Topic: Any Reported Conflicts with Other Security Softs ?

HJLBX

Any Reported Conflicts with Other Security Softs ?
« on: April 02, 2016, 10:56:10 pm »
Have there been any reports or known issues with any other security softs ?

Would like any infos so I do not combo with a soft for which there is a known conflict - and then needlessly report a bug with upcoming release.

TIA

schelkunov

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #1 on: April 04, 2016, 10:25:59 am »
Hello, HJLBX!

We didn't face any conflicts between ReHIPS 2.xx and other security software.

Best regards.

Umbra

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #2 on: April 07, 2016, 01:59:05 pm »
After installing ReHIPS:

- Hitman Pro Alert: now my apps are detected as exploited; I can't run them unless I disable HMPA's protection against ROP attacks.

- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
« Last Edit: April 07, 2016, 02:04:46 pm by umbrapolaris »

schelkunov

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #3 on: April 07, 2016, 03:34:54 pm »
Quote
- Hitman Pro Alert: now my apps are detected as exploited; I can't run them unless I disable HMPA's protection against ROP attacks.
I think I know why. If I'm right, there are a lot of security programs (and not only security ones) that conflict with Hitman Pro Alert.

Quote
- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
Is Chrome isolated with ReHIPS too?

Umbra

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #4 on: April 07, 2016, 05:30:50 pm »
Quote
- Hitman Pro Alert: now my apps are detected as exploited; I can't run them unless I disable HMPA's protection against ROP attacks.
I think I know why. If I'm right, there are a lot of security programs (and not only security ones) that conflict with Hitman Pro Alert.

On my system, only my portable apps.

Quote
- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
Is Chrome isolated with ReHIPS too?

It is not isolated, since I allowed Sandboxie's processes.

HJLBX

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #5 on: April 12, 2016, 07:26:40 am »
ReHIPS and AppGuard (NOT A CONFLICT):

User must set AppGuard to Install before using ReHIPS Deploy Helper or manually configuring isolated environment for application the very first time.

AppGuard is software restriction policy security soft.

It blocks\interferes with ReHIPS DeployHelper access to User Profile.

It blocks execution of files from User Space - unless digitally signed and LUA policy is applied.

User must also make all ReHIPSUSser folders exception folders with read\write access.

That's it... pretty simple.
« Last Edit: April 12, 2016, 08:58:18 am by HJLBX »

HJLBX

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #6 on: April 12, 2016, 07:27:16 am »
Dr Web Katana - even in Paranoid Mode working fine with ReHIPS.

However, there is one problem in Paranoid Mode.

If user blocks desktoptools64.exe, then isolated application will still execute in isolated environment, but CPU will be increased.

See images.

* * * * *

Solution:  Don't block desktoptools64.exe if you enable Paranoid Mode.  Better yet, create AutoRun exception in Katana for desktoptools.exe.
« Last Edit: April 12, 2016, 08:08:16 am by HJLBX »

fixer

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #7 on: April 12, 2016, 08:14:19 pm »
Quote
- Hitman Pro Alert: now my apps are detected as exploited; I can't run them unless I disable HMPA's protection against ROP attacks.
- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
After some research I think I know how to make Hitman Pro Alert happy. Need to test it though.
But I can't reproduce Sandboxie + Chrome issue. I've got ReHIPS, Sandboxie and Chrome installed. I manually start Chrome in Sandboxie by clicking the right mouse button on Chrome executable file. Some alerts from ReHIPS are shown, I allow them all (as I supposedly trust Sandboxie) so I allow Sandboxie's Start.exe to start processes. Thus Chrome runs in Sandboxie without any problems. Could you describe it step-by-step with more details?

HJLBX

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #8 on: April 13, 2016, 01:47:50 am »
Quote
- Hitman Pro Alert: now my apps are detected as exploited; I can't run them unless I disable HMPA's protection against ROP attacks.
- Sandboxie + Chrome: pages are stuck in an endless loading or stop loading.
After some research I think I know how to make Hitman Pro Alert happy. Need to test it though.
But I can't reproduce Sandboxie + Chrome issue. I've got ReHIPS, Sandboxie and Chrome installed. I manually start Chrome in Sandboxie by clicking the right mouse button on Chrome executable file. Some alerts from ReHIPS are shown, I allow them all (as I supposedly trust Sandboxie) so I allow Sandboxie's Start.exe to start processes. Thus Chrome runs in Sandboxie without any problems. Could you describe it step-by-step with more details?

If Umbra doesn't respond within a few days, the best way to reach him is to send a PM at MalwareTips.  He will respond.

Anyhow, I sent a PM to him already to take a look at your questions.
« Last Edit: April 13, 2016, 01:56:10 am by HJLBX »

Umbra

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #9 on: April 13, 2016, 06:36:12 am »
Quote
After some research I think I know how to make Hitman Pro Alert happy. Need to test it though.

HMPA now has issues with ROP; MS Office applications are now also blocked by HMPA (see the HMPA thread on Wilders; some companies have to remove HMPA from their workers' machines). The temporary fix is disabling ROP protection for the concerned apps. I guess the HMPA devs will issue a fix.

https://www.wilderssecurity.com/threads/hitmanpro-alert-support-and-discussion-thread.324841/page-374 (the issue reports start at the middle of the page)

Quote
But I can't reproduce Sandboxie + Chrome issue. I've got ReHIPS, Sandboxie and Chrome installed. I manually start Chrome in Sandboxie by clicking the right mouse button on Chrome executable file. Some alerts from ReHIPS are shown, I allow them all (as I supposedly trust Sandboxie) so I allow Sandboxie's Start.exe to start processes. Thus Chrome runs in Sandboxie without any problems. Could you describe it step-by-step with more details?

Yes, your procedure is using Chrome inside the default sandbox by manually sandboxing it. That works for default settings and the average user of Sandboxie, so no problem in this case.

Unfortunately, as long-time (paid) users of Sandboxie, we have several different settings. In my case:

- Chrome runs in its own dedicated sandbox, hence this sandbox has a lot of custom, tighter settings than the default sandbox.
- Chrome is "Forced" (meaning when I click on any shortcut of Chrome, it always starts sandboxed).
- This Chrome sandbox has some access restriction settings (some are surely conflicting with ReHIPS); I have to do tests.

Will keep you informed.
« Last Edit: April 13, 2016, 06:40:31 am by umbrapolaris »

fixer

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #10 on: April 13, 2016, 10:28:14 am »
HMPA hooks several functions (like LdrLoadDll in ReHIPS case) by splicing, walks the stack frames and checks the caller address if it looks like ROP by trying to disassemble up. IMHO, this can give false positives for delay load import and some compiler optimizations along with some other programs hooks.

If Chrome processes aren't isolated by ReHIPS, ReHIPS shouldn't affect them in any way. So it's somewhat strange that pages are stuck. Could you give more details? Maybe try to Disable ReHIPS in the main window. Or try "net stop ReHIPSSrvc" to shut it down completely and check if the error still persists.
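
The caller check described in Reply #10, as an added example that is not part of the thread and is not HMPA's or ReHIPS's code: it looks backwards from each saved return address for a CALL encoding and flags the address if none fits. The function names and byte samples are constructed for illustration, only `E8 rel32` and `FF /2` calls are recognised, and the last sample shows a return address that was pushed without a CALL being flagged as well.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of an FF /2 (indirect CALL) instruction starting at p, or 0 if none. */
static size_t ff_call_len(const uint8_t *p, size_t avail)
{
    if (avail < 2 || p[0] != 0xFF || ((p[1] >> 3) & 7) != 2) return 0;
    uint8_t mod = p[1] >> 6, rm = p[1] & 7;
    size_t n = 2;
    if (mod == 3) return n;                          /* call reg */
    if (rm == 4) {                                   /* SIB byte follows ModRM */
        if (avail < 3) return 0;
        n++;
        if (mod == 0 && (p[2] & 7) == 5) n += 4;     /* SIB form with disp32 */
    }
    if (mod == 0 && rm == 5) n += 4;                 /* disp32 (RIP-relative on x64) */
    else if (mod == 1) n += 1;                       /* disp8 */
    else if (mod == 2) n += 4;                       /* disp32 */
    return n;
}

/* 1 if the bytes ending exactly at offset ret decode as a CALL. */
int call_preceded(const uint8_t *code, size_t len, size_t ret)
{
    static const size_t lens[] = { 2, 3, 4, 6, 7 };  /* possible FF /2 lengths */
    if (ret > len) return 0;
    if (ret >= 5 && code[ret - 5] == 0xE8) return 1; /* call rel32 */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        if (ret >= lens[i] && ff_call_len(code + ret - lens[i], lens[i]) == lens[i]) return 1;
    return 0;
}

/* Walk the saved return addresses; index of the first one flagged, or -1. */
int first_flagged(const uint8_t *code, size_t len, const size_t *rets, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!call_preceded(code, len, rets[i])) return (int)i;
    return -1;
}
/* Constructed sample bytes, not taken from any real module. */
const uint8_t DIRECT[]   = { 0xE8,0x10,0x00,0x00,0x00, 0x90, 0xC3 };          /* call rel32 */
const uint8_t INDIRECT[] = { 0xFF,0x15,0x00,0x10,0x00,0x00, 0x48,0x89,0xC3 }; /* call [rip+d32] */
/* push imm32; jmp rel32; the pushed continuation is at offset 10 (no CALL before it) */
const uint8_t PUSH_JMP[] = { 0x68,0x00,0x10,0x40,0x00, 0xE9,0x00,0x01,0x00,0x00, 0x48,0x89,0xD8, 0xC3 };

int main(void) {
    printf("%d %d %d\n", call_preceded(DIRECT, sizeof DIRECT, 5),
           call_preceded(INDIRECT, sizeof INDIRECT, 6), call_preceded(PUSH_JMP, sizeof PUSH_JMP, 10));
    return 0;
}
```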

Umbra

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #11 on: April 13, 2016, 11:05:21 am »
Found my issue:

- Appguard : Rehips' processes (hipsagent64.exe, hipsgui64.exe, hipsservice64.exe) must be added to appguard power applications...
« Last Edit: April 13, 2016, 11:20:28 am by umbrapolaris »

HJLBX

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #12 on: April 13, 2016, 11:07:04 am »
Quote
Found my issue:

- Appguard : Rehips' processes (hipsagnt64.exe, hipsgui64.exe, hipsservice64.exe) must be added to appguard power applications...

Same softs, two different systems, two different behaviors... LOL.

I haven't had to do this in AppGuard.

aDVll

  • Windows 10 latest 64 bit
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #13 on: April 13, 2016, 11:16:27 am »
Quote
Found my issue:

- Appguard : Rehips' processes (hipsagnt64.exe, hipsgui64.exe, hipsservice64.exe) must be added to appguard power applications...

I tested this and also had to put them in power applications, or else isolated applications didn't start. Unless it's something with the AppGuard trial, which I doubt. Seemed to work OK.

HJLBX

Re: Any Reported Conflicts with Other Security Softs ?
« Reply #14 on: April 14, 2016, 03:47:36 am »
ReHIPS & Shadow Defender

No problems experienced at initiation of Shadow Mode.

User just needs to create an Allow rule manually for C:\System32\mountvol.exe outside of Shadow Mode.

This is same behavior as with SpyShelter HIPS; user must manually create the allow execution rule for mountvol.exe.

However, the first time I manually created the Allow execution rule for mountvol.exe outside of Shadow Mode, when I entered\exited Shadow Mode the rule disappeared; I had to recreate the rule manually using the ReHIPS filehelper again.

* * * * *

After entering\exiting Shadow Mode a few times (5X), ReHIPS reverted to unregistered version.

Prompt to activate ReHIPS appeared.

See image of About ReHIPS; not activated\registered in Shadow Mode.

* * * * *

Exit Shadow Mode and return to real user desktop, then ReHIPS is activated\registered.

« Last Edit: April 14, 2016, 04:18:07 am by HJLBX »