Discussion in 'Other Security for Windows' started by Umbra, May 25, 2014.
ReHIPS: could be the reincarnation of GesWall, pity
When does ReHIPS decide to show the special command line prompt, and when does it simply inspect children? Is it mode-dependent?
Actually, there is another thing I don't understand, maybe it is related: what is the difference between "children" processes and "sub" processes? (My terminology might not be exact)
Yes, Expert Mode shows all kinds of stuff, almost a HIPS.
Same thing, different names; like Process Hollowing is also Dynamic Forking.
It shows special commands when the sub program option is set to alert. Children is what you normally understand: it's something that is going to get spawned by the parent. Sub programs is when a program tries to execute with command line parameters, hence the alerts we talked about earlier for command lines when you have it on alert.
So for example I have a program that executes cmd.exe when it launches. Is that called child or sub?
It will be a sub program because cmd will launch with some parameters to execute something. For example, my VPN application calls cmd to clear DNS and I get this command line: "cmd.exe" /c ipconfig /flushdns.
Cool. That is exactly what I wanted to know.
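The child vs. sub-program distinction from the exchange above, written out as code so it can be checked against real launch data. This is an added example, not ReHIPS code: it assumes the thread's definition (a launch counts as a sub program when the new process receives command-line parameters), the trusted-command-line wildcard syntax (* and ?) mentioned in the 2.3.0 changelog, and case-insensitive matching; the LaunchEvent records, the helper names and the trusted pattern list are all constructed here.

```python
import re
from dataclasses import dataclass


@dataclass
class LaunchEvent:
    """A process-creation event as a sandbox agent would observe it (constructed)."""
    parent: str         # image name of the spawning process
    command_line: str   # full command line of the new process


def split_command_line(command_line: str):
    """Return (image, arguments); the image may be a quoted path with spaces."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                       # unterminated quote: whole thing is the image
            return s.strip('"'), ""
        return s[1:end], s[end + 1:].strip()
    head, _, tail = s.partition(" ")
    return head, tail.strip()


def classify(event: LaunchEvent) -> str:
    """'sub program' if the new process receives command-line parameters, else 'child'."""
    _, args = split_command_line(event.command_line)
    return "sub program" if args else "child"


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a trusted-command-line pattern using * and ? into a regex.
    re.DOTALL makes '*' and '?' cover newline characters too; without it an
    argument containing a line terminator slips past the wildcard, which is
    the class of problem the changelog's carriage-return item describes."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)


def command_line_trusted(command_line: str, trusted_patterns) -> bool:
    """True when the full command line matches any trusted pattern end to end."""
    return any(wildcard_to_regex(p).match(command_line) for p in trusted_patterns)


def decide(event: LaunchEvent, trusted_patterns) -> str:
    """Outcome for one launch: children go to the normal child-process rules,
    sub programs are allowed only when their command line matches a trusted
    pattern, otherwise the user gets the command-line alert."""
    if classify(event) == "child":
        return "inspect child"
    if command_line_trusted(event.command_line, trusted_patterns):
        return "allow"
    return "alert"


# Constructed rule set: the VPN client's DNS flush from the thread, plus one wildcard rule.
TRUSTED_COMMAND_LINES = [
    '"cmd.exe" /c ipconfig /flushdns',
    '"cmd.exe" /c ipconfig /release*',
]

if __name__ == "__main__":
    samples = [
        LaunchEvent("vpnclient.exe", '"cmd.exe" /c ipconfig /flushdns'),
        LaunchEvent("app.exe", "cmd.exe"),
        LaunchEvent("app.exe", '"cmd.exe" /c ipconfig /displaydns'),
    ]
    for ev in samples:
        print(f"{ev.parent} -> {ev.command_line!r}: {classify(ev)}, "
              f"{decide(ev, TRUSTED_COMMAND_LINES)}")
```

The point worth keeping from this is the anchoring: a trusted pattern is matched against the whole command line (the `\Z` at the end), so appending anything to an otherwise trusted line, including a second command after `&&`, falls through to the alert instead of riding along on the allow rule.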
Hello everybody and Merry Christmas.
We proudly present to you the release of ReHIPS 2.3.0 (DOWNLOAD). As usual there are lots of changes.
We'd like to express our sincerest and deepest gratitude to beta-testers and other guys (and gals?), who tested, reported problems, endured remote debugging sessions, gave suggestions and really helped a lot to fix issues and shape ReHIPS as it is now. Thank you all very much, we really appreciate it.
Enjoy this release. And as usual, don't hesitate to contact me should you have any questions or suggestions.
P.S. You may want to read this blog post entry https://forum.rehips.com/index.php?topic=9742.0, if you've been using RulesManager and updating from an older version.
BTW, forgot to add changelog. Here it is.
-wildcards are ready;
-all top level windows are now mirrored on all desktops;
-added custom taskbar on isolated desktops;
-added restricted token, which allows using the main desktop without danger of DLL injection with allowed hooks;
-user SID is shown in isolated environment;
-made rules in RulesManager disableable;
-fixed process isolation with UAC and UIAccess;
-separate isolated desktops can be globally disabled;
-hashes were changed to more informative entities;
-fixed Windows bug with non-shown icon (default icon) for RulesManager (see blogpost about this bug here https://forum.rehips.com/index.php?topic=9496.0);
-agent now injects the DLL asynchronously, which removes the queue and waiting time;
-desktops widget could be closed with UAC disabled, fixed;
-clients close socket immediately, speeds up socket server part shutdown;
-all the data is read before socket shutdown, fixed error with incorrect server connection code;
-blocked access to several new Windows 10 locations;
-Open File Access feature security improved;
-Copy User Data feature security improved;
-custom recycle bin added so as not to lose files involved in Open File Access;
-RulesManager registry now supports wildcards * and ?;
-Copy User Data metadata is now kept so that the same data is not copied several times;
-string comparison is locale-independent now;
-some isolated processes were missing from the list;
-some rare deadlock was possible during processes processing;
-DLL may not be injected after Service restart;
-fixed Windows bug with printing and devices list (see blogpost about this bug here https://forum.rehips.com/index.php?topic=9713.0);
-DLL may not be injected into some processes due to race condition;
-rules could be installed for a user with wrong SID;
-carriage return wasn't correctly covered by wildcard in trusted command lines;
-improved installed software detection;
-rare deadlock due to race condition on shutdown was fixed;
-added several programs and trusted command lines/vendors to RulesManager;
-added Spanish translation (thanks to Mr.X);
-real user whose rule was enforced is now output;
-isolated windows border and color make their comeback to the settings;
-moved help file to CHM;
-Lock-Down Mode can be changed from tray menu;
-ReHIPS folder can be opened from tray menu;
-isolated processes list update on GUI startup was missing;
-some other small fixes and improvements (confirmation prompt to remove several programs from database, HWID is automatically passed on Buy, etc.).
Thanks fixer, great release!
Thanks and Merry Christmas.
I've a query regarding ReHIPS's isolation of the web browser. In my Windows 10 Pro system Firefox doesn't open when it's in ReHIPS's web browser isolation. I get messages that Firefox is running but not responding... close Firefox then try, etc. I got no help from Mozilla support as well as from ReHIPS's forum, so I'm posting here, hoping to get a solution from the experts. Below are a few screenshots:
In the above settings Firefox doesn't open but in the below settings it opens and I can surf the web.
My question is: Are these settings good for better protection, or does it need some other settings/tweaking to get it working?
How can I get it working in full browser isolation in ReHIPS? Same goes with Sandboxie: Sandboxie forced Firefox to run sandboxed but it doesn't.
Any advice to run Firefox sandboxed or in isolation mode?
If you also can't run FF in Sandboxie, then you have a problem with FF on your system. FF ran fine on my systems with either Sandboxie or ReHIPS.
What do you think about the problem that my FF browser is having, that it is not able to run sandboxed or in isolation?
I've newly installed Win 10 a month back and the system is clean as far as I know. New version of FF is installed and there is no trace of old FF, still it couldn't be run in isolation!
Any help please?
Maybe a 3rd party security software blocks the sandboxes.
1- Uninstall all security software and FF, then reboot.
2- Reinstall FF.
3- install ReHIPS.
4- launch FF.
I've Eset, AppGuard, NVTERP from the beginning and newly added NVT OSArmor and HMPA then this ReHIPS.
Would you like to guide me on what is causing the problem for FF to be force-run sandboxed or in an isolated environment?
On the same system? this is madness.
Just ReHIPS + Appguard is already more than enough.
The issue is with Appguard, you need to add ReHIPS' hipsagent64.exe to Appguard's Power Apps.
You stockpile softs without fully knowing their mechanisms, so you get obvious issues. Each of the software you listed is good enough to be used on its own; no need stockpiling them.
The same basic idea that @Umbra gave you will solve your sandboxie problem, too. Appguard needs to be configured.
In Appguard, you need to make an appropriate exception rule for the c:/sandbox folder.
See this post for details:
AppGuard and Sandboxie
Thanks for your tips. I've added ReHIPS' hipsagent32.exe to Appguard's Power Apps and I'm able to run FF in an isolation environment.
You're right here. As you know I'm organising a giveaway at MDL, so at times I'm tempted to test some security software just out of curiosity, and again you're right that I'm unable to configure them accordingly, therefore causing this issue. These software are for testing purposes only and I can get rid of them whenever I want, but I will keep a few of them, i.e. AppGuard, Sandboxie, NVTERP and ESET (I've paid licenses for these apps).
P.S. I don't visit any restricted site or download any stuff from the net, i.e. Torrents or any other file sharing sites. I've downloaded 3 or 4 big files that were also from MSFT, like Windows 7, then Office 2013, then Windows 10, etc. So I'm not worried about the system security, as I'm using this PC since 2009, from WinXP to Win 7 & now Win 10, and still my system has not been infected with any malware.
Thanks for your information and now I'm checking the tutorials.