Smart Object Blocker (Block EXE, DLL, Drivers)

Discussion in 'other anti-malware software' started by novirusthanks, Jul 29, 2015.

  1. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Any news (next release)?
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Should be released soon, can't say an exact date for now.

    Nope, it's a direct memory write and not a DLL on disk. Windows stores no file information on it (no name etc).
    Microsoft's definition of DLL injection is what we block, the file must be on disk for LoadLibrary variants to load it.
    Trying to detect executable memory access that we'd label malicious would be a nightmare full of false positives.
     
  3. Okay,

    Always good to stick your stronghold

    Thx
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    When will you implement a user friendly GUI? I would love to be able to block DLL injection and driver loading, but then with an alert window like in ERP.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Well, it can be done. Eset's HIPS process modification function for example monitors these API calls:

    VirtualAllocEx/VirtualFreeEx
    WriteProcessMemory
    CreateRemoteThread
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Count EASTER in on the GUI support feature. An alert function like in ERP would be the visual icing on the cake IMO.
     
  7. guest

    guest Guest

SoB definitely needs a GUI, it is too boring to type rules, especially if you have many softs...
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Yup, I'm stuck with it, the lack of a nice GUI is painful lol
Same goes for SOB's rival: Bouncer.

    Moreover, I want to see ERP to evolve or rest peacefully once and for all and SOB to shine with a nice GUI if it's going to be an ERP on steroids.

    I'm with @guest : no GUI = boring and frustrating to configure.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes exactly, and we all know that Andreas has the skills to do it, ERP is one of the best apps ever.
     
  10. guest

    guest Guest

No, we just need to buy him a large amount of coffee, he shouldn't be allowed to sleep until we have a GUI! :p

I totally agree.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'm in. You are receiving all this right Andreas? :rolleyes:
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I agree, you can also count me in. :D
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Wow it's got kind of quiet in here after that suggestion :oops:
     
  14. guest

    guest Guest

Yep, it was the "killing demand" :p
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @EASTER

    Even if I am quiet I always read the posts :)

    We'll think about the GUI, before that we want to release the new build that has many fixes and improvements.

We are busy with a few internal projects, will be more active very soon :)
     
    Last edited: Nov 23, 2015
  16. Andreas,

Could you share some information about the improvements?

Regards, Kees
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Sure, here it is:

The remaining bug to fix is the blocking of DLLs that are loaded by protected processes on Windows 8+.
     
  18. guest

    guest Guest

I think what is crucial right now, if not a real GUI, is at least a popup alert that creates rules in the meantime.
     
  19. Okay, thanks
Thanks for the info. Because protected objects are protected by internal mechanisms of the OS, it will be harder to tackle than the others. Maybe an idea to release a version with the other improvements so Wilders folks can test it?
     
  20. solhuebner

    solhuebner Registered Member

    Joined:
    Oct 9, 2013
    Posts:
    7
    Location:
    Malta
    Why is this in the Exclude\Lockdown\Process.DB?

    [%PROCESSCMDLINE%: *rundll32*Shell32.dll*Control_RunDLL*\*.exe*]
    [%PROCESSCMDLINE%: *rundll32*javascript:*]
    [%PROCESSCMDLINE%: *rundll32*;*eval*(*]
    [%PROCESSCMDLINE%: *vssadmin*Delete*Shadows*/All*/Quiet*]
    [%PROCESSCMDLINE%: *bcdedit*/set*recoveryenabled* No*]
    [%PROCESSCMDLINE%: *bcdedit*/set*bootstatuspolicy*ignoreallfailures*]
    [%PROCESSCMDLINE%: *bcdedit*-set*loadoptions*DDISABLE_INTEGRITY_CHECKS*]
    [%PROCESSCMDLINE%: *bcdedit*/deletevalue*safeboot*/set*safebootalternateshell*false*]

This does not make sense, or?

    As the same are under Block\Process.DB
    //Block command-line strings used by Cryptolocker family
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @solhuebner

Lockdown mode means "allow any process that matches the rules", so in the exceptions I added those bad command-lines as not-allowed, because if the user allows "C:\WINDOWS\*" then those command-lines would be allowed.
     
  22. solhuebner

    solhuebner Registered Member

    Joined:
    Oct 9, 2013
    Posts:
    7
    Location:
    Malta
    Yeah that makes perfect sense :)

Only one minor thing. I use a dual screen setup with the second screen above the first one. When I start your great program it always centers in the middle of the two screens, so that half the program is on one screen and the other half on the other one. Can you maybe just center it on one screen or remember the position from last time? Your program is very cool! Keep up the great work. And sorry for my question. After re-reading the manual it makes perfect sense...
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    No problem, you're welcome ;)

    I'll check the dual-monitor issue.
     
  24. solhuebner

    solhuebner Registered Member

    Joined:
    Oct 9, 2013
    Posts:
    7
    Location:
    Malta
    If it blocks something like this:

    [29-Nov-15 10:27:56] Blocked Process: C:\Windows\splwow64.exe
    Rule: [%PARENTPROCESS%: *\firefox.exe]
    Command Line: C:\WINDOWS\splwow64.exe 8192
    Process Id: 8788
    Parent Process Id: 4888
    Parent Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

    it would be nice if you could add a line how to whitelist this specific blocked action :)

    Kind regards
     
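Two points in this thread are worth seeing in code: the developer's explanation of Lockdown mode (a process runs only if it matches an allow rule and is not caught by one of the "not-allow" exceptions, which is why the Cryptolocker command-line patterns appear under Exclude\Lockdown\Process.DB), and the "Blocked Process" log entry solhuebner asks about. The following is an added example written for this page, not SOB's own code, and it only reproduces the rule syntax visible in the thread: `[%VARIABLE%: pattern]` with `*` as wildcard, using `%PROCESSCMDLINE%` and `%PARENTPROCESS%` from the posts above. The `%PROCESS%` variable for the executable path is an assumption made so the "allow C:\WINDOWS\*" case can be modelled; the sample events, the log text and the rule lists are constructed for the demo, with the exclusion lines copied from solhuebner's post.

```python
"""Toy evaluator for Smart Object Blocker-style rules (added example, not SOB code).

Rule syntax as seen in the thread:  [%VARIABLE%: pattern]   where '*' is a wildcard.
Lockdown mode as the developer describes it: a process is allowed only if it matches
an allow rule AND no exclusion rule; otherwise it is blocked.
"""
import fnmatch
import re

RULE_RE = re.compile(r"^\[%(?P<var>[A-Z]+)%:\s*(?P<pat>.*)\]$")


def parse_rule(line):
    """Return (variable, pattern) for one rule line, or raise ValueError."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule line: %r" % line)
    return m.group("var"), m.group("pat")


def rule_matches(rule, event):
    """Case-insensitive wildcard match of a rule against one field of an event."""
    var, pattern = rule
    value = event.get(var, "")
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def lockdown_decision(event, allow_rules, exclude_rules):
    """Lockdown-mode verdict.

    Returns ('allowed', allow_rule) when an allow rule matched and no exclusion did,
    ('blocked', exclude_rule) when an exclusion overrode the allow, and
    ('blocked', None) when nothing allowed the process in the first place.
    """
    allowed_by = [r for r in allow_rules if rule_matches(r, event)]
    if not allowed_by:
        return "blocked", None
    for r in exclude_rules:
        if rule_matches(r, event):
            return "blocked", r
    return "allowed", allowed_by[0]


def parse_block_log(text):
    """Turn a 'Blocked Process' log entry (layout copied from the thread) into an
    event dict keyed by the rule variables used above."""
    event = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if "Blocked Process:" in line:
            event["PROCESS"] = line.split("Blocked Process:", 1)[1].strip()
        elif line.startswith("Rule:"):
            event["RULE"] = parse_rule(line[len("Rule:"):])
        elif line.startswith("Command Line:"):
            event["PROCESSCMDLINE"] = line[len("Command Line:"):].strip()
        elif line.startswith("Parent Process:"):       # not "Parent Process Id:"
            event["PARENTPROCESS"] = line[len("Parent Process:"):].strip()
    return event


# Exclusion lines quoted in the thread (Exclude\Lockdown\Process.DB), constructed subset.
EXCLUDE_RULES = [parse_rule(l) for l in r"""
[%PROCESSCMDLINE%: *rundll32*javascript:*]
[%PROCESSCMDLINE%: *vssadmin*Delete*Shadows*/All*/Quiet*]
[%PROCESSCMDLINE%: *bcdedit*/set*recoveryenabled* No*]
""".strip().splitlines()]

# %PROCESS% is an ASSUMED variable name for the executable path (not on the page).
ALLOW_RULES = [parse_rule(r"[%PROCESS%: C:\WINDOWS\*]")]

# Constructed log entry, same layout as the one solhuebner posted.
SAMPLE_LOG = r"""
[29-Nov-15 10:27:56] Blocked Process: C:\Windows\splwow64.exe
Rule: [%PARENTPROCESS%: *\firefox.exe]
Command Line: C:\WINDOWS\splwow64.exe 8192
Process Id: 8788
Parent Process Id: 4888
Parent Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
"""


def demo_events():
    """Constructed events: one that the exclusions must catch even though the
    allow rule covers C:\\WINDOWS, one benign, one outside the allowed path."""
    return {
        "shadow_delete": {
            "PROCESS": r"C:\Windows\System32\vssadmin.exe",
            "PROCESSCMDLINE": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet",
            "PARENTPROCESS": r"C:\Windows\System32\cmd.exe"},
        "notepad": {
            "PROCESS": r"C:\Windows\notepad.exe",
            "PROCESSCMDLINE": r"C:\Windows\notepad.exe C:\Users\kees\notes.txt",
            "PARENTPROCESS": r"C:\Windows\explorer.exe"},
        "downloaded": {
            "PROCESS": r"C:\Users\kees\Downloads\setup.exe",
            "PROCESSCMDLINE": r"C:\Users\kees\Downloads\setup.exe",
            "PARENTPROCESS": r"C:\Windows\explorer.exe"},
    }


if __name__ == "__main__":
    for name, ev in demo_events().items():
        print(name, lockdown_decision(ev, ALLOW_RULES, EXCLUDE_RULES))
    logged = parse_block_log(SAMPLE_LOG)
    print("log rule matches event:", rule_matches(logged["RULE"], logged))
```

Running it shows the point of the exclusion list: `vssadmin.exe` lives under C:\WINDOWS and so passes the allow rule, but the command-line exclusion still blocks it, while notepad is allowed and a download outside the allowed path is blocked with no rule at all. The log parser confirms that the splwow64 event is matched by the `%PARENTPROCESS%` rule, so any whitelist entry for it would have to be narrower than that parent-process pattern.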