BlackFog Privacy

Discussion in 'other anti-malware software' started by liba, Feb 2, 2018.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I got curious about the Ransomware, so I set up the VM, turn off everything but BFP. I ran several pieces of Ransomware by it and with all three I ended up encryped files 3 times. I stopped at that point.
     
  2. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    I will respond to these in more detail tomorrow.
     
  3. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    Note one thing when testing though, that you need to simulate a user getting infected rather than downloading the ransomware onto the desktop and testing like that. The first line of defense that you will hit with BF is the execution prevention, but that wont happen if you use the desktop or put it on your drive yourself.
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
    Darren - with this sort of Threat Detection:
    Prevented execution of c:\users\nnnn\appdata\local\temp\GOOGLE_DRIVE_UPGRADE_chnhwq\googledrivesync.exe using rule C:\Users\nnnn\AppData\Local
    does the EC Settings>Global>Windows Application Whitelist support wildcards e.g.
    \temp\GOOGLE_DRIVE_UPGRADE_*\googledrivesync.exe, or \temp\*\googledrivesync.exe?
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    Darren- I don't follow the execution prevention comment you made. As examples:

    1). if one goes to a malicious site that has an exploit kit that carries ransomware- the kit must act locally (ie. on the victim's computer). There would be two potential ways of stopping the malicious cascade, either by blocking the download of the kit or by detecting and stopping it locally. Are you saying that BF just prevents the downloading?

    2). Miners- once again, these MUST stay resident on the Local system, and to stop a miner a security app must detect it no matter where it is initiated from, or at least by how it is operating (high CPU cycles, consistent Outbound connection).

    3). Email malware- "click this link to see Pix of Ophelia naked"- the malware will be downloaded and run from Temp. How is this distinguishable from saving and running to the desktop (unless there are specific preclusions in place to prevent things initiating from specific areas).

    4). From your website: "BlackFog's fileless cybersecurity software protects your online and offline" From this one can infer from the Offline comment that protection is protection no matter where things are initiated.

    5). If BF stops malware A when run from the Desktop, how would running malware B (which it may not stop) from the Desktop be invalid?

    6). And about the comment "BlackFog provides protection for more than 26 million threats and blocks both the distribution and activation of ransomware on your device". Should this be taken as "as long as it is not initiated locally".

    D- I'm not trying to give you a hard time, just a fair shake...

    M
     
    Last edited: Feb 12, 2018
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I believe it does block execution as long as it is in %Appdata%. Unfortunately to me if true that isn't adequate.
     
  7. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    Ok here are a few responses from the weekends questions. Some good comments. Let me do these in reverse order:

    We do indeed have execution prevention in place so that we can block double extensions, localappdata and appdata (this also includes temp). There are a few others too. We then whitelist legitimate apps that try and use these locations which is technically not permitted anymore. Now you can of course whitelist your own apps as well and if you use the E console you can use wildcards as Peter pointed out. The goal of this is to prevent most bad actors while still making your computer useable. Naturally we could go crazy here, so striking the right balance is a challenge.

    Cruel Sister, some good questions. In terms of blocking we don't rely on one layer but several. So yes we can block downloading, but if we miss it, then we need to provide other techniques such as execution prevention, and then stopping the C2 access as well. So while it may get onto your computer we will have other mechanisms available to stop it. We are continually adding new methodologies to layer over these to catch the ones that get through. Since all of this malware, mining etc have to get out, this is why we target this mechanism. If they cant get out, for exchanging keys or stealing data then they cannot do much.

    The miners are the most common these days so we have focused more and more not hat in recent weeks and have a good hit rate on those.

    The 26 million default preventions included are c2 servers, miners malware etc. So it doesn't matter from our perspective if they are initiated locally not, they still cannot communicate to their servers to exchange keys to activate.
     
  8. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    One other interesting point, is that we use DoD level wiping and sometimes that gets in the way of some existing security products that I notice some of you running into, where the service will be stopped. To help out this regard we are adding to the next patch the ability to use a standard delete so it can bypass these write rules on other security tools.

    That should be available in 48 hours or so.
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
    AppCheck detected PrivacySvc.exe as ransomware :), so just whitelisted it.
     
    Last edited: Feb 12, 2018
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Darren

    Couple of critical points, at least to me.

    1. Especially with Ransomware, nothing short of 100% is acceptable. You can protect 99%, but if I get hit with one of the 1%, then the product failed me.

    2. THe stopping of ransomware communicating with the servers does nothing for me. I tested 3 pieces of ransomware and in all three cases the files were encrypted.

