Smart Object Blocker (Block EXE, DLL, Drivers)

Discussion in 'other anti-malware software' started by novirusthanks, Jul 29, 2015.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    We have released a new program named Smart Object Blocker, it is on its first version:

    NoVirusThanks Smart Object Blocker is a valid approach to prevent malware and rootkit infections without requiring virus signatures or updates. It monitors in kernel-mode all processes, dlls and drivers loaded in the system, best bulletproof protection. The program is very stable and resources-friendly, you’ll not even notice it is installed in the system. With this awesome program you can create a whitelist and block all the rest (Lockdown Mode) or you can create a blacklist (Behavioral Mode), with support for exclusions, to block only specific objects. Block DLL injections. Supports all Microsoft Windows OS (32/64-bit).

    http://www.novirusthanks.org/products/smart-object-blocker/




    You should read the Readme for a basic usage guide:

    For ERP users, this is an enhanced ERP with no GUI controls, no alert mode, but with "only" Lockdown Mode and Behavioral Mode (with support for exclusions), plus it can monitor DLLs and drivers, so it is a very complete protection. You can create very smart rules, filtering almost every field of the to-be-loaded object (process, command line, hash, parent process, etc.) with support for mixing/grouping rules; for example, you can allow Firefox to execute processes located in a particular folder, signed by a trusted vendor, and that match a specific command-line string. Moreover, you can easily share/combine rules with other users, thanks to the custom environment variables and aliases that we have created. Check the product page for more information.

    Basic usage: install the program, by default it is set to "Behavioral Mode", click the button "Block Rules" to edit the rules to block specific processes, dlls, drivers.

    Feedback is of course welcome :)
     
    Last edited: Jul 30, 2015
  2. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,764
    Location:
    Mexico
    Thank you very much. This is impressive and looks promising.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    Sounds like the type of application I have been looking for! Andrea, now we know where you have been. You have been busy developing a new application on top of the many you have already developed.
     
  4. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    Nice and perfect timing! While I haven't ended up using the other products you've made available (there was one cancelled 32-bit one I used for a short time, though I don't recall its name), this one sounds great; it *might* even be able to replace my HIPS, as it sounds as if it would help protect me against the things I am actually concerned with anyhow. I assume it works with W10? /crosses fingers.... If so I'll certainly test it out (to see if it behaves as expected on W10) and you'll likely have a convert on your hands.
     
    Last edited: Jul 29, 2015
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    There's no tray icon. Will it notify me if it blocks something?
     
  6. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    In the readme, it says this...


    ProtectionDisabled = n --> It means the protection is enabled

    ProtectionDisabled = n --> It means the protection is disabled

    is this right?
     
  7. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    1] When an object is blocked, there is no alert as of now, so check the program's GUI, there are displayed all blocked objects
     
  8. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    For quite some time, I've been using NVT ERP and NVT DRP, and have been extremely happy with both of them. It sounds like Smart Object Blocker would replace both of these -- right?

    Should I decide to move to SOB, would I first uninstall ERP and DRP? And is there a way to import all of the ERP lists and settings -- and the DRP Whitelists into SOB?
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    Thank you. I had just found that in the readme file, and was about to say disregard my post. Maybe your post will keep other users from asking the same question.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    I was wondering the same thing. It says the same thing for each, or am I overlooking something?
     
  11. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,764
    Location:
    Mexico
    Pretty sure it's a typo... ;)
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,627
    Location:
    Toronto, Canada
    This is really quite intriguing and interesting. I really like the idea behind this and will continue to follow development.

    @novirusthanks
    Congrats on another awesome kernel-mode program. Are the intentions for this program to remain free or potentially a paid product?
     
  13. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    seems like it would be better as an enhanced ERP than a new program entirely unless there is some reason not to do this
     
    Last edited: Jul 29, 2015
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    It seems similar to a policy based anti-executable I use called Bouncer, but harder to configure. Is there somewhere I can get more instructions on how to set this up? I'm not understanding the read me file very well. I would like to see more example rules.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    This was already mentioned above by infected, but shouldn't one of the following below say ProtectionEnabled = y? The following below came directly from the readme file.
     
  16. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,764
    Location:
    Mexico
    I believe it is:
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    Edited: Disregard. I thought it looked backwards initially, but maybe it is not. It's still wrong in the readme file.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Got to give this a try. Thanks Andreas.
     
  19. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,066
    Location:
    Netherlands
    @novirusthanks

    I noticed a strange behaviour, try this

    Start a program from a blocked location: it blocks (as expected)
    Start same program from an allowed location: it allows (as expected)
    Start same program from the blocked location: it allows (strange)

    After restarting Smart Object Blocker, it blocks the program again.
     
