First Impression (v1.1.0)

Started by Yuki, September 12, 2014, 04:01:14 PM

Previous topic - Next topic

Yuki

Hi, I'm Yuki.
Congrats for v1.2.0 :)
I wrongly assumed this product was abondoned because there's no update for blog nor forum for several months, but I'm glad to find I was wrong.
I found some possible issue when I used ReHIPS 1.1.0 and also have some suggestions so I write down them and I'll test 1.2.0 soon.

1. ReHIPS don't launch if one is using limited user account. I think ReHIPS require admin priviledge to work, but then please make UAC prompt rather than simply shutting down.

2. When I tried to launch Adobe Reader XI (Protection Mode, Protected View and Enhanced Protection are enabled), it showed error dialogue. Sorry I don't remember what it was, but it seemed that ReHIPS' pre-defined rule had some comflicts with AR's security mechanism and some configulation solved the issue.

3. 10 process limits for v1.1.0 beta makes using Chrome almost impossible as they spawn many processes, especially if --enable-strict-site-isolation switch is on.
Also, with default file access ristriction by ReHIPS, Norton Toolbar for chrome wasn't loaded.

4. As Windows_Security (aka Kees1958) suggested in Wilders Security Forum, detailed logs or preferably access violation pop-up is needed. Any good HIPS have such function which greatly increse usability and help a user to make custom rule set on least previledge principle. But I don't know it is even possible for ReHIPS because it don't use kernel hooks.

5.  Adding some templates for folder/file/registry access right will be good e.g. 'Startup Location', 'Vital System Files', 'Private Folders' etc. which user can select rather than individually make access restrictions for each process. This will help user to make access restriction rules much more easily. Those templates have to be predefined but still can be costomised.

BTW I have a question. If some 'Allow' rules for those file/folder/registry restriction are made, then access to all other location will be automatically blocked?

6. Admin Guide is very detailed and much educational. However I'll be appreciated if you can add more explanation for each priviledge. E.g. about WINSTA_ACCESSCLIPBOARD, it would be better explanation "If checked, a kind of malware called clipboard logger might steel credentials...bra bra bra" than simply saying "security impact is medium".

schelkunov

Hello, Yuki.
Thanks for your interest in our product. Don't worry about abandonware, we've got far-reaching designs and are  constantly working on new features and improvements :)

Quote1. ReHIPS don't launch if one is using limited user account. I think ReHIPS require admin priviledge to work, but then please make UAC prompt rather than simply shutting down.
Yes, administrator privileges are required to control ReHIPS. But from 1.2.0 it should explicitly say so, so this  should be already fixed.

Quote2. When I tried to launch Adobe Reader XI (Protection Mode, Protected View and Enhanced Protection are enabled), it showed error dialogue. Sorry I don't remember what it was, but it seemed that ReHIPS' pre-defined rule had some comflicts with AR's security mechanism and some configulation solved the issue.
Tried to reproduce this behavior on Adobe Reader 11.0.0. It was installed, Enable Protected Mode at startup was  checked, Protected View was set to All files, Enable Enhanced Security was checked. Then RulesPack was executed. Adobe  Reader then launched just fine. So I guess it was fixed in 1.2.0.

Quote3. 10 process limits for v1.1.0 beta makes using Chrome almost impossible as they spawn many processes, especially if --enable-strict-site-isolation switch is on.
Also, with default file access ristriction by ReHIPS, Norton Toolbar for chrome wasn't loaded.
The decision to limit 10 processes was debatable, we'll reconsider it. I've never used Norton Toolbar for chrome so  can't say anything right now but we'll look into it.

Quote4. As Windows_Security (aka Kees1958) suggested in Wilders Security Forum, detailed logs or preferably access violation pop-up is needed. Any good HIPS have such function which greatly increse usability and help a user to make custom rule set on least previledge principle. But I don't know it is even possible for ReHIPS because it don't use kernel hooks.
Yes, I understand, this feature would really be nice and helpful. But the problem is Windows grants and denies  access without calling any of our code, because no hooks are used. There are several possible solutions like setting  audit for some objects or using Process Monitor to determine objects of denied access. But these solutions are not very  convenient.

Quote5.  Adding some templates for folder/file/registry access right will be good e.g. 'Startup Location', 'Vital System Files', 'Private Folders' etc. which user can select rather than individually make access restrictions for each process. This will help user to make access restriction rules much more easily. Those templates have to be predefined but still can be costomised.

