BlackFog Privacy

Discussion in 'other anti-malware software' started by liba, Feb 2, 2018.

  1. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    @lucd This is why we have the Enterprise edition actually, it does all of this across thousands of machines.....But point taken, and we do have a plan for this. Just not ready to announce anythign just yet.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,027
    Location:
    Among the gum trees
    Hi @Darren Williams ,

    One of my machines has been off / shut down for a couple of days and since I knew there was a Component Package Update I tried to update Malwarebytes. Checking for updates seemed to take an unusually long time and the new Component Package was not downloaded. I tried several times without success.

    Eventually I opened BlackFog and disabled Execution and tried updating MB again. This time the new Component Package downloaded and installed successfully. I suspect BF was blocking MB's update.

    Thanks.
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,392
    Location:
    Under a bushel ...
    FWIW Krusty, I did not experience this (two machines). Updated normally - but my MB is on demand.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,027
    Location:
    Among the gum trees
    It only happened on my laptop. My desktop didn't have any problems.

    Funny thing is though it was downloading Update definitions, it just would not download the new Component Package.
     
  5. FANTAZIUS_MALLARE

    FANTAZIUS_MALLARE Registered Member

    Joined:
    Apr 12, 2021
    Posts:
    19
    Location:
    CLEVELAND OHIO
    Krusty, I had a similar problem as I mentioned in an earlier post on this thread. I could not install MB when BF was running, whether I had set BF to "install mode" or not. I had to disable BF and reboot my computer. I found that I was then able to install MB without a hitch and thereafter MB and BF got along just fine. Don't know about MB updates though. I will have to wait and see if I run into the identical problem that you had with one of your machines. But, there definitely is a problem that I run into when installing new programs on my computer.

    I attempted to install Mailwasher Pro this evening, with BF running but in "install mode." Mailwasher would not install, even after repeated attempts whether BF was set to "install mode" or not. Once again, as with attempts to install MB, I found it necessary to disable BF, reboot my computer and attempt to reinstall Mailwasher on reboot, with BF disabled. When I did this, I had no problem installing Mailwasher. I have a few more programs to install. My guess is that I will run into the same problem if BF is running, whether or not I set BF to "install mode." But, I will give it a go. If I run into the same software install problems, then my only recourse--when installing Third Party software, other than Windows software--will be to disable BF altogether and reboot my computer. Since Darren couldn't replicate the problem I had with MB, I will have to assume there is some discrepancy between BF and the Hardware/Software configuration of my machine. Since the issue I have with BF only extends to installation matters and not to the functioning of the program itself as far as I can tell, I will continue to use BF, as the perceived benefits, to my mind, outweigh software installation annoyances.
     
  6. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    BlackFog should not get in the way of these things unless they are doing something fishy on installation. You will be able to tell by looking into the events that we log or the log itself in the menu. That will provide some clues for you at least. The key will be if they are using known bad domains to push content or handshakes. We only block outbound not inbound.
     
  7. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    665
    Location:
    Island of Woman
    having difficulty blocking smartscreen.exe even added exe to blocklist but connections are still established
    after blocking the exe in your deny list I can see the connections related to smartscreen.exe:
    52.178.182.73
    51.144.113.175
    Ireland Dublin

    it stopped some connection by deny smartscreen.exe rule yesterday but not today

    I don't need smartscreen.exe to run, I have other solutions, it is disabled by shutup10, locked in firewall, locked in spy shelter, but I can see 3-5 kb to be sent somehow
    how its connecting I dunno, pure magic
    btw. what managed "no" mean
     
    Last edited: Apr 26, 2021
  8. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    @lucd we don't block exe's via the block list, we can only allow them right now. This is a feature we are going to add in the next release so its working as intended... So the way smartscreen is working is it uses a pool of IP's to talk to its servers which will constantly change and explains why it will work sometimes and not others based on what you have setup. I would recommend instead you use the Privacy options and select "SmartScreen" and this will stop most communications from it.
     
  9. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    665
    Location:
    Island of Woman
    OK, but the event said you did manage to block the exe and the ip, that is confusing, because it tricks you into thinking the exe rules are working, please add the functionality as soon as your team can

    I already did that, it still communicates via those two addresses, you can add them to your SmartScreen Filter, since I verified they are from Microsoft/Azure and tied to smartscreen.exe process, after adding both IPs smart screen is silent and fully blocked (tested for 5 days), at least for now:)
    52.178.182.73
    52.170.57.27
    51.144.113.175
    23.97.153.169
    23.55.163.73

    unless you add block exe functionality we can't fully control smart screen/svchost
     

    Attached Files:

    Last edited: May 1, 2021
  10. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    You just happened to discover it before we released it...
     
