Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM


shmu26

Standard User account quirks:
1. If I install ReHIPS, and later I change one of the admin users to standard, sooner or later I start to get service link errors that are unsolvable even by uninstall/reinstall. I have to uninstall/reinstall + delete rules.

2. A few days ago, I installed LibreOffice in a standard user account, and it did not get isolation rules. Today I installed it in an admin account, and it got isolation rules.

fixer

1. A service link error may mean that you need Administrator rights to connect to the Service, so you have to start the GUI as Administrator or add this user to the trusted users list in ReHIPS settings. This error message was changed to more obvious text in the upcoming 2.3.0 build.

2. It didn't get isolation rules or it didn't get any rules at all?

shmu26


fixer

You mean you have 2 users: Admin and non-Admin. Rules were installed for both users, but for the first user LibreOffice rules were isolating and for the second user just allowed it to execute without isolation?

shmu26

I installed LibreOffice from the standard user. I forgot to check what happened to the admin user.

fixer

Thanks for your report. Added this issue to our TODO list, we'll take a look at it.

shmu26

Quote from: fixer on August 26, 2017, 10:49:01 PM
add this user to trusted users list in ReHIPS settings.
I tried that. I also tried, on a different occasion, turning the standard user back into an admin user. But the error messages kept coming.

perisanboy

Hey,
Sometimes when I allow a file to run (permanent rule) and then exit the application, the next time I want to run that tool again ReHIPS asks me and wants me to allow or block it.

Example: this happened 2 times for Securemybit.
Has anyone had this issue?

aDVll

Quote from: perisanboy on September 04, 2017, 09:48:49 PM
Hey,
Sometimes when I allow a file to run (permanent rule) and then exit the application, the next time I want to run that tool again ReHIPS asks me and wants me to allow or block it.

Example: this happened 2 times for Securemybit.
Has anyone had this issue?
Either the application spawns a new process each time with a different hash or you didn't allow with the permanent option but instead used the allow once option.

perisanboy

Quote from: aDVll on September 04, 2017, 10:01:40 PM
Quote from: perisanboy on September 04, 2017, 09:48:49 PM
Hey,
Sometimes when I allow a file to run (permanent rule) and then exit the application, the next time I want to run that tool again ReHIPS asks me and wants me to allow or block it.

Example: this happened 2 times for Securemybit.
Has anyone had this issue?
Either the application spawns a new process each time with a different hash or you didn't allow with the permanent option but instead used the allow once option.
Thanks for the answer, but I'm sure it was the permanent rule.
I don't know about the hash... maybe that's why.

perisanboy

I just found out ReHIPS has only one weakness and that's hook attacks? Honestly, I don't know what it is :) :P
But can you please tell us how to secure our machine from these attacks? Someone told me not to set hooks, but how?


HJLBX

Quote from: perisanboy on September 05, 2017, 12:29:30 AM
I just found out ReHIPS has only one weakness and that's hook attacks? Honestly, I don't know what it is :) :P
But can you please tell us how to secure our machine from these attacks? Someone told me not to set hooks, but how?

https://msdn.microsoft.com/en-us/library/windows/desktop/ms632589(v=vs.85).aspx


  • Windows itself uses hooks
  • 3rd-party programs use hooks
  • Hooking can be done in both kernel and user mode
  • ReHIPS uses no hooks except probably for some specific GUI\limited monitoring stuff (ask fixer)
  • The hooks settings you find in ReHIPS are to enable\disable Windows hooks

1.  Operating System vulnerabilities (serious ones are very rare - the incidence is perhaps once every 10 years or more)
2.  Windows Hooks (advanced attack with probably the same incidence as No. 1)

If you can avoid it, don't set more hooks via ReHIPS GUI Settings\Configuration than what is already enabled by default; if you do not need default enabled hook(s), then disable them.

aDVll

Quote from: perisanboy on September 05, 2017, 12:29:30 AM
I just found out ReHIPS has only one weakness and that's hook attacks? Honestly, I don't know what it is :) :P
But can you please tell us how to secure our machine from these attacks? Someone told me not to set hooks, but how?
They probably meant having hook control on and the isolated program running on the real desktop. If you use the default setting with hook control and different desktop then nothing to worry about.

perisanboy

Quote from: HJLBX on September 05, 2017, 08:57:02 AM
Quote from: perisanboy on September 05, 2017, 12:29:30 AM
I just found out ReHIPS has only one weakness and that's hook attacks? Honestly, I don't know what it is :) :P
But can you please tell us how to secure our machine from these attacks? Someone told me not to set hooks, but how?

https://msdn.microsoft.com/en-us/library/windows/desktop/ms632589(v=vs.85).aspx


  • Windows itself uses hooks
  • 3rd-party programs use hooks
  • Hooking can be done in both kernel and user mode
  • ReHIPS uses no hooks except probably for some specific GUI\limited monitoring stuff (ask fixer)
  • The hooks settings you find in ReHIPS are to enable\disable Windows hooks

1.  Operating System vulnerabilities (serious ones are very rare - the incidence is perhaps once every 10 years or more)
2.  Windows Hooks (advanced attack with probably the same incidence as No. 1)

If you can avoid it, don't set more hooks via ReHIPS GUI Settings\Configuration than what is already enabled by default; if you do not need default enabled hook(s), then disable them.
Hello,
thanks for the answer.
I know it's rare because another guy told me the same, but I just wanted to know if there is a fix or patch for it :D
Sorry, but where is that enabled hook? Do you mean lockdown mode?


perisanboy

Quote
If you use the default setting with hook control and different desktop then nothing to worry about.
I see, thanks for the info.