Topic: WhitelistCloud 1.00 beta

VoodooShield (VoodooShield Developer)
WhitelistCloud 1.00 beta
« on: August 10, 2019, 07:32:44 pm »
Hey Guys, so here is the first beta version of WhitelistCloud.  As you guys know, this project started off as a simple online scanner to analyze and detect for Safe files as opposed to Malicious files… basically the exact opposite of VirusTotal.  As you guys know, I am a huge fan of VirusTotal and WC could never replace VT, but I also wanted an engine where I could scan a file and it would tell me it is Safe as opposed to Undetected.  We need both and WC could certainly never replace VT.

Many years ago, my clients would constantly look me dead in the eye and ask “Dan, I have antivirus software, how did I get a virus?”  I had to explain to them that AV’s are filters, they are not locks, and there will be bypasses.  Anyway, having to answer this question over 500 or so times is one of the reasons I eventually had the idea for VS. 

Much in the same way VS came about, several people have asked me the last few years “Dan, VS is cool and everything, but how do I know that the only things running on my system are safe, especially before installing VS?”.  And I explained to them that the best you could do would be to scan your computer with a few different AV’s, then install VS.  (Which BTW is a non-issue because VS automatically cleans up the whitelist when malware is removed by malware scanners). 

But anyway, this is what made me think of the idea for WC.  I was not aware of any product that I could run on my machine that would constantly let me know if only Safe items were running.  There are tons of products that will tell you if only Undetected items are running, but as we all know signatures, ML/Ai, behavior blockers, etc. are not perfect.  I wanted a utility where I was essentially 100% confident that ONLY Safe items were running at any given time, and I wanted a very quick method for being able to ascertain this info.

So that is how the WC app started, and I started building the app about a month ago, utilizing as many of the inbuilt Windows features as possible.  I have always talked about adding some kind of simple firewall to VS, and during development, I realized that since we are already classifying all of the running (snapshot) and pre-execution processes as either Safe or Not Safe, why not automatically create a firewall rule in Windows Firewall for Not Safe items?

If I had to guess, WC will probably be adopted mainly by security enthusiasts and professionals, and also SMB and enterprise networks.  It would be amazing to have a tech where an IT Administrator would know at a glance that ONLY known Safe files are running on their endpoints and networks.  This would provide unparalleled visibility and drastically reduce alert fatigue.  I totally understand that there are already EDR and other systems that continuously monitor for malware, but I am unaware of any such system that specifically monitors for Safe files, especially that is similar to WC’s method (for obvious reasons).  I would go into much greater detail on how WC works, but as you guys all know, I cannot do so at this point (besides this document is going to be long enough 😉).  But if anyone is aware of such a system, please let me know.

But I do not see WC as something that will be adopted by consumers by the masses… it is mainly for security people and SMB / Enterprise.  Although, once we refine the GUI a little more, you never know… maybe a lot of people want to know that only Safe files are running on their machines.  And who knows, I think there are several very simple ways we can implement WC into VS.

As far as the GUI goes, it started out to be quite complex, but I really pared it down to the basics… I wanted this to be a dead stupid simple app that anyone can use… I just think we have some work on the GUI to get it there.  And once you guys see it, I am sure you will have all kinds of great suggestions on how we can improve the user interface.  The most important element in the user interface is the “Unresolved Not Safe Items” element on the Status Tab.  I was not sure what to name it or what to do with it… I mean do we make it a button or what?  Anyway, that is pretty much the only element that most users will need to use… we need to figure out how to make it as simple as possible.

Please keep in mind, the first 50 or so users who try WC will find it to be slow for the first 5-10 minutes, and this is simply because the database is pretty much blank.  But as more and more users adopt the app, it will become super-fast.  The snapshot scans should only take 1-5 seconds or so once you have run WC for 5-10 minutes.

Also, please keep in mind that this is a beta so there will probably be a few bugs.  But as I mentioned, the code should be pretty darn stable since I borrowed a lot of it from VS, which tremendously sped up development time for WC.  If I had to write WC from scratch, it would have taken a year or two, and even then, we would be squashing bugs for several months after that.

BTW, please let me know if anyone is aware of any existing products that function similar to WC.  It is important to respect other companies' intellectual property, otherwise there is no reason to build new cool stuff.  I would have asked online if anyone knew of a product similar to the ideas that I have for WC, but since I applied for a patent, I was not allowed to disclose the ideas before the application was submitted.  You will certainly find things that are similar, simply because there is so much overlap and cloning in tech in general, but even more so in cybersecurity.  But anyway, if there is something similar that I am unaware of, please let me know… this is important.


So WC includes 2 main functions:
1. Continuously let the end user and IT Administrators know if ONLY Safe items are running on the endpoint / network.
2. Create a Windows Firewall rule if an unknown Not Safe item is detected, until the end user or IT Administrator approves of the item.


The whole goal was to keep WC as stupid simple as possible… and I think we are close.  It is a beta version so there might be a few issues, but I believe most of the bugs are worked out.  I also did not want WC to be all “in your face” and demand your attention constantly… I call it passive whitelisting 😉.  WC will casually alert you on the next snapshot scan, although there is an option to disable alerts altogether, which we might want to enable by default.  These are all things we can brainstorm over and figure out what is best and make refinements as we go.

I have not implemented the kernel mode driver yet and may not ever, it all depends on the feedback that I get because there are pros and cons in doing so.  WC is not intended to stop the latest ransomware in its tracks like VS does.  Rather, WC is more concerned with the other VAST majority of malware that continuously executes on a machine, and exfiltrates data (for example), or propagates to another machine on the network (remember, WC automatically adds a firewall rule for new Not Safe items).  Or maybe a banking trojan, RDP or coinminer… you guys get the idea.


WC First Use Instructions…
1. Install WC from here: www.whitelistcloud.com/Download/InstallWhitelistCloud.exe
2. WC will scan your running processes and upload the files for analysis if they are not already in the database.  Realistically this scan should take less than 5 minutes.  When I clear out the database completely and test on 2 of my machines, it takes 1.5 minutes on one and 2 minutes on the other.
3. If any Not Safe items are detected, they will show up on the Scan tab where you can click on each one and whitelist the item if you know it to be Safe.


And really that is about it… as long as the WC tray Icon is white (and not red), you are essentially 100% confident that ONLY Safe files are running on your system at any given time.  And if something does try to sneak in, WC will create a firewall rule until you have had the chance to approve of the item.

Thank you guys!!!  I hope you enjoy WC!  It is seemingly simple on the surface, but there are a lot of cool things going on under the hood.
« Last Edit: August 10, 2019, 07:46:50 pm by VoodooShield »
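An added illustration of the two functions the post describes (a snapshot scan that classifies every running image as Safe or Not Safe, then inbound and outbound Windows Firewall block rules for the Not Safe ones), written here in PowerShell. It is not WhitelistCloud's own code; the `$Allowlist` hashtable is a constructed placeholder standing in for WC's cloud database, and `WL-Demo Block` is an assumed rule-name prefix.

```powershell
# Added illustration (not WhitelistCloud's code): snapshot running processes,
# classify each image by SHA-256 against a local allowlist, and create
# inbound + outbound Windows Firewall block rules for anything unknown.
# Run from an elevated PowerShell session; add -WhatIf to preview the rules.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Constructed sample allowlist (SHA-256 -> label). A real deployment would
    # load this from the cloud database instead of an inline placeholder.
    [hashtable]$Allowlist = @{
        'PLACEHOLDER_SHA256_OF_A_KNOWN_SAFE_FILE' = 'example.exe'
    },
    [string]$RulePrefix = 'WL-Demo Block'   # assumed prefix for rules we create
)

# Snapshot: unique image paths of everything currently running.
# Path is empty for protected/system processes we cannot open; those are
# listed as unresolved rather than silently treated as Safe.
$running   = Get-Process
$unreadable = $running | Where-Object { -not $_.Path } |
              Select-Object -ExpandProperty ProcessName -Unique
$images    = $running | Where-Object { $_.Path } |
              Select-Object -ExpandProperty Path -Unique

$notSafe = @()
foreach ($path in $images) {
    try {
        $hash = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction Stop).Hash
    } catch {
        $notSafe += [pscustomobject]@{ Path = $path; Sha256 = ''; Reason = 'hash failed' }
        continue
    }
    # PowerShell hashtables compare string keys case-insensitively, so the
    # uppercase hex from Get-FileHash matches either case in the allowlist.
    if (-not $Allowlist.ContainsKey($hash)) {
        $notSafe += [pscustomobject]@{ Path = $path; Sha256 = $hash; Reason = 'not in allowlist' }
    }
}

# Function 2: block network traffic for each Not Safe image until it is approved.
foreach ($item in $notSafe) {
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "$RulePrefix $dir $(Split-Path $item.Path -Leaf)"
        # Idempotent: skip images that already have a rule in this direction.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        if ($PSCmdlet.ShouldProcess($item.Path, "Create $dir block rule")) {
            New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block `
                -Program $item.Path -Profile Any -Enabled True | Out-Null
        }
    }
}

# Function 1: the tray-icon verdict. White only when nothing is unresolved.
if ($notSafe.Count -eq 0 -and -not $unreadable) {
    'STATUS: WHITE - only allowlisted images are running'
} else {
    "STATUS: RED - $($notSafe.Count) not-safe image(s), $(@($unreadable).Count) unreadable"
    $notSafe | Format-Table Path, Sha256, Reason -AutoSize
    if ($unreadable) { 'Unreadable (no image path): ' + ($unreadable -join ', ') }
}
```

Approving an item in this model means adding its SHA-256 to `$Allowlist` and removing the two rules with `Remove-NetFirewallRule -DisplayName`, which mirrors the "whitelist it on the Scan tab" step in the post.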

Jasper The Rasper (Administrator)
Re: WhitelistCloud 1.00 beta
« Reply #1 on: August 10, 2019, 07:54:57 pm »
Thank you.
I have downloaded it and I will give it a run tomorrow. I would do it now but I am busy backing up my system.

VoodooShield (VoodooShield Developer)
Re: WhitelistCloud 1.00 beta
« Reply #2 on: August 10, 2019, 08:52:04 pm »
> Thank you.
> I have downloaded it and I will give it a run tomorrow. I would do it now but I am busy backing up my system.

Very cool, thank you!

BTW, I forgot to mention, there may be a handful of "Not Safe" / false positives from the Windows directory.  I actually installed every single version of Windows (i.e., service packs, updates, etc.) on a clean system and wrote some code to upload the files to the database and basically manually whitelisted all of the Windows files.  It was a very long process and I am sure I got most of them, but there will be a few that I missed.  I will have to manually whitelist these over the next few weeks until we get them all.

Having said that, there is actually a much better method to deal with Windows files and it will work perfectly without false positives out of the gate.  I just have not had the time to finish that part of the code yet... it is going to take a little time.

So if you guys see any Not Safe Windows files over the next few weeks, it is probably a false positive.

simmerskool
Re: WhitelistCloud 1.00 beta
« Reply #3 on: August 10, 2019, 09:58:22 pm »
> Thank you.
> Very cool, thank you!
> ...
> BTW, I forgot to mention, there may be a handful of "Not Safe" / false positives from the Windows directory.  I actually installed every single version of Windows (i.e., service packs, updates, etc.) on a clean system and wrote some code to upload the files to the database and basically manually whitelisted all of the Windows files.  It was a very long process and I am sure I got most of them, but there will be a few that I missed.  I will have to manually whitelist these over the next few weeks until we get them all.
> Having said that, there is actually a much better method to deal with Windows files and it will work perfectly without false positives out of the gate.  I just have not had the time to finish that part of the code yet... it is going to take a little time.
> So if you guys see any Not Safe Windows files over the next few weeks, it is probably a false positive.

Installed on Win7.
Installation was a tad unclear in the sense that it wanted me to turn on Windows Firewall.  But golly gee, I run Comodo Firewall 12 aka cruelcomodo.  So I did not open Windows Firewall, but I did open cf@cs | advanced view window and it appeared that WLC was online and scanning, i.e., not obviously blocked by CF.  Scan took 260.99 seconds. It found 7 "not safe" files which I'm pretty sure are safe.  I like that the list also shows the SHA256 of not safe files.
In settings: default is "create both firewall rules for not safe items" (both meaning inbound & outbound). But since we're in false positive beta testing, should that be disabled? I.e., I disabled that setting, although it's a tad unclear if that means anything on a system like mine NOT running Windows Firewall??
It performs a scan on startup.  If I reboot once a week, that's a lot.  But then a timed scan at different intervals with the default at 60 mins.  To me, this means that if a new PE file opens, it is unseen by WLC, correct?  It only sees what's running at the time of the scan?  Should WLC scan newly opening .exe files?
Now to check those 7 not safe files more closely...


Triple Helix (Administrator)
Re: WhitelistCloud 1.00 beta
« Reply #4 on: August 10, 2019, 10:13:39 pm »
11.4 seconds and clean.
Microsoft® Windows Insider MVP - Windows Security
Webroot SecureAnywhere Complete & VoodooShield Pro & WhitelistCloud
Alienware 17R5 Laptop with the new i9-8950HK Processor, 32GB of RAM and 2 Samsung NVMe 960 Pro's.

simmerskool
Re: WhitelistCloud 1.00 beta
« Reply #5 on: August 10, 2019, 10:31:26 pm »
Follow-up to my initial scan and post...
I like the nice coding of hash copies to clipboard to help plug it into VT.
6 of my not safe files were MS files, all confirmed clean by VT.
The remaining 1 is an ASUS file related, I'm sure, to the motherboard, and it scanned clear with the "problem" related to the signature not being verified although the signer is VeriSign. Perhaps something with the date?  Dan, if you want to look at that file, I'll PM you the specifics.
In any event, those 7 are now whitelisted so I assume added to the WLC whitelist.  How do YOU prevent malware being added to your WLC database??

You asked about other software... So e.g., Process Explorer shows all the running apps with each VT score, e.g., 0/72 in green, but if even 1/n it shows in red.  Of course to see that I have to have procexp set up like that and have its window open, whereas WLC shows red / white in the systray.

Curious, a new not safe was just found and I did not manually scan; has it been 60 mins, perhaps?  Depending on system resources and internet connection, perhaps it is reasonable to do a scan at intervals less than 60 mins and WLC does provide for that.

So far, I like it.

Triple Helix (Administrator)
Re: WhitelistCloud 1.00 beta
« Reply #6 on: August 10, 2019, 10:35:45 pm »
Dan, can I ask you for future versions, can you make it possible to install to a drive other than C? I like to have my programs on the D drive. I can't remember if I asked you about VS for this as well? I also did another scan and it took a bit longer!  :P


HempOil
Re: WhitelistCloud 1.00 beta
« Reply #7 on: August 10, 2019, 10:58:17 pm »
My laptop just got a clean bill of health. I'll delve deeper into it when I have some spare cycles.
FYI, as can be seen in my signature, I also run Comodo, so I did not enable or take advantage of the Windows Firewall feature.
Windows 10 Home 64-bit, version 1903, build 18362.329
Comodo Internet Security Premium 12.0.0.6818
VoodooShield 5.02
HMP.A 3.8.0 Build 839 CTP 1 & HMP 3.8.15 b306 (64-bit)
Google Chrome 76.0.3809.132 (Official Build) (64-bit) with Strict-Origin-Isolation enabled and run in Comodo sandbox

Triple Helix (Administrator)
Re: WhitelistCloud 1.00 beta
« Reply #8 on: August 10, 2019, 11:14:45 pm »
> My laptop just got a clean bill of health. I'll delve deeper into it when I have some spare cycles.
> FYI, as can be seen in my signature, I also run Comodo, so I did not enable or take advantage of the Windows Firewall feature.

Is Comodo a two-way firewall, inbound and outbound? I haven't looked at it in a long time.

Thanks,

Andi
Re: WhitelistCloud 1.00 beta
« Reply #9 on: August 11, 2019, 12:17:47 am »
Ok... I found a bug...

There is a problem with wrong data for the time taken to scan (it took about 45-60 sec)... I don't have English/US "numeration" (AM/PM... first month and second date) so maybe it is because of that!
I have first day, second month, third year and 24h format of time.

Win10 x64 (1903)
System Security:  Kaspersky free, VoodooShield
Browser Security: AdGuard,Kaspersky Protection

ssherjj (Global Moderator)
Re: WhitelistCloud 1.00 beta
« Reply #10 on: August 11, 2019, 12:28:56 am »
I have installed the WhiteCloud and will delve into it more. Thanks Dan! :)
Microsoft® Windows Insider MVP - Windows Security 
Webroot® SecureAnywhere™ Expert Product Advisor Webroot Forum Gold VIP  (Beta Tester)
VoodooShields  v5.01

Andi
Re: WhitelistCloud 1.00 beta
« Reply #11 on: August 11, 2019, 12:32:12 am »
An additional scan took about 4-5 sec, but WC says 287 sec.
I see from other people's screenshots that they have a "decimal dot" (123.45); maybe this is the problem... I don't have it!!!

...and one suggestion: add an "upload files" notification or a little popup of that cloud image when we hover the mouse on it   ;)
« Last Edit: August 11, 2019, 12:53:42 am by Andi »

simmerskool
Re: WhitelistCloud 1.00 beta
« Reply #12 on: August 11, 2019, 01:54:25 am »
> My laptop just got a clean bill of health. I'll delve deeper into it when I have some spare cycles.
> FYI, as can be seen in my signature, I also run Comodo, so I did not enable or take advantage of the Windows Firewall feature.
>
> Is Comodo a two way firewall inbound and outbound? I haven't looked at it in a longtime.
>
> Thanks,

I think Comodo Firewall is in & out.

simmerskool
Re: WhitelistCloud 1.00 beta
« Reply #13 on: August 11, 2019, 01:56:34 am »
My initial scan was 260 seconds, last few scans have been 5 seconds, so I changed settings to scan every 5 mins.


Triple Helix (Administrator)
Re: WhitelistCloud 1.00 beta
« Reply #14 on: August 11, 2019, 03:11:49 am »
Here is my first boot up scan!
