Smart Object Blocker (Block EXE, DLL, Drivers)

Discussion in 'other anti-malware software' started by novirusthanks, Jul 29, 2015.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're very welcome, my please. I am glad that you have that working well now. You can also take that same approach to Program Files and ProgramData if you wanted to lock it down more.

    @novirusthanks I agree 100% with @Cutting_Edgetech here. This can be extremely beneficial for the user to test their rule set initially but also determine what else may need to be added to their rules. So in this case, it would log what would normally be blocked but not actually block.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,582
    Location:
    The Netherlands
    I've checked it out, and without a user friendly GUI it's not my cup of tea. This is the exact same reason why I didn't like Bouncer.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,502
    Location:
    U.S.A. (South)
    I hear your gripe on this end on that Rasheed but maybe novirusthanks will pull off something to meet that expectation too? I know this is a stretch and i'm in no means recommending or suggesting it (or maybe I am ;)) but if I had my way with this I would have a balloon toast option that would rise up from the task area everytime something is logged. I'm just a manic for display details like that :D
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    Thank You. Your always better at describing things better than I.
     
  5. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    do we have a GUI yet?
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,502
    Location:
    U.S.A. (South)
    Lockdown Mode is a dream :cool:

    Gave me fits at first just like anything new but you can safely pinch off a whole lot of potential entry points of crapware with this device, er eh I mean program. Impressive! Thanks novirusthanks and looking forward to see what else is in store for this one.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,582
    Location:
    The Netherlands
    This would be cool, but to be honest, I was hoping to see some improvements to ERP, which is the most impressive app from novirusthanks.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    It could be that Andreas is using this Smart Object Blocker as some sort of "playing ground" to express his latest ideas and potentially test some of these more extensive features before applying those toward ERP. That is my guess anyway, that some of these highly requested features likely could end up in ERP at some point.
     
  9. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    994
    That would be great.
     
  10. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Love to see that happen. I have always been an advocate for NoVirusThanks to combine some of its tools.

    I would even be willing to pay for a yearly subscription for SOB to be part of ERP so that this well deserved company has a stable income. I believe it will not add bloat, but rather complete it, as the foundations already in place to adopt the strengths of SOB.
     
  11. @WildByDesign

    That would make sense. Not providing SmartObjectBlocker with a GUI, would only attrackt specialists and power users. Most power users on this forum tend to play with software (including malware), so that would provide Andreas a source of valuable feedback without the hassle of providing support (SOB not a paid program).

    Translate this feedback into ERP, keep the GUI and options simple and the amount of support given to ERP would reduce also. This would increasing the odds of a favourable business case to maintain ERP. ERP has a user base of advocates and ERP already has an option to add trusted publishers, add program hashes and whitelist directories, so it would make sense what WildByDesign is suggesting.


    @novirusthanks

    When locking down system with a * wildcard in Block Rules, SmartObjectBlocker blocks SwissArmyKnife driver of MBAM. This results in a BSOD (Windows 10) telling that SwissArmyKnife driver is accessing read only memory in an illegal way. This can be a trick of MBAM when scanning for Rootkits to evade being blocked by a active rootkit (by applying a rootkit like trick themselves).

    Flow of events
    A) Install MBAM Premium
    B) Enable rootkit detection
    C) and after some time you will

    Regards Kees
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,582
    Location:
    The Netherlands
    Sounds good to me. I don't mean this in a harsh way, but the key question to me is why Andreas didn't spend his time into integrating these features into ERP, is it perhaps because of technical issues? Was it perhaps easier to write a new program like Smart Object Blocker? Hopefully WildByDesign has already given the correct answer.
     
  13. Reasons
    1. Start with a clean slate
    2. New core defense mechanism

    When core functionality is totally different, it is sometimes easier to re-use older code into new than add new code into existing.

    About the new core defense mechanism, which is only wild speculation on my side

    a) Because Bouncer kicks in earlier (as reported by WildByDesign)
    b) Looking at the way MBAM swisarmyknife is blocked accessing read-only memory

    My guess is that SmartObjectBlocker does not block the loading of an object, but the allocation of (virtual) memory. This would be a very interesting approach, since part of the exploits try to trick the OS of changing read-only memory into executable memory or (the other part tries to misuse left-overs of executable memory before they are given back to the OS again). So intervention at this point might have favourable side effects.