  11. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    665
    Location:
    Island of Woman
    A bit of more information on connections would be nice, especially for process like svchost, blackfog doesn't tell me.. just that is port 0 (typically reserved for NT Autority System*) and 600kb of data, sometimes it points to Azure with ip heing displayed
    *
    System Ports (0-1023), User Ports (1024-49151), and the Dynamic and/or Private Ports (49152-65535)

    I think your view box should be more informative (I occluded other processes but svchost row is fully revealed), I don't know the flag* and the origin, and don't know what action to take, but if svchost is in green blackfog knows it has k,s or p flag perhaps?*
    When svchost uses the “-k” flag, a request will be made to the following registry
    key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Svchost

    I believe at least name of the parent process (or what is using svchost), flag, origin of svchost (from system32 or not) should be displayed, because literally anything can go throught svchost so what's the point of blocking stuff with programme: werfault.exe for example, is a way for apps to trigger crashes reports on termination via svchost,
    eg. WerSvc = C:\Windows\System32\svchost.exe -k WerSvcGroup,

    information about parent process would help disambiguate
    moreover:
    I am getting this in the privacy logs in appdata local

    [2021-05-02 13:52:15.293187][INFO][6128] Application Started: [2021-05-02 13:52:15] UTC -1
    [2021-05-02 13:52:15.295266][INFO][6128] Error setting mitigation ASLR policy: Access is denied.
    [2021-05-02 13:52:15.297270][INFO][6128] Failed to get Network status

    EDIT: manage to fix those ip connections to AZURE by doing some windows debloating
     

    Attached Files:

    Last edited: May 3, 2021
  12. FANTAZIUS_MALLARE

    FANTAZIUS_MALLARE Registered Member

    Joined:
    Apr 12, 2021
    Posts:
    19
    Location:
    CLEVELAND OHIO
    lucd, I just saw your post. I ran into the same problem this evening which prompted this post. In the last few days my computer had been freezing because I had several open apps and background processes that I didn't need, and they placed heavy demands, I presume, on the CPU and RAM. I disabled a number of programs from starting, including my Black Fog and my computer is once again humming. I had been restarting BF when I got on the web. And I didn't have an issue until today. Perhaps I had just been lucky. I note that the "spy" (or is that "counterspy") BF icon was filled in red, meaning, as you would know, that the privacy service had been disabled. In the past I would disable the program when installing new word processing applications and then reenable the program and see a clear "see-thru" icon in the taskbar once again, meaning that the privacy service had re-engaged. But, this evening, the privacy service wouldn't activate when I attempted to start the program after bootup, and the warning at the bottom of the BF GUI simply said "privacy service inactive" or words to that effect, and no action could be taken on my part to rectify the problem.

    In Windows Tssk Manager the program did not appear under processes although it did appear in Privacy Hacker, but the privacyservice.exe itself does not appear in either msconfig or in services.

    I had attempted to ascertain if the BF privacy service was disabled and I sought then to renable it either in msconfig or services if I could see the BF service there. I could not. The service does appear, though, in the BF program files in Windows Explorer. I clicked on the service, hoping it would start from its list in the program files. It wouldn't start. I then uninstalled the program--everything, using REVO uninstaller. I then reinstalled BF, and it seems to be working now on my machine. I will henceforth keep the program active and enabled in "START" when booting up the program.

    As I draft this post, I haven't rebooted the computer to see if the privacy service activates or not having just reinstalled the program, and will let you know if the problem reoccurs. Installation or Reinstallation of the program doesn't require a reboot.

    If you haven't done so, you might try using an uninstaller like REVO to remove all BF registry entries as well as program files. Then reinstall BF and see if it works on your computer.

    This program does create a conundrum for the user, as the user has very little control over the program's operations, at least for the non-enterprise version. It would be nice to see the BF privacyservice.exe listed in msconfig or services. Everything is hidden from the user with this program. It is exasperating to be unable simply to restart the service when it inexplicably stops, thereby shutting down the entire program. And the log entries don't help at all in isolating the problem and suggesting a fix. The only option appears to be a complete uninstall/reinstall of the program, which, at least in my case, did resolve the issue, but I will have to see whether the program inexplicably goes on the fritz again. It may be that the program prefers to start on bootup, as important BF coding may be lurking, as with many security software, deep in the Windows kernel, which requires loading, along with critical Windows services, during the bootup process.
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,027
    Location:
    Among the gum trees
     

    Attached Files:

  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,392
    Location:
    Under a bushel ...
    :thumb:

    And msconfig ...
     

