Author Topic: Ask Questions Here - ReHIPS Features & Unexpected Behaviors  (Read 172957 times)

Ozone

  • Jr. Member
  • Posts: 80
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #555 on: June 18, 2017, 12:16:57 am »
Is it possible to add the number of matches when searching files, similar to browsers (2 of 4, 1 of 1, ...)?

fixer

  • Administrator
  • Hero Member
  • Posts: 1395
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #556 on: June 18, 2017, 01:57:15 am »
Do you mean search in Programs tree?

Ozone

  • Jr. Member
  • Posts: 80
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #557 on: June 18, 2017, 10:58:14 am »
Do you mean search in Programs tree?

yes

crasher

  • ReHIPS team
  • Jr. Member
  • Posts: 97
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #558 on: June 18, 2017, 04:15:55 pm »
Is it possible to add the number of matches when searching files, similar to browsers (2 of 4, 1 of 1, ...)?

Thanks for your suggestion. We'll add this in one of the following releases.

Ozone

  • Jr. Member
  • Posts: 80
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #559 on: July 06, 2017, 01:10:51 pm »
Is it possible to add an option to create temporary rules for apps with existing rules (so I don't have to revert to/change existing rules), or an option to create several rule sets (profiles) for apps, with an option to choose which one would be active?

Also, I've noticed that you can't change settings duration; would you add an option to change them?

fixer

  • Administrator
  • Hero Member
  • Posts: 1395
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #560 on: July 10, 2017, 08:53:43 pm »
It's possible to have several RDB-files for RulesManager. But it isn't currently possible to have multiple rules for the same program in ReHIPS itself. As a workaround you can allow it and create a shortcut to execute it in isolation. It's also possible to set Ask in execution options, and you'll get an Alert each time the program is executed; you can set Only Once not to save your choice in the database, so it asks every time.

I don't think multiple rules for the same program is a good idea: you have to prioritize them somehow, and it may lead to undesired effects, like you set it to block and think it's OK, but there is an allow rule with higher priority.
Adding profiles is possible. But I'm not sure if it's worth the effort. You see, we already have 3 levels in the programs tree, and a 4th will be added soon. Adding a 5th profile level may be overkill, as I don't see an often-used use case which would be covered by this change.

Settings duration - do you mean for Working Mode? Like set Learning Mode for 30 mins?

shmu26

  • Active Testers
  • Sr. Member
  • Posts: 438
  • Win10 x64 latest stable
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #561 on: July 13, 2017, 11:24:44 pm »
C:\WINDOWS\system32\igfxTray.exe
This process comes from Intel integrated graphics.
It needs permission to execute programs, so the user can open the Intel graphics control panel from the system tray icon.

fixer

  • Administrator
  • Hero Member
  • Posts: 1395
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #562 on: July 14, 2017, 12:24:26 am »
Thanks for your report, but that one is already set. I guess you updated from some older version, so existing rules weren't overwritten; that's why you have the old value.
« Last Edit: July 14, 2017, 12:33:36 am by fixer »

shmu26

  • Active Testers
  • Sr. Member
  • Posts: 438
  • Win10 x64 latest stable
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #563 on: July 14, 2017, 08:21:06 am »
That's funny -- I reinstalled Windows and then installed ReHIPS from the release version, 2.2.0.0.

fixer

  • Administrator
  • Hero Member
  • Posts: 1395
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #564 on: July 14, 2017, 01:14:53 pm »
Yeah, release ReHIPS 2.2.0 allows C:\Windows\system32\igfxTray.exe to execute processes. So I guess either the rules are from some older version or something was manually changed.

aDVll

  • Active Testers
  • Hero Member
  • Posts: 1119
  • Windows 10 latest 64 bit
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #565 on: July 15, 2017, 10:44:44 am »
@fixer

I assume that if NotPetya runs isolated it doesn't have access to other processes to do the access level elevation it requires. Am I correct?

https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/

https://www.youtube.com/watch?v=hZKLEw-Our4

HJLBX

  • Active Testers
  • Sr. Member
  • Posts: 495
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #566 on: July 15, 2017, 11:08:02 am »
@fixer

I assume that if NotPetya runs isolated it doesn't have access to other processes to do the access level elevation it requires. Am I correct?

https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/

https://www.youtube.com/watch?v=hZKLEw-Our4

NotPetya\PetWrap uses a trusted computing base bypass of UAC with cross-over to the Admin account. If run in a SUA, it will simply encrypt files, but if the user signs out of the SUA and signs into the Admin account, then rundll32 runs with the elevated privileges needed to execute the malicious dll\PsExec and encrypt the MBR.
« Last Edit: July 15, 2017, 11:10:08 am by HJLBX »

fixer

  • Administrator
  • Hero Member
  • Posts: 1395
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #567 on: July 15, 2017, 01:20:47 pm »
We haven't checked Petya and the second one (NotPetya, Netya, whatever it's called) ourselves yet.
But according to the research articles, I don't think it'll bypass ReHIPS.
If it's executed directly in isolation, it may encrypt just the files it has write access to, which by default is basically the isolated user profile folder, which is completely harmless.
If it spreads as a result of an exploit, this case is more dangerous, as the exploit itself is quite interesting and remotely subverts a privileged Windows process. But it spawns several processes like rundll32 or other interpreters that should be flagged by ReHIPS and alerted about.

HJLBX

  • Active Testers
  • Sr. Member
  • Posts: 495
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #568 on: July 15, 2017, 09:22:10 pm »

If it spreads as a result of exploit, this case is more dangerous as exploit itself is quite interesting and remotely subverts a privileged Windows process.

It is a trusted computing base bypass of UAC and therefore is able to attain "run as operating system."

If you watch the video (unless I am missing something), you will see that launching the malware in the SUA crosses over to the Admin account: the video author signs out of the SUA and then logs back into the Admin account, where rundll32, launched in the SUA, runs the malicious dll with elevated privileges and encrypts the MBR.

The ability to cross over from the SUA to the Admin account surprised me. However, I've read some discussions of trusted computing base vulnerabilities being used to accomplish unexpected things on Windows.

Just a FYI on the NotPetya samples...

There are samples on hybrid-analysis.com. Some are listed\labeled as .exe, but are actually .dll (check the file description notes). I tested "PetWrap.exe", but it is actually PetWrap.dll and is launched using the argument rundll32 c:\<directory>\PetWrap.dll#1 1. There are better .exe samples for testing.

I did not test it in the ReHIPS isolated environment, so apologies, fixer, that I have nothing helpful with regards to ReHIPS that I can report here.
« Last Edit: July 15, 2017, 09:38:35 pm by HJLBX »
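As an added example (not code from ReHIPS, the forum posters, or the linked analyses): fixer notes above that the rundll32 spawn is what a HIPS would alert on, and HJLBX describes the PetWrap sample being launched through rundll32 with its export given as #1. The Python below parses rundll32 command lines into DLL path, entry point and arguments, then flags the combination the thread describes: an export called by ordinal, a DLL loaded from outside trusted locations, or a module without a .dll extension. The trusted-directory list, the flagging heuristics and the process records are assumptions constructed for the example; the separator handling (a comma or a space between DLL and entry) follows how rundll32 is commonly documented and is not taken from the thread.

```python
"""Added example: parse rundll32 command lines and flag the launch pattern
discussed in the thread. Not ReHIPS code; all inputs below are constructed."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: only these locations count as trusted homes for a DLL.
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Syntax handled: rundll32[.exe] <dll>[,| ]<entry> [args]
# The DLL may be quoted; the entry is an export name or #<ordinal>.
_RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'  # program token
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))'                      # DLL, quoted or bare
    r'\s*(?:,\s*|\s+)(?P<entry>[^\s,]+)'                             # separator + entry
    r'(?:\s+(?P<args>.*?))?\s*$',                                    # optional arguments
    re.IGNORECASE,
)


@dataclass
class RunDllInvocation:
    dll: str
    entry: str              # export name or "#<ordinal>"
    args: str
    ordinal: Optional[int]  # set when the export is referenced by ordinal


def parse_rundll32(cmdline: str) -> Optional[RunDllInvocation]:
    """Return the parsed invocation, or None if this is not a rundll32 command line."""
    m = _RUNDLL_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("qdll") or m.group("dll")
    entry = m.group("entry")
    ordinal = int(entry[1:]) if entry.startswith("#") and entry[1:].isdigit() else None
    return RunDllInvocation(dll=dll, entry=entry, args=m.group("args") or "", ordinal=ordinal)


def suspicious_reasons(inv: RunDllInvocation) -> List[str]:
    """Heuristics (assumptions for this example) that make a rundll32 launch alert-worthy."""
    reasons = []
    low = inv.dll.lower()
    if inv.ordinal is not None:
        reasons.append(f"export called by ordinal #{inv.ordinal} instead of by name")
    # Relative names resolve through the loader search order, so only judge absolute paths.
    if ntpath.isabs(low) and not low.startswith(TRUSTED_DIR_PREFIXES):
        reasons.append(f"DLL loaded from outside trusted directories: {inv.dll}")
    if ntpath.splitext(low)[1] != ".dll":
        reasons.append(f"module does not carry a .dll extension: {ntpath.basename(inv.dll)}")
    return reasons


def analyze_rundll32(cmdline: str) -> Tuple[Optional[RunDllInvocation], List[str]]:
    inv = parse_rundll32(cmdline)
    if inv is None:
        return None, []
    return inv, suspicious_reasons(inv)


# Constructed process-creation records (user + command line), not real logs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "HOST\\alice",
     "cmdline": 'rundll32 "C:\\Users\\alice\\AppData\\Local\\Temp\\PetWrap.dll",#1 1'},
    {"user": "HOST\\alice",
     "cmdline": "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"user": "HOST\\alice",
     "cmdline": '"C:\\Windows\\System32\\rundll32.exe" C:\\ProgramData\\update.dat,#1'},
    {"user": "HOST\\alice",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the heuristics over process records and return one alert per flagged launch."""
    alerts = []
    for ev in events:
        inv, reasons = analyze_rundll32(ev["cmdline"])
        if inv is not None and reasons:
            alerts.append({"user": ev["user"], "dll": inv.dll, "entry": inv.entry,
                           "args": inv.args, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert['user']}: rundll32 {alert['dll']},{alert['entry']} {alert['args']}")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

The benign Control Panel launch (shell32.dll, a named export, trusted path) produces no alert, while the two constructed launches from a temp folder and from ProgramData are flagged on several counts each. In practice such a check would sit on process-creation telemetry and would be combined with parent-process and user context rather than used on its own.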

fixer

  • Administrator
  • Hero Member
  • Posts: 1395
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #569 on: July 16, 2017, 05:04:18 pm »
UAC bypasses are possible, as UAC was never designed to be a security boundary; it's more like a simple and usable feature for admin-account users. So a UAC bypass is possible, but it looks like it's not a LUA account (an admin account stripped to user by UAC), but a real SUA account (a simple non-admin user account). In this case my guess is it either brute-forced the admin password somehow or exploited the PC locally to gain additional privileges, as this EternalBlue exploit targets a privileged Windows process. So I don't think any magic or super-secret bypass is used.

Anyway, ReHIPS should alert about these new processes, thus preventing it.