Smart Object Blocker (Block EXE, DLL, Drivers)

Discussion in 'other anti-malware software' started by novirusthanks, Jul 29, 2015.

  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    So, do I add on to the existing OpenPipePath=*\mailslot\NVTInj\* that I already have for ERP.

    Or, do I add the entire SOB config including OpenPipePath=*\mailslot\NVTInj\* as a discrete entry along with the discrete entry OpenPipePath=*\mailslot\NVTInj\* for ERP

    EDIT: just remembered. Maybe I should not run SOB with ERP..?
    DRP has been on the bench for problems posted to DRP thread.
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    The Sandboxie configuration file should look like this: http://postimg.org/image/a24fb07fr/

    Just make sure to use the correct file path for the two DLL files:

    The following line is used from both ERP and SOB, so it needs to be always present:

    About your two other questions:

    You can run SOB with ERP, it works without issues, it is just a little redundant only for the monitoring of running processes.

    SOB allows you to block or allow kernel-mode drivers using more advanced rules compared to DRP (but you need to write rules manually).
    These are an example of rules that you can use with SOB to allow Hitman Pro and Norton Security with Backup drivers:

     
    Last edited: Aug 14, 2015
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Thanks....so, one OpenPipePath=*\mailslot\NVTInj\* as it applies to SOB and ERP :thumb:
    I'm just a little redundant too. :isay:
    Thanks re #127 !
     
    Last edited: Aug 14, 2015
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Yes, that line is needed for both of them :)
     
  5. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    @novirusthanks
    i see your other tool "MD5 Checksum Tool".it is good.
    but i can not see "MD5 Checksum Tool" context menu on folder.
    so if you want add my request add to this tool.to generate rule.and thanks for attention to my request
    edit:it can be done with gui.
     
    Last edited: Aug 14, 2015
  6. @novirusthanks

    Andreas, two questions

    1. Would SmartObjectBlocker reduce the risks of kernel attacks through user mode callbacks? (as explained by this study of Norman threat research?)

    2. Do you have plans of making the injected SOB dll's ASLR enabled?

    Thanks

    Kees
     
    Last edited by a moderator: Aug 16, 2015
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    utilities_locker.jpg SMART OBJECT BLOCKER :D
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Windows_Security

    1) No, that article pertains to Win32k.sys/GUI callbacks. Smart Object Blocker only uses undocumented NTDLL/System callbacks to prevent DLL injection.

    2) Sure, we can add it on the next build.

    @co22

    We'll see what we can do about that :)
     
  10. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I am lost! Does someone have an ini to share so I can sort of understand how to make rules?
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Overkill

    I will write below a mini tutorial:

    The program can be configured by editing the Configuration.ini file:

    Behavioral Mode uses these rules:

    Block\Process.DB ---------------> Rules to block processes
    Block\DLL.DB ---------------> Rules to block DLLs
    Block\Driver.DB ---------------> Rules to block drivers
    Exclude\Exclude-Behavioral.DB ---------------> Rules to handle exclusions

    Lockdown Mode uses these files:

    Allow\Process.DB ---------------> Rules to allow processes
    Allow\DLL.DB ---------------> Rules to allow DLLs
    Allow\Driver.DB ---------------> Rules to allow drivers
    Exclude\Exclude-Lockdown.DB ---------------> Rules to handle exclusions

    By default the program is set to Behavioral Mode.

    To switch to Lockdown Mode you need to edit Configuration.ini and set:

    Then restart the program for the changes to take effect.

    The default rules on \Allow\Process.DB are these ones:

    That means all processes located in \Windows\, \Program Files\, \Program Files (x86)\ (and subfolders, note the * character) are allowed, all the rest is blocked.

    You may need to add more rules based on the programs you have installed, for example, if you have Chrome installed, it needs to execute files located in AppData folder.

    So you can add a new rule that allows updating of Chrome application:

    All executable files located in %LOCALAPPDATA%\Google\Chrome\* and digitally signed by Google Inc are allowed to execute.

    This is just an example, you can create custom rules for applications that need particular executions (click the button "Variables" to view all available aliases/variables).

    I would recommend to not add rules to allow execution of files on Temp folders as many malware are executed from there.

    For this reasons I would recommend to disable SOB protection (if you use Lockdown Mode) when you need to install/update/uninstall trusted software.

    I will create a new thread where users can share their rules.
     
