Author Topic: Ask Questions Here - ReHIPS Features & Unexpected Behaviors  (Read 172970 times)

HJLBX

  • Active Testers
  • Sr. Member
  • *****
  • Posts: 495
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #285 on: September 06, 2016, 01:35:07 am »
Is/Are there any fundamental processes on the system that can/will ignore restricted privileges?

For example,

  • lsass
  • csrss
  • smss
  • spoolsvc

These processes can be abused to write code... so some security vendors recommend running them with limited privileges.

?

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1395
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #286 on: September 06, 2016, 07:36:38 pm »
Only ReHIPS processes are hardcoded; thus rules for them are applied even though these processes are absent from the ReHIPS database. All other processes obey the corresponding rules in the database.
lsass, csrss, smss are usually privileged processes, so no isolated process will have access to them.

shmu26

  • Active Testers
  • Sr. Member
  • *****
  • Posts: 438
  • Win10 x64 latest stable
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #287 on: September 07, 2016, 05:46:48 pm »
XlbGameSave.Task.exe
This process needs to be allowed to run child processes, or it gets blocked.
See attached screenshot of the log.
« Last Edit: September 07, 2016, 05:49:14 pm by shmu26 »

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1395
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #288 on: September 08, 2016, 03:51:38 pm »
Thanks for your report, fixed.

shmu26

  • Active Testers
  • Sr. Member
  • *****
  • Posts: 438
  • Win10 x64 latest stable
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #289 on: September 15, 2016, 04:59:13 pm »
C:\WINDOWS\system32\igfxHK.exe
This Intel process needs to be allowed to start child processes.

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1395
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #290 on: September 18, 2016, 01:59:07 pm »
Thanks for your report, fixed.
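The two reports above (XlbGameSave.Task.exe and igfxHK.exe) are cases where a process has to be allowed to spawn children. Before granting such a rule it is worth seeing what children the process actually starts. The script below is an added example, not ReHIPS code or a ReHIPS feature: it takes a snapshot of running processes through CIM and lists the children of a named parent. The PID-reuse guard (a child must have been created after its parent) is a standard caveat, since ParentProcessId is just a number that a later process may inherit.

```powershell
# Added example (not part of ReHIPS): list the live children of a named parent
# process so an "allow child processes" rule can be made on evidence.
# Assumes Windows PowerShell 3+ or PowerShell 7 on Windows (Get-CimInstance).

function Get-ChildProcessTree {
    param(
        [Parameter(Mandatory)][string]$ParentName   # e.g. 'igfxHK.exe'
    )
    # One snapshot so parent and child rows come from the same moment.
    $all     = Get-CimInstance -ClassName Win32_Process
    $parents = $all | Where-Object { $_.Name -ieq $ParentName }

    foreach ($p in $parents) {
        $all |
            Where-Object {
                $_.ParentProcessId -eq $p.ProcessId -and
                # PID-reuse guard: a real child cannot predate its parent.
                $_.CreationDate -ge $p.CreationDate
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Parent      = $p.Name
                    ParentPID   = $p.ProcessId
                    Child       = $_.Name
                    ChildPID    = $_.ProcessId
                    Started     = $_.CreationDate
                    CommandLine = $_.CommandLine
                }
            }
    }
}

# Usage: the two parents reported in this thread.
Get-ChildProcessTree -ParentName 'igfxHK.exe'          | Format-Table -AutoSize
Get-ChildProcessTree -ParentName 'XlbGameSave.Task.exe' | Format-Table -AutoSize
```

Because this is a snapshot, short-lived children that have already exited will not appear; run it a few times, or while the parent is busy, before deciding the rule. An empty result for a parent that is running means no child was alive at that instant, not that it never spawns one.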

aDVll

  • Active Testers
  • Hero Member
  • *****
  • Posts: 1119
  • Windows 10 latest 64 bit
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #291 on: September 20, 2016, 12:07:16 pm »
Is multi-language support in the plans for the next stable release, and if yes, what languages are coming?

Also, can ReHIPS block code injection and hollow process for isolated processes? Pretty sure it does both because they can't access other processes, but just a confirmation so we can have an official answer I can post in the MalwareTips topic that people were wondering about.
Btw, what about a non-isolated application? Will it detect the change?
« Last Edit: September 20, 2016, 12:32:37 pm by aDVll »

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1395
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #292 on: September 20, 2016, 05:37:59 pm »
Multi-language is supported, but currently only Russian and English translations are available.

An isolated process can't inject into or create hollow processes in other isolated environments or the non-isolated environment.

> Btw, what about a non-isolated application? Will it detect the change?
I don't quite follow. What do you mean?

aDVll

  • Active Testers
  • Hero Member
  • *****
  • Posts: 1119
  • Windows 10 latest 64 bit
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #293 on: September 20, 2016, 06:38:23 pm »
> Multi-language is supported, but currently only Russian and English translations are available.
>
> An isolated process can't inject into or create hollow processes in other isolated environments or the non-isolated environment.
>
> > Btw, what about a non-isolated application? Will it detect the change?
> I don't quite follow. What do you mean?
About translation: any plans for other languages, or not at the moment?

If I run an application not isolated, does it prevent/notify about code injection and the hollow process method to other non-isolated applications?
« Last Edit: September 20, 2016, 07:17:36 pm by aDVll »

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1395
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #294 on: September 20, 2016, 08:20:16 pm »
Due to frequent changes in texts, we'd like to settle them down at first so they don't change so often. And then we'll handle other languages, probably with some help from our testers ;)
Non-isolated programs are unrestricted, so they're free to inject into each other.

aDVll

  • Active Testers
  • Hero Member
  • *****
  • Posts: 1119
  • Windows 10 latest 64 bit
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #295 on: September 20, 2016, 08:25:40 pm »
> Due to frequent changes in texts, we'd like to settle them down at first so they don't change so often. And then we'll handle other languages, probably with some help from our testers ;)
> Non-isolated programs are unrestricted, so they're free to inject into each other.
Maybe you can check oneskyapp to set up a translation project. It's pretty easy to use, and if you keep the collaborators at 5 only, it's free. I doubt at the start you will need/have more.
https://www.oneskyapp.com/

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1395
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #296 on: September 21, 2016, 01:12:57 am »
Thanks for the hint, sounds interesting, we'll think about it.

HJLBX

  • Active Testers
  • Sr. Member
  • *****
  • Posts: 495
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #297 on: September 21, 2016, 05:23:56 am »
Someone asked this question and I vaguely remember what was said here on the forum.

When it comes to:

  • dll injection
  • memory scraping
  • reflective memory injection
  • code injection
  • hollow process

does the HIPS module actually block any of these?

* * * * *

I was of the understanding that it does not - for example, hollow process - but any malicious activity is limited to the isolated environment in which the hollow process occurs.

Also, code injection, dll injection, memory scraping, RMI, etc. are blocked by running programs in isolated environments.

In other words, the HIPS itself doesn't detect and block memory attacks in a similar fashion to some other HIPS, but it is the built-in Windows mechanisms used by ReHIPS that prevent (isolate) or limit any damage to the isolated environment.

Inter-process attacks are blocked by virtue of their isolation from one another - and this extends to real user profile processes run as NT AUTHORITY\SYSTEM. The exception is when multiple programs are run simultaneously within an isolated environment (non-recommended practice).

Finally, the isolation is two-way: SYSTEM is isolated from the isolated environment, and the isolated environment is isolated from SYSTEM.
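Both fixer's earlier answer (privileged processes such as lsass, csrss and smss are out of reach of an isolated process, and isolated processes cannot inject into other environments) and the post above rest on the same underlying fact: injection needs an injection-capable process handle, and Windows either grants that handle to the calling token or refuses it. The script below is an added example, not ReHIPS code, and it makes no claim about how ReHIPS constructs its isolated environments. It only asks the OS for the rights a classic DLL/code injector needs on each target process and reports the answer. Run it once from a normal or elevated session and once from the restricted context you care about (a non-admin account, a low-integrity process) and compare the Injectable column; the SYSTEM processes from the first post (spoolsv.exe is the Print Spooler binary) should come back ERROR_ACCESS_DENIED from a non-admin token. The access-right constants are the documented Win32 values.

```powershell
# Added example (not ReHIPS code): probe which processes the CURRENT token can
# open with the access rights DLL/code injection needs. A refused handle is
# exactly the "no access to other processes" condition discussed in the thread.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Rights a classic injector needs (documented Win32 PROCESS_* values).
$PROCESS_CREATE_THREAD     = 0x0002
$PROCESS_VM_OPERATION      = 0x0008
$PROCESS_VM_WRITE          = 0x0020
$PROCESS_QUERY_INFORMATION = 0x0400
$InjectRights = $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor
                $PROCESS_VM_WRITE -bor $PROCESS_QUERY_INFORMATION

function Test-InjectAccess {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [uint32]$Rights = $InjectRights
    )
    $h = [Win32.Native]::OpenProcess($Rights, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        # SetLastError=true makes .NET cache the Win32 error for this call.
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{ PID = $ProcessId; Injectable = $false; Win32Error = $err }
    }
    [void][Win32.Native]::CloseHandle($h)
    [pscustomobject]@{ PID = $ProcessId; Injectable = $true; Win32Error = 0 }
}

# Targets: the names from the first post, plus explorer for a user-level contrast.
$targets = 'lsass', 'csrss', 'smss', 'spoolsv', 'explorer'
Get-Process -Name $targets -ErrorAction SilentlyContinue | ForEach-Object {
    $r = Test-InjectAccess -ProcessId $_.Id
    [pscustomobject]@{
        Name       = $_.ProcessName
        PID        = $_.Id
        Injectable = $r.Injectable
        Error      = switch ($r.Win32Error) {
                         0       { '' }
                         5       { 'ERROR_ACCESS_DENIED (5)' }
                         default { "Win32 error $($r.Win32Error)" }
                     }
    }
} | Format-Table -AutoSize
```

Two caveats when reading the output. First, the probe measures what the token running the script can do, so it must be launched from inside the restricted context to say anything about that context; a result from an elevated admin shell only tells you what an unrestricted process can reach, which is exactly the "non-isolated programs are free to inject into each other" case fixer describes. Second, a denial here is the OS access check, not a detection: nothing is logged or blocked by a HIPS rule, which matches the point of the post above that the prevention comes from built-in Windows mechanisms rather than from memory-attack detection.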

aDVll

  • Active Testers
  • Hero Member
  • *****
  • Posts: 1119
  • Windows 10 latest 64 bit
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #298 on: September 21, 2016, 02:58:50 pm »
@HJLBX
It blocks access to other processes which don't run inside the isolated environment, so as a result nothing can affect the processes outside of it. This is my understanding from his reply above.

HJLBX

  • Active Testers
  • Sr. Member
  • *****
  • Posts: 495
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #299 on: September 22, 2016, 03:33:27 am »
> @HJLBX
> It blocks access to other processes which don't run inside the isolated environment, so as a result nothing can affect the processes outside of it. This is my understanding from his reply above.

In that case, then, the HIPS module itself does not block anything other than execution... that's the specific question that was asked at MT.