    3. Your assumption of where you need to block is wrong. Most malware is delivered in email. Very few people download to those locations. They either go to a download folder or the desktop. I've watched Cruelsisters videos. She mostly initiates from the desktop.

    Pete
     
    Last edited: Feb 12, 2018
  11. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    Totally agree you need 100%. This is what we are striving for, as is every other vendor. Some great feedback on this forum which is already being incorporated as we speak. As noted above, all ransomware has to communicate through the network art some point to do its damage so thats what we target. Now we will continue to beef up the execution prevention as well as the process monitoring to solve the desktop / downloads folder issue as well. So I will let you know when thats in the release so you can play with it.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Darren reread what I wrote. I am assuming the outbound was block, but the ransom ware I ran encrypted the files anyway.

    Let us know. I will test for you. See I already have 100%, but it isn't achieved with a ransomware program.
     
  13. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    Ideally it should have blocked the communication to the C2 server too, because they need to grab the encryption key in order to start the encryption process among other things (I don't want to disclose every method of course as I am sure competitors will be watching). Can you PM me the ones you tried so I can send it to our labs to verify.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Darren

    I am afraid I can't do that as I have agree with several people that I won't do that. Sorry.

    Pete

    However I can work the other way. If you have any you want me to try that I can do. Just PM
    me.
     
  15. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    Sure we understand that.
     
  16. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    With regard to miners- I understand how the blocking of communication by the malware to Command can be done quite well in the case of in-browser mining services, but shouldn't this prevention also be the case for a locally executed Miners?

    Also, much less than half of all ransomware (in my limited experience, anyway) need to connect to Command to initially encrypt.

    Peter- you are quite correct about the folder from which malware will be dropped. Ophelia can drop it anywhere...
     
  17. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    Correct, locally executed miners should work exactly the same. As long as we handle them internally, which we have so far... It also takes us a only a few minutes to update all systems with additional rules, which is why we designed it this way so you don't have to run any updaters all the time.

    Interesting observation about ransomware from your experience. We clearly need to beef this area up more for detecting this and I know we are working on some of this using ML already. Just needs a lot more testing before we can roll it out. We have also added in our latest beta (based on some observations in this forum), blocking of powershell script anomalies such as those from the recent GanGrab attack.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That is quite a giggle.
     
  19. Darren Williams

    Darren Williams Developer

    Joined:
    Feb 4, 2018
    Posts:
    407
    Location:
    California
    Note that we released 3.3.3 today with some minor additions based on feedback such as a new "Standard Delete" option and the ability to mute browser clean notifications as requested by some of you.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,999
    Location:
    Among the gum trees
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,999
    Location:
    Among the gum trees
    Running great here. Love the ability to mute the clean notifications. :thumb:
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,999
    Location:
    Among the gum trees
    I had the service not start on one machine (different machine than before) after a system restart meaning the tray icon was red and Network Protection was disabled.

    Also, on another machine the 'Advertising' and 'Profiling' tiles are blank for today after a system restart.

    Edit: There were over 190 ads blocked before the restart but now the tile shows 1.
     
    Last edited: Feb 13, 2018
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
    Not fixed in 3.3.3.

    Thanks for adding standard deletion.
     
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    I played around a bit this morning with the newest version and things were made a bit more clear to me.

    1). There is indeed a specific preclusion for anything being initiated in AppData. So go to a website that will have an exploit that tries to start a Pony info stealer (invariably dropped into AppData) and you will be protected. Click on an email Document (or save it ANYWHERE) that contains a Powershell script that will download some malicious something into AppData and it will be stopped. The downside to this protection modality is don't even think about installing legitimate things (like Java) as these will also be stopped. Policy is Policy and it is agnostic.

    2). I suppose I inferred too much when I saw the Ransomware protection blurb on the product website. My assumption was that there was intrinsic mechanistic protection against these baddies instead of just a general policy to prevent executables from running from certain places. Perhaps this should be clarified to prevent confusion for simple minds like mine.

    3). The 4 hour mandatory cleaning of the browser temp is a good idea, as I know you guys like to dwell on porn sites for extended periods and any crap running in temp will be deleted.

    4). The Outbound connection protection aspect of BF can be improved. Miners can connect anywhere (like Ophelia's server).
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
    I already experienced this with a Google autoupdate (googledrivesync.exe). One can whitelist in the console, still testing if wildcard works ...

    For manual updates one can go into install mode for 10 minutes, right-click taskbar icon. I would imagine that overrides the policy ... ?
    Knowing the quality of your testing, this is disappointing. :(:cautious:
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.