Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM


HJLBX

I just want to confirm this - objects can be elevated to admin privileges inside the Isolated Environment - correct ?

But even if they get elevated, what they can do inside the Isolated Environment is still restricted - correct ?

HJLBX

What is the default folder content of C:\ReHIPS folder ?

Is it dependent upon what programs are detected during program detection\installation of RulesPack ?

Do the sub-folders have the same restrictions as the main C:\ReHIPS folder ?

fixer

I have these rules in RulesPack:
Cyberfox.exe: process - ALLOW_RESTRICTED, parenting - ALLOW.
plugin-container.exe: process - ALLOW_RESTRICTED, parenting - ALLOW.
I don't have any rules for helper.exe as it resides in uninstall folder and seems to be uninstall-related.
plugin-container is only started by Cyberfox, thus it'll inherit all rights and privileges, so it doesn't matter if it's restricted or not. But just for security precautions it's marked as restricted.

I'll check LastPass and come back with more information later.

Quote from: HJLBX on April 14, 2016, 12:36:32 PM
So, if I understand correctly, there is no way to gain access to pictures I have stored in the real user profile from inside the Isolated Environment ?
If you have Copy User Data flag set, it's possible. For example you have C:\Users\HJLBX\Pictures\picture.bmp you wish to open in isolated Paint. You start isolated Paint (don't forget to set Copy User Data flag), File-Open menu, navigate to C:\Users\ReHIPSUserX\Pictures (Paint isolated ReHIPS User) or C:\Users\HJLBX\Pictures (doesn't matter which one as the latter will be redirected to the former), type picture.bmp as File name and click Open. Yes, you might not see this file in the list of files in folder as it hasn't been copied to the isolated environment yet. But when you enter the file name and try to open it, it'll be copied and successfully opened.

Quote from: HJLBX on April 14, 2016, 12:42:13 PM
I just want to confirm this - objects can be elevated to admin privileges inside the Isolated Environment - correct ?
Nope, they can't. They can try to ask you for elevation showing standard UAC dialog and asking for admin username/password. But they can't do it themselves.

Quote from: HJLBX on April 14, 2016, 12:44:45 PM
What is the default folder content of C:\ReHIPS folder ?

Is it dependent upon what programs are detected during program detection\installation of RulesPack ?

Do the sub-folders have the same restrictions as the main C:\ReHIPS folder ?
RulesPack during installation of initial rules creates this folder if any restricted program needs it (in the current version, by release it will always create this folder). For example browsers may need some folder to save downloaded files to, so subfolder Browser is created in ReHIPS folder. Or office programs need some storage for documents to work with, so Office folder is created. The access rights were borrowed from the user profile folders in Windows (will be slightly tightened by release): any user can view and read from immediate ReHIPS folder, but only current real user (the one the rules were installed for) and respective ReHIPS user have access to the subfolders (Browser, Office, etc) and files in them.

HJLBX

Quote from: fixer on April 14, 2016, 01:38:33 PM
I don't have any rules for helper.exe as it resides in uninstall folder and seems to be uninstall-related.

If I use DeployHelper, then Cyberfox.exe will execute helper.exe.

If I create the Isolated Environment manually and tick "Copy User Data", then Cyberfox.exe doesn't execute helper.exe.

fixer

I added initial rules for RulesPack, it expects Cyberfox to be already installed. So it doesn't need helper.exe rule.

HJLBX

Quote from: fixer on April 14, 2016, 01:38:33 PM
If you have Copy User Data flag set, it's possible. For example you have C:\Users\HJLBX\Pictures\picture.bmp you wish to open in isolated Paint. You start isolated Paint (don't forget to set Copy User Data flag), File-Open menu, navigate to C:\Users\ReHIPSUserX\Pictures (Paint isolated ReHIPS User) or C:\Users\HJLBX\Pictures (doesn't matter which one as the latter will be redirected to the former), type picture.bmp as File name and click Open. Yes, you might not see this file in the list of files in folder as it hasn't been copied to the isolated environment yet. But when you enter the file name and try to open it, it'll be copied and successfully opened.

I tried it.  It works.

I didn't know that FileHelper wouldn't populate the list; unexpected behavior.

The user needs to know the file name - so a little inconvenient, but it works.

HJLBX

Quote from: fixer on April 14, 2016, 01:38:33 PM
RulesPack during installation of initial rules creates this folder if any restricted program needs it (in the current version, by release it will always create this folder). For example browsers may need some folder to save downloaded files to, so subfolder Browser is created in ReHIPS folder. Or office programs need some storage for documents to work with, so Office folder is created. The access rights were borrowed from the user profile folders in Windows (will be slightly tightened by release): any user can view and read from immediate ReHIPS folder, but only current real user (the one the rules were installed for) and respective ReHIPS user have access to the subfolders (Browser, Office, etc) and files in them.

Any way to have a complete set of subfolders installed by default ?

That way user doesn't have to create the individual subfolders and figure out access rights and all that sort of rigmarole ?

For example, user installs ReHIPS but doesn't have Office installed at the time.  So ReHIPS will not create an Office subfolder during install.  User installs Office at some point in the future - and they don't know how to create the correct access rights.

HJLBX

Is it really necessary\safe to have C:\ReHIPS with execution rights ?

See attached image.

fixer

Quote from: HJLBX on April 14, 2016, 01:53:56 PM
The user needs to know the file name - so a little inconvenient, but it works.
This was mostly designed for copying program settings, and programs know their file names, so it works. As it's a dangerous feature, it's discouraged to use it to open some files; that's why it's inconvenient. If you want to work with some file in an isolated program, the best solution is to copy it to the appropriate C:\ReHIPS subfolder. The less secure (but still more secure than Copy User Data flag), but more convenient solution is to use double-click to open file, but Open File Access should be set in isolated environment options.

Quote from: HJLBX on April 14, 2016, 01:59:05 PM
That way user doesn't have to create the individual subfolders and figure out access rights and all that sort of rigmarole ?

For example, user installs ReHIPS but doesn't have Office installed at the time.  So ReHIPS will not create an Office subfolder during install.  User installs Office at some point in the future - and they don't know how to create the correct access rights.
ReHIPS monitors the Windows registry for changes in uninstall applications. Thus it detects that some new program was installed (office for example) and updates rules. So there shouldn't be any problems for the user who installs Office later, after ReHIPS.
This list of possible subfolders is as follows: Browser, Mail, Office and PDF.

Quote from: HJLBX on April 14, 2016, 02:00:14 PM
Is it really necessary\safe to have C:\ReHIPS with execution rights ?
Nothing to worry about, ReHIPS will alert about new processes from this folder just the way it alerts about any other new processes, ReHIPS is not affected by this right in any way.
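
The access rights fixer describes for C:\ReHIPS and its subfolders can be checked with a short ACL audit. This is an added example, not part of the original posts and not ReHIPS code; the `ReHIPSUserX` account name is a placeholder, and the SYSTEM/Administrators baseline and the "isolated user must not write to the root" rule are assumptions drawn from the thread's description.

```powershell
# Added example: audit C:\ReHIPS ACLs against the layout described in this thread.
param(
    [string]$Root       = 'C:\ReHIPS',
    [string]$RealUser   = "$env:USERDOMAIN\$env:USERNAME",
    [string]$ReHIPSUser = "$env:COMPUTERNAME\ReHIPSUserX"   # placeholder, set to the real account
)

$subfolders  = 'Browser', 'Mail', 'Office', 'PDF'           # list given in the thread
# Assumption: SYSTEM and Administrators are acceptable everywhere (English account names).
$baseline    = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$rootWriters = $baseline + $RealUser                        # assumption: isolated user must not write to root
$subAllowed  = $baseline + $RealUser + $ReHIPSUser
$rights      = [System.Security.AccessControl.FileSystemRights]
$writeMask   = $rights::WriteData -bor $rights::AppendData -bor $rights::Delete
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$paths  = @($Root) + ($subfolders | ForEach-Object { Join-Path $Root $_ })
$report = foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path -PathType Container)) { continue }  # not created yet
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }  # does not apply to the folder itself
        $id = $ace.IdentityReference.Value
        $findings = @()
        if ($path -eq $Root) {
            if (($ace.FileSystemRights -band $writeMask) -and ($id -notin $rootWriters)) {
                $findings += 'can write to root folder'
            }
        } elseif ($id -notin $subAllowed) {
            $findings += 'unexpected identity on subfolder'
        }
        # On a directory this bit means traverse; inherited by files it means execute.
        if ($ace.FileSystemRights -band $rights::ExecuteFile) { $findings += 'execute/traverse' }
        [pscustomobject]@{
            Path     = $path
            Identity = $id
            Rights   = $ace.FileSystemRights
            Findings = $findings -join '; '
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Rows whose Findings column shows anything other than `execute/traverse` are the ones that differ from the layout described above.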

aDVll

Quote from: fixer on April 14, 2016, 03:53:02 PM
Quote from: HJLBX on April 14, 2016, 01:53:56 PM
The user needs to know the file name - so a little inconvenient, but it works.
This was mostly designed for copying program settings, and programs know their file names, so it works. As it's a dangerous feature, it's discouraged to use it to open some files; that's why it's inconvenient. If you want to work with some file in an isolated program, the best solution is to copy it to the appropriate C:\ReHIPS subfolder. The less secure (but still more secure than Copy User Data flag), but more convenient solution is to use double-click to open file, but Open File Access should be set in isolated environment options.

Quote from: HJLBX on April 14, 2016, 01:59:05 PM
That way user doesn't have to create the individual subfolders and figure out access rights and all that sort of rigmarole ?

For example, user installs ReHIPS but doesn't have Office installed at the time.  So ReHIPS will not create an Office subfolder during install.  User installs Office at some point in the future - and they don't know how to create the correct access rights.
ReHIPS monitors the Windows registry for changes in uninstall applications. Thus it detects that some new program was installed (office for example) and updates rules. So there shouldn't be any problems for the user who installs Office later, after ReHIPS.
This list of possible subfolders is as follows: Browser, Mail, Office and PDF.

Quote from: HJLBX on April 14, 2016, 02:00:14 PM
Is it really necessary\safe to have C:\ReHIPS with execution rights ?
Nothing to worry about, ReHIPS will alert about new processes from this folder just the way it alerts about any other new processes, ReHIPS is not affected by this right in any way.
Does it create the folder, for example Office, if I install Office after installing ReHIPS, or is folder creation only when ReHIPS is installed?
Also I saw you have rules for Adobe Reader but not for Adobe Acrobat, which I use (so PDF folder was not created). Might want to add those if you have the time.

fixer

It creates ReHIPS subfolders every time initial rules are installed. By default they are installed when ReHIPS is installed. But they are also installed when Windows registry changes are detected in uninstall programs or by user request from the main ReHIPS GUI window.
Added notes about initial rules for Adobe Acrobat to our TODO list.

HJLBX

When I try to save a file to C:\ReHIPS, it returns message "You do not have access rights to save to this location.  Contact your Administrator."

It is only possible to save files to ReHIPSUser profile ?

If I understand correctly, then the workaround is user must download inside ReHIPSUser, close Isolated Environment and then copy to C:\ReHIPS ?

HJLBX

Is there any way to optimize the alerts so that multiple alerts do not appear all at one time ?

This commonly occurs during program installations.

It has never caused a problem in my experience, but some users complain about HIPS that permit a flurry of alerts to appear all at once.

I suppose it causes confusion and\or the user might worry that it will cause errors, problems, failed installs, etc - if they respond to the alerts out-of-sequence with the actual run sequence (asynchronous response to alerts).

aDVll

Quote from: HJLBX on April 15, 2016, 12:23:12 AM
When I try to save a file to C:\ReHIPS, it returns message "You do not have access rights to save to this location.  Contact your Administrator."

It is only possible to save files to ReHIPSUser profile ?

If I understand correctly, then the workaround is user must download inside ReHIPSUser, close Isolated Environment and then copy to C:\ReHIPS ?
You need to save to C:\ReHIPS\Browser or PDF, Office, etc. You can't save in the main folder. Assuming you are talking about a browser, if you go in ReHIPS settings for that browser you can see it has permission for C:\ReHIPS\Browser and subfolders only.

HJLBX

Quote from: aDVll on April 15, 2016, 10:49:32 AM
Quote from: HJLBX on April 15, 2016, 12:23:12 AM
When I try to save a file to C:\ReHIPS, it returns message "You do not have access rights to save to this location.  Contact your Administrator."

It is only possible to save files to ReHIPSUser profile ?

If I understand correctly, then the workaround is user must download inside ReHIPSUser, close Isolated Environment and then copy to C:\ReHIPS ?
You need to save to C:\ReHIPS\Browser or PDF, Office, etc. You can't save in the main folder. Assuming you are talking about a browser, if you go in ReHIPS settings for that browser you can see it has permission for C:\ReHIPS\Browser and subfolders only.

ReHIPS installed C:\ReHIPS for Internet Explorer.

I manually added C:\ReHIPS for Cyberfox isolated environment.  Access denied.