Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM

Previous topic - Next topic

fixer

Quote from: winuser on September 29, 2019, 02:26:45 PM
Anyway, the "ReHIPS FAQ" section of the forum is very informative! Why do you guys hide such interesting documentation inside a forum?  :( Why not ship it along with the software?
This part is constantly changing. Sometimes we add something new and write about it as we get questions about a new topic. Or some side topic is poorly covered in one of our previous blogposts and we expand it. Besides, something may be true for older versions and in a new version it gets improved. To avoid duplication and to keep it always up-to-date we recommend checking the forum instead of including it in the setup.

winuser

in case the following issues are already discussed/solved, please (if possible) point me to the right direction/topic.

1. There's a compatibility issue with VirtualBox, maybe due to VirtualBox's security precaution during its startup. ReHIPS uses DLL injection WITHOUT exceptions/whitelist in place (an option like "processes excluded from injection"). I think this is a case of Cobra Effect. Let's assume a user is unable to run VirtualBox because of this seemingly unnecessary feature (DLL injection), so he/she stops the ReHIPS Service (and maybe Driver), leaving the host system vulnerable. PLEASE at least provide users an option, perhaps something called "Enable Compatibility Mode", stopping user mode hooks and injections for a certain amount of time or, even better than that, an option to exclude certain files permanently.

2. Alt+F4 kills the main GUI process. It should be minimized to tray, right? The same thing happens if you close the GUI from the taskbar (just hover then press the tiny close button). Weird!

3. Under [setting >> log] there is a "sub-program - blocked" option that cannot be unchecked permanently. I don't mean to be rude, but why do you provide an option that cannot be disabled? This is very annoying and it makes users feel like you're ..... well, like I said, I don't mean to be rude  :)
Edit:
4. One more thing, please add a passive mode for testing purposes, in which ReHIPS does not block anything and only logs/notifies the user about events. This ensures system stability and is a safe way to test new rules too. "Disabled Mode" sure logs/notifies already but is not designed for testing.

fixer

Thank you for your feedback, it's really helpful. Let's see.

1. Could you please tell us more about it? What exactly goes wrong with VirtualBox? And what VirtualBox, Windows and ReHIPS versions do you use?

2. I agree, it should do the same as clicking the small X in the top right corner, will be fixed in the next release.

3. What do you mean it can't be unchecked? It's checked by default, I go and uncheck it, close settings, open again, not checked. Try to start a blocked subprogram, no pop-ups. Am I missing something?

4. ReHIPS Working Modes are described in this blogpost https://forum.rehips.com/index.php?topic=9539.0 Could you please describe Passive Mode, how you see it and how it should behave like other Modes are described in the blogpost?

winuser

Thanks for the reply, Sir
1. I have a notebook with Windows 7 x86 (fully patched), VirtualBox v5.2.32 and ReHIPS v2.4. I ran VirtualBox and waited for about 5 minutes; nothing happened on the screen (it normally takes about a few seconds for its GUI to load), so I had to kill its process in Task Manager. The protection was already disabled, so the first thing I tried was stopping both ReHIPSService and ReHIPSSrvc, and the problem was gone. I was not happy with that solution, so I started those services and this time I blocked DLL injection (I did that by another security software). The issue is kind of solved now, but may I ask you something: Is this injection necessary? (Seems to me it is not.) Could you please consider adding a whitelist option, as mentioned in my previous post?

2. Glad to hear that. Thanks.

3. Please disable the "sub-program - blocked" box, then restart the system. Obviously the same thing happens after killing ReHIPS's GUI, service and driver, then starting them all again. You'll see that the box cannot be disabled permanently in the 32-bit version. Not sure about 64-bit.

4. Suppose I have a rule to block/isolate notepad.exe . What I mean by Passive Mode is:
I run notepad >> Rehips blocks/isolates nothing >> notepad runs as usual >> Rehips logs/notifies me that notepad is blocked/isolated
In other words, If I have Standard Mode enabled then:
Passive Mode = Disabled Mode + Standard Mode logs and notifications
This would be great for those who want to check their rules before enabling Lockdown Mode.

ps: I was a Faronics-AntiExe user, Rehips beats it performance-wise, and it's free too at least by now  :) good job guys!

fixer

1. It's not about some protection. It hangs somewhere in the Windows kernel. Not sure why. Probably ReHIPS triggers some race condition, as the code deals with timers and ReHIPS doesn't affect them in any way. Will try to find a workaround.

3. Ooops, I guess you're right. Will be fixed in the next release.

4. Aha, I see what you mean. We'll definitely give it a thought, thanks for your suggestion. BTW, Lockdown Mode is mostly meant for fixed and closed environments like ATMs. I wouldn't recommend enabling it on a production PC with possibly changing environment unless you know what you're doing.

BTW, a blogpost about ReHIPS performance since you noticed it :) https://forum.rehips.com/index.php?topic=11868.0

Umbra

Quote from: winuser on October 03, 2019, 12:08:00 AM
4. Suppose I have a rule to block/isolate notepad.exe . What I mean by Passive Mode is:
I run notepad >> Rehips blocks/isolates nothing >> notepad runs as usual >> Rehips logs/notifies me that notepad is blocked/isolated
In other words, If I have Standard Mode enabled then:
Passive Mode = Disabled Mode + Standard Mode logs and notifications
This would be great for those who want to check their rules before enabling Lockdown Mode.
I +1 this, would be useful for me too since I create a heavy list of LOLBins block rules.

Quote
ps: I was a Faronics-AntiExe user, Rehips beats it performance-wise, and it's free too at least by now  :) good job guys!
Not really free, the demo (the free thingy) allows only 10 isolated processes, which nullifies the use of multi-process browsers.

kruts

Bitdefender - is ReHIPS compatible with Bitdefender? I installed ReHIPS and it installed successfully, but when I attempt to run a program in Isolation like excel.exe it does not work and the UI becomes unstable and I just have to close down ReHIPS. I didn't make any modification to Bitdefender like adding an exception or adding a certificate thumbprint of ReHIPS into Bitdefender, but I could try that when I go back to work.

Are there any known issues or does it work with bitdefender?

fixer

Hello, kruts. Thank you for your interest in ReHIPS and welcome to our forum.

There was at least one documented and researched issue, it's described here https://forum.rehips.com/index.php?topic=11168 In short, this was not ReHIPS's fault, but Bitdefender's funny way of acting.

winuser

Hi, two questions about Rehips isolation

1. Considering both Rehips and Windows with default settings:
Isolation is mostly based on OS built-in access management, right? So what if an isolated malware bypasses those restrictions? Remember the NotPetya malware?! That malware could bypass standard user account (SUA) restrictions with no UAC prompt and could gain administrative privilege. I just mentioned that malware as an example so you guys better understand what I mean here.
Imagine a malware (capable of bypassing SUA) running in Rehips isolated user account. Here is my question: What does Rehips do to prevent elevation of that malware? Does it have any mitigation technique to stop privilege escalation?


2. Should I change the following Group Policy setting:
"User Account Control: Behavior of the elevation prompt for standard users"
To:
"Automatically deny elevation requests" ?
Does it make ReHIPS isolation safer? Or am I just being paranoid?


I have to use an admin user account and that's why I use ReHIPS isolation in the first place. Any help would be greatly appreciated.

fixer

1. UAC is not a security boundary. In other words, it's for usability/foolproofing, not for real security. So it's bypassable and it may not even be considered a bug. ReHIPS on the other hand relies on security boundaries. And if they somehow are bypassed, it's considered a serious bug (usually with CVE) and will be patched by MS in a prioritized manner. And even successful exploits for unpatched OS sometimes get caught by ReHIPS trying to spawn additional processes. As an additional anti-elevation measure ReHIPS can block spawning elevated processes by isolated ones. To further tighten the security ReHIPS has second and third protection echelons, but they're for corporate environments.

2. Doesn't really matter. It'll be visible enough when an isolated program requests elevation. If you don't expect it to do so, just deny. It's more of a usability thing than security. Showing the prompt increases the number of questions the OS asks the user on one hand, but on the other hand it won't block something silently, leaving the user wondering why it doesn't work.

winuser

Alright, it makes sense. Thanks for the reply, I really appreciate it. I also wanted to report:
1. A serious bug:
When I run "MS Office PowerPoint 2016" in isolation, it works fine, but if I put it in slide show mode (F5) everything freezes, so I have to press Ctrl+Alt+Delete; only then do I realize ReHIPS has an alert in the background. It says powerpoint.exe is trying to run wisptis.exe. I have no idea why the alert window doesn't stay on top! OK, after allowing that (with the "allow only once" option), PowerPoint still remains hung!
Edit: I have modified the "default.rdb" database before installation (shrinking the list to Windows pre-installed apps only) and added Office apps to the isolated apps list later. Maybe the default "default.rdb" file allows the operation and such a problem never happens there, but still I wonder why the alert window doesn't show itself on top of other windows, causing the issue.
Edit-2: I tested this on another computer and everything works fine. Apparently there is a problem with this computer. I'm so sorry, please ignore this till I find out what is going on.
2. A few minor bugs:
A) When running full-screen applications (like a full-screen YouTube video in a browser), the isolation taskbar sometimes stays on top and sometimes it doesn't, and I'm not sure why.
Edit: I think I'm getting the hang of it. With a few clicks on the isolation taskbar and the isolated app/video, it hides. So probably not an issue here. Sorry.
B) In the Allowed section (tab) of the Rules Database, I cannot change the "ignore file modification" state of any of the programs listed. It always reverts back to the "checked" state no matter what! This is actually a cool feature and I think unchecking that option makes ReHIPS compare SHA-512 hashes. BTW, the option works fine with programs listed in the Isolated tab!
Edit: OK, it seems its behavior is dependent on the current protection mode. I'm a bit confused.
C) For some reason On-Screen Keyboard (osk.exe) cannot run in isolation! It's a Windows accessibility app and might be important for some users.

That said, your software is awesome  :)

ps: Don't you think the forum needs a "known issues" section, with descriptions and links to the original posts? Users (like me) could have a quick look at that post before reporting here.

fixer

1. Yup, by default ReHIPS shows alert in a top-level window. But if other top-level windows come into play, you can't make your window toppest of all in a nice way, there is a somewhat funny blogpost about it here https://devblogs.microsoft.com/oldnewthing/20110310-00/?p=11253 So yeah, sometimes alerts can be in the background.
Try to allow it in current session and see if it still keeps hanging. That's unexpected, ReHIPS doesn't do something messy, so everything should work.

2A. If there is any way to reproduce the issue, I'd be glad to look into it. As it's quite hard to troubleshoot without having the issue happening.

2B. Yup, that's a known bug, will be fixed.

2C. Should be working in the upcoming version.

P.S. There is a blogposts section which is already quite big. It covers Windows bugs that can affect ReHIPS. But current ReHIPS bugs aren't covered, you're right here. Hopefully there aren't that many of them and they should be fixed in the upcoming version.

winuser

Hi, I don't know whether it's an unexpected behavior or not:
Yesterday I disabled ReHIPS temporarily and installed a new antivirus. To test it, I opened Firefox normally (i.e. not isolated) and searched for the EICAR test file on Google, then I noticed ReHIPS's state and enabled it (Standard Mode) and went to the website (www.eicar.org I guess), but suddenly ReHIPS's alternate desktop popped up, causing Firefox to freeze with the following error:
The Instruction at 0x[SomeNumbersHere] referenced memory at 0x00000000. The memory could not be read. Click OK to terminate the program
Pressing the OK button didn't help, it popped up again and again, so I had to kill Firefox in Task Manager.
OS = Windows 7 x86
Rehips = Demo v2.4
Firefox = v74 set to run isolated in Rehips

fixer

Thank you for your report.
That's a hard thing to diagnose without having a way to reproduce it. Besides, it may have nothing to do with ReHIPS, e.g. the antivirus injected its DLL and something went wrong in it.
Is it reproducible? Any detailed step-by-step guide to reproduce it?
Thank you for your time.

winuser

Sir, not sure but I think this is what happens:

- Firefox (or maybe any other multi-process browser) is set to run isolated in Rehips
- I set Rehips to disabled mode
- I run Firefox. Since ReHIPS is disabled, Firefox will run as the real user (i.e. not isolated). It creates (let's say) six processes
- I set Rehips to standard mode
- I open some more tabs in Firefox, this makes Firefox create another process (now total of seven processes)
- Rehips is now enabled and tries to isolate that new "Firefox.exe" process. Rehips "separate desktop" pops up along with an error window (mentioned in the previous post)

I wonder if anybody else has noticed this. BTW, I'm not tech savvy, maybe you're right and it's all the AV's fault.

ps: Does Rehips check the state of the parent process before isolating its children? I mean if the parent is "firefox.exe" in the real user account, trying to run "firefox.exe", Rehips should be smart about it and show an alert to the user, something like:
" hey dude! you have a rule to isolate that browser, it's not isolated now and is trying to run multiple instance of itself, what would you like to do? "
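The two suggestions made in this thread, a Passive Mode that logs what Standard Mode would have enforced, and a check of the parent's state before isolating a child that the browser scenario above describes, modelled as an added toy example. This is not ReHIPS code; the mode names, the rule database, the `Proc` record and the sample Firefox process tree are all constructed for the illustration.

```python
from dataclasses import dataclass

ISOLATE, BLOCK, ALLOW = "isolate", "block", "allow"


@dataclass
class Proc:
    pid: int
    ppid: int
    exe: str
    isolated: bool  # True if it already runs in the isolated account


def rule_for(exe, rules):
    """Action the (constructed) rule database assigns to an executable."""
    return rules.get(exe.lower(), ALLOW)


def parent_mismatch(new_proc, procs, rules):
    """The case from the thread: the rule says 'isolate', but the parent is the
    same executable already running non-isolated (e.g. started while the mode
    was 'disabled'). Returns that parent, or None if everything is consistent."""
    parent = next((p for p in procs if p.pid == new_proc.ppid), None)
    if (parent is not None and parent.exe.lower() == new_proc.exe.lower()
            and rule_for(new_proc.exe, rules) == ISOLATE and not parent.isolated):
        return parent
    return None


def evaluate(new_proc, procs, rules, mode):
    """Decide what to do with a newly started process under a working mode.
    'enforce' is what is applied, 'log' is what Standard Mode would have done
    (so Passive Mode logs without enforcing), 'ask' is a parent to warn about."""
    wanted = rule_for(new_proc.exe, rules)
    if mode == "disabled":
        return {"enforce": ALLOW, "log": None, "ask": None}
    if mode == "passive":
        return {"enforce": ALLOW, "log": wanted, "ask": None}
    mismatch = parent_mismatch(new_proc, procs, rules)
    if mismatch is not None:  # defer to the user instead of isolating one child
        return {"enforce": None, "log": wanted, "ask": mismatch}
    return {"enforce": wanted, "log": wanted, "ask": None}


# Constructed sample data: Firefox was started while the mode was 'disabled',
# so its six processes run as the real user; pid 107 is the tab spawned after
# switching back to Standard Mode.
RULES = {"firefox.exe": ISOLATE, "notepad.exe": BLOCK}
PROCS = [Proc(100, 1, "firefox.exe", False)] + [
    Proc(100 + i, 100, "firefox.exe", False) for i in range(1, 6)]
NEW_TAB = Proc(107, 100, "firefox.exe", False)
```

Running `evaluate(NEW_TAB, PROCS, RULES, mode)` for the three modes shows Passive Mode logging "isolate" while allowing, and Standard Mode returning the non-isolated parent for a user decision instead of isolating only the new tab.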