BTW I have a question. If some 'Allow' rules for those file/folder/registry restriction are made, then access to all other location will be automatically blocked?
As restricted processes are executed on behalf of a separate ReHIPS user they don't have any access to other users'  (including real user's) folders including 'Startup Location' or 'Private Folders' like Desktop. And they don't have  write access to 'Vital System Files' in Windows or Program Files folders. And truth to tell I don't think this access  should be granted manually. Actually practice shows that denying access to files/folders is used quite rare as most  locations are already secured by default if you follow Operation features and Recommendations from documentation  placing executable files in write-protected directories (in particular, Program Files) and data in user's home  directory (on the desktop, in «My documents» directory, etc.). Allowing access is used sometimes to specific folders  (e.g. Folder with docs for Word, these folders are created by RulesPack). So I don't see much use of adding 'Startup  Location' or 'Vital System Files' to the templates, but we'll think about it.
And answering your question, some locations are allowed or blocked by default according to default Windows access  control lists. Manual allowing or blocking allows or denies access only to the specified location without affecting  other locations.

Quote6. Admin Guide is very detailed and much educational. However I'll be appreciated if you can add more explanation for each priviledge. E.g. about WINSTA_ACCESSCLIPBOARD, it would be better explanation "If checked, a kind of malware called clipboard logger might steel credentials...bra bra bra" than simply saying "security impact is medium".
You're right, manuals were written mostly from security administrator point of view which sometimes be may be hard  to follow, we'll try to fix it.

Once again thank you for your interest in our product and we appreciate your feedback. Feel free to contact us should  you have any questions or suggestions :)

Yuki

Thank you for reply.
Quote from: schelkunov on September 15, 2014, 03:40:43 PM
Yes, administrator privileges are required to control ReHIPS. But from 1.2.0 it should explicitly say so, so this  should be already fixed.

I don't think it is fixed as I still want to use LUA for nealy all activity.
I have to manually run ReHIPS as admin to use it in LUA and it's really inconvenient.
Please consider to make UAC prompt than warning.

Quote
Tried to reproduce this behavior on Adobe Reader 11.0.0. It was installed, Enable Protected Mode at startup was  checked, Protected View was set to All files, Enable Enhanced Security was checked. Then RulesPack was executed. Adobe  Reader then launched just fine. So I guess it was fixed in 1.2.0.

I couldn't verify this as I got a more serious problem.
After installing & extracting rules, I tried to launch some programs which ReHIPS monitors.
But I just get error message that 'Failed to start restricted...' or something like that.
It seems ReHIPS couldn't make any ReHIPS-User as there's no ReHIPS-User folder in C:\Users\ and Windows' event log said network connection or access right is missing.
It is likely to be some conflicts with other security program on my machine or OS configuration I made, for in default Windows image ReHIPS worked fine (sorry but I forgot to test Adobe Reader).
My setting is:

Windows7SP1 Home Premium 64 bit (Japanese Lang)
Intel Core i3 Mem 8GB
All unnecessary services & functions are disabled.
Software Restriction Policy is applied to restrict all execution outside Program Folder or Windows folder, except for Admin & some custom location (some subfolders in Program Files or Windows are restricted while some other locations are allowed).
Included file types are: A3X,ADE,ADP,BAS,BAT,CHM,CMD,COM,CPL,CRT,EML,EXE,HLP,HTA,INF,INS,ISP,ISU,JSE,MDB,MDE,MSC,MSI,
MSP,MST,OCX,PAF,PCD,PIF,PS1,REG,RGS,SCR,SCT,SHB,SHS,U3P,VB,VBE,VBS,WS,WSC,WSF,APPLICATION,GADGET

Norton Internet Security v21.5.0.19
Malwarebytes Anti-Malware Pro 2.0.2.1012
Zemana AntiLogger 1.9.3.525
KeyScrambler Personal 3.4.0.4
SecureAPlus v2.3.2 full version
EMET 5.0
Malwarebytes Anti-Exploit 1.04.1.1012
K9 Web Protection 4.4.276
Peerblock 1.2
Secunia PSI v3.0

Sorry for having such complicated machine which definitely makes hunting culprit harder,
But I'll try to investigate some more in next testing.

QuoteYes, I understand, this feature would really be nice and helpful. But the problem is Windows grants and denies  access without calling any of our code, because no hooks are used. There are several possible solutions like setting  audit for some objects or using Process Monitor to determine objects of denied access. But these solutions are not very  convenient.

