Author Topic: Ask Questions Here - ReHIPS Features & Unexpected Behaviors  (Read 199994 times)

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1478
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #735 on: September 29, 2019, 05:36:00 pm »
Anyway, the "ReHIPS FAQ" section of the forum is very informative! Why do you guys hide such interesting documentation inside a forum?  :( Why not ship it along with the software?
This part is constantly changing. Sometimes we add something new and write about it as we get questions about a new topic. Or some side topic is poorly covered in one of our previous blogposts and we expand it. Besides, something may be true for older versions and in a new version it gets improved. To avoid duplication and to keep it always up-to-date, we recommend checking the forum instead of including it in the setup.

winuser

  • Jr. Member
  • **
  • Posts: 4
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #736 on: October 01, 2019, 08:31:31 pm »
In case the following issues are already discussed/solved, please (if possible) point me in the right direction/topic.

1. There's a compatibility issue with VirtualBox, maybe due to VirtualBox's security precautions during its startup. ReHIPS uses DLL injection WITHOUT exceptions/whitelist in place (an option like "processes excluded from injection"). I think this is a case of the Cobra Effect. Let's assume a user is unable to run VirtualBox because of this seemingly unnecessary feature (DLL injection), so he/she stops the ReHIPS Service (and maybe Driver), leaving the host system vulnerable. PLEASE at least provide users an option, perhaps something called "Enable Compatibility Mode", stopping user-mode hooks and injections for a certain amount of time, or even better than that, an option to exclude certain files permanently.

2. Alt+F4 kills the main GUI process. It should be minimized to tray, right? The same thing happens if you close the GUI from the taskbar (just hover, then press the tiny close button). Weird!

3. Under [setting >> log] there is a sub-program-blocked option that can not be unchecked permanently. I don't mean to be rude, but why do you provide an option that can not be disabled? This is very annoying and it makes users feel like you're ..... well, like I said, I don't mean to be rude  :)
Edit:
4. One more thing, please add a passive mode for testing purposes, in which ReHIPS does not block anything and only logs/notifies the user about events. This ensures system stability and is a safe way to test new rules too. "Disabled Mode" sure logs/notifies already but is not designed for testing.
« Last Edit: October 01, 2019, 10:22:28 pm by winuser »

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1478
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #737 on: October 02, 2019, 07:29:17 pm »
Thank you for your feedback, it's really helpful. Let's see.

1. Could you please tell us more about it? What exactly goes wrong with VirtualBox? And what VirtualBox, Windows and ReHIPS versions do you use?

2. I agree, it should do the same as clicking the small X in the top right corner, will be fixed in the next release.

3. What do you mean it can't be unchecked? It's checked by default, I go and uncheck it, close settings, open again, not checked. Try to start a blocked subprogram, no pop-ups. Am I missing something?

4. ReHIPS Working Modes are described in this blogpost: https://forum.rehips.com/index.php?topic=9539.0 Could you please describe Passive Mode, how you see it and how it should behave, like the other Modes are described in the blogpost?

winuser

  • Jr. Member
  • **
  • Posts: 4
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #738 on: October 03, 2019, 12:08:00 am »
Thanks for the reply, Sir.
1. I have a notebook with Windows 7 x86 (fully patched), VirtualBox v5.2.32 and ReHIPS v2.4. I ran VirtualBox and waited for about 5 minutes; nothing happened on the screen (it normally takes a few seconds for its GUI to load), so I had to kill its process in Task Manager. The protection was already disabled, so the first thing I tried was stopping both ReHIPSService and ReHIPSSrvc, and the problem was gone. I was not happy with that solution, so I started those services again and this time I blocked DLL injection (I did that with another security software). The issue is kind of solved now, but may I ask you something: is this injection necessary? (It seems to me it is not.) Could you please consider adding a whitelist option, as mentioned in my previous post?

2. Glad to hear that. Thanks.

3. Please disable the sub-program-blocked box, then restart the system. Obviously the same thing happens after killing ReHIPS's GUI, service and driver, then starting them all again. You'll see that the box can not be disabled permanently in the 32-bit version. Not sure about 64-bit.

4. Suppose I have a rule to block/isolate notepad.exe. What I mean by Passive Mode is:
I run notepad >> ReHIPS blocks/isolates nothing >> notepad runs as usual >> ReHIPS logs/notifies me that notepad is blocked/isolated
In other words, if I have Standard Mode enabled, then:
Passive Mode = Disabled Mode + Standard Mode logs and notifications
This would be great for those who want to check their rules before enabling Lockdown Mode.

PS: I was a Faronics Anti-Executable user; ReHIPS beats it performance-wise, and it's free too, at least for now  :) Good job, guys!
« Last Edit: October 03, 2019, 12:22:54 am by winuser »

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1478
Re: Ask Questions Here - ReHIPS Features & Unexpected Behaviors
« Reply #739 on: October 03, 2019, 08:31:42 pm »
1. It's not about some protection. It hangs somewhere in the Windows kernel. Not sure why. Probably ReHIPS triggers some race condition, as the code deals with timers and ReHIPS doesn't affect them in any way. Will try to find a workaround.

3. Ooops, I guess you're right. Will be fixed in the next release.

4. Aha, I see what you mean. We'll definitely give it a thought, thanks for your suggestion. BTW, Lockdown Mode is mostly meant for fixed and closed environments like ATMs. I wouldn't recommend enabling it on a production PC with possibly changing environment unless you know what you're doing.

BTW, here is a blogpost about ReHIPS performance, since you noticed it :) https://forum.rehips.com/index.php?topic=11868.0