Smart Object Blocker (Block EXE, DLL, Drivers)

Discussion in 'other anti-malware software' started by novirusthanks, Jul 29, 2015.

  1. solhuebner

    solhuebner Registered Member

    Joined:
    Oct 9, 2013
    Posts:
    7
    Location:
    Malta
    And a second idea:
I think it would be better to rename the "Exit" button to "Close" or "To tray"... and only exit the program if you right-click on the icon and choose Exit.
It is too easy at the moment, as there is also no question asking if you really want to. After looking up a blockage, I somehow always tend to press "Exit" to close the window ;)
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Released a new version of SOB v1.3:

    http://www.novirusthanks.org/products/smart-object-blocker/

[Image: smart-object-blocker-gui.png]

The interface should now be simpler than in the first version: you click on Edit Rules, a popup is displayed, and you select which rules to edit (Processes, DLLs, Drivers); the same goes for Exclusions. When you are in Behavioral Mode, Edit Rules and Exclusions let you edit Behavioral Mode-specific rules; when in Lockdown Mode you edit Lockdown Mode-specific rules. We have removed the *MD5* variables\aliases, so it now uses only SHA1 and doesn't need to compute MD5 hashes (better for performance), and it now uses a caching system.

    @solhuebner

    I updated the Exclusions rules for Behavioral Mode to allow Firefox to spawn splwow64.exe, this is the rule I added on \Exclude\Behavioral\Processes.DB:

     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Many thanks.
     
  4. guest

    guest Guest

    thanks !

    Sandboxie generates this alert:

    Code:
    [04-Dec-15 14:27:21] Blocked Process: C:\Program Files\Sandboxie\SandboxieCrypto.exe
    Rule: [%PARENTPROCESS%: *\chrome.exe]
    Command Line: "C:\Program Files\Sandboxie\SandboxieCrypto.exe"
    Process Id: 6704
    Parent Process Id: 6696
    Parent Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    
     
    Last edited by a moderator: Dec 4, 2015
  5. @novirusthanks

    Andreas,

I tried V 1.3; Chrome took very long to start, so I uninstalled SecureFolders on my desktop (no other security software running). Again Chrome took very long to start. This did not occur with previous versions. When you have a debugger/logger version of SOB, I am willing to install it to find out why SOB slows down the startup of programs.

    regards Kees
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    I want to know why SmartObjectBlocker.exe won't run at startup, I set:
    AutoStartWithWindows = y

Or is another component supposed to run at startup? If so, which one?
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
Like @guest, SOB logs:
    Code:
    -= Passive Logging =-
    
    
    [04-Dec-15 2:34:58 PM] Blocked Process: C:\Program Files\Sandboxie\SandboxieCrypto.exe
    Rule: [%PARENTPROCESS%: *\chrome.exe]
    Command Line: "C:\Program Files\Sandboxie\SandboxieCrypto.exe"
    Process Id: 1260
    Parent Process Id: 1028
    Parent Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    
    
    -= Passive Logging =-
    
    
    [04-Dec-15 2:36:23 PM] Blocked Process: C:\Program Files\Sandboxie\SandboxieCrypto.exe
    Rule: [%PARENTPROCESS%: *\skype.exe]
    Command Line: "C:\Program Files\Sandboxie\SandboxieCrypto.exe"
    Process Id: 1856
    Parent Process Id: 5840
    Parent Process: C:\Program Files (x86)\Skype\Phone\Skype.exe
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Mister X @guest

    Click on Exclusions -> Processes and add these rules:

    [%PARENTPROCESS%: *\skype.exe] [%FILE%: %PROGRAMFILES%\Sandboxie\SandboxieCrypto.exe]
    [%PARENTPROCESS%: *\chrome.exe] [%FILE%: %PROGRAMFILES%\Sandboxie\SandboxieCrypto.exe]

    Let me know if that works.

Did you restart SOB after changing the settings?
It uses Task Scheduler to start up; make sure the Task Scheduler service is running.

    @Windows_Security

Strange. If you re-run Chrome, is it slow to start?
     
  9. guest

    guest Guest

It works, thanks Andreas ;)

I set it to Lockdown mode, since most of my apps are portable, so I just create a file path rule to allow them :D

Another question: if I want to add vendors in exclusions, are those lines still correct?

    Process Exclusions:

    [%FILE%: %TEMP%*] [%PUBLISHER%: name of vendor]
    [%PROCESS%: %TEMP%*] [%PUBLISHER%: name of vendor]


    @Windows_Security

Did you create some new tweaks for SoB? I remember you made a thread detailing your rules; any updates?
     
    Last edited by a moderator: Dec 4, 2015
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Yes, all of the above is solved. Thanks.
Is it normal to need to add those lines to Exclusions -> Processes?
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    @novirusthanks
I'm experiencing the same in Chrome, especially the home page loading, and sandboxed (Sandboxie).
     
  12. @novirusthanks

    Just first start-up. Do you use a different technique to include SOB dll? EMET-DLL for instance used to load a lot slower than the MBAE-DLL.

    Using browser feels the same, just startup is a lot slower (cold from <1 second to over 4 seconds, warm from < 0.5 to over 3).

    @Mister X
Thanks for confirming, good to know I am not alone :thumb:
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
Good for you that you only have a few seconds' delay. In my case (using an HDD) it takes countless seconds to show the home page, although browsing is somewhat smooth as usual.
For Sandboxie to work along with MBAE, SOB and ERP, I use their respective templates Sandboxie-wide, not just for one or two sandboxes.
SOB is in Behavioral Mode but still slows things down...
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    :thumb:
     
  15. solhuebner

    solhuebner Registered Member

    Joined:
    Oct 9, 2013
    Posts:
    7
    Location:
    Malta
    Thank you for the new release :)
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @Mister X @Windows_Security

The new SOB version filters any DLL file; the old version did not filter DLLs located in the \Program Files\* folder.
Can you try to whitelist the folder(s) where Chrome's DLLs are located? Something like this:

    [%FILE%: %PROGRAMFILES%\Google\Chrome\*]
    [%FILE%: %APPDATA%\Local\Google\Chrome*]
    [%FILE%: %LOCALAPPDATA%\Local\Google\Chrome*]

    You can add additional checks of course.
     
  17. @novirusthanks

Andreas, in my case that is not likely to make a difference.

I ran the previous version with the DLL filter for Chrome set to:
- only allow Google-signed DLLs from the Chrome folder
- only allow Microsoft-signed DLLs from the Windows folder

So if the filtering of DLLs were the problem, the previous version should also have loaded slowly, IMO.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    If I was a wagering type I would have to almost bet and then raise again that there is a nice GUI being experimented on for this beauty.
     
  19. TestPersonX

    TestPersonX Registered Member

    Joined:
    Jul 13, 2009
    Posts:
    39
    Location:
    Germany
    Three short questions:

1. I would really love it if you'd introduce a button within the "GUI" to quickly enable/disable the protection on the fly. E.g. when blocking all exe files in Temp folders, I want to be able to quickly disable protection for installations etc... I mean I could also kill the process, but that would yield more overhead than a simple IF condition for global checks within the code.

2. Is there any sort of self-defense? Or would it be that simple for any malware to kill the process from the Task Manager? I know that by blocking all exe files from starting, the possible malware/ransomware should not even be able to kill any process, but still I'd like to see some self-defence, just to feel more comfortable with it.

3. Did anybody already implement some rules specifically made for ransomware? The rules presented by Windows_Security seem way too restrictive for me (starting with blocking ALL DLLs and then slowly whitelisting your applications). I'd rather cover only 95% of all security holes, and therefore only use FEW globally applicable rules which are rather easy to maintain.
    EDIT: I did it myself the following way blocking processes:

    [%PROCESS%: %TEMP%*] Blocks startup of all temporary folder
    [%PROCESS%: %LOCALAPPDATA%*]
    [%PROCESS%: %APPDATA%*]
    [%PROCESS%: C:\users\%PCUSERNAME%*]

    with those exclusions:

    // Dropbox / Spotify allowed to execute from AppData:
    [%PROCESS%: %APPDATA%\Dropbox\bin\Dropbox.exe] [%FILEPUBLISHER%: Dropbox, Inc.]
    [%PROCESS%: %LOCALAPPDATA%\Dropbox\Update\DropboxUpdate.exe] [%FILEPUBLISHER%: Dropbox, Inc.]
    [%PROCESS%: %APPDATA%\Spotify\Spotify*.exe] [%FILEPUBLISHER%: Spotify Ltd]


    4. What is this:

    [04.01.2016 10:23:20] Blocked Process: C:\Windows\SysWOW64\WerFault.exe
    Rule: [%PARENTPROCESS%: *\chrome.exe]
    Command Line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 608
    Process Id: 4452
    Parent Process Id: 1480
    Parent Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
?? WerFault seems to be some error reporting, but Chrome didn't crash or anything like it... Normal usage without any problems :eek:
     
    Last edited: Jan 4, 2016
Tested V1.3 with the same ruleset as V1.2; realized that when running 1.2 I was on Windows 7, and with 1.3 on Windows 10.
     
  21. TestPersonX

    TestPersonX Registered Member

    Joined:
    Jul 13, 2009
    Posts:
    39
    Location:
    Germany
Devs: Could you please implement some sort of prioritisation of rules?
    E.g.:

    I have those exception rules (your default ones):
    [%PROCESS%: %WINDOWS%*] [%FILEPUBLISHER%: Microsoft Corporation]
    [%FILE%: %WINDOWS%*] [%PUBLISHER%: Microsoft Corporation]


But I have one more specific block rule (full path):
    [%FILE%: C:\Windows\System32\GWX\*]

Right now the exception rule always takes precedence over the block rule, so GWX.exe is executed, but IMO it shouldn't be.
Thanks
     
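The block/exclusion syntax from the ransomware ruleset above and the rule-priority question in this post, as an added example that is not SOB's own code: a small Python model of the matcher, assuming each bracketed condition is ANDed, `*` is a wildcard, and (as observed in the thread) any matching exclusion overrides a block rule, beside a most-specific-wins policy that would block GWX.exe. The environment values, the alias handling of %PROCESS%/%FILE% and %PUBLISHER%/%FILEPUBLISHER%, and the specificity measure are assumptions.

```python
import fnmatch
import re
# Constructed environment for variable expansion (SOB reads the real values from the host).
ENV = {"%TEMP%": r"C:\Users\alice\AppData\Local\Temp", "%WINDOWS%": r"C:\Windows",
       "%APPDATA%": r"C:\Users\alice\AppData\Roaming", "%LOCALAPPDATA%": r"C:\Users\alice\AppData\Local",
       "%PROGRAMFILES%": r"C:\Program Files", "%PCUSERNAME%": "alice"}
COND_RE = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")   # one "[%KEY%: value]" condition
PATH_KEYS = {"PROCESS", "FILE", "PARENTPROCESS"}

def parse_rule(text):
    """Split a rule line into (KEY, pattern) pairs with the %VARIABLES% expanded."""
    conds = []
    for key, value in COND_RE.findall(text):
        for var, real in ENV.items():
            value = value.replace(var, real)
        conds.append((key, value))
    return conds

def make_event(path, parent="", publisher=""):
    # %PROCESS%/%FILE% and %PUBLISHER%/%FILEPUBLISHER% are treated as aliases (assumption; the thread mixes them).
    return {"PROCESS": path, "FILE": path, "PARENTPROCESS": parent,
            "PUBLISHER": publisher, "FILEPUBLISHER": publisher}

def matches(rule, event):
    """All conditions of a rule must hold (AND); '*' is a wildcard and matching ignores case."""
    return all(fnmatch.fnmatchcase(event.get(k, "").lower(), p.lower()) for k, p in rule)

def specificity(rule):
    """Assumed measure for the proposed policy: length of the literal path prefix before the first '*'."""
    return max((len(p.split("*")[0]) for k, p in rule if k in PATH_KEYS), default=0)

def decide(event, block_rules, exclusions, policy="exclusion_first"):
    hits_block = [r for r in block_rules if matches(r, event)]
    hits_excl = [r for r in exclusions if matches(r, event)]
    if not hits_block:
        return "allow"                       # behavioral mode: nothing blocks it
    if policy == "exclusion_first":          # what the thread observes: any matching exclusion wins
        return "allow" if hits_excl else "block"
    # "most_specific": the longest literal path prefix decides, as the prioritisation request asks
    best_excl = max((specificity(r) for r in hits_excl), default=-1)
    return "allow" if best_excl > max(specificity(r) for r in hits_block) else "block"

# Rules quoted from the thread and constructed events: GWX.exe passes today, Dropbox is allowed under both
# policies, and an unsigned binary at Dropbox's path is blocked by the publisher condition.
BLOCK = [parse_rule(r) for r in (r"[%PROCESS%: %APPDATA%*]", r"[%FILE%: C:\Windows\System32\GWX\*]")]
EXCL = [parse_rule(r) for r in (
    r"[%PROCESS%: %WINDOWS%*] [%FILEPUBLISHER%: Microsoft Corporation]",
    r"[%PROCESS%: %APPDATA%\Dropbox\bin\Dropbox.exe] [%FILEPUBLISHER%: Dropbox, Inc.]")]
GWX = make_event(r"C:\Windows\System32\GWX\GWX.exe", publisher="Microsoft Corporation")
DROPBOX = make_event(r"C:\Users\alice\AppData\Roaming\Dropbox\bin\Dropbox.exe", publisher="Dropbox, Inc.")
UNSIGNED = make_event(r"C:\Users\alice\AppData\Roaming\Dropbox\bin\Dropbox.exe")
```

Calling `decide(GWX, BLOCK, EXCL)` returns "allow" while `decide(GWX, BLOCK, EXCL, "most_specific")` returns "block", which is the difference the prioritisation request is about.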
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
The silence has been deafening lately, which can only mean one thing if normal trends are true to form: Andreas is about to drop another new modified version at any time.

Anyone who knows me from XP days also knows my unorthodox manner of "piling it on" like I used to do with HIPS. If the system can stand it, I simply cannot wait to combine BOTH SOB + Bouncer in tandem. I know that will demand some careful, very fine tuning at its best, but if the resources and compatibility can work without serious interruptions or burps, that's the goal here.
     
  23. TestPersonX

    TestPersonX Registered Member

    Joined:
    Jul 13, 2009
    Posts:
    39
    Location:
    Germany
Did anybody already find a good exclude rule to still be able to run Google Drive?
Unfortunately it runs some Python scripts and Python DLLs from the user's Temp folder.

And I guess they are NOT signed by Google itself.
So I wonder what's a good way to allow it, but not allow too much.

    EDIT: I did it like this - what do you think, is it safe to use?

    // Google Drive runs Python from Temp, so Parent Process is allowed to Run DLLs
    [%FILE%: %TEMP%\_MEI*\*.dll] [%PARENTPROCESS%: C:\Program Files (x86)\Google\Drive\googledrivesync.exe]
    [%FILE%: %TEMP%\_MEI*\*.pyd] [%PARENTPROCESS%: C:\Program Files (x86)\Google\Drive\googledrivesync.exe]
     
    Last edited: Jan 17, 2016
  24. guest

    guest Guest

    Any news here ? it's been a while...
     
  25. TestPersonX

    TestPersonX Registered Member

    Joined:
    Jul 13, 2009
    Posts:
    39
    Location:
    Germany
Yes, indeed. I have also mailed them some suggestions, which they wanted to implement, but I haven't heard anything since :-(
I somehow feel bad about using a dead application.
     