Smart Object Blocker (Block EXE, DLL, Drivers)

@Windows_Security

Yes that rules should work fine.

Will fix it tomorrow, thanks for reporting it.

 

PARENTPROCESS is very useful, I would like to see CHILD also.

 

@novirusthanks

If I want to use ERP to monitor processes, and SOB to monitor dlls and drivers only, what rule do I need to create in SOB so there is no duplication of effort between ERP and SOB ?

Without some form of alerts from SOB I have no idea when it blocks something; I have to continually look in the log. I know it is very early beta, but no alerts makes no sense from a usability perspective. It just isn't practical. I'm not bashing SOB... just sayin' it is very frustrating to use - especially for someone who knows next to nothing about writing rules - and gets no feedback\indication from the security soft.

If I perform a clean install of OS, then immediately install ERP and place into Alert or Lock-Down mode, what is the advantage of SOB over ERP in that case ?

I tested ERP against pack after pack of malwares... and eventually stopped because it was an exercise in utter futility - because ERP blocks everything. In fact, I had to ask around if anyone had ever even heard of a single instance where ERP had been by-passed. Everyone I asked stated "No."

Thanks,

HJLBX

 

@novirusthanks

What would work to block a parent-child process combination?

Stop a specific executable from being started by another process in PROCESS.db
[%FILENAME%: example.exe] [%PARENTPROCESS%: *\winword.exe]

OR/AND

[%PROCESS%: *\example.exe] [%PARENTPROCESS%: *\winword.exe]

Thanks Kees

 

i did a test but it didn't work (so i guess i missed something)

- Used executable:

DNS Jumper portable located on D:

- Block rules:

Process.db:
[%PROCESS%: D:\*]
[%FILEPATH%: D:\*]

Drivers.db:
[%FILE%: D:\*]

Dll.db:
[%FILE%: D:\*]

- Result:

DNS Jumper is executed , i can use it normally , no intervetion from SOB despite SOB log :

Code:

[24-Aug-15 14:30:49] Blocked Process: D:\DnsJumper.exe
Rule: [%PROCESS%: D:\*]
Command Line: D:\DnsJumper.exe
Process Id: 5192
Parent Process Id: 4844
Parent Process: C:\Windows\explorer.exe

 

@guest maybe passive logging is enabled.
I just fire one more question on my mind, would be possible block specific folder for specific process?

 

i enabled it.

 

New build 1.1 with the "-hidegui" issue fixed:
http://downloads.novirusthanks.org/files/SmartObjectBlocker_Setup.exe

I have added an option to show the balloon hints and it can be enabled/disabled via Configuration.ini (enabled by default):

@Windows_Security

It should be fixed now, try the build above.

Both rules do the same thing, you can use either the first one or the second one.

@nezic

You can block child process like this:

With the above rule you block the parent process explorer.exe from executing a (child) process abc.exe

Yes, you can block abc.exe located in different folders, example:

@hjlbx

You need to make sure SOB auto-allows any process, how do you want to use SOB ? In Behavioral Mode or Lockdown Mode ?

This is an example rule to auto-allow all processes when SOB is in Lockdown Mode:

The above rule allows any process to run.

It can now show balloon hints, try the build above.

SOB can monitor for dlls and drivers and allows you to write more customized/granular rules, that's all mainly.

SOB can be used, for example, to restrict the loading of some DLLs in some processes (useful to mitigate exploits) and to block kernel-mode drivers.

No process can run without ERP consent, if you want to monitor also DLLs and/or drivers, SOB can be handy.

@guest

That looks really strange, can you try to see if the process started was located somehow in a different location or if it was already opened ?

 

located on D: (in a folder i created for portable apps) , clicked the exe after SOB is active. (check the screenshot ).

Note: UAC alerted me and i allowed DNS Jumper to run.

http://i.imgur.com/WM4Nvnt.png

 

@novirusthanks

I am learning SOB so I have opted to use only Behavioral Mode at this time and not create nor modify any rules. Later, if I choose I can mess with the Lock-Down mode.

The only widely-exploited apps that I have installed on system are IE11 and, sometimes, Firefox... so exploit mitigation is minimal need in my case.

So, in essence, SOB acts as anti-exploit when monitoring .dlls and anti-rootkit (kernel level\driver-based) when monitoring .sys files. Am I understanding this correctly ?

However, ERP is still brilliant protection... it may not be able to block an exploit, but it will block the payload(s)... correct ? Also, it will block any installers that would otherwise deposit a .sys file in the driver directory... correct ?

Thanks,

HJLBX

 

1. Confirmed is solved now

2. Andreas great program with endless possibilities, See for example of total lockdown Chrome and better than EMET's ASR of Outlook

Thx kees

 

@guest

You seem to have the "Passive Logging" enabled, disable it like this:

1) Close SOB
2) Edit Configuration.ini
3) Set PassiveLogging = n
4) Save Configuration.ini
5) Start SOB

Now the processes on D:\* should be blocked.

Let me know the result.

@hjlbx

It can help to mitigate exploits by restricting the DLLs allowed to be loaded by commonly exploited apps and can block loading of malicious .sys driver files (such as rootkits and nasty malware).

Absolutely, with ERP you have complete control over what is executed in the system, blocking malware, apps installations and payloads.

