NVT Smart Object Blocker Update Thread

Umbra

Level 85
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,965
OS
Windows 10
Antivirus
Default-Deny
#1
Released stable version v1.1:
http://downloads.novirusthanks.org/files/SmartObjectBlocker_Setup.exe

This is the full changelog:

[20-08-2015] v1.1.0.0
+ Added tray icon with right-click menu
+ Change the tray icon when objects are blocked if the GUI is not showing
+ Improved support for Windows 10 and Google Chrome
+ Added a new object variable to match SHA256 file hash
+ Added a custom cmdline parameter "-hidegui" to not show the main form when started
+ Added more block rules and optimized allow rules
+ Added new useful object and path variables
+ Improved matching of regular expressions (SEH wrap)
+ Added exclusions to Lockdown Mode
+ Fixed a couple vars/aliases within exclusions
+ Added Passive Logging mode
+ Added session end handling when rebooting or powering off the machine
+ Added DEP + ASLR on iobDLL32/64.dll files
+ Added option to copy blocked objects to a folder for forensic analysis
+ Added possibility to specify the Configuration.ini's location via command-line
+ Added possibility to use all the path variables also in the INI file
+ Show parent process fully qualified filename when a DLL is blocked
+ Match parent process also for DLL events
+ Added a new object variable to match parent process signer
+ Added a new object variable to match parent process SHA256 and MD5 file hash
+ Other optimizations
Click to expand...
** Click on Variables button to see the new object variables **

We've updated the \Block\ rules for the Behavioral Mode (default) so that SOB auto-blocks the execution of processes, dlls and drivers located in folders commonly abused by malware and exploit kits, plus it blocks web browsers, adobe reader, MS Edge, etc from executing cmd.exe, rundll32.exe, regsvr32.exe, etc and from loading kernel-mode drivers and DLLs located in specific folders. So as it is configured by default in Behavioral Mode, it can be effective in preventing a malware infection, you just need to install it and forget it. We will keep improving the block rules in next versions.

Example Block rules we've recently added in Process.DB:

[%FILEPATH%: %TEMP%\*] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILEPATH%: %WINDOWS%\Temp\*] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILENAME%: rundll32.exe] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILENAME%: cmd.exe] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILENAME%: powershell*.exe] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILENAME%: regsvr32.exe] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILENAME%: wscript.exe] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILENAME%: cscript.exe] [%PARENTPROCESS%: *\plugin-container.exe]
[%FILEPATH%: %TEMP%\*] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILEPATH%: %WINDOWS%\Temp\*] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: rundll32.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: cmd.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: powershell*.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: regsvr32.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: wscript.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: cscript.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
...
[%FILEPATH%: %ROOT%\Users\]
[%FILEPATH%: %ROOT%\Documents and Settings\]
[%FILEPATH%: %ROOT%\RECYCLER\*]
[%FILEPATH%: %ROOT%\System Volume Information\*]
[%FILEPATH%: %ROOT%\PerfLogs\*]
[%FILEPATH%: %RECENT%\*]
[%FILEPATH%: %WINDOWS%\Prefetch\*]
[%FILEPATH%: %WINDOWS%\Tasks\*]
[%FILEPATH%: *\$Recycle.Bin\*]
[%FILEPATH%: *\Recycle.Bin\*]

To update:

1) Close SOB
2) Make a backup of the \Allow\, \Block\ and \Exclude\ (folders if needed)
3) Uninstall SOB
4) Reboot the PC (important)
5) Install the new SOB
 
H

hjlbx

Guest
#3
Currently using NoVirusThanks Exe Radar Pro to monitor processes + Smart Object Blocker to monitor dlls and drivers.

Smart Object Blocker is more powerful than traditional anti-exploit application...

Anyhow, combo is very light on system.
 
H

hjlbx

Guest
#5
How does this compare to MBAE or are they two different things?
MBAE and NVT SOB appear to be similar in terms of anti-exploit functionality. Although, SOB is a very early version so it is not fully developed. As time goes on I would expect that Andreas, the developer, will continue to add new block rules for widely exploited applications.

From what I understand, MBAE protects against all documented CVE exploits and perhaps some that are not documented. SOB probably does not provide the same degree of protection as MBAE at this point in time.

