Cch123

#1
NoVirusThanks has just released a new tool. Here's my short summary of its capabilities. It has 2 modes, namely "lockdown" and "behavioral".

1. Lockdown
Lockdown mode is similar to Exe Radar Pro's lockdown mode, but on steroids. Basically, while Exe Radar Pro is simply an anti-executable, this software is capable of bringing the application whitelisting concept to drivers and dlls for a far more complete protection. (ERP is only able to control executables and not dlls and drivers.)

2. Behavioral Mode
Well basically, this mode allows you to write your own behavioral AV to the level of protection you want. An example of such a rule is given by NVT: "You can block, for example, the web browser (Firefox, Chrome, Opera) from executing unsigned processes or unsigned dlls, thus preventing exploit kits from executing the payload." Another example is blocking double extensions.

Overall, I think that this is an extremely exciting piece of software, but there are still bugs here and there since it's still so new. But it is definitely something to monitor.

Original Post from NVT on wilders:
We have released a new program named Smart Object Blocker, it is on its first version:

NoVirusThanks Smart Object Blocker is a valid approach to prevent malware and rootkit infections without requiring virus signatures or updates. It monitors in kernel-mode all processes, dlls and drivers loaded in the system, best bulletproof protection. The program is very stable and resources-friendly, you’ll not even notice it is installed in the system. With this awesome program you can create a whitelist and block all the rest (Lockdown Mode) or you can create a blacklist (Behavioral Mode), with support for exclusions, to block only specific objects. Block DLL injections. Supports all Microsoft Windows OS (32/64-bit).

http://www.novirusthanks.org/products/smart-object-blocker/

You should read the Readme for a basic usage guide:

- Program configuration

The program can be configured via a simple .INI file.

The configuration file is named Configuration.ini and is used to configure the program. You can enable/disable the "Behavioral Mode" or "Lockdown Mode", set the folders where rules are saved, enable/disable the logging of events to a file, etc.

All configuration fields are written in an understandable English language.

Use "y" to enable an option or "n" to disable an option, example:

LogEventsToFile = n ---> Disable logging to file

LogEventsToFile = y ---> Enable logging to file

These are the default settings:

[Mode]
Type = Behavioral
ProtectionDisabled = n

[Settings]
BlockRulePath = %CURDIR%\Block
AllowRulePath = %CURDIR%\Allow
ExcludeRulePath = %CURDIR%\Exclude
LogEventsToFile = y
LogEventsPath = %CURDIR%\Logs

- Protection modes

"Behavioral"

** For the INI file: Type = Behavioral **

This mode is used to block processes, dlls, drivers that match the block-rules.

You can use the exclusion-rules to exclude specific objects from being blocked; for example, you can block the execution of processes and the loading of dlls located in the C:\ProgramData\ folder, except for processes/dlls with a specific digital signature, process name or MD5 hash.

This mode is very useful to mitigate and block known attacks and potentially future attacks using up-to-date block-rules.

This mode is also recommended for home-users and beginner users.

"Lockdown"

** For the INI file: Type = Lockdown **

This mode is used to allow only processes, dlls, drivers that match the allow-rules.

This is a very powerful protection as only safe and trusted applications, dlls, drivers are allowed to run in the system, all the rest are blocked.

This mode is recommended more for companies and enterprises, but if well configured it can also be used by home-users.

** Important **

ProtectionDisabled = n --> It means the protection is enabled

ProtectionDisabled = y --> It means the protection is disabled

- Create rules

Creation of the rules is very simple; you can use wildcards or regular expressions (PCRE).

Our program uses aliases/variables to understand what it has to scan/check, for example:

%PROCESS% -> Means the process full file name, example: C:\Path\Process.exe

%PARENT% -> Means the parent process full file name, example: C:\Path\to\Parent\Process.exe

To create a rule, you can do it like this:

1] The rule below matches any process named "abc.exe" using wildcards:

[%PROCESS%: *\abc.exe]

2] The rule below matches the process named "abc.exe" and located in C:\WINDOWS\ using wildcards:

[%PROCESS%: %WINDIR%\abc.exe]

3] The rule below matches any process named "abc.exe" using regular expressions:

[REGEX:%PROCESS%: \\abc\.exe]

You can match multiple aliases/variables:

1] The rule below matches the process named "abc.exe" started by the parent process named "explorer.exe" using wildcards:

[%PROCESS%: *\abc.exe] [%PARENT%: *\explorer.exe]

2] The rule below matches the process named "abc.exe" started by the parent process named "explorer.exe" using regular expressions:

[REGEX:%PROCESS%: \\abc\.exe] [REGEX:%PARENT%: \\explorer\.exe]

3] You can also mix wildcards and regex in different fields; for example, you can use regex on %PROCESS% and a wildcard on %PARENT%:

[REGEX:%PROCESS%: \\abc\.exe] [%PARENT%: *\explorer.exe]

You can also create rules useful to mitigate web browser exploits and block the payload execution; for example, you can block any process started by firefox.exe:

[%PARENT%: *\firefox.exe]

And if needed, you can add to the exclusion-rules all processes allowed to be started by firefox.exe, for example:

[%PROCESS%: %WINDIR%\safe_process.exe] [%PARENT%: *\firefox.exe]

** Important **

The rules are loaded in real-time, which means that if you edit Allow.DB, the program will auto-load the new rules immediately.

- Other information

1] When an object is blocked, there is no alert as of now, so check the program's GUI, where all blocked objects are displayed.

2] We recommend that you save the events to a file to further investigate any blocked object.

3] Use the "Lockdown Mode" with caution; it may also block important objects needed by some other applications.

4] Remember that if an important kernel-mode driver is blocked it may generate a "Blue Screen of Death" (this is caused by the fact that the driver could not be loaded, not by our program).

5] If you use the "Lockdown Mode" make sure to write rules also for DLLs and drivers, not only for processes.

6] The program is not configured to start with Windows, so for now you have to open it manually.

For ERP users, this is an enhanced ERP with no GUI controls and no alert mode, but with "only" Lockdown Mode and Behavioral Mode (with support for exclusions), plus it can monitor DLLs and drivers, so it is a very complete protection. You can create very smart rules, filtering almost every field of the to-be-loaded object (process, command line, hash, parent process, etc.) with support for mixing/grouping rules; for example, you can allow Firefox to execute processes located in a particular folder, signed by a trusted vendor, and that match a specific command-line string. Moreover, you can easily share/combine rules with other users, thanks to the custom environment variables and aliases that we have created. Check the product page for more information.

Basic usage: install the program; by default it is set to "Behavioral Mode". Click the button "Block Rules" to edit the rules to block specific processes, dlls, drivers.

Feedback is of course welcome :)
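As an added illustration of the rule syntax quoted above (this is example code written for this thread, not code from NoVirusThanks or the product), here is a small Python evaluator for the Behavioral and Lockdown decisions. The matching semantics are assumptions drawn from the examples: every bracketed field of a rule must match (AND), a wildcard field must cover the whole path, a REGEX: field is searched anywhere in the path, matching is case-insensitive, and %WINDIR% is assumed to be C:\Windows; the sample events are constructed.

```python
import re

# Variable expansion assumed for this example (constructed; the real tool
# resolves %WINDIR% and friends at runtime).
VARIABLES = {"%WINDIR%": r"C:\Windows"}

# One bracketed field: [%FIELD%: value] or [REGEX:%FIELD%: value]. The lazy
# match plus lookahead lets a regex value itself contain ']' (e.g. [a-z]+).
FIELD_RE = re.compile(r"\[(REGEX:)?%(\w+)%:\s*(.*?)\]\s*(?=\[|$)")

def wildcard_to_regex(pattern):
    """Anchored regex for a '*' / '?' wildcard; everything else is literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return "^" + body + "$"

def parse_rule(line):
    """Compile a rule line into [(field, regex), ...], one entry per bracket."""
    checks = []
    for is_regex, field, value in FIELD_RE.findall(line):
        for var, real in VARIABLES.items():
            value = value.replace(var, re.escape(real) if is_regex else real)
        # Regex fields are searched unanchored (the page's \\abc\.exe matches
        # anywhere); wildcard fields must cover the whole value. Windows paths
        # are case-insensitive, so both kinds compile with re.I (assumption).
        rx = re.compile(value if is_regex else wildcard_to_regex(value), re.I)
        checks.append((field, rx))
    return checks

def rule_matches(checks, event):
    """All fields of a rule must match the event (AND across brackets)."""
    return bool(checks) and all(rx.search(event.get(f, "")) for f, rx in checks)

def behavioral_verdict(block_rules, exclude_rules, event):
    """Behavioral mode: block on a block-rule hit unless an exclusion also hits."""
    def hit(rules):
        return any(rule_matches(parse_rule(r), event) for r in rules)
    return "BLOCK" if hit(block_rules) and not hit(exclude_rules) else "ALLOW"

def lockdown_verdict(allow_rules, event):
    """Lockdown mode: only objects matched by an allow-rule may load."""
    ok = any(rule_matches(parse_rule(r), event) for r in allow_rules)
    return "ALLOW" if ok else "BLOCK"

# Constructed sample: the page's Firefox block-rule with its exclusion.
BLOCK = [r"[%PARENT%: *\firefox.exe]"]
EXCLUDE = [r"[%PROCESS%: %WINDIR%\safe_process.exe] [%PARENT%: *\firefox.exe]"]
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
```

Calling behavioral_verdict(BLOCK, EXCLUDE, {"PROCESS": r"C:\Users\u\AppData\Local\Temp\payload.exe", "PARENT": FIREFOX}) returns "BLOCK", while the same call for C:\Windows\safe_process.exe returns "ALLOW" because the exclusion-rule matches both fields.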

Raul90

#3
Yeah. There's not much we can see in the GUI, and rule creation needs some getting used to. But it's a great software complement. If I can iron out the kinks in my trial I will keep it :)