Ask Questions Here - ReHIPS Features & Unexpected Behaviors

[HJLBX]

Is\Are there any fundamental processes on the system that can\will ignore restricted privileges ?

For example,

• lsass
  csrss
  smss
  spoolsvc

These processes can be abused to write code... so some security vendors recommend running them with limited privileges.

?

[fixer]

Only ReHIPS processes are hardcoded, thus rules for them are applied though these processes are absent in ReHIPS database. All other processes obey corresponding rules in database.
lsass, csrss, smss-are usually privileged processes, so no isolated process will have access to them.

[shmu26]

XlbGameSave.Task.exe
this process needs to be allowed to run child processes, or it gets blocked.
see attached screenshot of log

[fixer]

Thanks for your report, fixed.

[shmu26]

C:\WINDOWS\system32\igfxHK.exe
this intel process needs to be allowed to start child processes

[fixer]

Thanks for your report, fixed.

[aDVll]

Is multi language in the plans for the next stable release and if yes what languages are coming?

Also can rehips block code injection and hollow process for isolated processes? Pretty sure it does both because they can't access other processes but just a confirmation so we can have an official answer i can post in the malwaretips topic that people were wondering about.
Btw what about not isolated application. Will it detect the change?

[fixer]

Multi language is supported, but currently only russian and english translations are available.

Isolated process can't inject or create hollow processes for other isolated environments or non-isolated environment.

Btw what about not isolated application. Will it detect the change?

I don't quite follow. What do you mean?

[aDVll]

Multi language is supported, but currently only russian and english translations are available.

Isolated process can't inject or create hollow processes for other isolated environments or non-isolated environment.

Btw what about not isolated application. Will it detect the change?

I don't quite follow. What do you mean?

About translation any plans for other languages or not atm?

If i run an application not isolated does it prevent/notify about code injection and hollow process method to other not isolated applications?

[fixer]

Due to frequent changes in texts, we'd like to settle them down at first so they don't change so often. And then we'll handle other languages, probably with some help from out testers
Non-isolated programs are unrestricted, so they're free to inject in each other.

[aDVll]

Due to frequent changes in texts, we'd like to settle them down at first so they don't change so often. And then we'll handle other languages, probably with some help from out testers
Non-isolated programs are unrestricted, so they're free to inject in each other.

Maybe you can check oneskyapp to setup a translation project. It's pretty easy to use and if you keep the collaborators at 5 only it's free. I doubt at start you will need/have more.
https://www.oneskyapp.com/

[fixer]

Thanks for the hint, sounds interesting, we'll think about it.

[HJLBX]

Someone asked this question and I vaguely remember what was said here on the forum.

When it comes to:

• dll injection
  memory scraping
  reflective memory injection
  code injection
  hollow process

does the HIPS module actually block any of these ?

* * * * *

I was of the understanding that it does not - for example, hollow process, but any malicious activity is limited to the isolated environment in which the hollow process occurs.

Also code injection, dll injection, memory scraping, RMI, etc is blocked by running programs in isolated environments.

In other words, the HIPS itself doesn't detect and block memory attacks in similar fashion to some other HIPS, but it is the built-in Windows mechanisms used by ReHIPS that prevents (isolates) or limits any damage to the isolated environment.

Inter-process attacks are blocked by virtue of their isolation from one another - and this extends to real user profile process run as NT AUTHORITY\SYSTEM.  The exception is when multiple programs are run simultaneously within an isolated environment (non-recommended practice).

Finally, the isolation is two-way; SYSTEM is isolated from isolated environment and isolated environment is isolated from SYSTEM.

[aDVll]

@HJLBX
It blocks access to other processes which don't run inside the isolated environment so in result nothing can affect the processes outside of it. This is my understanding from his above reply.

[HJLBX]

@HJLBX
It blocks access to other processes which don't run inside the isolated environment so in result nothing can affect the processes outside of it. This is my understanding from his above reply.

In that case then, the HIPS module itself does not block anything other than execution... that's the specific question that was asked at MT.