  12. nezic

    nezic Registered Member

    Joined:
    Jul 7, 2013
    Posts:
    8
    Lockdownd should auto block driver hardvare instalation (USB, HDD...).
    Add proces to start with limited privileges.
     
  13. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I appreciate your help Andreas! The new thread will really help as well :thumb:
     
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    We've added few new options:

    1) Match the parent process on DLLs

    Block parent process cmd.exe from calling regsvr32.exe to load a DLL file:

    2) Match parent process signer

    Block parent process signed by *NoVirusThanks* to start a new process:

    3) Copy blocked objects to a custom folder

    Will release the new build soon.

    @nezic

    We should add support for limited user accounts soon.
     
  15. To understand for me correctly: is that an option in the DLL config? Is it possible to specifically mention dll's, so I could use this option to replace EMET's ASR?

    Could you please let me now when DLL's are ALSR enabled?
     
  16. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Is this something that a simple user can use? I don't know how to insert code and these kinds of things but I would like to try it. Would it be safe? Or would it be useless for someone like me?
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  18. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
  19. guest

    guest Guest

    i set SOB on behavioral mode , add D: partition in Block "Process.DB" with this line : [%FILEPATH%: D:\*] to block any process to run from D: drive; im i correct?
     
    Last edited by a moderator: Aug 22, 2015
  20. Add these to block rules

    PROCESS.db
    [%PROCESS%: D:\*]

    DLL.db
    [%FILE%: D:\*]

    DRIVER.db
    [%FILE%: D:\*]
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Released stable version v1.1:
    http://downloads.novirusthanks.org/files/SmartObjectBlocker_Setup.exe

    This is the full changelog:

    ** Click on Variables button to see the new object variables **

    We've updated the \Block\ rules for the Behavioral Mode (default) so that SOB auto-blocks the execution of processes, dlls and drivers located in folders commonly abused by malware and exploit kits, plus it blocks web browsers, adobe reader, MS Edge, etc from executing cmd.exe, rundll32.exe, regsvr32.exe, etc and from loading kernel-mode drivers and DLLs located in specific folders. So as it is configured by default in Behavioral Mode, it can be effective in preventing a malware infection, you just need to install it and forget it. We will keep improving the block rules in next versions.

    Example Block rules we've recently added in Process.DB:

    To update:

    1) Close SOB
    2) Make a backup of the \Allow\, \Block\ and \Exclude\ (folders if needed)
    3) Uninstall SOB
    4) Reboot the PC (important)
    5) Install the new SOB

    @guest

    Correct.

    @Windows_Security

    Added in this new version.

    Correct, that new object variable allows you to block/allow parent processes from loading a DLL.

    Example in \Block\DLL.DB:

    [%PARENTPROCESS%: *\process.exe]

    In the above rule, the process named "process.exe" is blocked from loading any DLL file.

    [%FILENAME%: abc.dll] [%PARENTPROCESS%: *\process.exe]

    In the above rule, the process named "process.exe" is blocked from loading the DLL file named abc.dll
     
  22. guest

    guest Guest

    so now i have portable apps located in D: (say DNS Jumper for example) what should be the needed variables to block their execution?

    note: i use portable apps as "dummies" to test SOB :D
     
  23. Great, so SOB now also has EMET's ASR (Attack Surface Reduction) capabilities. I will update my post where SOB is the star, with ASR-like block rules for office apps to block them loading vbscript.dll, j*script.dll etc

    Would this be correct (in DLL.db) to stop scripting dll's from loading in Word?
    [%FILENAME%: jscript?.dll] [%PARENTPROCESS%: *\winword.exe]
    [%FILENAME%: vbscript.dll] [%PARENTPROCESS%: *\winword.exe]
    [%FILENAME%: cscript.dll] [%PARENTPROCESS%: *\winword.exe]
    [%FILENAME%: flash*.dll] [%PARENTPROCESS%: *\winword.exe]
    [%FILENAME%: pwrsh*.dll] [%PARENTPROCESS%: *\winword.exe]

    Thanks
     
    Last edited by a moderator: Aug 23, 2015
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Holy cow! I'm gonna have to throw myself deeper into some more rules constructions :thumb:

    Thanks Again.
     
  25. @novirusthanks

    When I use -hidegui SmartObjectBlocker ends with can't find confiuration file error
     
    Last edited by a moderator: Aug 23, 2015
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.