BlackFog Privacy

Discussion in 'other anti-malware software' started by liba, Feb 2, 2018.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    PrivaZer wipes Reliability History on my machines anyway so I can't answer that.

    Paul,

    Control Panel > System Security > Review your computer's status > Maintenance > View Reliability History.
     
    Last edited: Feb 17, 2018
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,940
    Location:
    UK
    It should list your 'real' win updates as well. (and all errors, it's a great little built-in tool)

    Just hit the Windows start flag and immediately start typing reliability... (no need to use the search box)
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks Krusty and stapp. I have had to edit my post #175 again :rolleyes:. Yes I do see them.
     
    Last edited: Feb 16, 2018
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Darren - a request.

    Would it be possible to add (task bar) Install Mode - Permanent on / off option, instead of just current 10 min option?
     
  5. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    Question for you Paul. Why would you want to turn off execution prevention entirely? It's a lot more than just some directories. It's specific apps as well, double extension prevention, etc. Just trying to understand the need.
     
    Last edited: Feb 16, 2018
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I daily reserve time to update all my apps and portable apps, and this often takes more than 10 minutes. I don't want to have to set install for 10 minutes more than once, or have BFP reactivate during an update.

    I prefer to control it manually.

    NVT ERP, for example, has options 10 mins, 30 mins, 1 hr, until reboot, and permanently. Just the latter addition would be OK (for me at least).
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for the response. I totally forgot to read the paper, but it's quite a lot of info. Can you perhaps give examples of malware that BFP can block from connecting out? Personally I'm mostly interested in behavior blockers that can block malware from achieving their goals even when they are already running in memory, so that's why I was a bit skeptical about BFP at first. Think of anti code-injection, keystroke encryption and file/folder protection, but I guess that isn't the focus of BFP.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Rasheed.

    To me if they are running at all it's too late. I've been giving a lot of thought to this and this product in particular as how it relates to ransomware. Apologies to Darren but people need to think about this.

    1. As was pointed out earlier, something can be dropped anywhere on your system. Nuff said.

    2. Waiting until a connection is made outbound is way way too late.

    a) I installed BlackFog in a VM and tested ransomware against it. Outbound may have been stopped, but all three (I stopped after that) had a field day encrypting everything.

    b) These malwares aren't sitting there innocently waiting for an outbound connection. They all installed themselves in the Windows Startup key. Some of them even install scripts in registry keys for use later. The guys at Emsisoft are trying to help someone who got hit by ransomware, paid the fee, got the key but didn't get all the files back. The ONLY protection against these thieves is to keep them out in the first place. Outbound protection just isn't the solution.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I fully agree with Peter. Prevention is definitely better than the cure. In many cases there is no cure once the damage has been done. Is this product even meant to be a defense against ransomware in the first place? I've read some of the posts in this thread, and it seems to me that a good outbound firewall that has good leak protection will achieve the same goal. What type of threats does this product mitigate?
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Disregard my last post. I see that Darren has stated it does have execution prevention. I guess they will keep developing it, and improving it to have better detection over time. I guess it is using some behavior blocking to mitigate malicious executions. Maybe in time it will mature.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    As for blocking ads and profiling, the only time BFP blocks anything is when I disable uBlock Origin.
    Of course it could be said that I could remove uBO but I think uBO is currently blocking more than BFP. I know BFP works at a system level but apparently I don't have anything on my machines sending ads or trying to profile me. uBO is a LOT cheaper too.
     
  12. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    So while our focus is definitely outbound blocking, that is not the only thing we are doing. We use a layered approach, like execution blocking, ad / tracking blocking and a number of other behavioral techniques, so it's not a single layer that will protect you, but all of them together. Each day we continue to add more layers so you will only see it improve. Each ransomware variant works differently. Our next level of fileless protection is focused on PowerShell scripts, so that will add yet another layer.
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Agreed. The ransomware needs to be stopped in its tracks. It is great that it stops your data from going to a C&C server somewhere overseas, but you are left with files encrypted on your system. For people like us in the tech field it's not too bad as we have data/system backups etc. For the average Joe who is not tech savvy, they will lose everything, or have to go to Best Buy and pay God knows how much to get their systems cleaned, and likely not get their data back.

    I have been watching this thread off and on for the past few weeks and have been tempted to give it a go, but just seeing Peter's experience alone is enough for me to not even bother installing it.
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Interesting, I am not really interested in the ad blocking, as I have uBO with uMatrix - and AdGuard - active :rolleyes:.

    But I still see Ads and Profiling blocked:
     
    Last edited: Feb 19, 2018
  15. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    130
    Location:
    Australia
    I'm not using uBlock Origin but I'm using the AdGuard Extension for Edge and still see Ads and Profiling with BFP.
     
  16. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    130
    Location:
    Australia
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I have the same red dots on my Traffic Map ... Darren, what is the significance of these?

    I was wondering if BFP is maybe somehow blocking AdGuard (Russian) hence Ronald and I are seeing ad-blocking?
     
  18. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    130
    Location:
    Australia
    Not too sure about AdGuard, but you are able to block by country under "Network > Geography".

    Note China, Russia and Ukraine are blocked by default in BFP.

    Edit: Added Thumbnail
     
    Last edited: Feb 19, 2018
  19. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    Here are a few answers: the red dots represent the regions blocked through the Geography area, the black ones represent the actual traffic.

    If Avast is using direct IPs then yes, it will be a problem with the default settings, as that is a big no-no. So unchecking the Suspicious Address option will allow that. If they also route through Russia you can uncheck the Russia option. If you want to turn off all geo blocking entirely you can use the Geography option in the Blocked settings area.

    If the Ad blocking is on it should block the ads through any browser. Now there may be a few here and there that are new that haven't been picked up yet, but the team is constantly updating the rules for these. If you have a site that has ads you shouldn't see, you are welcome to PM me and I can send it to the team to review. There are new Ad companies popping up every day. One other point here is that if you are using another Ad Blocker, they will not be blocked twice, so the first one that catches it (the one in the plugin) will get it first, which is why you won't see it in BF.
     
  20. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Regarding blocking IP based on region- this is very nice, but should never be considered to be all inclusive:

    1). If anyone remembers the massive Credit Card breaches at Home Depot and Target, in both cases the breach was discovered only after a number of months- it was found (by serendipity) that pulse outbound transmissions were being made to Servers somewhere on the Steppes of Central Asia. Both HD and Target were "protected" by SEP which, although logging the event(s), did not block them. Geographical transmission preclusion would have saved much grief and hundreds of millions of dollars.

    2). On the other hand seemingly legitimate Servers can be utilized by BlackHats to cover their tracks, examples being the CCleaner fiasco (the C&C being a CubeMotion server in Los Angeles), many Bankers using CloudFlare (USA), and a bunch of ransomware using the Amazon Farm in Northern Virginia (down the Block and around the Corner from Langley).

    So yeah, it is a good idea to block stuff depending on region, but just doing this does not make life Rainbows and Unicorns...
     
  21. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    Correct, it's just another tool in the arsenal.
     
  22. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    Note we have now released version 3.4.0 which adds support for PowerShell Fileless protection. Release notes are as follows:

    Added PowerShell Fileless protection to Network options
    1. Privilege escalation
    2. Obfuscation
    3. Encoded commands
    4. Remote download
    5. Remote execution
    6. Mimikatz/Powersploit toolkits
    7. Compiled PowerShell
    8. PowerShell DLL injection
    Improved SQL performance on multiple inserts
    Improved handling of foreign language character sets
    Fixed possible buffer overflow in notifications
    Improved refresh rates on client when changing geofence on Enterprise console
     
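The eight categories in these release notes describe what a PowerShell fileless detector has to recognise from a command line. As an added example that is not BlackFog's code, here is a small Python classifier run over constructed command lines; the regexes and category names are my own heuristics, and decoding the -EncodedCommand payload before scanning is what lets a hidden download cradle still be labelled as such.

```python
import base64
import re

# Categories follow the 3.4.0 release notes; the patterns are this example's own
# constructed heuristics, not BlackFog's rules. -e, -enc, -encodedcommand and any
# other prefix PowerShell accepts are caught by the -e[a-z]* form.
ENCODED = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.I)
PATTERNS = {
    "remote_download": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I),
    "remote_execution": re.compile(r"\b(?:iex|Invoke-Expression|Invoke-Command)\b", re.I),
    # backtick-split tokens, [char] casting, string concatenation, -join
    "obfuscation": re.compile(r"`[a-z]|\[char\]\s*\d+|'\s*\+\s*'|-join\b", re.I),
    "toolkits": re.compile(r"mimikatz|powersploit", re.I),
    # elevation request via the RunAs verb
    "privilege_escalation": re.compile(r"-Verb\s+RunAs", re.I),
}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind an encoded-command switch, or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Return the sorted category names a PowerShell command line triggers.

    The decoded payload is scanned with the same patterns as the visible
    command line, so encoding does not hide the other categories.
    """
    hits = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.add("encoded_command")
    for text in filter(None, (cmdline, decoded)):
        hits.update(name for name, pat in PATTERNS.items() if pat.search(text))
    return sorted(hits)


def make_encoded_sample():
    """Constructed sample: an -enc launch wrapping a plain web request."""
    script = "Invoke-WebRequest 'http://example.invalid/update.ps1'"
    return "powershell.exe -nop -enc " + base64.b64encode(script.encode("utf-16-le")).decode()
```

Running `classify` over an ordinary `Get-ChildItem` launch yields nothing, while the encoded sample above is reported as both encoded_command and remote_download.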
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Thanks Darren. I don't know how I missed this earlier but I'm updating right now. :thumb:
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
  25. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    While it will work, you will not get as many resolved domains in the hosts tab as before. This is not a problem for most functionality because we actually use raw IPs for most protection, but it will limit the protection for non-HTTP/s traffic because we won't be able to extract the domain name easily. Again, this won't really affect the application very much; it's more about visually seeing the traffic in the UI.

    The next release (3.5) will have less of an issue because we will not be using DNS very much anyway.
     