Smart Object Blocker (Block EXE, DLL, Drivers)

Discussion in 'other anti-malware software' started by novirusthanks, Jul 29, 2015.

  1. Yes also for other (limited) users.
     
  2. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    697
    Location:
    Europe
    @novirusthanks:
    Is it ready to run with the default settings?
    Does it make sense to install it with NVT EXPro? Let me know, thank you.
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,821
    Location:
    Under a bushel ...
    +1
     
  4. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    2nd answer can be found in one of the 9 pages of this thread, or in the ERP thread... the 1st one I haven't paid too much attention to yet; still reading through AppGuard thread.
     
  5. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    -- Just installed and testing SOB, and in its default settings it's good to go, BUT you have to tweak it more specifically for your usage, like when you want to restrict something that runs automatically or stop an application from starting another. In NVT you can't stop that application trigger (stop an application from starting another), but in SOB you can via a rule like,

    If that capability can be merged with NVT then it would be one awesome app!

    Have not actually run both NVT and SOB at the same time though. I am tempted, but as of the moment I have Kaspersky Pure 3 with NVT in one partition and am testing SOB with Avast Premier.

    I'll share if ever I make that decision here.
     
  6. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    697
    Location:
    Europe
    I will be waiting until the next release, hope that it comes soon.
     
  7. @novirusthanks

    Andreas,

    In the defaults for %FILEPATH% you sometimes use only \ after variables and sometimes \*; is that done for any reason?

    As far as I understand, for FILEPATH, PROCESSPATH etc. only the last backslash would be enough (why add the asterisk)?

    Thx Kees
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    @Windows_Security

    [%FILEPATH%: %ROOT%\] -> Matches only C:\, not sub-folders
    [%FILEPATH%: %ROOT%\*] -> Matches C:\ and any sub-folder, example C:\Example\, C:\Test\Path\, etc

    The "*" means any character and any length.

    @constantine76

    Feel free to post here feedbacks :)

    @Ashanta

    SOB can be of help also with default settings.

    You may want/need to edit them or create new one based on your needs.
     
  9. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Hi, @novirusthanks .:)
    Here I have a problem in preventing DLLs with SOB.
    Suppose that we have an exe file "CallDll.exe" and a dll file "HelloDll.dll".
    The exe file will load the dll file.
    I have tried the following three different rules in the Behavioral mode, but with any of them, the function in the dll file is still carried out successfully.:confused:
    How to make a correct rule to block the dlls?
    Thanks.
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    Released a new version v1.2:
    http://www.novirusthanks.org/products/smart-object-blocker/

    @Online_Sword

    Try now, it should work. Here are the rules that can be added to \Block\DLL.DB file:

    Any of the 3 rules should work fine.
     
    Last edited: Oct 7, 2015
  11. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Hi, @novirusthanks .:)
    Thank you for your reply and the new version.
    I have installed the new version. The timestamp of the digital signature is Oct 8, 2:15:26.
    But even with the new version, I still cannot prevent my dll in the Behavioral mode with any of the three rules above...:confused:
    In addition, I cannot block this dll in the Lockdown mode either, as long as the exe file that calls the dll file is whitelisted.
    Would you have time to test my dll? I can send my test files to you.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Online Sword.

    You are still missing the vital point. Why would you whitelist an app that calls the DLL, and then want the DLL blocked? It makes no sense.

    Pete
     
  13. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Hi, Pete.:)
    Well, since SOB is designed to have the capability of preventing DLLs, naturally I hope to test it. In George Mallory's word, "Because it's there".
    So maybe you need to talk with Andreas rather than me on the significance of blocking dlls.:)
    Then, how to only test the capability of preventing dlls? In my opinion, it is obvious that we need to whitelist the exe file in the test. Only in this way could we confirm whether the DLL (not the EXE) is properly handled by the rules written in DLL.DB.
    I mean, of course SOB has the capability of blocking EXE files. But, the object that I want to test here, is DLL, not EXE. So, we should isolate exe file from this experiment, which means we should whitelist it. I think isolation is a normal approach in scientific experiments. It can help us to focus on the object that we are interested in.
     
  14. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Isolation is the key with everything computer-based. I applaud your approach so far, trying to use SOB purely for DLL purposes. I am heading down that path too; start with a backup of my PC once I've set up AppGuard, and then remove AppGuard to see how ERP for exe, SOB for dll and DRP for driver pans out. Transparency, isolation, accountability and piss easy to troubleshoot.
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    @Online_Sword

    Can you send me the files you used in your tests ?

    I tried it now and it works fine:

     
  16. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Thank you for your reply.
    I have sent the download link of the test files to you via PM.;)
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yeah, but does this really provide any more security? How can a DLL load with either a calling application or Rundll32?
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    First I tested against ERP. Didn't whitelist the exe, just allowed it, and as expected it ran the DLL.


    Tested with the files in question, with the latest version of Faronics AE. Did it in a VM just to keep the number of files down. One thing about this AE is you get very familiar with its favorite window, "Please wait". Let it scan for exe's and DLL's, then turn on the option to monitor both DLL and Jar files. Then I added the two files. I ran the exe and FAE did challenge the exe. Interestingly it had a box to allow included DLL's and it was checked by default. I unchecked it and it did challenge the DLL. So it worked.
    Just not sure I see what was accomplished.
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,953
    Location:
    Here
    Malware Defender and Software Restriction Policy don't block it either.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,675
    Location:
    Mexico
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Mister X Good point there, I was reading that Ars Technica article this morning as well.
     
  22. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    I posted this one on behalf of a friend (he wanted to post it here himself but still did not get an email from the admins). I actually tried this one on my own partition using Acronis Universal Restore so I can have the same partition on my vacant one. Have succeeded with certain issues he encountered with SOB, like blocking opera-autoupdate.exe each time opera.exe runs and blocking specific access to drives, but I had more questions. I am still learning the rules creation, so pardon me if they are wrong. Might you check them out please.

    1. Applied created block rules via the rule with grouping: [%PROCESS%: *\xxxx.exe][%PARENTPROCESS%: *\xxxx.exe]. No deletion of default rules for opera.exe in Behavioral_Block_Process.DB / Exclude_Behavioral_Process.DB.

    Created block rule applied,

    No blocks. Opera.exe connected to the internet normally with opera_autoupdate.exe and opera_crashreporter.exe.
    See image:

    xttp://imgur.com/nhhAaO6.png


    2. Applied created block rules plus deleted default rules for opera.exe in Behavioral_Block_Process.DB. Retained default rules for opera.exe in Exclude_Behavioral_Process.DB. Take note of rule via the rule with grouping: [%PROCESS%: *\xxxx.exe][%PARENTPROCESS%: *\xxxx.exe]

    Created block rule applied,

    with deletion of default rules for Behavioral_Process.DB,


    No blocks. Opera.exe connected to the internet normally with opera_autoupdate.exe and opera_crashreporter.exe.

    See image:

    xttp://imgur.com/RUdonkD.png


    3. Applied created block rules plus deleted default rules for opera.exe Exclude_Behavioral_Process.DB. Retained default rules for opera.exe in Behavioral_Block_Process.DB. Take note of rule via the rule with grouping: [%PROCESS%: *\xxxx.exe][%PARENTPROCESS%: *\xxxx.exe]

    Created block rule applied,

    with deletion of default rules for Exclude_Behavioral_Process.DB,


    See image:

    xttp://imgur.com/lCtlLoJ.png

    SOB blocked opera.exe and opera_autoupdate.exe. Opera.exe also did not run normally. See SOB log below:


    4. Applied created block rules plus deleted default rules for opera.exe in Behavioral_Block_Process.DB / Exclude_Behavioral_Process.DB. Take note of rule via the rule with grouping: [%FILENAME%: xxxx.exe][%FILEPATH%: C:\Program Files (x86)\xxxx\xxxxx xxxxx xxxx\*]

    Created block rule applied,

    Deletion of default rules for Behavioral_Process.DB / Exclude_Behavioral_Process.DB in place,

    SOB did not block "opera_autoupdate.exe" and "opera_crashreporter.exe".

    See image:

    xttp://imgur.com/bZsz4CD.png


    5. Applied created block rules plus deleted default rules for opera.exe in Behavioral_Block_Process.DB / Exclude_Behavioral_Process.DB. Take note of rule via the rule with grouping: [%PROCESS%: *\xxxx.exe][%PARENTPROCESS%: *\xxxx.exe]

    Created block rule applied,

    with deletion of default rules for Behavioral_Process.DB / Exclude_Behavioral_Process.DB,

    See image:

    xttp://imgur.com/rk6thzA.png

    SOB blocked opera_autoupdate.exe / opera_crashreporter.exe while opera.exe ran normally. See SOB logs below.


    6. Applied created block rules plus deleted default rules for opera.exe Exclude_Behavioral_Process.DB. Retained default rules for opera.exe in Behavioral_Block_Process.DB. Take note of rule via the rule with grouping: [%FILENAME%: xxxx.exe][%FILEPATH%: C:\Program Files (x86)\xxxx\xxxxx xxxxx xxxx\*]

    Created block rule applied,

    with deletion of default rules for Exclude_Behavioral_Process.DB,

    See image:

    xttp://imgur.com/lIjYe4G.png

    Same behavior/observation as of #3. SOB blocked opera.exe and opera_autoupdate.exe. Opera.exe also did not run normally. See SOB log below:


    7. Applied created block rules plus deleted default rules for opera.exe in Behavioral_Block_Process.DB. Retained default rules for opera.exe in Exclude_Behavioral_Process.DB. Take note of rule via the rule with grouping: [%FILENAME%: xxxx.exe][%FILEPATH%: C:\Program Files (x86)\xxxx\xxxxx xxxxx xxxx\*]

    Created block rule applied,

    with deletion of default rules for Behavioral_Process.DB,

    Same behavior/observations as of #2. No blocks. Opera.exe connected to the internet normally with opera_autoupdate.exe and opera_crashreporter.exe.

    See image:

    xttp://imgur.com/DyaLT5C.png

    Based on the observations above. Both #2 and #7 gave the same results. Also with #3 and #6.

    The only effective method to block opera_autoupdate.exe / opera_crashreporter.exe without affecting performance of opera.exe is #5. By applying,

    [%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
    [%PROCESS%: *\opera_crashreporter.exe][%PARENTPROCESS%: *\opera.exe]

    with deletion of default rules for Behavioral_Process.DB / Exclude_Behavioral_Process.DB,

    Now I do not know why #4 failed using rule grouping, [%FILENAME%: xxxx.exe][%FILEPATH%: C:\Program Files (x86)\xxxx\xxxxx xxxxx xxxx\*].

    Ain't it supposed to be the same with #5...?


    8. Block specific file type from executing

    Are there only specific file types that SOB can block? I ask because I tried to block certain file types and the only ones that I have blocked successfully are all .exe. File types that I have tried so far are video files of .mp4, .avi, .wmv, .html and .txt. I have had no success with all mentioned.
    The rules that were created to block the file types I mentioned are below. Can you check them out if they are correct?

    //Block a file type from executing
    [%FILENAME%: *.avi][%FILEPATH%: *]
    [%FILENAME%: *.mp4][%FILEPATH%: *]
    [%FILENAME%: *.wmv][%FILEPATH%: *]
    [%FILENAME%: *.txt][%FILEPATH%: I:\VLCPortable\*]
    [%FILENAME%: *.html][%FILEPATH%: I:\VLCPortable\*]
    -- Did not work. These despite the removal of Allow Default rules in Process.DB / Drivers.DB / DLL.DB,

    //Block specific video file Terminator2_JudgementDay.mp4
    [%FILENAME%: Terminator2_JudgementDay.mp4][%FILEPATH%: L:\My Videos]
    [%FILENAME%: Terminator2_JudgementDay.mp4][%FILEPATH%: D:\My Videos]
    -- Did not work. Double clicking the file will launch the default video player which is PotPlayerMini.

    //Block VLCPortable.exe from accessing files in L:\My Videos or D:\My Videos
    [%PROCESS%: *\VLCPortable.exe][%FILEPATH%: L:\My Videos\*]
    [%PROCESS%: *\VLCPortable.exe][%FILEPATH%: D:\My Videos\*]
    --Did not work. File accessed via the VLCPortable Media>Open file> "file path".

    //Block specific video file from being accessed by default player
    [%FILENAME%: Terminator2_JudgementDay.mp4][%PROCESS%: *\PotPlayerMini.exe]
    [%FILENAME%: Terminator2_JudgementDay.mp4][%PARENTPROCESS%: *\PotPlayerMini.exe]
    [%PROCESS%: *\PotPlayerMini.exe][%FILEPATH%: D:\My Videos]
    -- Did not work. Double-clicking launched the default player. Accessing the file from the PotPlayerMini.exe GUI (Add > "file") also led to the file being played.

    //Block specific video file from being accessed by video player
    [%FILENAME%: Return.to.Sender.2015.BRRip.XviD.AC-EVO.avi] [%PARENTPROCESS%: *\VLCPortable.exe]
    [%FILENAME%: Return.to.Sender.2015.BRRip.XviD.AC-EVO.avi] [%PROCESS%: *\VLCPortable.exe]
    -- Did not work. The file was played via "right-click > Open With > VLCPortable". The file was also accessed via the VLCPortable Media > Open file > "file path".

    //Block VLCPortable.exe
    [%PROCESS%: *\VLCPortable.exe]
    --WORKED. But it will just deter me from using VLCPortable.exe. This is also the same if I use, "[%PROCESS%: *\VLCPortable.exe][%FILEPATH%: *]"..correct..?


    //Block VLCPortable.exe
    [%PROCESS%: *\VLCPortable.exe][%FILEPATH%: *]
    --WORKED. Copy/paste the VLCPortable folder to a different location outside the main partition and tried to double-click the "VLCPortable.exe" from there. Removed default Allow Rule "[%FILEPATH%: %PROGRAMFILESX86%\*\*]" in Process.DB. SOB blocked it.

    SOB Log:


    //Block specific file from being accessed by default player (.wmv)
    [%FILE%: I:\New folder\Wildlife.wmv]
    [%FILENAME%: Wildlife.wmv][%FILEPATH%: I:\New folder\]
    [%FILENAME%: Wildlife.wmv][%PROCESS%: *\wmplayer.exe]
    -- Did not work even if you remove default Allow Rule "[%FILEPATH%: %PROGRAMFILESX86%\*\*]" in Process.DB and copy/paste Wildlife.wmv to a different folder outside the main partition (I:\New folder\). Double-click will launch the file in wmplayer.exe. File can also be accessed via the Windows Media Player gui.

    9. Tried these rules below to restrict access to drives or any file in stated drives.


    //Block access to anything on stated specific drives:


    ---WORKED ONLY ON .EXE FILES. MS Office 2013 files, video files, .txt files, .html files, also were not blocked by SOB.

    Now I have observed that with the rules created above and I continue to block Kingsoft applications in D:\Program Files (x86) SOB seemed to stop functioning. et.exe -- Kingsoft Spreadsheets 2013, wpp.exe Kingsoft Presentation 2013 and wps.exe -- Kingsoft Writer 2013 did not launch but that was as far as I can go. No logs were seen. Any files that I wanted to run like CCleaner or Process Hacker portable all within the main partition did not run. I can't even restart the pc so I had to use the restart button on the desktop. After restart, I could now block the remaining. See logs after "[10/16/2015 8:14:28 PM]".

    Then a funny thing happened as I tried to launch CCleaner.exe / HitmanPro.exe / Cyberfox.exe in D:\Program Files. All were blocked but no logs and pop-up were seen. Then tried to launch Process Hacker Portable in the main partition but the same thing happened. Can't launch anything in C:\. Had to restart using the restart button on the desktop again.
     
    Last edited: Oct 18, 2015
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,029
    Location:
    Italy
    We are working on SOB to fix one issue identified only in Windows 8\10 OS (related to dll injection monitoring) and we're adding many improvements, hope to have the new build ready in one week.

    @constantine76

    1. + 2.

    That is because in the Exclude\Behavioral\Process.DB there are references to the Opera digital signature "Opera Software ASA" and\or process names "opera.exe". SOB first checks for exclusions, and then checks the block or allow rules (Behavioral or Lockdown). Your rule should work fine only if you delete the rules related to Opera in the Exclude rules, or you need to restrict the Exclude rules.

    3.

    That may be related to the fact that you block all the executions from "opera.exe" as parent process, but opera.exe may be able to run if you double click on it because it is started for the first time by explorer.exe (not by opera.exe itself). After the first time opera.exe is executed, I see it tries to re-execute itself, but those executions are blocked by SOB as opera.exe is now the parent process too.

    5.

    Correct, those rules work fine.

    There may be a bug on SOB when parsing vars like %FILENAME% or %FILEPATH% for Process.DB, I'll check this. It is also possible that Opera needs some specific rules caused by the need to run as parent process some of its processes, I'll have to check this too.

    You can't block file types with SOB that way; you need to filter the %PROCESSCMDLINE% variable, because when you run an .AVI file with VLC, I think VLC is started with the .AVI file as a parameter, example:

    SOB does not monitor for file access but just for process executions, dll injection and loading of kernel-mode drivers. However, you may allow\block what files are opened with specific processes by filtering the command-line of specific processes (video players, audio players, documents, notepad, etc).

    Same as before, SOB doesn't monitor file accesses but you can instead filter process command-lines.

    I'll show more examples after we've released the new SOB version :)
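
The following is an added example, not SOB's code and not posted by the developer. It is a small model of the rule syntax shown in this thread, written to make three points from the posts above concrete: the difference between `%ROOT%\` and `%ROOT%\*` (the "*" matching any characters of any length, including none), the evaluation order "exclusions first, then block rules" that explains why the Opera rules only fired after the default Opera exclusion was removed, and why a `[%FILENAME%: *.avi]` rule cannot block a video file while a `%PROCESSCMDLINE%` filter on the player can. Everything here is an assumption about SOB's behaviour, not a description of it: the variable expansions, case-insensitive matching, the stand-in exclusion rule `[%PROCESS%: *\opera*.exe]` (not the real contents of Exclude\Behavioral\Process.DB), and the `*.avi*` command-line pattern are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Added example modelling SOB-style rules; not SOB's own code.
# Assumed syntax: one rule per line, a sequence of "[%VAR%: pattern]" conditions
# that must all match; "*" = any run of characters (even empty); "//" = comment.
# Assumed variable expansions (illustrative values, not SOB's real ones):
VARS = {"%ROOT%": "C:", "%PROGRAMFILESX86%": r"C:\Program Files (x86)"}

Rule = List[Tuple[str, str]]   # [(variable name, pattern), ...]
Event = Dict[str, str]         # {"PROCESS": path, "PARENTPROCESS": path, ...}

_COND = re.compile(r"\[%(\w+)%:\s*([^\]]*?)\s*\]")


def expand(pattern: str) -> str:
    for name, value in VARS.items():
        pattern = pattern.replace(name, value)
    return pattern


def parse_rules(text: str) -> List[Rule]:
    """Parse a rule DB text into rules, skipping blank and // comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        conds = [(var.upper(), expand(pat)) for var, pat in _COND.findall(line)]
        if conds:
            rules.append(conds)
    return rules


def glob_match(pattern: str, value: str) -> bool:
    """'*' matches anything (any length, including empty); rest is literal; case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def rule_matches(rule: Rule, event: Event) -> bool:
    return all(glob_match(pat, event.get(var, "")) for var, pat in rule)


def decide(event: Event, exclude: List[Rule], block: List[Rule]) -> str:
    """Exclusions are evaluated before block rules, as described in the thread."""
    if any(rule_matches(r, event) for r in exclude):
        return "ALLOW (excluded)"
    if any(rule_matches(r, event) for r in block):
        return "BLOCK"
    return "ALLOW"


def exec_event(process: str, parent: str, cmdline: str = "") -> Event:
    """A process-execution event; FILEPATH is the exe's folder with a trailing '\\'."""
    folder, _, name = process.rpartition("\\")
    return {"PROCESS": process, "PARENTPROCESS": parent, "PROCESSCMDLINE": cmdline,
            "FILENAME": name, "FILEPATH": folder + "\\"}


EXPLORER = r"C:\Windows\explorer.exe"
OPERA = r"C:\Program Files (x86)\Opera\opera.exe"
UPDATER = r"C:\Program Files (x86)\Opera\opera_autoupdate.exe"


def demo_filepath() -> tuple:
    """%ROOT%\\ matches only the root folder; %ROOT%\\* matches the root and any sub-folder."""
    root_only = parse_rules(r"[%FILEPATH%: %ROOT%\]")
    root_tree = parse_rules(r"[%FILEPATH%: %ROOT%\*]")
    in_root = exec_event(r"C:\tool.exe", EXPLORER)
    nested = exec_event(r"C:\Test\Path\tool.exe", EXPLORER)
    return (decide(in_root, [], root_only), decide(nested, [], root_only),
            decide(in_root, [], root_tree), decide(nested, [], root_tree))


def demo_opera() -> tuple:
    """The thread's updater rule is dead while a matching exclusion exists (cases #1/#2 vs #5)."""
    block = parse_rules(r"""
    // stop Opera from spawning its updater and crash reporter (rules quoted in the thread)
    [%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
    [%PROCESS%: *\opera_crashreporter.exe][%PARENTPROCESS%: *\opera.exe]
    """)
    exclude = parse_rules(r"[%PROCESS%: *\opera*.exe]")   # constructed stand-in exclusion
    spawn = exec_event(UPDATER, OPERA)
    return decide(spawn, exclude, block), decide(spawn, [], block)


def demo_self_spawn() -> tuple:
    """Case #3: a double-click (parent explorer.exe) passes, Opera re-launching itself is blocked."""
    rule = parse_rules(r"[%PROCESS%: *\opera.exe][%PARENTPROCESS%: *\opera.exe]")
    return decide(exec_event(OPERA, EXPLORER), [], rule), decide(exec_event(OPERA, OPERA), [], rule)


def demo_cmdline() -> tuple:
    """Only executions are seen, so FILENAME is the player's exe; filter the command line instead."""
    by_name = parse_rules(r"[%FILENAME%: *.avi][%FILEPATH%: *]")
    by_cmd = parse_rules(r"[%PROCESS%: *\VLCPortable.exe][%PROCESSCMDLINE%: *.avi*]")
    vlc = r"I:\VLCPortable\VLCPortable.exe"
    play_avi = exec_event(vlc, EXPLORER, f'"{vlc}" "L:\\My Videos\\clip.avi"')
    play_mp4 = exec_event(vlc, EXPLORER, f'"{vlc}" "L:\\My Videos\\clip.mp4"')
    return decide(play_avi, [], by_name), decide(play_avi, [], by_cmd), decide(play_mp4, [], by_cmd)


if __name__ == "__main__":
    for demo in (demo_filepath, demo_opera, demo_self_spawn, demo_cmdline):
        print(demo.__name__, demo())
```

Run it directly and each demo prints its verdicts. The point of `decide` is the ordering: because the stand-in exclusion is consulted first, `demo_opera()` returns "ALLOW (excluded)" with the exclusion in place and "BLOCK" only once it is removed, which is the behaviour reported for cases #1/#2 versus #5. `demo_cmdline()` shows why the `*.avi` FILENAME rules had no effect on a playback: the only event the model ever sees is the execution of VLCPortable.exe, so the video's name appears in the command line, not in FILENAME.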
     
  24. @novirusthanks

    Andreas, any news on the next release?

    I was wondering whether SOB also protects against reflective DLL-injection?

    Regards Kees
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,904
    Location:
    U.S.A.
    Additionally add remote shellcode injection and process hollowing methods.
     