DataDefender

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,725
After 77 days of development, DD is pretty much ready. It is a standard backup app with a few unique features. Eventually we will add support for cloud backup, cloning, SQL backup, etc, but we are off to a great start.

In addition to the backup component, there is also what I believe to be a unique method for detecting ransomware. In a few days we will release a DD beta and I will explain how the anti-ransom mechanism works. If there is a similar ransomware detection mechanism on the market, please let me know (this is important).

The one thing I can tell you at this point is that it is nothing like Controlled Folder Access, or any of the anti-ransom mechanisms that grant or deny specific individual applications access to user data files. Tech like this is pretty cool, but it is extremely difficult to use and I would think would be quite easy to bypass (just a guess).

When it comes to ransomware, I believe detecting encryption relatively quickly and reliably is key. In other words, back ups are great, but if you have to restore half or all of your data, it can easily turn into a real mess.

 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
@danb

Just a word of caution. When I Google on Data Defender it shows a 'black out text eraser roller' and modules of software services from large companies (and legal departments with deep pockets). It is a more difficult to trade mark a generic term. So you might add Voodoo Shield in front of the name. Problem is that when you use Voodoo Shield as a brand or product range name, you also need to add something to your existing flagship product Voodoo Shield,

DataDefender -> Voodoo Shield Data Defender
VoodooShield -> Voodoo Shield Application Lock


/L
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,725
@danb

Just a word of caution. When I Google on Data Defender it shows a 'black out text eraser roller' and modules of software services from large companies (and legal departments with deep pockets). It is a more difficult to trade mark a generic term. So you might add Voodoo Shield in front of the name. Problem is that when you use Voodoo Shield as a brand or product range name, you also need to add something to your existing flagship product Voodoo Shield,

DataDefender -> Voodoo Shield Data Defender
VoodooShield -> Voodoo Shield Application Lock


/L
Thank you for the suggestions! We searched for a Class 9 US trademark for DataDefender and there was not one, so hopefully we will be in good shape. But I will keep an eye on it either way.

BTW, the whole focus of DD is to protect the data and to give the user insight on the status of their data. So if anyone has any suggestions on what other data protection components we can add, please let me know.
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Thank you for the suggestions! We searched for a Class 9 US trademark for DataDefender and there was not one, so hopefully we will be in good shape. But I will keep an eye on it either way.

BTW, the whole focus of DD is to protect the data and to give the user insight on the status of their data. So if anyone has any suggestions on what other data protection components we can add, please let me know.
:) other data protection features like password protection of files/folders

Windows acces control rights is a bit complex, so an easy to set and manage user based access rights might a feature you could implement also
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,725
Here is the first beta version of DataDefender. DD is a standard backup app with a focus on ransomware and data loss prevention and data control.

I believe the main anti-ransomware mechanism is quite unique, but if there is anything similar please let me know, this is how it works…

The concept of DataDefender is simple. Have you ever been using your computer and notice that at times the hard drive seems to be reading or writing endlessly for no apparent reason, so you wonder “is something reading, deleting or encrypting my data without my permission?” This happens to me all of the time, and one day I realized that as long no unknown processes are executing, then I have nothing to worry about. Basically, whenever the hard drive is grinding away, I want to be ensured that only known benign processes are currently executing and accessing the data files.

DataDefender’s main focus is to closely monitor all user space file modification events (changed, created, deleted, renamed, etc.) to protect data against ransomware and other forms of malware. The file modification events also can include file size, file attributes, file security attributes, last access time, last write time, and creation time.

The anti-ransomware mechanisms that I have tested typically monitor processes and grant or deny access to user data folders for each process. Whereas DD primarily monitors the user data folders for any and all modifications (especially increased drive activity), and secondarily monitors suspicious processes. DD considers a process to be suspicious if it is a non-native, vulnerable or unknown process, typically in the user-space.

While monitoring the user data files for increased read or write disk drive activity or file access / modification events, if no suspicious processes are executing, the drive activity is allowed and not restricted in any way.

