Need Help Build Security around ReHIPS 2.3 on a System?

Discussion in 'Apps - Questions & Help' started by AtlBo, Dec 29, 2017.

  1. Recrypt

    Recrypt Level 1
    Developer

    May 26, 2014
    36
    216
    ReHIPS requires Vista SP1+, so any Windows 7 should be OK, someone other than ReHIPS is complaining.

    Differences between Working Modes are covered in this blogpost; you may want to take a look: [FAQ] Different Working Modes. I wouldn't go for Lock-Down Mode at first, but other than that you should be fine. Just more alerts on Expert Mode and that's it.

    BTW, ReHIPS should be updatable, i.e. OK if installed over the already installed older version. So you don't have to uninstall 2.2.0. But if you want a completely fresh install, why not. It should delete all its files on uninstall (I'll make a blogpost about it a bit later as some files may indeed be left, it depends on user choice in some windows). Just some files may be in use, so they'll be automatically deleted on reboot. But it's completely OK if you decided not to wait and deleted them manually.
     
  2. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    891
    6,324
    Caille
    Windows 10
    @Recrypt Apologies if my posts seemed a bit hostile, I do like ReHIPS. I was just disappointed because the marketing said one thing, but then code injection is still a rootkit-like technique for user-mode rootkits; but it is clear to me now that you were referring to kernel-mode patching only, and you're right, your product doesn't do any of that, which is pretty good because such are unstable of course.

    Makes sense to me as to why you inject, and thank you for joining the thread to clear up the concern :) The MS Detours point was a good one, sadly they only license the x64 process supported version to companies it seems though... No idea how much they'd charge for it haha, I've heard rumours before of it being 10 grand but I doubt that is true (unless you already know and could verify it unless there's an NDA) haha
     
    shmu26, Sunshine-boy, AtlBo and 2 others like this.
  3. Recrypt

    Recrypt Level 1
    Developer

    May 26, 2014
    36
    216
    @Opcode
    It's OK, don't worry. You don't have to know all the ReHIPS internals :)
    Nope, sorry, I don't know Detours price. Haven't dealt with it. We use our own engine.
     
  4. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,517
    Qihoo 360
    @Recrypt...thx, yes, I got it resolved. NVT ERP alerts must have caused a time out but it installed fine in Install Mode...
     
    shmu26 likes this.
  5. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,282
    13,615
    Utopia
    Hi, the prompt that you took screenshot of is not the one I was talking about. Child programs is a different thing. In a prompt like this, usually the best choice is "inspect children". But if it is a very safe program, and "inspect children" leads to too many prompts, then just choose "allow".

    About expert mode:
    1. By default, you will not be able to double click Word files etc. that are in real user space, but you can allow it, if you wish, by modifying the settings.
    2. Trusted publishers list is ignored, so you can expect a lot of prompts, and get ready to edit your rules with wildcards.
    3. An additional tweak is to enable lockdown when there is no GUI. This way, anything new is blocked by the ReHIPS service, which starts quickly after system reboot, and this blocking continues until the GUI loads, at which point you will start to get prompts instead of blocks.

    About learning mode:
    I enable it, and I go through a couple of reboots, and signing in and out of my various user accounts, to make sure nothing is being blocked in the boot process. Other users who are more paranoid than me don't like learning mode, because you can't be sure what you are whitelisting.
     
    BryanB likes this.
  6. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,517
    Qihoo 360
    @shmu26, thanks for this information. Didn't realize there are different types of alerts. Haven't been working very closely with the program, because I haven't been using the ReHIPS PC much lately.

    In the pic (see below) I noticed that in some of them there is, in blue next to the command line (where the red circle is in the pic), text that says "Trusted Command Line". If I just want to allow the single command line, do I select "Trusted Command Line" and then Allow Once? This seems to be working for me. Not getting the prompts again, yet cmd.exe for example did show up in an alert several times in a row for some differing scripts that run periodically on the PC:

    ReHIPS.gif

    One last thing. Should I expect that Recrypt has arranged for all the "vulnerables" to be monitored for command line usage in the same way as cmd.exe?
     
  7. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,282
    13,615
    Utopia
    This is the prompt I was talking about.
    In the upper half, you click on "add to trusted", and then at the bottom, you click on "allow".
    Note that "allow" is set by default to "only once", so you are good. You only mess things up if you change it to "permanent", and then click on "allow".
    Capture.PNG
     
    Sunshine-boy and AtlBo like this.
  8. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,282
    13,615
    Utopia
    "If I just want to allow the single command line, do I select "Trusted Command Line" and then Allow Once?"
    Yes.
    "Should I expect that Recrypt has arranged for all the "vulnerables" to be monitored for command line usage in the same way as cmd.exe?"
    Yes.

    I posted a screenshot of my own, before I saw this post. I see that you already figured everything out...
     
    Sunshine-boy and AtlBo like this.
  9. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,517
    Qihoo 360
    Thanks very much @shmu26. The details for expert mode are fantastic. This gives me a great place to start.

    I was whitelisting vulnerables on 2.2 as things turn out. :LOL: Luckily I had NVT ERP running too because I really wasn't sure I knew what I was doing with ReHIPS.

    Going over the list of Unbound, I notice the "vulnerables" there, and I see how the rules are generally set to "Inspect Children". That helps with the parent/child explanation on things. The protections seem to be here, but I can see why you pushed to have the choice for whitelisting a single command line handled in a more obvious way. True, it can become routine with use, but someone could start off on the wrong foot.

