Author Topic: ReHIPS folders

Stephen

  • Jr. Member
  • Posts: 48
ReHIPS folders
« on: July 03, 2019, 09:27:21 am »
I would like to ask about the ReHIPS directory and its subdirectories. I have read a few postings about it, including in the FAQ https://forum.rehips.com/index.php?topic=9487.0 where it ends with "So consider these subfolders as some kind of a transit point between the trusted land and the land of isolated and potentially untrusted programs". Just to be clear in my mind, is it true that anything ending up in these folders, for example as a result of browsing, could be a potential threat? In other words, these folders are not part of any isolated environment?

If so, I would like to ask if it's advisable not to rely 100% on ReHIPS and consider also installing an antivirus or malware detecting program. I had problems with ReHIPS and Bitdefender which as a result made me uninstall Bitdefender completely. I now feel a bit "naked" as it were because I only have ReHIPS (and Windows Defender) as my protection mechanism.

shmu26

  • Active Testers
  • Sr. Member
  • Posts: 461
  • Win10 x64 latest stable
Re: ReHIPS folders
« Reply #1 on: July 03, 2019, 09:40:11 am »
Files ending up in the ReHIPS folder, or any other location for that matter, are not protected by the isolated environment, even if the file lands in the IE itself. That's why ReHIPS has a set of default/deny rules that function similarly to other anti-exe programs. Isolated environments are just there to serve the isolated application, so it can function without compromising the security of the system.

It is always recommended to run an AV. With the exception of Bitdefender, most other AVs should work with ReHIPS, after the proper exceptions are made.

My personal preference in AV is Windows Defender tweaked by Andy Ful's ConfigureDefender tool. If you use Microsoft Office, some of the ASR rules might cause an error message when used together with ReHIPS isolation. You can either ignore them, or disable the offending ASR rules.

Some advanced users run ReHIPS in expert mode without any AV. You can do that if you want.

fixer can surely explain these things better than me, but in the meantime, I hope this post helps you a little...

Stephen

  • Jr. Member
  • Posts: 48
Re: ReHIPS folders
« Reply #2 on: July 03, 2019, 10:10:39 am »
Thank you shmu26 for the helpful information. Ideally I would like to become confident to run ReHIPS in expert mode, but that will take some time and lots of help!

I'll have a look at Andy Ful's ConfigureDefender tool. No problem with Microsoft Office as although I have it installed on my laptop I generally prefer to run LibreOffice.

fixer

  • Administrator
  • Hero Member
  • Posts: 1474
Re: ReHIPS folders
« Reply #3 on: July 03, 2019, 12:07:42 pm »
There are 2 types of possible threats: code and data.

Code is pretty simple: you download some executable file and it turns out to be malicious. A separate program is started in this case. ReHIPS program control detects it and deals with this by allowing untrusted programs to execute in isolated environments.

Data is more tricky and usually called exploits. For example, you download a Word file, open it, and because of some critical Word bug it gets exploited and executes some malicious code. In this case no additional program is started (at least at this stage) and supposedly trusted Word starts to misbehave. Executing Word in an isolated environment contains the threat. But what if it can infect other data files? Then any opened Word file may become infected, spreading the threat. Your PC is isolated, but if you take an infected file to another PC without ReHIPS, there may be trouble.

But that is more of a theoretical threat, as it's quite complicated and is very rarely seen in the wild.

Stephen

  • Jr. Member
  • Posts: 48
Re: ReHIPS folders
« Reply #4 on: July 03, 2019, 01:30:43 pm »
Thank you fixer. That is a very clear explanation about the potential threats. For one thing, in future I'll try and open one Office document at a time! At least this may reduce the risk of propagation, to some degree.  :D