BlackFog's fileless cybersecurity software protects your online and offline privacy using real-time predictive threat detection, with 9 layers of defense against ransomware, spyware, malware and unauthorized data collection and profiling.
https://privacy.software.blackfog.com/wp-content/uploads/2016/10/BFPrivacyUI.png
http://s3.amazonaws.com/blackfog.downloads.us/BlackFogPrivacySetup.exe
Looked interesting. However, I met an "installation failed" message and the installation aborted - so I have no impressions except a shake of the head.
You know, I normally can smell "fake security" apps from a mile away, and something about it just doesn't feel right. It's completely unclear how this app tries to protect against malware and tracking. Is it signature based or does it use behavior blocking? Not a word on the website about this stuff. And yet it claims to protect against file-less malware which is pretty hard for even the most advanced tools.
Some more information:
Blackfog Privacy - Fileless protection for Home and Office v3.3.1 (January 31, 2018)
'Real-time protection against online threats'
"As featured on 'killerstartups'": Private Eyes, They’re Watching You – Unless You Use BlackFog (Mar 18, 2016)
Website | Download (Windows & macOS Installer) | Store | FAQ (Excerpt):
I've now managed to get BlackFog installed and have a look at what it does and its options. It seems to me quite similar to the Ruiware products in its scope, but it's certainly light on resources and unobtrusive - and that, for me, is its greatest weakness. It creates a running daily log of events, mainly of files that it's deleted or detected. Unfortunately, there's no way to approve its actions before deleting and no way of rolling back the changes. Here's a very small example of some of today's log file:
[2018-02-04 10:50:28] Deleted: C:\Users\xyz\AppData\Local\Temp\lptmp\languages\zh_TW\zh_TW.xpm (4 KB)
[2018-02-04 10:50:28] Deleted: C:\Users\xyz\AppData\Local\Temp\scoped_dir4480_24174\Cookies (5 KB)
[2018-02-04 10:50:28] Deleted: C:\Users\xyz\AppData\Local\Temp\scoped_dir4480_24174\Cookies-journal (1 KB)
[2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-file-l1-2-0.dll.bak (18 KB)
[2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-file-l2-1-0.dll.bak (18 KB)
[2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-localization-l1-2-0.dll.bak (20 KB)
[2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-processthreads-l1-1-1.dll.bak (18 KB)
[2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-synch-l1-2-0.dll.bak (18 KB)
[2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-core-timezone-l1-1-0.dll.bak (18 KB)
[2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-crt-convert-l1-1-0.dll.bak (22 KB)
[2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-crt-environment-l1-1-0.dll.bak (18 KB)
[2018-02-04 10:50:28] Deleted: C:\WINDOWS\Temp\api-ms-win-crt-filesystem-l1-1-0.dll.bak (20 KB)
[2018-02-04 10:52:23] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Extension State\MANIFEST-000001 (40 B)
[2018-02-04 11:53:43] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Jump List Icons\091d5de1-f79d-4e35-a724-f2010325c4da.tmp (27 KB)
[2018-02-04 11:53:43] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Jump List Icons\1d6eec1b-e4b5-41a8-ab9b-3c33afbb3b97.tmp (27 KB)
[2018-02-04 11:53:43] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Jump List Icons\343da0a1-fdce-4bd7-b723-e26160970eb5.tmp (27 KB)
[2018-02-04 11:53:43] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Jump List Icons\660d6228-8f94-4404-8f48-160cd29e3ac7.tmp (27 KB)
[2018-02-04 11:53:43] Deleted: C:\Users\xyz\AppData\Roaming\Opera Software\Opera Stable\Jump List Icons\9332d916-01c3-4e52-8394-6d7f3439c2db.tmp (27 KB)
I'll keep an eye on this for the duration of the 30 day trial, but I'm not convinced that it offers anything more than EAM and Adguard. We'll see.
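Since the product deletes without asking and offers no rollback, a reviewer of that daily log will want to check what was removed and where. The following audit script is an added example, not part of the post or of the product: it parses the one-entry-per-line layout quoted above (timestamp, action, Windows path, size with unit), totals the bytes removed, and flags any deletion outside Temp or AppData directories. Treating those two locations as "expected" is the script's own assumption, and the last sample entry is constructed purely to show a flagged case.

```python
import re
from pathlib import PureWindowsPath
# One entry per line: "[YYYY-MM-DD HH:MM:SS] <Action>: <Windows path> (<n> <unit>)"
_LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<action>\w+): (?P<path>.+?) \((?P<size>\d+) (?P<unit>B|KB|MB|GB)\)$"
)
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Assumption: path components that mark transient or profile data; anything else is flagged.
_EXPECTED_PARTS = {"temp", "appdata"}

# Constructed sample in the shape of the log quoted in the post; the last entry is a
# hypothetical deletion outside Temp/AppData, included only to show what gets flagged.
SAMPLE_LOG = """\
[2018-02-04 10:50:28] Deleted: C:\\Users\\xyz\\AppData\\Local\\Temp\\scoped_dir4480_24174\\Cookies (5 KB)
[2018-02-04 10:50:28] Deleted: C:\\WINDOWS\\Temp\\api-ms-win-core-file-l1-2-0.dll.bak (18 KB)
[2018-02-04 10:52:23] Deleted: C:\\Users\\xyz\\AppData\\Roaming\\Opera Software\\Opera Stable\\Extension State\\MANIFEST-000001 (40 B)
[2018-02-04 11:53:43] Deleted: C:\\Users\\xyz\\Documents\\notes.txt (2 KB)
"""

def parse_line(line):
    """Return a record dict for one log line, or None if it does not match the layout."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "action": m["action"], "path": m["path"],
            "size_bytes": int(m["size"]) * _UNIT[m["unit"]]}

def parse_log(text):
    """Parse every well-formed line; blank or malformed lines are skipped."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]

def is_expected_location(path):
    """True if the path has a Temp or AppData component (case-insensitive)."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & _EXPECTED_PARTS)

def audit(text):
    """Summarise a log: entry count, bytes removed, and deletions a user should review."""
    records = parse_log(text)
    return {
        "count": len(records),
        "total_bytes": sum(r["size_bytes"] for r in records),
        "flagged": [r["path"] for r in records
                    if r["action"] == "Deleted" and not is_expected_location(r["path"])],
    }

if __name__ == "__main__":
    for p in audit(SAMPLE_LOG)["flagged"]:
        print("review:", p)
```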
Just a clarification on some of these points for those that are interested. BlackFog is focused on 2 core aspects, Privacy and Fileless Network protection. So starting with NiteRanger, yes we still recommend AV, as we don't feel it is necessary to replicate the myriad of free or paid tools that exist already, and there are plenty of great options. The forensic data collection activities on your machine can be swept using the cleaning option and these can be controlled by the Forensic options in the app, as well as the System options which control the system level collection activities from MS directly. Someone above posted a log of some of this behavior. We do not have a rollback because these are very well tested and should have no impact on your machine except in the collection of data. Each of these can be switched off from the options available. The goal here is to prevent personally identifiable data from sitting on your machine. The core part of the solution is focused on network activity which, as mentioned by someone, is behavior-based. We have plenty of blog articles on this if you want more details. For the sake of brevity though I will just summarize as follows. BlackFog sits at layer 3 of the Network stack and watches all outbound traffic and watches for anomalies in behavior; this includes data leaking to known C&C servers, crypto mining sites etc. We look at how protocols are formed, what it is sending, how and where to determine if it is legitimate and block accordingly. We have about 10 different parameters (many more under development) that are used to determine legitimacy of the traffic. In addition we monitor executable location to prevent files being dropped on your machine. As pointed out this is very complex to do and it is done in real time. We designed this to be non-intrusive and minimize false positives.
We have a complete edition available for Windows, Lite edition for Mac (focused more on ad blocking and known malware, full edition coming soon) and later this year Android and iOS editions. Happy to answer any specific questions anyone may have. Thanks Darren
If you would like some background technical information I would recommend you refer to an excellent paper from the University of Birmingham that goes into great detail on exfiltration. That will give you some insight into what BlackFog is doing. We also closely follow the Mitre ATT&CK matrix. University of Birmingham Command & Control: Understanding, Denying and Detecting by Gardiner, Cova, Nagaraja https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
Hi Darren, from the info gathered it seems BlackFog controls/protects the outbound only and NOT the inbound, right? The latter would depend on the user. How about in-process protection? Since BlackFog is about privacy protection, how about protection for the browser against the different types of fingerprinting etc.? Does it protect against the different types of ransomware like MBR encryptor, file/disk encryptor, file destroyer, screen locker etc.? And does BlackFog protect against bots and APTs (Advanced Persistent Threats)? Thanks
Hi NiteRanger, yes that's correct, we focus on outbound data because every bad actor has to get out eventually to do bad stuff, either stealing information or activating their software, exchanging keys etc. We protect against many types of fingerprinting already. If you have "Web Profiling" block turned on then they are pretty much blocked. If there are things we are missing we are happy to add to our list. We also protect against many of the encryptors already. Whilst not exhaustive, we are continually adding more. I will get back to you on more details tomorrow regarding the APTs. Re the track off information, that's a result of the google analytics scripts that our web site embeds as well as various plugins for the product pages. I will talk to marketing about disabling any of the unnecessary elements here.
Hi Darren, I'm sure you understand the irony of a product that is supposed to protect your privacy while your website is infested with trackers.
Hi, my TunnelBear Blocker for Chrome is still detecting 2 fingerprints on your website. Can you please check?
Looks like it is being picked up by Tunnelbear because the site uses HTML 5 Canvas for drawing icons etc. But we are not actually fingerprinting anything.
Regarding APTs, we carefully monitor the traffic on your device and look for anomalies in behavior so we can stop these types of programs stealing your data. By watching the pattern of network activity and data volumes we can often see trends that identify these bad actors. These algorithms are always being refined with new parameters on literally a daily basis by our engineers, and we are working on various models using Machine Learning that will be added to our next major release (4.0). Right now we are pretty good at detecting them, but nowhere near where we want it to be. As you know these are very complex to detect, so this is where we are sending a lot of our efforts right now, while at the same time keeping our system very lightweight. Happy to answer any other questions you might have. I enjoy these discussions.
Hi Darren, I have two questions. 1. The website mentions memory protection. Could you elaborate? 2. I have my system locked down very tight. I have tested against a lot of malware and nothing gets by. What would BlackFog add that would justify the expense? Thanks so much. Pete
You're begging the question: I'm 100% protected so how does your gear add value? By your math and assumptions the answer has to be zero.
Hi Pete, good questions. Here is how we look at security. The exponential rise in Network (Fileless) based attacks is only going to continue. AV solutions that rely on signatures are of little use against more sophisticated malware because they dynamically change their signature (fast fluxing). They also understand that for your computer to be useful it needs to be connected to other machines and the Internet. The attacks therefore focus on network layers that they know are open, specifically ports such as HTTP, HTTPS, RDP etc. As a consequence, efforts to thwart these new attacks need to focus on these avenues of protection. We definitely think you should have your machine locked down like you do already. This is a primary defense technique and will work against a large number of existing malware. The problem is the next generation which has now started appearing, which focuses on network weaknesses and vulnerabilities (WannaCry etc). While a large majority will continue to drop payloads on your device and execute (your lockdown defense will work nicely), we are seeing specially crafted malware that injects directly into running applications. So more of our efforts are focused on protecting your system using a layered approach. Think of it like a castle defense. The walls of the castle are like your application lockdown approach. The archers are the guys trying to break through, but progressively they start to focus on the gates (the same mechanism you use to get out). These are effectively the open ports in our scenario. So once they get in it's important to have mechanisms in place to protect everything and effectively trap and destroy them. This is what we focus on. This would include watching memory/process injection etc. and preventing propagation and ultimately activation through C2 servers, which is what we have done so far. Sorry for the long answer. I hope that clarifies things.