Path for the isolated environment

Started by SparknLight, May 23, 2016, 08:07:22 PM


SparknLight

Hello,

I'm a new user of ReHIPS.
The isolated environment creates directories in the \Users path: ReHIPSuser1, ReHIPSuser2, ...
Is it possible to change the path for these directories? I have in mind a second drive, not the boot system drive (C:\).


Thank you.

fixer

Hello, SparknLight.
Yes, ReHIPS creates users for isolated environments. And each ReHIPS user, like any other Windows user, has its profile folder. By default its location is in <system_disk>:\Users. These folders usually don't eat much space and I don't think there is a nice and documented way to change it for some users. But I'll look into it.

SparknLight

Thanks for the answer fixer.

I asked that because I tried several "suspicious files", typically keygens etc., to test ReHIPS.
Right click, "Run isolated in ReHIPS". All attempts failed ("Failed to start isolated program ..."), except if I leave the "Copy User Data" option checked, but in this case the isolated environment takes many GB and takes a very, very long time to be created (laptop, 1 HDD, 5400 rpm).

On the other hand, I have not yet fully understood what should be run in an isolated environment and what should not be. (I suppose suspicious files, yes ...).
Software like a BitTorrent client (Tixati), Sumatra PDF etc. is not isolated; such software is typically sandboxed by users who use 'Sandboxie', but ReHIPS is primarily a HIPS program if I'm not wrong.

aDVll

I personally run everything connecting to the internet and everything that opens stuff from the internet isolated.
So office, media player, image viewer, PDF reader, image editing software, browsers, notepad ... etc. So you can isolate pretty much anything you sandbox atm with Sandboxie. You just need to create the rules from the GUI manually, or when you first launch a program, or from the logs when you launch the program, if they are not in the rule pack provided by the devs.
ReHIPS is both a sandbox and a HIPS module together, with the benefit that program updates don't break the sandbox.

About the keygen and stuff: they probably need to access a file from your installed program, which they can't do if they are isolated and without Copy User Data. Such keygens are usually sketchy and do weird stuff. Though it doesn't make sense for it to take more than a few seconds. You might want to go inside the folder and see what it copied and how big it was, but I don't think it's that.

fixer

I looked into it. There is no documented way to create a user with a non-standard home profile directory; it's read directly from the registry. There are a few tricks to change the user home profile directory later when the profile is already created, but they're more hacks/workarounds rather than nice and documented ways.

My guess is that you're trying to execute programs in isolation from your real user profile folder (for example, from your Desktop). By default isolated programs have no access to your real user profile folder, so they fail to start. So you either move them to some other folder outside your real user home profile folder (the best solution) or allow Copy user data so the file being executed can be copied to the isolated environment and executed from there (a worse solution in terms of security; it may also be slower and more HDD-space consuming, as some files and maybe even folders are copied to the isolated environment). In general it's best to avoid using the Copy user data option. The only scenario it was meant for is this.
There is some program that is absent from the initial rules (RulesPack), and you want to use it in isolation. But this program keeps its settings somewhere in your real user profile, you don't know where, but you want the program to use these settings in isolation. So you enable the Copy user data option upon first program start, start it in isolation, push some buttons in your program for it to access all of its settings (settings are copied on access), close the program. And then you can clear this option, you don't need it anymore.

What should be isolated? It depends on the level of security you want to achieve. Most applications may be executed in isolation as long as they don't need administrator privileges. But personally I think that only popular exploitable and network-facing applications should be isolated: browsers, office applications, PDF viewers, maybe media players and archivers.

SparknLight

Yes, you're right fixer, it is exactly the case: I tried to execute in isolation from the Desktop (a sub-sub folder in the Desktop).

Quote from: fixer on May 23, 2016, 10:46:44 PM
...enable Copy user data option upon first program start, start it in isolation, push some buttons in your program for it to access all of its settings (settings are copied on access), close the program. And then you can clear this option, you don't need it anymore.
This trick is useful to know.
Now things are clearer to me. Thank you very much for these detailed explanations, aDVll and fixer!

fixer

Quote from: SparknLight on May 24, 2016, 12:57:08 AM
I tried to execute in isolation from the Desktop (a sub-sub folder in the Desktop).
That's what I thought. If you had it simply on the desktop, only one exe file would have been copied. But you said it took quite some time, so I expected it to be in a subfolder, which led to the whole subfolder being copied.

BTW, you mentioned SumatraPDF. I added it to the initial rules database in RulesPack.

SparknLight

My folder named "Downloads" on the desktop is around 20 GB, my test was on several .exe files in a folder inside this "Downloads", and the ReHIPSuserX folder was around 20 GB, so yes, the whole folder was certainly copied.
I will re-test to be sure, with the same process (and check what is inside the isolated folder), but the same size now makes me think that this is not a coincidence.

To come back to the possibility of choosing the drive for the isolated program: if the boot system is an SSD and we have a dedicated hard drive, like a scratch disk or a RAM disk, we can direct the isolated folders to it and under these conditions reduce SSD activity (caches and other stuff from browsers etc.).
It is not a vital option IMO, just a "one more thing".
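A way to do the check discussed in this thread (see which profile folder Windows registered for each ReHIPS user and which subfolder, e.g. a copied Downloads tree, makes it so large). This is an added example, not code from ReHIPS or from anyone in the thread; it assumes the ReHIPS users have ordinary entries under the Windows ProfileList registry key, as fixer says they are regular Windows users, and that the profile folder names start with "ReHIPSuser".

```powershell
# Added example (not from the ReHIPS project or this thread). Lists the profile folders
# Windows has registered for users named ReHIPSuser* and shows which top-level folders
# dominate their size, so an unexpectedly large isolated environment can be explained.
# Assumption: ReHIPS users have standard ProfileList entries. Run from an elevated shell.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-FolderSizeMB {
    param([string]$Path)
    # Sum of all file sizes below $Path; unreadable entries are skipped silently
    $bytes = (Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    if (-not $bytes) { $bytes = 0 }
    [math]::Round($bytes / 1MB, 1)
}

# Each ProfileList subkey is a SID; ProfileImagePath holds the profile folder, e.g. C:\Users\ReHIPSuser1
$isolatedProfiles = Get-ChildItem -Path $profileList | ForEach-Object {
    $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    if ($path -and ((Split-Path $path -Leaf) -like 'ReHIPSuser*')) { $path }
}

if (-not $isolatedProfiles) {
    Write-Host 'No ReHIPSuser* profile registered in ProfileList.'
}

foreach ($dir in $isolatedProfiles) {
    Write-Host ("{0}  total: {1} MB" -f $dir, (Get-FolderSizeMB $dir))
    # Largest top-level folders inside the isolated profile (Desktop, Downloads, AppData, ...)
    Get-ChildItem -LiteralPath $dir -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Folder = $_.Name; MB = (Get-FolderSizeMB $_.FullName) } } |
        Sort-Object MB -Descending | Select-Object -First 5 | Format-Table -AutoSize
}
```

If the largest entry is a copied Desktop or Downloads tree, the Copy User Data option copied it because the executable was started from inside the real profile folder, which is the situation fixer describes above.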

Umbra

Quote from: SparknLight on May 23, 2016, 09:42:40 PM
On the other hand, I have not yet fully understood what should be run in an isolated environment and what should not be. (I suppose suspicious files, yes ...).

Suspicious files obviously, and I personally isolate internet-facing apps, media players, PDF readers.

Quote
Softs like Bittorrent client (Tixati), Sumatra PDF etc are not isolated;

Some apps need to be isolated manually, or rules created for them that will force them to be isolated.

Quote
but ReHIPS is primarily a HIPS program if I'm not wrong.

ReHIPS is similar to what Sandboxie Endpoint Protection aims at. ReHIPS is a sandboxing app that integrates a HIPS for greater control (Sandboxie EP uses a Behavior Blocker from what I heard).

Quote
To come back on the possibility to choice the drive for the isolated program. If the boot system is a SSD and if we have a dedicated Hard Drive, like a scratch disk or a RAM Disk, we can direct the isolated folders on it and reduce in these conditions the SSD activities (caches and others stuff from browsers etc).
It is not a vital option IMO, just a "one more thing".

I asked for it somewhere, but I think it would reduce the security ReHIPS offers, since ReHIPS' way of working is based on virtual user profiles to generate virtual desktops.

aDVll

Most SSDs these days will live a long time, so don't really worry about the few MB it will write to the ReHIPS profile. Just leave as much stuff as you have space for on the SSD to make your PC usage experience better. For reference check this.
http://techreport.com/review/27909/the-ssd-endurance-experiment-theyre-all-dead

riddler

After reading this thread I am still not sure whether an external partition (non-C) can be utilized or not.
I would like to isolate the programs I have installed on C, but are they able to read/write data to another partition?

I have Windows installed on a 30 GB SSD and have another internal 1 TB hard drive, which is mounted as drive D.
I have Firefox on C. If I download larger files, can ReHIPS save the data to D or does it use only C?

What is the current state of file recovery? Can I move the downloaded data out of the original partition to a non-system partition?

aDVll

Quote from: riddler on January 22, 2017, 11:18:39 PM
After reading this thread I am still not sure whether an external partition (non-C) can be utilized or not.
I would like to isolate the programs I have installed on C, but are they able to read/write data to another partition?

I have Windows installed on a 30 GB SSD and have another internal 1 TB hard drive, which is mounted as drive D.
I have Firefox on C. If I download larger files, can ReHIPS save the data to D or does it use only C?

What is the current state of file recovery? Can I move the downloaded data out of the original partition to a non-system partition?
An external partition can be utilized only if you manually redirect traffic using symbolic links. Note I didn't try this, nor do I know if it will break something.

ReHIPS can download data to any folder you wish on any drive you wish. Just give the program permission to write to that folder. So you don't need to manually copy data; you can set a download location on the drive you want.


riddler