[FAQ] How does ReHIPS process processes?

Started by fixer, September 26, 2017, 11:51:46 AM


fixer

Some process is about to start. How does ReHIPS check it, and which checks does it make? Let's figure this out. It's recommended to read the previous blog post about ReHIPS Working Modes first: https://forum.rehips.com/index.php?topic=9539.0

There are basically four types of checks. As a running example, "explorer.exe" starts "cmd.exe" with the command line "cmd.exe C:\batch.bat".
1. Some internal checks, like whether ReHIPS is disabled.
2. Parent process checks. The parent process is the one that starts some other process, so in our example explorer.exe is the parent process.
3. Process checks. The process is the one being started, so in our example cmd.exe is the process.
4. Subprocess checks. They involve command line checking. They're called subprocess checks because they're aimed at controlling batch files, scripts for the different scripting interpreters, msi files for installers, etc. These files are not processes by themselves (their interpreter, like cmd.exe, is the process), but they can be very different from each other and sometimes malignant, so they have to be monitored. In our example the command line "cmd.exe C:\batch.bat" is inspected here. Not all programs support command lines that can lead to malicious actions, so not all of them have to be inspected; for example, there is hardly anything dangerous about the calculator's command line. Such programs are marked "inapplicable", which means "don't check its command line".

At first a couple of internal checks take place:
-allow Agent child service processes, EmptyStub and GUI processes;
-if it's a RunRestricted process, then process it;
-if rules are being installed, allow - we don't want to interfere with the initial rules installation and block some system process;
-if Working Mode is Disabled, allow;
-if Working Mode is Learning, process it - we need to add this process to the ReHIPS database;
-if Lock-Down Mode is not enabled and the GUI is not connected, allow it - we can't block because Lock-Down Mode isn't enabled and we can't alert because no GUI is running, and we don't want to hang the system by blocking some system process, so allow;
-otherwise, process it.

The parent process check looks up its hash first and then the process itself in the database. If rules are found there, they are used; otherwise ReHIPS acts according to the Working Mode, as described in the previous blog post about Working Modes.
If it results in Block, process execution is denied and this processing is done.
If it results in Allow, the subprocess check is performed next.
If it results in Allow with children inspection, the process check is performed next.

The process check looks up its hash first and then the process itself in the database. If rules are found there, they are used; otherwise ReHIPS acts according to the Working Mode, as described in the previous blog post about Working Modes.
If it results in Block, process execution is denied and this processing is done.
If it results in Allow, the subprocess check is performed next.
If it results in Allow in isolation, the initial process is denied, it's restarted in isolation, and this processing is done.

The subprocess check works according to the Working Mode, as described in the previous blog post about Working Modes.
If it results in Block, process execution is denied and this processing is done.
If it results in Allow, process execution is allowed and this processing is done.
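The four stages above, modelled as a small decision pipeline so the ordering (internal checks, parent, process, subprocess) can be traced on the explorer.exe / cmd.exe example. This is an added illustration, not ReHIPS code: the rule database, the hash values, the process paths and the "default" verdict that stands in for the Working Mode's handling of unknown items are all constructed assumptions.

```python
from enum import Enum, auto
class Verdict(Enum):                    # what a database rule (or the Working Mode) says
    BLOCK = auto()
    ALLOW = auto()
    ALLOW_CHILDREN_INSPECTION = auto()  # parent verdict: the child itself is checked too
    ALLOW_IN_ISOLATION = auto()         # process verdict: deny, then restart in isolation
# Constructed rule database (not ReHIPS's real format), looked up by hash first, then by
# path. "subprocess" maps a command-line fragment to a verdict; None = "inapplicable".
RULES = [
    {"hash": "h-explorer", "path": r"C:\Windows\explorer.exe",
     "verdict": Verdict.ALLOW_CHILDREN_INSPECTION, "subprocess": None},
    {"hash": "h-cmd", "path": r"C:\Windows\System32\cmd.exe", "verdict": Verdict.ALLOW,
     "subprocess": {r"C:\batch.bat": Verdict.ALLOW, r"C:\blocked.bat": Verdict.BLOCK}},
    {"hash": "h-calc", "path": r"C:\Windows\System32\calc.exe",
     "verdict": Verdict.ALLOW, "subprocess": None},
]
# Constructed internal-check inputs; "default" is an assumed stand-in for what the
# Working Mode does with a process or command line that is not in the database.
STATE = {"mode": "Standard", "rules_installing": False, "lockdown": True,
         "gui_connected": True, "default": Verdict.BLOCK}
def lookup(proc):
    for key in ("hash", "path"):         # hash first, then the process itself
        for rule in RULES:
            if rule[key] == proc[key]:
                return rule
    return None
def verdict_for(proc, state):
    rule = lookup(proc)
    return rule["verdict"] if rule else state["default"]
def decide(parent, child, cmdline, state=STATE):
    """Internal, parent, process and subprocess checks; 'denied'/'allowed'/'isolated'."""
    if state["rules_installing"] or state["mode"] == "Disabled":
        return "allowed"
    if not state["lockdown"] and not state["gui_connected"]:
        return "allowed"                 # can neither block nor alert, so allow
    verdict = verdict_for(parent, state) # Learning mode falls through to the checks
    if verdict is Verdict.BLOCK:
        return "denied"
    if verdict is Verdict.ALLOW_CHILDREN_INSPECTION:   # process check on the child
        verdict = verdict_for(child, state)
        if verdict is Verdict.BLOCK:
            return "denied"
        if verdict is Verdict.ALLOW_IN_ISOLATION:
            return "isolated"
    rule = lookup(child)                 # subprocess check on the child's command line
    table = rule["subprocess"] if rule else {}      # unknown child: Working Mode decides
    if table is None:
        return "allowed"                 # "inapplicable": command line is not inspected
    hits = [v for frag, v in table.items() if frag in cmdline]
    return "denied" if (hits[0] if hits else state["default"]) is Verdict.BLOCK else "allowed"
```

With the constructed rules, `decide(explorer, cmd, r"cmd.exe C:\batch.bat")` passes all four stages and returns "allowed", while a cmd.exe copied to another path is still matched through its hash.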