Smart Object Blocker (Block EXE, DLL, Drivers)

Yes also for other (limited) users.

 

@novirusthanks:
Is it ready to run with the default settings ?
Does it make sense to install it with NVT EXPro ? Let me know thank you

 

+1

 

2nd answer can be found in one of the 9 pages of this thread, or in the ERP thread... the 1st one I haven't paid too much attention to yet; still reading through AppGuard thread.

 

-- Just installed and testing SOB and in it's default settings it's good to go BUT you have to tweak it more specifically for your usage. Like when you want to restrict something that run's automatically or stop an application from starting another. In NVT you can't stop that application trigger (stop an application from starting another) but in SOB you can via a rule like,

If that capability can be emrged with NVT then it would be one awesome app!

Have not actually ran both NVT and SOB at the same time though. I am tempted but as of the moment I have KasperskyPure 3 with NVT in one partition and testing SOB with Avast Premier.

I'll share if ever I make that decision here.

 

I will be waiting until the next release, hope that it comes soon.

 

@novirusthanks

Andreas,

In the defaults for %FILEPATH% you sometimes use only \ after variables and sometimes \* is that done for any reason?

As far as I understand for FILEPATH, PROCESSPATH etc only last backslash would be enough (why add the asterix)?

Thx Kees

 

@Windows_Security

[%FILEPATH%: %ROOT%\] -> Matches only C:\, not sub-folders
[%FILEPATH%: %ROOT%\*] -> Matches C:\ and any sub-folder, example C:\Example\, C:\Test\Path\, etc

The "*" means any character and any length.

@constantine76

Feel free to post here feedbacks

@Ashanta

SOB can be of help also with default settings.

You may want/need to edit them or create new one based on your needs.

 

Hi, @novirusthanks .
Here I have a problem in preventing DLLs with SOB.
Suppose that we have an exe file "CallDll.exe" and a dll file "HelloDll.dll".
The exe file will load the load the dll file.
I have tried the following three different rules in the Behavioral mode, but with any of them, the function in the dll file is still carried out successfully.

How to make a correct rule to block the dlls?
Thanks.

 

Released a new version v1.2:
http://www.novirusthanks.org/products/smart-object-blocker/

@Online_Sword

Try now, it should work. Here are the rules that can be added to \Block\DLL.DB file:

Any of the 3 rules should work fine.

 

Hi, @novirusthanks .
Thank you for your reply and the new version.
I have installed the new version. The timestamp of the digital sign is Oct 8, 2:15:26.
But even with the new version, I still cannot prevent my dll in the Behavioral mode with any of the three rules above...
In addition, I cannot block this dll in the Lockdown mode either, as long as the exe file that calls the dll file is whitelisted.
Would you have time to test my dll? I can send my test files to you.

 

Hi, Pete.
Well, since SOB is designed to have the capability of preventing DLLs, naturally I hope to test it. In George Mallory's word, "Because it's there".
So maybe you need to talk with Andreas rather than me on the significance of blocking dlls.
Then, how to only test the capability of preventing dlls? In my opinion, it is obvious that we need to whitelist the exe file in the test. Only in this way could we confirm whether the DLL (not the EXE) is properlly handled by the rules written in DLL.DB.
I mean, of course SOB has the capability of blocking EXE files. But, the object that I want to test here, is DLL, not EXE. So, we should isolate exe file from this experiment, which means we should whitelist it. I think isolation is a normal approach in scientific experiments. It can help us to focus on the object that we are interested in.

 

Isolation is the key with everything computer-based. I applaud your approach so far, trying to use SOB purely for DLL purposes. I am heading down that path too; start with a backup of my PC once I've set up AppGuard, and then remove AppGuard to see how ERP for exe, SOB for dll and DRP for driver pans out. Transparency, isolation, accountability and piss easy to troubleshoot.

 

@Online_Sword

Can you send me the files you used in your tests ?

I tried it now and it works fine:

 

Thank you for your reply.
I have sent the download link of the test files to you via PM.

 

Malware Defender and Software Restriction Policy don't block it either.

