Need Help Build Security around ReHIPS 2.3 on a System?

Discussion in 'Apps - Questions & Help' started by AtlBo, Dec 29, 2017.

  1. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,143
    4,513
    Qihoo 360
    Operating System:
    Windows 7 Professional
    OS Architecture:
    64-bit
    Starting over with ReHIPS 2.3. Would like to build around ReHIPS to build a simple, clean security setup. The system currently has a convoluted setup with the following apps:

    Q360TS
    MBAE
    Zemana Pro
    NVT ERP
    Binisoft WFC

    Likely going to keep WFC, but the rest can go. Zemana I like, so maybe it should stay for scans, etc. Where should I start? Mostly interested first in how to configure ReHIPS to get the most of its multi-container protection capabilities.
     
  2. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,285
    Caille
    Windows 10
    I don't know much about ReHIPS, but I'd upgrade to Windows 10 for internal security enhancements. There are a lot of differences between the Windows 7 and the Windows 10 kernel, and you may like to use Windows 10 Exploit Protection over MBAE if it provides enough for you as well, reducing resource usage further. Not to mention system-wide SmartScreen post Windows 8.

    I'd say:
    System-wide SS/UAC on Maximum
    Qihoo 360 TS
    ReHIPS
    Binisoft WFC

    + Zemana for on-demand scanner only.

    Would be sufficient.
     
  3. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,143
    4,513
    Qihoo 360
    MBAE free is not much protection from what I have seen. If anything I think I would rather use EMET 5.5, which I have configured for W7 on another computer. It adds system wide DEP, and many good exploit protections. I could transfer the settings over easily with EMET.

    I like Q360, and I might keep it, not sure. Thinking of trying Kaspersky a-v or Bitdefender free, though. Q360's sandbox is very good for MS Office (2007), but it will conflict with ReHIPS over save locations. Qihoo will want to save in its sandbox and ReHIPS in the container. So I feel like if I want to build around ReHIPS, I probably should ditch the extras of 360. AppCheck is too good to leave off a computer. Uses no resources, and it works in the little bit of testing I have done. I'll probably use A/C, but not sure about anything yet honestly. Need to know more about ReHIPS. Thanks for the comments.
     
  4. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,246
    13,484
    Utopia
    Best thing is to install just ReHIPS, and get to know it. Then you will be wiser, and you will know what else you need.
    With ReHIPS, among other things you have to get used to the prompts. They are a bit different from ERP and Comodo.
    The prompt for vulnerable processes is the one that kept confusing me, and I kept complaining until they agreed to make it clearer and more intuitive. The thing is that when a vulnerable process comes along, by default the prompt will be set to allow only once. If you want to allow that command line permanently, you have to click on the link in the UPPER part of the prompt. Because if you permanently allow it from the bottom part of the prompt, you are messing things up. You are not whitelisting the command line, you are removing that process from the vulnerable process list.

    I am using the term "vulnerable process list" loosely and inexactly, because it is not a ReHIPS concept, it is an ERP concept. In ReHIPS, the so-called "vulnerable processes" are not categorized as such. Rather, they have "sub-programs" set to "alert". That way it catches the command lines.
    Regular processes have sub-processes set to "inapplicable".

    This may sound kind of esoteric, but really it's not, you just have to see it in action, and you will grasp it.
     
    Sunshine-boy, bribon77, Tiny and 3 others like this.
  5. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,143
    4,513
    Qihoo 360
    @shmu26: Helps tremendously, thanks. I had not even noticed the link in the upper part of the prompt, so I must have been doing as you say and removing the process from the "alert" programs. By this I assume you mean the applications in ERP that are vulns, and I see the large-scale difference between whitelisting a command line and whitelisting the actual application running the command line (cmd.exe, powershell, etc.).

    I have been using I guess 2.2. It's on the system already, so I will uninstall that and then install 2.3 shortly. Any tips early on after the installation? Thanks again.
     
  6. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,246
    13,484
    Utopia
    Roughly speaking, the vulns in ERP are set to sub-program "alert" in ReHIPS.
    But ReHIPS does this for more processes than you will find on the default vuln list in ERP beta 2015.

    EDIT: You can play with it. For instance, you can take MS Outlook out of isolation, but set sub-programs and child processes to alert.
     
    BryanB, bribon77 and Opcode like this.
  7. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,167
    5,166
    IRAN
    Windows 10
    ESET
    #7 Sunshine-boy, Dec 30, 2017
    Last edited: Dec 30, 2017
    Do this: install ReHIPS, then allow everything for Q360 processes from the ReHIPS program manager so it will not conflict with Q360! But don't forget ReHIPS will inject itself into other processes (I found it while using ESET HIPS). Not sure if Q360 allows this! But you can exclude ReHIPS from Q360 real-time protection.
    The best way is to use expert mode! Standard mode is also good but still broken.
    I will go for this: Q360 + ReHIPS + OS Armor + Binisoft WFC
    Q360 sandbox > ReHIPS sandbox, because of its zero-config sandbox and it's more user-friendly.
     
    bribon77, AtlBo, shmu26 and 1 other person like this.
  8. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,285
    Caille
    Windows 10
    @Sunshine-boy ReHIPS injects code into other running processes? I'm asking because I've never properly used it nor looked into how it works, but I thought the whole point of ReHIPS was to provide restrictions without rootkit-like techniques (e.g. built-in Windows protection instead, like manual usage of the built-in AppContainer). If they really do inject code into other running processes then the marketing is unethical, because I am pretty sure they say they don't use rootkit-like techniques, except injecting code into running processes is indeed a very common rootkit technique... user-mode rootkits. LOL.

    @shmu26 Do you know anything about how ReHIPS works internally? Does it indeed inject code into running processes?
     
  9. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,246
    13,484
    Utopia
    @SHvFl should know how it works under the hood. There is a ReHIPS dll that gets injected into processes, I have seen it during de-bugging sessions. That is probably what @Sunshine-boy is talking about. I don't remember the exact reason for it, though.
     
  10. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,285
    Caille
    Windows 10
    #10 Opcode, Dec 30, 2017
    Last edited: Dec 30, 2017
    Still though, injecting a DLL is still injecting code into another process -> still a rootkit-like technique to get code executed in another process for control

    Edit: Asked someone, they said it isn't for security. So not that bad, but it still made me feel a bit disappointed because, whatever the reason... they say no rootkit techniques, and injection is a rootkit technique. But still, it's a good product and works well from what I've seen.
     
    Sunshine-boy, bribon77 and shmu26 like this.
  11. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,246
    13,484
    Utopia
    Maybe @SHvFl can give us some input about this issue. He understands the program pretty well.
     
    SHvFl, BryanB, bribon77 and 3 others like this.
  12. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,285
    Caille
    Windows 10
    @shmu26 Just asked him ;)

    He said that they do hook, but for usability stuff, not related to security. Still a rootkit-like technique, so that disappointed me, but it isn't all that bad. They probably mean they don't hook for the actual functionality, but then again who cares anyway. As long as it works I don't think it matters that much, I just didn't take a liking to the marketing now.
     
    SHvFl, bribon77, AtlBo and 1 other person like this.
  13. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,167
    5,166
    IRAN
    Windows 10
    ESET
    I'm not sure but I think yes, because I remember ESET HIPS fucked me and told me 100000 times that ReHIPS wants access to ESET processes (ESET blocked the access).
     
    bribon77, AtlBo, shmu26 and 1 other person like this.
  14. SHvFl

    SHvFl Level 32
    Content Creator Trusted

    Nov 19, 2014
    2,152
    16,384
    Supermodel for McDonald's
    Europe
    Windows 10
    Emsisoft
    #14 SHvFl, Dec 30, 2017
    Last edited: Dec 30, 2017
    What @Opcode said. They inject to provide some usability features, but it doesn't provide or affect the security of ReHIPS.

    tl;dr doesn't affect running the programs isolated/blocked in any way.

    EDIT: this info is directly from the dev/owners and not me

    ReHIPS and Sysnative
     
  15. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,143
    4,513
    Qihoo 360
    Had some trouble removing 2.2, so I found the link for the installer and reinstalled that version. Successfully uninstalled the program, but it left the entire program directory on the PC. Reinstalled again and used Revo to get rid of everything. This kind of adds to my concerns about ReHIPS for the here and now.

    One other thing. When I downloaded 2.2, it was blocked by Chrome. Reading why, Google says that it blocks downloads from sites that have been associated with malware downloads. Anyone have any insight on this issue before I install 2.3?

    Also one question about the user/container folders. I simply deleted them. Is this a problem? Hope not. I was a little bit fed up, and decided to rid the PC of them before asking.
     
    Sunshine-boy, bribon77 and Opcode like this.
  16. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,246
    13,484
    Utopia
    1. I have found ReHIPS to uninstall smoothly. Obviously, that was not true in your case. But it can leave ReHIPS user folders behind if the contents require admin privileges to delete. If that happens, you just delete them manually.

    2. Chrome does have the annoying habit of blocking that download you mentioned. It seems to be a computer-generated block; I think that the Chrome algorithm doesn't like the site name "ReCrypt", in conjunction with the Russian-language subforum and the constant discussion of malware techniques.
    To machine learning, it sounds like a bunch of hackers.
     
  17. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,143
    4,513
    Qihoo 360
    Had this feeling. 2.3 download was not a problem.

    Thinking of trying expert mode. Haven't tried it yet, anything specific to know before changing over to Expert?
     
    shmu26 likes this.
  18. Recrypt

    Recrypt Level 1
    Developer

    May 26, 2014
    36
    216
    Hello everyone and Merry Christmas.

    Regarding Google and downloads. Truth to tell, I have no idea why it doesn't like us. I already posted about it here: Ask Questions Here - ReHIPS Features & Unexpected Behaviors. ReHIPS is served through https, the certificate is OK, it's signed with a valid signature, no protectors, packers, whatsoever, no AV detections, and the compiler and installer are also standard and widespread. And I have no idea whom to write to fix this, as I tried to leave tons of comments in Google webmaster feedback, but none were answered. So not sure what else we can do.

    Since the question of hooking was discussed, let me copy-paste one of upcoming blogposts.

    As you probably know, we state that "ReHIPS doesn't use rootkit-technologies (kernel-mode hooks etc.)". But some may wonder "hey, what's that HookDll32/64.dll then? I saw it was injected!". So let's talk about this a bit.

    Since the dawn of time antiviruses were hooking the Windows kernel to intercept critical functions and inspect program behavior. And they'd been living happily till death in the person of PatchGuard did them part. Kernel Patch Protection (also known as PatchGuard) was introduced in Windows 2003 x64 (actually in Windows XP x64, but you can say it's based on the 2003 kernel). Though it didn't stop some of the vendors from hooking the kernel (using a hypervisor or some other shady stuff), it became something that is not just officially discouraged, but is actively being counteracted, resulting in a Blue Screen Of Death.

    And what about user-mode hooks? They aren't something that is promoted, but if something can't be done without them, go ahead, use them, Microsoft even has a Detours project that helps hooking user-mode functions. And according to official Detours page "Under commercial release for over 10 years, Detours is licensed by over 100 ISVs and used within nearly every product team at Microsoft." So yeah, this thing is not that bad and dangerous like kernel-mode hooking, if it's "used within nearly every product team at Microsoft".

    So what about ReHIPS? ReHIPS doesn't use any kernel-mode hooks. At all. And never has. And never will. We stand true to our statements. But yes, it does use some user-mode hooking. Why? They are for usability purposes only; no security or other potentially dangerous or important feature relies on it. For example, when a process being started by explorer.exe (and that is pretty much every process you start by double-clicking in explorer) is blocked, explorer complains about it and shows an error window. The injected HookDll intercepts this function in other processes like explorer and convinces them that everything is OK, no need to throw error windows. So it's purely a question of usability.
     
    XhenEd, d0ts, Sunshine-boy and 6 others like this.
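An added example, not code from the thread or from the ReHIPS project: a PowerShell check a user can run to see for themselves which non-Windows modules are loaded into explorer.exe and who signed them. The HookDll32/64.dll name is taken from the developer's post above; filtering on the Windows directory and reading the signer from the Authenticode certificate are assumptions of this example.

```powershell
# Added example: enumerate modules loaded into explorer.exe, keep only those
# that do not live under the Windows directory (assumed filter), and report
# the Authenticode signature status and signer for each one.
$proc   = Get-Process -Name explorer -ErrorAction Stop | Select-Object -First 1
$winDir = $env:SystemRoot

$proc.Modules |
    Where-Object { $_.FileName -notlike "$winDir\*" } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName
        [pscustomobject]@{
            Module    = $_.ModuleName
            Path      = $_.FileName
            # Name pattern from the developer's post (HookDll32.dll / HookDll64.dll)
            IsHookDll = $_.ModuleName -like 'HookDll*.dll'
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } |
    Sort-Object IsHookDll -Descending |
    Format-Table -AutoSize
```

Run it from a PowerShell session of the same bitness as explorer.exe (a 64-bit session on 64-bit Windows), otherwise the module list of the 64-bit process cannot be read.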
  19. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,143
    4,513
    Qihoo 360
    @Recrypt, thanks for the details.

    Just attempted to install ReHIPS 2.3 on W7 64 SP1 but got a message that SP1 is required. SP1 is definitely on the PC, so is this a .NET thing perhaps? I have .NET 4.6 installed, but I'm not sure I ever installed 4.5. Think I installed 4.6 for ReHIPS 2.2, but I don't know what is required at this point...

    EDIT: NM... running NVT ERP and using "allow" for the prompts led to the message. I used "Install Mode" for ERP and the installation went through.
     
    shmu26 likes this.
  20. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,143
    4,513
    Qihoo 360
    #20 AtlBo, Dec 30, 2017
    Last edited: Dec 30, 2017
    For you other guys, should I activate learning mode? Just looking for any tips for this early stage. Not going to be doing anything fancy, but I probably will run in expert mode, once I get going...

    @shmu26, is this the type of alert you referred to earlier? I do want to make sure that I don't blanket allow risky apps. Thx. There is the other type of alert which has two rows of choices that look like dots (think I saw this), always, never, once and then below that Block or Allow. Don't want to get confused here. If I select "Permanent" and "Allow" for this is only the single command line allowed from the applications (in this case WScheduler)?

    ReHIPS.png
     