Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM


perisanboy

#645
Let's say I'm surfing the web inside the ReHIPS sandbox and suddenly my browser downloads a keylogger (just saying), or I installed an extension which has an inbuilt keylogger!
Question 1: If I have an AV and my AV can detect that malware, will ReHIPS let the AV work with the sandbox? I mean, does ReHIPS let your AV monitor the isolated desktop or not?
Question 2: What if I downloaded a keylogger and it went to the ReHIPS user folder? Can you let us wipe the ReHIPS user folder every time we finish our work?
Question 3: What kind of access do the C: ReHIPS user folders have? I mean, can something infect or inject or ... your Windows from that folder? Or that folder can't access the real system?
:)

perisanboy

#646
Hey, :)
Since I installed Win 10, every time I logged in to Windows I was facing an ugly black screen.
I did everything to fix it, read about 20 forums and also did some tweaks in the registry, but the problem didn't get fixed.
Tonight I was thinking maybe this issue is about one of my programs, so I decided to remove them one by one, but the problem didn't get fixed. :-\

30 min ago I just uninstalled ReHIPS and restarted the PC and the black screen went away :)
I told myself maybe this is an accident, so I installed ReHIPS again and after that restarted the PC, and again the black screen of death :-X
So I uninstalled it again and everything goes well.
My solution for this black screen was restarting the explorer via the taskbar.
Because explorer.exe was not in the process list, I had to run it manually, which was painful, but when I uninstalled ReHIPS I could see that Windows can start without any problem.
How can I fix it? Omfg
Windows 10 Pro/ 1703 Build 15063.483
Also, I have the latest updates, even drivers updated, everything up to date :-[

aDVll

Quote from: perisanboy on September 06, 2017, 04:48:59 AM
Hey, :)
Since I installed Win 10, every time I logged in to Windows I was facing an ugly black screen.
I did everything to fix it, read about 20 forums and also did some tweaks in the registry, but the problem didn't get fixed.
Tonight I was thinking maybe this issue is about one of my programs, so I decided to remove them one by one, but the problem didn't get fixed. :-\

30 min ago I just uninstalled ReHIPS and restarted the PC and the black screen went away :)
I told myself maybe this is an accident, so I installed ReHIPS again and after that restarted the PC, and again the black screen of death :-X
So I uninstalled it again and everything goes well.
My solution for this black screen was restarting the explorer via the taskbar.
Because explorer.exe was not in the process list, I had to run it manually, which was painful, but when I uninstalled ReHIPS I could see that Windows can start without any problem.
How can I fix it? Omfg
Windows 10 Pro/ 1703 Build 15063.483
Also, I have the latest updates, even drivers updated, everything up to date :-[

Do you have any blocks? Attach your logs and mention what other security software you might use.

fixer

Quote from: perisanboy on September 05, 2017, 10:20:22 PM
Let's say I'm surfing the web inside the ReHIPS sandbox and suddenly my browser downloads a keylogger (just saying), or I installed an extension which has an inbuilt keylogger!
Question 1: If I have an AV and my AV can detect that malware, will ReHIPS let the AV work with the sandbox? I mean, does ReHIPS let your AV monitor the isolated desktop or not?
Question 2: What if I downloaded a keylogger and it went to the ReHIPS user folder? Can you let us wipe the ReHIPS user folder every time we finish our work?
Question 3: What kind of access do the C: ReHIPS user folders have? I mean, can something infect or inject or ... your Windows from that folder? Or that folder can't access the real system?
:)

1. ReHIPS doesn't block non-isolated processes from accessing isolated folders or processes. So it's completely up to AV, I think it shouldn't have any problems.
2. We have this feature in our TODO list.
3. You can take a look at our blogpost series (link to the first blogpost https://forum.rehips.com/index.php?topic=9544.0 ). It explains what file system access isolated processes have. Another blogpost is coming about processes access and memory injections. But in two words: nope, isolated processes can't harm non-isolated processes or Windows system processes.

perisanboy


Quote from: aDVll
Do you have any blocks? Attach your logs and mention what other security software you might use.

I didn't have a Windows process in the block list. Also, I have Eset Internet Security, but this problem existed even the first time I installed Win 10 without Eset.
I removed Windows that time because of this ugly black screen, though it's a Windows problem.
Again, 4 days ago I installed Win 10 and again got the black screen. I was telling myself maybe I'm unlucky or maybe my graphics card is bad, but when I removed ReHIPS the black screen was gone, like wtf :P

Umbra

Does anyone have any issues with Chrome extensions crashing in IE?

aDVll

Quote from: Umbra on September 07, 2017, 01:04:47 PM
Does anyone have any issues with Chrome extensions crashing in IE?

Only Chrome extensions or you can't even load a website? It used to be EAM injecting into Chrome and you having different appcontainer settings in isolated Chrome and normal Chrome. Though I am testing appcontainer with EAM atm and it works fine. Maybe something else you use injects appcontainer and breaks it? Try disabling it because I think you enabled it a few days ago?

Umbra


Ozone

In the past I used to use "Run as different user" with different user locale (date/time formats) to run some old programs which require different date/time formats.
So my question is: is it possible to change the user locale for IE, similarly to changing variables for TEMP folders?

