Stop common malware exploits with NoVirusThanks Smart Object Blocker
June 29, 2016
Shah Sheikh (1172 articles)

NoVirusThanks Smart Object Blocker is a low-level tool that blocks the execution of specified applications, commands, DLLs and drivers. Its default rules block some common malware exploits and attacks, and you can add more to fine-tune the protection.

Creating these rules requires editing a text file, which isn’t exactly convenient, but a few bundled examples help to explain the basics.

You can block an individual file with a rule like this, for instance.

[%FILE%: %SYSTEM%\drivers\file.sys]

The first element tells the program to block a file by name; the second gives the file name and (optionally) its location.

Conditional rules are more interesting, especially the ability to block execution depending on command line parameters.

Ransomware often uses the Windows command line tool vssadmin to silently delete your system restore points, for instance: “vssadmin Delete Shadows /All /Quiet”. You could delete or rename the program, but that’s not ideal — you or a legitimate application might need it later, or it might be restored by a Windows update.

Install Smart Object Blocker and it comes with this built-in rule.

[%PROCESSCMDLINE%: *vssadmin*Delete*Shadows*/All*/Quiet*]

This time the program inspects process command lines. Run vssadmin with the destructive switches and it’ll be blocked; use it for other purposes and it’ll work properly.

Add more of these to match your needs. Are you worried about REGEDIT’s ability to import a bunch of settings via a REG file, for instance? You could use something like this.

[%PROCESSCMDLINE%: *regedit*.reg*]

If REGEDIT is launched with a command line containing “.reg” then it’ll be blocked; use other switches — or none — and it’ll work as normal. This isn’t perfect — it’ll stop legitimate programs using the same technique, and REGEDIT can import files with other extensions as well — but you’ll get some extra protection.

Other possibilities include blocking anything launched by commonly exploited applications like Adobe Reader:

[%PARENTPROCESS%: *\AcroRd32.exe]
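To make the behaviour of the command-line and parent-process rules concrete, here is a small Python simulator. It is an added example written for this page, not code from NoVirusThanks or from the original article. It parses rules in the "[%TYPE%: pattern]" form shown above and evaluates them against constructed process-start events, so you can see which of the article's rules fires for a given launch and which benign launches pass. It assumes that "*" matches any run of characters, that matching is anchored and case-insensitive, and that "%SYSTEM%" expands to C:\Windows\System32; the real tool's exact matching semantics are not documented on this page and may differ.

```python
import re
from dataclasses import dataclass

# Rule syntax as shown in the article: [%TYPE%: pattern]
RULE_RE = re.compile(r"^\[%(?P<kind>[A-Z]+)%:\s*(?P<pattern>.*?)\]$")

# Which field of a process-start event each rule type inspects.
# Other rule types the tool offers (hash, publisher, ...) are not modelled here.
FIELD_FOR_KIND = {
    "FILE": "image",              # path of the object being loaded or executed
    "PROCESSCMDLINE": "cmdline",  # full command line of the new process
    "PARENTPROCESS": "parent",    # path of the process that launched it
}

# Assumed expansion of the %SYSTEM% variable used in the article's FILE rule.
VARIABLES = {"%SYSTEM%": r"C:\Windows\System32"}


@dataclass
class ProcessEvent:
    """A constructed process-start event (sample data, not real telemetry)."""
    image: str
    cmdline: str
    parent: str


def parse_rule(line):
    """Split '[%KIND%: pattern]' into ('KIND', 'pattern')."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    return m.group("kind"), m.group("pattern")


def expand_vars(pattern):
    """Replace %VAR% placeholders with their assumed values."""
    for name, value in VARIABLES.items():
        pattern = pattern.replace(name, value)
    return pattern


def glob_match(pattern, value):
    """Assumed semantics: '*' matches any run of characters (including none),
    everything else is literal, and the match is anchored and case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def evaluate(rules, event):
    """Return the first rule that would block the event, or None if it is allowed."""
    for line in rules:
        kind, pattern = parse_rule(line)
        field = FIELD_FOR_KIND.get(kind)
        if field is None:
            continue  # rule type not modelled in this example
        if glob_match(expand_vars(pattern), getattr(event, field)):
            return line
    return None


# The rules quoted in the article.
RULES = [
    r"[%FILE%: %SYSTEM%\drivers\file.sys]",
    r"[%PROCESSCMDLINE%: *vssadmin*Delete*Shadows*/All*/Quiet*]",
    r"[%PROCESSCMDLINE%: *regedit*.reg*]",
    r"[%PARENTPROCESS%: *\AcroRd32.exe]",
]

# Constructed events: a blocked case next to a benign one for each rule.
EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin Delete Shadows /All /Quiet",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin List Shadows",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\regedit.exe",
                 r"regedit.exe /s C:\Users\alice\settings.reg",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\regedit.exe",
                 "regedit.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c echo hello",
                 r"C:\Program Files (x86)\Adobe\Reader\AcroRd32.exe"),
    ProcessEvent(r"C:\Windows\System32\drivers\file.sys",
                 "",
                 r"C:\Windows\System32\services.exe"),
]


if __name__ == "__main__":
    for ev in EVENTS:
        hit = evaluate(RULES, ev)
        verdict = "BLOCK" if hit else "allow"
        print(f"{verdict:5}  {ev.image}  {ev.cmdline!r}  parent={ev.parent}")
        if hit:
            print(f"       matched {hit}")
```

Running the script prints one line per event; the vssadmin deletion, the .reg import and the child of AcroRd32.exe are blocked, while "vssadmin List Shadows" and a bare "regedit.exe" are allowed. Because the first matching rule wins, the order of rules only affects which rule is reported, not whether a launch is blocked. Before relying on a pattern in the real tool, confirm its wildcard and case handling against the vendor's documentation, since both are assumptions in this simulator.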

You could also block objects by path, ensuring programs only launch from approved or system locations, and there are filters for name, hash, description, publisher, version, creation or modification date, the vendor who digitally signed it, and more.

It’s even possible to use a Lockdown Mode, a whitelisting system which automatically blocks everything but the processes you specify.

Smart Object Blocker is a versatile system which can handle anything from a single VSSAdmin-type restriction, to building a full-scale exploit blocker. Use it with care, though: prevent some key executable from running and you could easily break your PC.

NoVirusThanks Smart Object Blocker is a free application for Windows XP and later.

Source | BetaNews