Isolated Cyberfox and IDM

Started by XhenEd, June 18, 2016, 05:51:16 AM


fixer

I looked into this issue. This is how it all works. We've got 2 possible cases.
1. Some program with an addon. This is the Cyberfox case. The IDM engine is implemented as a DCOM (Distributed COM) object and started from the current real user. The isolated browser is started from the ReHIPS user, and isolation denies access to the DCOM object running from the real user. So it fails with an access denied error. Running the browser non-isolated is a security risk. Running IDM isolated won't be of much use as it's restarted from the real user. So not much can be done here.
2. Some unknown program without an addon. This is the PaleMoon case. IDM uses a driver to intercept network traffic. If something looks like a download, it spawns a DCOM process and shows the download windows. The driver works across all sessions and users, so it works fine for the isolated environment.
In other words, one of the possible solutions is to use the second scenario with Advanced browser integration and without addons. Other than that... I don't think much can be done, as IDM is based on hooks and multiple processes (some of which are designed to be non-isolated) and heavily relies on interprocess communication, and ReHIPS denies this communication for security purposes.

XhenEd

Quote from: fixer on June 26, 2016, 10:59:48 PM
I looked into this issue. This is how it all works. We've got 2 possible cases.
1. Some program with an addon. This is the Cyberfox case. The IDM engine is implemented as a DCOM (Distributed COM) object and started from the current real user. The isolated browser is started from the ReHIPS user, and isolation denies access to the DCOM object running from the real user. So it fails with an access denied error. Running the browser non-isolated is a security risk. Running IDM isolated won't be of much use as it's restarted from the real user. So not much can be done here.
2. Some unknown program without an addon. This is the PaleMoon case. IDM uses a driver to intercept network traffic. If something looks like a download, it spawns a DCOM process and shows the download windows. The driver works across all sessions and users, so it works fine for the isolated environment.
In other words, one of the possible solutions is to use the second scenario with Advanced browser integration and without addons. Other than that... I don't think much can be done, as IDM is based on hooks and multiple processes (some of which are designed to be non-isolated) and heavily relies on interprocess communication, and ReHIPS denies this communication for security purposes.
Thanks for taking a look at the issue, fixer!
Cyberfox, then, in an isolated environment, has to give up IDM.

There must be a thread here, or something of the sort, in the future about incompatibilities/issues, just like Sandboxie's forum thread and MBAE's forum thread.