    Attached Files:

  15. FANTAZIUS_MALLARE

    FANTAZIUS_MALLARE Registered Member

    Joined:
    Apr 12, 2021
    Posts:
    19
    Location:
    CLEVELAND OHIO
    I stand corrected. You and paulderdash are right. I didn't check msconfig carefully enough. I went back. I was looking for the BF service under the name, "black fog," and didn't scroll down far enough and check carefully enough to see it listed under "privacy service." It was getting late; working late. Too tired. Anyway, it was there, after all. Thanks.:thumb:
     
  16. FANTAZIUS_MALLARE

    FANTAZIUS_MALLARE Registered Member

    Joined:
    Apr 12, 2021
    Posts:
    19
    Location:
    CLEVELAND OHIO
    lucd, my guess is that your tweaks may be affecting BF, as you, yourself, surmise. I know that, having used, at times, programs such as NVT Syshardener or Hard_Configurator myself, those programs, designed to lock down a computer, have often had a deleterious effect on the operation of other software on my machine, that often isn't immediately apparent; and, since I am not a computer programmer, developer, electrical engineer, or even a sophisticated user, I have to be ever mindful of my lack of erudition and of the negative results of overzealousness in employing this and that security software on my machine. That is why I turn to this Forum, finding it to be uniquely beneficial.

    In any event, as I mentioned in my post last night, I checked to see if BF is functioning on my machine after normal bootup, after the problem I had with BF, and BF seems to be doing fine.

    In terms of malware, I think that is unlikely to be the case given the security you have. But, when I encounter slowdowns and constant freezes and the like, I find that reinstallation of the OS to a simple, clean state is the best, if drastic, answer to dealing with a multiplicity of sins.

    I find now that, when I add a particular security software, I let it "play" for several days on my machine, to see how it gets along with other programs before I consider adding others. As I read posts on this Forum, it appears that, in comparison to several years ago, Wilderssecurity readers, today, seem to be shying away from the employment of extensive arrays of security software, in favor of simplicity. As it is said, sometimes the cure (too much security software) is as bad as the sickness (infestation of malware). But, since the intelligence and counterintelligence community in our Country seem reluctant, at best, to lock down our nation's information technology infrastructure, preferring to have numerous backdoors available to them, those backdoors will be and are being exploited by a flurry of bad actors, as well, which include, unfortunately, the supposedly "good" actors, namely, that same intelligence and police apparatus of our Government, along with that of the mega-corporations, and it is only getting worse. But, I am getting off-topic.

    But, as for BF, I find it odd that the program apparently lacks a self-protect feature, but I could be wrong about that as well, as I often am, I am sorry to say, about so much else.:cool:
     
  17. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    665
    Location:
    Island of Woman
    exactly , when I saw blackfog using system default utils (eg. icacls, attrib.exe) I immediately thought that's room for issues, but as said blackfog should not be silent that it's rendered useless by some restriction policy, should go red, instead everyting appears to work but its not. That and the parent processing of svchost should be displayed (it would be nice to have), eg werfault/svchost : an example of app bypassing werfault restrictions is libre office: will communicate via werfault exe, but that's not the point, they try really hard at abusing svchost and error reporting
     
    Last edited: May 12, 2021
  18. FANTAZIUS_MALLARE

    FANTAZIUS_MALLARE Registered Member

    Joined:
    Apr 12, 2021
    Posts:
    19
    Location:
    CLEVELAND OHIO
    lucd, yes, it would be nice if windows error reporting would be more elucidating or, in the alternative, if BF, itself, would self-diagnose and point to where the hangup is occurring so the user can take action. Wish I could help.

    When I encounter conflicts, uninstalling or shutting down security one-by-one sometimes helps, but often, not. Perhaps Windows registry keys get messed up. At that point best to reimage or do a clean install and cut out the use of restriction software like NVT Syshardener and the like or otherwise use gingerly.

    Best to hear from Darren. Must be tied up. You may wish to contact BF directly on this. Would like to know how or if you can resolve this matter short of doing away with BF altogether. Good luck. Stay in touch.
     
  19. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    665
    Location:
    Island of Woman
    I believe the main problem is that it tries to download stuff but its blocked (see log), I must have added blackfog ip to block list since its very similar to azure range

    Most of the time when you break stuff its from your own stupidity, I should dedicate time to something else
     
    Last edited: May 11, 2021
  20. FANTAZIUS_MALLARE

    FANTAZIUS_MALLARE Registered Member

    Joined:
    Apr 12, 2021
    Posts:
    19
    Location:
    CLEVELAND OHIO
    lucd, ESET antivirus? I don't use it; had long used NORTON as my mainstay, despite the large footprint and ADS. Yes, BF does go "RED" if disabled, if deliberately, in "INSTALL" mode, or, otherwise, when BF fails to function, in which event, the bottom lefthand corner of the main GUI says, "PROTECTION INACTIVE." I also make note of the fact that I just became aware of, that, when, I place BF in "INSTALL MODE," as I did just a couple of minutes ago, for 15 Minutes, as a test, I then attempted to cancel "INSTALL" and could not do so. A message on the main GUI said that policies would be reenabled after the expiration of time and I saw a "COUNTDOWN." This is not good. The user should be able to cancel "INSTALL" at will.