The difference between MBAE and SOB is that the user can configure their own, custom SOB rules, using .ini files whereas with MBAE the user cannot modify the internal rules\code. That's quite powerful capability for the user, but requires advanced knowledge of Windows, exploits\malwares, dlls, etc.
 
Joined
Oct 23, 2014
Messages
1,072
#6
Currently using NoVirusThanks Exe Radar Pro to monitor processes + Smart Object Blocker to monitor dlls and drivers.

Smart Object Blocker is more powerful than traditional anti-exploit application...

Anyhow, combo is very light on system.
Wouldn't the combination of EXE Radar Pro and Driver Radar Pro be easier to use and offer the same level of protection?
 
Likes: oldschool

Umbra

Level 85
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,965
OS
Windows 10
Antivirus
Default-Deny
#7
Joined
Aug 6, 2015
Messages
290
OS
Windows 10
Antivirus
Kaspersky
#10
MBAE and NVT SOB appear to be similar in terms of anti-exploit functionality. Although, SOB is a very early version so it is not fully developed. As time goes on I would expect that Andreas, the developer, will continue to add new block rules for widely exploited applications.

From what I understand, MBAE protects against all documented CVE exploits and perhaps some that are not documented. SOB probably does not provide the same degree of protection as MBAE at this point in time.

The difference between MBAE and SOB is that the user can configure their own, custom SOB rules, using .ini files whereas with MBAE the user cannot modify the internal rules\code. That's quite powerful capability for the user, but requires advanced knowledge of Windows, exploits\malwares, dlls, etc.
Alright, sounds good enough, I may it give a try.
 

Raul90

New Member
Joined
Feb 5, 2012
Messages
645
#11
Read about this thread earlier and got me interested. Have been a user and a fan of hips programs like that of OA Premium and Comodo. In NVT SOB I see that the rules are created manually and the thing is I am not a techy and the rules though there are guides are a bit confusing to a novice like me. But as I use it I feel this is a solid product more powerful than EXE Radar.

So I recovered a trial partition I use with my old Bitdefender trials and installed NVT SOB alongside Avast Premier(no firewall) + Comodo Firewall (HIPS disabled / AutoDandbox off in the meantime as I use SOB / Viruscope enabled). Wanted to share my experience using NVT SOB here first as the block issues I faced with my Bitdefender trials may be solved effectively by using NVT SOB alone. I may post there at Wilders from the link posted by Umbra but I still have to join there. MT should be first for me.

This is my spin of using NVT SOB. Allow me some questions as I start this. Hope Umbra / hjlbx and the guys can check out the glitches I experienced at the moment.


1. Stop a specific executable from being started by another process

Stop a specific executable from being started by another process in PROCESS.db
[%FILENAME%: example.exe][%PARENTPROCESS%: *\winword.exe]

OR/AND

[%PROCESS%: *\example.exe][%PARENTPROCESS%: *\winword.exe]
[/quote]

based from the quoted text above, say, I wanted to block a certain game.exe from launching firefox.exe, (the behavior of browser launch is triggered when you exit the game) the rule will be,

//Prevent game.exe from executing firefox.exe
[%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\game.exe]

or,

//Prevent game.exe from executing firefox.exe
[%FILENAME%: firefox.exe][%PARENTPROCESS%: *\game.exe]

These rules(below) worked well.
[9/29/2015 3:10:26 AM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\game.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 4308
Parent Process Id: 2388
Parent Process: C:\Program Files (x86)\GameTop.com\WorldRiddles3\game.exe


[9/29/2015 3:19:31 AM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\Golden_Path_gametop.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 2964
Parent Process Id: 1100
Parent Process: C:\Program Files (x86)\GameTop.com\Golden Path\Golden_Path_gametop.exe


[9/29/2015 3:21:25 AM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\eldorado.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 2576
Parent Process Id: 3756
Parent Process: C:\Program Files (x86)\GameTop.com\Lost Treasures Of ElDorado\eldorado.exe


[9/29/2015 3:22:06 AM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\game.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 5804
Parent Process Id: 860
Parent Process: C:\Program Files (x86)\GameTop.com\WorldRiddles3\game.exe


[9/29/2015 3:22:48 AM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\game.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 2032
Parent Process Id: 4580
Parent Process: D:\Program Files (x86)\GameTop.com\Star Defender 4\game.exe










Went on to block Glary Utilities 5 from auto-updating everytime it launches.

