ReHIPS and Shadow Defender now compatible

Started by Mr.X, June 13, 2016, 03:54:42 PM


Mr.X

Good news!

After mailing Tony from Shadow Defender and pointing him to the HWiD issue, he finally managed to solve it with a new version. At least on my machine (Win8.1 x64) testing for 35 min. Therefore I believe this topic deserves a separate thread due to the importance of Shadow Defender, well at least for me.

Here's the new version if you want to test:
http://www.shadowdefender.com/download/SD1.4.0.635_Setup.exe


Mr.X

It's been 60 min. since I installed Shadow Defender and ReHIPS hasn't unregistered itself at all. Good.

However, when I enter shadow mode I get some blocks by ReHIPS I want to share with you all, mostly conhost.exe, mountvol.exe, WerFault.exe, dllhost.exe with different PIDs:


13-Jun-16 7:33:21 AM: Connected to Local Server
13-Jun-16 7:33:21 AM: Expert Mode activated
13-Jun-16 7:33:26 AM: Program C:\Windows\System32\svchost.exe with PID 352 executing program C:\Windows\System32\taskhost.exe with PID 4420 - allowed with children inspection
13-Jun-16 7:33:26 AM: Program C:\Windows\System32\taskhost.exe with PID 4420 execution - allowed
13-Jun-16 7:33:26 AM: Program C:\Windows\System32\taskhost.exe with PID 4420 terminated
13-Jun-16 7:33:26 AM: Program C:\Windows\System32\svchost.exe with PID 352 executing program C:\Windows\System32\taskhost.exe with PID 4468 - allowed with children inspection
13-Jun-16 7:33:26 AM: Program C:\Windows\System32\taskhost.exe with PID 4468 execution - allowed
13-Jun-16 7:33:26 AM: Program C:\Windows\System32\taskhost.exe with PID 4468 terminated
13-Jun-16 7:33:33 AM: Program C:\Windows\System32\mobsync.exe with PID 4316 terminated
13-Jun-16 7:33:33 AM: Program C:\Windows\System32\userinit.exe with PID 2084 terminated
13-Jun-16 7:33:40 AM: Program C:\Program Files\Shadow Defender\Service.exe with PID 1160 terminated
13-Jun-16 7:33:47 AM: Program C:\Windows\System32\sppsvc.exe with PID 3960 terminated
13-Jun-16 7:34:42 AM: Program C:\Windows\System32\wbem\WmiPrvSE.exe with PID 2348 terminated
13-Jun-16 7:35:10 AM: Program C:\Windows\System32\svchost.exe with PID 732 executing program C:\Windows\System32\dllhost.exe with PID 4140 - allowed with children inspection
13-Jun-16 7:35:10 AM: Program C:\Windows\System32\dllhost.exe with PID 4140 execution - allowed
13-Jun-16 7:35:12 AM: Program C:\Windows\System32\services.exe with PID 644 executing program C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe with PID 4280 - allowed
13-Jun-16 7:35:12 AM: Program C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe with PID 4280 terminated
13-Jun-16 7:35:12 AM: Program C:\Windows\System32\services.exe with PID 644 executing program C:\Program Files (x86)\Google\Update\GoogleUpdate.exe with PID 4348 - allowed
13-Jun-16 7:35:12 AM: Program C:\Program Files (x86)\Google\Update\GoogleUpdate.exe with PID 4348 terminated
13-Jun-16 7:35:12 AM: Program C:\Windows\System32\SearchProtocolHost.exe with PID 3784 terminated
13-Jun-16 7:35:12 AM: Program C:\Windows\System32\SearchFilterHost.exe with PID 3824 terminated
13-Jun-16 7:35:12 AM: Program C:\Windows\System32\services.exe with PID 644 executing program C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe with PID 2768 - allowed
13-Jun-16 7:35:12 AM: Program C:\Windows\System32\svchost.exe with PID 732 executing program C:\Windows\System32\wbem\WmiPrvSE.exe with PID 4472 - allowed with children inspection
13-Jun-16 7:35:12 AM: Program C:\Windows\System32\wbem\WmiPrvSE.exe with PID 4472 execution - allowed
13-Jun-16 7:35:12 AM: Program C:\Windows\System32\services.exe with PID 644 executing program C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe with PID 4516 - allowed
13-Jun-16 7:35:12 AM: Program C:\Windows\System32\services.exe with PID 644 executing program C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe with PID 4544 - allowed
13-Jun-16 7:35:14 AM: Program C:\Windows\System32\services.exe with PID 644 executing program C:\Windows\System32\sppsvc.exe with PID 4576 - allowed
13-Jun-16 7:35:15 AM: Program C:\Windows\System32\dllhost.exe with PID 4140 terminated
13-Jun-16 7:35:15 AM: Program C:\Windows\System32\svchost.exe with PID 732 executing program C:\Windows\System32\dllhost.exe with PID 4672 - allowed with children inspection
13-Jun-16 7:35:15 AM: Program C:\Windows\System32\dllhost.exe with PID 4672 execution - allowed
13-Jun-16 7:35:17 AM: Program C:\Windows\System32\svchost.exe with PID 732 executing program C:\Windows\System32\rundll32.exe with PID 4712 - allowed with children inspection
