Smart Object Blocker (Block EXE, DLL, Drivers)

Discussion in 'other anti-malware software' started by novirusthanks, Jul 29, 2015.

  1. guest

    guest Guest

    Can we have a "start with Windows" option? I sometimes forget to launch it manually :p
     
  2. @novirusthanks

    Andreas, would this also work (%PROFILE%\Downloads) when I have relocated downloads to another partition?


    I am very happy with the capabilities. SOB is fast, easy on resources and mind-bogglingly granular :)

    You already have software which monitors file and folder access, could this be included in SOB also (to make it the ultimate sandbox for Windows :) )


    Regards, Kees
     
    Last edited by a moderator: Aug 29, 2015
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    Questions for everyone using SOB:

    1) What do you think about also having the possibility to write negative rules?

    This would allow matching, for example, processes, DLLs and drivers that do not have a "dot" in the filename.

    Example rule: [NEG:%FILENAME%: *.*]

    Of course this could be written as a regular expression like this:

    Code:
    [REGEX:%FILENAME%: ^(?:(?!\.).)*$]
    
    But this is a bit more complex probably.

    2) What do you think about having an option in the Configuration.ini to block autorun.inf executions from USBs, CD-ROMs, etc.?

    Just simple keys like BlockAutorunForUSBs = y, BlockAutorunForCDROMs = y, etc.

    3) What do you think about having new variables %USB% and %CDROM% to identify whether the object is located on a USB or CD-ROM device?

    This would allow you to block, for example, execution of processes from USB and/or CDROM devices.

    @Windows_Security

    The variable %PROFILE% is related to your profile folder, so if you installed Windows on E:\ partition, it would be like E:\Users\Username\

    You mean like blocking/allowing processes from writing/reading to/from a folder?
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I think that both of those are fantastic ideas. :thumb:
     
  5. guest

    guest Guest

    excellent

    very needed, since USBs and other removable media are high infection vectors; these options will save some of us from installing 3rd-party software.

    most needed too
     
  6. @novirusthanks

    2. What do you think about having an option in the Configuration.ini to block autorun.inf executions from USBs, CD-ROMs, etc.?
    :thumb: great

    3) What do you think about having new variables %USB% and %CDROM% to identify whether the object is located on a USB or CD-ROM device?
    :thumb:
    great

    4) You mean like blocking/allowing processes from writing/reading to/from a folder?
    :thumb:
    great
     
    Last edited by a moderator: Aug 31, 2015
  7. nezic

    nezic Registered Member

    Joined:
    Jul 7, 2013
    Posts:
    8
    "You mean like block/allow processes from writing/reading to/from a folder ? great" +1
    How soon can we expect this, so excited...
     
  8. @novirusthanks


    1. What do you think about also having the possibility to write negative rules?
    IMO this has 2 advantages and 2 disadvantages, so I am sceptical about it.

    Downside 1.
    This will mix the usage of allow - exception and block - exception. Now I write a * BLOCK rule for DLLs for Chrome and an EXCEPTION rule for DLLs from Microsoft and Google (to allow Chrome to only load DLLs from Microsoft and Google). In the current situation, the all rule is in Block and the exception rule is in Exception, which is logical by intuition.

    Upside 1.
    This will mix the usage of allow - exception and block - exception. The advantage is that (with NEG) I can write a BLOCK ALL EXCEPT (IS ALLOW ONLY) rule in the BLOCK section: e.g. Block NEG DLLs from Microsoft and Block NEG DLLs from Google (so I am writing an exclude rule in the block section).

    Downside 2
    As the above example shows, this might invoke logic errors when using de Morgan's rules:
    - not (A and B) is the same as (not A) or (not B)
    - not (A or B) is the same as (not A) and (not B).

    Upside 2
    When applying negative rules, there is no reason to have separate ALLOW and BLOCK rule folders anymore, since the NEGATIVE sort of reverses this logic. ALLOW, BLOCK and EXCLUDE folders are redundant anyway because Lock Down mode or Behavioral mode dictates the purpose of the DLL, DRIVER, PROCESS and EXCLUDE db. So the advantage of introducing NEG would be a reduction in configuration files (just add a comment rule ; to explain that the mode determines the way these rules are applied).
     
    Last edited by a moderator: Aug 31, 2015
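The two rule questions raised above (the NEG wildcard versus its REGEX equivalent in novirusthanks' post, and the de Morgan trap in Kees' reply) can be checked concretely. The following is an added example, not SOB's own code and not from either poster: a tiny evaluator for SOB-style rules that accepts the two rule forms quoted in the thread (`[NEG:%FILENAME%: *.*]` and `[REGEX:%FILENAME%: ^(?:(?!\.).)*$]`). The `%SIGNER%` variable, the sample DLL paths and signers, and the section semantics (an exclusion rule wins, otherwise any matching BLOCK rule blocks) are assumptions made for the example, not documented SOB behaviour.

```python
"""Added example (not SOB's own code): evaluator for SOB-style object rules.

Illustrates two points from the thread:
1. a NEG (negated) wildcard rule and the equivalent REGEX rule give the
   same verdicts on every sample filename;
2. why two NEG rules in the BLOCK section do not mean "block everything
   that is not from Microsoft or Google" (the de Morgan trap).

Assumptions for the example: a %SIGNER% variable, and the semantics
"an exclusion rule wins, otherwise any matching BLOCK rule blocks".
"""
import fnmatch
import ntpath
import re

# Rule text: [PREFIX:%VAR%: pattern] where PREFIX is NEG, REGEX or absent.
RULE_RE = re.compile(r"^\[(?:(NEG|REGEX):)?(%[A-Z]+%):\s*(.+)\]$")


def parse_rule(text):
    """Return (variable, predicate, negate) for one rule line."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule: %r" % text)
    kind, var, pattern = m.groups()
    if kind == "REGEX":
        rx = re.compile(pattern)                       # user supplies anchors
        pred = lambda s: rx.search(s) is not None
    else:
        # Plain and NEG rules use shell-style wildcards (* and ?),
        # anchored at both ends and case-insensitive like Windows names.
        rx = re.compile(fnmatch.translate(pattern), re.IGNORECASE)
        pred = lambda s: rx.match(s) is not None
    return var, pred, kind == "NEG"


def rule_matches(rule, obj):
    var, pred, negate = rule
    return pred(obj[var]) != negate                    # NEG flips the verdict


def verdict(block_rules, exclude_rules, obj):
    """Assumed semantics: exclusion wins; otherwise any BLOCK hit blocks."""
    if any(rule_matches(r, obj) for r in exclude_rules):
        return "ALLOW"
    if any(rule_matches(r, obj) for r in block_rules):
        return "BLOCK"
    return "ALLOW"


def make_object(path, signer):
    """Object variables as a dict; %SIGNER% is an assumed variable."""
    return {"%FILENAME%": ntpath.basename(path), "%SIGNER%": signer}


# Constructed sample loads: paths and signers are invented for the example.
SAMPLES = [
    make_object(r"C:\Windows\System32\kernel32.dll", "Microsoft"),
    make_object(r"C:\Program Files\Google\Chrome\chrome_elf.dll", "Google"),
    make_object(r"C:\Users\kees\AppData\Local\Temp\helper.dll", "Unknown"),
    make_object(r"C:\Users\kees\Downloads\noext", "Unknown"),
]


def neg_equals_regex():
    """Point 1: the NEG wildcard and the lookahead regex agree on every sample."""
    neg = parse_rule("[NEG:%FILENAME%: *.*]")
    rx = parse_rule(r"[REGEX:%FILENAME%: ^(?:(?!\.).)*$]")
    return all(rule_matches(neg, o) == rule_matches(rx, o) for o in SAMPLES)


def blocked_names(block_rules, exclude_rules):
    return [o["%FILENAME%"] for o in SAMPLES
            if verdict(block_rules, exclude_rules, o) == "BLOCK"]


def naive_neg_config():
    """Point 2, wrong form: two NEG rules in the BLOCK section.
    Any-rule-matches semantics combine them as (not MS) OR (not Google),
    which by de Morgan is not (MS AND Google): true for every file,
    so even the Microsoft and Google DLLs are blocked."""
    block = [parse_rule("[NEG:%SIGNER%: Microsoft]"),
             parse_rule("[NEG:%SIGNER%: Google]")]
    return blocked_names(block, [])


def block_all_with_exclusions():
    """Point 2, intended form: block everything, exclude the trusted signers.
    This yields not (MS OR Google) = (not MS) AND (not Google)."""
    block = [parse_rule("[%FILENAME%: *]")]
    exclude = [parse_rule("[%SIGNER%: Microsoft]"),
               parse_rule("[%SIGNER%: Google]")]
    return blocked_names(block, exclude)


if __name__ == "__main__":
    print("NEG == REGEX on samples:", neg_equals_regex())
    print("naive NEG config blocks:", naive_neg_config())
    print("block-all + exclusions blocks:", block_all_with_exclusions())
```

Run as-is it reports that the two "no dot in the filename" rules agree, that the naive NEG configuration blocks all four sample DLLs including the Microsoft and Google ones, and that the block-all-plus-exclusions form blocks only the two unsigned samples. The practical lesson is the one Kees describes: a rule set where each BLOCK line is evaluated independently combines NEG lines with OR, so "not from X" rules have to be expressed as one conjunction (here, via the exclusion section) rather than as several negated block lines.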
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    We've added support to block AutoRun (autorun.inf) executions for USBs, CDROMs or completely, plus we've added support for commenting lines.

    Another question:

    What's your preference?

    I would personally vote to separate the .DB files for Exclusion rules, much better to organize and write the rules.
     
    Last edited: Sep 2, 2015
  10. guest

    guest Guest

    me too, clearer and simpler
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I think they should be separated also. I think users will be less likely to make mistakes when writing the rules if they are separated.
     
  12. Yes, because file commands apply to both DLL and Driver in exclusion, separation into three (DLL, Driver, Process) would be the most straightforward solution.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)

    Thanks for the added improvements.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
    Hello Andreas. Any news on this?
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    Released a new build:
    http://downloads.novirusthanks.org/files/SmartObjectBlocker_Setup.exe

    Here is what we've changed/added so far:

    To update:

    1) Close SOB
    2) Make a backup of the \Allow\, \Block\ and \Exclude\ (folders if needed)
    3) Uninstall SOB
    4) Reboot the PC (important)
    5) Install the new SOB

    New\renamed object variables:

    Block AutoRun.inf:

    Autostart with Windows:

    Now exclusions are handled separately:

    @Mister X

    Not yet discussed, should do that in the next week :)
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,682
    Location:
    Mexico
    ditto
     
  18. theshadow247

    theshadow247 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    323
    Location:
    ontario.canada
    Thank you, as always.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)
    So what's the skinny on SOB? Happy that its developments are going forward pretty much without a hitch, but just curious if anything new is being seriously considered yet.

    Or implemented
     
  20. @novirusthanks

    Andreas,

    Would you please add an option to autostart SOB task even when admin user is NOT logged on?

    This enables SOB to be protecting other users on the system as well.

    Regards, Kees
     
  21. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    The site is back up now...
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,501
    Location:
    U.S.A. (South)
  23. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,148
    This program seems rather complex and time-consuming to learn. How is it any different from Faronics Anti-Executable
    or Windows' built-in AppLocker, which are much easier to use?
     
  24. guest

    guest Guest

    It seems complex because the GUI isn't implemented yet. Remember it is an alpha version. You can't compare it to anything until the final release.
     
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    @Windows_Security

    Like start SOB when Windows starts also on Limited User Accounts ?

    @arran

    The program should be easy to manage; it allows you to write custom rules to block/allow processes, DLLs and drivers. You can use wildcards, regular expressions and group rules to match an object. Once you understand how SOB works it will become easier to use. The GUI as of now is only used to display the blocked events. We'll write more tutorials soon.

    @EASTER

    For now we are working on making it stable, fixing a few bugs reported by a user and improving a few things. We should release a new build in a few days.
     