BlackFog Privacy

Discussion in 'other anti-malware software' started by liba, Feb 2, 2018.

  1. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    188
    Last edited by a moderator: Feb 2, 2018
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,943
    homepage? impressions yourself? rating?
     
  3. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    199
    Location:
    UK
    Looked interesting. However, I met an "installation failed" message and the installation aborted - so I have no impressions except a shake of the head.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,965
    Location:
    The Netherlands
    You know, I normally can smell "fake security" apps from a mile away, and something about it just doesn't feel right. It's completely unclear how this app tries to protect against malware and tracking. Is it signature based or does it use behavior blocking? Not a word on the website about this stuff. And yet it claims to protect against file-less malware which is pretty hard for even the most advanced tools.
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    17,525
    Some more information:

    Blackfog Privacy - Fileless protection for Home and Office v3.3.1 (January 31, 2018)
    'Real-time protection against online threats'

    "As featured on 'killerstartups'":
    Private Eyes, They’re Watching You – Unless You Use BlackFog
    Mar 18, 2016
    Website
    Download (Windows & macOS Installer)
    Store
    FAQ (Excerpt):
     
  6. kenw

    kenw Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    124
    Location:
    Brighton, Colorado
    That version number looks ? may not mean anything. Malwarebytes 3.3.1
     
  7. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    199
    Location:
    UK
    I've now managed to get BlackFog installed and have a look at what it does and its options.
    It seems to me quite similar to the Ruiware products in its scope, but it's certainly light on resources and unobtrusive - and that, for me, is its greatest weakness. It creates a running daily log of events, mainly of files that it's deleted or detected. Unfortunately, there's no way to approve its actions before deleting and no way of rolling back the changes. Here's a very small example of some of today's log file:


    [2018-02-04 10:50:28] Deleted: C:\Users\xyz\AppData\Local\Temp\lptmp\languages\zh_TW\zh_TW.xpm (4 KB)
    [2018-02-04 10:50:28] Deleted: C:\Users\xyz\AppData\Local\Temp\scoped_dir4480_24174\Cookies (5 KB)
    [2018-02-04 10:50:28] Deleted: C:\Users\xyz\AppData\Local\Temp\scoped_dir4480_24174\Cookies-journal (1 KB)
    [2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-file-l1-2-0.dll.bak (18 KB)
    [2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-file-l2-1-0.dll.bak (18 KB)
    [2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-localization-l1-2-0.dll.bak (20 KB)
    [2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-processthreads-l1-1-1.dll.bak (18 KB)
    [2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-synch-l1-2-0.dll.bak (18 KB)
    [2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-timezone-l1-1-0.dll.bak (18 KB)
    [2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-crt-convert-l1-1-0.dll.bak (22 KB)
    [2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-crt-environment-l1-1-0.dll.bak (18 KB)
    [2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-crt-filesystem-l1-1-0.dll.bak (20 KB)
    [2018-02-04 10:52:23] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Extension State\MANIFEST-000001 (40 B)
    [2018-02-04 11:53:43] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Jump List Icons\091d5de1-f79d-4e35-a724-f2010325c4da.tmp (27 KB)
    [2018-02-04 11:53:43] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Jump List Icons\1d6eec1b-e4b5-41a8-ab9b-3c33afbb3b97.tmp (27 KB)
    [2018-02-04 11:53:43] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Jump List Icons\343da0a1-fdce-4bd7-b723-e26160970eb5.tmp (27 KB)
    [2018-02-04 11:53:43] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Jump List Icons\660d6228-8f94-4404-8f48-160cd29e3ac7.tmp (27 KB)
    [2018-02-04 11:53:43] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Jump List Icons\9332d916-01c3-4e52-8394-6d7f3439c2db.tmp (27 KB)

    I'll keep an eye on this for the duration of the 30-day trial, but I'm not convinced that it offers anything more than EAM and Adguard. We'll see.
     
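    The log format above is simple enough to audit with a few lines of code. The following is an added example, not BlackFog's own tooling: it parses `[timestamp] Action: path (size unit)` lines, totals what was removed per directory, and lists anything touched outside the temp, cache and browser-state locations seen in the excerpt, which is the kind of entry a user would want to look at given there is no approve-before-delete or rollback. The sample lines are constructed for the example and modelled on the excerpt (the `notes.txt` entry is invented to show the review path); `parse_line`, `summarize` and the directory markers are the example's own names.

```python
import ntpath
import re
from collections import Counter

# One entry per line: [YYYY-MM-DD HH:MM:SS] Action: <path> (<size> <unit>)
LOG_RE = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (\w+): (.+) \((\d+) (B|KB|MB|GB)\)$"
)
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Locations the excerpt shows being cleaned (assumed list); anything outside them is worth a look.
EXPECTED_DIR_MARKERS = ("\\temp\\", "\\cache", "\\jump list icons\\", "\\extension state\\")

# Constructed sample modelled on the excerpt (the notes.txt line is invented
# to show an entry outside the expected locations, and the last line is noise).
SAMPLE_LOG = r"""
[2018-02-04 10:50:28] Deleted: C:\Users\xyz\AppData\Local\Temp\scoped_dir4480_24174\Cookies (5 KB)
[2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-file-l1-2-0.dll.bak (18 KB)
[2018-02-04 10:52:23] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Extension State\MANIFEST-000001 (40 B)
[2018-02-04 11:53:43] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Jump List Icons\091d5de1-f79d-4e35-a724-f2010325c4da.tmp (27 KB)
[2018-02-04 12:01:02] Detected: C:\Users\xyz\Documents\notes.txt (2 KB)
not a log line
"""


def parse_line(line):
    """Return a dict for a well-formed entry, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, path, size, unit = m.groups()
    return {"ts": ts, "action": action, "path": path, "bytes": int(size) * UNIT[unit]}


def is_expected_location(path):
    """True when the path sits in one of the temp/cache/browser-state areas."""
    low = path.lower()
    return any(marker in low for marker in EXPECTED_DIR_MARKERS)


def summarize(text):
    """Aggregate a log: counts per action, bytes freed, per-directory counts, entries to review."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    by_action = Counter(e["action"] for e in entries)
    by_dir = Counter(ntpath.dirname(e["path"]) for e in entries)
    freed = sum(e["bytes"] for e in entries if e["action"] == "Deleted")
    review = [e["path"] for e in entries if not is_expected_location(e["path"])]
    return {"entries": len(entries), "by_action": by_action, "by_dir": by_dir,
            "bytes_freed": freed, "review": review}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['entries']} entries, {s['bytes_freed']} bytes freed")
    for d, n in s["by_dir"].most_common():
        print(f"{n:3d}  {d}")
    for p in s["review"]:
        print("REVIEW:", p)
```

    Point it at the real daily log instead of `SAMPLE_LOG` to get a per-directory picture of what the cleaner removed; the `review` list is the part worth reading every day, since it is the only place an unexpected deletion would show up.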
  8. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    584
    Location:
    Far East
    So an AV is still needed? Anything for the android smartphone?

    Thanks
     
    Last edited: Feb 4, 2018
  9. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    184
    Location:
    California
    Just a clarification on some of these points for those that are interested.

    BlackFog is focused on 2 core aspects, Privacy and Fileless Network protection. So starting with NiteRanger, yes we still recommend AV, as we don't feel it is necessary to replicate the myriad of free or paid tools that exist already, and there are plenty of great options.

    The forensic data collection activities on your machine can be swept using the cleaning option and these can be controlled by the Forensic options in the app, as well as the System options which control the system level collection activities from MS directly. Someone above posted a log of some of this behavior. We do not have a rollback because these are very well tested and should have no impact on your machine except in the collection of data. Each of these can be switched off from the options available. The goal here is to prevent personally identifiable data from sitting on your machine.

    The core part of the solution is focused on network activity which as mentioned by someone is behavioral based. We have plenty of blog articles on this if you want more details on this.

    For the sake of brevity though I will just summarize as follows. BlackFog sits at layer 3 of the network stack and watches all outbound traffic for anomalies in behavior; this includes data leaking to known C&C servers, crypto mining sites etc. We look at how protocols are formed, what it is sending, how and where, to determine if it is legitimate and block accordingly. We have about 10 different parameters (many more under development) that are used to determine legitimacy of the traffic. In addition we monitor executable location to prevent files being dropped on your machine. As pointed out this is very complex to do and it is done in real time.

    We designed this to be non-intrusive and minimize false positives.

    We have a complete edition available for Windows, Lite edition for Mac (focused more on ad blocking and known malware, full edition coming soon) and later this year Android and iOS editions.

    Happy to answer any specific questions anyone may have.

    Thanks Darren
     
  10. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    184
    Location:
    California
    If you would like some background technical information I would recommend you refer to an excellent paper from the University of Birmingham that goes into great detail on exfiltration. That will give you some insight into what BlackFog is doing. We also closely follow the Mitre ATT&CK matrix.

    University of Birmingham
    Command & Control: Understanding, Denying and Detecting by Gardiner, Cova, Nagaraja

    https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
     
    Last edited by a moderator: Feb 4, 2018
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,696
    This is funny, or not, depending on your viewpoint...

    Tracking Activity_Blackfrog_01.JPG
     
  12. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    584
    Location:
    Far East
    Hi Darren

    From the info gathered it seems BlackFog controls/protects the outbound only and NOT the inbound, right? The latter would depend on the user. How about in-process protection?

    Since BlackFog is about privacy protection how about protection for browser against the different types of fingerprinting etc

    Does it protect against the different types of ransomware like MBR encryptor, file/disk encryptor, file destroyer, screen locker etc?

    And does BlackFog protect against bots and APTs (Advanced Persistent Threats)?

    Thanks
     
    Last edited: Feb 4, 2018
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,998
    Location:
    Among the gum trees
    Their website tried to access my browser fingerprint too. :cautious:
     
  14. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    184
    Location:
    California
    Hi NiteRanger, yes that's correct we focus on outbound data because every bad actor has to get out eventually to do bad stuff, either stealing information or activating their software, exchanging keys etc.

    We protect against many types of finger printing already. If you have "Web Profiling" block turned on then they are pretty much blocked. If there are things we are missing we are happy to add to our list.

    We also protect against many of the encryptors already. Whilst not exhaustive, we are continually adding more. I will get back to you on more details tomorrow regarding the APTs.

    Re the track off information, that's a result of the Google Analytics scripts that our web site embeds as well as various plugins for the product pages. I will talk to marketing about disabling any of the unnecessary elements here.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,998
    Location:
    Among the gum trees
    Hi Darren,

    I'm sure you understand the irony of a product that is supposed to protect your privacy while your website is infested with trackers.
     
  16. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    184
    Location:
    California
    Yes indeed. We have removed the one from Google already as that appears to be the major culprit.
     
  17. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    584
    Location:
    Far East
    Hi

    My Tunnelbear Blocker for Chrome is still detecting 2 fingerprints on your website. Can you please check?
     
  18. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    184
    Location:
    California
    Might be some plugins from some third party providers. We will be checking this today.
     
  19. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    184
    Location:
    California
    Looks like it is being picked up by Tunnelbear because the site uses HTML 5 Canvas for drawing icons etc. But we are not actually fingerprinting anything.
     
  20. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    184
    Location:
    California
    Regarding APTs, we carefully monitor the traffic on your device and look for anomalies in behavior so we can stop these types of programs stealing your data. By watching the pattern of network activity and data volumes we can often see trends that identify these bad actors. These algorithms are always being refined with new parameters on literally a daily basis by our engineers and we are working on various models using Machine Learning that will be added to our next major release (4.0). Right now we are pretty good at detecting them, but nowhere near where we want it to be.

    As you know these are very complex to detect so this is where we are sending a lot of our efforts right now, while at the same time keeping our system very lightweight. Happy to answer any other questions you might have. I enjoy these discussions.
     
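    Darren's posts above describe the detection as watching outbound traffic for anomalies in pattern and data volume, plus monitoring executable location, without disclosing the parameters. As an added illustration of that class of check (not BlackFog's code, and not a claim about what its parameters actually are), the block below runs three simple heuristics over constructed flow records: a process running from a temp directory, near-constant connection intervals to one host (beaconing), and outbound volume to one destination far above the median of the others. All paths, hostnames, the 203.0.113.5 address (a documentation range), the thresholds and the function names `make_sample_flows` and `analyze` are constructed for the example.

```python
import statistics
from collections import defaultdict

# Process paths under user- or system-writable temp locations (constructed list).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")
BEACON_MIN_CONNS = 6         # need enough intervals to judge regularity
BEACON_MAX_CV = 0.10         # stdev/mean of intervals below this looks machine-timed
VOLUME_ABS_MIN = 1_000_000   # bytes; ignore small destinations entirely
VOLUME_RATIO = 20.0          # flag when one destination dwarfs the median of the rest


def make_sample_flows():
    """Constructed flow records: (timestamp_s, process_path, destination, bytes_out)."""
    flows = []
    browser = r"C:\Program Files\Mozilla Firefox\firefox.exe"
    browsing = [(0, "cdn.example.net", 12000), (7, "news.example.org", 3000),
                (31, "cdn.example.net", 18000), (90, "mail.example.com", 7000),
                (140, "cdn.example.net", 9000), (212, "news.example.org", 2500)]
    for dt, host, size in browsing:
        flows.append((1000 + dt, browser, host, size))
    # Invented process in a temp directory, checking in every 60 s (+/- 1 s)
    # and pushing 400 kB each time to a documentation-range address.
    dropper = r"C:\Users\xyz\AppData\Local\Temp\svchost_update.exe"
    t = 1000
    for jitter in (0, 1, -1, 0, 1, -1, 0, 1, -1, 0):
        t += 60 + jitter
        flows.append((t, dropper, "203.0.113.5", 400_000))
    return flows


def analyze(flows):
    """Return (kind, process, destination) findings for the three heuristics."""
    findings = []
    by_pair = defaultdict(list)
    for ts, proc, dst, nbytes in flows:
        by_pair[(proc, dst)].append((ts, nbytes))
    volume = {pair: sum(b for _, b in recs) for pair, recs in by_pair.items()}

    for pair, recs in by_pair.items():
        proc, dst = pair
        # 1. Executable location: code running out of a temp directory.
        if any(m in proc.lower() for m in TEMP_MARKERS):
            findings.append(("exec-location", proc, dst))
        # 2. Beaconing: connection intervals with almost no jitter.
        if len(recs) >= BEACON_MIN_CONNS:
            times = sorted(t for t, _ in recs)
            intervals = [b - a for a, b in zip(times, times[1:])]
            mean = statistics.mean(intervals)
            cv = statistics.pstdev(intervals) / mean if mean else 0.0
            if cv < BEACON_MAX_CV:
                findings.append(("beaconing", proc, dst))
        # 3. Volume: one destination far above the median of all the others.
        others = [v for p, v in volume.items() if p != pair]
        baseline = statistics.median(others) if others else 0
        if volume[pair] >= VOLUME_ABS_MIN and volume[pair] > VOLUME_RATIO * baseline:
            findings.append(("volume", proc, dst))
    return findings


if __name__ == "__main__":
    for kind, proc, dst in analyze(make_sample_flows()):
        print(f"{kind:14s} {dst:16s} {proc}")
```

    On the constructed sample only the temp-directory process trips the checks; the browser's irregular, low-volume traffic does not. The fixed thresholds are the weak point of this toy: in practice the baseline for "normal" volume and timing has to be learned per host over time, which is what makes a low false-positive rate hard to achieve and why a single parameter is never enough.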
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,453
    Hi Darren

    I have two questions.

    1. The website mentions memory protection. Could you elaborate?

    2. I have my system locked down very tight. I have tested against a lot of malware and nothing gets by. What would BlackFog add that would justify the expense?

    Thanks so much.

    Pete
     
  22. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    584
    Location:
    Far East
    Thanks. Let us know when v4 will be released and the new features/improvement added
     
    Last edited: Feb 5, 2018
  23. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    You're begging the question:

    I'm 100% protected so how does your gear add value? By your math and assumptions the answer has to be zero.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,453
    Let's see what they say
     
  25. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    184
    Location:
    California
    Hi Pete,

    Good questions. Here is how we look at security. The exponential rise in Network (Fileless) based attacks is only going to continue. AV solutions that rely on signatures are of little use to more sophisticated malware because they dynamically change their signature (fast fluxing). They also understand that for your computer to be useful it needs to be connected to other machines and the Internet. The attacks therefore focus on network layers that they know are open, specifically ports such as HTTP, HTTPS, RDP etc.

    As a consequence, efforts to thwart these new attacks need to focus on these avenues of protection. We definitely think you should have your machine locked down like you do already. This is a primary defense technique and will work against a large number of existing malware. The problem is the next generation which has now started appearing, which focus on network weaknesses and vulnerabilities (WannaCry etc).

    While a large majority will continue to drop payloads on your device and execute (your lockdown defense will work nicely) we are seeing specially crafted malware that injects directly into running applications. So more of our efforts are focused on protecting your system using a layered approach.

    Think of it like a castle defense. The walls of the castle are like your application lockdown approach. The archers are the guys trying to break through, but progressively they start to focus on the gates (the same mechanism you use to get out). These are effectively the open ports in our scenario. So once they get in it's important to have mechanisms in place to protect everything and effectively trap and destroy them. This is what we focus on. This would include watching memory/process injection etc and preventing propagation and ultimately activation through C2 servers, which is what we have done so far.

    Sorry for the long answer. I hope that clarifies things.
     