[Quick Review] NoVirusThanks Smart Object Blocker (v1.1 Beta )

[Deleted member 178]

Hi guys ,

NoViruThanks , creators of the formidable anti-executable ExeRadarPro (aka ERP) has released a new tool (still in beta but functionning) called Smart Object Blocker.

you can find it here: NoVirusThanks Smart Object Blocker - NoVirusThanks

What is it ?

Smart Object Blocker (aka SOB) is an anti-executable like ERP , the difference is it also monitors Dll and drivers in addition of processes.

NoVirusThanks Smart Object Blocker is a valid approach to prevent malware and rootkit infections without requiring virus signatures or updates. It monitors in kernel-mode all processes, dlls and drivers loaded in the system, best bulletproof protection. The program is very stable and resources-friendly, you’ll not even notice it is installed in the system. With this awesome program you can create a whitelist and block all the rest (Lockdown Mode) or you can create a blacklist (Behavioral Mode), with support for exclusions, to block only specific objects. Block DLL injections. Supports all Microsoft Windows OS (32/64-bit).

How it looks like?

at the moment it is just a basic interface, not even a GUI.

For ERP users, this is an enhanced ERP with no GUI controls, no alert mode, but with "only" Lockdown Mode and Behavioral Mode (with support for exclusions), plus it can monitor DLLs and drivers, so it is a very complete protection. You can create very smart rules, filtering almost every field of the to-be-loded object (process, commandline, hash, parent process, etc) with support for mixing/grouping rules, for example, you can allow Firefox to execute processes located in a particular folder, signed by a trusted vendor, and that match a specific command-line string. Moreover, you can easily share/combine rules with other users, thanks to the custom environment variables and aliases that we have created. Check the product page for more information.

Is it heavy on system ?

not at all , you can't even feel it

How do we use it?

Actually, you have to write your own rules using wildcards in .db files , there is no popups to click , so it seems laborious to use (remember it is a beta); but once you get the trick , you will understand how powerful this product is.

there an example and explanation:

The program can be configured by editing the Configuration.ini file:

Spoiler: INI file

Spoiler: Mode

[Mode]
Type = Behavioral ---------------> Can be set to "Behavioral" (block objects based on rules) or "Lockdown" (allow objects based on rules)
ProtectionDisabled = n ---------------> Allows you to disable or enable the real-time protection, by default it is enabled

Spoiler: Settings

[Settings]
PassiveLogging = n ---------------> Passive logging allows you to test your rules, the objects are not blocked but just logged
BlockRulePath = %CURDIR%\Block ---------------> The folder where are located the .DB files (rules) for the Behavioral Mode
AllowRulePath = %CURDIR%\Allow ---------------> The folder where are located the .DB files (rules) for the Lockdown Mode
ExcludeRulePath = %CURDIR%\Exclude ---------------> The folder where are located the .DB files (rules) to handle the exclusions for Behavioral and Lockdown
LogEventsToFile = y ---------------> Allows you to save the events to a log file (enabled by default)
LogEventsPath = %CURDIR%\Logs ---------------> The folder where are saved the log files

Spoiler: Rules

Behavioral Mode uses these rules:

Block\Process.DB ---------------> Rules to block processes
Block\DLL.DB ---------------> Rules to block DLLs
Block\Driver.DB ---------------> Rules to block drivers
Exclude\Exclude-Behavioral.DB ---------------> Rules to handle exclusions

Lockdown Mode uses these files:

Allow\Process.DB ---------------> Rules to allow processes
Allow\DLL.DB ---------------> Rules to allow DLLs
Allow\Driver.DB ---------------> Rules to allow drivers
Exclude\Exclude-Lockdown.DB ---------------> Rules to handle exclusions

By default the program is set to Behavioral Mode.

To switch to Lockdown Mode you need to edit Configuration.ini and set:

Type = Lockdown

Then restart the program for the changes to take effect.

