Author Topic: Ask Questions Here - ReHIPS Features & Unexpected Behaviors  (Read 173002 times)

aDVll

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #300 on: September 22, 2016, 10:20:47 am »
@HJLBX
It blocks access to other processes which don't run inside the isolated environment so in result nothing can affect the processes outside of it. This is my understanding from his above reply.

In that case then, the HIPS module itself does not block anything other than execution... that's the specific question that was asked at MT.
I think ReHIPS only monitors execution and change of hash file of the whitelisted/blocked files. All the other protections are a result of running program isolated as another user without access to the rest of the system. Let's wait for Fixer though to confirm because I might be totally wrong.

fixer

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #301 on: September 23, 2016, 12:59:33 pm »
ReHIPS itself monitors mostly process execution and some related stuff (like hashes of files being executed, parent-child relation, process command line). Additional monitoring includes file system and registry access to block some locations. When programs are executed in isolation, most of security is handled by certified Windows security subsystem.
So processes inside one isolated environment are free to do as they please, inject in other processes running in the same isolated environment, etc. But only inside this isolated environment. Processes in other isolated environments or non-isolated processes, including system processes are safe.

HJLBX

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #302 on: September 24, 2016, 03:01:45 am »
> ReHIPS itself monitors mostly process execution and some related stuff (like hashes of files being executed, parent-child relation, process command line). Additional monitoring includes file system and registry access to block some locations. When programs are executed in isolation, most of security is handled by certified Windows security subsystem.
> So processes inside one isolated environment are free to do as they please, inject in other processes running in the same isolated environment, etc. But only inside this isolated environment. Processes in other isolated environments or non-isolated processes, including system processes are safe.

This is exactly how I understood it.

Umbra

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #303 on: September 24, 2016, 06:41:20 am »
It was expected; ReHIPS is a sandbox + HIPS not a HIPS with sandbox ^^

HJLBX

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #304 on: September 25, 2016, 08:20:05 pm »
Have you been able to figure out a way to:

1.  auto-delete ReHIPSUser profile upon closing all programs run isolated in ReHIPS
2.  auto-generate the clean, base-line ReHIPSUser profile after Step 1 above

?

fixer

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #305 on: September 25, 2016, 09:06:29 pm »
You can manually remove isolated environment and then reinstall the rules. It requires the desired program to be in rules database, but it shouldn't be a problem with RulesManager.
And we've got in our TODO list checkbox to do it automatically to recreate isolated environment upon isolated program termination.

HJLBX

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #306 on: September 26, 2016, 12:35:36 am »
> You can manually remove isolated environment and then reinstall the rules. It requires the desired program to be in rules database, but it shouldn't be a problem with RulesManager.
> And we've got in our TODO list checkbox to do it automatically to recreate isolated environment upon isolated program termination.

I was wondering if the ReHIPSUser profile could be re-created with any prior user tweaks fully intact.  Technically, I don't know if that is possible and potentially a stumbling block.  That's why I asked.

At least at a basic level, it appears to me that it is possible - if there is an isolated environment "configuration" file - something along the lines of a configuration *.ini or *.xml file - associated with the isolated environment and not deleted when ReHIPSUser is deleted.

Umbra

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #307 on: September 26, 2016, 07:02:13 am »
> > You can manually remove isolated environment and then reinstall the rules. It requires the desired program to be in rules database, but it shouldn't be a problem with RulesManager.
> > And we've got in our TODO list checkbox to do it automatically to recreate isolated environment upon isolated program termination.
>
> I was wondering if the ReHIPSUser profile could be re-created with any prior user tweaks fully intact.  Technically, I don't know if that is possible and potentially a stumbling block.  That's why I asked.
>
> At least at a basic level, it appears to me that it is possible - if there is an isolated environment "configuration" file - something along the lines of a configuration *.ini or *.xml file - associated with the isolated environment and not deleted when ReHIPSUser is deleted.

In fact the automatic deletion of the IE's content (aka IE reset) is important; there should be an option/checkbox that allows the IE to be recreated "as new" without user intervention. Without it, it is quite risky in terms of privacy/security.

I know that rules can be reinstalled; why not an option that saves and re-installs the IE? Maybe it is technically difficult, I don't know, I'm not a developer ^^
« Last Edit: September 26, 2016, 07:05:45 am by umbrapolaris »

aDVll

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #308 on: September 26, 2016, 10:02:15 am »
> > You can manually remove isolated environment and then reinstall the rules. It requires the desired program to be in rules database, but it shouldn't be a problem with RulesManager.
> > And we've got in our TODO list checkbox to do it automatically to recreate isolated environment upon isolated program termination.
>
> I was wondering if the ReHIPSUser profile could be re-created with any prior user tweaks fully intact.  Technically, I don't know if that is possible and potentially a stumbling block.  That's why I asked.
>
> At least at a basic level, it appears to me that it is possible - if there is an isolated environment "configuration" file - something along the lines of a configuration *.ini or *.xml file - associated with the isolated environment and not deleted when ReHIPSUser is deleted.

If you use the application without isolation for a while until it's fixed as you like it, then when you isolate it and ReHIPS copies everything, it will be perfect on every isolated environment creation. Minus things that can't be copied, like browser cookies, Outlook emails and in general anything associated with the user account.

fixer

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #309 on: September 26, 2016, 01:55:43 pm »
Isolated environment recreation is basically deletion and reinstallation from rules. Why completely delete? It may be compromised in any way, so it may be dangerous to keep some objects from old isolated environment. Why reinstallation from rules? Firstly, because these rules can be user-tweaked to suit any needs. And secondly, there are so called Special Objects (folders and registry keys) in RulesManager. They're processed when rules are being installed. But ReHIPS database doesn't have any information about these folders. So isolated environment recreation involves rules database.
It will be implemented as a checkbox in program settings. When all instances of the program with this option set are terminated, isolated environment will be recreated.

Umbra

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #310 on: September 27, 2016, 06:46:01 am »
> It will be implemented as a checkbox in program settings. When all instances of the program with this option set are terminated, isolated environment will be recreated.

Exactly what I want!  ;)

HJLBX

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #311 on: September 27, 2016, 09:23:31 am »
> Isolated environment recreation is basically deletion and reinstallation from rules. Why completely delete? It may be compromised in any way, so it may be dangerous to keep some objects from old isolated environment. Why reinstallation from rules? Firstly, because these rules can be user-tweaked to suit any needs. And secondly, there are so called Special Objects (folders and registry keys) in RulesManager. They're processed when rules are being installed. But ReHIPS database doesn't have any information about these folders. So isolated environment recreation involves rules database.
> It will be implemented as a checkbox in program settings. When all instances of the program with this option set are terminated, isolated environment will be recreated.

OK, I get it.

Raheel99

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #312 on: September 27, 2016, 04:57:43 pm »
After installation I got "Failed to open service link". I am using Comodo Firewall with a custom rule and Network was disabled. After getting this message, I temporarily disabled the firewall, after which ReHIPS started from the desktop icon without any problem.
For rechecking I quit ReHIPS, enabled the firewall and got the same message again.



fixer

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #313 on: September 27, 2016, 05:03:36 pm »
ReHIPS uses sockets to communicate with its service. Socket is open for local connections only. But it looks like for some reason Comodo blocks it.

Raheel99

Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #314 on: September 27, 2016, 06:07:21 pm »
> ReHIPS uses sockets to communicate with its service. Socket is open for local connections only. But looks like for some reason comodo blocks it.

That is the reason that HIPServices32.exe and HIPGui32.exe are showing TCP ESTABLISHED connections to 127.0.0.1.
« Last Edit: September 27, 2016, 06:08:54 pm by Raheel99 »
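
Added example, not part of any post above and not ReHIPS code: one way to check from `netstat -ano` output that a service socket is open for local connections only, and to list the 127.0.0.1 ESTABLISHED pairs of the kind described in replies #313 and #314. The sample text, ports and PIDs are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -ano`; ports and PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    127.0.0.1:49201        0.0.0.0:0              LISTENING       2140
  TCP    127.0.0.1:49201        127.0.0.1:50112        ESTABLISHED     2140
  TCP    127.0.0.1:50112        127.0.0.1:49201        ESTABLISHED     3316
  TCP    192.168.1.20:50200     203.0.113.7:443        ESTABLISHED     4012
  TCP    [::]:445               [::]:0                 LISTENING       4
"""

def split_endpoint(text):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)

def parse(text):
    """Return one dict per TCP row; header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            rows.append({"local": split_endpoint(f[1]), "remote": split_endpoint(f[2]),
                         "state": f[3], "pid": int(f[4])})
    return rows

def listener_exposure(rows):
    """Classify each listening socket by the address it is bound to."""
    out = {}
    for r in rows:
        if r["state"] == "LISTENING":
            ip, port = r["local"]
            kind = ("loopback-only" if ip.is_loopback else
                    "all-interfaces" if ip.is_unspecified else "single-interface")
            out[(str(ip), port)] = kind
    return out

def local_ipc_pairs(rows):
    """Loopback connections to a loopback listener: (client_pid, server_pid, port)."""
    servers = {r["local"][1]: r["pid"] for r in rows
               if r["state"] == "LISTENING" and r["local"][0].is_loopback}
    pairs = []
    for r in rows:
        (lip, _), (rip, rport) = r["local"], r["remote"]
        if (r["state"] == "ESTABLISHED" and lip.is_loopback and rip.is_loopback
                and rport in servers):
            pairs.append((r["pid"], servers[rport], rport))
    return pairs
```

A listener classified as `loopback-only` cannot be reached from another host, but its traffic still passes through the local network stack, where a host firewall can filter it.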