Troubleshoot Build Security around ReHIPS 2.3 on a System?

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Starting over with ReHIPS 2.3. Would like to build around ReHIPS to build a simple clean security setup. System currently has convoluted setup for now with the following apps:

Q360TS
MBAE
Zemana Pro
NVT ERP
Binisoft WFC

Likely going to keep WFC, but the rest can go. Zemana I like, so maybe it should stay for scans, etc. Where should I start? Mostly interested first in how to configure ReHIPS to get the most of its multi-container protection capabilities.
 

Recrypt

From ReHIPS
Verified
Developer
May 26, 2014
11
ReHIPS requires Vista SP1+, so any Windows 7 should be OK, someone other than ReHIPS is complaining.

Differences between Working Modes are covered in this blogpost, you may want to take a look [FAQ] Different Working Modes I wouldn't go for Lock-Down Mode at first, but other than that you should be fine. Just more alerts on Expert Mode and that's it.

BTW, ReHIPS should be updatable, i.e. OK if installed over the already installed older version. So you don't have to uninstall 2.2.0. But if you want a completely fresh install, why not. It should delete all its files on uninstall (I'll make a blogpost about it a bit later as some files may indeed be left, it depends on user choice in some windows). Just some files may be in use, so they'll be automatically deleted on reboot. But it's completely OK if you decided not to wait and deleted them manually.
 
Deleted member 65228

@Recrypt Apologies if my posts seemed a bit hostile, I do like ReHIPS. I was just disappointed because the marketing said one thing, but then code injection is still a rootkit-like technique for user-mode rootkits; but it is clear to me now that you were referring to kernel-mode patching only, and you're right, your product doesn't do any of that which is pretty good because such are unstable of course

Makes sense to me as to why you inject, and thank you for joining the thread to clear up the concern :) The MS Detours point was a good one, sadly they only license the x64 process supported version to companies it seems though... No idea how much they'd charge for it haha, I've heard rumours before of it being 10 grand but I doubt that is true (unless you already know and could verify it unless there's an NDA) haha
 

AtlBo

@Recrypt...thx, yes, I got it resolved. NVT ERP alerts must have caused a time out but it installed fine in Install Mode...
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
> For you other guys, should I activate learning mode? Just looking for any tips for this early stage. Not going to be doing anything fancy, but I probably will run in expert mode, once I get going...
>
> @shmu26, is this the type of alert you referred to earlier? I do want to make sure that I don't blanket allow risky apps. Thx. There is the other type of alert which has two rows of choices that look like dots (think I saw this), always, never, once and then below that Block or Allow. Don't want to get confused here. If I select "Permanent" and "Allow" for this is only the single command line allowed from the applications (in this case WScheduler)?
Hi, the prompt that you took screenshot of is not the one I was talking about. Child programs is a different thing. In a prompt like this, usually the best choice is "inspect children". But if it is a very safe program, and "inspect children" leads to too many prompts, then just choose "allow".

About expert mode:
1 by default, you will not be able to double click Word files etc that are in real user space, but you can allow it, if you wish, by modifying the settings.
2 trusted publishers list is ignored, so you can expect a lot of prompts, and get ready to edit your rules with wildcards.
3 An additional tweak is to enable lockdown when there is no GUI. This way, anything new is blocked by the ReHIPS service, which starts quickly after system reboot, and this blocking continues until the GUI loads, at which point you will start to get prompts instead of blocks.

About learning mode:
I enable it, and I go through a couple reboots, and signing in and out of my various user accounts, to make sure nothing is being blocked in the boot process. Other users who are more paranoid than me don't like learning mode, because you can't be sure what you are whitelisting.
 

AtlBo

@shmu26, thanks for this information. Didn't realize there are different types of alerts. Haven't been working very closely with the program, because I haven't been using the ReHIPS PC much lately.

In the pic (see below) I noticed in some of them that there is in blue next to command line, where the red circle is in the pic, text that says "Trusted Command Line". If I just want to allow the single command line, do I select "Trusted Command Line" and then Allow Once? This seems to be working for me. Not getting the prompts again, yet cmd.exe for example did show up in an alert several times in a row for some differing scripts that run periodically on the PC:

ReHIPS.gif


One last thing. Should I expect that Recrypt has arranged for all the "vulnerables" to be monitored for command line usage in the same way as cmd.exe?
 

shmu26

This is the prompt I was talking about.
In the upper half, you click on "add to trusted", and then at the bottom, you click on "allow".
Note that "allow" is set by default to "only once", so you are good. You only mess things up if you change it to "permanent", and then click on "allow".
Capture.PNG


"If I just want to allow the single command line, do I select "Trusted Command Line" and then Allow Once?"
Yes.
"Should I expect that Recrypt has arranged for all the "vulnerables" to be monitored for command line usage in the same way as cmd.exe?"
Yes.

I posted a screenshot of my own, before I saw this post. I see that you already figured everything out...
 

AtlBo

Thanks very much @shmu26. The details for expert mode are fantastic. This gives me a great place to start.

I was whitelisting vulnerables on 2.2 as things turn out. :LOL: Luckily I had NVT ERP running too because I really wasn't sure I knew what I was doing with ReHIPS.

Going over the list of Unbound, I notice the "vulnerables" there, and I see how the rules are generally set to "Inspect Children". That helps with the parent/child explanation on things. The protections seem to be here, but I can see why you pushed to have the choice for whitelisting a single command line handled in a more obvious way. True, it can become routine with use, but someone could start off on the wrong foot.

The more I look this over, the more I am liking NVT ERP, ironically. I have about 100 or so vulnerables in ERP, and I am gaining a new respect for using it with this set of them in place. Not to take away from ReHIPS o/c, but it is interesting having both on the same machine. I'll probably keep the setup for awhile to make some comparisons.

Really appreciate your always reliable help and also @SHvFl...:)
 

shmu26

Thanks.
"Inspect children" gives you some basic parent/child control, but the setting that really monitors the command lines is the other one, alert for sub-processes. It is roughly parallel to embedded code detection in Comodo.

BTW I think I understand why you like ERP better, personally I do like the prompts better in ERP, maybe because my brain got used to it.
But the rules in ReHIPS are built out much more than in the ancient ERP from 2015 that people are using. ReHIPS was designed by very smart and very paranoid people who already thought of everything, and keep things up to date, so you don't have to write rules and add vulns on your own.
 

AtlBo

@shmu26...OK, so for the "vulnerables", "Can Execute Sub-Programs" should all be set to "Alert"? I guess I should also set "Can be Executed" to 'Alert' too?

I wonder why I am seeing them set to "Allow" now. Execute programs is set to "Inspect Children" as I mentioned, but the rest are set to "Allow"...
 

shmu26

It depends where you look. You are probably looking in the rules for "system" (I am going on the assumption that you make the same mistakes that I do), rather than in the rules for your particular user account. System has more lenient rules, so your system won't break. Best not to mess with them.

But when it really comes down to it, you should direct specific questions about rules to @SHvFl or to fixer. They know ReHIPS on a much deeper level than I do.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
You must have messed up and selected an alert with allow permanently. Applications that are of issue have sub programs to alert and children to inspect. Either that or your definition of vulnerable process is different. Which ones are you talking about? Show me an image.

Example with cmd below.

https://i.imgur.com/vnhJQSP.png
 
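A constructed model of the rule semantics shmu26 and SHvFl describe above (sub-programs set to Alert, children set to Inspect, and a "Trusted Command Line" with Allow Once versus a "Permanent" Allow). This is added illustration code, not ReHIPS's own code or rule format; the names `ProcessRule`, `LaunchEvent`, `decide`, `answer_prompt` and the sample command lines are assumptions.

```python
"""Toy model of the parent/child rules discussed in this thread.

Constructed illustration, not ReHIPS code or its rule format. A
'vulnerable' parent such as cmd.exe has "Can Execute Sub-Programs" set
to Alert and "Execute Programs" set to Inspect Children; the two prompt
answers contrasted are "Trusted Command Line + Allow Once" and
"Permanent + Allow".
"""
from dataclasses import dataclass, field


@dataclass
class ProcessRule:
    can_execute_subprograms: str = "alert"      # allow | alert | block
    execute_programs: str = "inspect_children"  # allow | inspect_children
    trusted_command_lines: set = field(default_factory=set)
    permanent_allow: bool = False               # result of "Permanent" + "Allow"


@dataclass(frozen=True)
class LaunchEvent:
    parent: str        # hypothetical rule key, e.g. "cmd.exe"
    command_line: str  # full command line of the child being launched


def decide(rules: dict, event: LaunchEvent) -> str:
    """Verdict for one child launch: 'allow', 'alert' or 'block'."""
    rule = rules.get(event.parent, ProcessRule())
    if rule.permanent_allow:
        return "allow"  # blanket: every future command line passes silently
    if event.command_line in rule.trusted_command_lines:
        return "allow"  # narrow: only this exact command line passes
    return rule.can_execute_subprograms  # 'alert' prompts, 'block' denies


def child_is_inspected(rules: dict, event: LaunchEvent) -> bool:
    """True when the spawned child runs under its own rules rather than
    inheriting the parent's verdict (the 'Inspect Children' setting)."""
    rule = rules.get(event.parent, ProcessRule())
    return rule.execute_programs == "inspect_children"


def answer_prompt(rules: dict, event: LaunchEvent, choice: str) -> None:
    """Record the user's answer to an 'alert' prompt: 'allow_once' changes
    nothing, 'trusted_command_line' whitelists that one line, and
    'permanent_allow' is the blanket allow the thread warns against."""
    rule = rules.setdefault(event.parent, ProcessRule())
    if choice == "trusted_command_line":
        rule.trusted_command_lines.add(event.command_line)
    elif choice == "permanent_allow":
        rule.permanent_allow = True
    elif choice != "allow_once":
        raise ValueError(f"unknown choice: {choice}")
```

The point the model makes is that a trusted command line stays scoped to one exact launch, while a permanent allow silences the prompt for every later child of that parent.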

AtlBo


Thanks both of you. The pic is exactly what I am seeing under the machine "Unbound" rules. I checked they all have alert for sub-programs. @shmu was right, I was looking at the Unbound for the System.

@SHvFl, could you quickly pass on again how to link an application to use of the ReHIPS folder? I know about your system for creating the file in a desired location, but I will probably just use the ReHIPS folder since it's there. If I recall I go into the rules for the app process and allow it access, and it's that simple. Just can't recall.

Thx...
 

SHvFl

Have no idea what you mean. You want to give access to what and where exactly?
 

AtlBo


Would like to easily save to the c:\ReHIPS folder. Excel is running contained. Here is the save dialog I see. I added c:\ReHIPS to the favorites so no navigation is required to save there:

Save Excel in ReHIPS Folder.png


Then I get this message when I try to save:

Permissions.png


I added the c:\ReHIPS to the Favorites of Excel in the save dialog as you can see.

EDIT: I also added a shortcut to the folder on the desktop. I can protect it with EasyFileLocker no problem. Plan is to save all office and other files saved from a contained application in that folder rather than in separate containers. Plan to even point downloads to the folder.
 

SHvFl

Excel has access to the office folder. Is that where you are trying to save, and did you mess with the settings or is it the same as my image? If everything is as shown and you are saving to C:\ReHIPS\Office then another program you use is messing things up.

https://i.imgur.com/Pt0vYqT.png
 

AtlBo

Thanks @SHvFl. Well, seems it works now. No idea what was going on LOL.

Couldn't have been EasyFileLocker. Must seem likely it was I know, but I promise, EFL was only set to block writes to backup drives prior to the last few minutes (after I took the screenshots). Hadn't opened the app since yesterday I think...

Just a weird quirky permissions hiccup I think... :alien:
 

SHvFl

You tried to save in C:\ReHIPS and not C:\ReHIPS\Office I believe. Anyway, it works now.
 