C:\Program Files (x86)\Glary Utilities 5\Integrator.exe
C:\Program Files (x86)\Glary Utilities 5\AutoUpdate.exe

Which rule is better,

//Prevent Integrator.exe from executing AutoUpdate.exe
[%PROCESS%: *\AutoUpdate.exe][%PARENTPROCESS%: *\Integrator.exe]

or,

//Prevent Integrator.exe from executing AutoUpdate.exe
[%FILENAME%: AutoUpdate.exe][%PARENTPROCESS%: *\Integrator.exe]

This one(below) worked well.
[9/29/2015 3:02:45 AM] Blocked Process: C:\Program Files (x86)\Glary Utilities 5\autoupdate.exe
Rule: [%PROCESS%: *\AutoUpdate.exe][%PARENTPROCESS%: *\Integrator.exe]
Command Line: C:\Program Files (x86)\Glary Utilities 5\autoupdate.exe
Process Id: 872
Parent Process Id: 820
Parent Process: C:\Program Files (x86)\Glary Utilities 5\Integrator.exe


2. If I wanted game.exe from starting with Windows, say,

C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*|
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*|
Will block rule be,

//Prevent game.exe from starting with Windows
[%FILENAME%: game.exe][%FILEPATH%: C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*]
[%FILENAME%: game.exe][%FILEPATH%: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*]

Applied the rules but there was no logs to check if it's working well. As of the moment I can't really test this aside from checking Autoruns.exe>Logon. Again please do correct me here as it may be wrong. Thanks :)

3. How about registry keys...? If I want to prevent game.exe from accessing registry keys below? (registry key referrence from Comodo Autoruns>Logon / Comodo HIPS>Registry Groups>Automatic Startup)

*\System\ControlSet001\Control\Terminal Server\Wds\rdpwd\\StartupPrograms
*\Software\Microsoft\Windows\CurrentVersion\Run*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*Startup
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*Start Menu
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\*Startup
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\*Start Menu

*\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*
*\Software\Microsoft\Command Processor\AutoRun
*\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*
*\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

What may be the rules for these?

4. Can we use SOB to prevent access to outgoing connections? Well, I know this one can be done with the firewall but just wanted to ask this one and what may be the best rule for this, "if" this is possible with SOB.


5. Block opera_autoupdate.exe from starting with opera.exe

Created a rule below but it did not work and opera.exe launched still opera_autoupdate.exe. Actually all rules created did not work. Please check it out.

//Prevent Opera from executing processes
[%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]

The rules below did not work also:

[%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\launcher.exe]
[%FILEPATH%: C:\Program Files (x86)\Opera\31.0.1889.131\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
[%FILENAME%: opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]

As of the moment opera_autoupdate.exe cannot be blocked. How can I effectively block the launch of opera_autoupdate.exe..?

6. I tried something like a trial software asking for activation so I blocked activation.exe of FoxitPhantomPDF. Rules are below.

//Prevent FoxitPhantomPDF.exe from executing processes
[%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
[%PROCESS%: *\FoxitUpdater.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
[%PROCESS%: *\SendCrashReport.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
[%PROCESS%: *\FoxitPhantomPDFUpdater.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
[%PROCESS%: *\Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
[%FILENAME%: Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]

The launch of firefox.exe and FoxitUpdater.exe was blocked(see logs below). The block rule for SendCrashReport.exe I was not able to test yet.

The last two rules for Activation.exe did not work and the activation window still showed/displayed.

In contrast, the new rule below blocked it.

[%FILENAME%: Activation.exe][%FILEPATH%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\*]

Now I was wondering...why did'nt the block rule below for Activation.exe work?