It's good that you have some possible solutions for this even though it is inconvenient.

QuoteAs restricted processes are executed on behalf of a separate ReHIPS user they don't have any access to other users'  (including real user's) folders including 'Startup Location' or 'Private Folders' like Desktop. And they don't have  write access to 'Vital System Files' in Windows or Program Files folders. And truth to tell I don't think this access  should be granted manually. Actually practice shows that denying access to files/folders is used quite rare as most  locations are already secured by default if you follow Operation features and Recommendations from documentation  placing executable files in write-protected directories (in particular, Program Files) and data in user's home  directory (on the desktop, in «My documents» directory, etc.). Allowing access is used sometimes to specific folders  (e.g. Folder with docs for Word, these folders are created by RulesPack). So I don't see much use of adding 'Startup  Location' or 'Vital System Files' to the templates, but we'll think about it.
And answering your question, some locations are allowed or blocked by default according to default Windows access  control lists. Manual allowing or blocking allows or denies access only to the specified location without affecting  other locations.

Okay I understood.
But it raises another problem/suggestion which I somehow missed in previous post.
Some programs, like Firefox or Chrome, save settings in user folder (%AppData%). But since ReHIPS uses another user, when I launch Firefox all personal settings and addons are lost.
Most Firefox users heavily configure their own one, so it means I can't protect Firefox with ReHIPS unless I uncheck USE_SEPARATE_DESKTOP which is, according to your documentation, quite risky.
Internet Explorer was okay, probably because its settings are stored in HKCU (though actually HKLM also affects)
Also when I try to launch a program within user folder such as desktop, I can't launch it with restricted.
In this case, ReHIPS works as if it is anti-executable (this is already explained if malwaretips forum).
But I don't need anti-exe.

As to setting issue, maybe one possible solution is to import specific setting files into ReHIPS user folder, maybe through custom setting option (and include it in default rule set).

Or specify certain program to always use certain ReHIPS User so that I can make persistent configuration for that ReHIPS user.
But I don't know whether a contents of a ReHIPS user which is no more used will be purged. (From my limited testing, it seems to be 'No'.)

schelkunov

Thank you for so detailed testing, Yuki!

QuoteI have to manually run ReHIPS as admin to use it in LUA and it's really inconvenient.
Please consider to make UAC prompt than warning.
Oh, we understand the problem now. Administrator privileges are required to control ReHIPS. But you don't have to run it under elevated admin. Even UAC-limited admin should be recognized and accepted. That is one of the reasons why we didn't mark it as require admin in the manifest. The other reason is that GUI can be autostarted with Windows. But applications requiring admin are not autostarted. Thanks for your suggestion, we'll think about requiring elevation when it's run locally from limited user account.

QuoteSorry for having such complicated machine which definitely makes hunting culprit harder,
But I'll try to investigate some more in next testing.

It seems like some antimalware solutions you have installed prevented ReHIPS from creating restricted users. It's really hard to say which one it was and why. But we'll investigate this issue.

QuoteAs to setting issue, maybe one possible solution is to import specific setting files into ReHIPS user folder, maybe through custom setting option (and include it in default rule set).

You're right, an application running on behalf of another (restricted) user can't access its settings if they're stored in user's profile folder or in HKCU registry hive. We've got 2 solutions to solve this problem. If you installed ReHIPS and then want to install some untrusted software, install it with DeployHelper, it will install software directly to the restricted user placing all the settings there from the beginning. If some software is already installed before ReHIPS, try RulesPack, for known software it copies registry keys from the real user's HKCU to the restricted user's and symlinks settings folders from user's profile folder. So known software should work just fine. If you didn't find your favourite program in RulesPack and you really need to run it restricted, we'll try to add it. If some already known software fails, we'll try to fix it.

QuoteOr specify certain program to always use certain ReHIPS User so that I can make persistent configuration for that ReHIPS user.
But I don't know whether a contents of a ReHIPS user which is no more used will be purged. (From my limited testing, it seems to be 'No'.)

From version 1.2.0 in advanced mode you can control ReHIPS users: delete them or specify applications that you want to run on their behalf. By default existing users are not purged. They're deleted only when you explicitly delete them or when no applications are specified to run on their behalf (a user is deleted when the last application in it is deleted).