However, if there is increased drive activity in the user data folders AND a suspicious process is executing, DD briefly suspends each suspicious process to see if drive activity increases or decreases. As each application is resumed consecutively, if drive activity remains constant, then we know that particular suspended suspicious process is not responsible for increased drive activity. Over time, suspicious processes that do not increase drive activity are automatically whitelisted by a feature known as dwell time, which we might make user configurable at some point.

However, if increased drive activity within the user data files stops and restarts as the process is suspended and resumed, then the application responsible for increased drive activity within the user data files has been identified. Once the suspicious application that is responsible for increased drive activity within the user data files has been identified, the suspicious application is then terminated and potentially quarantined, and the compromised user data files are manually or automatically restored.

So that is how DD works in a nutshell. For now DD does not utilize a kernel mode driver, but we can implement one if necessary. I have only tested it against synthetic ransomware and will certainly need to make changes once we start testing with real ransomware, simply because I am not familiar with all of the sneaky tricks ransomware utilizes while encrypting files. I just figured it was time to release a beta in case anyone was interested in helping me find ransomware that encrypts the files without DD noticing, especially since for now DD is configured to only detect file name changes. Once we start testing, we will figure out what other file modification events we need to add, and they are very simple to add. BTW, if you do test DD, please make sure you have at least 20 or so sample files to be encrypted. In my tests, DD typically takes action after around 5-15 files have been encrypted. We can also change several different parameters within DD’s detection code to tighten things up a bit if necessary.

DD 0.90 beta
SHA-256: e0507f631d698ae4a83e9a401649f27c4cc22c2091c7b61e00f7eed9d8505429

Thank you guys!
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
I have only tested it against synthetic ransomware and will certainly need to make changes once we start testing with real ransomware, simply because I am not familiar with all of the sneaky tricks ransomware utilizes while encrypting files. I just figured it was time to release a beta in case anyone was interested in helping me find ransomware that encrypts the files without DD noticing
@cruelsister might be willing to cobble up some ransomware to put DD through the wringer.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,725
@cruelsister might be willing to cobble up some ransomware to put DD through the wringer.
Yeah, it will be interesting to see what all bypasses DD initially... this could easily go either way ;). Especially since the vulnerable processes feature is 100% untested and probably not complete, since for now I only added the non-toggling vulnerable processes from VS, and not the toggling web apps "super vulnerable" processes. This should be fun!
 

Vitali Ortzi

Level 25
Verified
Top Poster
Well-known
Dec 12, 2016
1,405
Maybe we will have a chance to hear some of cruel sisters nice music
She haven’t uploaded anything in a while on yt :(
anyway Dan looking forward to see how will it works
could be a great product for the enterprise if it does so without high false positives
Anyway Dan you are one of our favorite devs
 
Last edited:

Vitali Ortzi

Level 25
Verified
Top Poster
Well-known
Dec 12, 2016
1,405
Thank you for the suggestions! We searched for a Class 9 US trademark for DataDefender and there was not one, so hopefully we will be in good shape. But I will keep an eye on it either way.

BTW, the whole focus of DD is to protect the data and to give the user insight on the status of their data. So if anyone has any suggestions on what other data protection components we can add, please let me know.
Maybe in some point in the far future depending how the product goes you could add paid network protection modules or make a central management for all your products targeting enterprise and power users
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,725
Maybe we will have a chance to hear some of cruel sisters nice music
She haven’t uploaded anything in a while on yt :(
anyway Dan looking forward to see how will it works
could be a great product for the enterprise if it does so without high false positives
Anyway Dan you are one of our favorite devs
Thank you, I appreciate that, and it would be an honor to help bring CS out of video production retirement ;).
 
  • Like
Reactions: Nevi and Venustus

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,725
Maybe in some point in the far future depending how the product goes you could add paid network protection modules or make a central management for all your products targeting enterprise and power users
Yeah, we have a web management console, but we need to add some more features to it... especially a network protection module like you mentioned, thank you for the suggestion! SMB and larger organizations are already using VS, but as far as I know not too many of them use the web management console. And ideally, the goal has always been to refine VS to the point where admins do not need to access the web management console, but it is certainly nice to have just in case.
 
