Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM


HJLBX

Do not tick "Filter Loopback Traffic" under COMODO firewall settings or create custom rules for HIPServices32 and HIPGui32 as required; see image.

Raheel99

#316
Thanks HJLBX. I have un-ticked loopback traffic and added a permanent rule, and it's working fine.

Can we add and protect any specific registry key globally? During running malware, I allowed it once in the isolated environment, from where we can add a registry key for RW. But the malware is injecting a DLL module into running processes like explorer, services, svchost etc., and this malicious module checks and adds a startup entry in the AppInit_DLLs registry key.

Allowing once also results in DLL file creation in the c:\program files, user\tmp and windows\tmp folders, and the log shows "failed to start isolated program"......

Is it possible to globally restrict the creation of executable files (dll, sys, drv, ocx etc.) by a process?

Raheel99

I was expecting that after allowing the malware once, further alerts would pop up, like injecting a DLL, DLL file creation etc., but unfortunately the malicious DLL attached to DesktopTool32.exe, as you can see in the attached image. How about adding some tamper protection?

aDVll

By the dev a few posts above:
Quote
ReHIPS itself monitors mostly process execution and some related stuff (like hashes of files being executed, parent-child relation, process command line). Additional monitoring includes file system and registry access to block some locations. When programs are executed in isolation, most of the security is handled by the certified Windows security subsystem.
So processes inside one isolated environment are free to do as they please, inject into other processes running in the same isolated environment, etc. But only inside this isolated environment. Processes in other isolated environments or non-isolated processes, including system processes, are safe.

So ReHIPS doesn't monitor injection within the isolated environment, nor file creation except in the default locations you can see in the ReHIPS GUI. When an isolated environment is infected, just delete and recreate it. The registry and anything created within that environment will be gone. In the release version you will be able to delete and recreate it on program shutdown automatically.
About globally restricting file creation of executables, it's not possible, but if they try to execute you will get an alert. Per isolated environment you can restrict locations which programs running within a specific environment can't access.
You can also make permanent rules about all of this that will take place on rule install (rule manager that will be released), so in result you run a program you wish isolated or not, and restrict and allow access to the locations you want.

About DLL injecting in DesktopTool32, I don't have the knowledge to comment so I will leave it to Fixer, but protection is offered by the Service, so in my simple mind it will not affect anything; plus, when you delete the isolated environment the DLL will be gone.

Raheel99

#319
Thanks aDVll for the detailed explanation. Best practice should be to never ever allow an unknown process. I have read somewhere that a process is actually a container with at least one thread or many threads. The malware which I am testing is actually creating a thread once the DLL is loaded in memory through the Windows registry InitDLL key. One rootkit detection tool shows the message "2 threads have been injected into it. Do you want to kill them or not?". Click yes to kill those threads and we can further investigate the infection.

aDVll

Quote from: Raheel99 on September 28, 2016, 06:30:01 PM
Thanks aDVll for the detailed explanation. Best practice should be to never ever allow an unknown process. I have read somewhere that a process is actually a container with at least one thread or many threads. The malware which I am testing is actually creating a thread once the DLL is loaded in memory through the Windows registry InitDLL key. One rootkit detection tool shows the message "2 threads have been injected into it. Do you want to kill them or not?". Click yes to kill those threads and we can further investigate the infection.
In practice, if you don't know if a file is safe or you think it can be exploited, run it isolated. Worst case scenario, the file is infected and you delete the isolated environment. Sure, it might drop some stuff in common locations where blocking access would break things in many cases, but you can restrict that even further if you know how the program you downloaded operates, or you delete them later.
I assume you didn't run it isolated though, because you said it dropped something in Program Files and also injected other processes not running in the isolated environment.

Raheel99

You are right, I didn't run the program isolated. Testing ReHIPS about showing some more alerts, but it is still much better than Comodo HIPS. I am testing it inside VirtualBox using Shadow Defender.


aDVll

Quote from: Raheel99 on September 28, 2016, 07:32:55 PM
You are right, I didn't run the program isolated. Testing ReHIPS about showing some more alerts, but it is still much better than Comodo HIPS. I am testing it inside VirtualBox using Shadow Defender.
ReHIPS and Comodo HIPS are not the same because they have different ways of achieving protection. They are not really comparable because ReHIPS is trying to achieve protection mostly with isolation. The HIPS part is just for execution. The real protection comes from isolation.
Yeah, I saw the Shadow Defender sign; I just mentioned the cleaning remains in general. ;)

HJLBX

Quote from: Raheel99 on September 28, 2016, 05:00:10 PM
Thanks HJLBX. I have un-ticked loopback traffic and added a permanent rule, and it's working fine.

Can we add and protect any specific registry key globally? During running malware, I allowed it once in the isolated environment, from where we can add a registry key for RW. But the malware is injecting a DLL module into running processes like explorer, services, svchost etc., and this malicious module checks and adds a startup entry in the AppInit_DLLs registry key.

Allowing once also results in DLL file creation in the c:\program files, user\tmp and windows\tmp folders, and the log shows "failed to start isolated program"......

Is it possible to globally restrict the creation of executable files (dll, sys, drv, ocx etc.) by a process?

You mean by configuring COMODO rules or ReHIPS?

As others have stated, ReHIPS' HIPS module is:

  • Application control (execution)
  • Child process (inspection)
  • Sub-Programs (command line whitelisting)

If you want much more control over processes, file creation, registry keys, etc. - then use COMODO.  However, with all COMODO's power, I still choose something more simple - like ReHIPS.

So, the isolated environment gets infected - so what?  Delete the isolated environment and start over with a clean isolated environment.

No need to clean install the OS.  No complicated cleanup of User Space directories.  No complicated registry\file system cleanup.

Don't keep valuable data\files in the isolated environment...

That's it... simple.

Raheel99

HJLBX, I mean configuring ReHIPS.  I already used Sandboxie, which also runs programs completely isolated, but using ReHIPS where can I find out what files/folders have been created in isolated mode? I have seen folders rehipsuser1, rehipsuser2... and so on in the Users folder, but where are other modifications to the Windows, Program Files etc. folders saved by an isolated program? I assume it may be some temp folder but I have not checked it.

Umbra

Quote from: Raheel99 on October 03, 2016, 03:45:17 PM
where can I find out what files/folders have been created in isolated mode? I have seen folders rehipsuser1, rehipsuser2... and so on in the Users folder, but where are other modifications to the Windows, Program Files etc. folders saved by an isolated program? I assume it may be some temp folder but I have not checked it.

All are either in the ReHIPSUsers folders or in the container on C:\ReHIPS, or any folder you gave access to.
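A defender-side check that follows from the two questions in this thread (the AppInit_DLLs startup entry Raheel99 saw the sample add, and where an isolated program's files end up): an added PowerShell example, not code from ReHIPS or from anyone in this thread. It assumes the isolated profiles live under C:\Users\ReHIPSUser* and the container under C:\ReHIPS, as named above, and that the time the sample was allowed to run is passed as $Since.

```powershell
# Added example (not ReHIPS code): audit what an isolated run left behind.
# Assumptions (labelled): isolated profiles are C:\Users\ReHIPSUser*, the
# container is C:\ReHIPS (both named in this thread); $Since is the time the
# suspicious program was allowed to run. Run from an elevated prompt.
param(
    [datetime]$Since = (Get-Date).AddHours(-1),
    [string[]]$Roots = @('C:\ReHIPS') +
        @(Get-ChildItem 'C:\Users' -Directory -Filter 'ReHIPSUser*' -ErrorAction SilentlyContinue |
          ForEach-Object FullName)
)

# 1. AppInit_DLLs persistence check. A non-empty AppInit_DLLs value together
#    with LoadAppInit_DLLs = 1 means every process that loads user32.dll also
#    loads the listed DLLs, which is the startup mechanism the question describes.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Key              = $key
        AppInit_DLLs     = $p.AppInit_DLLs
        LoadAppInit_DLLs = $p.LoadAppInit_DLLs
        Suspicious       = [bool]$p.AppInit_DLLs -and ($p.LoadAppInit_DLLs -eq 1)
    }
}

# 2. Executable-type files created inside the isolated locations since $Since.
#    Extensions are the ones the question lists (dll, sys, drv, ocx) plus exe/scr.
$exeExt = '.dll', '.sys', '.drv', '.ocx', '.exe', '.scr'
Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -and $exeExt -contains $_.Extension } |
    Select-Object FullName, CreationTime, Length,
        @{ n = 'SHA256'; e = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } } |
    Sort-Object CreationTime |
    Format-Table -AutoSize
```

The hashes let you compare a dropped file against the one ReHIPS logged at execution time; a populated AppInit_DLLs entry on the real system, rather than inside the environment's registry, is the sign the sample was not run isolated.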

HJLBX

Quote from: umbrapolaris on October 04, 2016, 09:09:48 AM
Quote from: Raheel99 on October 03, 2016, 03:45:17 PM
where can I find out what files/folders have been created in isolated mode? I have seen folders rehipsuser1, rehipsuser2... and so on in the Users folder, but where are other modifications to the Windows, Program Files etc. folders saved by an isolated program? I assume it may be some temp folder but I have not checked it.

All are either in the ReHIPSUsers folders or in the container on C:\ReHIPS, or any folder you gave access to.

As Umbra points out.

For vulnerable programs - like browsers, office suites, etc. - that are routinely exploited, it is recommended that you install them directly into their own individual, dedicated isolated environment (ReHIPSUser1, ReHIPSUser2, ..., ReHIPSUserN) using DeployHelper.

Each ReHIPSUser is a separate user profile.  You can install a program only into that specific user profile - and not into the real user profile.  This keeps it isolated.  Isolation prevents damage to the real user profile.

As far as updates go, whether a program is installed to the real user or ReHIPSUser profiles, I am not sure of all the technicalities.  You have to ask fixer.

I can understand your confusion.  Chrome is installed to C:\Program Files and is always run isolated, so how do updates get onto the real system?  Most software updates involve directories in C:\Users\* and direct access to the real file system from the isolated environment is denied.

Alternatively, Chrome is installed to a ReHIPSUser and is always run isolated, so how are updates handled?

Ask fixer -- he will explain with more specific details than I am able.

aDVll

Quote from: HJLBX on October 04, 2016, 11:09:29 AM
Quote from: umbrapolaris on October 04, 2016, 09:09:48 AM
Quote from: Raheel99 on October 03, 2016, 03:45:17 PM
where can I find out what files/folders have been created in isolated mode? I have seen folders rehipsuser1, rehipsuser2... and so on in the Users folder, but where are other modifications to the Windows, Program Files etc. folders saved by an isolated program? I assume it may be some temp folder but I have not checked it.

All are either in the ReHIPSUsers folders or in the container on C:\ReHIPS, or any folder you gave access to.

As Umbra points out.

For vulnerable programs - like browsers, office suites, etc. - that are routinely exploited, it is recommended that you install them directly into their own individual, dedicated isolated environment (ReHIPSUser1, ReHIPSUser2, ..., ReHIPSUserN) using DeployHelper.

Each ReHIPSUser is a separate user profile.  You can install a program only into that specific user profile - and not into the real user profile.  This keeps it isolated.  Isolation prevents damage to the real user profile.

As far as updates go, whether a program is installed to the real user or ReHIPSUser profiles, I am not sure of all the technicalities.  You have to ask fixer.

I can understand your confusion.  Chrome is installed to C:\Program Files and is always run isolated, so how do updates get onto the real system?  Most software updates involve directories in C:\Users\* and direct access to the real file system from the isolated environment is denied.

Alternatively, Chrome is installed to a ReHIPSUser and is always run isolated, so how are updates handled?

Ask fixer -- he will explain with more specific details than I am able.
Already did, here:
https://forum.re-crypt.com/index.php/topic,2419.msg4454.html#msg4454

and here, with the exception:
https://forum.re-crypt.com/index.php/topic,2498.msg4913.html#msg4913

HJLBX

Quote from: aDVll on October 04, 2016, 11:14:14 AM
Quote from: HJLBX on October 04, 2016, 11:09:29 AM
Quote from: umbrapolaris on October 04, 2016, 09:09:48 AM
Quote from: Raheel99 on October 03, 2016, 03:45:17 PM
where can I find out what files/folders have been created in isolated mode? I have seen folders rehipsuser1, rehipsuser2... and so on in the Users folder, but where are other modifications to the Windows, Program Files etc. folders saved by an isolated program? I assume it may be some temp folder but I have not checked it.

All are either in the ReHIPSUsers folders or in the container on C:\ReHIPS, or any folder you gave access to.

As Umbra points out.

For vulnerable programs - like browsers, office suites, etc. - that are routinely exploited, it is recommended that you install them directly into their own individual, dedicated isolated environment (ReHIPSUser1, ReHIPSUser2, ..., ReHIPSUserN) using DeployHelper.

Each ReHIPSUser is a separate user profile.  You can install a program only into that specific user profile - and not into the real user profile.  This keeps it isolated.  Isolation prevents damage to the real user profile.

As far as updates go, whether a program is installed to the real user or ReHIPSUser profiles, I am not sure of all the technicalities.  You have to ask fixer.

I can understand your confusion.  Chrome is installed to C:\Program Files and is always run isolated, so how do updates get onto the real system?  Most software updates involve directories in C:\Users\* and direct access to the real file system from the isolated environment is denied.

Alternatively, Chrome is installed to a ReHIPSUser and is always run isolated, so how are updates handled?

Ask fixer -- he will explain with more specific details than I am able.
Already did, here:
https://forum.re-crypt.com/index.php/topic,2419.msg4454.html#msg4454

and here, with the exception:
https://forum.re-crypt.com/index.php/topic,2498.msg4913.html#msg4913

Thanks for the links... I couldn't remember where they were and did not bother to search.

HJLBX

Where can I buy one of these?:

ReCrypt matryoshka - correct?