Smart Object Blocker (Block EXE, DLL, Drivers)

Discussion in 'other anti-malware software' started by novirusthanks, Jul 29, 2015.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    @Windows_Security

    Yes, those rules should work fine.

    Will fix it tomorrow, thanks for reporting it.
     
  2. nezic

    nezic Registered Member

    Joined:
    Jul 7, 2013
    Posts:
    8
    PARENTPROCESS is very useful; I would like to see CHILD also. :)
     
  3. hjlbx

    hjlbx Guest

    @novirusthanks

    If I want to use ERP to monitor processes, and SOB to monitor dlls and drivers only, what rule do I need to create in SOB so there is no duplication of effort between ERP and SOB ?

    Without some form of alerts from SOB I have no idea when it blocks something; I have to continually look in the log. I know it is very early beta, but no alerts makes no sense from a usability perspective. It just isn't practical. I'm not bashing SOB... just sayin' it is very frustrating to use - especially for someone who knows next to nothing about writing rules - and gets no feedback\indication from the security soft.

    If I perform a clean install of OS, then immediately install ERP and place into Alert or Lock-Down mode, what is the advantage of SOB over ERP in that case ?

    I tested ERP against pack after pack of malwares... and eventually stopped because it was an exercise in utter futility - because ERP blocks everything. In fact, I had to ask around if anyone had ever even heard of a single instance where ERP had been by-passed. Everyone I asked stated "No."

    Thanks,

    HJLBX
     
  4. @novirusthanks

    What would work to block a parent-child process combination?

    Stop a specific executable from being started by another process in PROCESS.db
    [%FILENAME%: example.exe] [%PARENTPROCESS%: *\winword.exe]

    OR/AND

    [%PROCESS%: *\example.exe] [%PARENTPROCESS%: *\winword.exe]

    Thanks Kees
     
    Last edited by a moderator: Aug 24, 2015
  5. guest

    guest Guest

    i did a test but it didn't work (so i guess i missed something)

    - Used executable:

    DNS Jumper portable located on D:

    - Block rules:

    Process.db:
    [%PROCESS%: D:\*]
    [%FILEPATH%: D:\*]

    Drivers.db:
    [%FILE%: D:\*]

    Dll.db:
    [%FILE%: D:\*]

    - Result:

    DNS Jumper is executed, I can use it normally, no intervention from SOB despite the SOB log:

    Code:
    [24-Aug-15 14:30:49] Blocked Process: D:\DnsJumper.exe
    Rule: [%PROCESS%: D:\*]
    Command Line: D:\DnsJumper.exe
    Process Id: 5192
    Parent Process Id: 4844
    Parent Process: C:\Windows\explorer.exe
     
  6. nezic

    nezic Registered Member

    Joined:
    Jul 7, 2013
    Posts:
    8
    @guest Maybe passive logging is enabled.
    I'll just fire one more question that is on my mind: would it be possible to block a specific folder for a specific process?
     
  7. guest

    guest Guest

    I enabled it.
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    New build 1.1 with the "-hidegui" issue fixed:
    http://downloads.novirusthanks.org/files/SmartObjectBlocker_Setup.exe

    I have added an option to show the balloon hints and it can be enabled/disabled via Configuration.ini (enabled by default):

    @Windows_Security

    It should be fixed now, try the build above.

    Both rules do the same thing, you can use either the first one or the second one.

    @nezic

    You can block child process like this:

    With the above rule you block the parent process explorer.exe from executing a (child) process abc.exe

    Yes, you can block abc.exe located in different folders, example:

    @hjlbx

    You need to make sure SOB auto-allows any process, how do you want to use SOB ? In Behavioral Mode or Lockdown Mode ?

    This is an example rule to auto-allow all processes when SOB is in Lockdown Mode:

    The above rule allows any process to run.

    It can now show balloon hints, try the build above.

    SOB can monitor for dlls and drivers and allows you to write more customized/granular rules, that's all mainly.

    SOB can be used, for example, to restrict the loading of some DLLs in some processes (useful to mitigate exploits) and to block kernel-mode drivers.

    No process can run without ERP consent, if you want to monitor also DLLs and/or drivers, SOB can be handy.

    @guest

    That looks really strange, can you try to see if the process started was located somehow in a different location or if it was already opened ?
     
    Last edited: Aug 24, 2015
  9. guest

    guest Guest

    Located on D: (in a folder I created for portable apps); I clicked the exe after SOB was active (check the screenshot).

    Note: UAC alerted me and I allowed DNS Jumper to run.

    http://i.imgur.com/WM4Nvnt.png
     
    Last edited by a moderator: Aug 24, 2015
  10. hjlbx

    hjlbx Guest

    @novirusthanks

    I am learning SOB so I have opted to use only Behavioral Mode at this time and not create nor modify any rules. Later, if I choose I can mess with the Lock-Down mode.

    The only widely-exploited apps that I have installed on system are IE11 and, sometimes, Firefox... so exploit mitigation is minimal need in my case.

    So, in essence, SOB acts as anti-exploit when monitoring .dlls and anti-rootkit (kernel level\driver-based) when monitoring .sys files. Am I understanding this correctly ?

    However, ERP is still brilliant protection... it may not be able to block an exploit, but it will block the payload(s)... correct ? Also, it will block any installers that would otherwise deposit a .sys file in the driver directory... correct ?

    Thanks,

    HJLBX
     
  11. 1. Confirmed, it is solved now.

    2. Andreas, great program with endless possibilities. See for example the total lockdown of Chrome, and better than EMET's ASR for Outlook :D

    Thx kees

    Total Lockdown.png
     
    Last edited by a moderator: Aug 24, 2015
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    @guest

    You seem to have the "Passive Logging" enabled, disable it like this:

    1) Close SOB
    2) Edit Configuration.ini
    3) Set PassiveLogging = n
    4) Save Configuration.ini
    5) Start SOB

    Now the processes on D:\* should be blocked.

    Let me know the result.

    @hjlbx

    It can help to mitigate exploits by restricting the DLLs allowed to be loaded by commonly exploited apps and can block loading of malicious .sys driver files (such as rootkits and nasty malware).

    Absolutely, with ERP you have complete control over what is executed in the system, blocking malware, apps installations and payloads.

    So for example, if you block Rootkit.exe execution, it is unable to load the malicious .sys driver file.

    @Windows_Security

    Great!
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,477
    Location:
    U.S.A. (South)
    @novirusthanks

    Awesome just simply awesome. Excellent effort with SOB. I dribble over the tray icon alert too. Makes checking the screen all the time less tiresome. Let us know should you decide to throw in and enhance a form of an alert box option like ERP. In ERP it's absolutely phenomenal. Well thought out and so useful.

    Whatta combo!
     
  14. hjlbx

    hjlbx Guest

    @novirusthanks

    Is it possible for dll or .sys file to be installed surreptitiously (hidden) onto a system without an executable ? If that is indeed possible then I see the added value of SOB...

    From what I understand, for a dll it simply requires install to System32 directory and then registration on the system with regsvr32.exe.

    I am not too sure about .sys files. I thought the System32, SysWOW64 and Driver Locker directories were protected objects on Windows...
     
  15. guest

    guest Guest

    Indeed, I had it enabled. Now the exe is blocked as it should be. I thought Passive Logging was just for logging; I missed that it lets the exe run. :p
     
  16. NT Five

    NT Five Registered Member

    Joined:
    Aug 23, 2015
    Posts:
    15
    Location:
    Stuck in NT 5 land...
    NVT's apps rock !

    Using ERP on my main box and I am a happy user but I think the GUI needs some minor polishing (window sizes and layout) to make it close to perfect.

    I've got licences for ERP, AppGuard and Sandboxie and I'm running these apps on old technology (netbook, CPU Atom N450, 2 gigs of RAM) so I'm always keeping an eye on resource usage.

    At the moment the combo ERP/AG/SBIE is too demanding in this area, especially on my low end HW.
    I really want to cut resource usage down and I am thinking of replacing ERP by SOB to start with.

    Just downloaded the latest SOB and I will start testing soon. :)
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,477
    Location:
    U.S.A. (South)
    Don't feel bad. I did the exact same thing when he released the passive logging version, thinking I had the rulesets wrong.

    It's gonna be a monumental setup when all the "granularity" rules are put in their respective places. This is some pretty intense security.
     
  18. guest

    guest Guest

    Yes, I was scratching my head for hours thinking "what did I do wrong..?" :D

    Indeed, we can already foresee the endless possibilities we may have.
     
  19. @novirusthanks

    Andreas,

    Is SOB also capable of blocking OCX (active X) objects?

    regards

    Kees
     
  20. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    @Windows_Security

    Yes, it can do that, example:

    @guest

    Glad now it works.

    @NT Five

    If you need any help with SOB just post here so we can help.

    @hjlbx

    A DLL can be loaded also if placed in other folders, not only System32 folder, same for SYS files, some Anti-Rootkit software used to drop the driver file in Temp folder and load it from there.

    SOB gives you total control over what is executed/loaded in the system; you just need to get used to how it works and then you should be able to create rules very quickly when needed.
     
  21. hjlbx

    hjlbx Guest

    @novirusthanks

    Both of the above can only be accomplished by an executable... correct ?
     
  22. @novirusthanks

    Andreas the combinations are mindblowing, would you have a look at these rules to check whether I have applied them correctly.

    Block DLL.DB
    [%FILENAME%: *.dll] [%PARENTPROCESS%: *\chrome.exe] Block chrome loading dll's

    Block PROCESS.DB
    [%PARENT%: *\chrome.exe] %PARENT% VARIABLE NO LONGER VALID?
    [%PROCESS%: *] [%PARENTFILENAME%: chrome.exe] Block chrome starting other programs
    [%PROCESS%: *\chrome.exe] [%PARENTPROCESS%: *] Block chrome being started by any program

    Exclude BEHAVIORAL.DB
    Allow chrome to load dll's signed by Google from Chrome folder

    [%FILE%: %PROGRAMFILES%\Google\Chrome\*] [%SIGNER%: Google Inc] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe]

    Allow chrome to load dll's signed by Microsoft from Windows folder
    [%FILE%: %WINDOWS%\*] [%SIGNER%: Microsoft Corporation] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe]

    Allow chrome to launch Google Update

    [%PROCESS%: %PROGRAMFILES%\Google\Update\GoogleUpdate.exe] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe]

    Allow chrome to be launched by explorer, delegate-execute and chrome
    [%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe] [%PARENTPROCESS%: %WINDOWS%\explorer.exe]
    [%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\*\delegate_execute.exe]
    [%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe]

    Allow GoogleUpdate (signed by Google) to run Google signed programs and dlls from TEMP folder
    [%FILE%: %TEMP%\*] [%SIGNER%: Google Inc] [%PARENTFILENAME%: GoogleUpdate.exe] [%PARENTSIGNER%: Google Inc]
    [%PROCESS%: %TEMP%\*] [%SIGNER%: Google Inc] [%PARENTFILENAME%: GoogleUpdate.exe] [%PARENTSIGNER%: Google Inc]
     
    Last edited by a moderator: Aug 26, 2015
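The rule syntax discussed in this thread (the parent/child rules in post 4, the passive-logging result in post 5, and the Chrome rule set above) can be modelled in a few dozen lines. The following is an added example, not SOB's own code: a toy matcher that parses `[%VARIABLE%: pattern]` clauses, expands `%PROGRAMFILES%`-style variables, and evaluates constructed events against the quoted rules. The precedence (exclude rules beat block rules), the attribute names an event exposes, the environment values, the sample paths and the exact effect of PassiveLogging are all assumptions of this model, chosen to reproduce what the thread reports.

```python
"""Toy model of SOB-style rule matching (added example, not SOB's own code).

Syntax follows the rules quoted in this thread: one rule per line made of
[%VARIABLE%: pattern] clauses, all of which must match; '*' is a wildcard and
matching is case-insensitive.  Rule precedence and the meaning of
PassiveLogging are assumptions of this model.
"""
import fnmatch
import re

# Environment variables used by the thread's rules (values constructed here).
ENV = {
    "PROGRAMFILES": r"C:\Program Files (x86)",
    "WINDOWS": r"C:\Windows",
    "TEMP": r"C:\Users\kees\AppData\Local\Temp",
}

# Event attributes this model understands; a clause on any other name never matches.
KNOWN_VARS = {"PROCESS", "FILE", "FILENAME", "PARENTPROCESS",
              "PARENTFILENAME", "SIGNER", "PARENTSIGNER"}

CLAUSE_RE = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")
VAR_RE = re.compile(r"%(\w+)%")


def parse_rule(line):
    """Split a rule line into (VARIABLE, pattern) clauses.  Text outside the
    brackets (the inline notes in the thread) is ignored; %VAR% tokens inside
    a pattern are expanded from ENV, unknown ones are left literal."""
    clauses = []
    for var, pattern in CLAUSE_RE.findall(line):
        expanded = VAR_RE.sub(lambda m: ENV.get(m.group(1).upper(), m.group(0)),
                              pattern.strip())
        clauses.append((var.upper(), expanded))
    return clauses


def lint_rules(rules):
    """Variable names used by the rules that this model does not know, e.g.
    %PARENT%, which the thread says should be %PARENTPROCESS%."""
    return sorted({var for r in rules for var, _ in parse_rule(r)} - KNOWN_VARS)


def make_event(kind, path, parent, signer="", parent_signer=""):
    """Attributes of one observed event.  kind is 'PROCESS' for a process
    start or 'FILE' for a module load (DLL, driver, OCX)."""
    return {
        kind: path,
        "FILENAME": path.rsplit("\\", 1)[-1],
        "PARENTPROCESS": parent,
        "PARENTFILENAME": parent.rsplit("\\", 1)[-1],
        "SIGNER": signer,
        "PARENTSIGNER": parent_signer,
    }


def rule_matches(clauses, event):
    """Every clause must match; a clause on an attribute the event lacks fails."""
    if not clauses:
        return False
    for var, pattern in clauses:
        value = event.get(var)
        if value is None or not fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return False
    return True


def decide(event, block_rules, exclude_rules=(), passive_logging=False):
    """Return (decision, matching rule text).  decision is 'allow', 'block' or
    'logged': with PassiveLogging on, a matching block rule is only written to
    the log and the object still runs, as post 5 of this thread observed."""
    for text in exclude_rules:
        if rule_matches(parse_rule(text), event):
            return ("allow", text)
    for text in block_rules:
        if rule_matches(parse_rule(text), event):
            return ("logged" if passive_logging else "block", text)
    return ("allow", None)


# Rules quoted from the Chrome rule set in this thread.
BLOCK_DLL = [r"[%FILENAME%: *.dll] [%PARENTPROCESS%: *\chrome.exe]"]
BLOCK_PROCESS = [
    r"[%PROCESS%: *] [%PARENTFILENAME%: chrome.exe]",
    r"[%PROCESS%: *\chrome.exe] [%PARENTPROCESS%: *]",
]
EXCLUDE = [
    r"[%FILE%: %PROGRAMFILES%\Google\Chrome\*] [%SIGNER%: Google Inc] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe]",
    r"[%FILE%: %WINDOWS%\*] [%SIGNER%: Microsoft Corporation] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe]",
    r"[%PROCESS%: %PROGRAMFILES%\Google\Update\GoogleUpdate.exe] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe]",
    r"[%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe] [%PARENTPROCESS%: %WINDOWS%\explorer.exe]",
    r"[%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe] [%PARENTPROCESS%: %PROGRAMFILES%\Google\Chrome\Application\chrome.exe]",
]
CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"


def run_scenarios():
    """Constructed events (paths and version folder are made up) evaluated
    against the rules above; returns the decision for each."""
    google_dll = make_event("FILE", CHROME.rsplit("\\", 1)[0] + r"\1.2.3.4\chrome_elf.dll",
                            CHROME, signer="Google Inc")
    stray_dll = make_event("FILE", r"C:\Users\kees\Downloads\unknown.dll", CHROME)
    child = make_event("PROCESS", r"C:\Windows\System32\cmd.exe", CHROME)
    launch = make_event("PROCESS", CHROME, r"C:\Windows\explorer.exe")
    return {
        "google_dll": decide(google_dll, BLOCK_DLL, EXCLUDE)[0],   # allow
        "stray_dll": decide(stray_dll, BLOCK_DLL, EXCLUDE)[0],     # block
        "child": decide(child, BLOCK_PROCESS, EXCLUDE)[0],         # block
        "launch": decide(launch, BLOCK_PROCESS, EXCLUDE)[0],       # allow
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
    print("unknown variables:", lint_rules([r"[%PARENT%: *\chrome.exe]"]))
```

Running it shows the two things the thread spends most time on: a block rule whose parent clause matches still lets a signed Google DLL through because the exclude rule wins, and the `D:\*` rule from post 5 only yields a log entry when passive logging is on. `lint_rules` is the check a rule author would want before trusting a file: a clause on a variable the engine does not know (such as `%PARENT%`) silently never matches, so the rule blocks nothing.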
  23. @novirusthanks

    Andreas, two questions:
    1. Would it also be possible to add comment lines in the config files (e.g. lines starting with ; )?
    2. Could you add the %Downloads% variable for the downloads directory?

    Thx Kees
     
  24. theshadow247

    theshadow247 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    323
    Location:
    ontario.canada
    This is a keeper, and easy enough to set up. Cheers and keep up the great work... Thanks to all that posted their configs.
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    @Windows_Security

    The rules are all correct.

    The variable should be %PARENTPROCESS%

    Sure, we are adding it.

    I think it is better to write it like this:

    So it handles \Downloads\ folder for both XP and Vista+ OS, example:

    @hjlbx

    Correct, however, if a process is already started, it can be exploited to load new DLLs and with SOB you can control it.

    Check this rule written by @Windows_Security:

    With SOB you can also monitor/control loading of Active X (OCX) files.

    You really have more control, as you do not have to worry about checking the command line for regsvr32, rundll32, etc.; you control the modules to be loaded.
     