  • Like
Reactions: Nevi and Venustus

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
@danb

I really like the mix and match backup / protection options. May I suggest two backup use cases?

Some data needs to be backup only once, like historical data (in my case old prototypes of websites which I made with webbuilder) or pictures I made with my phone and which I backup to backup_folder on my PC. These types of data and media files are backups themselves which I only want to keep and have DataDefender protect and backup once or manually.

1618772466718.png

I have set them now on don't backup, but in case of ransomware attack a part of phone photo's would be encrpted, I would appreciate it very much when Data Defender would recover it. Hence the request Backup Once (when adding the folder) or Backup manually.

regards

/L
 
Last edited by a moderator:

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,725
@danb

I really like the mix and match backup / protection options. May I suggest two backup use cases?

Some data needs to be backup only once, like historical data (in my case old prototypes of websites which I made with webbuilder) or pictures I made with my phone and which I backup to backup_folder on my PC. These types of data and media files are backups themselves which I only want to keep and have DataDefender protect and backup once or manually.

View attachment 257030

I have set them now on don't backup, but in case of ransomware attack a part of phone photo's would be encrpted, I would appreciate it very much when Data Defender would recover it. Hence the request Backup Once (when adding the folder) or Backup manually.

regards

/L
Cool, thank you for the suggestion! I see exactly what you mean, and sure, we can add something like "Backup Once". But let let me explain a little about how the backup component of DD works, then if you think we still need to add something like "Backup Once", we certainly can. Also, keep in mind, you should be able to do your initial backup, then just set whatever folder you want to "Don't Backup / Protect Only". Then if you ever need to restore that folder, just change it to Backup Monthly (or whatever), then you should be able to restore those files. But yeah, that is exactly why I included that feature... like I have tons of mp3's and videos that I hardly ever add new files to, so for those I just set them to Backup Monthly.

So about how the backup component of DD works... since storage is transitioning from HDD to SSD, when building DD I optimized it for SSD. It obviously still works with mechanical hard drives, but it works even better with SSD's. For example, you know how you can read SSD's all day long without degradation? But whenever you write to SSD's they are degraded? Well, when DD backs up, it essentially reads and verifies the files first, and if the files are identical it does not overwrite them, it just moves on to the next file. So basically, I did everything possible to limit writing to the SSD. So I guess what I am saying is that if you set the protected folders you mentioned to Backup Monthly, DD is not actually backing them up, it is simply verifying that they have not changed. That way, you will know that each month they are verified. But if we need to add a Backup Once, we can certainly do that. BTW, DD is also optimized for SSD in that if you set the Backup Speed to Medium, Fast or Blazing, it will verify and backup in parallel, depending on how many cores your processor has. So if you have a pretty fast processor and fast SSD, backups should be extremely fast. Thanks again, please let me know what you think on the Backup Once!
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,725
Posted the news on Wilders:
Cool, thank you! Please tell imdb that DD is not a whitelisting app. It is a data defender app ;). DD actually does not use whitelists at all. You can activate WLC to use as a whitelist scanner, but it is completely separate from DD.
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Cool, thank you for the suggestion! I see exactly what you mean, and sure, we can add something like "Backup Once". But let let me explain a little about how the backup component of DD works, then if you think we still need to add something like "Backup Once", we certainly can. Also, keep in mind, you should be able to do your initial backup, then just set whatever folder you want to "Don't Backup / Protect Only". Then if you ever need to restore that folder, just change it to Backup Monthly (or whatever), then you should be able to restore those files. But yeah, that is exactly why I included that feature... like I have tons of mp3's and videos that I hardly ever add new files to, so for those I just set them to Backup Monthly.

