BlackFog Privacy

Discussion in 'other anti-malware software' started by liba, Feb 2, 2018.

  1. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
I am receiving a certificate modification warning of blackfog driver (don't remember its name, it was some certificate of privacy.sys or something) in the registry. Is it something that blackfog would do to modify its own certificate? I downloaded the latest version. I am worried this is some bypass attempt targeted at blackfog; does blackfog check its own certificates for modification by third party?
     
  2. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    We would never do this. We will add some protection for this activity @lucd. Thanks for the heads up.
     
  3. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    Since we get a lot of questions about our general approach we have just published an article that talks about Cyber Warfare and Data Exfiltration that might be a useful reference.

    We are also looking for beta testers in the next couple of weeks for our new macOS edition of 4.0 which will feature more universal exfiltration on the entire Mac just like with Windows. The only requirement is that you are running Catalina. Please send an email to support@blackfog.com if you would like to be added to the list.
     
  4. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
After each reboot and log in to Internet this attempt happens at root certificate change (I've seen this 10 times in 1 month), ofc I did not let the certificate be changed. The certificate key's too long to post but if you really need I can try to send a full picture. I do know 360 qihoo does a certificate scan and if needed it will attempt to "fix" and download the "right" certificate, however on a different pc I am not having this issue (same setup: qihoo360+blackfog). It seems this change of certificate is not coming from qihoo, since I did not ask qihoo to modify certificates (in scan results options).

P.S. thank you for your wonderful article and looking forward to more
     

    Last edited: Feb 10, 2020
  5. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    @Darren Williams
Since the update to 4.3.0 (b475) I have had to start Privacy.exe manually from the start menu as it doesn't start on boot up, although PrivacyScv.exe starts as normal. Although there is no icon in the Taskbar and no gui until I start Privacy.exe manually, information is still being recorded to the Dashboard and Exfiltration and in the events tab. I have tried re-installing but it doesn't make any difference. Any suggestions?
    Also, since the last Rules update on Jan 27 I do not get a Browser Cleaned notification for Firefox and no entry in the events list. Chrome, Vivaldi and Edge work as expected.
    Further. The notification for Vivaldi and events entry both show "Browser Clean Completed in 0 secs (0 b, 0 files)". Is this because Vivaldi is not in the Forensics list?
     
  6. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
@lucd I will send this to the team to take a look at to see what might be going on here. Very unusual behavior for sure. Our certs are done by MS themselves so we know they are solid.

@Dark Star 72 the startup is actually performed by the system scheduler, so I wonder if there is something stopping that from triggering. I will PM you a couple of things to look at for that. We will check if Firefox has changed its startup logic as that's always possible. Also we haven't added Vivaldi rules yet but we have added the infrastructure, so a future rules update will mean it is automatically supported without a version change, which is why you get 0.
     
  7. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    @Darren Williams
A quick update. I updated Firefox from 72.0.1 to 72.0.2 late last night and it's now cleaning and recording in the events tab, so I assume that there was something in build 72.0.1 that was causing the problem. Must have been a coincidence that I updated from 72.0.0 to 72.0.1 on the same day that the rules were updated.
     
  8. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
@Dark Star: Thanks for the info. Also note that the auto start happens by adding the app to the start registry for the system. You can see it is available on Win 10: go to Settings > Apps > Startup. You will see BlackFog listed there and it should be enabled.
     
  9. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
@Darren Williams: Opened Settings > Apps > Startup and BlackFog was off. Enabled it and closed Settings. Opened Settings again to check it was still enabled and it was off again. So I opened Task Manager > Startup and it was Disabled, so I Enabled it there and so far it has stayed enabled over several reboots.
     
  10. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    Interesting you needed to do that. Never seen that before. Might need to write a KBA on that. Thanks for finding out what it was.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Is anyone using BFP on their Windows machine having trouble with Firefox updates?

    Thanks.
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No Krusty, not with update to FF 73. But I used PatchMyPC silent install this time, not FF internal updater.
     
  13. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    There is a general problem with Firefox 72.x that caused grief for a lot of users. You can read about it on the Mozilla site below:

“Users with 0patch security software may encounter crashes at startup after updating to Firefox 73. This will be fixed in a future Firefox release. As a workaround, an exclusion for firefox.exe can be added within the 0patch settings.” https://www.mozilla.org/en-US/firefox/73.0/releasenotes/
     
    Last edited: Feb 13, 2020
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    My BlackFog Privacy license auto-renewed without warning.

    I think one should be notified a week or so in advance, so that one has the option to cancel.
    At least my AppGuard sub did that.

For us 'third worlders' (South Africa), $ amounts can translate to quite a bit of money on the exchange rate.
     
    Last edited: Feb 24, 2020
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    I agree.
     
  16. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    I second this. I wasn't aware of BF renewing until I saw my credit card statement last week.

    Not good business practice.
     
  17. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    Noted guys, we will modify this procedure going forward and make sure there is ample notification of a renewal.
     
  18. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
  19. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
Any news on root CA modification involving blackfog? Now qihoo360 H.I.P.S. doesn't let me choose (allow/deny of modification of binary blob), but qihoo's window pops up and closes very fast, as if someone made the decision for me to install the root CA of blackfog.
    I did not see any untrusted connections in the event log of blackfog so I dunno what is happening. Another program affected is simplewall firewall. Might be a bug, a compatibility problem, a legitimate OS action or an attack technique; it happens only when being connected.
     
    Last edited: Mar 17, 2020
  20. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    We will investigate this and see if we can repeat. Certainly, not something we would ever do.
     
  21. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    We hope everyone is staying safe at home. Note we have just released 4.3.1 with a new Privacy option to "hide hostnames" in the Windows interface. Full release notes can be found on our website.
     
  22. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I just installed a security patch update on my Samsung Galaxy J7 phone with Android version 9 and now my apps can't seem to download anything, like Twitter can't load new tweets anymore with BF running.
     
  23. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
Make sure you have the latest rules operating on BlackFog (Mar 27). I just tried it myself and it seems ok from this end. PM me if you still have problems and we can set out the combination of things to make sure it's working ok.
     
  24. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
I clicked on update rules and it still does not work. All the settings show no number counts for blocked stuff. When I view events there is nothing there. Some or all of this happened right after the Android software patch. Should I uninstall and install it again? The Android update might have corrupted the BF App.
     
  25. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    418
    Location:
    California
    We will PM you a private build to look at tomorrow. Looks like they changed a couple of things.
     