The default rules on \Allow\Process.DB are these ones:

[%PROCESS%: *:\WINDOWS\*]
[%PROCESS%: %PROGRAMFILES%\*]
[%PROCESS%: %PROGRAMFILESX86%\*]

That means all processes located in \Windows\, \Program Files\, \Program Files (x86)\ (and subfolders, note the * character) are allowed, all the rest is blocked.

You may need to add more rules based on the programs you have installed, for example, if you have Chrome installed, it needs to execute files located in AppData folder.

So you can add a new rule that allows updating of Chrome application:

[%FILEPATH%: %LOCALAPPDATA%\Google\Chrome\*] [%SIGNER%: Google Inc]

All executable files located in %LOCALAPPDATA%\Google\Chrome\* and digitally signed by Google Inc are allowed to execute.

Personally i used those rules to block EVERY processes/dll/drivers located on my D: partition :

Block rules:

Process.db:
[%PROCESS%: D:\*]
[%FILEPATH%: D:\*]

Drivers.db:
[%FILE%: D:\*]

Dll.db:
[%FILE%: D:\*]

then i tested against a portable app (DNS Jumper) to simulate a malware (DNS jumper allows you to change the DNS setting of your computer , behavior often used by malwares), there the result:

It seems complicated to use...

for the moment , it is complicated because you don't have a GUI , but that will change in the future. Actually it is mostly a new toy for advanced users to play with

So what the benefit of SOB, i still don't get it?

SOB as said earlier will block any process/dll/drivers , those are components of any programs and malwares. since you can create personal and customized rules yourself ; you have TOTAL control of your system.

So i'm interested but i'm not an advanced user, im willing to learn; what should i do?

in your case , use a Virtual Machine or an old computer and install it, then try to learn how to write the rules.

you will have lot of explanations and example by following this thread on Wilders .


Conclusion

More i use it , more i like it ; i like to be in TOTAL CONTROL of my system without any resources hindrances.
This soft is very promising with endless possibilities.

 

[Malware Man]

It's a nice piece of software. However, I will not be using this. I am really happy with Applocker which is built into Windows and is free. Since it is built in, I don't have to worry about incompatibles and other stuff and it mostly likely runs at a deeper level than NoVirusThanks does.

I'm loving this thing. I've tried multiple samples of cryptolocker, fake AV's and ransomware and it just blocks it all, no AV needed lol.

Just my two cents.

Granted, I am running a high enough version of Windows for Applocker, I realize that the majority of you guys on here won't be. Therefore, you should turn to something like this or Comodo's sandbox or similar software.

 

[Deleted member 178]

indeed Win Home users don't benefit from Applocker so we have to stick with those kind of apps.

 

[RmG152]

indeed Win Home users don't benefit from Applocker so we have to stick with those kind of apps.

Home and pro applocker only work on w8 and w10 enterprise...

 

[MalwareT]

There's mispelling error in review . Anyway i will try this out

 

[hjlbx]

It's a nice piece of software. However, I will not be using this. I am really happy with Applocker which is built into Windows and is free. Since it is built in, I don't have to worry about incompatibles and other stuff and it mostly likely runs at a deeper level than NoVirusThanks does.

I'm loving this thing. I've tried multiple samples of cryptolocker, fake AV's and ransomware and it just blocks it all, no AV needed lol.

Just my two cents.

Granted, I am running a high enough version of Windows for Applocker, I realize that the majority of you guys on here won't be. Therefore, you should turn to something like this or Comodo's sandbox or similar software.

The rationale regarding compatibility is a valid one, but NoVirusThanks products very rarely - if ever - cause system critical conflicts. If anyone finds any type of compatibility issue and reports it to the developer, it is fixed...

I do not intend to debate one versus the other. From a technical perspective only, SOB is more powerful than AppLocker since the user can create virtually limitless custom rules. The downside is that this level of control requires advanced knowledge plus time and effort on user's part; one bad rule can smash a system. Right now SOB is not so user-friendly since it is very early version...

