Topic: WhitelistCloud 1.00 beta

Telos
Re: WhitelistCloud 1.00 beta
« Reply #90 on: August 13, 2019, 03:58:27 pm »
Hey Dan... with v1.00's high CPU usage, I disabled its service waiting for the next beta to drop. When 1.01 was announced, I reset the v1.00 service to automatic and then clicked "Start". Right away I was notified that 1.01 was available and I accepted the automatic update.

But...


After that, WLC would not start. I downloaded v1.01 from this thread, ran it and all went well. I don't know if there is an auto-update issue, or I just experienced a fluke. Just FYI.

The CPU issue seems resolved...


That is pretty quiet 👍

Telos
Re: WhitelistCloud 1.00 beta
« Reply #91 on: August 13, 2019, 04:49:33 pm »
Some small items... v1.01

When viewing the whitelist I noticed 2 copies of the same program (one that I recently updated), so I figured I would remove both and let WLC figure things out. But there is no obvious means to remove programs from the whitelist, other than to blacklist them...

While navigating the whitelist, when you select a whitelisted item to see the detail, and then close that box, you are returned to the first item on the whitelist, instead of to the item you clicked on. This makes reviewing the entries quite cumbersome, having to scroll the list to each individual listing.

VoodooShield (developer)
Re: WhitelistCloud 1.00 beta
« Reply #92 on: August 13, 2019, 05:15:53 pm »
...
WFC doesn't care about inbound, unless we have a server (IIS, or ICQ, UPnP ...) running, which holds ports open continuously.  If we don't have a server running, then the router or modem will simply drop any unsolicited traffic without question.
...
...
My question is... I am not sure what you mean when you say "WFC doesn't care about inbound traffic, unless we have a server (IIS, or ICQ, UPnP ...) running.  That being the case, how does WFC handle malware that downloads a payload?  The router is not going to block it... it is not unsolicited.  Heck, windows firewall is not going to block the downloading of a payload unless a rule is created, right?  Anyway, I was just really confused and curious about this, so I thought I would ask, thank you!

 :-[ Oops...  I should have taken more words...  OK.  Server 101:

There are servers and there are servers.  Most corporate setups will have a file-server which is (or should be) entirely within the LAN; and they may also have a web-server facing the WAN, which may be serving note-pads in the field for example, or an intranet with WAN access.  Essentially here, WAN and LAN must at all times be separate physical entities: the LAN is at risk and must be locked solid.

Any server must NEVER under ANY circumstances be used for workstation duties.  The web-server must be physically between the router and the modem.  All dependent workstations must be properly firewalled.

Hokay.  Malware gets onto a box by two, and ONLY two routes: removable media, and The Internet.  Many corporate entities have placed orders for boxes with no holes, so in theory Stuxnet cannot happen.  The Internet is different.  Your file-server probably does not need a firewall, since nobody will be work-stationing on it, and it is not visible from the WAN.  So your web server must be configured with armour-plate, and its firewall must be aimed at specific IPs.  My personal recommendation would be Cloudflare or a similar service.  These companies use much more robust tools than Windows Firewall.

For the average family setup, the above is so much spaghetti.  UPnP and DHCP are servers, but we won't discuss them.  If you're running ICQ or similar, place that box OUTSIDE the LAN.  That is, Modem<->ICQ<->Router<->Workstations.  And firewall the workstations.

Does anybody remember Red Doom and similar from a couple of decades ago?  All the infections happened to weak server setups, and IIS was the target of choice.  In fact, most infections happened on Windows Server XXX being used as a workstation and the presence of an activated and running IIS was either not realised or completely ignored.  To the best of my knowledge, no workstation OS--Windows 3.x, W9x, WMe, W2K Pro etc--was ever directly infected, if at all.

Malware is now distributed via social engineering and drive-by attacks.  On this note, does anybody remember CCleaner?  Woefully inadequate security for a softs publisher.

Windows Firewall, with or without Windows Firewall Control, cannot do much against social engineering.

My own experience was a weaponised ad on Major Geeks, who were in fact blameless: it is most probable that the ad-server was not properly firewalled and had no security softs in place.  The ad appearing in my browser first replaced Major Geeks with a porn page, which then dropped a trojan in %appdata\local\temp%, where it imploded because CryptoPrevent had taken all execute permissions off that folder in all accounts, and had also changed ownership...  All I had to do was vacuum the floor.

Assume we have WFC up and running.  If this rogue ad happened now, assuming it made its way past VS, it cannot phone home.  The only way malware can download a payload is if it can first make an "Allow" outbound rule in Windows Firewall.  This is a hard ask anyway due to the complexity of WF settings--they're not all in one place--but WFC has its own security enhancements: Secure Rules and Secure Profile, both aimed at preventing this scenario.  Tick those boxes and be safe.
That makes a lot more sense, thank you!  I actually just installed WFC and played around with it a little, it's cool, I can see why there are a lot of fans!

VoodooShield (developer)
Re: WhitelistCloud 1.00 beta
« Reply #93 on: August 13, 2019, 05:16:44 pm »
Quote from: Telos on August 13, 2019, 03:58:27 pm (Reply #90, quoted above)
Thank you Telos!  I could write some code to trap that error, and I might.  I just do not know if many people will be disabling the WhitelistCloudService or not ;).

VoodooShield (developer)
Re: WhitelistCloud 1.00 beta
« Reply #94 on: August 13, 2019, 05:19:12 pm »
Quote from: Telos on August 13, 2019, 04:49:33 pm (Reply #91, quoted above)
Yeah, we need to figure out what to do in these two scenarios, but I wanted to wait for you guys to see it first, and to give me your input and ideas before we figured out what to do and how to refine the gui.  This is more of a POC than anything... but really I never envisioned that users would review the file insight details of a lot of different processes... this is more of a set it and forget it type app.  But let's think it over and we will figure it out together.  Thank you!

VoodooShield (developer)
Re: WhitelistCloud 1.00 beta
« Reply #95 on: August 13, 2019, 05:39:21 pm »
BTW, it looks like I missed the Windows 10 10.0.18860.1001 release... I just had tons of Not Safe Windows files appear as Not Safe.  It is fixed now ;).  Once I figure out that other method for Windows Files and Apps, this issue will be fixed permanently.

Unauthorized
Re: WhitelistCloud 1.00 beta
« Reply #96 on: August 13, 2019, 05:42:08 pm »
Installed version 1.01 and no problems on my end. Noticed CPU is at 0% running in the background. Great work Dan!

VoodooShield (developer)
Re: WhitelistCloud 1.00 beta
« Reply #97 on: August 13, 2019, 06:30:22 pm »
Quote from: Unauthorized on August 13, 2019, 05:42:08 pm (Reply #96, quoted above)
Very cool, thank you for letting me know!

So now you guys are essentially 100% sure that ONLY Safe files are running on your machines.  Before, you were relatively sure your systems were clean, but now you are essentially 100% certain.  It was always a concern for me because obviously I am a target… and I often wondered if someone were actually able to sneak something in.  Now I know for sure.

THAT is what WLC is about.  Well, that and to block network connectivity and propagation if a Not Safe item is encountered (equally important).

Jasper The Rasper (administrator)
Re: WhitelistCloud 1.00 beta
« Reply #98 on: August 13, 2019, 07:26:24 pm »
Quote from: Jasper The Rasper
This is my W10 now.
2 to about 3% is about the norm though.

Quote from: VoodooShield
Cool, thank you Jasper, please try 1.01, hopefully it will be 0 ;).

Quote from: Jasper The Rasper
Yes it is 0 now.
The GUI was there last night but is not there now. It could be something with this system but if it is there later on I will let you know.
I have just done a reinstall to see if that helps at this end.

Quote from: VoodooShield
Very cool about the cpu utilization!  The fix was to limit the process creation mechanism in the service to just the PID and the Process Path, instead of the entire process.  I would have done it that way from the beginning, but both of my machines that I had WC installed on essentially had 0 cpu utilization the entire time, so I just left it as it was, just in case we needed some of the other process info for something else later on.

That is very odd about the GUI.  So that we are on the same page, what happens when you double click the WC tray icon?  Thank you!

Sorted I hope and it is possible it was down to me. I have my Taskbar always on top and it could have been hiding behind that. When I looked tonight as soon as I switched the laptop on it was coloured red as a tray icon - a false positive.
I will let you know though if the problem does come back.

Telos
Re: WhitelistCloud 1.00 beta
« Reply #99 on: August 13, 2019, 07:27:49 pm »
I hit a wall using AirVPN's "Eddie" client. With WLC running Eddie will not connect to any server. No errors are thrown that I can see in Eddie's logs. It just gives up and tries another server and so on.

Once this occurred I stopped WLC program/service, but no joy.

Then I used the Win10 uninstaller to remove WLC; still no joy (I didn't reboot at these times). I had a previous drive image where I had disabled WLC service, so I loaded that and ran the v1.01 installer. Again no connection to AirVPN (yes, my 'net connection was good).

I suspect that something fails in the whitelist since there is no outside 'net connection available while Eddie is handshaking/checking DNS/etc/etc. So something appears to be blocked.

So again back to the disabled v1.00 image and a Revo uninstall.

I'm not sure how to beat this unless I can whitelist all Eddie's executables beforehand (maybe this is already available... I didn't think to check before reimaging).

Thoughts on this?

FWIW, while uninstalling isn't likely a priority, here are the registry leftovers Revo found:


Triple Helix (administrator)
Re: WhitelistCloud 1.00 beta
« Reply #100 on: August 13, 2019, 08:20:25 pm »
Quote from: Unauthorized on August 13, 2019, 05:42:08 pm (Reply #96, quoted above)

Same here as well!  8)


simmerskool
Re: WhitelistCloud 1.00 beta
« Reply #101 on: August 13, 2019, 08:45:14 pm »
used WC v1.00 to install v1.01.  seems aok.
average cpu on WC 0.01%  & WCserv 0.92% (during a scan) otherwise usage falls back to 0.00% here. 
I see the cpu thread usage varies from 13 to 17. 
fwiw, I like interface without the minimize button.
I do have whitelist double entry for google software_reporter_tool but different file sizes so I assume google (chrome) dropped in an update. I have mixed feelings about not getting any notice of that.  I'll dig a little deeper.


schmidthouse
Re: WhitelistCloud 1.00 beta
« Reply #102 on: August 13, 2019, 10:18:09 pm »
Installed 101 on both W10 machines. One took 6min/15secs for initial scan and the older machine took 4min/10 secs for the initial scan.
Nothing unexpected.
Thanks Dan. :)

VoodooShield (developer)
Re: WhitelistCloud 1.00 beta
« Reply #103 on: August 14, 2019, 05:39:56 pm »
Quote from: Telos on August 13, 2019, 07:27:49 pm (Reply #99, quoted above)


Sorry about that Telos!  Can you check in Windows Defender Firewall to see if WLC created a firewall rule for the AirVPN's "Eddie" client?  Or you can start WLC and click the "Clear Firewall Rules" on the Settings tab.  WLC should remove the rule once the AirVPN's "Eddie" client is considered safe, either automatically or by the user clicking "Whitelist Item".

This is the only thing I can think of... please let me know how it goes.

Telos
Re: WhitelistCloud 1.00 beta
« Reply #104 on: August 14, 2019, 10:39:17 pm »
Quote from: VoodooShield on August 14, 2019, 05:39:56 pm (Reply #103, quoted above)
I'm at a loss understanding how WLC interacts with Windows Defender Firewall (WDF). You mention "Clear Firewall Rules"... but I have quite a few rules in WDF and I'm not keen on seeing those wiped... or is there another set that is involved when WLC is running.

How would I check if WLC created a rule? I don't see a field that describes the source of a firewall rule apart from the restricted ones which are owned by Win 10.

Re: "Eddie" here are the primary executables...



Of those, I only see openvpn.exe among my WDF entries... AirVPN gets daily use, so re-imaging to have VPN access is not something I choose to do frequently.
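One way to answer the question above (which firewall rules are bound to a given program, and whether any of them is an enabled outbound Block rule that would explain a VPN client silently failing to connect). This is an added example, not code from WhitelistCloud or from anyone in the thread; the executable names are assumptions standing in for Eddie's real binaries, which the thread only shows in a screenshot, and the "no DisplayGroup means third-party rule" check is a heuristic, not a guarantee.

```powershell
# Added example (not WhitelistCloud's code). Lists every Windows Defender
# Firewall rule bound to the named executables and flags enabled outbound
# Block rules. Run in an elevated PowerShell on Windows 10.
# ASSUMPTION: these file names stand in for Eddie's real binaries; edit them.
$EddieBinaries = @('Eddie-UI.exe', 'openvpn.exe')

function Get-RulesForBinaries {
    param([string[]]$BinaryName)

    foreach ($rule in Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        # The program a rule is bound to lives in its application filter, not
        # on the rule object. Stored paths may use environment variables such
        # as %ProgramFiles%, so compare only the file name (-in is
        # case-insensitive in PowerShell).
        $app = $rule | Get-NetFirewallApplicationFilter
        if (-not $app.Program -or $app.Program -eq 'Any') { continue }
        $leaf = [System.IO.Path]::GetFileName($app.Program)
        if ($leaf -notin $BinaryName) { continue }

        [pscustomobject]@{
            Name        = $rule.DisplayName
            Direction   = $rule.Direction
            Action      = $rule.Action
            Enabled     = $rule.Enabled
            Profile     = $rule.Profile
            # Heuristic: built-in Windows rules carry a DisplayGroup; rules
            # created by netsh or a third-party product usually leave it empty.
            Group       = $rule.DisplayGroup
            Description = $rule.Description
            Program     = $app.Program
        }
    }
}

function Test-OutboundBlocked {
    param([string[]]$BinaryName)
    # True if any enabled outbound Block rule targets one of the binaries.
    $blocked = Get-RulesForBinaries -BinaryName $BinaryName |
        Where-Object { $_.Direction -eq 'Outbound' -and
                       $_.Action -eq 'Block' -and
                       $_.Enabled -eq 'True' }
    return [bool]$blocked
}

Get-RulesForBinaries -BinaryName $EddieBinaries | Format-Table -AutoSize
if (Test-OutboundBlocked -BinaryName $EddieBinaries) {
    Write-Host 'An enabled outbound Block rule targets the VPN client.'
} else {
    Write-Host 'No outbound Block rule found for the listed binaries.'
}
```

Reviewing the matching rules this way before using a product's "Clear Firewall Rules" button shows exactly which entries would be affected, rather than wiping the whole rule set.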