 

Fine but how about this:
https://www.wilderssecurity.com/thre...and-software-could-break-by-years-end.380509/

 

@Mister X Good point there, I was reading that Ars Technica article this morning as well.

 

I posted this one in behalf of a friend(wanted to post it here himself but still did not get an email from the admins). I actually tried this one on my own partition using Acronis Universal Restore so I can have the same partition on my vacant one. Have succeeeded certain issues he encountered with SOB like blocking opera-autoupdate.exe each time opera.exe runs and blocking specific access to drives but I had more questions. I am still learning the rules creation so pardon me if they are wrong. Might you check them out please.

1. Applied created block rules via the rule with grouping: [%PROCESS%: *\xxxx.exe][%PARENTPROCESS%: *\xxxx.exe]. No deletion of default rules for opera.exe in Behavioral_Block_Process.DB / Exclude_Behavioral_Process.DB.

Created block rule applied,

No blocks. Opera.exe connected to the internet normally with opera_autoupdate.exe and opera_crashreporter.exe.
See image:

xttp://imgur.com/nhhAaO6.png


2. Applied created block rules plus deleted default rules for opera.exe in Behavioral_Block_Process.DB. Retained default rules for opera.exe in Exclude_Behavioral_Process.DB. Take note of rule via the rule with grouping: [%PROCESS%: *\xxxx.exe][%PARENTPROCESS%: *\xxxx.exe]

Created block rule applied,

with deletion of default rules for Behavioral_Process.DB,

No blocks. Opera.exe connected to the internet normally with opera_autoupdate.exe and opera_crashreporter.exe.

See image:

xttp://imgur.com/RUdonkD.png


3. Applied created block rules plus deleted default rules for opera.exe Exclude_Behavioral_Process.DB. Retained default rules for opera.exe in Behavioral_Block_Process.DB. Take note of rule via the rule with grouping: [%PROCESS%: *\xxxx.exe][%PARENTPROCESS%: *\xxxx.exe]

Created block rule applied,

with deletion of default rules for Exclude_Behavioral_Process.DB,

See image:

xttp://imgur.com/lCtlLoJ.png

SOB blocked opera.exe and opera_autoupdate.exe. Opera.exe also did not run normally. See SOB log below:

4. Applied created block rules plus deleted default rules for opera.exe in Behavioral_Block_Process.DB / Exclude_Behavioral_Process.DB. Take note of rule via the rule with grouping: [%FILENAME%: xxxx.exe][%FILEPATH%: C:\Program Files (x86)\xxxx\xxxxx xxxxx xxxx\*]

Created block rule applied,

Deletion of default rules for Behavioral_Process.DB / Exclude_Behavioral_Process.DB in place,

SOB did not block "opera_autoupdate.exe" and "opera_crashreporter.exe".

See image:

xttp://imgur.com/bZsz4CD.png


5. Applied created block rules plus deleted default rules for opera.exe in Behavioral_Block_Process.DB / Exclude_Behavioral_Process.DB. Take note of rule via the rule with grouping: [%PROCESS%: *\xxxx.exe][%PARENTPROCESS%: *\xxxx.exe]

Created block rule applied,

with deletion of default rules for Behavioral_Process.DB / Exclude_Behavioral_Process.DB,

See image:

xttp://imgur.com/rk6thzA.png

SOB blocked opera_autoupdate.exe / opera_crashreporter.exe while opera.exe ran normally. See SOB logs below.

6. Applied created block rules plus deleted default rules for opera.exe Exclude_Behavioral_Process.DB. Retained default rules for opera.exe in Behavioral_Block_Process.DB. Take note of rule via the rule with grouping: [%FILENAME%: xxxx.exe][%FILEPATH%: C:\Program Files (x86)\xxxx\xxxxx xxxxx xxxx\*]

Created block rule applied,

with deletion of default rules for Exclude_Behavioral_Process.DB,

See image:

xttp://imgur.com/lIjYe4G.png

Same behavior/observation as of #3. SOB blocked opera.exe and opera_autoupdate.exe. Opera.exe also did not run normally. See SOB log below:

7. Applied created block rules plus deleted default rules for opera.exe in Behavioral_Block_Process.DB. Retained default rules for opera.exe in Exclude_Behavioral_Process.DB. Take note of rule via the rule with grouping: [%FILENAME%: xxxx.exe][%FILEPATH%: C:\Program Files (x86)\xxxx\xxxxx xxxxx xxxx\*]

Created block rule applied,

with deletion of default rules for Behavioral_Process.DB,

Same behavior/observations as of #2. No blocks. Opera.exe connected to the internet normally with opera_autoupdate.exe and opera_crashreporter.exe.

