Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM

Previous topic - Next topic

schelkunov

QuoteNo.  I didn't change anything on system.  No installs\uninstalls - just delete USER & SYSTEM - then sit back and observe.
What about Windows updates?

HJLBX

Quote from: schelkunov on April 19, 2016, 10:57:31 AM
QuoteNo.  I didn't change anything on system.  No installs\uninstalls - just delete USER & SYSTEM - then sit back and observe.
What about Windows updates?

No.  No Windows update.

* * * * *

We have three possibilities:

User installation
Windows update
App store query\update

* * * * *

Not concerned about it really - just getting to know how ReHIPS behaves.

Experimenting & observing.

fixer

Try to look at ReHIPS log, when RulesPack32/64.exe was started, it'll give you time, when rules were installed. And maybe some other processes around it will hint at what happened. Currently it installs rules: on ReHIPS install if user chose so, on user demand, on new user login, on changes in Uninstall registry key.

fixer

Quote from: HJLBX on April 14, 2016, 12:23:20 PM
Cyberfox 45.0.3
LastPass 3.3.1 (for Firefox)

Once again same issue.

If I use DeployHelper, then LastPass extension will never get loaded.

If I create the Isolated Environment manually, and tick "Copy User Data," then it gets loaded.
I looked into this issue. When you use DeployHelper, it creates a separate ReHIPSUser-oriented installation. So in order for it to use LastPass extension, you should install it into that instance of Cyberfox.
But ReHIPS release should already have initial rules for Cyberfox, so it should load all existing extensions.

HJLBX

In ReHIPS alerts, "Block" = block & terminate correct ?

fixer


HJLBX

I have been testing ReHIPS Trusted Command Lines by setting all system processes to Ask.

Everything appears to be working as expected.

Wildcard support working fine.

* * * * *

It will take 3 or 4 days of further testing.  If I find anything I will report it.

HJLBX

How do you plan on handling critical Windows processes ?

Will you remove them from the GUI and hard code them - or leave them exposed with an additional guard against modification ?

* * * * *

Before you finalize the list of critical Windows processes can you let us beta testers take a look ?

SpyShelter made some mistakes in their hard coded allowed processes of which I am aware.  Other beta testers might detect potential problems as well.

HJLBX

Is it accurate to refer to ReHIPS' Isolated Environment as an access restriction enhanced limited user container ?

The reason I am asking is that some have asked me and, instead of a lengthy explanation, I am trying to use fairly clear terminology.

HJLBX

If I limit a program to open only in an isolated environment for USER, should I create the same rule also for SYSTEM ?

Wouldn't this be best practice for tighter security - or with the ReHIPS container it doesn't need to be done ?

HJLBX

I am noticing some SYSTEM System32 and SysWOW64 rules are reverting to their default settings after I have modified\customized the rules.

Is this a feature ?

aDVll

Quote from: HJLBX on April 21, 2016, 09:28:56 AM
If I limit a program to open only in an isolated environment for USER, should I create the same rule also for SYSTEM ?

Wouldn't this be best practice for tighter security - or with the ReHIPS container it doesn't need to be done ?
From my gui you can't run any system rules to run isolated. You can?

HJLBX

Quote from: aDVll on April 21, 2016, 09:50:42 AM
Quote from: HJLBX on April 21, 2016, 09:28:56 AM
If I limit a program to open only in an isolated environment for USER, should I create the same rule also for SYSTEM ?

Wouldn't this be best practice for tighter security - or with the ReHIPS container it doesn't need to be done ?
From my gui you can't run any system rules to run isolated. You can?

You are correct.  No option available to do so for programs assigned to SYSTEM.

aDVll

Anw i am also interested on what is the point of the system rules. I tried to find in the help file but failed unfortunately.

fixer

Quote from: HJLBX on April 21, 2016, 12:58:29 AM
How do you plan on handling critical Windows processes ?
Will you remove them from the GUI and hard code them - or leave them exposed with an additional guard against modification ?
* * * * *
Before you finalize the list of critical Windows processes can you let us beta testers take a look ?
We don't want to block anything completely from the user like we know it better than everyone else. So processes will definitely be exposed, maybe in Expert Mode only, maybe with some extra warnings on modification. It won't be included in the upcoming release, but it's in our TODO list. So when it's ready, active beta-testers will get the first look.

Quote from: HJLBX on April 21, 2016, 01:02:17 AM
Is it accurate to refer to ReHIPS' Isolated Environment as an access restriction enhanced limited user container ?
Yes, I think so.

Quote from: HJLBX on April 21, 2016, 09:28:56 AM
If I limit a program to open only in an isolated environment for USER, should I create the same rule also for SYSTEM ?
Wouldn't this be best practice for tighter security - or with the ReHIPS container it doesn't need to be done ?
SYSTEM user is for the most priveleged programs only, like core Windows components and privileged services. Besides by default these programs are non-interactive. So it's unlikely that some graphical user-oriented program will ever be executed from SYSTEM user. Thus no rules are usually required for it. But even if it will be executed, standard ReHIPS alert will be shown, so you won't miss it. Also keep in mind that SYSTEM user has more strict security, it isn't allowed to isolate as only trusted programs should be executed, thus any initial rules that are allowed with isolation for other real users are block-rules for SYSTEM user.

Quote from: HJLBX on April 21, 2016, 09:46:42 AM
I am noticing some SYSTEM System32 and SysWOW64 rules are reverting to their default settings after I have modified\customized the rules.
If you deleted some rules, they may be reinstalled, when RulesPack is executed (either on user request to Install Rules, or some program was installed/uninstalled, or some new user is logged-in). But if you have some rules in the database, RulesPack won't affect them in any way. And also modification of one rule doesn't affect any other rules, they're completely independent. So if it doesn't behave as intended, create a separate topic with detailed description and we'll look into this issue.

Quote from: aDVll on April 21, 2016, 09:58:08 AM
Anw i am also interested on what is the point of the system rules. I tried to find in the help file but failed unfortunately.
ReHIPS is designed to support different real users with different set of rules in case computer is used by different persons. SYSTEM user is a privileged built-in Windows user for privileged processes. So it's treated as a separate entity in terms of users with its own set of rules.