13-Jun-16 7:35:17 AM: Program C:\Windows\System32\rundll32.exe with PID 4712 execution - allowed
13-Jun-16 7:35:17 AM: Sub-Program C:\Windows\System32\rundll32.exe with PID 4712 and command line C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding - allowed
13-Jun-16 7:35:17 AM: Program C:\Windows\System32\rundll32.exe with PID 4712 terminated
13-Jun-16 7:35:21 AM: Program C:\Windows\System32\dllhost.exe with PID 4672 terminated
13-Jun-16 7:35:25 AM: Program C:\Program Files\Shadow Defender\DefenderDaemon.exe with PID 3552 executing program C:\Program Files\Shadow Defender\Defender.exe with PID 2012 - allowed
13-Jun-16 7:35:25 AM: Program C:\Program Files\Shadow Defender\Defender.exe with PID 2012 terminated
13-Jun-16 7:35:26 AM: Program C:\Windows\System32\svchost.exe with PID 352 executing program C:\Windows\System32\consent.exe with PID 2216 - allowed with children inspection
13-Jun-16 7:35:26 AM: Program C:\Windows\System32\consent.exe with PID 2216 execution - allowed
13-Jun-16 7:35:26 AM: Program C:\Windows\System32\svchost.exe with PID 732 executing program C:\Windows\System32\dllhost.exe with PID 3000 - allowed with children inspection
13-Jun-16 7:35:26 AM: Program C:\Windows\System32\dllhost.exe with PID 3000 execution - allowed
13-Jun-16 7:35:26 AM: Program C:\Windows\System32\consent.exe with PID 2216 terminated
13-Jun-16 7:35:26 AM: Program C:\Windows\System32\svchost.exe with PID 732 executing program C:\Windows\System32\dllhost.exe with PID 3172 - allowed with children inspection
13-Jun-16 7:35:26 AM: Program C:\Windows\System32\dllhost.exe with PID 3172 execution - allowed
13-Jun-16 7:35:26 AM: Program C:\Program Files\Shadow Defender\DefenderDaemon.exe with PID 3552 executing program C:\Program Files\Shadow Defender\Defender.exe with PID 848 - allowed
13-Jun-16 7:35:26 AM: Program C:\Program Files\Shadow Defender\Defender.exe with PID 848 executing program C:\Program Files\Shadow Defender\DefenderDaemon.exe with PID 2460 - allowed
13-Jun-16 7:35:26 AM: Program C:\Program Files\Shadow Defender\DefenderDaemon.exe with PID 2460 terminated
13-Jun-16 7:35:28 AM: Program C:\Windows\System32\svchost.exe with PID 732 executing program C:\Windows\System32\wbem\WmiPrvSE.exe with PID 2572 - allowed with children inspection
13-Jun-16 7:35:29 AM: Program C:\Windows\System32\wbem\WmiPrvSE.exe with PID 2572 execution - allowed
13-Jun-16 7:35:29 AM: Program C:\Windows\System32\SearchIndexer.exe with PID 3288 executing program C:\Windows\System32\SearchProtocolHost.exe with PID 832 - allowed
13-Jun-16 7:35:29 AM: Program C:\Windows\System32\SearchIndexer.exe with PID 3288 executing program C:\Windows\System32\SearchFilterHost.exe with PID 3312 - allowed
13-Jun-16 7:35:29 AM: Program C:\Program Files\Shadow Defender\Defender.exe with PID 848 executing program C:\Windows\System32\mountvol.exe with PID 2276 - allowed
13-Jun-16 7:35:29 AM: Program C:\Windows\System32\mountvol.exe with PID 2276 executing program C:\Windows\System32\conhost.exe with PID 3756 - blocked
13-Jun-16 7:35:29 AM: Program C:\Windows\System32\conhost.exe with PID 3756 terminated
13-Jun-16 7:35:29 AM: Program C:\Windows\System32\services.exe with PID 644 executing program C:\Windows\System32\svchost.exe with PID 1276 - allowed
13-Jun-16 7:35:29 AM: Program C:\Windows\System32\mountvol.exe with PID 2276 executing program C:\Windows\System32\WerFault.exe with PID 2288 - blocked
13-Jun-16 7:35:29 AM: Program C:\Windows\System32\WerFault.exe with PID 2288 terminated
13-Jun-16 7:35:29 AM: Program C:\Windows\System32\mountvol.exe with PID 2276 terminated
13-Jun-16 7:35:29 AM: Program C:\Program Files\Shadow Defender\Defender.exe with PID 848 executing program C:\Windows\System32\mountvol.exe with PID 2556 - allowed
13-Jun-16 7:35:30 AM: Program C:\Windows\System32\mountvol.exe with PID 2556 executing program C:\Windows\System32\conhost.exe with PID 1560 - blocked
13-Jun-16 7:35:30 AM: Program C:\Windows\System32\conhost.exe with PID 1560 terminated
13-Jun-16 7:35:30 AM: Program C:\Windows\System32\mountvol.exe with PID 2556 executing program C:\Windows\System32\WerFault.exe with PID 2752 - blocked
13-Jun-16 7:35:30 AM: Program C:\Windows\System32\WerFault.exe with PID 2752 terminated
13-Jun-16 7:35:30 AM: Program C:\Windows\System32\mountvol.exe with PID 2556 terminated
13-Jun-16 7:35:31 AM: Program C:\Windows\System32\dllhost.exe with PID 3000 terminated
13-Jun-16 7:35:31 AM: Program C:\Windows\System32\dllhost.exe with PID 3172 terminated
13-Jun-16 7:35:44 AM: Program C:\Windows\System32\sppsvc.exe with PID 4576 terminated