So about how the backup component of DD works... since storage is transitioning from HDD to SSD, when building DD I optimized it for SSD. It obviously still works with mechanical hard drives, but it works even better with SSD's. For example, you know how you can read SSD's all day long without degradation? But whenever you write to SSD's they are degraded? Well, when DD backs up, it essentially reads and verifies the files first, and if the files are identical it does not overwrite them, it just moves on to the next file. So basically, I did everything possible to limit writing to the SSD. So I guess what I am saying is that if you set the protected folders you mentioned to Backup Monthly, DD is not actually backing them up, it is simply verifying that they have not changed. That way, you will know that each month they are verified. But if we need to add a Backup Once, we can certainly do that. BTW, DD is also optimized for SSD in that if you set the Backup Speed to Medium, Fast or Blazing, it will verify and backup in parallel, depending on how many cores your processor has. So if you have a pretty fast processor and fast SSD, backups should be extremely fast. Thanks again, please let me know what you think on the Backup Once!
Yep, syncbsck free works that way, but the 'is this file changed' check takes some time when you have a lot of data. I suspected that the backup worked that way.

I have waisted a lot of time looking at Syncback figuring out whether some of the nearly 2tb photo's of my girlfriend were changed when backing up

So I was asking those 2 use cases with a reason
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,725
Yep, syncbsck free works that way, but the 'is this file changed' check takes some time when you have a lot of data. I suspected that the backup worked that way.

I have waisted a lot of time looking at Syncback figuring out whether some of the nearly 2tb photo's of my girlfriend were changed when backing up

So I was asking those 2 use cases with a reason
Cool, please let me know what you think in a day or so after you see how it is going to work for you, and if we need to make changes we will.

I tested several different methods that check if the file is changed or not, and the one I ended up with is pretty quick... it is a combination of a couple different methods I found on stackoverflow.

I forgot to mention, by far the biggest factor that impacts DD's verification and backup speed is if the backup is encrypted or not. If the backup is not encrypted, it is crazy fast. Also, not encrypting the backup is great because it gives you another option to restore the files if needed... you can just copy and paste files directly from the backup folder. So unless someone really needs to encrypt the local backup (for security reasons), it is definitely best to just leave it unencrypted.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Hi Guys! I've been taking Data Defender for a dance and just wanted to share a few things about it. But before beginning, it is important to note that as this is a first beta the strong points will remain strong and any failings will I'm sure be rectified. That being said this post will have no real value for any future builds of Data defender (except for the strong points, of course). Second (as a full disclosure), I personally can find no need for on in my current setup. CF fills my security needs, and as WD doesn't annoy and is useful (unlike WF and UAC) I also keep that enabled.

Now to Data Defender- my test was done on a Win8.1 system (I have a better malware mini zoo on that system, and it is dumber by default than W10) with WD disabled and data Defender installed. Installation was rather swift, and I requested the backup to be saved locally on a dummy directory (C;\1). I verified that the backup was done and correct. Please note that DD will only protect those things that it protects by default , so one must be cognizant that ransomware could possibly screw with files elsewhere not under the protection of DD (which was indeed the case).

On the whole, Data Defender worked as advertised. The good points:

1). Some ransomware, like MyLittlePony and CryptoFortess (and a number of others) were prevented from activating which demonstrated that DD has some intrinsic anti-ransomware properties. Some, like Xdata, only partially worked and the few files encrypted were able to be restored. Most however although while encrypting data, the user was able to utilize the auto-restore function to get the files back (and simultaneously have the trashed files deleted). Examples here would be Vaggen, Shade, and Ishtar.

2). For the sub-optimal. Wasted Locker got through and encrypted files including those protected. A CryptoMix variant encrypted files and deleted those protected, and a Mespinoza thingy encrypted files and DD was unable to open to attempt restore functionality. I have left samples of the latter two on my profile (apparently I don't have rights to play in the Malware section here).

3). Finally, for those that do not already have this tweak in place, I strongly suggest adding "take Ownership" right click context entry to your registry:

Add Take Ownership to Context Menu in Windows 10

This will aid in manually restoring files protected by Data Defender.

To sum up. Data defender at this point kinda-sorta works for its intended purpose with I am sure elegant coding to come.

Thanks Dan for the opportunity to check it out.

(addendum- I did not try the Cloud backup as I would never ever trust personal files to the Cloud)
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top