" popups ReHIPS GUI again crashed
I was in shadow mode so no log

Thank you for your bug report. We'll try to reproduce this problem and fix it.