Troubleshoot Build Security around ReHIPS 2.3 on a System?

AtlBo

Thread author
Starting over with ReHIPS 2.3. Would like to build around ReHIPS to build a simple, clean security setup. The system currently has a convoluted setup with the following apps:

Q360TS
MBAE
Zemana Pro
NVT ERP
Binisoft WFC

Likely going to keep WFC, but the rest can go. Zemana I like, so maybe it should stay for scans, etc. Where should I start? Mostly interested first in how to configure ReHIPS to get the most of its multi-container protection capabilities.
 

Recrypt

From ReHIPS
Developer
Hello everybody.

I see there is some confusion between child processes and command lines (subprocesses) inspection. There is a blogpost about it here [FAQ] How does ReHIPS process processes? that should cover all dark areas.

'Print to pdf' does not work from isolated MS Office 2007, the final PDF document is not created in the target directory in the real system.
Could you please describe it step-by-step, so we could try and reproduce this issue? You have isolated Word 2007, you open some DOC file and try to print it to PDF? Where do you save it? Does it show any error or everything seems to go fine, but you don't see the generated file?
We've just tested it on Word 2016, everything seems to work fine. I suspect you saved it into real user profile folder, security redirection took place and the file was saved in isolated user profile folder.

I also noticed a comparison of ReHIPS with AppContainer, I get that question sometimes, so I wrote a blogpost about it here [FAQ] ReHIPS isolation and AppContainer

I noticed that ReHips monitors many Windows system programs.
Most of them have the settings: Allow, Allow, Inapplicable. I wonder what is the purpose of putting them on the list, because they look like fully allowed???
You see, ReHIPS monitors all processes. If it doesn't know some process, it'll ask about it. We didn't want the user to see tons of alerts, so we tried our best to include all widely-used programs on an average Joe PC, even if they're system processes and have to be allowed.

I thought that in Permissive mode there will be no alerts, but it is not true. Rarely, some programs can cause alerts when executing sub-programs (bcdedit.exe, cmd.exe, cscript.exe, dvsvc.exe, InstallUtil.exe, mmc.exe, msdt.exe, mshta.exe, msiexec.exe, netsh.exe, PresentationHost.exe, reg.exe, regedit.exe, RegAsm.exe, RegSvcs.exe, regsvr32.exe, rundll32.exe, setx.exe, wscript.exe, wusa.exe).
Could you please show an example, so we could reproduce it? Permissive Mode is indeed supposed not to show any alerts.

Best regards, fixer.
 
Upvote 0

Andy Ful

From Hard_Configurator Tools
Developer
...
You have isolated Word 2007, you open some DOC file and try to print it to PDF? Where do you save it?
...
I suspect you saved it into real user profile folder, security redirection took place and the file was saved in isolated user profile folder.
...
Correct. That happened as follows.
The user opens a document in the ReHips sandbox. The document can be saved by default in the real folder from where it was opened. So the user thinks that ReHips saves files into the real (not virtualized) folders.
But, if one chooses C:\Users\Username\Documents to save the file, then the document is not saved in this folder but in 'C:\Users\ReHIPSUser1\Documents' (virtualized folder), and the user has no chance to realize this.
That is the case with 'Microsoft Print to PDF', because default target location is the Document folder.
If the Permissive mode is for non-expert users, then it would be more usable to save documents by default into real (not virtualized) folders.
Yes, I know that it would be also less secure, but worth rethinking anyway, because average users have a big problem with virtualized folders.
I have another suggestion. The sandbox for document editors/viewers should by default block the Internet connection (thanks @cruelsister).

...
Could you please show an example, so we could reproduce it? Permissive Mode is indeed supposed not to show any alerts.
...
The important question is as follows: Does ReHips in Permissive mode work as it shows via Rules Database?
If so, then all the processes I mentioned have the setting: 'Can Execute Sub-Programs : Alert'.
If not, then it would be necessary to give a note about it somewhere.
I would like to thank the developer for such an interesting application, and helpful posts. :)(y)
 
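The redirection described in this post is invisible from the Save dialog, so the practical check is to look in both places afterwards. The PowerShell script below is an added example (not from the thread and not ReHIPS code): it searches the real profile's Documents, Desktop and Downloads folders and the same folders under the isolated profile for recently written files matching a name, and labels each hit with the profile it sits in. The isolated profile path C:\Users\ReHIPSUser1 is taken from this post and is assumed to be the same on the reader's system; the file pattern and time window are parameters.

```powershell
# Added example, not code from the thread or from ReHIPS.
# Reports every copy of a file name under the real user profile and under the
# isolated profile, so a "missing" PDF redirected into C:\Users\ReHIPSUser1 can be found.
param(
    [string]$FileName = '*.pdf',                       # name typed in the Save dialog; wildcards allowed
    [string]$RealProfile = $env:USERPROFILE,           # real profile, e.g. C:\Users\Username
    [string]$IsolatedProfile = 'C:\Users\ReHIPSUser1', # isolated profile named in the thread (assumption)
    [int]$WithinMinutes = 60                           # only show files written this recently
)

# Folders a Save dialog usually targets; searching the whole profile would be slow.
$subfolders = 'Documents', 'Desktop', 'Downloads'

function Find-SavedFile {
    param([string]$Pattern, [string]$Root, [string]$Label, [datetime]$Since)
    foreach ($sub in $subfolders) {
        $dir = Join-Path $Root $sub
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Filter $Pattern -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Since } |
            ForEach-Object {
                [pscustomobject]@{
                    Location = $Label
                    Path     = $_.FullName
                    Written  = $_.LastWriteTime
                    Bytes    = $_.Length
                }
            }
    }
}

$since = (Get-Date).AddMinutes(-$WithinMinutes)
$found = @(
    Find-SavedFile -Pattern $FileName -Root $RealProfile     -Label 'real profile'          -Since $since
    Find-SavedFile -Pattern $FileName -Root $IsolatedProfile -Label 'ISOLATED (redirected)' -Since $since
)

if ($found.Count -eq 0) {
    Write-Host "No file matching '$FileName' written in the last $WithinMinutes minutes under either profile."
} else {
    $found | Sort-Object Written -Descending | Format-Table -AutoSize
    if ($found.Location -contains 'ISOLATED (redirected)') {
        Write-Host "Files under $IsolatedProfile were written by an isolated program; copy them out if they are wanted."
    }
}
```

Profile folders are normally readable only by their owner and by Administrators, so if the isolated profile shows nothing at all, run the script from an elevated prompt before concluding the file was never written.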

Recrypt

From ReHIPS
Developer
Thank you for your feedback. I agree, this transparent folder virtualization is not that transparent for the user. We have it in our TODO list to rethink this concept, maybe link or mirror some folders to the real user profile, not sure yet.

The sandbox for document editors/viewers should by default block the Internet connection (thanks @cruelsister).
We tried to allow network access only to the programs that really need it. I guess you mean Office isolated environment? At first we tried to leave it network-less, but there were some troubles with 365-editions that are basically online-editions, some versions want to login online, to activate. So we had to allow network access. Are there some other programs that don't need it, but we allowed it?

I have blogpost here describing different ReHIPS Working Modes [FAQ] Different Working Modes
I'll quote it here for Permissive Mode:
Permissive Mode. If a program is already in the ReHIPS database, these existing rules are used. If a program is not in the ReHIPS database, it's just allowed once. So new programs are allowed without any alerts, but only once, nothing is automatically added to the database.
So yeah, it's supposed not to harass user by any alerts in this mode.
But you're right, if "Can Execute Programs" is set to "Alert", it indeed generates alerts. We'll fix it.

Thank you for your interest in our product and for your feedback.

Best regards, fixer.
 

Andy Ful

From Hard_Configurator Tools
Developer
...
We tried to allow network access only to the programs that really need it. I guess you mean Office isolated environment? At first we tried to leave it network-less, but there were some troubles with 365-editions that are basically online-editions, some versions want to login online, to activate. So we had to allow network access. Are there some other programs that don't need it, but we allowed it?
...
For home users' safety, restricting the Internet connection in the Office sandbox is very important, because most malicious Office documents are trojan downloaders. So maybe allow only connections to Microsoft domains?
Anyway, for other MS Office versions and for other Office editors (LibreOffice, OpenOffice, WPS Office) the Internet connection is needed only once to activate the application - this could be made by temporarily exiting ReHips.
The same is probably true for PDF editors/viewers.
 

Recrypt

From ReHIPS
Developer
Currently ReHIPS doesn't provide deep network filtering like protocols, ports, destinations, etc. It's possible to implement and not that hard, but like every feature it requires time and effort. We have this in our plans, but I don't think it'll be soon. So for now we don't position ReHIPS as a firewall, just some basic features like allow network access or not.

And yeah, I remember how I enabled network access for Office with a heavy heart :) Other document-related programs like Libre Office, Open Office, WPS Office, Adobe PDF or Foxit Reader shouldn't have this access right as far as I remember.
 
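Since ReHIPS only toggles network access per program, the per-application outbound filtering discussed above has to come from the host firewall (the thread author keeps Binisoft WFC, which drives the built-in Windows Firewall). The script below is an added example, not code from the thread, from ReHIPS or from WFC: it creates outbound block rules for document editors and viewers and provides a switch to lift them briefly, for example for the one-time activation mentioned earlier. The executable paths are assumptions for typical installations and must be adjusted; the rule names are invented here.

```powershell
# Added example, not code from the thread, ReHIPS or Windows Firewall Control.
# Creates per-program outbound block rules for document editors/viewers and a switch
# to lift them briefly (e.g. for one-time activation). Run from an elevated prompt.
$documentApps = @(
    'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',        # assumed Office path
    'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE',
    'C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE',
    'C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe'  # assumed Foxit path
)
$rulePrefix = 'Block outbound (document app) - '   # invented rule-name prefix

function Add-DocumentAppBlockRules {
    foreach ($exe in $documentApps) {
        if (-not (Test-Path -LiteralPath $exe)) { Write-Warning "Not installed, skipped: $exe"; continue }
        $name = $rulePrefix + (Split-Path -Leaf $exe)
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "Already present: $name"; continue
        }
        # A program rule matches the binary path regardless of the account it runs under,
        # so it also applies when ReHIPS starts the same binary as the isolated user.
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                            -Program $exe -Profile Any -Enabled True | Out-Null
        Write-Host "Created: $name"
    }
}

# Set-DocumentAppNetwork -Mode Allow before activating a product, -Mode Block right after.
function Set-DocumentAppNetwork {
    param([Parameter(Mandatory = $true)][ValidateSet('Allow', 'Block')][string]$Mode)
    $enabled = if ($Mode -eq 'Block') { 'True' } else { 'False' }
    Get-NetFirewallRule -DisplayName ($rulePrefix + '*') | Set-NetFirewallRule -Enabled $enabled
    Write-Host "Document-app outbound block rules are now $(if ($Mode -eq 'Block') { 'enabled' } else { 'disabled' })."
}

Add-DocumentAppBlockRules
Get-NetFirewallRule -DisplayName ($rulePrefix + '*') | Select-Object DisplayName, Enabled, Action
```

Two caveats follow from how Windows Firewall works. Block rules take precedence over allow rules, so these rules hold even if an allow rule for the same program exists; and if WFC is already in a mode that denies outbound traffic by default, the same effect is obtained by simply not creating allow rules for these programs. The "allow only Microsoft domains" idea from the previous post cannot be expressed this way, because firewall rules match addresses and ports, not domain names.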

Andy Ful

From Hard_Configurator Tools
Developer
Currently ReHIPS doesn't provide deep network filtering like protocols, ports, destinations, etc. It's possible to implement and not that hard, but like every feature it requires time and effort. We have this in our plans, but I don't think it'll be soon. So for now we don't position ReHIPS as a firewall, just some basic features like allow network access or not.

And yeah, I remember how I enabled network access for Office with a heavy heart :) Other document-related programs like Libre Office, Open Office, WPS Office, Adobe PDF or Foxit Reader shouldn't have this access right as far as I remember.
I installed Foxit Reader and it does not have access to the Internet.:)(y)
 

shmu26

For home users' safety, restricting the Internet connection in the Office sandbox is very important, because most malicious Office documents are trojan downloaders. So maybe allow only connections to Microsoft domains?
Anyway, for other MS Office versions and for other Office editors (LibreOffice, OpenOffice, WPS Office) the Internet connection is needed only once to activate the application - this could be made by temporarily exiting ReHips.
The same is probably true for PDF editors/viewers.
If a trojan downloads an exe file or a script file into the isolated environment, it won't run, because ReHIPS application control will stop it.
This assumes you are at least in standard mode. If you are in permissive mode, and it is an exe, it will run, but if it is a script, it will be stopped.

Even in permissive mode, the trojan -- running inside the isolated environment -- will not be able to launch a payload that can escape the isolated environment. The payload will have memory protection, system space protection, and real user space protection.
If you are in permissive mode, and you click on the payload in order to run it, if it is an exe file, it will run without protection. But that is not the usual scenario.
 

Deleted member 65228

If a trojan downloads an exe file or a script file into the isolated environment, it won't run, because ReHIPS application control will stop it.
What if it didn't require a new process spawn? For example, executing code belonging to a downloaded PE from memory. Of course the executed malicious code would still be contained within the isolated environment, but data theft could still then occur, or does ReHIPS have mitigations for that as well?
 

shmu26

What if it didn't require a new process spawn? For example, executing code belonging to a downloaded PE from memory. Of course the executed malicious code would still be contained within the isolated environment, but data theft could still then occur, or does ReHIPS have mitigations for that as well?
1. Processes running in the isolated environment cannot interact with the memory of other processes.
2. Processes running in the isolated environment cannot even see files that are located in real user space. That is where you as an intelligent ReHIPS user are supposed to be keeping your sensitive data -- in real user space.
 

Deleted member 65228

1. Processes running in the isolated environment cannot interact with the memory of other processes.
2. Processes running in the isolated environment cannot even see files that are located in real user space. That is where you as an intelligent ReHIPS user are supposed to be keeping your sensitive data -- in real user space.
About #1, I am referring to executing from memory under the context of your already-isolated process, not touching another process' address space or spawning another process. E.g. manually mapping a downloaded DLL into your own process and not another process.

But I see from your point #2 about the data theft thing so that isn't an issue anyway (under the isolation still + there are data theft mitigations). Interesting feature and makes sense. :)
 

Andy Ful

From Hard_Configurator Tools
Developer
If a trojan downloads an exe file or a script file into the isolated environment, it won't run, because ReHIPS application control will stop it.
This assumes you are at least in standard mode. If you are in permissive mode, and it is an exe, it will run, but if it is a script, it will be stopped.
Even in permissive mode, the trojan -- running inside the isolated environment -- will not be able to launch a payload that can escape the isolated environment. The payload will have memory protection, system space protection, and real user space protection.
If you are in permissive mode, and you click on the payload in order to run it, if it is an exe file, it will run without protection. But that is not the usual scenario.
That is an old problem of sandboxing - the malware can run in the sandbox, spying on the user and sending out the information. There are other dangerous possibilities like escaping the sandbox, but they are much less probable.
The Office documents are opened in the same sandbox, so there is a danger that the user will open a malicious document and a private document (containing confidential data) during the same session. Also, the user can use the same sandbox profile for PDF files, and then the danger is even greater, because many banks allow saving financial information in this format.
 

Andy Ful

From Hard_Configurator Tools
Developer
...
2 Processes running in isolated environment cannot even see files that are located in real user space. That is where you as an intelligent ReHIPS user are supposed to be keeping your sensitive data -- in real user space.
So, why can I see all my files from the isolated text editor? I can also open regedit from the isolated text editor (Permissive mode - Inspect Children/Allow in Isolated Environment/Inapplicable).:(
 

Recrypt

From ReHIPS
Developer
With recommended usage it's hard to spy on the user from the isolated environment.

System and critical files are protected, isolated programs can't write there. Actually writing abilities are quite limited, so basically the only thing it can do is try to read something.
Being executed on a separate desktop it can't intercept keystrokes, make screenshots or somehow spy or sniff information from other windows or processes.
All documents should be stored in the real user profile folder and isolated programs have no access to that folder (neither write nor read). The same goes for the Current User registry hive, but not many people store something private there.
All documents being edited should be temporarily moved into the respective C:\ReHIPS subfolder. Having at most 1 document there, malware will be able to access it, maybe even write to it, but I don't think it's critical.

So overall you'll be secure enough, more than enough, but yeah, it's if you follow all the best practices :)

Best regards, fixer.
 
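The workflow recommended above (keep documents in the real profile, move the one being edited into the C:\ReHIPS subfolder, keep at most one document there) is easy to get wrong by hand. The script below is an added example, not code from the thread or from ReHIPS: it checks one document out into the exchange folder, refuses if the folder already holds a file, launches the editor, and moves the document back when the editor exits, warning about anything left behind. The subfolder name under C:\ReHIPS is a placeholder, since the post only says "respective C:\ReHIPS subfolder"; the editor name is an assumption, and the script assumes ReHIPS places the editor into its isolated environment when it is launched normally.

```powershell
# Added example, not code from the thread or from ReHIPS.
# Check one document out into the ReHIPS exchange folder, edit it, check it back in.
param(
    [Parameter(Mandatory = $true)][string]$Document,               # document stored in the real profile
    [string]$ExchangeFolder = 'C:\ReHIPS\<IsolatedEnvironment>',  # PLACEHOLDER: use the real subfolder name
    [string]$Editor = 'winword.exe'                               # assumption: editor resolvable by Start-Process
)

$Document = (Resolve-Path -LiteralPath $Document).Path
if (-not (Test-Path -LiteralPath $ExchangeFolder -PathType Container)) {
    throw "Exchange folder not found: $ExchangeFolder"
}

# Practice from the thread: at most one document in the exchange folder at a time,
# so a malicious document cannot sit next to a confidential one.
$already = @(Get-ChildItem -LiteralPath $ExchangeFolder -File)
if ($already.Count -gt 0) {
    throw ("Exchange folder is not empty ({0} file(s)): {1}" -f $already.Count, ($already.Name -join ', '))
}

$target = Join-Path $ExchangeFolder (Split-Path -Leaf $Document)
Move-Item -LiteralPath $Document -Destination $target
Write-Host "Checked out -> $target"

try {
    $proc = Start-Process -FilePath $Editor -ArgumentList ('"{0}"' -f $target) -PassThru
    $proc.WaitForExit()
} finally {
    # Check the document back in even if the editor crashed, and leave nothing behind.
    Move-Item -LiteralPath $target -Destination $Document -Force
    $leftovers = @(Get-ChildItem -LiteralPath $ExchangeFolder -File -Force)
    if ($leftovers.Count -gt 0) {
        Write-Warning ("Files left in the exchange folder (remove them): " + ($leftovers.Name -join ', '))
    }
    Write-Host "Checked in  <- $Document"
}
```

Office applications reuse an already running instance, so if the editor is already open the launched process may exit immediately and the document is moved back before editing finishes; close the editor first or use the isolated environment's own launcher. The leftover warning also catches the lock files (~$name) that editors create beside a document.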

Andy Ful

From Hard_Configurator Tools
Developer
With recommended usage it's hard to spy on the user from the isolated environment.

System and critical files are protected, isolated programs can't write there. Actually writing abilities are quite limited, so basically the only thing it can do is try to read something.
Being executed on a separate desktop it can't intercept keystrokes, make screenshots or somehow spy or sniff information from other windows or processes.
All documents should be stored in the real user profile folder and isolated programs have no access to that folder (neither write nor read). The same goes for the Current User registry hive, but not many people store something private there.
All documents being edited should be temporarily moved into the respective C:\ReHIPS subfolder. Having at most 1 document there, malware will be able to access it, maybe even write to it, but I don't think it's critical.

So overall you'll be secure enough, more than enough, but yeah, it's if you follow all the best practices :)

Best regards, fixer.
So, it is quite secure even when the Internet connection is not blocked.
There are still some possibilities to spy when:
  1. The malicious document is opened when the confidential private document was not closed or was saved into the Documents folder (and redirected to the ReHips user profile). That can happen to the inexperienced user.
  2. Malware in the sandbox will exploit the application (for example one not supported by Microsoft - Office 2007), and then it will have read access to all the user's documents.
  3. Malware in the sandbox will scan the disk, read registry keys, .ini files, installed software, etc. to gather information about the system.
Points 3. and 2. can be connected because the malware can gather information, and next the targeted exploit will be applied to MS Office 2007. I cannot say if the danger is real nowadays, but the malware evolves in that direction, so it may be real in the future.
Anyway, I am impressed by anti-spying capabilities of ReHips sandbox.:)
.
Post edited in green.
 

shmu26

So, it is quite secure even when the Internet connection is not blocked.
There are still some possibilities to spy when:
  1. The malicious document is opened when the confidential private document was not closed or was saved into the Documents folder (and redirected to the ReHips user profile). That can happen to the inexperienced user.
  2. Malware in the sandbox will exploit the application (for example one not supported by Microsoft - Office 2007), and then it will have access to all the user's documents.
  3. Malware in the sandbox will scan the disk, read registry keys, .ini files, installed software, etc. to gather information about the system.
Points 3. and 2. can be connected because the malware can gather information, and next the targeted exploit will be applied to MS Office 2007. I cannot say if the danger is real nowadays, but the malware evolves in that direction, so it may be real in the future.
Anyway, I am impressed by anti-spying capabilities of ReHips sandbox.:)
You mentioned earlier about PDF. Each PDF reader, such as Adobe, Foxit, etc, has its own separate isolated environment, so it can't spy on your Word documents or Excel documents, or vice versa, even if the docs are open and you are working on them. This is because each isolated environment is a world unto itself. Note also that MS Outlook is separate from the other MS Office apps.

If malware exploits an isolated app, it still won't gain permission to modify system files or to read data in real user space. But you are right that malware could scan to gain info about the system.
 

shmu26

So, why can I see all my files from the isolated text editor? I can also open regedit from the isolated text editor (Permissive mode - Inspect Children/Allow in Isolated Environment/Inapplicable).:(
I think I know what the problem is.
The restrictions of the isolated environment only apply to the specific application that is tied to it. For instance, if I open isolated Word, I cannot browse from within Word to a doc in real user space, in order to open it. I have to find the doc in Windows File Explorer (or equivalent) in order to open it.
But, and here comes the big but, files located in a ReHIPS user folder are NOT restricted. If I execute malware from a ReHIPS user folder, it will trash my whole system (that is, if I click allow in every prompt that appears).
In this way, ReHIPS is unlike Sandboxie. SBIE is virtualization, but ReHIPS is not.
 

Andy Ful

From Hard_Configurator Tools
Developer
You mentioned earlier about PDF . Each PDF reader, such as Adobe, Foxit, etc, has its own separate isolated environment, so it can't spy on your Word documents or Excel documents, or vice versa, even if the docs are open and you are working on them. This is because each isolated environment is a world unto itself. Note also that MS Outlook is separate from the other MS Office apps.
We agree. I wrote that this can happen if the user uses the PDF viewer/editor with the Office isolation profile (by the ReHips option).:)

If malware exploits an isolated app, it still won't gain permission to modify system files or to read data in real user space. But you are right that malware could scan to gain info about the system.
Are you sure? I can open any Office document (read access) from isolated MS Office 2007. So, after successful exploitation, the malware will be able to do this too.
 
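The two posters disagree about whether an isolated application can read the real user's documents, and the answer may depend on mode and profile, so the reliable thing is to measure it on one's own system. The script below is an added example, not code from the thread or from ReHIPS: started from a shell launched inside the isolated application (so that it inherits the isolated context), it prints the account it runs as and then reports read and write access for the real profile's Documents folder, the isolated profile's Documents folder, System32, Program Files and the HKCU hive. The real account name is a placeholder; the isolated account name ReHIPSUser1 is taken from the thread. Writes use a throwaway file that is removed again.

```powershell
# Added example, not code from the thread or from ReHIPS.
# Run inside the isolated environment to see which locations it can actually reach.
param(
    [string]$RealUser = 'Username',        # PLACEHOLDER: the real account's profile folder name
    [string]$IsolatedUser = 'ReHIPSUser1'  # isolated account named in the thread (assumption)
)

function Test-ReadAccess {
    param([string]$Path)
    try { Get-ChildItem -LiteralPath $Path -Force -ErrorAction Stop | Out-Null; 'readable' }
    catch { 'not readable (' + $_.Exception.GetType().Name + ')' }
}

function Test-WriteAccess {
    param([string]$Dir)
    # Throwaway probe file with a random name; removed immediately if the write succeeds.
    $probe = Join-Path $Dir ('probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        'writable'
    } catch { 'not writable (' + $_.Exception.GetType().Name + ')' }
}

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
"Running as : {0}" -f $identity.Name        # expected to be the isolated account when run from inside
"Profile    : {0}" -f $env:USERPROFILE
""

$locations = [ordered]@{
    'Real user Documents'     = "C:\Users\$RealUser\Documents"
    'Isolated user Documents' = "C:\Users\$IsolatedUser\Documents"
    'System32'                = Join-Path $env:windir 'System32'
    'Program Files'           = $env:ProgramFiles
}

"{0,-24} {1,-40} {2,-36} {3}" -f 'Location', 'Path', 'Read', 'Write'
foreach ($label in $locations.Keys) {
    $path = $locations[$label]
    "{0,-24} {1,-40} {2,-36} {3}" -f $label, $path, (Test-ReadAccess $path), (Test-WriteAccess $path)
}

# The Current User hive of whichever account the shell runs as.
$hkcu = $(try { Get-ChildItem 'HKCU:\Software' -ErrorAction Stop | Out-Null; 'readable' }
          catch { 'not readable (' + $_.Exception.GetType().Name + ')' })
"{0,-24} {1,-40} {2}" -f 'HKCU\Software', '(registry)', $hkcu
```

Run the same script from a normal (non-isolated) shell as well and compare the two tables: the "Running as" line shows whether the shell really inherited the isolated account, and a "readable" result for the real user's Documents folder inside the isolated run is exactly the condition this post is asking about.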

Andy Ful

From Hard_Configurator Tools
Developer
I think I know what the problem is.
The restrictions of the isolated environment only apply to the specific application that is tied to it. For instance, if I open isolated Word, I cannot browse from within Word to a doc in real user space, in order to open it. I have to find the doc in Windows File Explorer (or equivalent) in order to open it.
I can with isolated MS Office 2007 (sandbox created automatically by ReHips, Permissive mode). Maybe you were using another ReHips mode?
But, and here comes the big but, files located in a ReHIPS user folder are NOT restricted. If I execute malware from a ReHIPS user folder, it will trash my whole system (that is, if I click allow in every prompt that appears).
In this way, ReHIPS is unlike Sandboxie. SBIE is virtualization, but ReHIPS is not.
That is interesting, I have to test it.:)(y)
 
