Smart Object Blocker (Block EXE, DLL, Drivers)

Discussion in 'other anti-malware software' started by novirusthanks, Jul 29, 2015.

  1. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    OK found the culprit.

    Even though Norton blocks some program processes, I tried installing it without Quietzone enabled and it went fine. That worries me as to why. If I understand Quietzone right, it would only do that if you are trying to make a permanent change to the hard drive, one that cannot normally be reversed?
     
  2. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    994
    I'm still getting this block.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    If I remember correctly from your previous PM, that was specifically a command line blockage. Oddly, the rules (including what NVT suggested) should be working and allow that command line. It's possible that it could be a bug. I will look into this a bit more and let you know if I can make sense out of it.
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Infected
    Maybe try something like this in Allow\Process.DB:

    Code:
    [%CMDLINE%: wmiadap.exe /F /T /R]
    Or
    Code:
    [%CMDLINE%: \?\C:\Windows\system32\wbem\WMIADAP.EXE]
    EDIT:

    Or (if all else fails)
    Code:
    [%CMDLINE%: *wmiadap.exe*]
    Hopefully this may help until Andreas can figure it out for you.
     
  5. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    994
    Thanks again. I'll give it a try in the morning.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)
    Ready when you are :thumb:
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    Released a new version v1.1:
    http://downloads.novirusthanks.org/files/SmartObjectBlocker_Setup.exe

    Issue #63 should be fixed (the \?\ before the file path).

    New object variables:

    Some Block\Processes.DB simple rules (already implemented) to:

    - Block Cryptowall bcdedit/vssadmin executions:

    Code:
    [%CMDLINE%: *vssadmin*Delete*Shadows*/All*/Quiet*]
    [%CMDLINE%: *bcdedit*/set*recoveryenabled* No*]
    [%CMDLINE%: *bcdedit*/set*bootstatuspolicy*ignoreallfailures*]
    [%CMDLINE%: *bcdedit*-set*loadoptions*DDISABLE_INTEGRITY_CHECKS*]
    [%CMDLINE%: *bcdedit*/deletevalue*safeboot*/set*safebootalternateshell*false*]
    
    - Block TROJ_POWELIKS.A https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POWELIKS.A:

    Code:
    [%CMDLINE%: *rundll32*javascript:*]
    [%CMDLINE%: *rundll32*;*eval*(*]
    
    - Block Rundll32 from loading .exe files:

    Code:
    [%CMDLINE%: *rundll32*Shell32.dll*Control_RunDLL*\*.exe*]
    
    - Block Javaw.exe from spawning processes in temp folder:

    Code:
    [%PROCESS%: %TEMP%\*] [%PARENTPROCESS%: *\javaw.exe]
    
    @Infected

    Now the rule:

    [%PROCESS%: %SYSTEM%\wbem\WMIADAP.EXE]

    Should work fine.

    @boredog

    Probably Quietzone blocks SOB from loading the kernel-mode driver or from placing it in the system folder?

    @WildByDesign

    You can now use the parameter "-hidegui" to not show the main form on startup, example "SmartObjectBlocker.exe -hidegui".

    @EASTER

    I have updated the rules on Allow\ folder to auto allow processes, dlls, drivers located in:
    C:\WINDOWS\*
    C:\Program Files\*
    C:\Program Files (x86)\*

    You need to edit Configuration.ini and set:

    Code:
    Type = Lockdown
    
    Then restart SOB. With these rules, all the rest is blocked automatically. It is important to always run web browsers, PDF readers, media players, etc. with low privileges, so their processes don't have permission to drop a PE file in the WINDOWS and Program Files folders. This basic configuration is what I use on two VMs with Windows 7 64-bit OS.
     
    Last edited: Aug 6, 2015
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)
    Got it!!!! Thanks :)

    Pretty tight! NV-ERP, which I also run, alerts (luv the alerts) but pressing ALLOW yields no launch.
     
    Last edited: Aug 6, 2015
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)
    I am having a problem with what should be a simple rule for this but can't seem to nail down the right set of variables. Everything in lockdown mode works fine in the (Block Rules) DB, but I have yet to come to grips with this single folder.

    C:\Windows\Temp

    This is the local variable to get there on my Windows 8: %windir%\temp

    But in lockdown mode, using several different scenarios, the exe inside it that I test with always launches unrestricted. Maybe it's a simple matter.

    Anyone? This [%PROCESS%: %WINDIR%\temp*] does not work.
     
    Last edited: Aug 6, 2015
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @EASTER Are you intending to block all within C:\Windows\Temp?

    [%PROCESS%: %WINDIR%\temp*]
    Possibly missing a backslash after temp?
    Code:
    [%PROCESS%: %WINDIR%\temp\*] 
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)
    [%PROCESS%: %WINDIR%\TEMP\*]
    No change. Thanks for replying and trying. I went through a whole plethora of different variables, and I know if Secure Folders can block that folder, SOB can too. I'm on Windows 8 OEM 64-bit FWIW, with no upgrades. Just standard. Weird glitch for me.
     
    Last edited: Aug 6, 2015
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @EASTER We may have to wait to hear from Andreas. It could be that the Allow rule for C:\Windows\* could very well be overriding and taking priority over the Block rule within that directory for C:\Windows\Temp\* (%WINDIR%\TEMP\*) and is therefore allowing all. This could be a problem because generally with anti-exec programs, Block rules should take priority.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)
    Your reply echoes exactly what crossed my mind on that very thing. It's important IMHO that every TEMP landing avenue have a precaution in place, and no doubt this is one Andreas will easily have the answer for.

    I found it odd that in Lockdown Mode the other Temp areas for example APPDATA + SYSDIR Temp folders are solidly covered but the Windows Directory Temp escapes for now.
     
    Last edited: Aug 6, 2015
  14. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    379
    Location:
    router
    @novirusthanks
    Can you write a tool like this http://code.kliu.org/hashcheck/ to generate rules for SOB?
    The tool would generate mixed rules with these options: %PROCESS% %FILE% %SHAHASH% %PUBLISHER%
    and also search only for executable files,
    so the rules are easily created.
     
  15. Because the SecureFolders website is down and NVT is very active on Wilders (Bouncer communication on Wilders thanks to WildByDesign), I made a new Safe Admin setup for Windows 10, using only freeware with SmartObjectBlocker.

    It would be great (AppLocker on steroids) if in Lock Down mode the priority sequence were:
    - Exclude rules have priority over Block rules, and Block rules have priority over Allow rules.
    - Like AppLocker, SOB would get an option to extract the digital signature and hash out of an executable or DLL.
     
    Last edited by a moderator: Aug 7, 2015
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)
    Well for the time being it's but a small matter for me to fire up ole Secure Folders and block /Windows/Temp solid. I know it must be something in the wildcard or variable that prevents SOB from also covering that folder. Weird.
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
    @novirusthanks
    Could you write a program similar to SecureFolders? Some Wilders' people invited the dev to join including me but he/she never did.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Another possibility here would be to give yourself more granular control over your Windows directory.

    Allowed\DLL.DB and also Allowed\Driver.DB
    Code:
    [%FILE%: %WINDIR%\Temp\??_?????.tmp\setup.exe]
    [%FILE%: %WINDIR%\Temp\????????-????-????-????-????????????\*]
    [%FILE%: %WINDIR%\Temp\{????????-????-????-????-????????????}\*]
    [%FILE%: %WINDIR%\Temp\DPTF\*]
    [%FILE%: %WINDIR%\AppPatch\*]
    [%FILE%: %WINDIR%\assembly\*]
    [%FILE%: %WINDIR%\Branding\*]
    [%FILE%: %WINDIR%\ImmersiveControlPanel\*]
    [%FILE%: %WINDIR%\Installer\*]
    [%FILE%: %WINDIR%\Microsoft.NET\*]
    [%FILE%: %WINDIR%\servicing\*]
    [%FILE%: %WINDIR%\SoftwareDistribution\*]
    [%FILE%: %WINDIR%\System32\*]
    [%FILE%: %WINDIR%\SystemApps\*]
    [%FILE%: %WINDIR%\SysWOW64\*]
    [%FILE%: %WINDIR%\twain_32\*]
    [%FILE%: %WINDIR%\WinStore\*]
    [%FILE%: %WINDIR%\WinSxS\*]
    [%FILE%: %WINDIR%\explorer.exe]
    [%FILE%: %WINDIR%\notepad.exe]
    [%FILE%: %WINDIR%\splwow64.exe]
    [%FILE%: %WINDIR%\Temp\MPGEAR.DLL]
    [%FILE%: %WINDIR%\Temp\MPENGINE.DLL]
    [%FILE%: %WINDIR%\Temp\???????.tmp\*]

    Allowed\Process.DB
    Code:
    [%PROCESS%: %WINDIR%\Temp\??_?????.tmp\setup.exe]
    [%PROCESS%: %WINDIR%\Temp\????????-????-????-????-????????????\*]
    [%PROCESS%: %WINDIR%\Temp\{????????-????-????-????-????????????}\*]
    [%PROCESS%: %WINDIR%\Temp\DPTF\*]
    [%PROCESS%: %WINDIR%\AppPatch\*]
    [%PROCESS%: %WINDIR%\assembly\*]
    [%PROCESS%: %WINDIR%\Branding\*]
    [%PROCESS%: %WINDIR%\ImmersiveControlPanel\*]
    [%PROCESS%: %WINDIR%\Installer\*]
    [%PROCESS%: %WINDIR%\Microsoft.NET\*]
    [%PROCESS%: %WINDIR%\servicing\*]
    [%PROCESS%: %WINDIR%\SoftwareDistribution\*]
    [%PROCESS%: %WINDIR%\System32\*]
    [%PROCESS%: %WINDIR%\SystemApps\*]
    [%PROCESS%: %WINDIR%\SysWOW64\*]
    [%PROCESS%: %WINDIR%\twain_32\*]
    [%PROCESS%: %WINDIR%\WinStore\*]
    [%PROCESS%: %WINDIR%\WinSxS\*]
    [%PROCESS%: %WINDIR%\explorer.exe]
    [%PROCESS%: %WINDIR%\notepad.exe]
    [%PROCESS%: %WINDIR%\splwow64.exe]
    [%PROCESS%: %WINDIR%\Temp\MPGEAR.DLL]
    [%PROCESS%: %WINDIR%\Temp\MPENGINE.DLL]
    [%PROCESS%: %WINDIR%\Temp\???????.tmp\*]
    In this method, what is allowed here within C:\Windows and also C:\Windows\Temp is allowed to execute, while anything not specifically listed here is blocked automatically. So you have control over what is allowed or not allowed within Temp and also Windows. This should also alleviate the problem that you are currently having at the same time. If you want nothing at all to run within C:\Windows\Temp, simply delete those lines. But these are based on a Windows 10 x64 system, so some of these may vary from your system. I imagine Windows 8.x would be very similar.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I have SOB in Lockdown Mode with protection disabled. I have the logging enabled. Shouldn't SOB still log if something would have been blocked if the protection was enabled? It is not working for me.

    Edit: Below are my settings.
    [Mode]
    Type = Lockdown
    ProtectionDisabled = y

    [Settings]
    BlockRulePath = %CURDIR%\Block
    AllowRulePath = %CURDIR%\Allow
    ExcludeRulePath = %CURDIR%\Exclude
    LogEventsToFile = y
    LogEventsPath = %CURDIR%\Logs
     
  20. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    @Cutting_Edgetech

    When the protection is disabled, SOB does not log any event.

    From your configuration I see you have set it to disable the protection: "ProtectionDisabled = y".

    For the changes to take effect, SOB needs to be restarted.

    @Mister X

    Yes, it can be done; I can keep you updated on this in the next weeks.

    @Windows_Security

    Thanks for recommending SOB, you're doing an awesome job (checked also the other threads) :)

    We will add a new file in the \Exclude\ folder named Exlude-Allow.DB that handles exclusions for Lockdown.

    As of now, if you set SOB in Lockdown it only uses these rules:

    Allow\Process.DB
    Allow\DLL.DB
    Allow\Driver.DB

    And if you set it to Behavioral it only uses these rules:

    Block\Process.DB
    Block\DLL.DB
    Block\Driver.DB
    Exclude\Exclude.DB

    We'll add Exclude also for Lockdown (Allow rules) in the next build.

    @co22

    Probably yes, I'll keep you updated here.
     
    Last edited: Aug 7, 2015
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
    Thank you very much :thumb:
     
  22. @novirusthanks

    When using -hidegui I ran into a possible bug: when SOB has blocked something and the icon changes, it does not respond to the icon options (show GUI or exit).

    Could it also be possible to have variables for all users (C:\Users) and the current user (C:\User\Name)?

    Regards Kees
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)

    @WildByDesign

    By golly, you're a master! Thanks a ton. Along with the nice granularity choices, it also completely solved the C:/Windows/Temp escape I was experiencing.

    Many Thanks!

    Here is the proof!!

    [8/7/2015 9:48:33 PM] Blocked Process: C:\Windows\Temp\AUserAssistView.exe
    Rule: [Not in Lockdown Mode Allowed Database]
    Command Line: C:\Windows\Temp\AUserAssistView.exe
    Process Id: 4488
    Parent Process Id: 2720
    Parent Process: C:\windows\Explorer.EXE
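To make the rule semantics discussed in this thread concrete (clauses on one line are ANDed, `*` and `?` are wildcards, and in Lockdown only the Allow databases are consulted, which is why the broad C:\WINDOWS\* allow rule lets C:\Windows\Temp\AUserAssistView.exe run until the granular list replaces it), here is a small Python simulator. It is an added example, not SOB's own code; the variable expansions, the constructed events, and fnmatch-style glob matching are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Assumed expansions for SOB's path variables (constructed for this example).
VARS = {"WINDIR": r"C:\Windows", "SYSTEM": r"C:\Windows\System32",
        "TEMP": r"C:\Users\Kees\AppData\Local\Temp"}
CLAUSE = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")

def parse_rule(line):
    """Split one rule line into (object, glob) clauses; clauses on a line are ANDed."""
    clauses = []
    for obj, pat in CLAUSE.findall(line):
        pat = re.sub(r"%(\w+)%", lambda m: VARS.get(m.group(1).upper(), m.group(0)), pat)
        clauses.append((obj.upper(), pat.strip().lower()))  # Windows paths: case-insensitive
    return clauses

def rule_matches(rule, event):
    """event maps PROCESS/CMDLINE/PARENTPROCESS to strings; '*' and '?' are glob wildcards."""
    return all(fnmatchcase(event.get(obj, "").lower(), pat) for obj, pat in rule)

def evaluate(mode, allow, block, event):
    """Lockdown consults only Allow rules; Behavioral only Block rules (Exclude omitted)."""
    if mode == "Lockdown":
        if any(rule_matches(parse_rule(r), event) for r in allow):
            return "allowed"
        return "blocked: [Not in Lockdown Mode Allowed Database]"
    for r in block:
        if rule_matches(parse_rule(r), event):
            return "blocked: " + r
    return "allowed"

# Constructed events: the process from the log above and a shadow-copy deletion command line.
TEMP_EXE = {"PROCESS": r"C:\Windows\Temp\AUserAssistView.exe",
            "CMDLINE": r"C:\Windows\Temp\AUserAssistView.exe",
            "PARENTPROCESS": r"C:\windows\Explorer.EXE"}
VSS_CMD = {"PROCESS": r"C:\Windows\System32\cmd.exe",
           "CMDLINE": "cmd /c vssadmin Delete Shadows /All /Quiet"}
BROAD_ALLOW = [r"[%PROCESS%: C:\WINDOWS\*]", r"[%PROCESS%: C:\Program Files\*]"]
GRANULAR_ALLOW = [r"[%PROCESS%: %WINDIR%\System32\*]", r"[%PROCESS%: %WINDIR%\explorer.exe]",
                  r"[%PROCESS%: %WINDIR%\Temp\???????.tmp\*]"]
BLOCK = [r"[%CMDLINE%: *vssadmin*Delete*Shadows*/All*/Quiet*]",
         r"[%PROCESS%: %TEMP%\*] [%PARENTPROCESS%: *\javaw.exe]"]

def demo():
    return {"broad": evaluate("Lockdown", BROAD_ALLOW, [], TEMP_EXE),
            "granular": evaluate("Lockdown", GRANULAR_ALLOW, [], TEMP_EXE),
            "vss": evaluate("Behavioral", [], BLOCK, VSS_CMD)}
```

Calling demo() shows the Temp executable allowed under the broad rule set, blocked under the granular one, and the vssadmin command line caught by the Behavioral block rule.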
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I did restart SOB, but I assumed SOB would log events when disabled that would be blocked if SOB was enabled. I highly suggest adding logging functionality for when SOB is disabled. This would be very useful to make sure the user has properly configured SOB so that it does not block critical files in Lockdown Mode. The user could run SOB disabled first, and check the logs to make sure they have SOB configured properly for their system.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)
    @novirusthanks

    More welcome news indeed.

    Personally, I've been working overtime to fine-tune those DB files with variables/wildcards as best as can be expected, and while at times it seems daunting, so far I've been stringing things together, howbeit after some careful effort, but it's very well worth the time. Looking extremely promising!
     