    The more I look this over, the more I am liking NVT ERP, ironically. I have about 100 or so vulnerables in ERP, and I am gaining a new respect for using it with this set of them in place. Not to take away from ReHIPS o/c, but it is interesting having both on the same machine. I'll probably keep the setup for a while to make some comparisons.

    Really appreciate your always reliable help and also @SHvFl...:)
     
    SHvFl and shmu26 like this.
  10. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,282
    13,615
    Utopia
    #30 shmu26, Dec 31, 2017
    Last edited: Dec 31, 2017
    Thanks.
    "Inspect children" gives you some basic parent/child control, but the setting that really monitors the command lines is the other one, alert for sub-processes. It is roughly parallel to embedded code detection in Comodo.

    BTW I think I understand why you like ERP better, personally I do like the prompts better in ERP, maybe because my brain got used to it.
    But the rules in ReHIPS are built out much more than in the ancient ERP from 2015 that people are using. ReHIPS was designed by very smart and very paranoid people who already thought of everything, and keep things up to date, so you don't have to write rules and add vulns on your own.
     
    Sunshine-boy and AtlBo like this.
  11. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,517
    Qihoo 360
    #31 AtlBo, Dec 31, 2017
    Last edited: Dec 31, 2017
    @shmu26...OK, so for the "vulnerables", "Can Execute Sub-Programs" should all be set to "Alert"? I guess I should also set "Can be Executed" to 'Alert' too?

    I wonder why I am seeing them set to "Allow" now. Execute programs is set to "Inspect Children" as I mentioned, but the rest are set to "Allow"...
     
    bribon77 likes this.
  12. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,282
    13,615
    Utopia
    It depends where you look. You are probably looking in the rules for "system" (I am going on the assumption that you make the same mistakes that I do), rather than in the rules for your particular user account. System has more lenient rules, so your system won't break. Best not to mess with them.

    But when it really comes down to it, you should direct specific questions about rules to @SHvFl or to fixer. They know ReHIPS on a much deeper level than I do.
     
    bribon77, AtlBo and SHvFl like this.
  13. SHvFl

    SHvFl Level 32
    Content Creator Trusted

    Nov 19, 2014
    2,153
    16,408
    Supermodel for McDonald's
    Europe
    Windows 10
    Emsisoft
    You must have messed up and selected an alert with allow permanently. Applications that are of issue have sub programs to alert and children to inspect. Either that or your definition of vulnerable process is different. Which ones are you talking about? Show me an image.

    Example with cmd below.

    https://i.imgur.com/vnhJQSP.png
     
    bribon77, AtlBo and shmu26 like this.
  14. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,517
    Qihoo 360
    Thanks both of you. The pic is exactly what I am seeing under the machine "Unbound" rules. I checked; they all have alert for sub-programs. @shmu was right, I was looking at the Unbound for the System.

    @SHvFl, could you quickly pass on again how to link an application to use of the ReHIPS folder? I know about your system for creating the file in a desired location, but I will probably just use the ReHIPS folder since it's there. If I recall, I go into the rules for the app process and allow it access, and it's that simple. Just can't recall.

    Thx...
     
    bribon77, SHvFl and shmu26 like this.
  15. SHvFl

    SHvFl Level 32
    Content Creator Trusted

    Nov 19, 2014
    2,153
    16,408
    Supermodel for McDonald's
    Europe
    Windows 10
    Emsisoft
    Have no idea what you mean. You want to give access to what and where exactly?
     
    AtlBo likes this.
  16. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,517
    Qihoo 360
    #36 AtlBo, Dec 31, 2017
    Last edited: Dec 31, 2017
    Would like to easily save to the c:\ReHIPS folder. Excel is running contained. Here is the save dialog I see. I added c:\ReHIPS to the favorites so no navigation is required to save there:

    Save Excel in ReHIPS Folder.png

    Then I get this message when I try to save:

    Permissions.png

    I added the c:\ReHIPS to the Favorites of Excel in the save dialog as you can see.

    EDIT: I also added a shortcut to the folder on the desktop. I can protect it with EasyFileLocker no problem. Plan is to save all office and other files saved from a contained application in that folder rather than in separate containers. Plan to even point downloads to the folder.
     
    bribon77 and SHvFl like this.
  17. SHvFl

    SHvFl Level 32
    Content Creator Trusted

    Nov 19, 2014
    2,153
    16,408
    Supermodel for McDonald's
    Europe
    Windows 10
    Emsisoft
    Excel has access to the office folder. Is that where you are trying to save, and did you mess with the settings or is it the same as my image? If everything is as shown and you are saving to C:\ReHIPS\Office then another program you use is messing things up.

    https://i.imgur.com/Pt0vYqT.png
     
    AtlBo and bribon77 like this.
  18. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,517
    Qihoo 360
    Thanks @SHvFl. Well, seems it works now. No idea what was going on LOL.

    Couldn't have been EasyFileLocker. It must seem likely that it was, I know, but I promise, EFL was only set to block writes to backup drives prior to the last few minutes (after I took the screenshots). Hadn't opened the app since yesterday I think...

    Just a weird quirky permissions hiccup I think... :alien:
     
    SHvFl likes this.
  19. SHvFl

    SHvFl Level 32
    Content Creator Trusted

    Nov 19, 2014
    2,153
    16,408
    Supermodel for McDonald's
    Europe
    Windows 10
    Emsisoft
    You tried to save in C:\ReHIPS and not C:\ReHIPS\Office, I believe. Anyway, it works now.
     
    AtlBo likes this.
  20. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,517
    Qihoo 360
    Exactly what happened. Thanks again...
     
    bribon77 and SHvFl like this.