Smart Object Blocker (Block EXE, DLL, Drivers)

Discussion in 'other anti-malware software' started by novirusthanks, Jul 29, 2015.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    Perfect, I could reproduce your behaviour now.

    Will upload a new build in a few, thanks for the additional information.
     
  2. Thx, a year ago I sugested to combine a few of your tools. All the people which are advocates of your software disagreed, the GUI would become to complex. Have to compliment you with this solution. I will be using it in behavioral mode (as an extra container around vulnarable software) :thumb: succes
     
    Last edited by a moderator: Jul 31, 2015
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks Andreas. ERP is like a warm soft slipper. I couldn't give it up.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,577
    Location:
    The Netherlands
    I haven't tested it yet, but it does look interesting, especially because it's able to block drivers and code injection, techniques often used by malware. I do wonder why this was never integrated into ERP.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The possibilities with this are almost endless and the potential power that this driver holds is quite amazing, I must admit. I am excited to give this a try later tonight and I think that together, as a community, we can put together a pretty solid set of configurations. I think that my only wish at this point would be SHA-256 hash instead of MD5. This is pretty awesome, so many filtering options and abilities.
     
  6. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,312
    Location:
    USA
    Thanks Andreas, will check it out!
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)
    Thanks bunches Andreas for this one!, must check it out. I'm also with Peter2150 on ERP so will be using SOB for the other vital coverages.

    Although always expecting a nice useful GUI, no issue making an exception here. :)
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I've put a few hours of testing in so far and enjoying for the most part.
    • Many memory corruption errors on Windows 10 x64, particularly regarding cmd.exe and conhost.exe, happens regardless of protection being enabled or disabled. These are not blockages, just memory corruption error
    • I don't like maintaining 7-8 different configuration (.DB) files. I think that it might be better condensed into one database or maybe 3 at most. But better see what other users think about this and go with whatever the majority prefers
    I will follow development closely but will wait for a more stable release. I am excited to see this program grow.

    EDIT: Also, please consider storing rules/databases within ProgramData folder so that they are not removed when uninstalling the program. That way rules are not lost when upgrading or waiting until next release.
     
    Last edited: Jul 30, 2015
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)
    @WildByDesign

    Hence I always make mention of a simple GUI for establishing settings.

    I dunno, for myself it just seems to help with consolidating via (BROWSE) + *Wildcards automation rather then manually manipulating rules/DB files. Maybe that's a bit much but as I mentioned earlier I can deal with it given the potential benefits.
     
  10. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    I'm with Windows_Security on this. Combining this with ERP would be unbeatable. Would love to see this become ExeRadar(Ultimate) lol.
    None the less. I will watch with interest, see what the future brings.

    regards.
     
  11. With AppLocker the allow and block and exclude are in one command, but that does not make it easier. I don't mind the different modes (lock down or behavioral) with corresponding configuration (allow or block+exclude).

    This type of application is intended for power users and system administrators only. Control through steering tables means no time lost on GUI and SysAdmin tools (to use in coprorate networks). It is a well scoped first viable solution IMO.
     
  12. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Thanks for the release :) Another program to keep an eye on.
     
  13. SmartObjectBlocker in Behavioral mode with protection enabled, running on demand (before start of Chrome).

    This only allows Microsoft and Google executables to run from Windows and Chrome folder, while Chrome broker (parent process) is not allowed to start other processes. Chrome is only allowed to use Flash and PDF plug-in with uBlock extension (whitelisted through GPO). This effectively locks down chrome in kernel.

    Block Rules - DLL
    [%FILE%: *]

    Block Rules - Driver
    [%FILE%: *]

    Block Rules - Process
    [%PARENT%: *\chrome.exe]
    [%PROCESS%: *]

    Exclude Rules
    [%FILE%: %WINDOWS%*] [%PUBLISHER%: Microsoft Corporation]
    [%PROCESS%: %WINDOWS%*] [%PUBLISHER%: Microsoft Corporation]

    [%FILE%: %PROGRAMFILES%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc.]
    [%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc.]
     
