Troubleshoot Build Security around ReHIPS 2.3 on a System?

AtlBo

Starting over with ReHIPS 2.3. I would like to build around ReHIPS to create a simple, clean security setup. The system currently has a convoluted setup with the following apps:

Q360TS
MBAE
Zemana Pro
NVT ERP
Binisoft WFC

Likely going to keep WFC, but the rest can go. I like Zemana, so maybe it should stay for scans, etc. Where should I start? Mostly interested first in how to configure ReHIPS to get the most out of its multi-container protection capabilities.

Deleted member 65228

I don't know much about ReHIPS, but I'd upgrade to Windows 10 for its internal security enhancements. There are a lot of differences between the Windows 7 and Windows 10 kernels, and you may like to use Windows 10 Exploit Protection over MBAE if it provides enough for you, reducing resource usage as well. Not to mention system-wide SmartScreen post Windows 8.

I'd say:
System-wide SS/UAC on Maximum
Qihoo 360 TS
ReHIPS
Binisoft WFC

+ Zemana for on-demand scanner only.

Would be sufficient.

AtlBo

I'd say:
System-wide SS/UAC on Maximum
Qihoo 360 TS
ReHIPS
Binisoft WFC

MBAE free is not much protection from what I have seen. If anything, I think I would rather use EMET 5.5, which I have configured for W7 on another computer. It adds system-wide DEP and many good exploit protections. I could transfer the settings over easily with EMET.

I like Q360, and I might keep it, not sure. Thinking of trying Kaspersky AV or Bitdefender Free, though. Q360's sandbox is very good for MS Office (2007), but it will conflict with ReHIPS over save locations: Qihoo will want to save in its sandbox and ReHIPS in the container. So I feel like if I want to build around ReHIPS, I probably should ditch the extras of 360. AppCheck is too good to leave off a computer. It uses no resources, and it works in the little bit of testing I have done. I'll probably use AppCheck, but I'm not sure about anything yet, honestly. Need to know more about ReHIPS. Thanks for the comments.

shmu26

Best thing is to install just ReHIPS, and get to know it. Then you will be wiser, and you will know what else you need.
With ReHIPS, among other things you have to get used to the prompts. They are a bit different from ERP and Comodo.
The prompt for vulnerable processes is the one that kept confusing me, and I kept complaining until they agreed to make it clearer and more intuitive. The thing is that when a vulnerable process comes along, by default the prompt will be set to allow only once. If you want to allow that command line permanently, you have to click on the link in the UPPER part of the prompt, because if you permanently allow it from the bottom part of the prompt, you are messing things up: you are not whitelisting the command line, you are removing that process from the vulnerable process list.

I am using the term "vulnerable process list" loosely and inexactly, because it is not a ReHIPS concept, it is an ERP concept. In ReHIPS, the so-called "vulnerable processes" are not categorized as such. Rather, they have "sub-programs" set to "alert". That way it catches the command lines.
Regular processes have sub-processes set to "inapplicable".

This may sound kind of esoteric, but really it's not; you just have to see it in action, and you will grasp it.

AtlBo

If you want to allow that command line permanently, you have to click on the link in the UPPER part of the prompt. Because if you permanently allow it from the bottom part of prompt, you are messing things up. You are not whitelisting the command line, you are removing that process from the vulnerable process list.

I am using the term "vulnerable process list" loosely and inexactly, because it is not a ReHIPS concept, it is an ERP concept. In ReHIPS, the so-called "vulnerable processes" are not categorized as such. Rather, they have "sub-programs" set to "alert". That way it catches the command lines.
Regular processes have sub-processes set to "inapplicable".

This may sound kind of esoteric, but really it's not, you just have to see it in action, and you will grasp it.

@shmu26, that helps tremendously, thanks. I have not even noticed the link in the upper part of the prompt, so I must have been doing as you say and removing the process from the "alert" programs. By this I assume you mean the applications in ERP that are vulns, and I see the large-scale difference between whitelisting a command line and whitelisting the actual application running the command line (cmd.exe, PowerShell, etc.).

I have been using 2.2, I guess. It's on the system already, so I will uninstall that and then install 2.3 shortly. Any tips early on after the installation? Thanks again.

shmu26

I assume you mean then the applications in ERP that are vulns
Roughly speaking, the vulns in ERP are set to sub-program "alert" in ReHIPS.
But ReHIPS does this for more processes than you will find on the default vuln list in ERP beta 2015.

EDIT: You can play with it. For instance, you can take MS Outlook out of isolation, but set sub-programs and child processes to alert.

Sunshine-boy

Do this: install ReHIPS, then allow everything for Q360 processes from the ReHIPS program manager so it will not conflict with Q360! But don't forget ReHIPS will inject itself into other processes (I found this while using ESET HIPS). Not sure if Q360 allows this! But you can exclude ReHIPS from Q360 real-time protection.
The best way is to use expert mode! Standard mode is also good but still broken.
I will go for this: Q360 + ReHIPS + OSArmor + Binisoft WFC
Q360 sandbox > ReHIPS sandbox, because of its zero-config sandbox, and it is more user-friendly.

Deleted member 65228

@Sunshine-boy ReHIPS injects code into other running processes? I'm asking because I've never properly used it nor looked into how it works, but I thought the whole point of ReHIPS was to provide restrictions without rootkit-like techniques (e.g. built-in Windows protection instead, like manual usage of the built-in AppContainer). If they really do inject code into other running processes, then the marketing is unethical, because I am pretty sure they say they don't use rootkit-like techniques, yet injecting code into running processes is indeed a very common rootkit technique... user-mode rootkits. LOL.

@shmu26 Do you know anything about how ReHIPS works internally? Does it indeed inject code into running processes?

shmu26

@Sunshine-boy ReHIPS inject code into other running processes? I'm asking because I've never properly used it nor looked into how it works, but I thought the whole point of ReHIPS was to provide restrictions without rootkit-like techniques (e.g. built-in Windows protection instead - like manual usage of the built-in AppContainer). If they really do inject code into other running processes then the marketing is unethical because I am pretty sure they say they don't use rootkit-like techniques except injecting code into running processes is indeed a very common rootkit technique... User-Mode rootkits. LOL.

@shmu26 Do you know anything about how ReHIPS works internally? Does it indeed inject code into running processes?
@SHvFl should know how it works under the hood. There is a ReHIPS DLL that gets injected into processes; I have seen it during debugging sessions. That is probably what @Sunshine-boy is talking about. I don't remember the exact reason for it, though.

Deleted member 65228

Still though, injecting a DLL is still injecting code into another process -> still a rootkit-like technique to get code executed in another process for control

Edit: Asked someone, and they said it isn't for security. So not that bad, but it still made me feel a bit disappointed because, whatever the reason... they say no rootkit techniques, and injection is a rootkit technique. But still, it's a good product and works well from what I've seen.

Last edited by a moderator.

shmu26

Still though, injecting a DLL is still injecting code into another process -> still a rootkit-like technique to get code executed in another process for control. I think that is hilarious. They are no better than other vendors like they try to make out then. If they hook any APIs using the DLL injected then that is just hypocritical lol

I like ReHIPS from what I have seen but that marketing ... damn. From everything I had heard and reading their website I genuinely thought it had nothing like code injection and the alike sort, looks like that isn't true then?

Pretty misleading if you ask me. Unless the info is wrong and it doesn't inject code
Maybe @SHvFl can give us some input about this issue. He understands the program pretty well.

Deleted member 65228

@shmu26 Just asked him ;)

He said that they do hook, but for usability stuff, not related to security. Still a rootkit-like technique, so that disappointed me, but it isn't all that bad. They probably mean they don't hook for the actual functionality, but then again, who cares anyway. As long as it works I don't think it matters that much; I just didn't take a liking to the marketing now.

AtlBo

Had some trouble removing 2.2, so I found the link for the installer and reinstalled that version. Successfully uninstalled the program, but it left the entire program directory on the PC. Reinstalled again and used Revo to get rid of everything. This kind of adds to my concerns about ReHIPS for the here and now.

One other thing. When I downloaded 2.2, it was blocked by Chrome. Reading why, Google says that it blocks downloads from sites that have been associated with malware downloads. Anyone have any insight on this issue before I install 2.3?

Also one question about the user/container folders. I simply deleted them. Is this a problem? Hope not. I was a little bit fed up, and decided to rid the PC of them before asking.

shmu26

Had some trouble removing 2.2, so I found the link for the installer and reinstalled that version. Successfully uninstalled the program, but it left the entire program directory on the PC. Reinstalled again and used Revo to get rid of everything. This kind of adds to my concerns about ReHIPS for the here and now.

One other thing. When I downloaded 2.2, it was blocked by Chrome. Reading why, Google says that it blocks downloads from sites that have been associated with malware downloads. Anyone have any insight on this issue before I install 2.3?

Also one question about the user/container folders. I simply deleted them. Is this a problem? Hope not. I was a little bit fed up, and decided to rid the PC of them before asking.
1. I have found ReHIPS to uninstall smoothly. Obviously, that was not true in your case. But it can leave ReHIPS user folders behind if the contents require admin privileges to delete. If that happens, you just delete them manually.

2. Chrome does have the annoying habit of blocking that download you mentioned. It seems to be a computer-generated block; I think that the Chrome algorithm doesn't like the site name "ReCrypt", in conjunction with the Russian-language subforum and the constant discussion of malware techniques.
To machine learning, it sounds like a bunch of hackers.

AtlBo

2 Chrome does have the annoying habit of blocking that download you mentioned, it seems to be a computer generated block, I think that the Chrome algorithm doesn't like the site name "ReCrypt", in conjunction with the Russian-language subforum and the constant discussion of malware techniques.
To machine learning, it sounds like a bunch of hackers.

Had this feeling. 2.3 download was not a problem.

Thinking of trying expert mode. Haven't tried it yet, anything specific to know before changing over to Expert?

Recrypt

ReHIPS developer
Hello everyone and Merry Christmas.

Regarding Google and downloads. Truth to tell, I have no idea why it doesn't like us. I already posted about it here: Ask Questions Here - ReHIPS Features & Unexpected Behaviors. ReHIPS is served through HTTPS, the certificate is OK, it's signed with a valid signature, no protectors, packers, whatsoever, no AV detections, and the compiler and installer are also standard and widespread. And I have no idea whom to write to fix this, as I tried to leave tons of comments in Google webmaster feedback, but none were answered. So not sure what else we can do.

Since the question of hooking was discussed, let me copy-paste one of upcoming blogposts.

As you probably know, we state that "ReHIPS doesn't use rootkit-technologies (kernel-mode hooks etc.)". But some may wonder "hey, what's that HookDll32/64.dll then? I saw it was injected!". So let's talk about this a bit.

Since the dawn of time antiviruses were hooking the Windows kernel to intercept critical functions and inspect program behavior. And they'd been living happily till death in the person of PatchGuard did them part. Kernel Patch Protection (also known as PatchGuard) was introduced in Windows 2003 x64 (actually in Windows XP x64, but you can say it's based on the 2003 kernel). Though it didn't stop some of the vendors from hooking the kernel (using a hypervisor or some other shady stuff), it became something that is not just officially discouraged, but is actively being counteracted, resulting in a Blue Screen Of Death.

And what about user-mode hooks? They aren't something that is promoted, but if something can't be done without them, go ahead, use them, Microsoft even has a Detours project that helps hooking user-mode functions. And according to official Detours page "Under commercial release for over 10 years, Detours is licensed by over 100 ISVs and used within nearly every product team at Microsoft." So yeah, this thing is not that bad and dangerous like kernel-mode hooking, if it's "used within nearly every product team at Microsoft".

So what about ReHIPS? ReHIPS doesn't use any kernel-mode hooks. At all. And never has. And never will. We stand true to our statements. But yes, it does use some user-mode hooking. Why? They are for usability purposes only; no security or other potentially dangerous or important feature relies on it. For example, when a process being started by explorer.exe (and that is pretty much every process you start by double-clicking in Explorer) is blocked, Explorer complains about it and shows an error window. The injected HookDll intercepts this function in other processes like Explorer and convinces them that everything is OK, no need to throw error windows. So it's purely a question of usability.
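Two of the developer's statements above can be checked on your own box rather than taken on trust: that the installer carries a valid signature, and that the only thing landing in other processes is a user-mode HookDll32/64.dll. The PowerShell below is an added example written for this page, not code from ReHIPS or from Recrypt; the installer path is an assumed placeholder and the DLL names are taken from the post, so adjust both to what you actually downloaded.

```powershell
# Added example (not ReHIPS code). Run from an elevated, 64-bit PowerShell so
# that the module lists of other users' and 64-bit processes can be read.
$installer  = "$env:USERPROFILE\Downloads\ReHIPS_Setup.exe"   # assumed path, adjust
$dllPattern = '^HookDll(32|64)\.dll$'                          # names quoted in the post above

# 1. Check the installer's Authenticode signature and record its hash before
#    running it. Status 'Valid' means the chain verified; anything else
#    (NotSigned, HashMismatch, UnknownError) deserves a closer look.
$sig = Get-AuthenticodeSignature -FilePath $installer
[pscustomobject]@{
    File   = $installer
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
    SHA256 = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
} | Format-List

# 2. Find every process that has the hook DLL loaded and who signed that DLL.
#    Reading .Modules throws for protected processes and for processes of the
#    other bitness, so those are skipped and counted separately.
$skipped = @()
$hits = foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { $skipped += $p.ProcessName; continue }
    foreach ($m in $mods) {
        if ($m.ModuleName -match $dllPattern) {
            $s = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                PID       = $p.Id
                Process   = $p.ProcessName
                Module    = $m.FileName
                SigStatus = $s.Status
                Signer    = $s.SignerCertificate.Subject
            }
        }
    }
}
$hits | Sort-Object Process | Format-Table -AutoSize
"Processes whose module list could not be read: $($skipped.Count)"
```

Part 2 showing the DLL inside explorer.exe (and nothing unexpected in the Signer column) is exactly the behaviour the post describes. Note what this check cannot tell you: kernel-mode hooks never appear in a user-mode module listing, so an empty result rules nothing out at that level, and a process that could not be enumerated (a protected process, or a 32-bit process seen from a 64-bit shell) is simply unknown, not clean.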

AtlBo

@Recrypt, thanks for the details.

Just attempted to install ReHIPS 2.3 on W7 64 SP1 but got a message that SP1 is required. SP1 is definitely on the PC, so is this a .NET thing perhaps? I have .NET 4.6 installed, but I'm not sure I ever installed 4.5. Think I installed 4.6 for ReHIPS 2.2, but I don't know what is required at this point...

EDIT: Never mind. Running NVT ERP and using allows for the prompts led to the message. I used "Install Mode" for ERP and the installation went through.

AtlBo

For you other guys, should I activate learning mode? Just looking for any tips for this early stage. Not going to be doing anything fancy, but I probably will run in expert mode, once I get going...

@shmu26, is this the type of alert you referred to earlier? I do want to make sure that I don't blanket allow risky apps. Thanks. There is the other type of alert which has two rows of choices that look like dots (think I saw this): always, never, once, and then below that Block or Allow. Don't want to get confused here. If I select "Permanent" and "Allow" for this, is only the single command line allowed from the application (in this case WScheduler)?

[attachment: ReHIPS.png]