Noverco

I am hoping to install and test ReHIPS soon, so it is great news that Shadow Defender is compatible with ReHIPS. You posting this information is very helpful to Shadow Defender users!!

fixer

It's good to know that some people take reports seriously and fix issues quite fast.

Quote from: Mr.X on June 13, 2016, 04:05:37 PM
However when I enter shadow mode I get some blocks by ReHIPS I want to share with you all, mostly conhost.exe, mountvol.exe, WerFault.exe, dllhost.exe with different PIDs:
Fixed.

Mr.X

Quote from: fixer on June 13, 2016, 07:54:33 PM
Quote from: Mr.X on June 13, 2016, 04:05:37 PM
However when I enter shadow mode I get some blocks by ReHIPS I want to share with you all, mostly conhost.exe, mountvol.exe, WerFault.exe, dllhost.exe with different PIDs:
Fixed.
Thanks a lot @fixer.

Mr.X

What paths and/or files do I need to add to exclusions in Shadow Defender in order to preserve new rules or their modifications?

fixer

ReHIPS settings reside in settings.xml, and the database is in ReHIPS.xml, both in the ReHIPS installation directory, by default in Program Files\ReCrypt\ReHIPS. ReHIPS user profile folders are in Users\ReHIPSUser<X>. The ReHIPS shared folder is ReHIPS on the system disk. But there may also be some implicit registry or file entries regarding ReHIPS users. That's undocumented and up to Windows, and may even change from version to version.