Any Reported Conflicts with Other Security Softs?

Started by HJLBX, April 02, 2016, 10:56:10 PM


HJLBX

Combining ReHIPS with other security softs that will block items inside ReHIPSUser is problematic.

For example, Webroot will auto-block items executed in ReHIPSUser without generating an alert.  Also, if there is any alert while inside the Isolated Environment, then the user will not see the alert.

I only discovered some blocked items in ReHIPSUser after doing some routine inspection of Webroot rules.

* * * * *

This is an issue to which there is no easy solution.  That's all there is to it.  ReHIPS actually has nothing to do with it.  Each user will have to sort it out for themselves - depending upon what they combo ReHIPS with.

Actually, it should be a general recommendation that any security soft that auto-blocks or has HIPS functionality is NOT recommended to combine with ReHIPS.  If the user disregards this recommendation, then it is on the user to manage any problems.

ReCrypt can't accommodate every single use situation.

Umbra

Quote from: HJLBX on April 14, 2016, 03:47:36 AM
* * * * *

After entering\exiting Shadow Mode a few times (5X), ReHIPS reverted to unregistered version.

Prompt to activate ReHIPS appeared.


I had a similar issue with Rollback RX (I made a thread for it).

fixer

HJLBX
Looks like it's a similar issue to the one umbrapolaris reported. Does it show the same HWID, but ReHIPS unregisters?

HJLBX

Quote from: fixer on April 14, 2016, 12:32:55 PM
HJLBX
Looks like it's a similar issue to the one umbrapolaris reported. Does it show the same HWID, but ReHIPS unregisters?

Different HWID.

You can see in the attached image in the initial report that the HWID begins with 8....

My actual HWID begins with 5....

fixer

If your HWID changed, it's not exactly a bug, it's a feature :) HWID is bound to the hardware components, the HDD to be more exact. If it detects changes in HWID, it thinks it was moved to some other PC and asks for a new key. I guess Shadow Defender somehow affects the HDD information so ReHIPS doesn't recognize it as the same HDD. I'll look at it later, maybe I'll think of something.
BTW, added mountvol.exe to RulesPack, thanks for report.

aDVll

Tested 2 antikeyloggers.
Works great with Zemana antikeylogger free.
Fails to work with KeyScrambler. It protects the keys so nothing I type appears. I don't understand how and why, but probably because ReHIPS launches the browser.

fixer

Checked Shadow Defender. Looks like it installs its own filtering drivers on disk partitions. And it doesn't support the SCSI_INQUIRY command on those filtered partitions, returning STATUS_ACCESS_DENIED, which leads to a change of HWID, which leads to the unregistered state. So it's partially a Shadow Defender issue and partially a ReHIPS feature.
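The failure mode described in the post above (a hardware ID derived from the disk changes as soon as the INQUIRY is refused) as an added Python illustration; this is not ReHIPS code, and the component names, probe values and the matching rule are assumptions made for the example. It contrasts a naive ID that folds a failed probe into the hash with a per-component check that treats "could not read" differently from "read a different value".

```python
import hashlib

# Constructed sample probe results (invented for illustration). A disk
# probe is modelled as the fields a SCSI INQUIRY would return; None models
# the refused probe (STATUS_ACCESS_DENIED from a filter driver) described
# in the post, i.e. the component could not be read at all.
AT_REGISTRATION = {
    "disk": {"vendor": "ACME", "product": "SSD-1", "serial": "S1234"},
    "cpu": {"brand": "Example CPU 3000"},
    "board": {"serial": "MB-0001"},
}
INQUIRY_DENIED = dict(AT_REGISTRATION, disk=None)              # same PC, probe refused
DISK_REPLACED = dict(AT_REGISTRATION,                           # genuinely different disk
                     disk={"vendor": "ACME", "product": "SSD-1", "serial": "S9999"})


def _h(obj) -> str:
    """Short, stable digest of a probe result (illustrative, not a real HWID)."""
    return hashlib.sha256(repr(obj).encode()).hexdigest()[:16]


def naive_hwid(probes: dict) -> str:
    """Fold every probe result, failures included, into one hash.
    A refused INQUIRY then yields a different ID than a successful one,
    which is exactly the 'unregistered after Shadow Mode' symptom."""
    return _h([(name, probes[name]) for name in sorted(probes)])


def component_hashes(probes: dict) -> dict:
    """Hash each component separately and drop the ones that failed,
    so 'could not read' is kept distinct from 'read something different'."""
    return {name: _h(data) for name, data in probes.items() if data is not None}


def same_machine(stored: dict, current: dict, min_matches: int = 2) -> bool:
    """Accept when no component that answered contradicts the stored record
    and enough components still agree; components that did not answer abstain.
    The threshold is an assumption for the example, not a product setting."""
    answered = [name for name in current if name in stored]
    mismatches = [name for name in answered if stored[name] != current[name]]
    matches = [name for name in answered if stored[name] == current[name]]
    return not mismatches and len(matches) >= min_matches


if __name__ == "__main__":
    stored = component_hashes(AT_REGISTRATION)
    print("naive ID stable when probe refused:",
          naive_hwid(AT_REGISTRATION) == naive_hwid(INQUIRY_DENIED))   # False
    print("per-component check, probe refused:",
          same_machine(stored, component_hashes(INQUIRY_DENIED)))       # True
    print("per-component check, disk replaced:",
          same_machine(stored, component_hashes(DISK_REPLACED)))        # False
```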

Umbra

Yes, because Shadow Defender protects the MBR from changes while in Shadow Mode.

fixer

Actually, as Shadow Defender doesn't restrict driver loading in any way, it won't be able to protect anything from kernel-mode threats. SCSI_INQUIRY is a standard read-only command and poses no threat; besides, it's issued by a driver, so I don't know why they did it. Most likely they just didn't implement all the possible codes (some of which are usually not used).

fixer

Quote from: aDVll on April 14, 2016, 08:16:14 PM
Fails to work with KeyScrambler. It protects the keys so nothing I type appears. I don't understand how and why, but probably because ReHIPS launches the browser.
As I couldn't reproduce it, could you describe it with more details? What browser were you using? Was it on a separate desktop or not? If it was, separate desktops are most likely not supported by this antikeylogger, try it on the main desktop.

aDVll

Quote from: fixer on April 19, 2016, 04:47:28 PM
Quote from: aDVll on April 14, 2016, 08:16:14 PM
Fails to work with KeyScrambler. It protects the keys so nothing I type appears. I don't understand how and why, but probably because ReHIPS launches the browser.
As I couldn't reproduce it, could you describe it with more details? What browser were you using? Was it on a separate desktop or not? If it was, separate desktops are most likely not supported by this antikeylogger, try it on the main desktop.
Wait, I will test again with the latest Chrome and Firefox and tell you exactly what I did.

OK, Firefox works fine but Chrome does not. While running Chrome isolated (with the default rules you guys make), any key pressed doesn't appear because KeyScrambler protects the keys. If you disable ReHIPS and launch Chrome normally, then KeyScrambler works great.
As you can see in this gif, KeyScrambler is showing that I am in an unprotected application and the keys I pressed get protected (the KeyScrambler icon shows the letters changed).
Chrome has the AppContainer and Win32k Lockdown flags on.

http://i.imgur.com/wSWrNbo.gifv

fixer

Try to enable the DESKTOP_HOOKCONTROL access right, KeyScrambler seems to need it, or use a separate desktop; KeyScrambler doesn't work with them, thus doesn't block any printing. This is the solution if you want to keep KeyScrambler. Or you can discard it, as ReHIPS also protects you from keyloggers.

aDVll

Quote from: fixer on April 20, 2016, 08:46:39 PM
Try to enable the DESKTOP_HOOKCONTROL access right, KeyScrambler seems to need it, or use a separate desktop; KeyScrambler doesn't work with them, thus doesn't block any printing. This is the solution if you want to keep KeyScrambler. Or you can discard it, as ReHIPS also protects you from keyloggers.
Nah, I don't need to use it. I was just testing applications I already had for possible issues so I can report them.

HJLBX

Another version of HitmanPro.Alert was recently released.

Any program run inside the Isolated Environment will still trigger a ROP alert and that program will be terminated by HMP.A.

ROP mitigation must be disabled for any program run inside Isolated Environment.

* * * * *

HookDll64.dll causes the ROP false positive.  Erik Loman from SOPHOS\SurfRight will help if asked.

* * * * *

HMP.A protective border\keystroke encryption will not display for any program run inside the Isolated Environment.

Umbra

Not only isolated ones, but any of them involved with hookdll64.dll and hookdll32.dll.

I reported it earlier.