    I exited the program and restarted it, but BF was still in "INSTALL MODE." Clearly, BF requires much more work, first, to give the user more hands-on control over it, second, to provide comprehensive error reporting, and, third, to provide, more detailed information, on what, exactly it is doing in its operation.

    When a security program operates aggressively but gives the user little feedback and little to no user control over that operation, that, to my mind, is cause for some concern, if not alarm. BF denies user flexibility over the program's functioning. In that regard, BF operates more like HEIMDAL than like such programs as, say, "HITMAN PRO ALERT" and "SPYSHELTER," or even "NORTON," for that matter.

    As I complete this post, BF is now active again, but, this philosophy of "SET and FORGET" that we are seeing more and more in new security programs causes more headache than relief. Why should user flexibility be limited to one model, such as the so-called "ENTERPRISE" version, and not others? And, yet, that the user can shut the program down so easily--the one thing a user can readily accomplish--could not a hacker do the same to it? Why isn't there a user "LOCKDOWN PROTECT" feature here? From a logical perspective alone, this strikes me as something of a design flaw that could have been, and should have been, readily foreseen at the get-go, and dealt with during early development but certainly before release.

    It seems to me that computer program developers, while spending time, as well they should, on seeing to it that a program does accomplish what the promo ads say it will do, ought to spend as much time designing into the program such things as comprehensive and truly elucidating error reporting and assessment reporting features, and no less considerable user flexibility and control over a program's functioning.
     
  21. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    665
    Location:
    Island of Woman
    I wouldn't bloat it too much with options and I don't want spy shelter experience but it would be cool to have more information in the network tab,

    thousands of connection can go through svchost so limiting access from apps would be nice, it is already done internally though, you can block malicious dll via policy* but I am sure there are more ways to exploit svchost or legitimate process can raise privacy concerns too
    (removed some forum posts as I am not 100% sure what happened between me and blackfog). I agree it wouldn't hurt to be able to run diagnostics internally to check if all barriers work
    *
    ::svchost ONLY signed dlls
    reg add "HKLM\System\CurrentControlSet\Control\SCMConfig" /v EnableSvchostMitigationPolicy /t reg_DWORD /d 1 /f
     
    Last edited: May 11, 2021
  22. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    Yes it is a total balance guys, if we provide too many options then people are turned off in our experience. You guys are the other extreme where there is just never enough... We keep striving for the right balance and protection. If my Mom can use it then we pass the test...
     
  23. FANTAZIUS_MALLARE

    FANTAZIUS_MALLARE Registered Member

    Joined:
    Apr 12, 2021
    Posts:
    19
    Location:
    CLEVELAND OHIO
    Not to belabor the point, but, in one instance, when, as recited in an earlier post, BF failed to function, showing a "RED" icon, and the main GUI was saying "PRIVACY INACTIVE" or words to that effect, but without any indication why, I was perplexed. The only thing left for me to do was to uninstall and reinstall the program and hope that it would work, and, fortunately, it did. The program was again operational, and to date, everything remains normal. But, Windows error reporting service didn't hint at a possible cause for the problem either and I am still left to wonder what could possibly have caused the snag.
     
  24. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    Its nearly impossible to know from machine to machine unfortunately as people have a myriad of products installed and running. In future though you can always restart the service as thats what Inactive normally means, we will make it more obvious in a future edition.
     
  25. FANTAZIUS_MALLARE

    FANTAZIUS_MALLARE Registered Member

    Joined:
    Apr 12, 2021
    Posts:
    19
    Location:
    CLEVELAND OHIO
    Darren, thank you for your feedback. I did try to restart the service initially, but that didn't work. So, I had to take the only action left for me, as I could ascertain, which was to uninstall and reinstall the program, which is no big deal anyway. It isn't nearly as time-consuming and disruptive as reinstalling an OS. As you point out, with the complexity of computers and the individual nature of each machine, each with its own unique complement of hardware and software, it is often really difficult to decipher the cause of the sudden non-performance of any one program on any one occasion on any one machine, apart from a hands-on look at that machine.

    But, if I may suggest, a couple of things you may wish to include in a new version of the basic BF program would be, the ability to cancel "INSTALL MODE." At the moment, a user can only set the feature for 15, 30, or 60-minute increments without a means to shut installation mode off if no longer needed. Even on reboot, BF is still in "INSTALL MODE" until the built-in timer runs down. At least that was the case for me. A second feature would be a "SELF-PROTECT" switch, which many security programs have. But, that may already be built-in to the program. I don't know. I do know that I can shut the program down easily enough if I want to or when I feel I may have to, but it would be good to know that a self-protect mechanism exists for BF and that the user has some control over that. Thank you.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.