- Mar 29, 2018
Here's more from Dan about a new stand-alone app. Enjoy!
Hey Guys, so here is the first version of WhitelistCloud. As you guys know, this project started off as a simple online scanner to analyze and detect for Safe files as opposed to Malicious files… basically the exact opposite of VirusTotal. As you guys know, I am a huge fan of VirusTotal and WC could never replace VT, but I also wanted an engine where I could scan a file and it would tell me it is Safe as opposed to Undetected. We need both and WC could certainly never replace VT.
Many years ago, my clients would constantly look me dead in the eye and ask “Dan, I have antivirus software, how did I get a virus?” I had to explain to them that AV’s are filters, they are not locks, and there will be bypasses. Anyway, having to answer this question over 500 or so times is one of the reasons I eventually had the idea for VS.
Much in the same way VS came about, several people have asked me the last few years “Dan, VS is cool and everything, but how do I know that the only things running on my system are safe, especially before installing VS?”. And I explained to them that the best you could do would be to scan your computer with a few different AV’s, then install VS. (Which BTW is a non-issue because VS automatically cleans up the whitelist when malware is removed by malware scanners).
But anyway, this is what made me think of the idea for WC. I was not aware of any product that I could run on my machine that would constantly let me know if only Safe items were running. There are tons of products that will tell you if only Undetected items are running, but as we all know signatures, ML/Ai, behavior blockers, etc. are not perfect. I wanted a utility where I was essentially 100% confident that ONLY Safe items were running at any given time, and I wanted a very quick method for being able to ascertain this info.
So that is how the WC app started, and I started building the app about a month ago, utilizing as many of the inbuilt Windows features as possible. I have always talked about adding some kind of simple firewall to VS, and during development, I realized that since we are already classifying all of the running (snapshot) and pre-execution processes as either Safe or Not Safe, why not automatically create a firewall rule in Windows Firewall for Not Safe items?
If I had to guess, WC will probably be adopted mainly by security enthusiasts and professionals, and also SMB and enterprise networks. It would be amazing to have a tech where an IT Administrator would know at a glance that ONLY known Safe files are running on their endpoints and networks. This would provide unparalleled visibility and drastically reduce alert fatigue. I totally understand that there are already EDR and other systems that continuously monitor for malware, but I am unaware of any such system that specifically monitors for Safe files, especially that is similar to WC’s method (for obvious reasons). I would go into much greater detail on how WC works, but as you guys all know, I cannot do so at this point (besides, this document is going to be long enough). But if anyone is aware of such a system, please let me know.
But I do not see WC as something that will be adopted by consumers by the masses… it is mainly for security people and SMB / Enterprise. Although, once we refine the GUI a little more, you never know… maybe a lot of people want to know that only Safe files are running on their machines. And who knows, I think there are several very simple ways we can implement WC into VS.
As far as the GUI goes, it started out to be quite complex, but I really pared it down to the basics… I wanted this to be a dead stupid simple app that anyone can use… I just think we have some work on the GUI to get it there. And once you guys see it, I am sure you will have all kinds of great suggestions on how we can improve the user interface. The most important element in the user interface is the “Unresolved Not Safe Items” element on the Status Tab. I was not sure what to name it or what to do with it… I mean do we make it a button or what? Anyway, that is pretty much the only element that most users will need to use… we need to figure out how to make it as simple as possible.
Please keep in mind, the first 50 or so users who try WC will find it to be slow for the first 5-10 minutes, and this is simply because the database is pretty much blank. But as more and more users adopt the app, it will become super-fast. The snapshot scans should only take 1-5 seconds or so once you have run WC for 5-10 minutes.
Also, please keep in mind that this is a so there will probably be a few bugs. But as I mentioned, the code should be pretty darn stable since I borrowed a lot of it from VS, which tremendously sped up development time for WC. If I had to write WC from scratch, it would have taken a year or two, and even then, we would be squashing bugs for several months after that.
BTW, please let me know if anyone is aware of any existing products that function similar to WC. It is important to respect other companies’ intellectual property, otherwise there is no reason to build new cool stuff. I would have asked online if anyone knew of a product similar to the ideas that I have for WC, but since I applied for a patent, I was not allowed to disclose the ideas before the application was submitted. You will certainly find things that are similar, simply because there is so much overlap and cloning in tech in general, but even more so in cybersecurity. But anyway, if there is something similar that I am unaware of, please let me know… this is important.
So WC includes 2 main functions:
- Continuously let the end user and IT Administrators know if ONLY Safe items are running on the endpoint / network.
- Create a Windows Firewall rule if an unknown Not Safe item is detected, until the end user or IT Administrator approves of the item.
The whole goal was to keep WC as stupid simple as possible… and I think we are close. It is a version so there might be a few issues, but I believe most of the bugs are worked out. I also did not want WC to be all “in your face” and demand your attention constantly… I call it passive whitelisting. WC will casually alert you on the next snapshot scan, although there is an option to disable alerts altogether, which we might want to enable by default. These are all things we can brainstorm over and figure out what is best and make refinements as we go.
I have not implemented the kernel mode driver yet and may not ever, it all depends on the feedback that I get because there are pros and cons in doing so. WC is not intended to stop the latest ransomware in its tracks like VS does. Rather, WC is more concerned with the other VAST majority of malware that continuously executes on a machine, and exfiltrates data (for example), or propagates to another machine on the network (remember, WC automatically adds a firewall rule for new Not Safe items). Or maybe a banking trojan, RDP or coinminer… you guys get the idea.
Thank you guys!!! I hope you enjoy WC! It is seemingly simple on the surface, but there are a lot of cool things going on under the hood.
WC First Use Instructions…
- Install WC from here: www.whitelistcloud.com/Download/InstallWhitelistCloud.exe
- WC will scan your running processes and upload the files for analysis if they are not already in the database. Realistically this scan should take less than 5 minutes. When I clear out the database completely and test on 2 of my machines, it takes 1.5 minutes on one and 2 minutes on the other.
- If any Not Safe items are detected, they will show up on the Scan tab where you can click on each one and whitelist the item if you know it to be Safe.
And really that is about it… as long as the WC tray Icon is white (and not red), you are essentially 100% confident that ONLY Safe files are running on your system at any given time. And if something does try to sneak in, WC will create a firewall rule until you have had the chance to approve of the item.
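Added illustration of the two functions Dan describes above: a snapshot scan that classifies each running executable as Safe or Not Safe against a database of known-good hashes, and an outbound Windows Firewall block rule for every unresolved Not Safe item until the user approves it. This is not WhitelistCloud's code and says nothing about how WC actually classifies files; the Safe database, the process snapshot, the file paths and the `WC-block-` rule naming are constructed assumptions. The `netsh advfirewall firewall add rule` syntax is the real Windows command line, but the block only executes it on Windows when `dry_run=False` is passed from an elevated shell.

```python
# Added example (not WhitelistCloud's code): snapshot classification against a
# Safe-hash database, tray state derived from it, and one outbound block rule
# (netsh advfirewall syntax) per unresolved Not Safe item.
# SAFE_DB and SAMPLE_RUNNING below are constructed sample data.
import hashlib
import subprocess
import sys
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    """Result of one snapshot scan."""
    safe: list = field(default_factory=list)       # image paths judged Safe
    not_safe: list = field(default_factory=list)   # (image path, sha256) pairs


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """Hash a real executable on disk (for scanning live process images)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_snapshot(running, known_safe_hashes, approved_paths=frozenset()):
    """running: iterable of (image_path, sha256 digest).

    An item is Safe if its hash is in the Safe database, or if the user has
    explicitly whitelisted that path after reviewing it on the Scan tab.
    Everything else stays Not Safe until resolved (default-deny on unknowns).
    """
    snap = Snapshot()
    for path, digest in running:
        if digest in known_safe_hashes or path in approved_paths:
            snap.safe.append(path)
        else:
            snap.not_safe.append((path, digest))
    return snap


def tray_state(snap: Snapshot) -> str:
    """'white' only when every running item is Safe, otherwise 'red'."""
    return "white" if not snap.not_safe else "red"


def firewall_block_rule(path: str, digest: str) -> list:
    """netsh command blocking outbound traffic for one program image.

    The rule name embeds a hash prefix (assumed naming) so the rule can be
    located and deleted once the item is approved.
    """
    return [
        "netsh", "advfirewall", "firewall", "add", "rule",
        f"name=WC-block-{digest[:12]}",
        "dir=out", "action=block", f"program={path}", "enable=yes",
    ]


def apply_block_rules(snap: Snapshot, dry_run: bool = True) -> list:
    """Build one block rule per unresolved Not Safe item and return the
    commands; execute them only on Windows when dry_run is False."""
    cmds = [firewall_block_rule(p, d) for p, d in snap.not_safe]
    if not dry_run and sys.platform == "win32":
        for cmd in cmds:
            subprocess.run(cmd, check=True)   # requires an elevated shell
    return cmds


# Constructed sample data: a tiny Safe database and a fake process snapshot.
SAFE_DB = {sha256_bytes(b"explorer.exe sample bytes"),
           sha256_bytes(b"svchost.exe sample bytes")}
SAMPLE_RUNNING = [
    (r"C:\Windows\explorer.exe", sha256_bytes(b"explorer.exe sample bytes")),
    (r"C:\Windows\System32\svchost.exe", sha256_bytes(b"svchost.exe sample bytes")),
    (r"C:\Users\dan\AppData\Local\Temp\updater.exe", sha256_bytes(b"never seen before")),
]


def demo():
    """First scan finds one unknown item; the user then whitelists it by path."""
    first = classify_snapshot(SAMPLE_RUNNING, SAFE_DB)
    rules = apply_block_rules(first)              # dry run: commands only
    second = classify_snapshot(SAMPLE_RUNNING, SAFE_DB,
                               approved_paths={SAMPLE_RUNNING[2][0]})
    return first, rules, second


if __name__ == "__main__":
    f, r, s = demo()
    print("tray:", tray_state(f), "unresolved:", [p for p, _ in f.not_safe])
    for cmd in r:
        print(" ".join(cmd))
    print("after approval, tray:", tray_state(s))
```

The point of the default-deny branch is that an unknown hash is treated exactly like a known-bad one for firewall purposes: nothing is blocked on the strength of a detection, only allowed on the strength of a match, which is the "opposite of VirusTotal" framing in the post. To scan a live machine you would replace `SAMPLE_RUNNING` with `(image_path, hash_file(image_path))` pairs for each process image you enumerate.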