NVT Smart Object Blocker Update Thread

Discussion in 'NoVirusThanks' started by Umbra, Aug 24, 2015.

  1. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,161
    29,611
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    Released stable version v1.1:
    http://downloads.novirusthanks.org/files/SmartObjectBlocker_Setup.exe

    This is the full changelog:

    [20-08-2015] v1.1.0.0
    + Added tray icon with right-click menu
    + Change the tray icon when objects are blocked if the GUI is not showing
    + Improved support for Windows 10 and Google Chrome
    + Added a new object variable to match SHA256 file hash
    + Added a custom cmdline parameter "-hidegui" to not show the main form when started
    + Added more block rules and optimized allow rules
    + Added new useful object and path variables
    + Improved matching of regular expressions (SEH wrap)
    + Added exclusions to Lockdown Mode
    + Fixed a couple vars/aliases within exclusions
    + Added Passive Logging mode
    + Added session end handling when rebooting or powering off the machine
    + Added DEP + ASLR on iobDLL32/64.dll files
    + Added option to copy blocked objects to a folder for forensic analysis
    + Added possibility to specify the Configuration.ini's location via command-line
    + Added possibility to use all the path variables also in the INI file
    + Show parent process fully qualified filename when a DLL is blocked
    + Match parent process also for DLL events
    + Added a new object variable to match parent process signer
    + Added a new object variable to match parent process SHA256 and MD5 file hash
    + Other optimizations
    ** Click on Variables button to see the new object variables **

    We've updated the \Block\ rules for the Behavioral Mode (default) so that SOB auto-blocks the execution of processes, DLLs and drivers located in folders commonly abused by malware and exploit kits, plus it blocks web browsers, Adobe Reader, MS Edge, etc. from executing cmd.exe, rundll32.exe, regsvr32.exe, etc. and from loading kernel-mode drivers and DLLs located in specific folders. So, as it is configured by default in Behavioral Mode, it can be effective in preventing a malware infection; you just need to install it and forget it. We will keep improving the block rules in the next versions.

    Example Block rules we've recently added in Process.DB:

    [%FILEPATH%: %TEMP%\*] [%PARENTPROCESS%: *\plugin-container.exe]
    [%FILEPATH%: %WINDOWS%\Temp\*] [%PARENTPROCESS%: *\plugin-container.exe]
    [%FILENAME%: rundll32.exe] [%PARENTPROCESS%: *\plugin-container.exe]
    [%FILENAME%: cmd.exe] [%PARENTPROCESS%: *\plugin-container.exe]
    [%FILENAME%: powershell*.exe] [%PARENTPROCESS%: *\plugin-container.exe]
    [%FILENAME%: regsvr32.exe] [%PARENTPROCESS%: *\plugin-container.exe]
    [%FILENAME%: wscript.exe] [%PARENTPROCESS%: *\plugin-container.exe]
    [%FILENAME%: cscript.exe] [%PARENTPROCESS%: *\plugin-container.exe]
    [%FILEPATH%: %TEMP%\*] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
    [%FILEPATH%: %WINDOWS%\Temp\*] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
    [%FILENAME%: rundll32.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
    [%FILENAME%: cmd.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
    [%FILENAME%: powershell*.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
    [%FILENAME%: regsvr32.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
    [%FILENAME%: wscript.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
    [%FILENAME%: cscript.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
    ...
    [%FILEPATH%: %ROOT%\Users\]
    [%FILEPATH%: %ROOT%\Documents and Settings\]
    [%FILEPATH%: %ROOT%\RECYCLER\*]
    [%FILEPATH%: %ROOT%\System Volume Information\*]
    [%FILEPATH%: %ROOT%\PerfLogs\*]
    [%FILEPATH%: %RECENT%\*]
    [%FILEPATH%: %WINDOWS%\Prefetch\*]
    [%FILEPATH%: %WINDOWS%\Tasks\*]
    [%FILEPATH%: *\$Recycle.Bin\*]
    [%FILEPATH%: *\Recycle.Bin\*]

    To update:

    1) Close SOB
    2) Make a backup of the \Allow\, \Block\ and \Exclude\ folders (if needed)
    3) Uninstall SOB
    4) Reboot the PC (important)
    5) Install the new SOB
     
    Moose, tonibalas and XhenEd like this.
  2. Umbra

    Umbra From Emsisoft
    Developer

  3. hjlbx

    hjlbx Guest

    Currently using NoVirusThanks Exe Radar Pro to monitor processes + Smart Object Blocker to monitor dlls and drivers.

    Smart Object Blocker is more powerful than a traditional anti-exploit application...

    Anyhow, combo is very light on system.
     
    TerrakionSmash likes this.
  4. SpartacusSystem

    SpartacusSystem Level 6

    How does this compare to MBAE or are they two different things?
     
  5. hjlbx

    hjlbx Guest

    MBAE and NVT SOB appear to be similar in terms of anti-exploit functionality, although SOB is a very early version, so it is not fully developed. As time goes on I would expect that Andreas, the developer, will continue to add new block rules for widely exploited applications.

    From what I understand, MBAE protects against all documented CVE exploits and perhaps some that are not documented. SOB probably does not provide the same degree of protection as MBAE at this point in time.

    The difference between MBAE and SOB is that the user can configure their own custom SOB rules using .ini files, whereas with MBAE the user cannot modify the internal rules\code. That's quite a powerful capability for the user, but it requires advanced knowledge of Windows, exploits\malware, DLLs, etc.
     
    TerrakionSmash and Moose like this.
  6. Azure Phoenix

    Azure Phoenix Level 19

    Wouldn't the combination of EXE Radar Pro and Driver Radar Pro be easier to use and offer the same level of protection?
     
  7. Umbra

    Umbra From Emsisoft
    Developer

    At the moment, surely, SOB is brand new; but once in stable release, it will take over both ERP and DRP with increased protection.

    I just wrote a quick review of it here: [Quick Review] NoVirusThanks Smart Object Blocker (v1.1 Beta )
     
    Azure Phoenix likes this.
  8. Online_Sword

    Online_Sword New Member
    Trusted

    Does this mean a novice user like me, who knows little about DLLs and drivers, can also use it?
     
  9. Umbra

    Umbra From Emsisoft
    Developer

    If you take the time to learn how to write the rules, yes.
     
    hjlbx and Online_Sword like this.
  10. SpartacusSystem

    SpartacusSystem Level 6

    Alright, sounds good enough, I may give it a try.
     
  11. Raul90

    Raul90 New Member

    #11 Raul90, Sep 29, 2015
    Last edited: Sep 29, 2015
    I read about this thread earlier and it got me interested. I have been a user and a fan of HIPS programs like OA Premium and Comodo. In NVT SOB I see that the rules are created manually, and the thing is I am not a techie, and the rules, though there are guides, are a bit confusing to a novice like me. But as I use it I feel this is a solid product, more powerful than EXE Radar.

    So I recovered a trial partition I use with my old Bitdefender trials and installed NVT SOB alongside Avast Premier (no firewall) + Comodo Firewall (HIPS disabled / Auto-Sandbox off in the meantime as I use SOB / Viruscope enabled). I wanted to share my experience using NVT SOB here first, as the block issues I faced with my Bitdefender trials may be solved effectively by using NVT SOB alone. I may post at Wilders via the link posted by Umbra, but I still have to join there. MT should be first for me.

    This is my spin on using NVT SOB. Allow me some questions as I start this. I hope Umbra / hjlbx and the guys can check out the glitches I experienced at the moment.


    1. Stop a specific executable from being started by another process

    Stop a specific executable from being started by another process in PROCESS.db
    [%FILENAME%: example.exe][%PARENTPROCESS%: *\winword.exe]

    OR/AND

    [%PROCESS%: *\example.exe][%PARENTPROCESS%: *\winword.exe]

    Based on the quoted text above, say I wanted to block a certain game.exe from launching firefox.exe (the browser launch is triggered when you exit the game); the rule will be,

    //Prevent game.exe from executing firefox.exe
    [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\game.exe]

    or,

    //Prevent game.exe from executing firefox.exe
    [%FILENAME%: firefox.exe][%PARENTPROCESS%: *\game.exe]

    These rules(below) worked well.

    Went on to block Glary Utilities 5 from auto-updating every time it launches.

    C:\Program Files (x86)\Glary Utilities 5\Integrator.exe
    C:\Program Files (x86)\Glary Utilities 5\AutoUpdate.exe

    Which rule is better,

    //Prevent Integrator.exe from executing AutoUpdate.exe
    [%PROCESS%: *\AutoUpdate.exe][%PARENTPROCESS%: *\Integrator.exe]

    or,

    //Prevent Integrator.exe from executing AutoUpdate.exe
    [%FILENAME%: AutoUpdate.exe][%PARENTPROCESS%: *\Integrator.exe]

    This one(below) worked well.

    2. If I wanted to stop game.exe from starting with Windows, say,

    Will the block rule be,

    //Prevent game.exe from starting with Windows
    [%FILENAME%: game.exe][%FILEPATH%: C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*]
    [%FILENAME%: game.exe][%FILEPATH%: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*]

    Applied the rules but there were no logs to check if it's working well. At the moment I can't really test this aside from checking Autoruns.exe > Logon. Again, please do correct me here as it may be wrong. Thanks :)

    3. How about registry keys? If I want to prevent game.exe from accessing the registry keys below? (registry key reference from Comodo Autoruns > Logon / Comodo HIPS > Registry Groups > Automatic Startup)

    *\System\ControlSet001\Control\Terminal Server\Wds\rdpwd\\StartupPrograms
    *\Software\Microsoft\Windows\CurrentVersion\Run*
    *\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*Startup
    *\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*Start Menu
    *\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\*Startup
    *\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\*Start Menu

    *\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*
    *\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*
    *\Software\Microsoft\Command Processor\AutoRun
    *\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*
    *\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

    What may be the rules for these?

    4. Can we use SOB to prevent outgoing connections? Well, I know this one can be done with the firewall, but I just wanted to ask, and what may be the best rule for this, "if" this is possible with SOB.


    5. Block opera_autoupdate.exe from starting with opera.exe

    I created the rule below but it did not work and opera.exe still launched opera_autoupdate.exe. Actually, all the rules I created did not work. Please check it out.

    //Prevent Opera from executing processes
    [%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]

    The rules below did not work also:

    [%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\launcher.exe]
    [%FILEPATH%: C:\Program Files (x86)\Opera\31.0.1889.131\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
    [%FILENAME%: opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]

    At the moment opera_autoupdate.exe cannot be blocked. How can I effectively block the launch of opera_autoupdate.exe?

    6. I tried something like a trial software asking for activation, so I blocked Activation.exe of FoxitPhantomPDF. The rules are below.

    //Prevent FoxitPhantomPDF.exe from executing processes
    [%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
    [%PROCESS%: *\FoxitUpdater.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
    [%PROCESS%: *\SendCrashReport.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
    [%PROCESS%: *\FoxitPhantomPDFUpdater.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
    [%PROCESS%: *\Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
    [%FILENAME%: Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]

    The launch of firefox.exe and FoxitUpdater.exe was blocked(see logs below). The block rule for SendCrashReport.exe I was not able to test yet.

    The last two rules for Activation.exe did not work and the activation window still showed/displayed.

    In contrast, the new rule below blocked it.

    [%FILENAME%: Activation.exe][%FILEPATH%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\*]

    Now I was wondering... why didn't the block rules below for Activation.exe work?

    [%FILENAME%: Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe],
    [%PROCESS%: *\Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]

    Still testing here and learning rule creation, but aside from my other questions this program is phenomenal. I've been wanting to use something like this. At the moment I have ERP in another partition and the game.exe launch of firefox.exe can't be blocked by it. ERP is easier to use and set up, though (you only place it in either the whitelist or the blacklist). But as Umbra mentioned, the more you use it the more you'll like it. Well, I am. I am planning to pair this one with either Avast Premier (with firewall) or EIS, but not yet, maybe when this is stable.

    To sum up in the meantime:

    Block Rules that worked for me

    Block Rules that did not work.

     
    frogboy likes this.
  12. Online_Sword

    Online_Sword New Member
    Trusted

    Hi, as far as I know, the current version of SOB does not have HIPS features or firewall features.
    I have not found any statement in the manual indicating that SOB has registry protection or network protection capabilities.
    Please let me know if I misunderstand it. :)

    I have not done any tests on this, but I guess the reason might be that Activation.exe is indirectly called by FoxitPhantomPDF.exe.
    I mean, maybe FoxitPhantomPDF.exe called some other executable, like example.exe in the folder "C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\", and then example.exe called Activation.exe.
    In such a case, the following rule cannot block Activation.exe:
     
    Raul90 likes this.
  13. Raul90

    Raul90 New Member

    Thanks for the reply there.

    -- I was thinking of pairing this one with either Avast Premier or EIS, so I asked. Some programs do circumvent firewall settings and still secretly connect home. I can only block that with HIPS (Comodo / Outpost Pro or the defunct OA). I was thinking that with this I can have a setup without HIPS. At the moment I have 3 configs for CIS depending on the need. Same with Outpost Pro.

    Gotta reply later, I am in the office. Maybe when I get home later (if I am not tired); I still have to visit my brother-in-law at the hospital when I get off work. Be back here.

    Thanks to Umbra for opening this topic :)
     
  14. Umbra

    Umbra From Emsisoft
    Developer

    No problemo,

    @Raul90, you should register at Wilders since the dev is active there. He would answer your question more accurately.

    I don't have my computer at hand at the moment, so I can't answer you about rules.

    As far as I know about SOB, rules stack, so you can block files and processes at the same time.

    The best way to create rules is to monitor the program's behaviour itself, see what processes run and connect to the internet, then create a rule for it.

    Remember that SOB has a whitelist, so be sure the one you want to block is not whitelisted.
     
    Raul90 and scot like this.
  15. Raul90

    Raul90 New Member

    @Umbra,

    Hey there guru :) Well, I did the other day, but there's still no response by email. My sign-up was successful, but as mentioned there's still no response from the admins, so I cannot post. Actually I have the text of the post right here, ready. Anyway, I will wait on it and make one here also, just to share here for MT :)
     
  16. Umbra

    Umbra From Emsisoft
    Developer

    Be patient ;)
     
    Raul90 likes this.
  17. Raul90

    Raul90 New Member

    Am waiting :) Thanks guru :)
     
  18. Raul90

    Raul90 New Member

    I would just like to share some info from Wilders about SOB (I asked a friend to try it, taking over my trials for a while, and post it there), because I was busy with family matters and I am still not a registered member there.

    There was some luck in blocking opera_autoupdate.exe with the rules:

    [%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
    [%PROCESS%: *\opera_crashreporter.exe][%PARENTPROCESS%: *\opera.exe]


    But it was only so after deleting the default rules in Behavioral_Process.DB / Exclude_Behavioral_Process.DB (I missed that when I tried it out):

    a. Block Rules_Process.DB
    -- [%PARENTPROCESS%: *\opera.exe]
    b. Exclude Rules_Behavioral
    -- [%FILESIGNER%: Opera Software ASA] [%PARENTPROCESS%: *\opera.exe]



    SOB logs:

    [10/14/2015 2:15:38 AM] Blocked Process: C:\Program Files (x86)\Opera\31.0.1889.131\opera_crashreporter.exe
    Rule: [%PROCESS%: *\opera_crashreporter.exe][%PARENTPROCESS%: *\opera.exe]
    Command Line: C:\Program Files (x86)\Opera\31.0.1889.131\opera_crashreporter.exe
    Process Id: 3524
    Parent Process Id: 3104
    Parent Process: C:\Program Files (x86)\Opera\31.0.1889.131\opera.exe

    [10/14/2015 2:15:43 AM] Blocked Process: C:\Program Files (x86)\Opera\31.0.1889.131\opera_autoupdate.exe
    Rule: [%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
    Command Line: C:\Program Files (x86)\Opera\31.0.1889.131\opera_autoupdate.exe
    Process Id: 1236
    Parent Process Id: 3104
    Parent Process: C:\Program Files (x86)\Opera\31.0.1889.131\opera.exe

    I still need to work things out and maybe later on try it again here. The Wilders link of the reply and post is HERE
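To make the rule semantics discussed in this thread concrete (the `[%VAR%: pattern]` block rules from the v1.1 post, the parent-process and startup-folder rules Raul90 tested, Online_Sword's point about an intermediate process defeating a %PARENTPROCESS% rule, and the Opera exclusion above that had to be deleted before the block fired), here is an added Python sketch of a rule evaluator. It is not NoVirusThanks code and SOB's real parser and ordering are not documented on this page: the path-variable values, the AND of conditions inside one rule, case-insensitive `*` matching, and Exclude-beats-Block precedence are assumptions inferred from the posts, and the events and paths are constructed samples, not captured logs.

```python
"""Toy evaluator for SOB-style Block/Exclude rules (added example, not NVT's code)."""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed expansions for SOB's path variables; the real values come from the
# tool's Variables dialog and differ per machine.
PATH_VARS = {
    "%TEMP%": r"C:\Users\alice\AppData\Local\Temp",
    "%WINDOWS%": r"C:\Windows",
    "%ROOT%": "C:",
}

COND_RE = re.compile(r"\[%([A-Z0-9]+)%:\s*([^\]]*)\]")
Rule = Dict[str, str]   # variable name -> wildcard pattern


@dataclass
class Event:
    """A process-creation event as SOB's log shows it (constructed sample data)."""
    path: str           # fully qualified path of the object being started
    parent: str         # fully qualified path of the creating (parent) process
    signer: str = ""    # Authenticode signer name, "" when unsigned

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_rules(text: str) -> List[Rule]:
    """Turn '[%VAR%: pattern] [%VAR%: pattern]' lines into dicts; '//' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if not line:
            continue
        conds = COND_RE.findall(line)
        if not conds:
            raise ValueError(f"unparseable rule: {line!r}")
        rule: Rule = {}
        for var, pat in conds:
            pat = pat.strip()
            for name, value in PATH_VARS.items():      # expand %TEMP% and friends
                pat = pat.replace(name, value)
            rule[var] = pat
        rules.append(rule)
    return rules


def field_of(ev: Event, var: str) -> str:
    if var in ("FILEPATH", "PROCESS"):   # for process events both name the started file
        return ev.path
    if var == "FILENAME":
        return ev.filename
    if var == "PARENTPROCESS":
        return ev.parent
    if var == "FILESIGNER":
        return ev.signer
    raise KeyError(f"unsupported variable %{var}%")


def rule_matches(rule: Rule, ev: Event) -> bool:
    """Assumed semantics: every condition in one rule must hold (AND); '*' is a
    wildcard; Windows paths are compared case-insensitively."""
    return all(fnmatch.fnmatchcase(field_of(ev, var).lower(), pat.lower())
               for var, pat in rule.items())


def decide(ev: Event, block: List[Rule], exclude: List[Rule]) -> Tuple[str, Optional[Rule]]:
    """Assumption drawn from the Opera case: a matching Exclude rule wins over Block rules."""
    for r in exclude:
        if rule_matches(r, ev):
            return "excluded", r
    for r in block:
        if rule_matches(r, ev):
            return "blocked", r
    return "allowed", None


BLOCK_TEXT = r"""
// Block rules quoted from this thread
[%FILENAME%: cmd.exe] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILEPATH%: %TEMP%\*] [%PARENTPROCESS%: *\MicrosoftEdge.exe]
[%FILENAME%: game.exe][%FILEPATH%: C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*]
[%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
[%FILENAME%: Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
"""
EXCLUDE_TEXT = r"""
// The default exclusion Raul90 had to delete before the Opera rule fired
[%FILESIGNER%: Opera Software ASA] [%PARENTPROCESS%: *\opera.exe]
"""

# Constructed sample paths (the Edge path is illustrative, not the real package folder).
EDGE = r"C:\Windows\SystemApps\MicrosoftEdge\MicrosoftEdge.exe"
OPERA = r"C:\Program Files (x86)\Opera\31.0.1889.131"
FOXIT = r"C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF"

EVENTS = {
    "edge_cmd": Event(r"C:\Windows\System32\cmd.exe", EDGE),
    "edge_temp_drop": Event(PATH_VARS["%TEMP%"] + r"\payload.exe", EDGE),
    "startup_game": Event(r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\game.exe",
                          r"C:\Windows\explorer.exe"),
    "opera_update_signed": Event(OPERA + r"\opera_autoupdate.exe", OPERA + r"\opera.exe", "Opera Software ASA"),
    "opera_update_unsigned": Event(OPERA + r"\opera_autoupdate.exe", OPERA + r"\opera.exe"),
    # Activation.exe started by an intermediate example.exe, as Online_Sword suggested
    "foxit_indirect": Event(FOXIT + r"\Activation.exe", FOXIT + r"\example.exe"),
}


def demo(exclude_text: str = EXCLUDE_TEXT) -> Dict[str, str]:
    """Verdict per sample event; pass exclude_text='' to see the Opera block fire."""
    block, exclude = parse_rules(BLOCK_TEXT), parse_rules(exclude_text)
    return {name: decide(ev, block, exclude)[0] for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9} {name}")
```

Run as-is, the signed Opera updater comes back `excluded` even though a Block rule matches it, and `foxit_indirect` comes back `allowed` because its direct parent is example.exe, not FoxitPhantomPDF.exe; calling `demo(exclude_text="")` reproduces what Raul90 saw after deleting the default exclusion, and a %FILEPATH%-based rule (like the Foxit one that did work for him) blocks the indirect launch regardless of parent. The same mechanics explain Umbra's advice to check the whitelist first: an exclusion that matches the signer silently swallows any block rule you add.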
     
  19. Raul90

    Raul90 New Member

    Still waiting on the next beta build, hopefully with a better GUI.
     
    Umbra likes this.
  20. Umbra

    Umbra From Emsisoft
    Developer

    we all do lol
     
    Raul90 likes this.