Troubleshoot Build Security around ReHIPS 2.3 on a System?

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Starting over with ReHIPS 2.3. Would like to build around ReHIPS to build a simple clean security setup. The system currently has a convoluted setup for now with the following apps:

Q360TS
MBAE
Zemana Pro
NVT ERP
Binisoft WFC

Likely going to keep WFC, but the rest can go. Zemana I like, so maybe it should stay for scans, etc. Where should I start? Mostly interested first in how to configure ReHIPS to get the most of its multi-container protection capabilities.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
There is. Limitation is it's for home use only and no application can run in a container using more than 10 instances of the application at one time. For browser, that leaves you with FF or something else that runs with a smaller number of instances than 10, if you want to run browser contained.

Here is the download. Be prepared for an uphill battle. Feel free to bring your initial questions here to this thread:

ReHIPS - An HIPS/Sandbox without kernel Hooks - (quick test included)

Once you have the basics, you can start a thread in the Security Applications->Other Security for Windows Forum. One thing about the installation. Just let it run and leave it on. No matter how long it takes, let it go until it is finished. It finds what's on the system and adds its own set of excellent rules. The rules are very good.

It's good protection, but I am also finding that it's possible to make it more user friendly for my file storage requirements than how it sets up by default.
 
Upvote 0

Deleted Member 3a5v73x

This thread may not be the appropriate place to say it, but I bought ReHIPS on 3 June 2017 for about 16€, used it for a few months for testing purposes, then uninstalled, and now when re-checking prices, it has skyrocketed to 55€ for 1PC/1YR. I know it's high quality security software, but holy @!* I don't see a way to renew it for such a price :eek:
 
Upvote 0

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
This thread may not be the appropriate place to say it, but I bought ReHIPS on 3 June 2017 for about 16€, used it for a few months for testing purposes, then uninstalled, and now when re-checking prices, it has skyrocketed to 55€ for 1PC/1YR. I know it's high quality security software, but holy @!* I don't see a way to renew it for such a price :eek:
It was a deal for the product launch with a 70% discount. Now the price is full with no discount hence the jump in price.
 
Upvote 0

Recrypt

From ReHIPS
Verified
Developer
May 26, 2014
11
Hello everyone!

Here is a blogpost I promised earlier about some files that may be left when ReHIPS is uninstalled. [FAQ] Uninstalled ReHIPS, but some files are left

At first I wanted to also paste text here, but later decided not to. The reason is when something is changed inside ReHIPS, I also change blogposts accordingly. But if I paste text here, this text may become outdated. Besides blogs don't require any registration, just come and read.

Best regards, fixer.
 
Upvote 0

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
@Recrypt, @shmu26
I am not sure what inapplicable means. Is it equal to allow in the sandbox?
Usually you will see "inapplicable" in the rule for a process that does not need to have its command lines monitored. This could be an isolated process or a non-isolated process.
For instance, powershell has subprograms monitored. Monitored is sort of like the opposite of inapplicable.
 
Upvote 0

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
By the way, there are several sets of rules for the same processes. So when inspecting rules, you need to always look which "user" you are inspecting.
There is a set of rules for "system". Those rules are generally more lenient than the rules for a regular user, and it is best not to mess with system rules, in order not to break things.
 
Upvote 0

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Usually you will see "inapplicable" in the rule for a process that does not need to have its command lines monitored. This could be an isolated process or a non-isolated process.
For instance, powershell has subprograms monitored. Monitored is sort of like the opposite of inapplicable.
So if the program has (in User and System): 'Inspect Children + Allow + Inapplicable' settings and wants to spawn a child process (without using command lines), then the child process will always be allowed? But when the program uses some suspicious command lines to run the child process, then the child will be blocked?
 
Upvote 0

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
So if the program has (in User and System): 'Inspect Children + Allow + Inapplicable' settings and wants to spawn a child process (without using command lines), then the child process will always be allowed? But when the program uses some suspicious command lines to run the child process, then the child will be blocked?
Allow means it will not run isolated (sandboxed).
Inspect children means that there is no automatic parent/child permission. Instead, the ReHIPS rule for the child will be applied. If there is none, you will see a prompt.
Inapplicable means that the command line will not be parsed as such. It will be treated as a simple parent/child execution.
If you have more detailed questions, best to ask on ReHIPS forum. First of all, they really know what they are talking about. Second of all, I am heading for bed now...
 
Upvote 0
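To make the three settings concrete, here is a small Python model (added here, not ReHIPS code) of the decision path shmu26 describes: the parent's children policy, its isolation state, and whether its command line is parsed. The value names "Isolate" and "Monitored", the policy hook and the sample policy are assumptions for illustration.

```python
import shlex
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed model of the three per-process settings discussed in the thread:
# (children policy, isolation, command-line handling). Value names not quoted
# in the thread ("Isolate", "Monitored") are assumptions.
@dataclass(frozen=True)
class Rule:
    children: str    # "Allow", "Inspect Children" or "Block"
    isolation: str   # "Allow" = runs un-isolated; "Isolate" = runs in a container
    cmdline: str     # "Inapplicable" = not parsed; "Monitored" = parsed and checked

# Hypothetical hook for a monitored command line: returns "Block" or None.
CmdlinePolicy = Callable[[List[str]], Optional[str]]

def sample_policy(argv: List[str]) -> Optional[str]:
    """Constructed example policy: reject encoded PowerShell invocations."""
    flags = {a.lower() for a in argv[1:]}
    return "Block" if flags & {"-enc", "-encodedcommand"} else None

def resolve_child(parent: Rule, child: Optional[Rule], cmdline: str,
                  policy: Optional[CmdlinePolicy] = None) -> dict:
    """Decide how a child launched by `parent` with `cmdline` is treated."""
    parsed = None
    if parent.cmdline == "Monitored":
        # Only a monitored parent has its command line tokenised and inspected.
        parsed = shlex.split(cmdline, posix=False)
    out = {"parsed": parsed, "isolated": None}
    if parent.children == "Block":
        return {**out, "verdict": "Block", "reason": "parent may not start children"}
    if parsed is not None and policy is not None and policy(parsed) == "Block":
        return {**out, "verdict": "Block", "reason": "command line rejected"}
    if parent.children == "Allow":
        # Automatic parent/child permission: the child inherits the parent's state.
        return {**out, "verdict": "Allow", "isolated": parent.isolation == "Isolate",
                "reason": "inherited from parent"}
    # "Inspect Children": no automatic permission, the child's own rule decides.
    if child is None:
        return {**out, "verdict": "Prompt", "reason": "no rule for child"}
    return {**out, "verdict": "Allow", "isolated": child.isolation == "Isolate",
            "reason": "child's own rule"}
```

With "Inapplicable" the command line is never tokenised, so the outcome depends only on the children policy and the child's own rule, which is the case Andy Ful asks about.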

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Allow means it will not run isolated (sandboxed).
Inspect children means that there is no automatic parent/child permission. Instead, the ReHIPS rule for the child will be applied. If there is none, you will see a prompt.
Inapplicable means that the command line will not be parsed as such. It will be treated as a simple parent/child execution.
If you have more detailed questions, best to ask on ReHIPS forum. First of all, they really know what they are talking about. Second of all, I am heading for bed now...
Thanks. Sleep tight. :)
 
Upvote 0

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I tried ReHips in Permissive mode and it seems that this can be a way to protect people against malicious documents, because popular document editors/viewers are run sandboxed (MS Office, OpenOffice, Libre Office, WPS Office, Adobe Reader, Adobe Acrobat, Foxit Reader, SumatraPdf). Furthermore, other vulnerable applications can be easily added. All protected by default applications can be seen when using RulesManager64.exe (default.rdb should be loaded).
The good thing (for inexperienced users) is also that one can save documents in the real system. But, I noticed that "print to pdf" does not work. I am curious if normal printing from the sandboxed editor works well.
ReHips sandbox is not as secure as AppContainer, but I did not hear about dangerous bypasses.
 
Upvote 0

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I tried ReHips in Permissive mode and it seems that this can be a way to protect people against malicious documents, because popular document editors/viewers are run sandboxed (MS Office, OpenOffice, Libre Office, WPS Office, Adobe Reader, Adobe Acrobat, Foxit Reader, SumatraPdf). Furthermore, other vulnerable applications can be easily added. All protected by default applications can be seen when using RulesManager64.exe (default.rdb should be loaded).
The good thing (for inexperienced users) is also that one can save documents in the real system. But, I noticed that "print to pdf" does not work. I am curious if normal printing from the sandboxed editor works well.
ReHips sandbox is not as secure as AppContainer, but I did not hear about dangerous bypasses.
Sometimes there are problems with the isolated application accessing the print spooler, it depends which application it is, or what printer driver you are using. MS Office applications should print from isolation, and Chrome should print from isolation. I do remember that printing to fax from Chrome did not work, though.
Which isolated app didn't print for you?
 
Upvote 0

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
ReHips sandbox is not as secure as AppContainer, but I did not hear about dangerous bypasses.
There are blog posts on the ReHIPS forum that give interesting under-the-hood explanations of ReHIPS sandbox. It builds on native Windows features (i.e., separation between user accounts), but it is more than that.
 
Upvote 0

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Sometimes there are problems with the isolated application accessing the print spooler, it depends which application it is, or what printer driver you are using. MS Office applications should print from isolation, and Chrome should print from isolation. I do remember that printing to fax from Chrome did not work, though.
Which isolated app didn't print for you?
'Print to pdf' does not work from isolated MS Office 2007, the final PDF document is not created in the target directory in the real system. But, it does not mean that printing from isolated MS Office 2007 is not possible with a standard printer. I do not have a real printer connected to my computer.
Some posts on ReHips forum indicate that printing is possible, but I did not research this topic. I remember that there were problems with printing in Sandboxie (actually solved), so some problems can also be in ReHips.
 
Upvote 0

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
'Print to pdf' does not work from isolated MS Office 2007, the final PDF document is not created in the target directory in the real system. But, it does not mean that printing from isolated MS Office 2007 is not possible with a standard printer. I do not have a real printer connected to my computer.
Some posts on ReHips forum indicate that printing is possible, but I did not research this topic. I remember that there were problems with printing in Sandboxie (actually solved), so some problems can also be in ReHips.
ReHIPS fixed some of the printing issues that were reported, but some issues remain.
 
Upvote 0

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I noticed that ReHips monitors many Windows system programs.
Most of them have the settings: Allow, Allow, Inapplicable. I wonder what is the purpose of putting them on the list, because they look like fully allowed???
Some of the processes on the list have settings: Inspect Children, Allow, Inapplicable and some other (like Universal Applications) have the settings: Block, Allow, Inapplicable.
Anyway, they are un-bounded, so this should be safer for system stability, as compared to Comodo Firewall with auto-sandbox (set to Restricted).
 
Upvote 0

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,759
I noticed that ReHips monitors many Windows system programs.
The list is something similar to the Bouncer list.
Sometimes Windows needs to use some of them and if the process isn't on the list the user has to answer the question. I guess fixer did it to make ReHIPS more user-friendly.
Inapplicable means it can use commands but with some limits (if I remember right).
 
Upvote 0

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I noticed that ReHips monitors many Windows system programs.
Most of them have the settings: Allow, Allow, Inapplicable. I wonder what is the purpose of putting them on the list, because they look like fully allowed???
Some of the processes on the list have settings: Inspect Children, Allow, Inapplicable and some other (like Universal Applications) have the settings: Block, Allow, Inapplicable.
Anyway, they are un-bounded, so this should be safer for system stability, as compared to Comodo Firewall with auto-sandbox (set to Restricted).
Yeah, fixer -- here he is called @Recrypt -- knows exactly why each process has the rules it does. Get on the ReHIPS forum and ask him, he knows why they did it that way.
And let us know what he said!
 
Upvote 0

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The list is something similar to the Bouncer list.
Sometimes Windows needs to use some of them and if the process isn't on the list the user has to answer the question. I guess fixer did it to make ReHIPS more user-friendly.
Inapplicable means it can use commands but with some limits (if I remember right).
Yes, it does not make sense for the Permissive mode, but is required for Expert and Standard modes. :)
ReHips list includes many processes from the Bouncer blacklist, but also many others. This is possible because all processes on the list are allowed to run (in Permissive mode) and only some of them cannot execute programs (subprograms).
I thought that in Permissive mode there will be no alerts, but it is not true. Rarely, some programs can cause alerts when executing sub-programs (bcdedit.exe, cmd.exe, cscript.exe, dvsvc.exe, InstallUtil.exe, mmc.exe, msdt.exe, mshta.exe, msiexec.exe, netsh.exe, PresentationHost.exe, reg.exe, regedit.exe, RegAsm.exe, RegSvcs.exe, regsvr32.exe, rundll32.exe, setx.exe, wscript.exe, wusa.exe).
 
Upvote 0