Yuki

Quote from: schelkunov on September 19, 2014, 07:31:01 PM
You're right, an application running on behalf of another (restricted) user can't access its settings if they're stored in user's profile folder or in HKCU registry hive. We've got 2 solutions to solve this problem. If you installed ReHIPS and then want to install some untrusted software, install it with DeployHelper, it will install software directly to the restricted user placing all the settings there from the beginning. If some software is already installed before ReHIPS, try RulesPack, for known software it copies registry keys from the real user's HKCU to the restricted user's and symlinks settings folders from user's profile folder. So known software should work just fine.

Now I understood why I couldn't install NIS(Norton) when I tried to install it with deploy helper on default OS image.

Also got what happened to my Firefox.
I of course installed ReHIPS with admin priviledge, say my admin account is 'User2', but it don't have Firefox Profile as I don't use this account for internet.
My LUA is just 'User' so my Firefox profile is stored in Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\.
I assume RulesPack imported User2's setting but not Useer's.
This is probably the reason I didn't see my customization in protected firefox, but see in IE 'cause I also customised User2's IE settings.

Another possible problem is when I download any file in restricted browser, I can't get that file in usual account unless I modify ACE in one of ReHIPS user folder and copy & paste that file from there.
It's not only inconvenient but maybe dangerous, though I can save ACL from icacls command and recover it after I got the file.
Also what if I want to edit a document in the User\Documents\ and save it?
Copying the document into USB thumb drive can be solution but not safe according to your documentation.

QuoteIf you didn't find your favourite program in RulesPack and you really need to run it restricted, we'll try to add it. If some already known software fails, we'll try to fix it.

Not really need but I personlly want to strip any rights which is not needed to that software for all programs I have, even for security software as recently some incidents occured that well-known software's update server was hacked and it distributed poisoned update. Maybe you can remember Opera whose certificate was stolen and it distributed poisoned Opera with legitimate certificate.  Only HIPS can fight against those if Antivirus didn't catch them.

Quote
From version 1.2.0 in advanced mode you can control ReHIPS users: delete them or specify applications that you want to run on their behalf. By default existing users are not purged. They're deleted only when you explicitly delete them or when no applications are specified to run on their behalf (a user is deleted when the last application in it is deleted).

Oh I didn't noticed that. Thank you for explanation!
I'll do another go with ReHIPS as soon as I finished current task.

schelkunov

Hi, Yuki!

QuoteI assume RulesPack imported User2's setting but not Useer's.
RulesPack installs rules only for the software it found globally (HKLM) or for the current user (HKCU). It doesn't install rules for the software installed by other users. It will be fixed in the 1.3.0 version as different rules for different real users will be intoduced there.

QuoteAnother possible problem is when I download any file in restricted browser, I can't get that file in usual account unless I modify ACE in one of ReHIPS user folder and copy & paste that file from there.
The recommended folders to exchange files with restricted software are created by RulesPack. By the way it was slightly touched in our latest video. For example C:\ReHIPS\Browser is added for the browser. Access to it is allowed to the real and the corresponding ReHIPS users. So yes, you won't be able to access it if you use another real user. And it should also be fixed with the introduction of real users.

Many thanks for your questions!  Do not hesitate to contact us anytime for further assistance.

Yuki

Quote from: schelkunov on September 24, 2014, 09:16:30 AM
Hi, Yuki!

Quote
RulesPack installs rules only for the software it found globally (HKLM) or for the current user (HKCU). It doesn't install rules for the software installed by other users. It will be fixed in the 1.3.0 version as different rules for different real users will be intoduced there.
Good to hear it will be fixed. :)

Quote
The recommended folders to exchange files with restricted software are created by RulesPack. By the way it was slightly touched in our latest video. For example C:\ReHIPS\Browser is added for the browser. Access to it is allowed to the real and the corresponding ReHIPS users. So yes, you won't be able to access it if you use another real user. And it should also be fixed with the introduction of real users.

Sorry I didn't watch the video 'cause I assumed Admin guide covers everything but it's my misunderstanding.
So RelusPack creates sharing folder and it is restricted to minimize risks.
Thanks for clarify!

BTW I downloaded beta program's rar pack and will test soon.
But please be patient!

Yuki

#7
It's a log file of my ReHIPS beta v1.2.0
I'll send you the password.

One more thing I noteced is when I downloaded in IE and tried "Open the folder" IE freezed and says "Server execution failed".
But I can use & navigate through explorer if I choose "Save as" firstly.