[%FILENAME%: Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe],
[%PROCESS%: *\Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]

SOB Log:
[9/29/2015 1:07:00 PM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 5320
Parent Process Id: 1288
Parent Process: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe


[9/29/2015 1:07:03 PM] Blocked Process: C:\Users\THOR\AppData\Roaming\Foxit Software\Addon\Foxit PhantomPDF\FoxitPhantomPDFUpdater.exe
Rule: [%PROCESS%: *\FoxitPhantomPDFUpdater.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
Command Line: C:\Users\THOR\AppData\Roaming\Foxit Software\Addon\Foxit PhantomPDF\FoxitPhantomPDFUpdater.exe
Process Id: 4028
Parent Process Id: 1288
Parent Process: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe


[9/29/2015 1:07:09 PM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 2244
Parent Process Id: 1288
Parent Process: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe
Parent Process: C:\Windows\Explorer.EXE
Still testing here and learning the rules creation but aside from my other questions this program is phenomenal. Been wanting to use something like this. As of the moment I have ERP in another partition and the game.exe launch of firefox.exe can't be blocked by it. ERP is easier to use and set though. You only place it either in whitelist/blacklist). But as Umbra mentioned the more you use it the more you'll like it. Well I am. Am planning to pair this one with either Avast Premier (with firewall) or EIS but not yet maybe when this is stable.

To sum up in the meantime:

Block Rules that worked for me

[9/29/2015 2:12:14 PM] Blocked Process: C:\Program Files (x86)\Glary Utilities 5\autoupdate.exe
Rule: [%PROCESS%: *\AutoUpdate.exe][%PARENTPROCESS%: *\Integrator.exe]
Command Line: C:\Program Files (x86)\Glary Utilities 5\autoupdate.exe
Process Id: 6020
Parent Process Id: 268
Parent Process: C:\Program Files (x86)\Glary Utilities 5\Integrator.exe


[9/29/2015 2:13:21 PM] Blocked Process: C:\Program Files (x86)\Glary Utilities 5\autoupdate.exe
Rule: [%PROCESS%: *\AutoUpdate.exe][%PARENTPROCESS%: *\Integrator.exe]
Command Line: C:\Program Files (x86)\Glary Utilities 5\autoupdate.exe
Process Id: 1792
Parent Process Id: 1936
Parent Process: C:\Program Files (x86)\Glary Utilities 5\Integrator.exe


[9/29/2015 2:20:46 PM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\Golden_Path_gametop.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 5960
Parent Process Id: 5424
Parent Process: C:\Program Files (x86)\GameTop.com\Golden Path\Golden_Path_gametop.exe


[9/29/2015 2:21:02 PM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\eldorado.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 2192
Parent Process Id: 3372
Parent Process: C:\Program Files (x86)\GameTop.com\Lost Treasures Of ElDorado\eldorado.exe


[9/29/2015 2:21:10 PM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\game.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 5808
Parent Process Id: 5288
Parent Process: C:\Program Files (x86)\GameTop.com\WorldRiddles3\game.exe


[9/29/2015 2:28:46 PM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\PersianPuzzle.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 5212
Parent Process Id: 3516
Parent Process: C:\Program Files (x86)\GameTop.com\Persian Puzzle\PersianPuzzle.exe

[9/29/2015 5:24:13 PM] Blocked Process: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\Activation.exe
Rule: [%FILENAME%: Activation.exe][%FILEPATH%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\*]
Command Line: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\Activation.exe
Process Id: 1708
Parent Process Id: 1732
Parent Process: C:\Windows\Explorer.EXE

[9/29/2015 1:07:00 PM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 5320
Parent Process Id: 1288
Parent Process: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe


[9/29/2015 1:07:03 PM] Blocked Process: C:\Users\THOR\AppData\Roaming\Foxit Software\Addon\Foxit PhantomPDF\FoxitPhantomPDFUpdater.exe
Rule: [%PROCESS%: *\FoxitPhantomPDFUpdater.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
Command Line: C:\Users\THOR\AppData\Roaming\Foxit Software\Addon\Foxit PhantomPDF\FoxitPhantomPDFUpdater.exe
Process Id: 4028
Parent Process Id: 1288
Parent Process: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe


[9/29/2015 1:07:09 PM] Blocked Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Rule: [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
Command Line: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Process Id: 2244
Parent Process Id: 1288
Parent Process: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe
Parent Process: C:\Windows\Explorer.EXE
Block Rules that did not work.