Also, for some reason ReHIPS won't create default rules for MS Office 2016 (365); I have to download Rules Manager and edit the rules.
IIRC I have to replace "Office1?\EXCEL.EXE" with "Office16\EXCEL.EXE". Only this edit and ReHIPS will detect other programs (Word, PowerPoint, ...) automatically.

I am using a RAMdisk and I've allowed a program to access some folder on it, but each time I reboot that permission is "lost". It is in the rules but it doesn't work; I have to recreate it again (delete old and create new).

perisanboy

#654
This is the third time I've installed Windows this week.
But this time I didn't install ReHIPS to see what would happen, and there is no black screen.
I guess the problems come when I have Eset and ReHIPS together.
The last time, when I installed Windows and after that ReHIPS, everything was good, but when I installed Eset the system got worse.
Eset alone works well and I think ReHIPS alone will work well too... but I'm not sure and can't try it.
Also, that time I updated the drivers with IObit Driver Booster and I think this animal made these problems, but this time I didn't install it and didn't update the drivers. Maybe all of these issues were about IObit?
I'm scared to install ReHIPS again because if the black screen comes it will get me into trouble.
I mean, even if I remove ReHIPS after that, I have explorer crashes and Windows gets worse and slow.
Is there any tool that lets you install something and restore the system after 2 restarts? Not just one restart? Because first I need to install ReHIPS and after that restart to see what will happen.

perisanboy

@aDVll I guess you are right and this is about other security software, and in my case it's Eset.
I should try to disable Eset and install ReHIPS to see what will happen :P

aDVll

Quote from: perisanboy on September 10, 2017, 08:29:56 AM
@aDVll I guess you are right and this is about other security software, and in my case it's Eset.
I should try to disable Eset and install ReHIPS to see what will happen :P

Try whitelisting the ReHIPS agent and service in the Eset GUI.

perisanboy

Quote from: aDVll on September 10, 2017, 08:51:48 AM
Quote from: perisanboy on September 10, 2017, 08:29:56 AM
@aDVll I guess you are right and this is about other security software, and in my case it's Eset.
I should try to disable Eset and install ReHIPS to see what will happen :P
Try whitelisting the ReHIPS agent and service in the Eset GUI.

I did, but it didn't work... they don't work with each other.
Can you fix this problem, Fixer? I mean, what if someone wants to use ReHIPS with Eset? Idk about other AVs, but you can try yourself.
Personally, I like to have an AV on my PC. I mean, I want cloud and some fancy features of AVs like the firewall.
I have only one way to use ReHIPS and that's installing a virtual OS on my machine, and I think it will be a good idea :/

fixer

Quote from: Ozone on September 09, 2017, 05:29:26 PM
In the past I used to use "Run as different user" with different user locale (date/time formats) to run some old programs which require different date/time formats.
So my question is: is it possible to change the user locale for IE, similarly to changing variables for TEMP folders?

It's possible to change environment variables; it's described here: https://forum.rehips.com/index.php?topic=2032.msg16131#msg16131. I think locale settings are also stored in the ReHIPS user registry hive and can be changed in a similar way. The only problem is to find their registry location. Google says it's Control Panel\International and Control Panel\International\Geo, but I didn't check them.

Quote from: Ozone on September 09, 2017, 05:29:26 PM
IIRC I have to replace "Office1?\EXCEL.EXE" with "Office16\EXCEL.EXE". Only this edit and ReHIPS will detect other programs (Word, PowerPoint, ...) automatically.

Are you sure this was the only change and it solved the issue? This is supposed to be a wildcard, and wildcards were tested. That'd be weird if wildcards are the issue.

Quote from: Ozone on September 09, 2017, 05:29:26 PM
I am using a RAMdisk and I've allowed a program to access some folder on it, but each time I reboot that permission is "lost". It is in the rules but it doesn't work; I have to recreate it again (delete old and create new).

Changing file system or registry permissions may take some time, especially on slow HDDs; that's why they're set only on new items, and old permissions aren't reset. It's supposed that already set permissions are set and written in stone. But it seems that RAMdisk doesn't save them across reboots. Added this issue to our TODO list.

@perisanboy
If ReHIPS is uninstalled, no way it can interfere with the OS, it's uninstalled completely without any traces left. So if the problem persists after ReHIPS is uninstalled, 99.999% it's not about ReHIPS.
Anyway like I wrote in PM, don't worry we'll look into this issue and we'll definitely solve it if we manage to reproduce it.

Ozone

Quote from: fixer on September 10, 2017, 02:33:11 PM
It's possible to change environment variables; it's described here: https://forum.rehips.com/index.php?topic=2032.msg16131#msg16131. I think locale settings are also stored in the ReHIPS user registry hive and can be changed in a similar way. The only problem is to find their registry location. Google says it's Control Panel\International and Control Panel\International\Geo, but I didn't check them.

I can't try it now, but I will test it when I get more time.

Quote from: fixer on September 10, 2017, 02:33:11 PM
Are you sure this was the only change and it solved the issue? This is supposed to be a wildcard, and wildcards were tested. That'd be weird if wildcards are the issue.

I don't know why, but ReHIPS detects Office 2007 normally.
Btw, this is the path for 2007: "C:\Program Files (x86)\Microsoft Office\Office12", and for 2016 (365): "C:\Program Files (x86)\Microsoft Office\root\Office16"