Comodo has the advantage of already monitoring dlls and .sys files - and will generate alerts when suspicious dll behavior or install of newly introduced driver is detected. However, it only covers a limited number of generic suspicious behaviors. The user can create rules within Comodo for any file type - but once again - it requires advanced knowledge. The same warning applies = one bad rule and system is smashed...

 

[Deleted member 178]

not saying SOB isnt doing any kernel hooks so it doesn't lower the OS defense.

 

[Malware Man]

The rationale regarding compatibility is a valid one, but NoVirusThanks products very rarely - if ever - cause system critical conflicts. If anyone finds any type of compatibility issue and reports it to the developer, it is fixed...

I do not intend to debate one versus the other. From a technical perspective only, SOB is more powerful than AppLocker since the user can create virtually limitless custom rules. The downside is that this level of control requires advanced knowledge plus time and effort on user's part; one bad rule can smash a system. Right now SOB is not so user-friendly since it is very early version...

Comodo has the advantage of already monitoring dlls and .sys files - and will generate alerts when suspicious dll behavior or install of newly introduced driver is detected. However, it only covers a limited number of generic suspicious behaviors. The user can create rules within Comodo for any file type - but once again - it requires advanced knowledge. The same warning applies = one bad rule and system is smashed...

Thank you for the insight.

I still prefer Applocker. It's by the best thing I have ever used and requires very little maintenance. Just 4 rules, switching to a standard user account, enabling a service and I was all set. I have used Comodo, although I think it's amazing software. I prefer Applocker. It's built in, lightweight, works fine. It's built in so I can be 100% sure it's going to work great with the OS.

My knowledge about the Windows file system is pretty good. I am sure I could manage to use SOB, but this works for me.

What works for me, may not work for you and you may not like it. Everyone is entitled to their own opinion.

The less security programs running, the better for IMO cause then the system isn't being so bogged down by all the processes.

I used to go crazy and have 4 things or 5 things running at once. It got so slow. I am now running just Applocker + AV and I couldn't be happier. I have finally found a config I like and will stick with for awhile.

I've been obsessed with Group Policy and been loving all the security features inside of it to lock Windows down. It's honestly great and cannot justify paying for some other whitelisting program when Applocker is free, built in, and works just fine for me.

I've been struggling to get stuff past it. I've tried like packs of Malware. I've ran over maybe 500 or 1000 files so far and they all just keep getting denied lol.

@RmG152 Yes, unfortunately Applocker is only available to the Enterprise edition of Windows 8.1... I happen to be running Windows 10 Education edition which includes it and couldn't be happier. I get it for nothing from my school!

 

[Moose]

Salutations,Friends!

Is Smart Object Blocker going to be a replacement for ERP( ExeRadarPro) to cut resource usage down? Or is the developer going to combine the two?
And given choices which one would you remove from real-time between the two?

Kind regards,

 

[hjlbx]

Salutations,Friends!

Is Smart Object Blocker going to be a replacement for ERP( ExeRadarPro) to cut resource usage down? Or is the developer going to combine the two?
And given choices which one would you remove from real-time between the two?

Kind regards,

On my system SOB uses about .5 to 1 % CPU intermittently (range = 0 to 1 %) and 4.5 MB RAM.

ERP used about 2 % CPU and 10 MB RAM.

Both are extremely light... ERP shouldn't be using more than 15 MB RAM intermittently...

SOB uses less resources than ERP since it is passive with very minimal GUI, whereas ERP is actively monitoring system + real-time updated Events Log + GUI.

 

[Moose]

@hjlbx,

Well said!

And both play well.

 

[Deleted member 178]

Is Smart Object Blocker going to be a replacement for ERP( ExeRadarPro) to cut resource usage down? Or is the developer going to combine the two?

ERP is freeware actually and it will stay like this, i guess SOB will be paid because it is stronger. SOB = ERP + DRP , so i don't believe they will merge both , unless the devs want an all-in-one product.

And given choices which one would you remove from real-time between the two?

SOB > ERP , so i will remove ERP

 

[Raul90]

Got very interested so I gave it a spin!