ReHIPS - An HIPS/Sandbox without kernel Hooks - (quick test included)

Discussion in 'Other Security for Windows' started by Umbra, May 25, 2014.

  1. Windows_Security
    ReHIPS: could be the reincarnation of GesWall, pity
     
    TerrakionSmash and SHvFl like this.
  2. shmu26
    #882 shmu26, Oct 17, 2017
    When does ReHIPS decide to show the special command line prompt, and when does it simply inspect children? Is it mode-dependent?
    Actually, there is another thing I don't understand, maybe it is related: what is the difference between "children" processes and "sub" processes? (My terminology might not be exact)
     
  3. Umbra (From Emsisoft, Developer)
    Yes, Expert Mode shows all kinds of stuff, almost an HIPS.

    Same thing, different names; like Process Hollowing is also Dynamic Forking.
     
  4. SHvFl
    It shows special commands when the sub program option is set to alert. Children are what you normally understand: something that is going to get spawned by the parent. Sub programs are when a program tries to execute with command line parameters, hence the alerts we talked about earlier for command lines when you have it on alert.
     
    AtlBo, simmerskool and shmu26 like this.
  5. shmu26
    So for example I have a program that executes cmd.exe when it launches. Is that called child or sub?
     
    AtlBo and SHvFl like this.
  6. SHvFl
    It will be a sub program because cmd will launch with some parameters to execute something. For example my VPN application calls cmd to clear DNS and I get this command line: "cmd.exe" /c ipconfig /flushdns.
     
    AtlBo, simmerskool and shmu26 like this.
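As an added illustration of the child versus sub-program distinction SHvFl describes above (and of the wildcard-in-trusted-command-lines items in the 2.3.0 changelog further down), here is a small Python model. It is not ReHIPS code and not how ReHIPS is implemented: the tokenizer is simplified (it ignores backslash-escaped quotes), the event layout, the trusted pattern and the three process-creation events are constructed assumptions, and the decision outcomes are chosen to mirror the behaviour the posts describe.

```python
# Added example (not ReHIPS code): a toy model of the child vs sub-program
# distinction described in the thread, plus trusted-command-line matching with
# the * and ? wildcards the changelog mentions. All events below are constructed.
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent: str        # image name of the process that spawns the new one
    command_line: str  # full command line of the new process, as Windows sees it


def split_command_line(cmdline: str) -> list:
    """Simplified Windows-style tokenizer: double quotes group spaces into one
    token, so '"cmd.exe" /c ipconfig /flushdns' -> ['cmd.exe', '/c', 'ipconfig',
    '/flushdns']. Backslash-escaped quotes are not handled (assumption)."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def classify(event: ProcessEvent) -> str:
    """'child': the parent just launches an executable.
    'sub program': the executable is launched with command-line parameters,
    which is the case that triggers the special command-line prompt."""
    return "sub program" if len(split_command_line(event.command_line)) > 1 else "child"


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate a trusted-command-line pattern: * = any run of characters,
    ? = exactly one character, everything else literal. DOTALL makes * cover
    \\r and \\n too (the carriage-return case from the changelog), and \\Z
    anchors at the true end of the string, unlike $ which tolerates a
    trailing newline."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("\\A" + "".join(parts) + "\\Z", re.DOTALL | re.IGNORECASE)


def is_trusted(cmdline: str, trusted_patterns) -> bool:
    return any(wildcard_to_regex(p).match(cmdline) for p in trusted_patterns)


def evaluate(event: ProcessEvent, trusted_patterns, alert_on_sub_programs=True) -> str:
    """Decision mirroring the behaviour described in the thread (assumed names):
    child               -> 'inspect' (handled under the parent's rule),
    trusted sub program -> 'allow',
    other sub program   -> 'alert' when the sub-program option is set to alert,
                           otherwise 'inspect'."""
    if classify(event) == "child":
        return "inspect"
    if is_trusted(event.command_line, trusted_patterns):
        return "allow"
    return "alert" if alert_on_sub_programs else "inspect"


# Constructed sample data: one trusted pattern, three process-creation events.
TRUSTED = ['"cmd.exe" /c ipconfig /flushdns*']
EVENTS = [
    ProcessEvent("vpnclient.exe", '"cmd.exe" /c ipconfig /flushdns\r\n'),            # trusted sub program
    ProcessEvent("setup.exe", '"C:\\Program Files\\Vendor\\helper.exe"'),            # plain child
    ProcessEvent("setup.exe", '"C:\\Program Files\\Vendor\\helper.exe" --silent'),   # untrusted sub program
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.parent:>14} -> {classify(ev):<11} {evaluate(ev, TRUSTED):<8} {ev.command_line!r}")
```

The third event shows why the distinction matters for a rule set: the same helper.exe is a plain child when launched bare and a sub program once a parameter is appended, so only the second form reaches the trusted-command-line check and, failing it, the alert.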
  7. shmu26
    Cool. That is exactly what I wanted to know.
     
    AtlBo and SHvFl like this.
  8. Recrypt (Developer)
    #888 Recrypt, Dec 28, 2017
    Hello everybody and Merry Christmas.

    We proudly present to you the release of ReHIPS 2.3.0 (DOWNLOAD). As usual there are lots of changes.

    We'd like to express our sincerest and deepest gratitude to beta-testers and other guys (and gals?), who tested, reported problems, endured remote debugging sessions, gave suggestions and really helped a lot to fix issues and shape ReHIPS as it is now. Thank you all very much, we really appreciate it.

    Enjoy this release. And as usual, don't hesitate to contact me should you have any questions or suggestions.

    P.S. You may want to read this blog post entry https://forum.rehips.com/index.php?topic=9742.0 if you've been using RulesManager and updating from an older version.

    BTW, forgot to add changelog. Here it is.
    -wildcards are ready;
    -all top level windows are now mirrored on all desktops;
    -added custom taskbar on isolated desktops;
    -added restricted token, which allows using the main desktop without danger of DLL injection with allowed hooks;
    -user SID is shown in isolated environment;
    -made rules in RulesManager disableable;
    -fixed process isolation with UAC and UIAccess;
    -separate isolated desktops can be globally disabled;
    -hashes were changed to more informative entities;
    -fixed Windows bug with non-shown icon (default icon) for RulesManager (see blogpost about this bug here https://forum.rehips.com/index.php?topic=9496.0);
    -agent injects DLL asynchronously now; this removes the queue and waiting time;
    -desktops widget could be closed with UAC disabled, fixed;
    -clients close socket immediately, speeds up socket server part shutdown;
    -all the data is read before socket shutdown, fixed error with incorrect server connection code;
    -blocked access to several new Windows 10 locations;
    -Open File Access feature security improved;
    -Copy User Data feature security improved;
    -custom recycle bin added not to lose files involved in Open File Access;
    -RulesManager registry now supports wildcards * and ?;
    -Copy User Data metadata is now available not to copy the same data several times;
    -string comparison is locale-independent now;
    -some isolated processes were missing from the list;
    -some rare deadlock was possible during processes processing;
    -DLL may not be injected after Service restart;
    -fixed Windows bug with printing and devices list (see blogpost about this bug here https://forum.rehips.com/index.php?topic=9713.0);
    -DLL may not be injected into some processes due to race condition;
    -rules could be installed for a user with wrong SID;
    -carriage return wasn't correctly covered by wildcard in trusted command lines;
    -improved installed software detection;
    -rare deadlock due to race condition on shutdown was fixed;
    -added several programs and trusted command lines/vendors to RulesManager;
    -added Spanish translation (thanks to Mr.X);
    -real user whose rule was enforced is now output;
    -isolated windows border and color make their comeback to the settings;
    -moved help file to CHM;
    -Lock-Down Mode can be changed from tray menu;
    -ReHIPS folder can be opened from tray menu;
    -isolated processes list update on GUI startup was missing;
    -some other small fixes and improvements (confirmation prompt to remove several programs from database, HWID is automatically passed on Buy, etc.).
     
    simmerskool, XhenEd, SHvFl and 11 others like this.
  9. shmu26
    Thanks fixer, great release!
     
    simmerskool, SHvFl, Opcode and 5 others like this.
  10. Lockdown (From AppGuard, Developer)
  11. SHvFl
    Thanks and Merry Christmas.
     
    simmerskool and harlan4096 like this.