    Last edited by a moderator: Aug 2, 2015
  14. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    994
    Do we have to keep this opened and minimized to the task bar for it to keep working?
     
  15. Yes, I guess this will change for final release. But at the moment it is a great ad hoc layer around Chrome's sandbox.
     
  16. I installed keyscrambler as an example how this protects your browser from the system and vice versa with setup of post #38 (keyscrambler dll injection is blocked)

    [31-7-2015 21:06:55] Blocked DLL: C:\Program Files\KeyScrambler\KeyScramblerIE.DLL
    Rule: [%FILE%: *]
    ImageBase: 0x6FEF0000
    EntryPoint: 0x6FF8C5FA
    SizeOfImage: 0x137000
    Process: C:\Program Files\Google\Chrome\Application\chrome.exe
    ProcessId: 2192
    ThreadId: 924

    When you want to allow keyscrambler, just ADD THIS RULE (use installation folder of keyscrambler)
    Exclude Rules
    [%FILE%: %PROGRAMFILES%\KeyScrambler\KeyScramblerIE.DLL
     
    Last edited by a moderator: Aug 2, 2015
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,210
    Location:
    Here
    That seems great for on demand application tightening.
     
  18. hjlbx

    hjlbx Guest

    @novirusthanks

    Unless the product has a usable, understandable GUI - it will appeal only to advanced security soft enthusiasts and script-writing geeks.

    Why not just integrate dll and driver blocking into ERP ? That makes much more sense, since ERP already uses the same monitoring process as SOP.

    INI files, while simplistic from a coding perspective, are way above and beyond what the typical user understands - and more importantly - is willing to tolerate. I hate to say this, but the truth of the matter is that configuring INI files is nothing but a real hassle... not worth the time, effort, frustration and disappointment as I see it - and more importantly, done incorrectly, can smash the system...
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Interesting. Just had SOB running reasonably well with 100% MD5 hash-based rules only, in Lockdown mode. 35,000+ hashes give or take a few. Although it wasn't nearly as efficient as I had expected, it was fun testing. What amazes me the most about this program is the endless possibilities as far as configuration goes. Definitely keeping an eye on this as it develops further.
     
  20. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    Released a new version v1.1:
    http://downloads.novirusthanks.org/files/SmartObjectBlocker_Setup.exe

    As always, uninstall the old SOB version, reboot the PC and install the new version.

    Improved the text file Variables.txt:

    And also Readme.txt, here is a rule to block 16-bit executables:

    [%PROCESS%: *:\WINDOWS\System32\NTVDM*]

    In the next version also the issue reported by @Windows_Security will be fixed.

    @WildByDesign

    This new version should fix all the issues related to the memory corruption errors on Win 10 and Chrome.

    Will be done in the next version. We'll also add support for SHA hash.

    @hjlbx

    Lets wait until the program is stable and then we can discuss about it.

    @Infected

    Now it has a tray icon. If you have the app minimized in the tray icon and an object is blocked, the tray icon changes to a red warning icon so you can double click it to open the GUI and see what was blocked.
     
    Last edited: Aug 2, 2015
  21. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    994
    It seems to be working fine. The only thing is, it doesn't start on it's own and it's blocked by UAC when you want to open it.
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You could consider creating a scheduled task to run at startup with Admin privileges. This should work and also bypass UAC prompt.
     
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    ScreenHunter_02 Aug. 02 10.55.jpg Not sure yet but it doesn't like to be installed and run inside Quietzone.

    I am on Windows 10 64 bit now. I regretfully did the upgrade to 10
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Phenomenal work, Andreas. I can confirm that the memory errors with Windows 10, Chrome, etc. are resolved now.

    Question regarding wildcards (DISM as an example):

    Would I do? (with '?' wildcards to cover individual characters)
    Code:
    [%FILE%: %LOCALAPPDATA%\Temp\????????-????-????-????-????????????\*]
    or? (with * asterisks to cover larger sections)
    Code:
    [%FILE%: %LOCALAPPDATA%\Temp\*-*-*-*-*\*]
    Thank you for your time. :)
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
    +1
    I agree with this. In fact, I would like to test it right now but... oh! the lack of gui.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.