Smart Object Blocker (Block EXE, DLL, Drivers)

Discussion in 'other anti-malware software' started by novirusthanks, Jul 29, 2015.

  1. No GUI, but great granular control. Smart Object Blocker, for example, puts an end to the discussion of whether or not to sandbox Chrome with Sandboxie; the answer is post #38: ad hoc protection for both on-line banking and dodgy browsing.
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Did you first install this in VM Ware or another sandbox?
     
  3. No, on my play Windows 7 image. After upgrading to Windows 10, WildByDesign reported that the issues on Win 10 were solved, so I added it to my main image (now Windows 10 Pro).
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Released a new version v1.1:
    http://downloads.novirusthanks.org/files/SmartObjectBlocker_Setup.exe

    The issue #post-2511281 should be fixed.

    Added many new path variables (see Variables.txt) and %SHAHASH% for SHA256 file hash.

    @boredog

    Is it possible that there is a security app that is blocking SmartObjectBlocker.exe from injecting DLLs or loading drivers?
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Wow. Thanks is about all I can add to this at the moment. Checking it out and many thanks for the new update!
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    If I want to make a rule that does not allow Firefox to spawn child processes, is the following rule correct? How is a rule distinguished as a block rule vs. an allow rule in the ini file? There's going to be a learning curve for me in setting up SOB. I will have to learn it as I go along.
    [%PARENT%: *\firefox.exe]
    [%PROCESS%: *]
     
  7. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    So, from what I understood, your answer here is: don't sandbox Chrome (with its enabled, built-in sandbox) with Sandboxie, i.e. don't run Chrome and its own built-in sandbox inside Sandboxie at all (because Sandboxie removes Chrome's sandbox's job restrictions and integrity levels, allowing child processes to be started; like Safeguy said, it's the restrictions, the permissions and the privileges where the true sandboxing architecture gets its security from, which is why the two sandboxes conflict), which decreases the level of Chrome's own built-in sandbox protection, but use Smart Object Blocker instead?

    One question, WS: how do I know that configuration will disable loading of my other browsers like Firefox, IE, Opera, etc.?
    How do I know my Windows would load at all?
    I'm asking you that because I'm pretty scared of using security and protection solutions like these, since they work at kernel level and can easily mess up Windows if you don't know what to configure and how to configure it in the first place!
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I hope that this will not become another thread about Sandboxie.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Does anyone care to share basic config rules with everything necessary for Windows 8? I can handle the rest with time :)
     
  10. @CoolWebSearch

    My answer was every man to his own. Yes, SBIE has extra code (the attack surface argument), but that is mostly directed at preventing side-by-side intrusion (so it can't be all bad). But for me, I did not use SBIE because it changes the Integrity Level (which is part of the Chrome sandbox), disables the one-process job object restriction (also part of the Chrome sandbox) and has a mechanism to control messaging/inter-process communication (which technically means that it opens a door to bypass the third part of Chrome's sandbox, the alternate desktop).

    The nice thing about Smart Object Blocker (SOB) is that it monitors the loading of executable objects into memory: it does not touch the Integrity Level, the job object or the alternate desktop. It can be used in Behavioral mode, to use it on demand. When you close/exit SOB, all restrictions are removed again.

    @EASTER

    When you look at post #38, I followed a simple strategy: create a block-all rule, with an exclude rule to control what is allowed to start (when using SOB on demand for Chrome). In #38 I first start SOB, then run Chrome. With SOB I am certain that the broker process is not allowed to start any other process (the broker does not have the job object restriction as far as I know), and I am sure Chrome only consists of Google- and Microsoft-signed DLLs (and drivers).

    Block Rules example (DLL & DRIVERS)
    FILE applies to drivers and DLLs; it is all in the readme that comes with the installer

    [%FILE%: *] blocks all (lock out)
    [%FILE%: C:\Users\*] blocks Users folders and all subfolders

    Exclude Rules (example)
    To compensate for the block-all (I use it on demand in Behavioral mode), I added a rule to allow system processes
    [%FILE%: %WINDOWS%*] [%PUBLISHER%: Microsoft Corporation] this allows only Microsoft-signed DLLs/drivers to run from the Windows folder

    [%FILE%: %PROGRAMFILES%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc.] This allows only Google-signed drivers and DLLs to run from the directory where I installed Chrome

    Block Rules examples (PROCESS)
    [%PROCESS%: *] Blocks startup of all processes
    [%PROCESS%: %TEMP%*] Blocks startup of all processes in the temporary folder
    [%PROCESS%: D:\*] Blocks startup of all processes on the D: partition

    [%PARENT%: *\chrome.exe] Restricts Chrome from launching other processes (but the Chrome broker can still start its renderer processes, which are also called chrome.exe) from any location (*\ prefix).

    Exclude Rules (example)
    To compensate for the block-all, I allow signed processes from the Chrome installation folder (and system processes in Windows signed by Microsoft)
    [%PROCESS%: %WINDOWS%*] [%PUBLISHER%: Microsoft Corporation]
    [%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc.]


    So in Behavioral mode I first locked down the system to a level at which I locked myself out, then opened holes for trusted processes to make Chrome load without blocking unwanted processes (they are displayed in the log). When you want to add a process, just add it to the exclude rules. Made a mistake? Just close SOB and you're back to normal.

    Application Ideas (adding Exclude Rules)
    - check all your installed programs in the Program Files folder, and either allow them by hash or by publisher, e.g. add a FILE and PROCESS exclude for CCleaner (allows only Piriform-signed processes and DLLs to start from the CCleaner folder).
    [%PROCESS%: %PROGRAMFILES%\CCleaner\*] [%PUBLISHER%: Piriform Ltd]
    [%FILE%: %PROGRAMFILES%\CCleaner\*] [%PUBLISHER%: Piriform Ltd]

    and same for SyncBackFree
    [%PROCESS%: %PROGRAMFILES%\SyncBackFree\*] [%PUBLISHER%: 2BrightSparks Pte Ltd]
    [%FILE%: %PROGRAMFILES%\SyncBackFree\*] [%PUBLISHER%: 2BrightSparks Pte Ltd]

    and same for SumatraPDF
    [%PROCESS%: %PROGRAMFILES%\SumatraPDF\*] [%PUBLISHER%: Krzysztof Kowalczyk]
    [%FILE%: %PROGRAMFILES%\SumatraPDF\*] [%PUBLISHER%: Krzysztof Kowalczyk]

    Enumerate all your installed programs, and use your old HIPS rulesets from XP times as inspiration :thumb: Easter going granular again on an x64 OS :), you can use Secure Folders to restrict access to data, and WildByDesign mentioned SOB works together with Bouncer, so have fun. :D


    Regards Kees
     
    Last edited by a moderator: Aug 3, 2015
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Could not thank you any more for driving those excellent security points straight home Kees
     
  12. guest

    guest Guest

    I think I will wait for a GUI-stable version before using it on my laptop's real system, but the VM is ready :D

    (I may install it on the real system once I have domesticated it ;) )

    I'm still happy with ERP anyway; I hope both will be merged.

    anyway good job Andreas.
     
  13. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    With my setup, I'm getting this block... is this OK?

    [8/3/2015 6:59:43 AM] Blocked Process: \?\C:\Windows\system32\wbem\WMIADAP.EXE
    Rule: [Not in Lockdown Mode Allowed Database]
    Command Line: wmiadap.exe /F /T /R
    Process Id: 2800
    Parent Process Id: 944
    Parent Process: C:\Windows\system32\svchost.exe
     
  14. guest

    guest Guest

    Played a bit with it; Lockdown is quite strong indeed, it blocks everything lol
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @WildByDesign

    I would use the first one:

    Code:
    [%FILE%: %LOCALAPPDATA%\Temp\????????-????-????-????-????????????\*]
    
    I generally use * where the string length may vary, but in your case the string length of that folder is always the same.

    @Cutting_Edgetech

    Yes, this rule makes sure Firefox does not spawn other processes (all on one line):

    [%PARENT%: *\firefox.exe] [%PROCESS%: *]

    Then you can use Exclude\Process.DB to handle exclusions (if needed).

    @EASTER

    Later or tomorrow I will share a configuration that I am using in few PCs.

    @Windows_Security

    Thanks for the great and detailed explanation :)

    @Infected

    You should allow that system process, add this in Allow\Process.DB:

    [%PROCESS%: %SYSTEM%\wbem\WMIADAP.EXE]

    Let me know if that works.

    @guest

    Yes, very important to allow important files when in Lockdown Mode :)

    By default all system and safe DLLs are auto-loaded.
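    As an added illustration (this is not SOB's own code, nor anything posted by novirusthanks or Kees), here is a small Python model of the rule lines quoted in #10 and #15 and of the WMIADAP launch logged in #13: block rules plus exclude rules, the `*` and `?` wildcards, and `%VARIABLE%` path expansion. Everything it assumes is labelled in the code: the expansions of `%WINDOWS%`, `%SYSTEM%`, `%PROGRAMFILES%`, `%LOCALAPPDATA%` and `%TEMP%` (with an invented user name), that paths match case-insensitively, that a matching exclude rule wins over any block rule (the "block all, then punch holes" strategy from #10), that an event nothing matches is not blocked, and the event dictionaries themselves, which are constructed samples rather than SOB log output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed expansions of SOB's path variables for a stock install on C:.
# The user name in %LOCALAPPDATA%/%TEMP% is invented for the sample events.
VARIABLES = {
    "%WINDOWS%": r"C:\Windows",
    "%SYSTEM%": r"C:\Windows\system32",
    "%PROGRAMFILES%": r"C:\Program Files",
    "%LOCALAPPDATA%": r"C:\Users\kees\AppData\Local",
    "%TEMP%": r"C:\Users\kees\AppData\Local\Temp",
}

# One rule line is one or more "[%KEY%: value]" groups; all of them must match.
TOKEN = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Expand %VARIABLES% and translate the wildcards used in the thread:
    '*' = any run of characters (possibly empty), '?' = exactly one character."""
    for var, value in VARIABLES.items():
        pattern = pattern.replace(var, value)
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)  # assumed case-insensitive


class Rule:
    def __init__(self, line: str):
        self.line = line.strip()
        self.conditions = {key.upper(): wildcard_to_regex(value.strip())
                           for key, value in TOKEN.findall(self.line)}
        if not self.conditions:
            raise ValueError(f"not a rule line: {line!r}")

    def matches(self, event: Dict[str, str]) -> bool:
        # A key the event lacks (e.g. no PUBLISHER on an unsigned file) never matches.
        return all(key in event and rx.match(event[key]) is not None
                   for key, rx in self.conditions.items())


def load_rules(text: str) -> List[Rule]:
    return [Rule(line) for line in text.splitlines() if line.strip()]


def decide(event: Dict[str, str], block: List[Rule], exclude: List[Rule]) -> Tuple[str, Optional[str]]:
    """Verdict for one load/start event: ('allowed'|'blocked', matching rule line or None)."""
    for rule in exclude:              # assumption: a matching exclude rule wins
        if rule.matches(event):
            return "allowed", rule.line
    for rule in block:
        if rule.matches(event):
            return "blocked", rule.line
    return "allowed", None            # assumption: nothing matched -> not blocked


# Rule lines quoted in the thread (post #10, plus the Firefox rule from #15).
BLOCK_RULES = load_rules(r"""
[%FILE%: *]
[%PROCESS%: *]
[%PARENT%: *\chrome.exe]
[%PARENT%: *\firefox.exe] [%PROCESS%: *]
""")

EXCLUDE_RULES = load_rules(r"""
[%FILE%: %WINDOWS%*] [%PUBLISHER%: Microsoft Corporation]
[%FILE%: %PROGRAMFILES%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc.]
[%PROCESS%: %WINDOWS%*] [%PUBLISHER%: Microsoft Corporation]
[%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc.]
""")

# Constructed sample events (not SOB log output); keys mirror the rule variables.
EVENTS = {
    # the svchost -> WMIADAP launch from post #13, here with its signer known
    "wmiadap": {"PROCESS": r"C:\Windows\system32\wbem\WMIADAP.EXE",
                "PARENT": r"C:\Windows\system32\svchost.exe",
                "PUBLISHER": "Microsoft Corporation"},
    # Chrome broker starting a renderer, which is also chrome.exe
    "renderer": {"PROCESS": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "PARENT": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "PUBLISHER": "Google Inc."},
    # unsigned DLL dropped into a GUID-named temp folder
    "temp_dll": {"FILE": r"C:\Users\kees\AppData\Local\Temp\a1b2c3d4-e5f6-7a8b-9c0d-e1f2a3b4c5d6\helper.dll"},
    # Firefox launching a Microsoft-signed shell
    "ff_cmd": {"PROCESS": r"C:\Windows\System32\cmd.exe",
               "PARENT": r"C:\Program Files\Mozilla Firefox\firefox.exe",
               "PUBLISHER": "Microsoft Corporation"},
}


def run_all() -> Dict[str, str]:
    """Verdict per sample event under the block + exclude rule sets above."""
    return {name: decide(ev, BLOCK_RULES, EXCLUDE_RULES)[0] for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, ev in EVENTS.items():
        verdict, rule = decide(ev, BLOCK_RULES, EXCLUDE_RULES)
        print(f"{name:9} {verdict:7} {rule or '(no rule matched)'}")
```

    The case worth noticing is `ff_cmd`: under the assumed precedence, the broad `[%PROCESS%: %WINDOWS%*] [%PUBLISHER%: Microsoft Corporation]` exclude lets Firefox start cmd.exe even though the parent rule from #15 is in the block list, because the exclude matches first. Only with the parent rule alone (no publisher-based exclude) does the model block it. Before relying on a parent rule together with publisher excludes, check in SOB's readme how it actually orders Exclude\Process.DB against the block rules; if it evaluates them the other way round, the model's verdict for that case is wrong.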
     
  16. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    Ok, added it, thanks. I'll let you know.
     
  17. Smart Object Blocker has near zero impact on my system (G3240 Pentium). There is always a 10%-15% variance between AppTimer runs.

    C:\Program Files\Google\Chrome\Application\chrome.exe - 5 executions
    0.5089
    0.4988
    0.5035
    0.4915
    0.5011
    N=0.5

    C:\Program Files\Google\Chrome\Application\chrome.exe - 5 executions with Chrome Sandbox as in Post #38
    0.5669
    0.5760
    0.5563
    0.5966
    0.5476
    N=0.57

    I suggest a name change: lean & smart object blocker (abbreviation LSOB sounds better than SOB) :)
     
  18. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Lean & Mean Smart Object Blocker
     
  19. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    I agree with this also, FWIW
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Thank you, sir.

    Would you consider adding either a command line argument or a option in the settings ini file that would allow the UI to automatically minimize when it starts? That way it would essentially just go straight to showing only the tray icon in the system tray as the UI would be minimized to tray at start with this particular option enabled. This would be more for users who want to have SOB start with Windows.

    EDIT: I also wanted to mention that SHA256 hashing is working wonderfully. Keep up the great work.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I have to agree with this. Would have loved to see this in ERP.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Ok, thank you Andreas!
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Kees, thanks for all the sample rules you have been providing!
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    NVT

    I am not getting any alerts from any of my security software. The only time Quietzone interferes is if I have to install a program and restart because it deletes all changes to all disks.
    I am running Windows Home 10 now.

    I have Norton security 2015
    Malwarebytes Anti-Malware
    Malwarebytes Anti-Exploit
    Adguard
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    OK, I looked at Norton's logs and it is not only blocking SOB but also some processes of Adguard and Malwarebytes.
     