    Last edited: Jul 30, 2015
  20. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,066
    Location:
    Netherlands
    @novirusthanks

    Tried it with these settings, so you can replay the strange behaviour of the above post.

    Behavioral Mode - protection ON

    I allow right-click admin (SRP) to install from the TEMP directory; with Smart Object Blocker I want to close that to trusted publishers only (set and forget), so I added a block rule for %TEMP%* for processes, drivers and DLLs, with an exclusion for trusted publishers.

    I also want to use Smart Object Blocker as vulnerable-program hardening for Chrome, Outlook and Windows Media Player, so I added block rules for the parent process (the allowed publisher Google Inc probably allows Chrome to start Chrome sub-processes).

    Exclude Rules
    [%PUBLISHER%: Microsoft Corporation]
    [%PUBLISHER%: Google Inc]
    [%PUBLISHER%: Intel Corporation - Software and Firmware Products]
    [%PUBLISHER%: Surfright B.V.]


    Block Rules - Process
    [%PROCESS%: %TEMP%*]
    [%PARENT%: *\chrome.exe]
    [%PARENT%: *\OUTLOOK.exe]
    [%PARENT%: *\wmplayer.exe]

    Block Rules - Driver
    [%FILE%: %TEMP%*]

    Block Rules - DLL
    [%FILE%: %TEMP%*]
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    @Cutting_Edgetech @Infected

    Yes, it is a typo, the correct text is this:

    I'm improving the txt files to explain more about its usage. I'll also make a video in case.

    @TomAZ

    SOB should be used without ERP or DRP installed, but wait a few more versions before using SOB in production.

    @syrinx

    Yes, SOB supports Win XP through Win 10.

    @Snoop3

    This is a completely different product, we'll keep it extremely clean/simple without GUI controls/configurations, all will be handled by INI files for settings and .DB files for rules.

    @Windows_Security

    The rules seem correct, I'll try to replicate your behaviour.
     
    Last edited: Jul 30, 2015
  22. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    It sure does, just missing a ripper user manual!
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Hi Andreas

    Are you saying this new program shouldn't be run with ERP?

    Pete
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    @Windows_Security

    I tested now your configuration, and here is what I did:

    1) I placed "nvtfg.sys" (kernel-mode driver of File Governor) on Temp folder
    2) I placed "7-zip.dll" (dll related to 7-Zip) on Temp folder
    3) I placed "NOTEPAD.EXE" (that has file publisher as Microsoft Corporation) on Temp folder
    4) I placed "sfcfiles.dll" (that has file publisher as Microsoft Corporation) on Temp folder

    Then to test SOB I did this:

    1) I opened cmd.exe
    2) I tried to load "7-zip.dll" with regsvr32.exe -i <dll> and it was blocked (as expected)
    3) I tried to load "sfcfiles.dll" with regsvr32.exe -i <dll> and it was allowed (as expected) -> matches file publisher in Exclude.DB
    4) I tried to execute "NOTEPAD.EXE" and it was allowed (as expected)
    5) I tried to load "nvtfg.sys" with Kernel-Mode Driver Loader and it was blocked (as expected)

    This is a screenshot of the blocked objects: http://postimg.org/image/kgf12uywb/

    Do you have more info to replicate the strange behaviour ?

    @Peter2150

    Using SOB with ERP is redundant, because they use the same method to monitor processes: ERP would be the first to detect the process execution, and then SOB would filter the execution. So, for example, if you allow the process with ERP, before the process is fully executed SOB will re-check it with its own rules, and based on SOB's rules it may be allowed or blocked, while in ERP you would see the action (allowed/blocked) that was selected in ERP (so it may not be true due to SOB's re-check). However, you may use SOB with ERP if you plan to use SOB only to monitor DLLs and drivers.
     
    Last edited: Jul 30, 2015
  25. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,066
    Location:
    Netherlands
    [30-7-2015 14:28:40] Blocked Process: C:\Users\Desktop\AppData\Local\Temp\AppTimer.exe
    Rule: [%PROCESS%: C:\Users\Desktop\AppData\Local\Temp*]
    Command Line: "C:\Users\Desktop\AppData\Local\Temp\AppTimer.exe"
    Process Id: 3416
    Parent Process Id: 1956
    Parent Process: C:\Windows\Explorer.EXE


    Next run AppTimer from folder C:\Program Files\Utilities\AppTimer as expected allow

    Run again from C:\Users\Desktop\AppData\Local\Temp\AppTimer.exe and it allows it

     