[%FILENAME%: Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe],
[%PROCESS%: *\Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]

//Prevent Opera from executing opera_autoupdate.exe
[%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
[%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\launcher.exe]
[%FILEPATH%: C:\Program Files (x86)\Opera\31.0.1889.131\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
[%FILENAME%: opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
 
Last edited:
Likes: frogboy

Online_Sword

New Member
Trusted
Joined
Mar 23, 2015
Messages
575
#12
3. How about registry keys...?
4. Can we use SOB to prevent access to outgoing connections?
Hi, as far as I know, the current version of SOB does not have HIPS features or firewall features.
I have not found any statement on the manual indicating that SOB has the capabilities of registry protection and network protection.
Please let me know if I misunderstand it.:)

Now I was wondering...why did'nt the block rule below for Activation.exe work?
I have not done any tests on this. But I guess the reason might be that Activation.exe is indirectly called by FoxitPhantomPDF.exe.
I mean, maybe FoxitPhantomPDF.exe called some other executable files like example.exe in the folder "C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\", then example.exe called Activation.exe.
In such case, the following rule cannot block Activation.exe:
[%FILENAME%: Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
 
Likes: Raul90

Raul90

New Member
Joined
Feb 5, 2012
Messages
645
#13
Thanks for the reply there.

Hi, as far as I know, the current version of SOB does not have HIPS features or firewall features.
I have not found any statement on the manual indicating that SOB has the capabilities of registry protection and network protection.
Please let me know if I misunderstand it.:)
-- I was thinking of pairing this one with either Avast Premier or EIS so I asked. Some programs do circumvent firewall settings and still connect to home secretly. I can only block that with HIPS (Comodo / Outpost Pro or the defunct OA). Was thinking with this I can have a setup without HIPS. As of the moment I have 3 configs for CIS depending on the need. Same with Outpost Pro.

Gotta reply later I am in the office. Maybe when I get home later(if I am not tired) still have to visit my brother-in-law at the hospital also hen I get off from work. Be back here.

Thanks to Umbra for opening this topic :)
 

Umbra

Level 85
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,965
OS
Windows 10
Antivirus
Default-Deny
#14
No problemo,

@Raul90 , you should register at Wilders since the dev is active there. He would answer your question more accurately.

I dont have my computer under hands actually so i cant answers you about rules.

As far as i know about SOB , rules stacks, so you can block files and processes at same time.

The best way to create rules is to monitor the program behavior itself , see what process run and connect to internet, then create a rule for it.

Remember that SOB have some whitelist, so be sure the one you want block is not whitelisted
 

Raul90

New Member
Joined
Feb 5, 2012
Messages
645
#15
@Umbra,

ei there guru :) Well I did the other day but there's still no response in the email. My sign-up was succesfull but as mentioned there's no response still from the admins so I cannot post. Actually I have the text of the post right here ready. Anyway will wait on it and make one here also just to share here for MT :)
 

Raul90

New Member
Joined
Feb 5, 2012
Messages
645
#18
Would just like to share some info from Wilders about SOB, (ask a friend to try--take over my trials-- for a while and post it there) because I was busy with family matters and I am still not a registered member there.

There was some luck in blocking opera_autoupdate.exe with rules:

[%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
[%PROCESS%: *\opera_crashreporter.exe][%PARENTPROCESS%: *\opera.exe]


But it was so with the deletion of default rules for Behavioral_Process.DB / Exclude_Behavioral_Process.DB (missed that when I tried it out)

a.Block Rules_Process.DB
-- [%PARENTPROCESS%: *\opera.exe]
b.Exclude Rules_Behavioral
-- [%FILESIGNER%: Opera Software ASA] [%PARENTPROCESS%: *\opera.exe]




SOB logs:

[10/14/2015 2:15:38 AM] Blocked Process: C:\Program Files (x86)\Opera\31.0.1889.131\opera_crashreporter.exe
Rule: [%PROCESS%: *\opera_crashreporter.exe][%PARENTPROCESS%: *\opera.exe]
Command Line: C:\Program Files (x86)\Opera\31.0.1889.131\opera_crashreporter.exe
Process Id: 3524
Parent Process Id: 3104
Parent Process: C:\Program Files (x86)\Opera\31.0.1889.131\opera.exe

[10/14/2015 2:15:43 AM] Blocked Process: C:\Program Files (x86)\Opera\31.0.1889.131\opera_autoupdate.exe
Rule: [%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
Command Line: C:\Program Files (x86)\Opera\31.0.1889.131\opera_autoupdate.exe
Process Id: 1236
Parent Process Id: 3104
Parent Process: C:\Program Files (x86)\Opera\31.0.1889.131\opera.exe

I still need to work things out and maybe later on try it again here. The Wilders link of the reply and post is HERE
 

Similar Threads

Similar Threads