[FAQ] ReHIPS and self-protection

Started by fixer, July 31, 2017, 12:47:02 PM


fixer

Sometimes I get questions like: does ReHIPS protect itself from process termination? I ran Process Hacker without isolation and terminated the ReHIPS process; won't malware do the same? Let's figure this out.

ReHIPS doesn't protect itself from real user or administrator processes. An administrator can also easily stop the ReHIPS Service or unload the ReHIPS driver. So yes, Process Hacker without isolation indeed can kill ReHIPS processes. But this was done intentionally. For example, if something goes wrong, the user can easily unload ReHIPS. Some other security solutions, on the other hand, think they're smarter than me and don't want to unload unless I dance a jig with a tambourine, repeatedly saying that I really want to unload them. But don't worry, it's not a ReHIPS vulnerability, as untrusted processes are executed in isolation and isolated processes can't affect ReHIPS processes in any way.

Umbra

Maybe asking for a password when the user wants to unload ReHIPS would be good in terms of security.

fixer

To protect from what? Isolated programs already can't unload it. Besides, unloading the Service requires not just a real user, but Admin rights. Why bother the Admin? I prefer to rely on documented principles. As there is also ReHIPS Enterprise for domains, maybe the Admin is remote and tries to unload using some 3rd-party software or something which expects the service to unload without any prompts, who knows. As there is no security risk, we decided not to add any additional hoops to jump through.

Umbra

To protect from the stupid behaviors of security-unaware people or "happy clickers", who often run admin accounts and allow every unknown/malicious file they get their hands on.
Few people use SUA.
Believe me, as security forum staff, I can witness that most of the members asking for help from our malware removal specialists are in this case.
And I'm not even talking about privilege escalation from a reflective DLL injection...

It is a serious issue for me to let ReHIPS be killed manually via its service or by tools like Task Manager or Process Hacker/Explorer.
It may seem unimportant to you, but this will bite you in the back in the long run, especially when tested by security geeks and other "malware YouTube testers".
Some products lost credibility because they can't protect themselves from users' mistakes/bad behaviors.

I believe a tamper protection mechanism should be implemented; if the user really wants to disable ReHIPS, he may just tick a box in the GUI, and only then can he shut down ReHIPS processes/driver/service.


fixer

Hmmm, I understand your point. Though there is a question that bothers me. Should the software pretend it knows better than the user, like "nope, you can't unload me unless you do this and that and prove that you're sure and not a stupid person doing a silly thing"? I added it to our TODO list to give it a second thought and to look for some documented ways to do this, as some custom dialog may really make a remote Admin sad.

Umbra

Quote from: fixer on August 01, 2017, 04:11:39 PM
> Hmmm, I understand your point. Though there is a question that bothers me. Should the software pretend it knows better than the user, like "nope, you can't unload me unless you do this and that and prove that you're sure and not a stupid person doing a silly thing"?

Yes, because common users are.... ummm, how to say it politely.... "inexperienced and hasty to allow".

Quote from: fixer
> I added it to our TODO list to give it a second thought and to look for some documented ways to do this, as some custom dialog may really make a remote Admin sad.

For example, AppGuard has a "stop self protection" option (via checkbox).

perisanboy

Quote from: Umbra on August 01, 2017, 04:37:01 AM
> Maybe asking for a password when the user wants to unload ReHIPS would be good in terms of security.

It's a good idea, I like it, grandpa ;)!

perisanboy

Fixer, I know what you mean because I already asked about it and you answered me.
But Umbra is right; at the very least, a password must be required to stop the ReHIPS process.
If it's not hard to do, I mean if it's not a pain, just do it; having this feature is better than not having it. Sorry for my bad English.

fixer

Yeah, we already added it to our TODO list, though with low priority.

perisanboy

Good job then, hahaha, low priority :-) People are paranoid. It's simple: even if they know ReHIPS can stop the malware before that malware reaches the PC, they still want self-protection. It's about human nature, feeling safe. :D