Troubleshoot Build Security around ReHIPS 2.3 on a System?

AtlBo

Thread author
Dec 29, 2014
Starting over with ReHIPS 2.3. Would like to build a simple, clean security setup around ReHIPS. The system currently has a convoluted setup with the following apps:

Q360TS
MBAE
Zemana Pro
NVT ERP
Binisoft WFC

Likely going to keep WFC, but the rest can go. Zemana I like, so maybe it should stay for scans, etc. Where should I start? Mostly interested first in how to configure ReHIPS to get the most of its multi-container protection capabilities.
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
I honestly don't know what to say about your Office 2007. Beats me. We need to get @Recrypt back into the discussion...
Maybe you were opening documents when not in Permissive mode? The sandbox has the option:
Open File Access : Protection Mode-dependent.
 

shmu26

Jul 3, 2015
Maybe you were opening documents when not in Permissive mode?
Right, I was not in Permissive mode, but I don't think that should make a difference. The mechanism of isolation should work the same. It is utilizing basic Windows user account boundaries that should not be changeable. Limited user account A cannot access files in limited user account B.
I PMed fixer to make another visit to this discussion...
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
Right, I was not in Permissive mode, but I don't think that should make a difference. The mechanism of isolation should work the same. It is utilizing basic Windows user account boundaries that should not be changeable. Limited users account A cannot access files in limited users account B.
I PMed fixer to make another visit to this discussion...
I edited my last post when you wrote yours. :) There is a difference.
 

Recrypt

From ReHIPS
May 26, 2014
  1. The malicious document is opened when the Confidential private document was not closed or was saved into Documents folder (and redirected to ReHips User profile). That can happen to the inexperienced user.
  2. Malware in the sandbox will exploit the application (for example not supported by Microsoft - Office 2007), and then it will have the read access to all user's documents.
  3. Malware in the sandbox will scan the disk, read registry keys, .ini files, installed software, etc. to gather the information about the system.
1. I agree, it's possible to mess something up. In the end, it's up to the user to follow the best practices. The user, being the final and ultimate judge, can just disable the security, and no product can protect from that. What I mean is ReHIPS is trying to provide a way for security, but it's up to the user to follow that way, and yeah, sometimes it requires knowledge and is not as easy as we'd like it to be, but that's why we're here and we're working on it :)
2. Exploiting the isolated program will grant basically the same rights and privileges as something executed in the same isolated environment. So it'll have no access to real user profile. And will have access to at most 1 document in C:\ReHIPS subfolder.
3. I agree, it can gather some information, but will it be a security incident? All sensitive data should be stored in real user profile, malware will have no access to it. It can read public and already well-known files from Windows directory, from Program Files directory, it'll probably learn that I have for example Opera installed. Maybe it's not comfortable to know that this information left PC, but it doesn't look critical.

And I see there is a discussion of Open File Access feature. It's described in this blogpost [FAQ] Convenient yet treacherous Open File Access feature
In short: it's not recommended to rely on it, it's more of a "workaround" for usability. But if you intend to build a secure and reliable system, it's preferred to disable it.
But what you see as a real user will be slightly different for isolated programs. For example I say that isolated programs don't have any access to real user profile. When you browse there in explorer and double-click on some document, Open File Access feature kicks in and does some magic for the isolated program to successfully access the document. But isolated programs can't do it on their own, this magic won't work for them. When they try to browse real user profile folder (or registry hive) they're transparently redirected into their own isolated (ReHIPSUserX) profile folder (or registry hive) and can see and access only files from there.

Best regards, fixer.
 

shmu26

Jul 3, 2015
When they try to browse real user profile folder (or registry hive) they're transparently redirected into their own isolated (ReHIPSUserX) profile folder and can see and access only files from there.
@Andy Ful I wonder if that is maybe the behavior you were seeing in Word 2007? Any file that you opened from real user space gets immediately copied into ReHIPSUserX profile folder. Sometimes I thought I was viewing real user folder but it turned out I was really viewing ReHIPSUserX folder.
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
@Andy Ful I wonder if that is maybe the behavior you were seeing in Word 2007? Any file that you opened from real user space gets immediately copied into ReHIPSUserX profile folder. Sometimes I thought I was viewing real user folder but it turned out I was really viewing ReHIPSUserX folder.
Sadly no. I can open the DOCX files from the real location on another disk (D:\), using isolated MS Word 2007 (sandbox created automatically by ReHips in Permissive mode). There is only one difference, the file is opened in the read-only mode.
I think that the documents are not visible to isolated applications only when located in the User profile. That is OK, because ReHips creates different user profiles for different sandboxes.
But, this will be a problem for inexperienced users, because they often leave downloaded documents in the Download folder or another disk / pendrive.
So, when Office 2007 is exploited, then the isolated malware will have access only to the documents placed outside of the User profile.(y)
As I said, the ReHips protection is impressive. The question is if it can be used in Permissive mode by inexperienced user (with occasional help).
 

shmu26

Jul 3, 2015
I think, that the documents are not visible for isolated applications only when located in the User profile.
This is correct. I discovered this at one point, and I couldn't understand why protection was not working. For those other locations, by default there are no "write" permissions, but there ARE read and execute permissions -- unless you customize it. So yes, there is a privacy risk for those locations, unless customized.

Word cannot write a temp file over there, which is needed for the doc to open in regular format, so that is why it is read-only.

If the doc was in user profile, then the "magical" feature that fixer mentioned would start to work. It copies the doc to ReHIPS user folder, and copies it back when you close the doc. It took them a long time to perfect that feature.
 
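The posts above describe three boundaries from the point of view of an isolated program: the real user profile is transparently redirected to the ReHIPSUserX profile, locations outside the profile (another drive, Program Files, Windows) are readable but not writable by default, and the process itself runs as a separate account. The script below is an added example written for this thread; it is not ReHIPS code and none of the posters ran it. It maps what the current process can see and write, so you can run it once from the real desktop and once from a PowerShell started inside a ReHIPS sandbox, then compare the two reports. The real profile path is a placeholder you must edit, the isolated profiles are assumed to live under C:\ReHIPS as fixer's post states, and D:\ is assumed to exist as a second drive, as in Andy Ful's test.

```powershell
# Added example for this thread (not ReHIPS code). Run from the real desktop
# and again from an isolated PowerShell, then diff the output.
$RealProfile    = 'C:\Users\alice'   # ASSUMPTION: replace with the real user profile path
$IsolatedRoot   = 'C:\ReHIPS'        # from fixer's post: isolated profiles live under here
$ProbeLocations = @(
    (Join-Path $RealProfile 'Documents'),
    (Join-Path $RealProfile 'Downloads'),
    'C:\Users\Public\Documents',
    'D:\',                            # ASSUMPTION: a second, non-profile drive exists
    'C:\Program Files',
    'C:\Windows'
)

function Get-ProcessIdentity {
    # Inside an isolated program this should report a ReHIPSUserX account and
    # profile even though the process still "sees" the real paths.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object System.Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        User        = $id.Name
        Sid         = $id.User.Value
        UserProfile = $env:USERPROFILE
        IsAdmin     = $pr.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Test-Location {
    # Reports whether a path exists, can be listed, and accepts a file write.
    # The write probe creates and deletes a uniquely named temp file.
    param([Parameter(Mandatory)][string]$Path)
    $r = [ordered]@{ Path = $Path; Exists = (Test-Path -LiteralPath $Path); CanList = $false; CanWrite = $false }
    if ($r.Exists) {
        try { $null = Get-ChildItem -LiteralPath $Path -Force -ErrorAction Stop; $r.CanList = $true } catch {}
        $probe = Join-Path $Path ('rehips-probe-{0}.tmp' -f [guid]::NewGuid())
        try {
            Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
            $r.CanWrite = $true
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        } catch {}
    }
    [pscustomobject]$r
}

function Test-ProfileRedirection {
    # Writes a marker into the (apparently) real Documents folder, then looks for
    # it under the isolated profiles. From inside the sandbox the write succeeds
    # but the file lands under C:\ReHIPS\...; from the real desktop it does not.
    param([string]$Documents = (Join-Path $RealProfile 'Documents'),
          [string]$Root = $IsolatedRoot)
    $name   = 'rehips-redirect-{0}.txt' -f [guid]::NewGuid()
    $marker = Join-Path $Documents $name
    try { Set-Content -LiteralPath $marker -Value 'marker' -ErrorAction Stop }
    catch { return "write to $Documents denied: $($_.Exception.Message)" }
    $hits = @()
    if (Test-Path -LiteralPath $Root) {
        $hits = Get-ChildItem -LiteralPath $Root -Recurse -Filter $name -Force -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName
    }
    Remove-Item -LiteralPath $marker -Force -ErrorAction SilentlyContinue
    if ($hits) { "REDIRECTED: marker written to $marker appeared at $($hits -join ', ')" }
    else       { "NOT redirected: marker stayed at $marker (no copy under $Root)" }
}

'== Identity =='
Get-ProcessIdentity | Format-List
'== Locations =='
$ProbeLocations | ForEach-Object { Test-Location $_ } | Format-Table -AutoSize
'== Redirection =='
Test-ProfileRedirection
```

Read the two reports side by side: the isolated run should show a different User and UserProfile, CanWrite false for D:\ and the system folders (which is why Andy Ful's DOCX on D:\ opens read-only), and the REDIRECTED line for Documents. If the isolated run shows CanWrite true on a location outside the profile, that location's sandbox permissions have been customized, as shmu26 notes.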

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
...
If the doc was in user profile, then the "magical" feature that fixer mentioned would start to work. It copies the doc to ReHIPS user folder, and copies it back when you close the doc. It took them a long time to perfect that feature.
...
That is a very convenient solution for an average user. I noticed that this feature works not only in the User profile, but for any document location. I can open the DOCX file located on drive D:\ and edit/save it at the same location, even save with the changed name. That is not possible if I change the initial location.
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
@Recrypt
One thing should be improved. If the user opens a document outside of the user profile (for example from a pendrive or the default Downloads folder) then he cannot save it in the Documents folder (in the User profile).
The document is stored in the ReHips sandbox, but it is not copied to the real Documents folder in the User profile.
I think, that this improvement will also solve the problem with 'Print to PDF' feature.
 

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
I tested macros in the MS Office sandbox in Permissive mode. MS Word 2007 was executed as standard user.
The macro can use PowerShell to download a payload and run it in the sandbox as standard user. If the payload requires elevation, it is blocked by the sandbox restrictions. In higher modes, the user will see the ReHips prompt and the payload will be run only if the user allows it.
 
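Andy Ful's macro test has two stages: a child process started from the isolated Office session, and a second attempt that asks for elevation. The script below is an added example written for this thread; it is not ReHIPS code and not Andy Ful's macro, and it uses no network and no real payload. A constructed stand-in script that only reports who ran it is written to %TEMP%, run as a plain child process, then run again with a request for elevation, so you can see what the isolated standard-user account permits. Run it from a PowerShell started inside the ReHIPS Office sandbox (Permissive mode) and again from the real desktop; the only assumption is that powershell.exe is on the PATH.

```powershell
# Added example for this thread (not ReHIPS code, not the original macro).
# Constructed stand-in for a "downloaded" payload: it just reports the identity
# and elevation state of whatever process executes it.
$Payload = Join-Path $env:TEMP 'constructed-payload.ps1'
@'
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$p  = New-Object System.Security.Principal.WindowsPrincipal($id)
"{0}|{1}" -f $id.Name, $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
'@ | Set-Content -LiteralPath $Payload -Encoding ASCII

function Invoke-PayloadAsChild {
    # Stage 1 of the macro pattern: run the file as an ordinary child process.
    # Inside the sandbox this is expected to succeed, as the same ReHIPSUserX account.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $out = & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $Path 2>&1
        $user, $admin = ($out | Select-Object -Last 1) -split '\|'
        [pscustomobject]@{ Stage = 'child, no elevation'; RanAs = $user; Elevated = [bool]::Parse($admin); Outcome = 'ran' }
    } catch {
        [pscustomobject]@{ Stage = 'child, no elevation'; RanAs = $null; Elevated = $false; Outcome = "failed: $($_.Exception.Message)" }
    }
}

function Invoke-PayloadElevated {
    # Stage 2: the same file, but requesting elevation. In the configuration the
    # thread describes this is refused (or prompted in higher modes) rather than granted.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $proc = Start-Process -FilePath 'powershell.exe' `
                    -ArgumentList @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $Path) `
                    -Verb RunAs -PassThru -Wait -ErrorAction Stop
        [pscustomobject]@{ Stage = 'elevated'; RanAs = '(see UAC prompt)'; Elevated = $true; Outcome = "exited $($proc.ExitCode)" }
    } catch {
        # Typical messages: "The requested operation requires elevation", or an
        # access-denied / cancelled error when the sandbox or the user blocks it.
        [pscustomobject]@{ Stage = 'elevated'; RanAs = $null; Elevated = $false; Outcome = "blocked: $($_.Exception.Message)" }
    }
}

Invoke-PayloadAsChild -Path $Payload
Invoke-PayloadElevated -Path $Payload
Remove-Item -LiteralPath $Payload -Force -ErrorAction SilentlyContinue
```

From the sandbox, stage 1 should report the ReHIPSUserX account with Elevated false, matching Andy Ful's observation that the payload runs as standard user; stage 2 should end in the "blocked" outcome. From the real desktop, stage 2 produces the normal UAC prompt instead, which is the difference the sandbox is meant to enforce.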
