
oldschool

Level 53
Verified
Here's more from Dan about a new stand-alone app. Enjoy!

Hey Guys, so here is the first beta version of WhitelistCloud. As you guys know, this project started off as a simple online scanner to analyze and detect for Safe files as opposed to Malicious files… basically the exact opposite of VirusTotal. As you guys know, I am a huge fan of VirusTotal and WC could never replace VT, but I also wanted an engine where I could scan a file and it would tell me it is Safe as opposed to Undetected. We need both and WC could certainly never replace VT.

Many years ago, my clients would constantly look me dead in the eye and ask “Dan, I have antivirus software, how did I get a virus?” I had to explain to them that AV’s are filters, they are not locks, and there will be bypasses. Anyway, having to answer this question over 500 or so times is one of the reasons I eventually had the idea for VS.

Much in the same way VS came about, several people have asked me the last few years “Dan, VS is cool and everything, but how do I know that the only things running on my system are safe, especially before installing VS?”. And I explained to them that the best you could do would be to scan your computer with a few different AV’s, then install VS. (Which BTW is a non-issue because VS automatically cleans up the whitelist when malware is removed by malware scanners).

But anyway, this is what made me think of the idea for WC. I was not aware of any product that I could run on my machine that would constantly let me know if only Safe items were running. There are tons of products that will tell you if only Undetected items are running, but as we all know signatures, ML/Ai, behavior blockers, etc. are not perfect. I wanted a utility where I was essentially 100% confident that ONLY Safe items were running at any given time, and I wanted a very quick method for being able to ascertain this info.

So that is how the WC app started, and I started building the app about a month ago, utilizing as many of the inbuilt Windows features as possible. I have always talked about adding some kind of simple firewall to VS, and during development, I realized that since we are already classifying all of the running (snapshot) and pre-execution processes as either Safe or Not Safe, why not automatically create a firewall rule in Windows Firewall for Not Safe items?

If I had to guess, WC will probably be adopted mainly by security enthusiasts and professionals, and also SMB and enterprise networks. It would be amazing to have a tech where an IT Administrator would know at a glance that ONLY known Safe files are running on their endpoints and networks. This would provide unparalleled visibility and drastically reduce alert fatigue. I totally understand that there are already EDR and other systems that continuously monitor for malware, but I am unaware of any such system that specifically monitors for Safe files, especially one that is similar to WC’s method (for obvious reasons). I would go into much greater detail on how WC works, but as you guys all know, I cannot do so at this point (besides, this document is going to be long enough). But if anyone is aware of such a system, please let me know.

But I do not see WC as something that will be adopted by consumers by the masses… it is mainly for security people and SMB / Enterprise. Although, once we refine the GUI a little more, you never know… maybe a lot of people want to know that only Safe files are running on their machines. And who knows, I think there are several very simple ways we can implement WC into VS.

As far as the GUI goes, it started out to be quite complex, but I really pared it down to the basics… I wanted this to be a dead stupid simple app that anyone can use… I just think we have some work on the GUI to get it there. And once you guys see it, I am sure you will have all kinds of great suggestions on how we can improve the user interface. The most important element in the user interface is the “Unresolved Not Safe Items” element on the Status Tab. I was not sure what to name it or what to do with it… I mean do we make it a button or what? Anyway, that is pretty much the only element that most users will need to use… we need to figure out how to make it as simple as possible.

Please keep in mind, the first 50 or so users who try WC will find it to be slow for the first 5-10 minutes, and this is simply because the database is pretty much blank. But as more and more users adopt the app, it will become super-fast. The snapshot scans should only take 1-5 seconds or so once you have run WC for 5-10 minutes.

Also, please keep in mind that this is a beta, so there will probably be a few bugs. But as I mentioned, the code should be pretty darn stable since I borrowed a lot of it from VS, which tremendously sped up development time for WC. If I had to write WC from scratch, it would have taken a year or two, and even then, we would be squashing bugs for several months after that.

BTW, please let me know if anyone is aware of any existing products that function similarly to WC. It is important to respect other companies’ intellectual property, otherwise there is no reason to build new cool stuff. I would have asked online if anyone knew of a product similar to the ideas that I have for WC, but since I applied for a patent, I was not allowed to disclose the ideas before the application was submitted. You will certainly find things that are similar, simply because there is so much overlap and cloning in tech in general, but even more so in cybersecurity. But anyway, if there is something similar that I am unaware of, please let me know… this is important.


So WC includes 2 main functions
1. Continuously let the end user and IT Administrators know if ONLY Safe items are running on the endpoint / network.
2. Create a Windows Firewall rule if an unknown Not Safe item is detected, until the end user or IT Administrator approves of the item.


The whole goal was to keep WC as stupid simple as possible… and I think we are close. It is a beta version so there might be a few issues, but I believe most of the bugs are worked out. I also did not want WC to be all “in your face” and demand your attention constantly… I call it passive whitelisting. WC will casually alert you on the next snapshot scan, although there is an option to disable alerts altogether, which we might want to enable by default. These are all things we can brainstorm over and figure out what is best and make refinements as we go.

I have not implemented the kernel mode driver yet and may not ever, it all depends on the feedback that I get because there are pros and cons in doing so. WC is not intended to stop the latest ransomware in its tracks like VS does. Rather, WC is more concerned with the other VAST majority of malware that continuously executes on a machine, and exfiltrates data (for example), or propagates to another machine on the network (remember, WC automatically adds a firewall rule for new Not Safe items). Or maybe a banking trojan, RDP or coinminer… you guys get the idea.


WC First Use Instructions…
1. Install WC from here: www.whitelistcloud.com/Download/InstallWhitelistCloud.exe
2. WC will scan your running processes and upload the files for analysis if they are not already in the database. Realistically this scan should take less than 5 minutes. When I clear out the database completely and test on 2 of my machines, it takes 1.5 minutes on one and 2 minutes on the other.
3. If any Not Safe items are detected, they will show up on the Scan tab where you can click on each one and whitelist the item if you know it to be Safe.


And really that is about it… as long as the WC tray Icon is white (and not red), you are essentially 100% confident that ONLY Safe files are running on your system at any given time. And if something does try to sneak in, WC will create a firewall rule until you have had the chance to approve of the item.

Thank you guys!!! I hope you enjoy WC! It is seemingly simple on the surface, but there are a lot of cool things going on under the hood.
« Last Edit: Today at 07:46:50 pm by VoodooShield »
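The two functions Dan lists above (snapshot the running processes, classify each as Safe or Not Safe, and give Not Safe items a Windows Firewall rule until an admin approves them) can be sketched in PowerShell; this is an added illustration of that concept, not WhitelistCloud's code, and the allowlist file path, the rule-name prefix and the hash-based "Safe" test are assumptions of the example.

```powershell
#Requires -RunAsAdministrator
# Illustration of "passive whitelisting": snapshot running images, mark each Safe / Not Safe
# against a local allowlist, and put an outbound Windows Firewall block rule on Not Safe
# images until an administrator approves them. Not WhitelistCloud's code; the allowlist
# location, rule prefix and hash-only classification are assumptions of this example.

$AllowListPath = Join-Path $env:ProgramData 'WcDemo\allowlist.txt'   # assumed: one SHA256 per line
$RulePrefix    = 'WcDemo-NotSafe: '                                    # assumed rule-name prefix

function Get-AllowList {
    if (Test-Path $AllowListPath) { Get-Content $AllowListPath | Where-Object { $_ } } else { @() }
}

function Get-ProcessSnapshot {
    # One entry per distinct image path; processes whose path cannot be read are skipped.
    Get-Process | Where-Object { $_.Path } | Group-Object Path | ForEach-Object {
        $path = $_.Name
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path      = $path
            Sha256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            Signed    = ($sig.Status -eq 'Valid')
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Processes = ($_.Group | Select-Object -ExpandProperty Id) -join ','
        }
    }
}

function Get-Classification {
    # Safe = hash already on the allowlist. Everything else is Not Safe, even when validly
    # signed: a signature proves origin, not that the administrator has approved the file.
    $allow = @(Get-AllowList)
    Get-ProcessSnapshot | ForEach-Object {
        $_ | Add-Member -NotePropertyName Safe -NotePropertyValue ($allow -contains $_.Sha256) -PassThru
    }
}

function Block-NotSafe {
    # Create (once) an outbound block rule per Not Safe image, keyed by its path.
    foreach ($item in @(Get-Classification | Where-Object { -not $_.Safe })) {
        $name = $RulePrefix + $item.Path
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -Program $item.Path -Profile Any -Enabled True | Out-Null
            Write-Warning ("Not Safe, outbound blocked: {0} (signed={1}, pids={2})" -f `
                $item.Path, $item.Signed, $item.Processes)
        }
    }
}

function Approve-Item {
    # Administrator review step: allowlist the file's current hash and drop its block rule.
    param([Parameter(Mandatory)][string]$Path)
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    New-Item -ItemType Directory -Force -Path (Split-Path $AllowListPath) | Out-Null
    if (-not (@(Get-AllowList) -contains $hash)) { Add-Content -Path $AllowListPath -Value $hash }
    Get-NetFirewallRule -DisplayName ($RulePrefix + $Path) -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Get-Status {
    # Mirrors the tray icon: 'white' when every running image is Safe, otherwise 'red'.
    if (@(Get-Classification | Where-Object { -not $_.Safe }).Count -gt 0) { 'red' } else { 'white' }
}

Block-NotSafe
"Status: " + (Get-Status)
```

The block rules only take effect while Windows Defender Firewall is the active firewall, which is the caveat raised later in the thread for users of third-party firewalls.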

plat1098

Level 20
Verified
Nice! Would make a nice on-demand second opinion scanner, right? Or checking dirty remnants still on system.

whitelist scan.PNG

Edit: Wow, wait, this has real-time? Just now, WhitelistCloud alerted to a new temp file, it was unsigned. So, I manually check it with Jotti. Of course it was clean (it was an Intel file) so I whitelisted it as a temporary measure and now it's all safe again. The tray icon goes from blood-red to white when that happens. (y) Also, OSArmor blocked it from installing with the "unsigned process running with high privileges" rule. :D
 

Dave Russo

Level 13
Verified
Thank you Old School for posting, I am in on this, looks great
 

Slyguy

Level 43
This is a really really impressive program!

On one of my test HyperVs it detected an unsafe program communicating out, automatically setup rules to block it, and notified me. It indeed was a suspicious file that should have been blocked but thus far no suite on the test HV flagged it. It did flag a very very suspicious file I keep running (developed by someone I know at a UTM firm) internally for security purposes that is unsigned, which I was glad to see it caught. Not even Cylance or others flagged that.

This program is extremely lightweight, non-intrusive, and gives you insight into potential remnants after cleanup and other suspicious activity.

Dan is hitting a home run with this one. I am going to recommend to him that this product goes to a premium paid product with a 30 day trial after Beta is over. It's worth it. Also, I see this product having BIG potential in the Enterprise Market if it gets a management portal. Something like this on all domain systems, keeping a watchful eye on suspicious programs and putting a lock on them until they are classified as good by the domain administrator? This is exactly what is needed to stop enterprise outbreaks.
 

Burrito

Level 23
Just so everybody understands...

Whitelisting has been implemented many times by multiple companies. Windows AppLocker is an implementation of whitelisting. Even SRP is a form of whitelisting.

On the consumer side, the big whitelister is PC Matic - PC Pitstop. If you go to their website, they talk about the benefits of whitelisting.

The US federal government uses several different whitelisting apps. One by McAfee is widely used -- McAfee Application Control. Another one I've used was called Lumension Application Control. I'm not sure that one still exists.

I'm sure there are others.

Carbon Black features whitelisting.

I've sat in a couple of other demos where other products talked about how they implemented whitelisting... so yes, there are others.

I'm not sure about this -- but some believe that Cylance is more of a whitelister vice blacklister. Some believe their machine learning algorithm focuses on scoring 'goodware' rather than malware. But that's just rumor.

Unless Dan's concept is different or better than what the McAfee Application Control or multiple other products can do.... he might want to think hard about this. Whitelisting globally is not a simple process.

But I say......... Go Dan Go.
 

oldschool

Level 53
Verified
Please remember that WLC is simply that - to check for good files. It doesn't check for blacklisting purposes. VS already has that. And please, please remember that this is an initial beta so there will likely be bugs and flaws.

Also, this from Dan:

BTW, I forgot to mention, there may be a handful of "Not Safe" / false positives from the Windows directory. I actually installed every single version of Windows (i.e., service packs, updates, etc.) on a clean system and wrote some code to upload the files to the database and basically manually whitelisted all of the Windows files. It was a very long process and I am sure I got most of them, but there will be a few that I missed. I will have to manually whitelist these over the next few weeks until we get them all.

Having said that, there is actually a much better method to deal with Windows files and it will work perfectly without false positives out of the gate. I just have not had the time to finish that part of the code yet... it is going to take a little time.

So if you guys see any Not Safe Windows files over the next few weeks, it is probably a false positive.
 

simmerskool

Level 9
Verified
Malware Tester
Just installed and ran a scan, came out clean, but I noticed a glitch (I think): after the scan it says Windows Defender Firewall on {I'm using Symantec Firewall}, so I thought maybe the program turned on WFW, but when I checked it is still off. So does it matter what Firewall I use for Whitelist Cloud?
For now, I understand the firewall feature only works with WFW; if you're using a 3rd-party fw, then disable that feature in settings.
 

Slyguy

Level 43
Around 2004 or so I worked for a firm where they had an almost-ready-to-launch Whitelisting Control product. It was very powerful and well done, however C level folks decided it wasn't going to make them enough money in the short term because at the time it was felt that AV products were more than sufficient. They were very shortsighted in that respect, and if they had pushed forward they'd have a very mature WL product with a lot of development time behind it.

I'm very pleased to see WLC from Dan, and I cannot wait for the product to mature.
 

outlawxtorn

Level 5
Verified
Content Creator
Very cool program, Dan is a great developer!
@Slyguy I also agree that this should be a premium program. Shoot, in my opinion VS should just be a premium paid program as well.
 

Nightwalker

Level 20
Verified
Trusted
Content Creator
For now I can't share the enthusiasm that some members are showing, because for all it is worth this isn't whitelist technology, it is more like a VirusTotal Scanner checker with an algorithm logic (If older than X years/months and If not detected by X engines = safe).

Whitelist isn't that simple to employ or maintain; in the past even big vendors had to do some technological partnership to keep this technology useful (Kaspersky using Bit9 database/resources).

Of course I could be wrong here, but I doubt that it is similar to real whitelist technology like the one developed by Bit9 (now CarbonBlack).

Edit: Norton does what this software wants to do since 2009 and there are many other vendors that do the same or better.
(Norton Quorum)
 

Burrito

Level 23
For now I can't share the enthusiasm that some members are showing, because for all it is worth this isn't whitelist technology, it is more like a VirusTotal Scanner checker with an algorithm logic (If older than X years/months and If not detected by X engines = safe).

Of course I could be wrong here, but I doubt that it is similar to real whitelist technology like the one developed by Bit9 (now CarbonBlack).
I agree. I just didn't want to be the first negative skeptic in the thread....

I think Dan's in over his head here. The ML and other techniques used now for whitelisting are pretty sophisticated -- and those are being implemented at companies with lots of resources.... like Carbon Black.

PC Matic is a good example of the difficulties of whitelisting.

But hey, I was wrong about Dan previously. I never thought VooDoo would be a good product.

So.... Go Dan Go.
 

plat1098

Level 20
Verified
Well, as a stand-alone, time will tell if there's a market for this technology, especially in Enterprise. It's brand new so it's a novelty. Instead of a full-blown suite, it raises the possibility of creating a security set-up with various snap-ins, sort of like Legos. Build and customize your security from the ground up. :love:
 

Slyguy

Level 43
Well, as a stand-alone, time will tell if there's a market for this technology, especially in Enterprise. It's brand new so it's a novelty. Instead of a full-blown suite, it raises the possibility of creating a security set-up with various snap-ins, sort of like Legos. Build and customize your security from the ground up. :love:
That's what I am thinking. Sure, this stuff is out there in some form or another, but we need to look at where it is coming from and how they are doing it. PCMatic is a good example. If you want the WL technology you need to buy their whole suite, and it's a suite that isn't well regarded. Norton Download Insight is notoriously sleepy, but also assumes you want to run Norton, especially given recent news. McAfee Application Control might be the one it has the most parity with. But no consumer footprint on that and McAfee isn't well liked outside of the USA.

I definitely see a market for it. Especially if it is kept lean and not tied to another suite. Adding it with a managed portal, combined with another enterprise endpoint suite, would offer valuable insight into the activity on a system. Especially considering a lot of enterprises are using products/programs without much insight on their networks already and really don't have a single pane of glass to see what is executing on systems.
 