Discussion in 'other anti-malware software' started by liba, Feb 2, 2018.
Oh yeah, one can stop the protection for a period of time. But when is something like that ever good?
You guys are getting pretty skilled at this now. Yes, the install mode allows you to install other products as mentioned. You can also whitelist individual items. If the system, for example, blocks an app you want, just open the Threats window and click on the entry and you will see there is a whitelist option. That will then permit it in future.
Paul, the scroll bar is locked on your device because you have the Enterprise edition, which has "Network Lock" on. There are various options like this to stop users in corporations adjusting security settings. Just toggle the option on the console and it should be enabled again. Make sure you click update on the client to pull the setting immediately.
Krusty, the advertising is not persisted on restart if you manually restart and miss the persist window. Hence the mismatch there.
CruelSister, you are correct on the execution prevention part, but there are many other techniques employed on the network layer for ransomware. There will be more, but we have focused on the network activation of ransomware. As mentioned, we will be introducing some new mechanisms for local execution shortly.
Re "Miners can connect anywhere...": can you explain what you mean? We have inherent blocks to all miners in the system, so as long as it's running they should not be able to connect to your machine.
OK, got it, pretty obvious really.
Krusty I will get them to save those stats more often in future so it doesn't go to zero on restart.
Also note that the Install mode only stops the local execution rules, not anything else, so you are still protected. I totally agree with Cruel Sister on this... which is why it only stops the bare minimum to allow your installer to run.
Why did you ignore my post? https://www.wilderssecurity.com/threads/blackfog-privacy-3-3-1.400343/page-5#post-2737460
I'm just trying to figure out what BFP brings to the table. I'm not trying to be negative, but I can already block advertising with extensions, and don't see the point of data cleaning. Also, there are plenty of exploit blocking tools available. Not to forget about Google's Safe Browsing and Windows SmartScreen which are in fact URL filters. So the part that is mostly interesting to me is the outbound protection, how does it block the C2 communication? Also, this won't stop certain ransomware variants if they are already running, as mentioned by Cruelsister.
Another point is that these built-in systems are specific for individual apps, our system is less specific because we work at a lower level and therefore apply to all running apps.
As for the outbound protection, this is our main focus and so we stop communication to C2 servers using a lot of different techniques, from standard blacklists through to communications techniques, based on what the various pieces of ransomware do. The paper I quoted from the University of Birmingham provides a more exhaustive list of ways they can do this. So there is not only one technique employed.
One last point is that if the ransomware is already running, that's going to be more problematic. While we will still pick up some activity and disrupt them, we prefer to be installed on a clean system to get the most benefit.
Can your software do what the software below does with an alert, i.e., blocking an email attachment from phoning home when it's opened?
My Settings > Update & Security > Windows Update > View installed update history > Update history is blank.
(Uninstall updates does show a list of updates but with no details; Date modified, Type and Size are blank.
CP > Programs and Features > View installed updates shows the complete list OK.)
This is a recent development. A shot in the dark but could BFP be doing any cleaning in this area?
Nothing much else has changed here, and only seen on machine with BFP installed.
What about if you go to Control Panel > Programs and Features and select View Installed Updates from the link at the left side of the page?
Just updated my post stapp. That looks fine.
Yes, BFP removed my Update History on my three machines too.
I will have someone review the rules and confirm shortly.
Yes, it could have been BF doing that according to the rules. The rules have been updated this morning to remove the offending rule, as it offers no privacy benefits anyway. If you click Help > Update it will pull the rules immediately rather than waiting for a few hours.
NiteRanger: Yes, this is exactly what we do in terms of blocking activation. Now, I don't know what that particular example does method-wise, but there are a few layers that would attack that problem.
By the way we are releasing an additional layer to intercept PowerShell scripts this week too, which I think was what you and Paul were interested in. That will be version 3.4.
After watching that video again, it looks like we stop it several ways. First, we block the execution of the PDF before we even need to block the activation, so we pick that up even earlier. It uses the classic double extension trick.
Thanks Darren. Have done that - will check later to see if Update history is listed again (still blank now). In my experience there may be some delay ...
I doubt the deleted history will show again. Any new updates going forward should not have the history deleted though.
Just wondering why the update history is still visible in Control Panel > Programs and Features > View Installed Updates after it has been wiped from Settings. Was the wipe in Settings just a 'cosmetic' one? (just removed the text)
My understanding is that the updates themselves are not touched, just the date they were installed and any error messages about failed updates.
So cosmetic... thanks Krusty.
Not a BF user myself, but following the thread and just wanted clarification on that situation.
I can confirm this, I have had 3 Office updates since, and these are the only ones that show now.
Was wondering the same. So 'update history' is not sourcing the 'installed updates' list... I notice also, on the latter, that most Office updates, though not all, are now dated yesterday...
I've had the same thing happen on a Win7 machine years ago when I restored an image backup within Windows using Symantec System Recovery. The Update History was removed but the updates were still installed.
Do the installed updates for the 'wipe' period still get listed in Reliability History ?
stapp, not sure where you mean, how do I navigate to that?
Edit: OK, got it. I do see them ...
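The posts above work out that the Settings "Update history" page and the Control Panel "View installed updates" list are not fed from the same place, so one can be blanked while the other is intact. The following PowerShell is an added example written for this thread, not code from BlackFog or from any poster, that compares the two views on a Windows 10 machine. It assumes (my reading, not something the thread confirms) that the Settings page is rendered from the Windows Update agent's own history, which is what IUpdateSearcher.QueryHistory returns, and that the Control Panel list corresponds closely to the installed packages that Get-HotFix (Win32_QuickFixEngineering) reports. The names Get-WuHistoryKbs, Get-InstalledKbs and Compare-UpdateViews are my own.

```powershell
# Added example (not BlackFog's code): compare the Windows Update agent's history,
# which backs Settings > Update history, with the installed-package view that
# Control Panel > View installed updates shows. Run in an elevated PowerShell.
#
# Assumptions, not stated in the thread:
#   - Settings reads the WU agent history (Microsoft.Update.Session COM object).
#   - Programs and Features is close to what Win32_QuickFixEngineering reports.

function Get-WuHistoryKbs {
    # Pull every history entry the WU agent still holds. An empty result is the
    # "Update history is blank" situation described in the thread.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }

    $searcher.QueryHistory(0, $count) | ForEach-Object {
        if ($_.Title -match 'KB\d+') {
            [pscustomobject]@{
                KB     = $Matches[0]
                Date   = $_.Date
                Result = switch ($_.ResultCode) {
                    2 { 'Succeeded' } 3 { 'SucceededWithErrors' }
                    4 { 'Failed' }    5 { 'Aborted' } default { 'Other' }
                }
                Title  = $_.Title
            }
        }
    }
}

function Get-InstalledKbs {
    # Installed packages as the OS sees them; these survive a history wipe
    # because they come from the package store, not the WU history.
    Get-HotFix | Select-Object -ExpandProperty HotFixID   # e.g. KB4056892
}

function Compare-UpdateViews {
    $history    = @(Get-WuHistoryKbs)
    $installed  = @(Get-InstalledKbs)
    $historyKbs = @($history | Select-Object -ExpandProperty KB -Unique)

    [pscustomobject]@{
        HistoryEntries        = $history.Count
        InstalledPackages     = $installed.Count
        # KBs that are installed but have no history entry: on a machine whose
        # history was wiped this list is large; on a clean machine it should be
        # short (e.g. updates applied from an image or by DISM).
        InstalledButNoHistory = @($installed | Where-Object { $historyKbs -notcontains $_ })
        # The on-disk store the WU agent keeps its history in. A cleaning rule
        # that touches this directory would blank the Settings view only.
        HistoryStore          = Join-Path $env:windir 'SoftwareDistribution\DataStore\DataStore.edb'
    }
}

$r = Compare-UpdateViews
"WU agent history entries : $($r.HistoryEntries)"
"Installed (QFE) packages : $($r.InstalledPackages)"
"History store            : $($r.HistoryStore)"
"Installed but missing from history:"
$r.InstalledButNoHistory
```

If HistoryEntries is 0 while InstalledPackages is not, the machine is in the state the thread describes: the updates are present, only the agent's record of when they were installed (and any failure messages) is gone, which is why Control Panel still lists them and why new updates start appearing in Settings again once the offending cleaning rule is removed.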