What do you say about community-based HIPS
Wai_Wai
September 26th, 2006, 02:26 PM
Community-based HIPS
What do you think about community-based HIPS?
What're their merits and demerits?
There're two community-based HIPS I'm aware of - Prevx1 and Online Armour.
Is there any more?
How do they compare with one another? Which is better?
Thanks a lot for your reply.
cheater87
September 26th, 2006, 02:34 PM
I love Prevx; it gives me a very good sense of security.
austin1257
September 26th, 2006, 02:39 PM
Prevx1 and Nod, what more can I say. I love Prevx.
lodore
September 26th, 2006, 02:43 PM
Prevx1 is great.
ErikAlbert
September 26th, 2006, 02:45 PM
I sincerely hope that the community database is quickly verified by experts, who see the difference between clean and infected applications, because I don't trust the housewives doing this.
I also hope that these experts can handle the quantity of new applications.
Davidpr
September 26th, 2006, 02:46 PM
I would not use a pc without Prevx.
starfish_001
September 26th, 2006, 02:52 PM
-{ Quote: "I sincerely hope that the community database is quickly verified by experts, who see the difference between clean and infected applications, because I don't trust the housewives doing this." }-
A valid concern - Prevx do have a lot of people verifying the DB entries.
I like Prevx - it adds a second opinion - but sometimes gets things wrong. I have had a few things jailed that were not malware, but overall I like it.
Online Armour is quite nice - I have just put this on one of my test PCs after a few months without it.
SNS is another alternative - kinda
Personally I prefer Prevx
Notok
September 26th, 2006, 03:01 PM
-{ Quote: "I sincerely hope that the community database is quickly verified by experts, who see the difference between clean and infected applications, because I don't trust the housewives doing this." }-
Indeed it is. The Analysts are the only ones that make changes to the db, otherwise the malware writers would be all over it.
Feel free to PM me with questions like these, if you like. You can also feel free to drop by the official forums at CastleCops.
Wai_Wai
September 26th, 2006, 03:03 PM
cheater87, austin1257, lodore:
Why do you love this application?
Any specific reason? Or just the feeling of liking it?
Wai_Wai
September 26th, 2006, 03:06 PM
-{ Quote: "Indeed it is. The Analysts are the only ones that make changes to the db, otherwise the malware writers would be all over it." }-
I know users can right-click on the result and "disagree"!
How does it actually work and proceed?
lodore
September 26th, 2006, 03:24 PM
The applications are quickly checked for spyware and malware and sent to the community right away. It used to be heavy on resources but is now getting lighter,
so it's improving with every release, which is always nice to see in a company.
lodore
cheater87
September 26th, 2006, 04:00 PM
I'm paranoid about stuff like spyware, so a program that stops it from installing is great for me.
austin1257
September 26th, 2006, 04:11 PM
Easy to install, verifies your PC for issues while installing. Once installed it will nip anything that tries to mess deep into your PC. I know that isn't the technical way of putting it. But I know of 2 people who use it and the XP firewall and nothing else, and have never had an issue. This was verified by online scans they did from 2 other vendors. Personally, I like the added protection of NOD, and Ewido inactive just to keep an eye out. But it will pretty much keep all malware off your PC. No slowdown either that I have noticed.
lodore
September 26th, 2006, 04:34 PM
No slowdown, that is good.
I'm thinking of putting Prevx1 in my setup.
austin1257
September 26th, 2006, 04:36 PM
I thought you did have it. Just what do you use today?
lodore
September 26th, 2006, 04:38 PM
Protected by FSIS 2006, Firefox with NoScript, Adblock, SiteAdvisor, NAT device.
Just what's above. The other stuff in my sig is what is coming soon.
FSIS = F-Secure Internet Security 2006. It keeps on giving me over 10 MB updates and then doesn't want to install them, so I have to run their special tool to reset updates.
Can't wait to get rid of it.
austin1257
September 26th, 2006, 04:39 PM
Wow, if you ever sell your PC, sell it cheap. :)
lodore
September 26th, 2006, 04:45 PM
I meant I can't wait to get rid of F-Secure :)
The stuff here is what is to come.
AV + Prevx1 + NAT device + Windows Firewall.
Seems simple enough.
The AVs are either BitDefender 10 or Kaspersky 6.
Notok
September 26th, 2006, 05:46 PM
-{ Quote: "I know users can right-click on the result and "disagree"!
How does it actually work and proceed?" }-
It sends a message in with the specific location in the database (which is important) and any comments you provide. The analysts then review it and either change it or tell you why not. Believe it or not we actually get people disagreeing about actual malware.
It pretty much follows the "Neighborhood Watch" analogy. In a Neighborhood Watch, people keep an eye out for crime and give the police any information they have to help the police to take care of it. With an official Neighborhood Watch, citizens are given the information/tools to spot and report suspicious activity more effectively than just someone that happens to see something happening, and so it is with Prevx1. Obviously if the citizens could add or remove criminal records from the database, the criminals would all be deleting any records of themselves, and that is just what would happen with the Prevx1 Community Database if it were open. Hopefully there will be more "community" type features added, but until then don't hesitate to write in or visit our forum. Of course I'm always around here as well :)
LoneWolf
September 26th, 2006, 06:16 PM
Prevx1 looks like a good security program. Can someone tell me if this would be a good addition to my other security software, or would there be conflicts due to overlapping? I would like to try this one.
austin1257
September 26th, 2006, 06:59 PM
Don't know, you have a lot you won't need with Prevx1. I am getting ready to test Prevx1 with the new Antivir beta suite. Will keep you informed.
muf
September 26th, 2006, 08:02 PM
I dropped Online Armor for Prevx1. Found my system ran faster, there are far fewer popups and I only get bothered by the 'really obscure' things. It really does run transparently. It must have one hell of a large whitelist because some of the apps I use are not what I'd call mainstream. I've tried a few HIPS out but my main gripe was always having to make too many of the decisions myself. Prevx1 has taken 99% of the decision making away, and that's how I like things... running in the background, only popping up when really needed.
Lovin' it!!!
muf
bellgamin
September 26th, 2006, 09:14 PM
-{ Quote: "I also hope that these experts can handle the quantity of new applications." }-
I would assume that this "new applications" workload is made even larger by changes/updates to applications already in the Prevx database.
Wai_Wai
September 27th, 2006, 01:19 AM
-{ Quote: "Prevx1 looks like a good security program. Can someone tell me if this would be a good addition to my other security software, or would there be conflicts due to overlapping? I would like to try this one." }-
Possible. If two applications are monitoring the same area, a conflict may occur. Some conflicts may be hidden. That means they don't generate an error message. Instead, each one nullifies the protection of the others, but you don't notice it if you don't investigate deeply enough. Taking stability/reliability into consideration, it isn't worth overlapping protection.
Wai_Wai
September 27th, 2006, 03:13 PM
-{ Quote: "Believe it or not we actually get people disagreeing about actual malware." }-
How come?
Do they really disagree, or are they just naughty?
I may expect there may be some arguments about some greyware (the behaviour may be regarded as bad, but obviously not harmful).
Will the workload be huge since no one will agree on everything?
Notok
September 27th, 2006, 04:36 PM
-{ Quote: "How come?
Do they really disagree, or are they just naughty?" }-
Usually because another "trusted" app doesn't detect it.
-{ Quote: "I may expect there may be some arguments about some greyware (the behaviour may be regarded as bad, but obviously not harmful).
Will the workload be huge since no one will agree on everything?" }-
Indeed, and these are taken on a case-by-case basis. Every vendor has their own guidelines about what they will and will not detect.
The workload we have is not as big as you think, there's a lot of automation. The database has tens of millions of files, but just a few analysts have no problems keeping up; we don't have to prioritize the way most signature-based vendors do. To give a little perspective on that, we actually have tools to sell to those vendors to help, and there's always more in the works. You can also go to the "Prevx Insight" page on the website and see how many new files are seen so far for the day (over 198,000 today, at the time of writing) and consider how few Unknown prompts you see (many/most people never see one).
stubbs100
September 27th, 2006, 05:00 PM
Let me set the scene very briefly as to why Prevx1 is quite different to your existing end-point security products.
When we set out to develop Prevx1 we wanted to address a fundamental weakness of conventional security products - their blindness to threats which they fail to recognize. In simple terms, unless these products recognize something by its signature, file heuristics or behavioural traps then they simply ignore it. Our belief was, and still is, that as malware threats become more and more covert and diverse security becomes more a question of intelligence than recognition.
Prevx1 turns this issue on its head. We designed Prevx1 to monitor software activity at the system level and report unique behaviors back to a centralised database. Of course we also use signatures and heuristics, but these are not conventional AV signatures; we are not trying to store signatures of the million or so malicious programs we have identified in the last twelve months on each PC. On the PC, Prevx builds and maintains a unique agent-based inventory of signatures which relate one to one with each executable (good or bad) present on the PC. This inventory is then updated as required in real time to reflect the determination of each and every program on the PC. Known good programs can therefore be allowed to run freely without interruption, Known bad programs can be blocked from running, and Unknown programs can be closely monitored for signs of malicious behavior and then blocked.
This might sound a little like Host Intrusion Prevention but there is one big difference. Behavior is examined centrally. This means we can take account of the aggregated behavior of any executable and we can also consider its relationships to other objects. So whereas HIPS has to make decisions based on what it sees a program do on the PC, Prevx1 has a massive advantage due to the additional intelligence it has gathered. Even if we fail to stop a new threat, once it is identified we already have all the event information associated with it to be able to clean up effectively.
We now have just under 500,000 users (27.09.06) who have downloaded and run Prevx1. This has allowed us to build a vast software database which knows of more than 40 million executables and 1.5 billion unique behaviors. Every day we see around 200,000 new unique executables. Of these more than 2,500 are identified as malicious. With each of our Prevx1 agents reporting new unique behaviors in real time, we are seeing and categorising new malware much faster than other security companies, which translates into much earlier and more extensive protection.
Prevx1 also incorporates comprehensive cleanup capabilities that can deal with the advanced ‘keep-alive’ technologies being used by state-of-the-art malware.
Prevx Support
herbalist
September 27th, 2006, 05:39 PM
-{ Quote: "Believe it or not we actually get people disagreeing about actual malware." }-
That's not surprising considering there is no "official" definition for malware, or most of the other terms used to describe different undesirable wares. There is a lot of grey area when setting criteria as to exactly what constitutes malicious behavior. That's one of the biggest reasons that no 2 adware or spyware removal apps target the same things.
If one assumes the apps function as they claim, and are not easily bypassed by new variants and similar changes, the user has to ask 2 questions with regard to community-based HIPS:
1. Do you trust the community to update their lists in a realistic amount of time?
2. Does the community definition of malicious or undesirable agree with your own?
I'd have no problem with the first question. If you use other software as a guide, community based programs have problems fixed much faster than the commercial equivalents. One doesn't need to look any farther than alternate browsers and operating systems for an example of who fixes vulnerabilities faster.
For me, the 2nd question might be a problem, depending on what criteria they use. I didn't see anywhere on their site that details exactly what behaviors or criteria have to be met for an app to be blocked. I might have missed it. While there might not be that much variation in what gets called "malicious", there's a lot more variation in what different people or companies call undesirable behavior.
Rick
Notok
September 27th, 2006, 07:03 PM
-{ Quote: "That's not surprising considering there is no "official" definition for malware, or most of the other terms used to describe different undesirable wares. There is a lot of grey area when setting criteria as to exactly what constitutes malicious behavior." }-
I'm not talking about bundled adware like with WeatherBug that some people may knowingly decide to use, I'm talking about worms and trojans, like Bagle, which were clearly detected as such. One that comes to mind was a software crack that was clearly dropping all sorts of other trojans and such.
-{ Quote: "I didn't see anywhere on their site that details exactly what behaviors or criteria have to be met for an app to be blocked." }-
This is true, however I don't know of any anti-malware vendor that publishes detailed descriptions of their heuristics. These are also changing daily based on both observed and projected trends. You can see the list of what areas are monitored and what Prevx1 will do when it sees something happen (whether it will prompt you or report it for heuristics); policies set to "Prevent" are the ones that will be outright blocked.
Like Stubbs100 pointed out, while Prevx1 has some similarities with HIPS, there are some major differences. Instead of just blocking behaviors, the monitored information is used for (centralized) automated malware analysis. Instead of having a human find a piece of malware and reverse engineer it, that process is automated so the analysts only have to look at the information and mark it good or bad. Then instead of downloading a signature, Prevx1 just looks it up as needed and either allows it, blocks it, or asks you (depending on your settings). The intent is to close the "zero day" gap; the pure behavior blocking is more secondary and meant to give advanced users an opportunity to control the situation, but only when necessary.
austin1257
September 27th, 2006, 07:39 PM
You can debate this into the end of the world of infinite wisdom, but for most normal users such as myself, the bottom line is, this product works and works well. There is a thread about if you could only pick 4 applications; well, if you could only pick one, this would be it for me. It comes before all I have ever tried. The one piece of software that only took me 20 minutes to decide to buy and I never regretted it. I think even today, blackspears stated that a good HIPS or CIPS program is something you can't do without, and this is the best.
herbalist
September 27th, 2006, 09:49 PM
-{ Quote: "This is true, however I don't know of any anti-malware vendor that publishes detailed descriptions of their heuristics. " }-
That isn't quite what I meant. I'll try again. What I was looking for was something that stated what they considered behavior unacceptable to add an item to the blocklist. Obviously, if it logs keystrokes, it's added. Lavasoft has/had their TAC, where behaviors were given point values. If a program exceeded a certain value, it was supposed to be added to the detection list. I was looking for something that would be similar to that in concept.
What about these behaviors, which are grounds for the app to be blocked:
delivers popup ads
banner ads
data miner
calls home
updates silently
downloads more software
modifies hosts file
modifies internet zone settings or adds itself to trusted zone
questionable changes in products EULA
vendor shares data with other companies
Which or how many of these would get an item added to the blocklist?
Rick
Notok
September 28th, 2006, 01:09 AM
That's one that's probably going a bit OT, but you might bring it up in our forum or write directly. I can try to get someone with more direct knowledge to answer, but going into this much fine detail about Prevx1 is probably better saved for official venues.
I am more than happy to answer questions as well as just generally participate and share what I know, but I do feel like we're going in a bit deep here (and at length), so would encourage people with questions to come over to our forums. You'll also be more likely to get answers from some of the team that are far more technically knowledgeable than I am over there, too :)
Davidpr
September 28th, 2006, 02:56 AM
-{ Quote: "You can debate this into the end of the world of infinite wisdom, but for most normal users such as myself, the bottom line is, this product works and works well. There is a thread about if you could only pick 4 applications; well, if you could only pick one, this would be it for me. It comes before all I have ever tried. The one piece of software that only took me 20 minutes to decide to buy and I never regretted it. I think even today, blackspears stated that a good HIPS or CIPS program is something you can't do without, and this is the best." }-
I agree. Prevx is the only security software that I will recommend unreservedly to friends. It works and on ABC mode just runs in the background until it blocks something. And for £13 per year it is good value - other companies should take note.
Wai_Wai
September 28th, 2006, 03:40 AM
-{ Quote: "That isn't quite what I meant. I'll try again. What I was looking for was something that stated what they considered behavior unacceptable to add an item to the blocklist. Obviously, if it logs keystrokes, it's added. Lavasoft has/had their TAC, where behaviors were given point values. If a program exceeded a certain value, it was supposed to be added to the detection list. I was looking for something that would be similar to that in concept.
What about these behaviors, which are grounds for the app to be blocked:
delivers popup ads
banner ads
data miner
calls home
updates silently
downloads more software
modifies hosts file
modifies internet zone settings or adds itself to trusted zone
questionable changes in products EULA
vendor shares data with other companies
Which or how many of these would get an item added to the blocklist?
Rick" }-
You spotted it right. That's also one of my concerns. If you run it in ABC or Pro mode, you just don't know what it blocks and what it allows. These behaviours are those I would like to decide at my own discretion.
How about if Prevx1 asks us for the final decision when it is going to block/allow (the behaviours of) greyware? Prevx1 may post a recommendation/explanation, but it offers the option for the user to decide.
Does anyone know which website has made a malware test regarding Prevx1?
ghiser1
September 28th, 2006, 03:56 AM
-{ Quote: "What about these behaviors, which are grounds for the app to be blocked:
delivers popup ads
banner ads
data miner
calls home
updates silently
downloads more software
modifies hosts file
modifies internet zone settings or adds itself to trusted zone
questionable changes in products EULA
vendor shares data with other companies
Which or how many of these would get an item added to the blocklist?
Rick" }-
Hi Rick,
That makes a few things clear. When it comes to malware, we are effectively at war. A bit strong? Well maybe. Malware is firmly in the hands of organised crime; it is no longer down to script kiddies and idiots out to "make a name" for themselves. Malware is written for one reason - to make money. Likewise, Anti-Malware software is written for one reason - to make money! Yes, it helps the community to get clean, but the bottom line is we wouldn't put the effort in if there wasn't a commercial reason for doing it.
Now, given that we're at "war" with the malware writers there is a mantra from the intelligence community that holds firm for this "malware war" as it would for any other war - that is:
WHENEVER POSSIBLE, YOU NEVER LET YOUR ENEMY KNOW HOW GOOD YOU ARE!
It's unlikely that we'll publish details of how our AI engines work, what data points they use individually or collectively to determine that a program is good, bad or otherwise. This is strictly need-to-know information :-X Joking apart, you really don't need to be concerned with it. It works. That's the important thing :)
Let's look at the competition for a moment... Many of them publish the results of their malware analysis after they've released their signature updates. Why do they do this? Simple - marketing. Most people that get a malware infection go straight for Google and search for the filename. AV vendors publish analysis results to get hits on their websites from filename searches. Filename-based marketing leads to hits which leads to downloads which leads to sales. Anti-Malware products are written to make money! End of story.
Now, how many of those same companies tell you HOW they do their analysis? How many tell you what rules they employ to decide whether something is bad or not? How many use automated tools versus a manual process? How many publish the nature of their signature structure or algorithms? What... you don't know? Of course you don't, as these things are commercial secrets and simply aren't published. The users of their products TRUST them to have done a good job. If they have, they detect the malware and if you're lucky they clean it up. If they haven't, or they are simply too slow to win the war against the malware writers... their users start to reduce that TRUST level and look for something else.
In this war on malware, products with automated intelligence engines are the only ones that have a chance of keeping up with malware evolution/production. Traditional AV vendors are struggling now, and it's going to get much worse for them.
You have a simple question to consider - where should you put your TRUST?
Regards,
ghiser1
Prevx Security Architect
herbalist
September 28th, 2006, 06:43 PM
ghiser1,
Thanks for taking time to reply. No explanation needed regarding this war or the monetary motivations behind it. Been in this war for quite a while and have seen enough instances where a company chooses to make the product and its support more important than the needs of the users. That's not an accusation; it refers to other products.
-{ Quote: "It's unlikely that we'll publish details of how our AI engines work, what data points they use individually or collectively to determine that a program is good, bad or otherwise." }-
How would a list of behaviors that you consider malicious amount to giving details of how your software works? How would stating that "we target keyloggers" help the author of a keylogger or harm the software/community? I'm not asking for details of how the detection process or removal procedure works. I just want to know what behaviors are considered malicious, not filenames or software brands.
I doubt that I'm the only one here who's asked an adware/spyware remover the question "why don't you target such and such?" and gotten a reply that effectively states "we don't consider it malicious", even though it meets their written criteria of targetable behavior. If a particular program delivers intermittent popup ads, will it be targeted? Popup adware is annoying and usually undesirable, but is it "malicious enough" to target, or will the user need an adware remover to target it? I don't see where a yes or no answer would benefit the enemy or hurt the software/community. If anything, I would think that defining what will be considered malicious would have the opposite effect. For potential users, they'd know just what they'll be protected from. It would have no effect on malware writers or the criminal element at all. They expect to be targeted and know it's coming, just like we know what to expect from them, more of this war. Another instance where a list of malicious or unacceptable behaviors would be a benefit is with the vendors of what I'd call "grayware", that stuff that tries to see how close they can get to the line without crossing it. I'm sure you know the type, the ones that scream "our software isn't spyware", all the while knowing that there's no legal definition for that word. A list of behaviors that are considered malicious would send a message to all of them, something on this order:
This community considers these unacceptable behaviors. Any software that engages in these or any other equally repulsive activities will be targeted. If you don't want your software targeted, don't write it to do these things.
I apologize if I sound distrusting or skeptical, but after seeing one anti-spyware after another fail to do what they claim, watching viruses go past 2 out of 3 AVs I used to run, and seeing so-called "acceptable software" engage in activities I find very questionable at best, I've lost all trust in definition- or signature-based security and chose to use and recommend classic HIPS programs, SSM in particular, which trusts nothing except what I tell it to. For me, it's an ideal solution, but I also recognize that it's not that good of a choice for the average or casual user. For the average user, yours looks like a more usable option that doesn't require the user to know their systems to the same degree. I both use and test Open Source software, so I'm familiar with the "community approach" and its advantages. Community-based malware protection could be what the average user needs, depending on how you define malicious.
Rick
ghiser1
September 29th, 2006, 08:57 AM
-{ Quote: "How would a list of behaviors that you consider malicious amount to giving details of how your software works? How would stating that "we target keyloggers" help the author of a keylogger or harm the software/community? I'm not asking for details of how the detection process or removal procedure works. I just want to know what behaviors are considered malicious, not filenames or software brands." }-
Hi Rick,
You see, that's the root of the problem. There are no behaviours that in themselves are malicious. Maliciousness is a subjective area. Whether an application that logs keystrokes is malicious or not depends on a large number of factors, and there are many legitimate reasons for logging keystrokes and many legitimate applications that do it. If those keystrokes are captured to a file and transmitted across a network to a range of differing domains and IP ranges you might say it looks more suspicious, but it still isn't necessarily malicious. BTW, I've just described most Instant Messaging and VoIP applications that have a "Log my conversation" capability turned on.
There are also lots of apparently benign behaviours that when taken collectively become malicious in intent. There is no guidance that can be given on "do this and you'll be targeted, or do this and you won't". You need to get to the level where you can say things like don't do X when you've already done Y and Z if you were first created by A in folder B with your name looking like C. That's the problem - you need specifics. Without this context individual behaviours are useless - which is why IMHO traditional HIPS are useless - unless, like in your case, the user is confident that they know how to answer the questions the HIPS presents you with.
As an example, which of these should be considered malicious:
1. Creates a run key that points to itself.
2. Creates a copy of itself with a different name in a new folder under the windows directory.
3. Uses a different folder or file names that appear to be random hex digits.
4. Downloads and installs new programs/DLLs to replace standard system files on reboot.
Depending on context they could all be. Likewise, if the context is that these behaviours were all done under the guidance of the automatic Windows Update service, you get a vastly different picture. Context is key and globally gathered data is paramount in understanding the true context. The view from one PC is always cloudy.
Hope this helps,
ghiser1
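As an added illustration (not code from Prevx or from anyone in this thread), the toy model below combines the two ideas explained above: stubbs100's agent-side inventory that maps each executable's hash to a Known good / Known bad / Unknown determination, and ghiser1's point that the same four behaviours are a malware chain in one context and routine in another, which an additive TAC-style score cannot tell apart. The behaviour names, the WINDOWS_UPDATE_SERVICE origin placeholder, the point values and the sample bytes are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    GOOD = "good"        # allowed to run freely
    BAD = "bad"          # blocked from running
    UNKNOWN = "unknown"  # monitored, behaviour reported for analysis


@dataclass(frozen=True)
class Event:
    """One behaviour an agent reports for an executable (constructed format)."""
    behavior: str   # e.g. "creates_run_key"
    origin: str     # process/service under whose guidance it happened: the context


# --- Tier 1: the agent's per-executable inventory --------------------------
# Keyed by a hash of the image, not its file name, so a renamed or randomly
# named copy still resolves to the same determination.
def fingerprint(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


class LocalInventory:
    def __init__(self) -> None:
        self._table: dict[str, Verdict] = {}

    def record(self, image: bytes, verdict: Verdict) -> None:
        self._table[fingerprint(image)] = verdict

    def decide(self, image: bytes) -> Verdict:
        # Anything not yet determined is treated as Unknown and watched.
        return self._table.get(fingerprint(image), Verdict.UNKNOWN)


# --- Tier 2: central, context-aware analysis -------------------------------
# ghiser1's four example behaviours; none is a verdict on its own.
CHAIN = {
    "creates_run_key",
    "copies_self_to_windows_dir",
    "random_hex_name",
    "replaces_system_files_on_reboot",
}
# Assumed placeholder for "done under the guidance of the Windows Update service".
TRUSTED_ORIGINS = {"WINDOWS_UPDATE_SERVICE"}


def classify_centrally(events: list[Event]) -> Verdict:
    seen = {e.behavior for e in events} & CHAIN
    origins = {e.origin for e in events}
    if not seen:
        return Verdict.UNKNOWN
    if origins <= TRUSTED_ORIGINS:
        return Verdict.GOOD      # identical behaviours, trusted context
    if len(seen) >= 3:
        return Verdict.BAD       # the correlated chain from an untrusted origin
    return Verdict.UNKNOWN       # one or two behaviours: keep monitoring


# --- Contrast: a TAC-style additive score has no notion of context ---------
TAC_POINTS = {"creates_run_key": 2, "copies_self_to_windows_dir": 3,
              "random_hex_name": 2, "replaces_system_files_on_reboot": 4}
TAC_THRESHOLD = 6  # constructed threshold


def tac_flags(events: list[Event]) -> bool:
    return sum(TAC_POINTS.get(e.behavior, 0) for e in events) >= TAC_THRESHOLD


def run_demo() -> dict:
    inv = LocalInventory()
    dropper = b"constructed sample: dropper image bytes"
    first_look = inv.decide(dropper)        # not in inventory yet -> monitored
    malicious = [Event(b, "unknown_downloader.exe") for b in sorted(CHAIN)]
    benign = [Event(b, "WINDOWS_UPDATE_SERVICE") for b in sorted(CHAIN)]
    inv.record(dropper, classify_centrally(malicious))   # verdict flows back down
    return {
        "first_look": first_look,
        "after_analysis": inv.decide(dropper),
        "same_chain_trusted": classify_centrally(benign),
        "single_behavior": classify_centrally([Event("creates_run_key", "setup.exe")]),
        "tac_flags_malicious": tac_flags(malicious),
        "tac_flags_benign": tac_flags(benign),  # additive score flags the update too
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```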
Notok
September 29th, 2006, 02:58 PM
Herbalist: One of the things your last post made me think of, as well, is that while you will see a TAC system posted by Ad-Aware, you won't necessarily see the same for NOD32. The detection scope of Prevx1 is closer to that of NOD32's than Ad-Aware's, although we do not have to prioritize the same way and so can include the more minor stuff that comes through. Same goes for Online Armor or most other community based apps. One of the other things to consider is that Prevx1 will work perfectly fine alongside other software as well. Even if one program fit all your requirements, none of them will catch 100% of everything (I'm sure you know that's impossible), so if there's an anti-spyware app that you know and trust to catch some things, you don't -have- to make a choice between one and the other, you can use both and still be ahead of the game (an AV, AT, or AS plus Prevx1 and Windows Firewall would still beat having 5 apps of different types).
herbalist
September 30th, 2006, 12:12 AM
ghiser1,
-{ Quote: "There are no behaviours that in themselves are malicious. Maliciousness is a subjective area." }-
I must say I'm somewhat disappointed with this response. While I agree that, by actual definition, there are no absolutely malicious behaviors, I wasn't asking in those terms. The behaviors I listed would be in the form an average user might use them, not their true, technically correct definitions, but conventional usage. This is the first time I've ever run into an anti-malware (community HIPS, behavior blocker, choose your term) software that either can't or won't define malware. You describe the present situation as a war, a term with which I completely agree, yet you don't define or identify the enemy in any usable terms. Identifying the enemy in general terms isn't advertising or marketing. It's stating simple facts. If someone were to ask me what Prevx protects me from, I'd have to honestly say "I don't really know." It appears we're at an impasse where none should exist.
-{ Quote: "You have a simple question to consider - where should you put your TRUST?" }-
That's exactly my point. Before I use or recommend a security application, I want to know what it does, what it protects me from, etc. I know what SSM can do, and I've grown to trust it enough that I no longer use any signature, definition, or reference file based software. When I don't know what a security app specifically defends me from, there's no incentive for me to try it.
Rick
bellgamin
September 30th, 2006, 04:46 AM
I wonder if some of the posts in this thread haven't crossed the line such that they constitute plugs for a specific software program rather than topical discussions about community-based HIPS in general?
In any event, my comments about community-based HIPS (versus those HIPS where the individual user makes most decisions) are stated in a somewhat related thread over YONDER (http://www.wilderssecurity.com/showpost.php?p=848176&postcount=77). Please note that I pointedly avoid plugging specific programs, including my own personal favorite HIPS.
BlueZannetti
September 30th, 2006, 06:05 AM
-{ Quote: "I wonder if some of the posts in this thread haven't crossed the line such that they constitute plugs for a specific software program rather than topical discussions about community-based HIPS in general?" }-My simple answer is no. The discussion involves a general question of operating mechanism posed by a member, and the followup to that. For more in-depth technical consideration the offer has already been tendered to move the discussion to the home support forums if appropriate. As far as I can see, this has not turned into a support discussion.
-{ Quote: "In any event, my comments about community-based HIPS (versus those HIPS where the individual user makes most decisions) are stated in a somewhat related thread over YONDER (http://www.wilderssecurity.com/showpost.php?p=848176&postcount=77). Please note that I pointedly avoid plugging specific programs, including my own personal favorite HIPS." }-I don't recall any general admonishments against the mention of commercial product names, nor of a general prohibition against vendors responding to open questions. There is general guidance (http://www.wilderssecurity.com/showpost.php?p=695652&postcount=3) to both members and vendors to pursue in-depth and focused product support discussions in the appropriate venue, be it an official forum here or elsewhere. The discussion thus far is not a specific product support issue, rather the posts of late have turned on a general question of how a product classifies malware, which is a question of general interest and can easily expand to other products.
Blue
BlueZannetti
September 30th, 2006, 06:29 AM
-{ Quote: "I must say I'm somewhat disappointed with this response. While I agree that, by actual definition, there are no absolutely malicious behaviors, I wasn't asking in those terms. The behaviors I listed would be in the form an average user might use them, not their true, technically correct definitions, but conventional usage. This is the first time I've ever run into an anti-malware (community HIPS, behavior blocker, choose your term) software that either can't or won't define malware. You describe the present situation as a war, a term with which I completely agree, yet you don't define or identify the enemy in any usable terms. Identifying the enemy in general terms isn't advertising or marketing. It's stating simple facts. If someone were to ask me what PrevX protects me from, I'd have to honestly say "I don't really know." It appears we're at an impasse where none should exist." }-Herbalist,
It might be useful to turn the question around a bit and ask what classical signature based AV products protect you against or what do they specifically define as malware. Do they really define things any differently? By my reading of your comments, you wouldn't know what, for example, any classical AV protects you from. If you were to ask a vendor, aside from a general response that we protect you from software having signature X that our analysts have determined does bad things to your system, they are not about to air their internal approach to signature development and implementation.
-{ Quote: "That's exactly my point. Before I use or recommend a security application, I want to know what it does, what it protects me from, etc. I know what SSM can do, and I've grown to trust it enough that I no longer use any signature, definition, or reference file based software. When I don't know what a security app specifically defends me from, there's no incentive for me to try it." }-As for classical HIPS like SSM, they don't protect you from anything per se, rather they do provide you with an opportunity to allow or disallow specific classes of operating system functions on a per application basis. Protection rests entirely with the user and for most PC users herein lies the problem. While this can afford a very high level of protection and control to an informed user, a system can be rendered almost unusable in the hands of an ill-informed user.
Blue
muf
September 30th, 2006, 07:43 AM
-{ Quote: "While this can afford a very high level of protection and control to an informed user, a system can be rendered almost unusable in the hands of an ill-informed user." }-
That is an extremely well put point BZ. Classic HIPS programs are only as good as the person controlling them. People should remember that. Community-based HIPS provide a whitelist/blacklist to assist the user. These types of HIPS are easier, safer and in my opinion are better suited to the general masses. I wouldn't put an inexperienced user who frequents the 'darker' side of the net in a position where they have to rely on a classic HIPS. They will eventually make the wrong decision.
muf
ErikAlbert
September 30th, 2006, 11:42 AM
Which file extensions are considered as executables in Prevx1? ".exe", ... ???
ghiser1
September 30th, 2006, 11:58 AM
-{ Quote: "Which file extensions are considered as executables in Prevx1? ".exe", ... ???" }-
File extensions are unimportant to Prevx1. You can rename an executable to anything you want. If it attempts to run as a process it will be "assessed" regardless of extension or even whether it has one.
ErikAlbert
September 30th, 2006, 12:20 PM
-{ Quote: "File extensions are unimportant to Prevx1. You can rename an executable to anything you want. If it attempts to run as a process it will be "assessed" regardless of extension or even whether it has one." }-
That's what I thought too. Faronics Anti-Executable claims to recognize more than 80 executables.
They give a few examples on this webpage :
http://www.faronics.com/html/AntiExec.asp
but I didn't find the complete list until now.
I hope AE works like Prevx1 and that their whitelist isn't based on file extensions. Of course AE requires a clean computer when installed, otherwise possible bad executables will be whitelisted as well.
herbalist
September 30th, 2006, 01:54 PM
-{ Quote: "As for classical HIPS like SSM, they don't protect you from anything per se, rather they do provide you with an opportunity to allow or disallow specific classes of operating system functions on a per application basis. Protection rests entirely with the user and for most PC users herein lies the problem. While this can afford a very high level of protection and control to an informed user, a system can be rendered almost unusable in the hands of an ill-informed user." }-
Absolutely. I pretty much said that earlier.
For me, it's an ideal solution, but I also recognize that it's not that good of a choice for the average or casual user. For the average user, yours looks like a more usable option that doesn't require the user to know their systems to the same degree. ... Community-based malware protection could be what the average user needs, depending on how you define malicious.
Regarding:
-{ Quote: "It might be useful to turn the question around a bit and ask what classical signature based AV products protect you against or what do they specifically define as malware. Do they really define things any differently?" }-
The "classic AV" protects against a varying percentage of the malicious code in circulation. If you're lucky, it'll recognize the next one you encounter. For the record, I don't run a resident AV either. As for defining what they detect, at least they "claim" to defend against viruses, worms, and a varying list of other undesirables. Regarding what PrevX detects, I can't even get that much of an answer. So far, I don't see a single "YES" or "NO" answer to anything I've asked. I'm not trying to start an argument here. I just want a few simple answers to the type of questions the average user might ask. Those are the ones they ask me. I need something to tell them that actually says something they understand. When an average user says "keylogger", they aren't thinking of IM programs' message archiving. They're referring to the password stealing variety. That would be obvious to most people when the topic is malware. I asked about adware. For the sake of clarity, I'll define it as "software whose primary purpose is the delivery of ads", not every app with a little banner ad in it or cycling ad at the top. Do you target conventional adware or will the user need a separate app for this? If I give my customers the kind of answers you're giving me, I won't have any customers. Yes, I understand what you mean when you say "that depends on....", but I'm sure you know exactly what context I'm asking the question in, user terms, not technically correct definitions. Regarding the examples you gave earlier, keyboard hooking by an IM program, I block it. Regarding the windows update procedure, since they released WGA, it's all manually done and monitored.
Earlier, you made reference to the financial motives of many spyware/malware remover vendors, a condition with which I completely agree. They have no reason to release software that will truly protect users as that cuts into future business, like a few million sales for individual PCs wouldn't be enough business for one lifetime, even as a one time sale. IMO, they're part of the problem, not part of the solution. I like the concept behind PrevX for the typical user, community based with much of the process automated, taking the difficult decisions off of the user. My single problem here is that there's some very basic information missing. In layman's terms, "What will you protect me from?" The marketing people from these other apps know what the user is asking. I realize that with free, community based, software, there isn't much advertising or marketing, although I see that you do sell a business version, so there is some financial motivation as well. Perhaps you should have someone with enough marketing experience :gack: (did I say that?) to answer layman's questions in their terms, starting with the ones I've been asking from the start.
Rick
Notok
September 30th, 2006, 03:24 PM
Prevx1 is a general anti-malware, it will detect anything the analysts come across, whether that's viruses, trojans, worms, adware, spyware, rootkits, keyloggers, or other. The only thing we consciously don't add detection for is riskware, but even then it's going to be taken on a case-by-case basis along with the automated analysis. Prevx1 even detects legitimate apps, though marked differently. There is almost nothing that Prevx1 does not detect one way or another... some are even marked 'caution', usually by the automated analysis. There are around 200k new files every day to be determined both good and bad, the way that just a few analysts keep up so effortlessly is because a lot of it is automated.
Now when it comes to the grayware, the anti-spyware apps will publish "TAC" style lists explaining how they decide to include detection for something or not, your anti-malware apps like NOD32, Norton, and so on, don't often publish those kinds of lists, and being closer to those AVs than to anti-spyware apps, we don't either, partially because we really would need to start talking about how the automated analysis engine works. The main difference, however, is that the AVs add detection based more on if and when they can get to those samples, they have to prioritize.. we don't.
As I've mentioned in private (as well as previously in this thread), however, if you want more specifics then you will need to come over to our forum where the entire team can and will see your question, not everyone on the team visits Wilders regularly.
trjam
September 30th, 2006, 03:27 PM
It works very well. It is the one product as I have said before, I cant do without.
ghiser1
September 30th, 2006, 04:09 PM
-{ Quote: "Prevx1 is a general anti-malware, it will detect anything the analysts come across, whether that's viruses, trojans, worms, adware, spyware, rootkits, keyloggers, or other. The only thing we consciously don't add detection for is riskware, but even then it's going to be taken on a case-by-case basis along with the automated analysis." }-
Thanks Notok, was about to put something similar myself.
To ensure we have clarity though, we aim to detect, protect and clean up everything that could be considered malware except for one thing. That one thing is tracking cookies as we don't consider tracking cookies themselves as malicious - though that's not to say that they're off the agenda for good...
We focus on identifying malware files, whether applications, dlls or drivers regardless of purpose or infection route.
I think I misunderstood the technical depth herbalist wanted in his original question. I hadn't realised that he meant high level headings like worms, spyware, keyloggers etc. Sometimes it's easy to get too close to a topic and forget that sometimes the very basic information isn't clear.
For the record, Prevx's business is automated malware research - that is all malware files regardless of type. If it is persistent on disk, then it is in our scope. Our aim is to identify and classify ALL executable files in one of three primary categories: good, bad, caution.
Good is legitimate.
Bad is malware.
Caution are items that would not normally appear on the average user's PC, but may be considered legitimate for use by security professionals.
Hope this helps,
ghiser1
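As an added example, not code from Prevx or from anyone in this thread, the following Python models the two points ghiser1 makes above: a file is assessed by its content when it tries to start as a process, whatever its extension (or lack of one), and every assessed file lands in one of the three categories good, bad or caution, or is unknown to the community until an analyst classifies it. The community table, the `record_verdict`/`assess` helpers, the PE stub builder and the sample files are all constructed for this example.

```python
"""Extension-independent executable assessment against a community verdict list.

Constructed model of a community-based HIPS lookup: the executable check reads
the file's bytes (DOS 'MZ' stub and 'PE\\0\\0' signature), the verdict comes from
a table keyed by SHA-256, and only analysts may write to that table.
"""
import hashlib
import struct

VERDICTS = ("good", "bad", "caution")
# What the HIPS does with a process start for each community verdict.
ACTIONS = {
    "good": "allow",
    "bad": "block",
    "caution": "prompt",            # unusual on an average PC; ask the user
    "unknown": "submit-and-prompt", # never seen by the community yet
}

# Constructed community database: sha256 hex digest -> verdict.
COMMUNITY_DB = {}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe_image(data: bytes) -> bool:
    """True if the bytes carry a Windows PE image, regardless of file name.

    Checks the 'MZ' DOS stub, reads e_lfanew at offset 0x3C and verifies the
    'PE\\0\\0' signature at that offset.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def record_verdict(digest: str, verdict: str, by_analyst: bool) -> None:
    """Only analysts change the community table; user submissions never do."""
    if not by_analyst:
        raise PermissionError("only analysts may change community verdicts")
    if verdict not in VERDICTS:
        raise ValueError("verdict must be one of " + ", ".join(VERDICTS))
    COMMUNITY_DB[digest] = verdict


def assess(filename: str, data: bytes) -> dict:
    """Decide what to do when `filename` tries to start as a process."""
    if not is_pe_image(data):
        # Not an executable image: the name (even 'setup.exe') is irrelevant.
        return {"file": filename, "executable": False,
                "verdict": "not-pe", "action": "ignore"}
    digest = sha256_hex(data)
    verdict = COMMUNITY_DB.get(digest, "unknown")
    return {"file": filename, "executable": True, "sha256": digest,
            "verdict": verdict, "action": ACTIONS[verdict]}


def build_pe_stub(payload: bytes) -> bytes:
    """Constructed sample input: a minimal blob that is_pe_image accepts."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points past the stub
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed sample files and analyst-recorded verdicts for them.
GOOD_IMAGE = build_pe_stub(b"constructed sample: known-good tool")
BAD_IMAGE = build_pe_stub(b"constructed sample: known-bad file")
CAUTION_IMAGE = build_pe_stub(b"constructed sample: admin utility")
NEW_IMAGE = build_pe_stub(b"constructed sample: never seen before")
record_verdict(sha256_hex(GOOD_IMAGE), "good", by_analyst=True)
record_verdict(sha256_hex(BAD_IMAGE), "bad", by_analyst=True)
record_verdict(sha256_hex(CAUTION_IMAGE), "caution", by_analyst=True)


def demo() -> list:
    """Run the sample process starts through assess() and return the results."""
    cases = [
        ("editor.exe", GOOD_IMAGE),
        ("holiday.jpg", BAD_IMAGE),          # bad file hiding behind a .jpg name
        ("noext", CAUTION_IMAGE),            # no extension at all
        ("setup.exe", b"just a text file"),  # .exe name but not a PE image
        ("fresh.exe", NEW_IMAGE),            # not yet in the community table
    ]
    return [assess(name, data) for name, data in cases]


if __name__ == "__main__":
    for r in demo():
        print(f"{r['file']:<12} {r['verdict']:<8} -> {r['action']}")
```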
herbalist
September 30th, 2006, 05:49 PM
-{ Quote: "Prevx1 is a general anti-malware, it will detect anything the analysts come across, whether that's viruses, trojans, worms, adware, spyware, rootkits, keyloggers, or other. The only thing we consciously don't add detection for is riskware, but even then it's going to be taken on a case-by-case basis along with the automated analysis. Prevx1 even detects legitimate apps, though marked differently." }-
Why couldn't someone have said that a full forum page earlier? That was all I've wanted, a general listing of what PrevX targets, and to be able to see if just plain "adware" and similar items were on it. I was also sent this link (http://individual.prevx.com/features.asp) via PM, a page that isn't linked on the PrevX homepage. Even knowing it existed, it took a while to find just where it was. No site map, no search function, no FAQ page. I'd think "what do you detect?" would be a common question and that the answer would be easy to find, if not on the first page. Best I can see, that page is 3 pages into the site, if you knew where to look.
-{ Quote: "I think I misunderstood the technical depth herbalist wanted in his original question. I hadn't realise that he mean't high level headings like worms, spyware, keyloggers etc. Sometimes its easy to get too close to a topic and forget that sometimes the very basic information isn't clear." }-
I think that's exactly what's happened here. I apologize for the way this thread has gone. It was not what I wanted to happen and if I've offended anyone, I apologize. I'm just amazed that a statement like the one I quoted or the link I just was sent should have been so hard to get. Look at it from a user's perspective. Users are told they need anti-virus, anti-malware, anti-trojan, anti-spyware, anti-keylogger, anti-hacker, ad-blocker, spam-blocker, popup-blocker, etc. By the time they put it all together, it amounts to anti-PC software because it's so bogged down, it can't run anymore. Users are almost as much victims of the marketing as they are of the malware itself. Look what one trip to a rogue anti-spyware site that shows false detections can do to a user. This gives me the answers to the user questions I get, and another option to equipping average users with SSM, doing all its basic configuration, then being on-call for all the inevitable "why won't this work" or "what does this mean" questions.
One other thing. Something of a general observation/suggestion. For many users, the internet equates to "instant results", especially with so many using high speed. If they don't find exactly what they're looking for at a site in 2 minutes or so, they move on. It might make it easier if a link like this one (http://individual.prevx.com/features.asp) was easier to find, maybe linked on the homepage or something. If it already is and I'm still missing it, label me blind and disregard this entirely.
Rick
gerardwil
September 30th, 2006, 06:07 PM
FAQ page: http://info.prevx.com/faq.asp
BlueZannetti
September 30th, 2006, 07:36 PM
-{ Quote: "That was all I've wanted, a general listing of what PrevX targets, and to be able to see if just plain "adware" and similar items were on it." }-Herbalist,
Another thing to examine, which can be germane if someone is running more than one product, is a listing of the hooked kernel services. That can also provide some insight into what is monitored and general approaches employed.
Blue
Notok
September 30th, 2006, 10:05 PM
-{ Quote: "That one thing is tracking cookies as we don't consider tracking cookies themselves as malicious - though that's not to say that they're off the agenda for good..." }-Oop, I knew I was missing something :X
-{ Quote: "I think that's exactly what's happened here. I apologize for the way this thread has gone. It was not what I wanted to happen and if I've offended anyone, I apologize." }-Indeed I think it was too, and no offense taken on my part - just glad it's cleared up :) It seemed like you already knew the general scope of protection, from what I had already said and/or the website, and were looking for specifics (the TAC style point system of determining whether a specific file should be included or not, like whether displaying popups counts against it, etc).
-{ Quote: "Users are told they need anti-virus, anti-malware, anti-trojan, anti-spyware, anti-keylogger, anti-hacker, ad-blocker, spam-blocker, popup-blocker, etc" }-I actually have to disagree with that. The average user is told they need Norton. They often aren't aware of the other classes of threats, and often times don't particularly want it explained. To the average user, adware is a virus. They want an overall solution that will handle everything, and so the general anti-malware products are generally presented that way (as an all-in-one solution, or at least a general anti-malware), where the specialized apps usually let you know the limits of what they detect. When you're not a mainstream app then people find your site because they need something to remove what the mainstream apps missed on their system. It's a different story when you come to the enthusiast forums, but we're by far the minority when you start thinking in terms of literally hundreds of millions of people. I can appreciate that someone like yourself might want to have a specific list, but I have to disagree that the general public is looking for the same list. Most of the time people are looking for a solution to a specific problem, like when they have a SpywareQuake infection, and they just want to know that it's an all-in-one solution. Just to be clear, I'm not saying that there's anything wrong with that point of view, it's just that most people aren't that interested, and also why they reject the idea of running all the programs that you mention that end up slowing the machine to a halt. Outside the security circles people can sometimes jump to the offensive if you suggest that they run more than one or maybe two apps. Truth is that I don't entirely disagree. 
So many apps want to run multiple background services that once you have just your basic drivers (with their utilities) and maintenance apps, you scarcely have resources left for the fun stuff that you're running the system for in the first place. So, regardless of the specific app, I want the greatest level of protection with the least number of processes. To bring this back to the original topic: since traditional solutions aren't normally doing that on their own, the community apps are starting to give some reprieve. Take some traditional concepts and add the community aspect, and you're back to having what you want in the smallest possible package. These days I'm finding that community based apps (even beyond any of the apps discussed in this thread) are the main ones providing innovative solutions and effective protection for what they do.
-{ Quote: "If it already is and I'm still missing it, label me blind and disregard this entirely." }-
Well, if you click on the "Clean and protect my PC" link on the front page, you do see:
-{ Quote: "Prevx1 will disable, remove, disinfect, cleanup and then protect your PC against re-infection by virtually all new and prevalent malware infections, such as viruses, trojans, adware, spyware and bots including those that bypass other leading security products." }-
ghiser1
October 1st, 2006, 07:09 AM
-{ Quote: "I think that's exactly what's happened here. I apologize for the way this thread has gone. It was not what I wanted to happen and if I've offended anyone, I apologize." }-
No need to apologize Rick. Just glad we got it sorted out.
sukarof
October 4th, 2006, 08:27 AM
I have been testing Prevx1 for a couple of days now and I must say that I do like this community-based HIPS idea.
I have for a long time been a security junkie needing to know what happens in my computer all the time.
The most intrusive program I know of is App and Regdefend (GSS). It will tell you everything about what is happening (until rules have been made).
Until recently that has been exactly how I wanted it. It has been nice to know (have control) what was going on behind my back. I have learnt quite alot from it (and other HIPS)
My conclusion, after playing around with HIPS for a couple of years, is that it is quite hard to get infected with anything at all (at least with my setup). Only the leak tests have shown me that there are a lot of loop holes for malware, but I have never encountered a real malware (according to the HIPS and AV I have tried). So I feel quite safe letting the community decide what is good or bad since obviously the community does find more malware than I have done :)
I have grown really, really tired of confirming every obscure little detail with every install/uninstall I make, and I install and uninstall a lot. Lately I have bypassed GSS most of the time when I installed something. By doing so I of course reduced my security and made GSS more or less impotent. Therefore I find that community-based HIPS (Online Armor, Prevx1 are the only ones I've heard of) suits me better nowadays.
I still get, if I want, info on what is going on but I don't have to confirm everything anymore which is a big relief.
I have installed different kinds of HIPS on some of my not so computer skilled friends' computers, but that has of course been a disaster since they had no clue of what was happening, which resulted in quite a few phone calls :D I think that software like Prevx1 is perfect for less skilled (or rather; less interested in security) people.
Wai_Wai
October 10th, 2006, 07:50 AM
-{ Quote: "Why couldn't someone have said that a full forum page earlier? That was all I've wanted, a general listing of what PrevX targets, and to be able to see if just plain "adware" and similar items were on it. I was also sent this link (http://individual.prevx.com/features.asp) via PM, a page that isn't linked on the PrevX homepage. Even knowing it existed, it took a while to find just where it was. No site map, no search function, no FAQ page. I'd think "what do you detect?" would be a common question and that the answer would be easy to find, if not on the first page. Best I can see, that page is 3 pages into the site, if you knew where to look.
I think that's exactly what's happened here. I apologize for the way this thread has gone. It was not what I wanted to happen and if I've offended anyone, I apologize. I'm just amazed that a statement like the one I quoted or the link I just was sent should have been so hard to get. Look at it from a users perspective. Users are told they need anti-virus, anti-malware, anti-trojan, anti-spyware, anti-keylogger, anti-hacker, ad-blocker, spam-blocker, popup-blocker, etc. By the time they put it all together, it amounts to anti-PC software because it's so bogged down, it can't run anymore. Users are almost as much victims of the marketing as they are of the malware itself. Look what one trip to a rogue anti-spyware site that shows false detections can do to a user. This gives me the answers to the user questions I get, and another option to equipping average users with SSM, doing all its basic configuration, then being on-call for all the inevitable "why won't this work" or "what does this mean" questions.
One other thing. Something of a general observation/suggestion. For many users, the internet equates to "instant results", especially with so many using high speed. If they don't find exactly what they're looking for at a site in 2 minutes or so, they move on. It might make it easier if a link like this one (http://individual.prevx.com/features.asp) was easier to find, maybe linked on the homepage or something. If it already is and I'm still missing it, label me blind and disregard this entirely.
Rick" }-
Thanks for your questions and comments, herbalist.
But I think the descriptions in this link (http://individual.prevx.com/features.asp) are still not accurate. For example, the support team here did mention they will detect adware/spyware. However I don't see them mentioned in the feature list.
Even if it includes the simple words adware/spyware, it doesn't solve the problem. This is not a big problem for signature-based antimalware and classic HIPS since the final decision is passed on to me. However Prevx1 will decide on our behalf, so we need to know more about in what circumstances it blocks something, and in what circumstances it doesn't. The examples which have been mentioned by you are:
delivers popup ads
banner ads
data miner
calls home
updates silently
downloads more software
modifies hosts file
modifies internet zone settings or adds itself to trusted zone
questionable changes in products EULA
vendor shares data with other companies
Some problems may arise when you wish to run a program which displays ads or collects some personal data which you approve of but is blocked by Prevx1 since they think this is best for you.
muf
October 10th, 2006, 08:03 AM
-{ Quote: "I think the descriptions in this link (http://individual.prevx.com/features.asp) are still not accurate. For example, the support team here did mention they will detect adware/spyware. However I don't see them mentioned in the feature list." }-
Hi,
If I follow your link and click 'Overview' then it provides some more info. Scroll down to "Stops New and Established Threats" and it clearly states that "Prevx1 ABC will protect your system from attack by viruses, trojans, worms, adware, spyware and hackers. It offers much stronger protection than conventional Antivirus or Antispyware products. It will also protect you from established threats as well as new and evolved malware which bypass conventional products with ease."
Hope this helps.
muf
Wai_Wai
October 10th, 2006, 11:55 AM
-{ Quote: "Hi,
If I follow your link and click 'Overview' then it provides some more info. Scroll down to "Stops New and Established Threats" and it clearly states that "Prevx1 ABC will protect your system from attack by viruses, trojans, worms, adware, spyware and hackers. It offers much stronger protection than conventional Antivirus or Antispyware products. It will also protect you from established threats as well as new and evolved malware which bypass conventional products with ease."
Hope this helps.
muf" }-
Thanks for the info.
The point I would like to raise is I think the vendor should try to include these two in the feature list. If they are not there when people read the feature list, they may assume it doesn't deal with "adware & spyware".
muf
October 10th, 2006, 01:01 PM
-{ Quote: "Thanks for the info.
The point I would like to raise is I think the vendor should try to include these two in the feature list. If they are not there when people read the feature list, they may assume it doesn't deal with "adware & spyware"." }-
Yep, I agree with what you are saying. They appear to have split the list into two. There is also no mention in the feature list of protection from viruses, trojans and worms. Along with spyware and adware I would have thought these five definitions the most important?
muf
Notok
October 10th, 2006, 02:09 PM
-{ Quote: "They appear to have split the list into two. There is also no mention in the feature list of protection from viruses, trojans and worms. Along with spyware and adware I would have thought these five definitions the most important?" }-That list would be for the behaviors monitored, where the other list would be the kinds of malware that are specifically marked "bad".
Copyright ©2002 - 2012, Wilders Security Forums