So for example, if you block Rootkit.exe execution, it is unable to load the malicious .sys driver file.

@Windows_Security

Great!

 

@novirusthanks

Awesome just simply awesome. Excellent effort with SOB. I dribble over the tray icon alert too. Makes checking the screen all the time less tiresome. Let us know should you decide to throw in and enhance a form of an alert box option like ERP. In ERP it's absolutely phenomenal. Well thought out and so useful.

Whatta combo!

 

@novirusthanks

Is it possible for dll or .sys file to be installed surreptitiously (hidden) onto a system without an executable ? If that is indeed possible then I see the added value of SOB...

From what I understand, for a dll it simply requires install to System32 directory and then registration on the system with regsvr32.exe.

I am not too sure about .sys files. I thought the System32, SysWOW64 and Driver Locker directories were protected objects on Windows...

 

indeed , i had it enabled. now the exe is blocked as it should be. I thought Passive Logging was just for logging , missed that it let the exe run.

 

NVT's apps rock !

Using ERP on my main box and I am a happy user but I think the GUI needs some minor polishing (window sizes and layout) to make it close to perfect.

I've got licences for ERP, AppGuard and Sandboxie and I'm running these apps on old technology (netbook, CPU Atom N450, 2 gigs of RAM) so I'm always keeping an eye on resource usage.

At the moment the combo ERP/AG/SBIE is too demanding in this area, especially on my low end HW.
I really want to cut resource usage down and I am thinking of replacing ERP by SOB to start with.

Just downloaded the latest SOB and I will start testing soon.

 

Don't feel bad. I done the exact same thing when he released the passive logging version thinking I had the rulesets wrong.

It's gonna be a monumental setup when all the "granularity" rules are put all in their respective places. This is some pretty intense security

 

yes i was scratching my head for hours thinking "what i made wrongly..?"

indeed , we can already foresee the endless possibilities we may have.

 

@novirusthanks

Andreas,

Is SOB also capable of blocking OCX (active X) objects?

regards

Kees

 

@Windows_Security

Yes, it can do that, example:

@guest

Glad now it works.

@NT Five

If you need any help with SOB just post here so we can help.

@hjlbx

A DLL can be loaded also if placed in other folders, not only System32 folder, same for SYS files, some Anti-Rootkit software used to drop the driver file in Temp folder and load it from there.

SOB gives you total control about what is executed/loaded in the system, you just need to get used to how it works and then you should be able to create rules very quickly when needed.

 

@novirusthanks

Both of the above can only be accomplished by an executable... correct ?

 

@novirusthanks

Andreas the combinations are mindblowing, would you have a look at these rules to check whether I have applied them correctly.

Block DLL.DB
[%FILENAME%: *.dll] [%PARENTPROCESS%: *\chrome.exe] Block chrome loading dll's

Block PROCESS.DB
[%PARENT%: *\chrome.exe] %PARENT% VARIABLE NOT LONGER VALID?
[%PROCESS%: *] [%PARENTFILENAME%: chrome.exe] Block chrome starting other programs
[%PROCESS%: *\chrome.exe] [%PARENTPROCESS%: *] Block chrome being started by any program

Exclude BEHAVIORAL.DB
Allow chrome to load dll's signed by Google from Chrome folder
[%FILE%: %PROGRAMFILES%\Google\Chrome\*] [%SIGNER%: Google Inc] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe]

Allow chrome to load dll's signed by Microsoft from Windows folder
[%FILE%: %WINDOWS%\*] [%SIGNER%: Microsoft Corporation] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe]

Allow chrome to launch Google Update
[%PROCESS%: %PROGRAMFILES%\Google\Update\GoogleUpdate.exe] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe]

Allow chrome to be launched by explorer, delegate-execute and chrome
[%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe] [%PARENTPROCESS%: %WINDOWS%\explorer.exe]
[%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\*\delegate_execute.exe]
[%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe]

Allow GoogleUpdate (signed by Google) to run Google signed programs and dlls from TEMP folder
[%FILE%: %TEMP%\*] [%SIGNER%: Google Inc] [%PARENTFILENAME%: GoogleUpdate.exe] [%PARENTSIGNER%: Google Inc]
[%PROCESS%: %TEMP%\*] [%SIGNER%: Google Inc] [%PARENTFILENAME%: GoogleUpdate.exe] [%PARENTSIGNER%: Google Inc]

 

@novirusthanks

Andreas, two questions:
1. Would it also be possible to add comment lines in the config files (e.g. lines starting with ; )?
2. Could you add the %Downloads% variable for the downloads directory?

Thx Kees

 

this is a keeper.and easy enough to set up.cheers and keep up the great work...Thanks to all that posted there config's

 

@Windows_Security

The rules are all correct.

The variable should be %PARENTPROCESS%

Sure, we are adding it.

I think it is better to write it like this:

So it handles \Downloads\ folder for both XP and Vista+ OS, example:

@hjlbx

Correct, however, if a process is already started, it can be exploited to load new DLLs and with SOB you can control it.

Check this rule wrote by @Windows_Security:

With SOB you can also monitor/control loading of Active X (OCX) files.

You have really more control, as you do not have to worry about checking command-line for regsvr32, rundll32, etc you control the modules to be loaded.