Request Help Build Security around ReHIPS 2.3 on a System?

AtlBo

Level 24
Joined
Dec 29, 2014
Messages
1,390
Antivirus
Qihoo 360
#41
There is. The limitation is that it's for home use only and no application can run in a container using more than 10 instances of the application at one time. For a browser, that leaves you with FF or something else that runs with fewer than 10 instances, if you want to run the browser contained.

Here is the download. Be prepared for an uphill battle. Feel free to bring your initial questions here to this thread:

ReHIPS - An HIPS/Sandbox without kernel Hooks - (quick test included)

Once you have the basics, you can start a thread in the Security Applications->Other Security for Windows Forum. One thing about the installation. Just let it run and leave it on. No matter how long it takes, let it go until it is finished. It finds what's on the system and adds its own set of excellent rules. The rules are very good.

It's good protection, but I am also finding that it's possible to make it more user-friendly for my file storage requirements than how it sets up by default.
 

davisd

Level 13
Joined
Feb 2, 2016
Messages
628
OS
Windows 10
Antivirus
Panda
#42
This thread may not be an appropriate place to say it, but I bought ReHIPS on 3 June 2017 for about 16€, used it for a few months for testing purposes, then uninstalled it, and now when re-checking prices, it has skyrocketed to 55€ for 1PC/1YR. I know it's high quality security software, but holy @!* I don't see a way to renew it for such a price :eek:
 

SHvFl

Level 32
Content Creator
Trusted
Joined
Nov 19, 2014
Messages
2,193
OS
Windows 10
Antivirus
Emsisoft
#43
This thread may not be an appropriate place to say it, but I bought ReHIPS on 3 June 2017 for about 16€, used it for a few months for testing purposes, then uninstalled it, and now when re-checking prices, it has skyrocketed to 55€ for 1PC/1YR. I know it's high quality security software, but holy @!* I don't see a way to renew it for such a price :eek:
It was a deal for the product launch with a 70% discount. Now the price is full with no discount hence the jump in price.
 

Recrypt

Level 2
Developer
Joined
May 26, 2014
Messages
52
#44
Hello everyone!

Here is a blogpost I promised earlier about some files that may be left when ReHIPS is uninstalled. [FAQ] Uninstalled ReHIPS, but some files are left

At first I wanted to also paste the text here, but later decided not to. The reason is that when something is changed inside ReHIPS, I also change the blogposts accordingly. But if I paste the text here, this text may become outdated. Besides, blogs don't require any registration; just come and read.

Best regards, fixer.
 

shmu26

Level 62
Joined
Jul 3, 2015
Messages
5,108
OS
Windows 10
#46
@Recrypt, @shmu26
I am not sure what inapplicable means. Is it equal to allow in the sandbox?
Usually you will see "inapplicable" in the rule for a process that does not need to have its command lines monitored. This could be an isolated process or a non-isolated process.
For instance, powershell has subprograms monitored. Monitored is sort of like the opposite of inapplicable.
 

shmu26

Level 62
Joined
Jul 3, 2015
Messages
5,108
OS
Windows 10
#47
By the way, there are several sets of rules for the same processes. So when inspecting rules, you always need to look at which "user" you are inspecting.
There is a set of rules for "system". Those rules are generally more lenient than the rules for a regular user, and it is best not to mess with system rules, in order not to break things.
 
Joined
Dec 23, 2014
Messages
1,576
OS
Windows 10
Antivirus
Microsoft
#48
Usually you will see "inapplicable" in the rule for a process that does not need to have its command lines monitored. This could be an isolated process or a non-isolated process.
For instance, powershell has subprograms monitored. Monitored is sort of like the opposite of inapplicable.
So if the program has (in User and System) the 'Inspect Children + Allow + Inapplicable' settings and wants to spawn a child process (without using command lines), then the child process will always be allowed? But when the program uses some suspicious command lines to run the child process, then the child will be blocked?
 

shmu26

Level 62
Joined
Jul 3, 2015
Messages
5,108
OS
Windows 10
#49
So if the program has (in User and System) the 'Inspect Children + Allow + Inapplicable' settings and wants to spawn a child process (without using command lines), then the child process will always be allowed? But when the program uses some suspicious command lines to run the child process, then the child will be blocked?
Allow means it will not run isolated (sandboxed).
Inspect children means that there is no automatic parent/child permission. Instead, the ReHIPS rule for the child will be applied. If there is none, you will see a prompt.
Inapplicable means that the command line will not be parsed as such. It will be treated as a simple parent/child execution.
If you have more detailed questions, best to ask on ReHIPS forum. First of all, they really know what they are talking about. Second of all, I am heading for bed now...
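The three settings explained above (child-execution policy, run mode, command-line handling) can be modelled as a small decision function. The following is an added illustration written for this page, not ReHIPS code or anything from the thread's authors: the rule set is constructed, the "Isolate" name for the non-Allow run mode is an assumption, and so is the choice that an "Allow" children policy lets the child run in the parent's mode. The thread only says that a Monitored command line is parsed while an Inapplicable one is treated as a plain parent/child execution, so the model judges a monitored launcher (cmd.exe, powershell.exe) by the subprogram named on its command line.

```python
"""Toy model of the per-process settings discussed in the thread:
child-execution policy (Allow / Inspect Children / Block), run mode
(Allow = not isolated) and command-line handling (Inapplicable / Monitored).
Constructed illustration, not ReHIPS code; rule set, the 'Isolate' run-mode
name and the inheritance behaviour for 'Allow' children are assumptions."""
import ntpath
import shlex
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Children(Enum):
    ALLOW = "Allow"               # automatic parent/child permission
    INSPECT = "Inspect Children"  # no automatic permission; the child's own rule applies
    BLOCK = "Block"               # child processes are refused


class Run(Enum):
    ALLOW = "Allow"      # runs un-isolated
    ISOLATE = "Isolate"  # runs in the sandbox (assumed name for the alternative)


class CmdLine(Enum):
    INAPPLICABLE = "Inapplicable"  # treated as a plain parent/child execution
    MONITORED = "Monitored"        # command line is parsed for the subprogram it launches


@dataclass(frozen=True)
class Rule:
    children: Children
    run: Run
    cmdline: CmdLine


# Constructed rule set, shaped like the setting triples quoted in the thread.
RULES = {
    "winword.exe":    Rule(Children.INSPECT, Run.ISOLATE, CmdLine.INAPPLICABLE),
    "powershell.exe": Rule(Children.INSPECT, Run.ALLOW, CmdLine.MONITORED),
    "cmd.exe":        Rule(Children.INSPECT, Run.ALLOW, CmdLine.MONITORED),
    "notepad.exe":    Rule(Children.ALLOW, Run.ALLOW, CmdLine.INAPPLICABLE),
    "wwahost.exe":    Rule(Children.BLOCK, Run.ALLOW, CmdLine.INAPPLICABLE),
}


def subprogram_in(cmdline: str) -> Optional[str]:
    """Return the first *.exe named on a command line after the program itself."""
    try:
        tokens = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:                                # unbalanced quotes: no subprogram
        return None
    for tok in tokens[1:]:
        name = ntpath.basename(tok.strip('"')).lower()
        if name.endswith(".exe"):
            return name
    return None


def decide(parent: str, child: str, cmdline: str = "", rules=RULES, depth: int = 0) -> str:
    """Return 'allow', 'isolate', 'block' or 'prompt' for parent launching child."""
    parent_rule = rules.get(ntpath.basename(parent).lower())
    if parent_rule is None:
        return "prompt"                          # no rule for the parent: ask the user
    if parent_rule.children is Children.BLOCK:
        return "block"
    if parent_rule.children is Children.ALLOW:
        # assumption: automatic permission lets the child run in the parent's mode
        return parent_rule.run.value.lower()
    # Inspect Children: look up the child's own rule; none means a prompt
    child_name = ntpath.basename(child).lower()
    child_rule = rules.get(child_name)
    if child_rule is None:
        return "prompt"
    if child_rule.cmdline is CmdLine.MONITORED and depth < 4:
        sub = subprogram_in(cmdline)
        if sub:
            # a monitored launcher is judged by what it launches
            return decide(child_name, sub, "", rules, depth + 1)
    return child_rule.run.value.lower()


if __name__ == "__main__":
    print(decide("winword.exe", "notepad.exe"))
    print(decide("winword.exe", "powershell.exe",
                 "powershell.exe -nop -c Start-Process calc.exe"))
```

Running the two calls at the bottom shows the difference the questions in this thread are about: an Inapplicable child (notepad.exe) is simply allowed by its own rule, while a Monitored launcher (powershell.exe) is resolved to the subprogram it names, which has no rule here and therefore ends in a prompt.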
 
Joined
Dec 23, 2014
Messages
1,576
OS
Windows 10
Antivirus
Microsoft
#50
Allow means it will not run isolated (sandboxed).
Inspect children means that there is no automatic parent/child permission. Instead, the ReHIPS rule for the child will be applied. If there is none, you will see a prompt.
Inapplicable means that the command line will not be parsed as such. It will be treated as a simple parent/child execution.
If you have more detailed questions, best to ask on ReHIPS forum. First of all, they really know what they are talking about. Second of all, I am heading for bed now...
Thanks. Sleep tight. :)
 
Joined
Dec 23, 2014
Messages
1,576
OS
Windows 10
Antivirus
Microsoft
#51
I tried ReHIPS in Permissive mode and it seems that this can be a way to protect people against malicious documents, because popular document editors/viewers are run sandboxed (MS Office, OpenOffice, Libre Office, WPS Office, Adobe Reader, Adobe Acrobat, Foxit Reader, SumatraPdf). Furthermore, other vulnerable applications can be easily added. All applications protected by default can be seen using RulesManager64.exe (default.rdb should be loaded).
The good thing (for inexperienced users) is also that one can save documents in the real system. But I noticed that "print to pdf" does not work. I am curious whether normal printing from the sandboxed editor works well.
The ReHIPS sandbox is not as secure as AppContainer, but I did not hear about dangerous bypasses.
 

shmu26

Level 62
Joined
Jul 3, 2015
Messages
5,108
OS
Windows 10
#53
I tried ReHIPS in Permissive mode and it seems that this can be a way to protect people against malicious documents, because popular document editors/viewers are run sandboxed (MS Office, OpenOffice, Libre Office, WPS Office, Adobe Reader, Adobe Acrobat, Foxit Reader, SumatraPdf). Furthermore, other vulnerable applications can be easily added. All applications protected by default can be seen using RulesManager64.exe (default.rdb should be loaded).
The good thing (for inexperienced users) is also that one can save documents in the real system. But I noticed that "print to pdf" does not work. I am curious whether normal printing from the sandboxed editor works well.
The ReHIPS sandbox is not as secure as AppContainer, but I did not hear about dangerous bypasses.
Sometimes there are problems with the isolated application accessing the print spooler; it depends on which application it is, or what printer driver you are using. MS Office applications should print from isolation, and Chrome should print from isolation. I do remember that printing to fax from Chrome did not work, though.
Which isolated app didn't print for you?
 

shmu26

Level 62
Joined
Jul 3, 2015
Messages
5,108
OS
Windows 10
#54
The ReHIPS sandbox is not as secure as AppContainer, but I did not hear about dangerous bypasses.
There are blog posts on the ReHIPS forum that give interesting under-the-hood explanations of ReHIPS sandbox. It builds on native Windows features (i.e., separation between user accounts), but it is more than that.
 
Joined
Dec 23, 2014
Messages
1,576
OS
Windows 10
Antivirus
Microsoft
#55
Sometimes there are problems with the isolated application accessing the print spooler; it depends on which application it is, or what printer driver you are using. MS Office applications should print from isolation, and Chrome should print from isolation. I do remember that printing to fax from Chrome did not work, though.
Which isolated app didn't print for you?
'Print to pdf' does not work from isolated MS Office 2007: the final PDF document is not created in the target directory in the real system. But it does not mean that printing from isolated MS Office 2007 is not possible with a standard printer. I do not have a real printer connected to my computer.
Some posts on the ReHIPS forum indicate that printing is possible, but I did not research this topic. I remember that there were problems with printing in Sandboxie (actually solved), so some problems can also be in ReHIPS.
 

shmu26

Level 62
Joined
Jul 3, 2015
Messages
5,108
OS
Windows 10
#56
'Print to pdf' does not work from isolated MS Office 2007: the final PDF document is not created in the target directory in the real system. But it does not mean that printing from isolated MS Office 2007 is not possible with a standard printer. I do not have a real printer connected to my computer.
Some posts on the ReHIPS forum indicate that printing is possible, but I did not research this topic. I remember that there were problems with printing in Sandboxie (actually solved), so some problems can also be in ReHIPS.
ReHIPS fixed some of the printing issues that were reported, but some issues remain.
 
Joined
Dec 23, 2014
Messages
1,576
OS
Windows 10
Antivirus
Microsoft
#57
I noticed that ReHIPS monitors many Windows system programs.
Most of them have the settings: Allow, Allow, Inapplicable. I wonder what the purpose of putting them on the list is, because they look fully allowed?
Some of the processes on the list have settings: Inspect Children, Allow, Inapplicable and some other (like Universal Applications) have the settings: Block, Allow, Inapplicable.
Anyway, they are un-bounded, so this should be safer for system stability, as compared to Comodo Firewall with auto-sandbox (set to Restricted).
 
Joined
Apr 1, 2017
Messages
1,454
OS
Windows 10
Antivirus
ESET
#58
I noticed that ReHIPS monitors many Windows system programs.
The list is something similar to the Bouncer list.
Sometimes Windows needs to use some of them, and if the process isn't on the list the user has to answer the question. I guess fixer did it to make ReHIPS more user-friendly.
Inapplicable means it can use commands but with some limits (if I remember right).
 

shmu26

Level 62
Joined
Jul 3, 2015
Messages
5,108
OS
Windows 10
#59
I noticed that ReHIPS monitors many Windows system programs.
Most of them have the settings: Allow, Allow, Inapplicable. I wonder what the purpose of putting them on the list is, because they look fully allowed?
Some of the processes on the list have settings: Inspect Children, Allow, Inapplicable and some other (like Universal Applications) have the settings: Block, Allow, Inapplicable.
Anyway, they are un-bounded, so this should be safer for system stability, as compared to Comodo Firewall with auto-sandbox (set to Restricted).
Yeah, fixer -- here he is called @Recrypt -- knows exactly why each process has the rules it does. Get on the ReHIPS forum and ask him, he knows why they did it that way.
And let us know what he said!
 
Joined
Dec 23, 2014
Messages
1,576
OS
Windows 10
Antivirus
Microsoft
#60
The list is something similar to the Bouncer list.
Sometimes Windows needs to use some of them, and if the process isn't on the list the user has to answer the question. I guess fixer did it to make ReHIPS more user-friendly.
Inapplicable means it can use commands but with some limits (if I remember right).
Yes, it does not make sense for the Permissive mode, but is required for Expert and Standard modes. :)
The ReHIPS list includes many processes from the Bouncer blacklist, but also many others. This is possible because all processes on the list are allowed to run (in Permissive mode) and only some of them cannot execute programs (subprograms).
I thought that in Permissive mode there will be no alerts, but it is not true. Rarely, some programs can cause alerts when executing sub-programs (bcdedit.exe, cmd.exe, cscript.exe, dvsvc.exe, InstallUtil.exe, mmc.exe, msdt.exe, mshta.exe, msiexec.exe, netsh.exe, PresentationHost.exe, reg.exe, regedit.exe, RegAsm.exe, RegSvcs.exe, regsvr32.exe, rundll32.exe, setx.exe, wscript.exe, wusa.exe).
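The observation above, that the rare Permissive-mode alerts come from a document viewer executing one of the listed system utilities, is also a useful detection rule for anyone reviewing process-creation telemetry without ReHIPS. The following is an added example written for this page, not code from the thread or from ReHIPS: the utility list is the one quoted in the post, the viewer executable names are assumed from the applications the thread says run sandboxed (MS Office, OpenOffice/LibreOffice, WPS Office, Adobe Reader/Acrobat, Foxit Reader, SumatraPDF), and the key="value" log format and the log lines themselves are constructed.

```python
"""Flag document viewers spawning the system utilities the thread lists as
alert-prone. Constructed example, not ReHIPS code: viewer executable names,
the log format and the sample lines are assumptions; the utility list is
the one quoted in the thread."""
import ntpath
import re
from typing import Dict, List, Tuple

# Processes the thread reports as alert-prone when they execute subprograms.
ALERT_PRONE = {
    "bcdedit.exe", "cmd.exe", "cscript.exe", "dvsvc.exe", "installutil.exe",
    "mmc.exe", "msdt.exe", "mshta.exe", "msiexec.exe", "netsh.exe",
    "presentationhost.exe", "reg.exe", "regedit.exe", "regasm.exe",
    "regsvcs.exe", "regsvr32.exe", "rundll32.exe", "setx.exe", "wscript.exe",
    "wusa.exe",
}

# Assumed executable names for the viewers the thread says run sandboxed.
DOCUMENT_VIEWERS = {
    "winword.exe", "excel.exe", "powerpnt.exe",   # MS Office
    "soffice.bin", "soffice.exe",                 # OpenOffice / LibreOffice
    "wps.exe",                                    # WPS Office
    "acrord32.exe", "acrobat.exe",                # Adobe Reader / Acrobat
    "foxitreader.exe", "sumatrapdf.exe",
}

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key="value" process-creation line into a dict."""
    return {k: v for k, v in FIELD.findall(line)}


def flag_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (parent, child, command line) for viewer -> utility launches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent in DOCUMENT_VIEWERS and child in ALERT_PRONE:
            hits.append((parent, child, ev.get("CommandLine", "")))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    'ParentImage="C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c dir"',
    # explorer is not a document viewer: no hit even though cmd.exe is listed
    'ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe"',
    'ParentImage="C:\\Program Files (x86)\\Adobe\\Reader\\AcroRd32.exe" '
    'Image="C:\\Windows\\System32\\mshta.exe" '
    'CommandLine="mshta.exe C:\\Users\\user\\Downloads\\invoice.hta"',
    # the print driver host is not on the list: ordinary printing stays quiet
    'ParentImage="C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE" '
    'Image="C:\\Windows\\splwow64.exe" CommandLine="C:\\Windows\\splwow64.exe 12288"',
]

if __name__ == "__main__":
    for parent, child, cmdline in flag_events(SAMPLE_LOG):
        print(f"{parent} -> {child}: {cmdline}")
```

Two of the four constructed lines are flagged (WINWORD.EXE launching cmd.exe and AcroRd32.exe launching mshta.exe); the explorer.exe line is ignored because the parent is not a viewer, and the splwow64.exe line is ignored because the print driver host is not one of the listed utilities, which matches the thread's experience that printing from an isolated Office does not by itself cause alerts.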
 