Author Topic: Any Reported Conflicts with Other Security Softs ?  (Read 52494 times)

HJLBX

  • Guest
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #15 on: April 14, 2016, 04:33:28 am »
Combining ReHIPS with other security softs that will block items inside ReHIPSUser is problematic.

For example, Webroot will auto-block items executed in ReHIPSUser without generating an alert.  Also, if there is any alert while inside the Isolated Environment, then the user will not see the alert.

I only discovered some blocked items in ReHIPSUser after doing some routine inspection of Webroot rules.

* * * * *

This is an issue to which there is no easy solution.  That's all there is to it.  ReHIPS actually has nothing to do with it.  Each user will have to sort it out for themselves - depending upon what they combo ReHIPS with.

Actually, it should be a general recommendation that any security soft that auto-blocks or has HIPS functionality is NOT recommended to combine with ReHIPS.  If the user disregards this recommendation, then it is on the user to manage any problems.

ReCrypt can't accommodate every single use situation.

Umbra

  • Active Testers
  • Beta tester
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #16 on: April 14, 2016, 06:41:50 am »
* * * * *

After entering\exiting Shadow Mode a few times (5X), ReHIPS reverted to unregistered version.

Prompt to activate ReHIPS appeared.


Had a similar issue with Rollback RX (I made a thread for it).

fixer

  • Administrator
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #17 on: April 14, 2016, 12:32:55 pm »
HJLBX
Looks like it's a similar issue to the one umbrapolaris reported. Does it show the same HWID, but ReHIPS unregisters?

HJLBX

  • Guest
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #18 on: April 14, 2016, 12:39:27 pm »
> HJLBX
> Looks like it's a similar issue to the one umbrapolaris reported. Does it show the same HWID, but ReHIPS unregisters?

Different HWID.

You can see in the attached image in the initial report that the HWID begins with 8....

My actual HWID begins with 5....

fixer

  • Administrator
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #19 on: April 14, 2016, 01:47:25 pm »
If your HWID changed, it's not exactly a bug, it's a feature :) HWID is bound to the hardware components, HDD to be more exact. If it detects changes in HWID, it thinks it was moved to some other PC and asks for the new key. I guess Shadow Defender somehow affects the HDD information so ReHIPS doesn't recognize it as the same HDD. I'll look at it later, maybe I'll think of something.
BTW, added mountvol.exe to RulesPack, thanks for the report.

aDVll

  • Active Testers
  • Windows 10 latest 64 bit
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #20 on: April 14, 2016, 08:16:14 pm »
Tested 2 antikeyloggers.
Works great with Zemana antikeylogger free.
Fails to work with KeyScrambler. Protects the keys so nothing I type appears. Don't understand the how and why but probably because ReHIPS launches the browser.

fixer

  • Administrator
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #21 on: April 19, 2016, 03:32:03 pm »
Checked Shadow Defender. Looks like it installs its own filtering drivers on disk partitions. And it doesn't support the SCSI_INQUIRY command on those filtered partitions, returning STATUS_ACCESS_DENIED, which leads to a change of HWID, which leads to the unregistered state. So it's partially a Shadow Defender issue and partially a ReHIPS feature.

Umbra

  • Active Testers
  • Beta tester
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #22 on: April 19, 2016, 03:38:25 pm »
Yes, because Shadow Defender protects the MBR from changes while in Shadow Mode.

fixer

  • Administrator
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #23 on: April 19, 2016, 04:01:52 pm »
Actually, as Shadow Defender doesn't restrict driver loading in any way, it won't be able to protect anything from kernel-mode threats. SCSI_INQUIRY is a standard read-only command and poses no threat; besides, it's issued by a driver, so I don't know why they did it. Most likely they just didn't implement all the possible codes (some of which are usually not used).
« Last Edit: April 19, 2016, 04:15:33 pm by fixer »

fixer

  • Administrator
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #24 on: April 19, 2016, 04:47:28 pm »
> Fails to work with KeyScrambler. Protects the keys so nothing I type appears. Don't understand the how and why but probably because ReHIPS launches the browser.

As I couldn't reproduce it, could you describe it in more detail? What browser were you using? Was it on a separate desktop or not? If it was, separate desktops are most likely not supported by this antikeylogger, try it on the main desktop.

aDVll

  • Active Testers
  • Windows 10 latest 64 bit
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #25 on: April 19, 2016, 04:56:00 pm »
> > Fails to work with KeyScrambler. Protects the keys so nothing I type appears. Don't understand the how and why but probably because ReHIPS launches the browser.
>
> As I couldn't reproduce it, could you describe it in more detail? What browser were you using? Was it on a separate desktop or not? If it was, separate desktops are most likely not supported by this antikeylogger, try it on the main desktop.

Wait, I will test again with Chrome and Firefox latest and tell you exactly what I did.

OK, Firefox works OK but Chrome does not. While running Chrome isolated (default rules you guys make), any key pressed doesn't appear because KeyScrambler protects the keys. If you disable ReHIPS and launch Chrome normally, then KeyScrambler works great.
As you see in this gif, KeyScrambler is showing I am in an unprotected application and keys I pressed get protected (KeyScrambler icon showing the letters changed).
Chrome has AppContainer and Win32k Lockdown flags on.

http://i.imgur.com/wSWrNbo.gifv
« Last Edit: April 19, 2016, 05:18:57 pm by aDVll »

fixer

  • Administrator
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #26 on: April 20, 2016, 08:46:39 pm »
Try to enable the DESKTOP_HOOKCONTROL access right (KeyScrambler seems to be in need of it), or use a separate desktop: KeyScrambler doesn't work with them, and thus doesn't block any printing. This is the solution if you want to keep KeyScrambler. Or you can discard it, as ReHIPS also protects you from keyloggers.

aDVll

  • Active Testers
  • Windows 10 latest 64 bit
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #27 on: April 21, 2016, 09:51:30 am »
> Try to enable the DESKTOP_HOOKCONTROL access right (KeyScrambler seems to be in need of it), or use a separate desktop: KeyScrambler doesn't work with them, and thus doesn't block any printing. This is the solution if you want to keep KeyScrambler. Or you can discard it, as ReHIPS also protects you from keyloggers.

Nah, I don't need to use it. Was just testing applications I already had for possible issues so I can report them.

HJLBX

  • Guest
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #28 on: April 27, 2016, 12:46:34 pm »
Another version of HitmanPro.Alert was recently released.

Any program run inside the Isolated Environment will still trigger a ROP alert and that program will be terminated by HMP.A.

ROP mitigation must be disabled for any program run inside Isolated Environment.

* * * * *

HookDll64.dll causes the ROP false positive.  Erik Loman from Sophos\SurfRight will help if asked.

* * * * *

HMP.A protective border\keystroke encryption will not display for any program run inside the Isolated Environment.
« Last Edit: April 27, 2016, 01:03:36 pm by HJLBX »

Umbra

  • Active Testers
  • Beta tester
Re: Any Reported Conflicts with Other Security Softs ?
« Reply #29 on: April 27, 2016, 03:57:06 pm »
Not only isolated ones, but any of them involved with hookdll64.dll and hookdll32.dll.

I reported it earlier.