See image:

xttp://imgur.com/DyaLT5C.png

Based on the observations above. Both #2 and #7 gave the same results. Also with #3 and #6.

The only effective method to block opera_autoupdate.exe / opera_crashreporter.exe without affecting performnce of opera.exe is #5. By applying,

[%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
[%PROCESS%: *\opera_crashreporter.exe][%PARENTPROCESS%: *\opera.exe]

with deletion of default rules for Behavioral_Process.DB / Exclude_Behavioral_Process.DB,

Now I do not know why did #4 failed using rule grouping, [%FILENAME%: xxxx.exe][%FILEPATH%: C:\Program Files (x86)\xxxx\xxxxx xxxxx xxxx\*].

Ain't it supposed to be the same with #5...?


8. Block specific file type from executing

Are there only specific file types that SOB can block? I ask because I tried to block certain file types and the only ones that I have blocked successfully are all .exe. File types that I have tried so far are video files of .mp4, .avi, .wmv, .html and .txt. I have had no success with all mentioned.
The rules that were created to block the file types I mentioned are below. Can you check them out if they are correct?

//Block a file type from executing
[%FILENAME%: *.avi][%FILEPATH%: *]
[%FILENAME%: *.mp4][%FILEPATH%: *]
[%FILENAME%: *.wmv][%FILEPATH%: *]
[%FILENAME%: *.txt][%FILEPATH%: I:\VLCPortable\*]
[%FILENAME%: *.html][%FILEPATH%: I:\VLCPortable\*]
-- Did not work. These despite the removal of Allow Default rules in Process.DB / Drivers.DB / DLL.DB,

//Block specific video file Terminator2_JudgementDay.mp4
[%FILENAME%: Terminator2_JudgementDay.mp4][%FILEPATH%: L:\My Videos]
[%FILENAME%: Terminator2_JudgementDay.mp4][%FILEPATH%: D:\My Videos]
-- Did not work. Double clicking the file will launch the default video player which is PotPlayerMini.

//Block VLCPortable.exe from accessing files in L:\My Videos or D:\My Videos
[%PROCESS%: *\VLCPortable.exe][%FILEPATH%: L:\My Videos\*]
[%PROCESS%: *\VLCPortable.exe][%FILEPATH%: D:\My Videos\*]
--Did not work. File accessed via the VLCPortable Media>Open file> "file path".

//Block specific video file from being accessed by default player
[%FILENAME%: Terminator2_JudgementDay.mp4][%PROCESS%: *\PotPlayerMini.exe]
[%FILENAME%: Terminator2_JudgementDay.mp4][%PARENTPROCESS%: *\PotPlayerMini.exe]
[%PROCESS%: *\PotPlayerMini.exe][%FILEPATH%: D:\My Videos]
-- Did not work. Double-clicking launch the default player. Accessing the file from the PotPlayerMini.exe gui (Add> "file") was also led to the file being played.

//Block specific video file from being accessed by video player
[%FILENAME%: Return.to.Sender.2015.BRRip.XviD.AC-EVO.avi] [%PARENTPROCESS%: *\VLCPortable.exe]
[%FILENAME%: Return.to.Sender.2015.BRRip.XviD.AC-EVO.avi] [%PROCESS%: *\VLCPortable.exe]
-- Did not work. The file was played via the "right-click>Open With>VLCPortable". File as also accessed via the VLCPortable Media>Open file> "file path".

//Block VLCPortable.exe
[%PROCESS%: *\VLCPortable.exe]
--WORKED. But it will just deter me from using VLCPortable.exe. This is also the same if I use, "[%PROCESS%: *\VLCPortable.exe][%FILEPATH%: *]"..correct..?

