Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM


aDVll

Quote from: HJLBX on September 22, 2016, 03:33:27 AM
Quote from: aDVll on September 21, 2016, 02:58:50 PM
@HJLBX
It blocks access to other processes which don't run inside the isolated environment, so as a result nothing can affect the processes outside of it. This is my understanding from his above reply.

In that case then, the HIPS module itself does not block anything other than execution... that's the specific question that was asked at MT.
I think ReHIPS only monitors execution and hash changes of the whitelisted/blocked files. All the other protections are a result of running the program isolated as another user without access to the rest of the system. Let's wait for fixer to confirm though, because I might be totally wrong.

fixer

ReHIPS itself monitors mostly process execution and some related stuff (like hashes of files being executed, parent-child relation, process command line). Additional monitoring includes file system and registry access to block some locations. When programs are executed in isolation, most of the security is handled by the certified Windows security subsystem.
So processes inside one isolated environment are free to do as they please, inject in other processes running in the same isolated environment, etc. But only inside this isolated environment. Processes in other isolated environments or non-isolated processes, including system processes are safe.
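The boundary fixer describes above (isolated programs run under a separate account, and only processes under that same account are reachable from inside) can be checked from the outside with the same attributes ReHIPS itself watches. The script below is an added example, not ReHIPS code: it inventories every running process with its owning account, parent, command line and SHA256 of the image, and then flags any non-isolated process whose parent is isolated, which is exactly the kind of child that should not exist if the environment holds. It assumes the isolated account name starts with "ReHIPSUser" (the thread only names the profile, so treat the prefix as a setting to adjust) and should be run from an elevated prompt so that all processes can be opened.

```powershell
# Added example, not part of ReHIPS. Inventory processes with the attributes
# fixer lists (image hash, parent-child relation, command line) plus owning
# account, then check the isolation boundary from the outside.
# ASSUMPTION: accounts of isolated environments are named 'ReHIPSUser*'.
$isolatedAccountPrefix = 'ReHIPSUser'   # assumption; adjust to your install

$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$inventory = foreach ($p in $procs) {
    # GetOwner returns the Domain and User the process runs under
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    $account = if ($owner -and $owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }

    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    # Hash of the executed image, as ReHIPS tracks for whitelisted/blocked files
    $hash = $null
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $hash = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        PID         = [int]$p.ProcessId
        Name        = $p.Name
        Account     = $account
        Isolated    = [bool]($account -match ('\\' + [regex]::Escape($isolatedAccountPrefix)))
        ParentPID   = [int]$p.ParentProcessId
        Parent      = $parentName
        SHA256      = $hash
        CommandLine = $p.CommandLine
    }
}

# Isolated processes first, so the contents of each environment are easy to read
$inventory | Sort-Object Isolated -Descending |
    Format-Table PID, Name, Account, Isolated, ParentPID, Parent -AutoSize

# Boundary check: a process running outside any isolated environment whose
# parent is isolated means something left the environment. fixer's description
# says this must not happen, so every hit deserves a look.
foreach ($row in ($inventory | Where-Object { -not $_.Isolated })) {
    $parent = $inventory | Where-Object { $_.PID -eq $row.ParentPID }
    if ($parent -and $parent.Isolated) {
        Write-Warning ("{0} (PID {1}) runs as {2} but its parent {3} (PID {4}) is isolated as {5}" -f
            $row.Name, $row.PID, $row.Account, $parent.Name, $parent.PID, $parent.Account)
    }
}
```

Process creation is what ReHIPS watches, so this only confirms the state after the fact; a parent that has already exited shows up as `<exited>` and cannot be classified, which is a gap of the snapshot approach rather than of the sandbox.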

HJLBX

Quote from: fixer on September 23, 2016, 12:59:33 PM
ReHIPS itself monitors mostly process execution and some related stuff (like hashes of files being executed, parent-child relation, process command line). Additional monitoring includes file system and registry access to block some locations. When programs are executed in isolation, most of the security is handled by the certified Windows security subsystem.
So processes inside one isolated environment are free to do as they please, inject in other processes running in the same isolated environment, etc. But only inside this isolated environment. Processes in other isolated environments or non-isolated processes, including system processes are safe.

This is exactly how I understood it.

Umbra

It was expected; ReHIPS is a sandbox + HIPS, not a HIPS with a sandbox ^^

HJLBX

Have you been able to figure out a way to:

1.  auto-delete the ReHIPSUser profile upon closing all programs run isolated in ReHIPS
2.  auto-generate the clean, base-line ReHIPSUser profile after Step 1 above

?

fixer

You can manually remove the isolated environment and then reinstall the rules. It requires the desired program to be in the rules database, but it shouldn't be a problem with RulesManager.
And we've got a checkbox on our TODO list to do it automatically: recreate the isolated environment upon isolated program termination.

HJLBX

Quote from: fixer on September 25, 2016, 09:06:29 PM
You can manually remove the isolated environment and then reinstall the rules. It requires the desired program to be in the rules database, but it shouldn't be a problem with RulesManager.
And we've got a checkbox on our TODO list to do it automatically: recreate the isolated environment upon isolated program termination.

I was wondering if the ReHIPSUser profile could be re-created with any prior user tweaks fully intact.  Technically, I don't know if that is possible and potentially a stumbling block.  That's why I asked.

At least at a basic level, it appears to me that it is possible - if there is an isolated environment "configuration" file - something along the lines of a configuration *.ini or *.xml file - associated with the isolated environment and not deleted when ReHIPSUser is deleted.

Umbra

Quote from: HJLBX on September 26, 2016, 12:35:36 AM
Quote from: fixer on September 25, 2016, 09:06:29 PM
You can manually remove the isolated environment and then reinstall the rules. It requires the desired program to be in the rules database, but it shouldn't be a problem with RulesManager.
And we've got a checkbox on our TODO list to do it automatically: recreate the isolated environment upon isolated program termination.

I was wondering if the ReHIPSUser profile could be re-created with any prior user tweaks fully intact.  Technically, I don't know if that is possible and potentially a stumbling block.  That's why I asked.

At least at a basic level, it appears to me that it is possible - if there is an isolated environment "configuration" file - something along the lines of a configuration *.ini or *.xml file - associated with the isolated environment and not deleted when ReHIPSUser is deleted.

In fact, the automatic deletion of the IE's content (aka IE reset) is important. There should be an option/checkbox that allows the IE to be recreated "as new" without user intervention. Without it, it is quite risky in terms of privacy/security.

I know that rules can be reinstalled, so why not an option that saves and reinstalls the IE? Maybe it is technically difficult, I don't know, I'm not a developer ^^

aDVll

Quote from: HJLBX on September 26, 2016, 12:35:36 AM
Quote from: fixer on September 25, 2016, 09:06:29 PM
You can manually remove the isolated environment and then reinstall the rules. It requires the desired program to be in the rules database, but it shouldn't be a problem with RulesManager.
And we've got a checkbox on our TODO list to do it automatically: recreate the isolated environment upon isolated program termination.

I was wondering if the ReHIPSUser profile could be re-created with any prior user tweaks fully intact.  Technically, I don't know if that is possible and potentially a stumbling block.  That's why I asked.

At least at a basic level, it appears to me that it is possible - if there is an isolated environment "configuration" file - something along the lines of a configuration *.ini or *.xml file - associated with the isolated environment and not deleted when ReHIPSUser is deleted.
If you use the application without isolation for a while until it's fixed as you like it, then when you isolate it and ReHIPS copies everything, it will be perfect on every isolated environment creation. Minus things that can't be copied, like browser cookies, Outlook emails and in general anything associated with the user account.

fixer

Isolated environment recreation is basically deletion and reinstallation from rules. Why completely delete? It may be compromised in any way, so it may be dangerous to keep some objects from the old isolated environment. Why reinstallation from rules? Firstly, because these rules can be user-tweaked to suit any needs. And secondly, there are so-called Special Objects (folders and registry keys) in RulesManager. They're processed when rules are being installed. But the ReHIPS database doesn't have any information about these folders. So isolated environment recreation involves the rules database.
It will be implemented as a checkbox in program settings. When all instances of the program with this option set are terminated, isolated environment will be recreated.

Umbra

Quote from: fixer on September 26, 2016, 01:55:43 PM
It will be implemented as a checkbox in program settings. When all instances of the program with this option set are terminated, isolated environment will be recreated.
Exactly what I want! ;)

HJLBX

Quote from: fixer on September 26, 2016, 01:55:43 PM
Isolated environment recreation is basically deletion and reinstallation from rules. Why completely delete? It may be compromised in any way, so it may be dangerous to keep some objects from the old isolated environment. Why reinstallation from rules? Firstly, because these rules can be user-tweaked to suit any needs. And secondly, there are so-called Special Objects (folders and registry keys) in RulesManager. They're processed when rules are being installed. But the ReHIPS database doesn't have any information about these folders. So isolated environment recreation involves the rules database.
It will be implemented as a checkbox in program settings. When all instances of the program with this option set are terminated, isolated environment will be recreated.

OK, I get it.

Raheel99

After installation I got "Failed to open service link". I am using Comodo Firewall with a custom rule, and Network was disabled. After getting this message, I temporarily disabled the firewall, after which ReHIPS started from the desktop icon without any problem.
For rechecking I quit ReHIPS, enabled the firewall and got the same message again.



fixer

ReHIPS uses sockets to communicate with its service. The socket is open for local connections only. But it looks like for some reason Comodo blocks it.

Raheel99

Quote from: fixer on September 27, 2016, 05:03:36 PM
ReHIPS uses sockets to communicate with its service. Socket is open for local connections only. But looks like for some reason comodo blocks it.

That is the reason that HIPServices32.exe and HIPGui32.exe are showing a TCP ESTABLISHED connection to 127.0.0.1.
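The practical question behind fixer's reply and Raheel99's observation is whether that GUI-to-service socket really is confined to loopback, because a service listening on 0.0.0.0 would be reachable from the network and a host firewall rule written for "no network" would be right to object. The script below is an added example, not ReHIPS code: it lists every TCP endpoint owned by the two binaries named in the thread and flags any listener or connection whose addresses are not 127.0.0.0/8 or ::1. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt so that owning PIDs of service processes are visible; the image names are taken from Raheel99's post.

```powershell
# Added example, not part of ReHIPS. Verify that the ReHIPS GUI<->service
# channel is loopback-only, as fixer states. Image names come from the thread.
# ASSUMPTION: Get-NetTCPConnection is available (Windows 8 / Server 2012+).
$rehipsImages = @('HIPServices32.exe', 'HIPGui32.exe')

function Test-LoopbackAddress {
    param([string]$Address)
    # IPv4 127.0.0.0/8 or IPv6 ::1. Wildcard binds (0.0.0.0, ::) are NOT
    # loopback: they accept connections from every interface.
    return ($Address -like '127.*') -or ($Address -eq '::1')
}

# Get-Process reports ProcessName without the .exe extension
$pidsOfInterest = @(Get-Process |
    Where-Object { $rehipsImages -contains ($_.ProcessName + '.exe') } |
    Select-Object -ExpandProperty Id)

if ($pidsOfInterest.Count -eq 0) {
    Write-Host 'No ReHIPS processes are running; start the GUI first.'
    return
}

$conns = Get-NetTCPConnection | Where-Object { $pidsOfInterest -contains [int]$_.OwningProcess }

$report = foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    # A listener only has a meaningful local address; an established
    # connection must be loopback on both ends.
    $ok = if ($c.State -eq 'Listen') {
        Test-LoopbackAddress $c.LocalAddress
    } else {
        (Test-LoopbackAddress $c.LocalAddress) -and (Test-LoopbackAddress $c.RemoteAddress)
    }
    [pscustomobject]@{
        Process    = if ($proc) { $proc.ProcessName } else { "PID $($c.OwningProcess)" }
        Local      = "$($c.LocalAddress):$($c.LocalPort)"
        Remote     = "$($c.RemoteAddress):$($c.RemotePort)"
        State      = $c.State
        LoopbackOK = $ok
    }
}

$report | Format-Table -AutoSize

$exposed = @($report | Where-Object { -not $_.LoopbackOK })
if ($exposed.Count -gt 0) {
    Write-Warning 'ReHIPS endpoint(s) not confined to loopback:'
    $exposed | Format-Table -AutoSize
} else {
    Write-Host 'All ReHIPS TCP endpoints are confined to 127.0.0.1 / ::1.'
}
```

If every row shows LoopbackOK as True and Comodo still breaks the "service link", the fix is on the firewall side: a per-application rule for HIPServices32.exe and HIPGui32.exe that permits traffic to and from 127.0.0.1, rather than disabling the firewall as a workaround.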