    Hope Andreas can tell some more about the protection mechansim of SOB

    regards Kees
     
    Last edited by a moderator: Aug 10, 2015
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    Released a new version v1.1:
    http://downloads.novirusthanks.org/files/SmartObjectBlocker_Setup.exe

    We have changed the name of the DB files on \Exclude\ folder:
    Exclude\Exclude-Behavioral.DB --> This handles exclusions for Behavioral Mode
    Exclude\Exclude-Lockdown.DB --> This handles exclusions for Lockdown Mode

    Passive logging can be enabled\disabled from the Configuration.ini file:
    PassiveLogging = y\n

    ** By default it is set to "n" = disabled **

    We've improved also the Variables.txt and Readme.txt files.
    Now the variables %SIGNER% and %PRODUCTNAME% works fine for exclusions.

    Taken from the Readme.txt:

    To update:

    1) Close SOB
    2) Make a backup of the \Allow\, \Block\ and \Exclude\ (folders if needed)
    3) Uninstall SOB
    4) Reboot the PC (important)
    5) Install the new SOB

    @Windows_Security

    The issue with the -hidegui should be fixed.

    If a driver is blocked from loading, in some cases, it may generate a BSOD, here is a small text taken from the Readme.txt:

    After you whitelist MBAM driver it should work normally without issues.

    I should test SOB with MBAM later today to see what happens.

    Yes, we can add a button "Get File Info" that can be used to extract all useful details about a selected file.

    @EASTER

    Yes Lockdown Mode is very powerful, it only needs some time initially to write the rules but after that, it needs almost no maintenance (depending on the usage of the PC of course, for example, if you install hundreds of new apps per month it may need a constant updating of the rules).
     
    Last edited: Aug 12, 2015
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,502
    Location:
    U.S.A. (South)
    Likewise Thank You!

    @novirusthanks

    You wouldn't happen to think to consider at some unknown point in time a simple Registry app with a LOCKDOWN mode for the Windows Registry on the same fashion or otherwise as PC Hunter uses in that ARK could you? One click on that puppy in it's settings menu to "forbid writing keys/values" seals up the deal on that section of security too, and in no way affects the normal operation of your system. On-Demand Only during a windows session however.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    Thank you for adding passive logging mode! I can't wait to try some rules I have been working on in passive logging mode first to make sure I don't break anything :)
     
  18. @novirusthanks

    Confirmed, when opening the GUI after a warning (triangular red icon), the icon returns to green again Nice, I also like the passive logging. :thumb:

    Regards Kees
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    Released a new version v1.1 (small updates):
    http://downloads.novirusthanks.org/files/SmartObjectBlocker_Setup.exe

    + Added more path variables
    + Improved the \Block\ rules for Behavioral Mode
    + Improved the text on Variables.txt file
    + Show protection mode on the trayicon hint
    + Write "-= Passive Logging =-" text also in the log file

    To update:

    1) Close SOB
    2) Make a backup of the \Allow\, \Block\ and \Exclude\ (folders if needed)
    3) Uninstall SOB
    4) Reboot the PC (important)
    5) Install the new SOB
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,502
    Location:
    U.S.A. (South)
    Hah. I just did this this morning and already More Improvements!!!

    @novirusthanks Keep 'em coming and as always very many T H A N K S!!!
     
  21. I think a thread with SOB config files is usefull, when somebody would you please create such a thread?

    Tell which mode you use SOB and attach the config files as text files
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,502
    Location:
    U.S.A. (South)
    Very maintenance free. Lockdown Mode is not excessive just effective and I might just be getting the hang of this noise-free type of protection finally.

    FWIW NVT-ERP jumps up first on activity motion. Not sure how redundant it might seem but they both work flawlessly together on my Windows 8
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,437
    Location:
    .
    Does SOB have a Sandboxie Full Access like ERP.....?
     
  24. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    @bjm_

    Yes it works perfectly with Sandboxie and can monitor processes and DLLs loaded inside the sandbox.

    I made a note in the Readme.txt about how to configure Sandboxie:

    Here are some events logged by SOB when I was testing it with SBIE:

    Note that in some cases SBIE redirects some API calls to reflect the file path as if it is located in the non-sandboxed system, example:

    The file is in real located inside the sandbox folder at:

    @Windows_Security

    That sounds a good idea, I can create it in a few.
     
    Last edited: Aug 14, 2015
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.