//Block VLCPortable.exe
[%PROCESS%: *\VLCPortable.exe][%FILEPATH%: *]
--WORKED. Copy/paste the VLCPortable folder to a different location outside the main partition and tried to double-click the "VLCPortable.exe" from there. Removed default Allow Rule "[%FILEPATH%: %PROGRAMFILESX86%\*\*]" in Process.DB. SOB blocked it.

SOB Log:

//Block specific file from being accessed bu default player(.wmv)
[%FILE%: I:\New folder\Wildlife.wmv]
[%FILENAME%: Wildlife.wmv][%FILEPATH%: I:\New folder\]
[%FILENAME%: Wildlife.wmv][%PROCESS%: *\wmplayer.exe]
-- Did not work even if you remove default Allow Rule "[%FILEPATH%: %PROGRAMFILESX86%\*\*]" in Process.DB and copy/paste Wildlife.wmv to a different folder outside the main partition (I:\New folder\). Double-click will launch the file in wmplayer.exe. File can also be accessed via the Windows Media Player gui.

9. Tried these rules below to restrict access to drives or any file in stated drives.


//Block access to anything on stated specific drives:

---WORKED ONLY ON .EXE FILES. MS Office 2013 files, video files, .txt files, .html files, also were not blocked by SOB.

Now I have observed that with the rules created above and I continue to block Kingsoft applications in D:\Program Files (x86) SOB seemed to stop functioning. et.exe -- Kingsoft Spreadsheets 2013, wpp.exe Kingsoft Presentation 2013 and wps.exe -- Kingsoft Writer 2013 did not launch but that was as far as I can go. No logs were seen. Any files that I wanted to run like CCleaner or Process Hacker portable all within the main partition did not run. I can't even restart the pc so I had to use the restart button on the desktop. After restart, I could now block the remaining. See logs after "[10/16/2015 8:14:28 PM]".

Then a funny thing happened as I tried to launch CCleaner.exe / HitmanPro.exe / Cyberfox.exe in D:\Program Files. All were blocked but no logs and pop-up were seen. Then tried to launch Process Hacker Portable in the main partition but the same thing happened. Can't launch anything in C:\. Had to restart using the restart button on the desktop again.

 

We are working on SOB to fix one issue identified only in Windows 8\10 OS (related to dll injection monitoring) and we're adding many improvements, hope to have the new build ready in one week.

@constantine76

1. + 2.

That is because in the Exclude\Behavioral\Process.DB there are references of Opera digital signature "Opera Software ASA" and\or process names "opera.exe". SOB first checks for exclusions, and then check the block or allow rules (Behavioral or Lockdown). Your rule should work fine only if you delete the rules related to Opera in the Exclude rules or you need to restrict the Exclude rules.

3.

That may be related to the fact that you block all the executions from "opera.exe" as parent process, but opera.exe may be able to run if you double click on it because it is started for the first time by explorer.exe (not by opera.exe itself). After the first time opera.exe is executed, I see it tries to re-execute itself but that executions are blocked by SOB as opera.exe is now the parent process too.

5.

Correct, that rules work fine.

There may be a bug on SOB when parsing vars like %FILENAME% or %FILEPATH% for Process.DB, I'll check this. It is also possible that Opera needs some specific rules caused by the need to run as parent process some of its processes, I'll have to check this too.

You can't block file types with SOB that way, you need to filter the %PROCESSCMDLINE% variable, because when you run a .AVI file with VLC, I think VLC is started with the .AVI file as parameter, example:

SOB does not monitor for file access but just for process executions, dll injection and loading of kernel-mode drivers. However, you may allow\block what files are opened with specific processes by filtering the command-line of specific processes (video players, audio players, documents, notepad, etc).

Same as before, SOB doesn't monitor file accesses but you can instead filter process command-lines.

I'll show more examples after we've released the new SOB version

 

@novirusthanks

Andreas, any news on the next release?

I was wondering whether SOB also protects against reflective DLL-injection?

Regards Kees

 

Additionally add remote shellcode injection and process hollowing methods.