Any Reported Conflicts with Other Security Softs?

Started by HJLBX, April 02, 2016, 10:56:10 PM


HJLBX

Have there been any reports or known issues with any other security softs?

Would like any info so I do not combo with a soft for which there is a known conflict, and then needlessly report a bug with the upcoming release.

TIA

schelkunov

Hello, HJLBX!

We didn't face any conflicts between ReHIPS 2.xx and other security software.

Best regards.

Umbra

After installing ReHIPS:

- Hitman Pro Alert: now my apps are detected as exploited; I can't run them unless I disable HMPA's protection against ROP attacks.

- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.

schelkunov

Quote: - Hitman Pro Alert: now my apps are detected as exploited; I can't run them unless I disable HMPA's protection against ROP attacks.
I think I know why. If I'm right, a lot of security programs (and not only security ones) conflict with Hitman Pro Alert.

Quote: - Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
Is Chrome isolated with ReHIPS too?

Umbra

Quote from: schelkunov on April 07, 2016, 03:34:54 PM
Quote: - Hitman Pro Alert: now my apps are detected as exploited; I can't run them unless I disable HMPA's protection against ROP attacks.
I think I know why. If I'm right, a lot of security programs (and not only security ones) conflict with Hitman Pro Alert.

On my system, only my portable apps.


Quote from: schelkunov on April 07, 2016, 03:34:54 PM
Quote: - Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
Is Chrome isolated with ReHIPS too?

It is not isolated, since I allowed Sandboxie's processes.

HJLBX

ReHIPS and AppGuard (NOT A CONFLICT):

The user must set AppGuard to Install before using the ReHIPS DeployHelper or manually configuring the isolated environment for an application the very first time.

AppGuard is a software-restriction-policy security soft.

It blocks/interferes with the ReHIPS DeployHelper's access to the User Profile.

It blocks execution of files from User Space, unless they are digitally signed and the LUA policy is applied.

The user must also make all ReHIPSUser folders exception folders with read/write access.

That's it... pretty simple.

HJLBX

Dr.Web Katana: even in Paranoid Mode it is working fine with ReHIPS.

However, there is one problem in Paranoid Mode.

If the user blocks desktoptools64.exe, then the isolated application will still execute in the isolated environment, but CPU usage will be increased.

See images.

* * * * *

Solution: Don't block desktoptools64.exe if you enable Paranoid Mode. Better yet, create an AutoRun exception in Katana for desktoptools.exe.

fixer

Quote from: umbrapolaris on April 07, 2016, 01:59:05 PM
- Hitman Pro Alert: now my apps are detected as exploited; I can't run them unless I disable HMPA's protection against ROP attacks.
- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
After some research I think I know how to make Hitman Pro Alert happy. Need to test it though.
But I can't reproduce the Sandboxie + Chrome issue. I've got ReHIPS, Sandboxie and Chrome installed. I manually start Chrome in Sandboxie by right-clicking the Chrome executable file. Some alerts from ReHIPS are shown; I allow them all (as I supposedly trust Sandboxie), so I allow Sandboxie's Start.exe to start processes. Thus Chrome runs in Sandboxie without any problems. Could you describe it step-by-step with more details?

HJLBX

Quote from: fixer on April 12, 2016, 08:14:19 PM
Quote from: umbrapolaris on April 07, 2016, 01:59:05 PM
- Hitman Pro Alert: now my apps are detected as exploited; I can't run them unless I disable HMPA's protection against ROP attacks.
- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
After some research I think I know how to make Hitman Pro Alert happy. Need to test it though.
But I can't reproduce the Sandboxie + Chrome issue. I've got ReHIPS, Sandboxie and Chrome installed. I manually start Chrome in Sandboxie by right-clicking the Chrome executable file. Some alerts from ReHIPS are shown; I allow them all (as I supposedly trust Sandboxie), so I allow Sandboxie's Start.exe to start processes. Thus Chrome runs in Sandboxie without any problems. Could you describe it step-by-step with more details?

If Umbra doesn't respond within a few days, the best way to reach him is to send a PM at MalwareTips. He will respond.

Anyhow, I sent a PM to him already to take a look at your questions.

Umbra

Quote from: fixer on April 12, 2016, 08:14:19 PM
After some research I think I know how to make Hitman Pro Alert happy. Need to test it though.


HMPA now has issues with ROP; MS Office applications are now also blocked by HMPA (see the HMPA thread on Wilders; some companies had to remove HMPA from their workers' machines). The temporary fix is disabling ROP protection for the concerned apps. I guess the HMPA devs will issue a fix.

https://www.wilderssecurity.com/threads/hitmanpro-alert-support-and-discussion-thread.324841/page-374 (the issue reports start in the middle of the page)

Quote: But I can't reproduce the Sandboxie + Chrome issue. I've got ReHIPS, Sandboxie and Chrome installed. I manually start Chrome in Sandboxie by right-clicking the Chrome executable file. Some alerts from ReHIPS are shown; I allow them all (as I supposedly trust Sandboxie), so I allow Sandboxie's Start.exe to start processes. Thus Chrome runs in Sandboxie without any problems. Could you describe it step-by-step with more details?

Yes, your procedure is using Chrome inside the default sandbox by manually sandboxing it. That works for the default settings and the average user of Sandboxie, so no problem in this case.

Unfortunately, long-time (paid) users of Sandboxie have several different settings; in my case:

- Chrome runs in its own dedicated sandbox, hence this sandbox has a lot of custom, tighter settings than the default sandbox.
- Chrome is "Forced" (meaning when I click on any shortcut of Chrome, it always starts sandboxed).
- This Chrome sandbox has some restricted-access settings (some are surely conflicting with ReHIPS); I have to do tests.

Will keep you informed.

fixer

HMPA hooks several functions (like LdrLoadDll in ReHIPS' case) by splicing, walks the stack frames and checks whether the caller address looks like ROP by trying to disassemble upwards. IMHO, this can give false positives for delay-load imports and some compiler optimizations, along with some other programs' hooks.

If Chrome processes aren't isolated by ReHIPS, ReHIPS shouldn't affect them in any way. So it's somewhat strange that pages are stuck. Could you give more details? Maybe try to Disable ReHIPS in the main window. Or try "net stop ReHIPSSrvc" to shut it down completely and check if the error still persists.
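
The caller check described in the post above, as an added illustration written for this thread (it is not HMPA's or ReHIPS' code): given a return address found while walking the stack, decode the bytes just before it and accept the frame only if they form an x86-64 CALL; anything else is treated as a possible ROP gadget. All byte sequences are constructed here, not captured from a real process. The push/jmp thunk is an assumed idiom chosen to show how a frame with a perfectly valid return address can still fail the check (the kind of false positive the post mentions for hooks and thunks), and the `mov rax` sample shows the opposite failure: an immediate byte that happens to be 0xE8 makes a gadget pass.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of the CALL encoding that ends exactly at ret_addr, or 0 if none.
 * code_start bounds the backwards scan so we never read before the buffer. */
static size_t call_len_before(const uint8_t *code_start, const uint8_t *ret_addr)
{
    size_t avail = (size_t)(ret_addr - code_start);
    const uint8_t *p = ret_addr;

    /* E8 rel32: direct near call (5 bytes). A 0xE8 here may also be a byte
     * of some other instruction's immediate or displacement; this check cannot
     * tell the difference, which is the basic problem of disassembling upwards. */
    if (avail >= 5 && p[-5] == 0xE8)
        return 5;
    /* FF /2 family (indirect calls): opcode FF with ModRM.reg == 2. */
    /* FF D0..D7: call reg (2 bytes), or the same with a REX prefix (3 bytes). */
    if (avail >= 2 && p[-2] == 0xFF && (p[-1] >> 6) == 3 && ((p[-1] >> 3) & 7) == 2)
        return 2;
    if (avail >= 3 && (p[-3] & 0xF0) == 0x40 && p[-2] == 0xFF &&
        (p[-1] >> 6) == 3 && ((p[-1] >> 3) & 7) == 2)
        return 3;
    /* FF 15 disp32: call [rip+disp32], the usual import-table call (6 bytes). */
    if (avail >= 6 && p[-6] == 0xFF && p[-5] == 0x15)
        return 6;
    /* FF 50..57 disp8: call [reg+disp8] (3 bytes, no SIB byte). */
    if (avail >= 3 && p[-3] == 0xFF && (p[-2] >> 6) == 1 &&
        ((p[-2] >> 3) & 7) == 2 && (p[-2] & 7) != 4)
        return 3;
    return 0;
}

/* A stack frame as the walker sees it: the code region that contains the
 * return address, and the return address's offset inside that region. */
typedef struct {
    const uint8_t *code;
    size_t size;
    size_t ret_off;
} frame_t;

/* true: a CALL precedes the return address, frame accepted.
 * false: no CALL found, frame flagged as a possible ROP gadget. */
static bool frame_looks_legit(const frame_t *f)
{
    if (f->ret_off > f->size)
        return false;
    return call_len_before(f->code, f->code + f->ret_off) != 0;
}

/* Constructed samples (hypothetical bytes, not from any real binary). */
/* call rel32 ; mov rbx, rax                -> return address at offset 5 */
static const uint8_t k_direct_call[] = { 0xE8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xC3 };
/* call [rip+0x2000] ; test eax, eax        -> return address at offset 6 */
static const uint8_t k_import_call[] = { 0xFF, 0x15, 0x00, 0x20, 0x00, 0x00, 0x85, 0xC0 };
/* nop ; nop ; pop rdi ; ret ; pop rax ; ret -> "return" into the gadget at 2 */
static const uint8_t k_rop_gadget[] = { 0x90, 0x90, 0x5F, 0xC3, 0x58, 0xC3 };
/* push 10 ; jmp rel32 ; mov rbx, rax       -> pushed return address at 10.
 * A thunk or hook that builds its own return address this way leaves a
 * legitimate frame that no CALL precedes: a false positive. */
static const uint8_t k_push_jmp[] = { 0x68, 0x0A, 0x00, 0x00, 0x00, 0xE9, 0x00, 0x01, 0x00, 0x00,
                                      0x48, 0x89, 0xC3 };
/* mov rax, 0xE8000000 ; pop rdi ; ret      -> gadget at 10, and the byte five
 * before it is 0xE8 from the immediate: a false negative. */
static const uint8_t k_imm_e8[] = { 0x48, 0xB8, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x00,
                                    0x5F, 0xC3 };

static bool check(const uint8_t *code, size_t size, size_t ret_off)
{
    frame_t f = { code, size, ret_off };
    return frame_looks_legit(&f);
}

bool sample_direct_call(void)    { return check(k_direct_call, sizeof k_direct_call, 5); }
bool sample_import_call(void)    { return check(k_import_call, sizeof k_import_call, 6); }
bool sample_rop_gadget(void)     { return check(k_rop_gadget,  sizeof k_rop_gadget,  2); }
bool sample_push_jmp_thunk(void) { return check(k_push_jmp,    sizeof k_push_jmp,   10); }
bool sample_imm_e8_gadget(void)  { return check(k_imm_e8,      sizeof k_imm_e8,     10); }

int main(void)
{
    printf("direct call      : %s\n", sample_direct_call()    ? "accepted" : "flagged as ROP");
    printf("import call      : %s\n", sample_import_call()    ? "accepted" : "flagged as ROP");
    printf("rop gadget       : %s\n", sample_rop_gadget()     ? "accepted" : "flagged as ROP");
    printf("push/jmp thunk   : %s\n", sample_push_jmp_thunk() ? "accepted" : "flagged as ROP");
    printf("imm 0xE8 gadget  : %s\n", sample_imm_e8_gadget()  ? "accepted" : "flagged as ROP");
    return 0;
}
```

The two failure samples are the point: a byte-level "is there a CALL before the return address" test has no way to know where the previous instruction actually starts, so any code that reaches a function without a CALL (thunks, hooks, tail-merged delay-load stubs) trips it, while a gadget that happens to sit after a suitable byte sails through.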

Umbra

Found my issue:

- AppGuard: ReHIPS' processes (hipsagent64.exe, hipsgui64.exe, hipsservice64.exe) must be added to AppGuard Power Applications...

HJLBX

Quote from: umbrapolaris on April 13, 2016, 11:05:21 AM
Found my issue:

- AppGuard: ReHIPS' processes (hipsagnt64.exe, hipsgui64.exe, hipsservice64.exe) must be added to AppGuard Power Applications...

Same softs, two different systems, two different behaviors... LOL.

I haven't had to do this in AppGuard.

aDVll

Quote from: umbrapolaris on April 13, 2016, 11:05:21 AM
Found my issue:

- AppGuard: ReHIPS' processes (hipsagnt64.exe, hipsgui64.exe, hipsservice64.exe) must be added to AppGuard Power Applications...
I tested this and also had to put them in Power Applications, or else isolated applications didn't start. Unless it's something with the AppGuard trial, which I doubt. Seemed to work OK.

HJLBX

ReHIPS & Shadow Defender

No problems experienced at initiation of Shadow Mode.

The user just needs to create an Allow rule manually for C:\System32\mountvol.exe outside of Shadow Mode.

This is the same behavior as with SpyShelter HIPS; the user must manually create the allow-execution rule for mountvol.exe.

However, the first time I manually created the Allow execution rule for mountvol.exe outside of Shadow Mode, when I entered/exited Shadow Mode the rule disappeared; I had to recreate the rule manually using the ReHIPS filehelper again.

* * * * *

After entering/exiting Shadow Mode a few times (5X), ReHIPS reverted to the unregistered version.

A prompt to activate ReHIPS appeared.

See image of About ReHIPS; not activated/registered in Shadow Mode.

* * * * *

Exit Shadow Mode and return to the real user desktop, and ReHIPS is activated/registered.