NVT Smart Object Blocker Update Thread
Raul90 wrote (post 436922):

Read about this thread earlier and got me interested. Have been a user and a fan of HIPS programs like those of OA Premium and Comodo. In NVT SOB I see that the rules are created manually, and the thing is I am not a techy and the rules, though there are guides, are a bit confusing to a novice like me. But as I use it I feel this is a solid product, more powerful than EXE Radar.

So I recovered a trial partition I use with my old Bitdefender trials and installed NVT SOB alongside Avast Premier (no firewall) + Comodo Firewall (HIPS disabled / AutoSandbox off in the meantime as I use SOB / Viruscope enabled). Wanted to share my experience using NVT SOB here first, as the block issues I faced with my Bitdefender trials may be solved effectively by using NVT SOB alone. I may post there at Wilders (http://www.wilderssecurity.com/threads/smart-object-blocker-block-exe-dll-drivers.378369/) from the link posted by Umbra, but I still have to join there. MT should be first for me.

This is my spin on using NVT SOB. Allow me some questions as I start this. Hope Umbra / hjlbx and the guys can check out the glitches I experienced at the moment.

1. Stop a specific executable from being started by another process

> Stop a specific executable from being started by another process in PROCESS.db
> [%FILENAME%: example.exe][%PARENTPROCESS%: *\winword.exe]
>
> OR/AND
>
> [%PROCESS%: *\example.exe][%PARENTPROCESS%: *\winword.exe]

Based on the quoted text above, say I wanted to block a certain game.exe from launching firefox.exe (the browser launch is triggered when you exit the game); the rule will be:

//Prevent game.exe from executing firefox.exe
[%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\game.exe]

or,

//Prevent game.exe from executing firefox.exe
[%FILENAME%: firefox.exe][%PARENTPROCESS%: *\game.exe]

These rules (below) worked well.

Screenshots: http://imgur.com/smvGiiB.png, http://imgur.com/oejvTbm.png, http://imgur.com/XvKmwEP.png, http://imgur.com/5kboMdQ.png, http://imgur.com/FU6S30l.png

Went on to block Glary Utilities 5 from auto-updating every time it launches.

C:\Program Files (x86)\Glary Utilities 5\Integrator.exe
C:\Program Files (x86)\Glary Utilities 5\AutoUpdate.exe

Which rule is better,

//Prevent Integrator.exe from executing AutoUpdate.exe
[%PROCESS%: *\AutoUpdate.exe][%PARENTPROCESS%: *\Integrator.exe]

or,

//Prevent Integrator.exe from executing AutoUpdate.exe
[%FILENAME%: AutoUpdate.exe][%PARENTPROCESS%: *\Integrator.exe]

This one (below) worked well.

Screenshot: http://i.imgur.com/XdalgnO.png

2. If I wanted to stop game.exe from starting with Windows, say, will the block rule be:

//Prevent game.exe from starting with Windows
[%FILENAME%: game.exe][%FILEPATH%: C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*]
[%FILENAME%: game.exe][%FILEPATH%: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*]

Applied the rules, but there were no logs to check if it's working well. As of the moment I can't really test this aside from checking Autoruns.exe > Logon. Again, please do correct me here as it may be wrong. Thanks :)

3. How about registry keys...? What if I want to prevent game.exe from accessing the registry keys below? (registry key reference from Comodo Autoruns > Logon / Comodo HIPS > Registry Groups > Automatic Startup)

*\System\ControlSet001\Control\Terminal Server\Wds\rdpwd\\StartupPrograms
*\Software\Microsoft\Windows\CurrentVersion\Run*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*Startup
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\*Start Menu
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\*Startup
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\*Start Menu

*\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*
*\Software\Microsoft\Command Processor\AutoRun
*\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*
*\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

What may be the rules for these?

4. Can we use SOB to prevent access to outgoing connections? Well, I know this one can be done with the firewall, but I just wanted to ask this one and what may be the best rule for this, "if" this is possible with SOB.

5. Block opera_autoupdate.exe from starting with opera.exe

Created the rule below, but it did not work and opera.exe still launched opera_autoupdate.exe. Actually all the rules created did not work. Please check it out.

//Prevent Opera from executing processes
[%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]

The rules below did not work either:

[%PROCESS%: *\opera_autoupdate.exe][%PARENTPROCESS%: *\launcher.exe]
[%FILEPATH%: C:\Program Files (x86)\Opera\31.0.1889.131\opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]
[%FILENAME%: opera_autoupdate.exe][%PARENTPROCESS%: *\opera.exe]

As of the moment opera_autoupdate.exe cannot be blocked. How can I effectively block the launch of opera_autoupdate.exe?

6. I tried something like a trial software asking for activation, so I blocked Activation.exe of FoxitPhantomPDF. Rules are below.

//Prevent FoxitPhantomPDF.exe from executing processes
[%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
[%PROCESS%: *\FoxitUpdater.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
[%PROCESS%: *\SendCrashReport.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
[%PROCESS%: *\FoxitPhantomPDFUpdater.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
[%PROCESS%: *\Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
[%FILENAME%: Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]

The launch of firefox.exe and FoxitUpdater.exe was blocked (see logs below). The block rule for SendCrashReport.exe I was not able to test yet.

The last two rules for Activation.exe did not work and the activation window still showed.

In contrast, the new rule below blocked it.

[%FILENAME%: Activation.exe][%FILEPATH%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\*]

Now I was wondering... why didn't the block rules below for Activation.exe work?

[%FILENAME%: Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
[%PROCESS%: *\Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]

Still testing here and learning the rules creation, but aside from my other questions this program is phenomenal. Been wanting to use something like this. As of the moment I have ERP in another partition and the game.exe launch of firefox.exe can't be blocked by it. ERP is easier to use and set, though (you only place it either in whitelist/blacklist). But as Umbra mentioned, the more you use it the more you'll like it. Well I am. Am planning to pair this one with either Avast Premier (with firewall) or EIS, but not yet, maybe when this is stable.

To sum up in the meantime:

Block rules that worked for me

Block rules that did not work.
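The post's rules all share one bracket syntax, and the recurring question is why a rule keyed on a parent process sometimes fails while a rule keyed on the file path fires. The following Python matcher is an added example, not code from the post or from NVT, and it assumes semantics the post does not document: every [%KEY%: pattern] condition on a line must match, PROCESS and FILEPATH are compared against the full path of the launched image, FILENAME against its base name, PARENTPROCESS against the parent's full path, and `*` is a case-insensitive wildcard. The rule set and launch events (including the `helper.exe` intermediate) are constructed for the example.

```python
import re

# Assumed semantics for this toy matcher (not documented in the post, not NVT's code):
#   - every [%KEY%: pattern] condition on a line must match for the rule to fire;
#   - PROCESS and FILEPATH are matched against the full path of the launched image,
#     FILENAME against its base name, PARENTPROCESS against the parent's full path;
#   - '*' matches any run of characters and comparison is case-insensitive (Windows paths).
KNOWN_FIELDS = {"PROCESS", "FILEPATH", "FILENAME", "PARENTPROCESS"}
COND_RE = re.compile(r"\[%(\w+)%:\s*([^\]]*?)\s*\]")

# Constructed sample rule set in the syntax quoted in the post.
SAMPLE_RULES = r"""
//Prevent game.exe from executing firefox.exe
[%PROCESS%: *\firefox.exe][%PARENTPROCESS%: *\game.exe]
//Prevent Integrator.exe from executing AutoUpdate.exe
[%FILENAME%: AutoUpdate.exe][%PARENTPROCESS%: *\Integrator.exe]
//Prevent FoxitPhantomPDF.exe from executing Activation.exe
[%FILENAME%: Activation.exe][%PARENTPROCESS%: *\FoxitPhantomPDF.exe]
//Block Activation.exe under the Foxit folder regardless of parent
[%FILENAME%: Activation.exe][%FILEPATH%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\*]
"""


def parse_rules(text):
    """Turn '//comment' and '[%KEY%: pattern]...' lines into rule dicts.

    Unknown condition keys raise instead of silently never matching: a block
    rule that can never fire is a fail-open mistake.
    """
    rules, comment = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("//"):
            comment = line[2:].strip()
            continue
        conds = COND_RE.findall(line)
        if not conds or COND_RE.sub("", line).strip():
            raise ValueError(f"unparseable rule line: {line!r}")
        for key, _ in conds:
            if key.upper() not in KNOWN_FIELDS:
                raise ValueError(f"unknown condition {key!r} in: {line!r}")
        rules.append({"comment": comment, "line": line,
                      "conditions": [(k.upper(), p) for k, p in conds]})
        comment = ""
    return rules


def glob_match(pattern, value):
    """'*' matches any run of characters; everything else is literal, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def launch_fields(image_path, parent_path):
    """Fields a process-launch event exposes to the conditions (assumed mapping)."""
    return {
        "PROCESS": image_path,
        "FILEPATH": image_path,
        "FILENAME": image_path.rsplit("\\", 1)[-1],
        "PARENTPROCESS": parent_path,
    }


def matching_rules(rules, image_path, parent_path):
    """Rule lines whose conditions all match the launch of image_path by parent_path."""
    fields = launch_fields(image_path, parent_path)
    return [r["line"] for r in rules
            if all(glob_match(pat, fields[key]) for key, pat in r["conditions"])]


def would_block(rules, image_path, parent_path):
    return bool(matching_rules(rules, image_path, parent_path))


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    foxit = r"C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF"
    # Constructed launch events: (description, launched image, immediate parent).
    scenarios = [
        ("firefox.exe started by game.exe",
         r"C:\Program Files\Mozilla Firefox\firefox.exe", r"D:\Games\game.exe"),
        ("firefox.exe started by the user from Explorer",
         r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\explorer.exe"),
        ("Activation.exe started directly by FoxitPhantomPDF.exe",
         foxit + r"\Activation.exe", foxit + r"\FoxitPhantomPDF.exe"),
        ("Activation.exe started via a hypothetical intermediate helper.exe",
         foxit + r"\Activation.exe", foxit + r"\helper.exe"),
    ]
    for desc, image, parent in scenarios:
        hits = matching_rules(rules, image, parent)
        print(f"{desc}: {'BLOCK' if hits else 'allow'}")
        for hit in hits:
            print("    matched:", hit)
```

Under these assumed semantics the last scenario is the instructive one: a rule keyed on PARENTPROCESS only fires when the immediate parent matches the pattern, so if the launch actually goes through another process the parent rule stays silent while the FILEPATH rule still catches the file. The practical check when a parent-based rule does not fire is therefore to confirm the real immediate parent from the blocker's log or a process-tree viewer before rewriting the rule, rather than guessing at the parent from the application's name.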