ReHIPS and Files Access

Started by AtlBo, July 15, 2017, 05:44:47 AM

AtlBo

I am learning how to deal with the issue of files in various locations on the system.  Has there been any consideration of creating a single files space?  Just curious on this because it seems like it could be done and might help with situations where users need to keep files in more than one location but require quick access.

I got into a discussion about how malware can run inside a container in ReHIPS but write only to the container it is isolated inside.  That confused me some.  For one thing, I want to bring files together but it seems even C:\ReHIPS\... isn't 100% safe from malware.  Then I worry that malware that doesn't need admin privs or command line might be able to edit/delete files outside the container, etc.  So I'm just trying to determine what to expect from ReHIPS protection-wise.  I guess my confusion is compounded by not being able to save to a location outside of the ReHIPS areas.  If contained malware can only affect the container, then why not save outside of the contained areas?

I like the protection sequence.  It's super smooth and seems really powerful.  File access has me down though.  Seriously, I would much rather ReHIPS take ownership of the documents folders of Windows and make it possible for me to access and save there if possible somehow or maybe bring together links to them or something.  I have the C:\ReHIPS folder on the desktop to use this way.

Ultimately, can malware inside a container write to files outside or, say, delete files outside?  I am aware that command-line will cause an alert btw.  I am speaking of purely self-contained malware that needs no privileges.  Also, why not save outside the ReHIPS areas?

fixer

Single files space - you mean for trusted programs and isolated ones?

I have 2 blogposts here https://forum.rehips.com/index.php?topic=9484.0 and here https://forum.rehips.com/index.php?topic=9487.0 that have some explanations about file system access details.

In general if you decide to make a single files space, you'll face 2 dangers.
1. The first one is more obvious and straightforward. For example, you executed a ransomware/crypter/some other nasty malware in isolation. It'll encrypt/corrupt/delete any file it has write access to. By default it's basically just the ReHIPS user profile folder that has nothing interesting in it, just recreate the isolated environment and you're good to go. But if you decide to make a single files space, you may have some problems as it'll also corrupt all the files it has access to, that is, all the files and folders you allowed access to.
2. The second one is less obvious and more theoretical as I haven't seen it myself yet, but forewarned is forearmed. For example, our isolated environment is compromised. And compromised in such a tricky way that it infects every opened file with an exploit. Like a compromised Word infects doc files it opens. So these files seem OK and open OK, but if you open them without isolation (for example on another PC without ReHIPS), you can get infected.

So you can allow additional access if you want to. But consider these dangers. By default ReHIPS is designed to completely isolate programs and somehow quarantine all the data they have access to, like: untrusted programs touched this data, it may be tainted, so handle it with care.

AtlBo

Thanks for the answer.  OK, I was thinking the exact opposite way...that ReHIPS was meant to protect the system first.  I have been using Comodo on another PC for a long time so maybe that's why I can't get it through my head.  I mean, command-line monitoring is so powerful, I just had this impression and the fact that Comodo uses containment too I guess.  I'll take your advice and stay clear of granting contained apps access to standard user spaces.  Maybe I can come up with something for files access.  :)

Umbra

From what I heard from Fixer, v2.3 (the next major build) may/will implement a feature I requested that will allow making rules for folders also and not just programs.
Basically, you would be allowed to create a rule for a folder so any executed files in it would be auto-isolated/blocked.