PrevX under scrutiny..
Longboard
October 11th, 2006, 11:07 AM
I have been trialling "PX" and am liking the implementation so far.
Couple of observations and queries:
Apart from the rather ghastly squishy gooey GUI (maybe I'm the only blue/green colour blind user :P ) it has been going well.
A couple of FPs got a quick response from support.
Failed to recognise "BOClean installation" but that may have been the packer?
Couple of other small things
To stretch a supposition a bit.. if no users visit "death strike" sites where will the database come from? In house research hopefully getting to all the Gromozon
http://www.wilderssecurity.com/showthread.php?t=136452 sites and doing their research on pr0n sites LOL.
I cannot find any independent test of PX scan and remove function and no testing of screening and block functions.
Cannot see any testing of anti-termination functions
That by no means suggests it is not happening as claimed, but before plonking down $$ would like to see some verification of claims by vendors.
Many threads on the web about the "grom" rootkit scanners, online scanners and various updates by vendors (all seem to be having probs keeping up!!, even BOClean which I use and respect).
Cannot find any reports of PX and grom detection or removal.
I know that a wonderful project was undertaken by the team from PX who released the first grom removal tool; that also has been superseded.
I feel a bit cheeky looking to interrogate any outfit that is obviously at the cutting edge and making a serious effort.
In addition this link is a bit of a heart stopper:
http://www.morgud.com/interests/security/dfk-threat-simulator-v2.asp
Could prevx protect itself?
To prevx can you demonstrate that you do as claimed?
Heh: skins ?
Any comments?
Any links to tests?
Regards.
ooppss forgot to check: I think kareldjag did a series of HIPS tests but can't remember if Prevx was part of that and now I can't find it
muf
October 11th, 2006, 01:12 PM
-{ Quote: "ooppss forgot to check: i think kareldjag did a series of hips tests but cant remember if Prevx was part of that and now I cant find it " }-
This one http://kareldjag.over-blog.com/1-categorie-86447.html
But it's an older version and Prevx has been updated extensively since this test. Would not take the results too seriously. Hopefully a similar test will be performed with the current version.
muf
sukarof
October 11th, 2006, 01:46 PM
Prevx1 in pro mode does warn about it and advises not to run it. I did however allow everything to happen.
If one chooses to run once it will allow the copying of the file projector.exe but warns and advises you not to run it.
If you still allow it, it will copy things and kill your AV (if it targets your specific AV that is). DrWeb is killed and then Prevx1 warns about the renamed spidernt.exe (originally a component of DrWeb, now replaced by the malware). Prevx1 again advises not to run the modified file.
After that net.exe and net1.exe do something.
After a while Prevx1 warns that WINLLOGON.EXE wants to start and advises not to run the file.
WINLLOGON.EXE then terminates a lot of programs, I didn't have time to see all of them but Geswall was one of them.
After that Prevx1 warns that PLAYMOVIE.EXE wants to run (and Prevx1 advises NOT to run it as usual)
PLAYMOVIE.EXE creates a file named RUNTIME.EXE and Prevx1 again warns about execution and advises against it.
RUNTIME.EXE creates a file named WIN32K.EXE and PREVX1 warns and advises not to run it.
WIN32K.EXE creates a global hook and installs a file named WIN32E.EXE and Prevx1 warns and advises against the execution.
WIN32E.EXE installs a file named WIN32L.EXE and PREVX1 warns and advises not to run it.
WIN32L.EXE installs a file named ABC.EXE, PREVX1 warns and advises not to run it.
And then a file named XYZ.EXE is created, PREVX1 warns and advises not to run it.
Comodo blocks an attempt to connect to securityfocu.com.
But PREVX1 was not terminated but probably because the threat test did not target PREVX1.
This test info was gathered from the popups PREVX1 provided. Not very scientific but it gives you an idea how the threat test works.
edit* oops I forgot to mention it was the morgud threat test I was testing
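Reconstructing that kind of dropper chain from raw events, as an added example that is not part of sukarof's post and not code from Prevx or from the DFK threat simulator: the Python below takes a constructed trace of process-create, file-write and process-kill events shaped like the sequence described above (PLAYMOVIE.EXE writing RUNTIME.EXE, RUNTIME.EXE writing WIN32K.EXE, and so on), links each process to its parent only when the parent wrote the child's image first, and reports maximal chains of three or more such hops, executables whose names sit one edit away from a system binary (WINLLOGON.EXE against winlogon.exe), and kills aimed at known security-tool images. The event trace, the PROTECTED_NAMES and AV_IMAGES sets and the chain-length threshold are all assumptions made for the example.

```python
"""Reconstruct a dropper chain from process/file events (added example).

The trace, the name lists and the threshold are constructed for this
example; nothing here is output from Prevx1 or from the DFK threat simulator.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumption: a short list of system images a dropper likes to imitate.
PROTECTED_NAMES = {"winlogon.exe", "win32k.sys", "explorer.exe", "svchost.exe"}
# Assumption: images belonging to security tools; a kill aimed at one is notable.
AV_IMAGES = {"spidernt.exe", "drwebscd.exe", "zlclient.exe"}


@dataclass(frozen=True)
class Event:
    seq: int          # position in the trace
    kind: str         # "create" (process), "write" (file), "kill" (process)
    pid: int          # the process this event is about (the new one for "create")
    image: str        # image name of that process
    target: str = ""  # written file name or killed image; unused for "create"
    ppid: int = 0     # parent pid, used by "create"


# Constructed trace modelled on the sequence described in the post above.
EVENTS: List[Event] = [
    Event(1, "create", 100, "playmovie.exe", ppid=1),
    Event(2, "write", 100, "playmovie.exe", target="runtime.exe"),
    Event(3, "create", 101, "runtime.exe", ppid=100),
    Event(4, "write", 101, "runtime.exe", target="win32k.exe"),
    Event(5, "create", 102, "win32k.exe", ppid=101),
    Event(6, "write", 102, "win32k.exe", target="win32e.exe"),
    Event(7, "create", 103, "win32e.exe", ppid=102),
    Event(8, "kill", 103, "win32e.exe", target="spidernt.exe"),
    Event(9, "create", 104, "WINLLOGON.EXE", ppid=1),
    Event(10, "create", 105, "notepad.exe", ppid=1),
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance over a small DP row; inputs are short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(image: str) -> Optional[str]:
    """Return the protected name this image imitates (exactly one edit away), else None."""
    image = image.lower()
    for real in sorted(PROTECTED_NAMES):
        if image != real and edit_distance(image, real) == 1:
            return real
    return None


def dropper_chains(events: List[Event], min_len: int = 3) -> List[List[str]]:
    """Chain a process to its parent when the parent wrote the child's image first.

    Returns only maximal chains (no chain that is a prefix of a longer one)
    with at least min_len images, oldest ancestor first.
    """
    written: Dict[int, Set[str]] = defaultdict(set)  # pid -> files it wrote so far
    chain: Dict[int, List[str]] = {}                 # pid -> images back to the root
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "write":
            written[ev.pid].add(ev.target.lower())
        elif ev.kind == "create":
            image = ev.image.lower()
            if image in written[ev.ppid] and ev.ppid in chain:
                chain[ev.pid] = chain[ev.ppid] + [image]
            else:
                chain[ev.pid] = [image]
    long = [c for c in chain.values() if len(c) >= min_len]
    return [c for c in long
            if not any(len(o) > len(c) and o[:len(c)] == c for o in long)]


def av_kills(events: List[Event]) -> List[Tuple[str, str]]:
    """(killer image, victim image) for every kill aimed at a security-tool image."""
    return [(e.image.lower(), e.target.lower())
            for e in sorted(events, key=lambda e: e.seq)
            if e.kind == "kill" and e.target.lower() in AV_IMAGES]


def analyse(events: List[Event]) -> dict:
    """Run all three checks over a trace and return the findings by category."""
    hits = []
    for e in sorted(events, key=lambda e: e.seq):
        if e.kind == "create":
            real = lookalike(e.image)
            if real:
                hits.append((e.image.lower(), real))
    return {"dropper_chains": dropper_chains(events),
            "lookalikes": hits,
            "av_kills": av_kills(events)}


if __name__ == "__main__":
    for key, value in analyse(EVENTS).items():
        print(f"{key}: {value}")
```

Linking on "parent wrote the child's image" rather than on parent pid alone is what separates this chain from an ordinary installer that spawns helpers it shipped with; the one-edit name check is deliberately narrow so that legitimate binaries with similar names do not all light up.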
ErikAlbert
October 11th, 2006, 02:13 PM
sukarof,
If I was a member of the Prevx1 Team, I would try Prevx1 constantly on every "dangerous" website I could find. I certainly wouldn't wait until users report malware to feed the "Community Database".
That's how you have to test Prevx1 by putting it in extreme situations and fix the problems in Prevx1, before users even encounter them.
kr4ey
October 11th, 2006, 03:17 PM
-{ Quote: "This one http://kareldjag.over-blog.com/1-categorie-86447.html
But it's an older version and Prevx has been updated extensively since this test. Would not take the results too seriously. Hopefully a similar test will be performed with the current version.
muf" }-
This version of Prevx is no longer being produced; it is very old. Last version number of this was 2.1 (Prevx Home and Prevx Pro).
Prevx1 was being produced along side this version.
I installed this a long time ago but didn't like it, has the same features as Prevx1.
But not sure what the real difference is.
I have been using Prevx1 for many years. Not sure if there are any tests with Prevx1, I haven't been able to find any.
Rick
EDIT: Difference in old Prevx Home (Free) and Pro version 2.1 is, it does not use signatures or community databases.
Notok
October 11th, 2006, 03:30 PM
-{ Quote: "If I was a member of the Prevx1 Team, I would try Prevx1 constantly on every "dangerous" website, I could find. I certainly wouldn't wait, until users report malwares to feed the "Community Database".
That's how you have to test Prevx1 by putting it in extreme situations and fix the problems in Prevx1, before users even encounter them." }-And that is just it :) Malware research does hunt down malware as much as possible, but then again the community database is bigger and sees more than any honeypot out there. I also do quite a bit of this just to test cleanup. There's also quite a few heuristic rules created for malware that may be coming up.
-{ Quote: "I have been using using Prevx1 for many years. Not sure if there any tests with Prevx1, I haven't been able to find any." }-The professional testers would need to change their testing methods drastically to test Prevx1 (as opposed to how they normally test antivirus software), so thus far there haven't really been any. You might find some enthusiast tests, but would want to take those with a pinch of salt (no matter whether they come out good or bad, or even what products they test).
If the tests are to see how a program handles memory attacks, for example, and the program is focused more on keeping the malware from getting to that point in the first place, then the review could falsely present the program as being entirely ineffective. For Prevx1 in particular if all that's tested is the behavior blocking then it's missing the entire point of the program, which is to see more malware, add detection much faster, and remove more of it. Test files can give you an idea of how a program would react to some situations, but tallying up points for how many actions it blocks doesn't give you much true perspective on how well it really keeps your system free of infection, and (IMO) is a silly thing to base your opinion of a product on. I've known programs (no, not Prevx) that would probably fail those tests miserably, but would do far more to keep your system clean than the programs that score very well. Conversely, the old Prevx Pro did well in a lot of tests, but in the real world it didn't do much, and no amount of additional leaktest protection would have fixed that.
These tests can show how a particular program would react to a particular event, but that may not have any relevance to its overall efficacy.
That's not to say anything bad about any test, just don't take it for granted that something is better or worse based on test files. Take them for what they're worth, but don't take them to measure the worth of a program. Remember that those test files (demo trojans) are made by vendors with marketing in mind. They're specifically made so that only their own software will stop it, and it's based entirely on their own unique approach to stopping malware. They're usually made to scare you into thinking that theirs is the only program that can protect you. If every vendor took the same approach then your choices would be very limited and malware writers would have an easy time writing around them.
ErikAlbert
October 11th, 2006, 03:44 PM
-{ Quote: "And that is just it :) Malware research does hunt down malware as much as possible, but then again the community database is bigger and sees more than any honeypot out there. I also do quite a bit of this just to test cleanup. There's also quite a few heuristic rules created for malware that may be coming up." }-
Thank you. This way of working is for me very reassuring and Prevx1 fits more and more in my plans. I have it already installed, but I never really tested it. I have to re-install my computer first, because I need more clean backup files and archived snapshots, which I forgot during my previous off-line installation. It's almost finished on paper. After that I don't have to reinstall my computer from scratch again, at least not manually.
Acronis and FDISR are tested thoroughly and working properly. So I need another target : Prevx1. :)
starfish_001
October 11th, 2006, 03:45 PM
I like prevx a great deal but problems? that I have just noticed
Access to physical memory.
Prevx and Outpost are both supposed to block this - not sure what they mean exactly but Sysinternals PhysMem can access memory without an alert from either, with the Prevx option set to prevent.
But ... PG and SSM both alert and block the access.
Keyloggers
like http://www.diamondcs.com.au/processguard/index.php?page=attack-keystroke-loggers
Prevx is set to heuristic; it does not appear to alert on this keylogger. PG stops it dead, SSM deals with it pretty well, DefenseWall or AppDefend do not appear to stop it.
So not sure what is going on ..... Clarification would be interesting?
Notok
October 11th, 2006, 06:45 PM
-{ Quote: "PG and SSM both alert and block the access.
Clarification would be interesting?" }-It's marked good because it's a legitimate tool with legitimate uses. Imagine if you were a programmer and trying to actually use the tool for its intended purpose...
I've personally seen Prevx1 stop malware from accessing physical memory, even when it does so via a DLL injected into a process like explorer.exe.
This also goes to illustrate part of what I mean when I say there's no advantage to blocking legitimate application functions. If explorer.exe has a malicious DLL injected into it, Prevx1 won't just allow the action because explorer.exe is marked good. Malicious actions are blocked regardless, blocking legitimate system functions only creates problems.
starfish_001
October 11th, 2006, 06:57 PM
-{ Quote: "It's marked good because it's a legitimate tool with legitimate uses. Imagine if you were a programmer and trying to actually use the tool for it's intended purpose...
I've personally seen Prevx1 stop lots of malware from accessing physical memory, even when it does so via a DLL injected into a process like explorer.exe.
This also goes to illustrate part of what I mean when I say there's no advantage to blocking legitimate application functions. If explorer.exe has a malicious DLL injected into it, Prevx1 won't just allow the action because explorer.exe is marked good. Malicious actions are blocked regardless, blocking legitimate system functions only creates problems." }-
Interesting - the keylogger has been classified as malware - it is in my holding cell but can function as it is a legitimate tool.
Notok
October 11th, 2006, 07:42 PM
Can, yes, but there's no gray area with SysInternals' tools. SysInternals' tools are made for diagnosis and software development (and other such things.. made for IT admins and programmers, at any rate), they just happened to be picked up by one or two people for testing.
http://www.sysinternals.com/information/tipsandtrivia.html
kr4ey
October 11th, 2006, 08:38 PM
I don't believe in tests either. Like I said earlier, I have been using Prevx1 for years. I don't have any other protection. Just Prevx1 and Jetico Firewall.
I have never been infected with anything, and Prevx1 has always caught anything that tried. So that's all the results I need.
starfish_001
October 12th, 2006, 03:40 AM
-{ Quote: "Can, yes, but there's no gray area with SysInternals' tools. SysInternals' tools are made for diagnosis and software development (and other such things.. made for IT admins and programmers, at any rate), they just happened to be picked up by one or two people for testing.
http://www.sysinternals.com/information/tipsandtrivia.html" }-
Thanks for the info - I had been interested in how the other apps performed - Prevx has been part of my build for several months.
The coverage of prevx is broad - I have just been trying to find the edges compared to other products + Trying to determine the value of mixing prevx with others Hips like: SSM, Appdefend or PG.
Like many here - I like a mix of automatic and manual intervention
Wai_Wai
October 12th, 2006, 05:54 AM
Longboard,
I once read a report which compared on-demand scans of many anti-malware products, including Prevx1, but I have lost that link.
Anyway, as far as on-demand scan is concerned, Prevx1 has proved to be very weak. Both the test I read and the tests I made showed AVs have much higher detection rates than Prevx1. It might be because it can't scan archives properly.
I think you can't use demo/test tools to test Prevx1. It is because Prevx1 simply adds the tools into their database (ie blacklist them), so they block it without any problem. Maybe you should disconnect from the Internet when you do such tests like termination, buffer overflow, leaktests and so on; and see how it can defend against these attacks.
Wai_Wai
October 12th, 2006, 06:08 AM
-{ Quote: "sukarof,
If I was a member of the Prevx1 Team, I would try Prevx1 constantly on every "dangerous" website, I could find. I certainly wouldn't wait, until users report malwares to feed the "Community Database".
That's how you have to test Prevx1 by putting it in extreme situations and fix the problems in Prevx1, before users even encounter them." }-
Maybe you could simply run it on a test machine, where you have original Windows without any security except Prevx1. You don't even update Windows, so you can see if it can protect you from possible vulnerabilities.
Longboard
October 12th, 2006, 11:06 AM
Thanks for input .
I am writing this from POV of non-tech but interested end user.
I know current release is based on vast user based experience and the PrevxR testers.
Nonetheless everybody here has offered opinion based on presumptive and accumulated experience : "never had an infection yet" : how do you know? There are definitely exploits that bypass PX
OR
"It (pX) found this....."
@sukarof: that was v.cool of you with DFK example: :thumb: what test bed did you use, image or rollback or FDISR or spare machine or other?
@Muf: yes that one: obviously o.o.d. now ( I hope) be nice if he did it again.
@Notok; your opinion and comment is appreciated. You said:
-{ Quote: "The professional testers would need to change their testing methods..as opposed to how they normally test antivirus software.. so thus far there haven't really been any. ...
.... For Prevx1 in particular if all that's tested is the behavior blocking then it's missing the entire point of the program, which is to see more malware, add detection much faster, and remove more of it. ...
These tests can show how a particular program would react to a particular event, but that may not have any relevance to its overall efficacy....
That's not to say anything bad about any test, just don't take it for granted that something is better or worse based on test files. ..." }-
I am not trying to misrepresent what you said, or diss you, but in attempting to support PX approach you seem to have discredited every test system unless each test is specifically designed to illuminate a specific vulnerability.
You seem to imply there may be no valid test that conforms to any recognised methodology for PX.
From the website:
-{ Quote: "Prevx1 will protect your system from attack by viruses, trojans, worms, adware, spyware and hackers. It offers much stronger protection than conventional Antivirus or Antispyware products. It will also protect you from established threats as well as new and evolved malware which bypass conventional products with ease." }-
Those are big claims and should really be backed up even with in house testing and perhaps screenies.
I appreciate there are v.specific methodologies that need to be applied for testing various scenarios. It occurs to me that it would not be beyond PX to demonstrate and make available some comparative virus malware scanning and removal tests from a compromised box.
There are many links to various rootkits and trojans that could be tested.
EG: even EP_XOFF's demo trojan.
Virtually every anti-rootkit uses Hacker Defender as a demo / de facto gold standard.
As per kareldjag's site: there are any number of well described tests that could be performed.
Look, I will probably use this alongside FW and AV& BOClean and still do some on demand scanners. I think the concept is a terrific and unique application. I just wanted to try and get a little deeper into some proof of puddings.
It would be a bit disingenuous to say testing results do not influence choices.
Regards.
sukarof
October 12th, 2006, 11:40 AM
-{ Quote: "@sukarof: that was v.cool of you with DFK example: what test bed did you use, image or rollback or FDISR or spare machine or other?
" }-
Firstdefense snapshot.
Notok
October 12th, 2006, 01:57 PM
-{ Quote: "I am not trying to misrepresent what you said, or diss you, but in attempting to support PX approach you seem to have discredited every test system unless each test is specifically designed to illuminate a specific vulnerability.
You seem to imply there may be no valid test that conforms to any recognised methodology for PX." }-My point isn't to discredit every test, just that professional tests will surely happen at some point in the future, but don't take leaktests as any real indication of how well a security application will actually protect you. You can take them into account as to how a particular program will react in such an event, but that a tally of how many prompts you receive is not an indication of actual protection. The example given of SysInternals' PhysMem is one example; Prevx1 allows it because it's a legitimate tool (it wasn't even made for testing security apps)... so does that mean that Prevx1's physical memory access protection is worthless? In the event that it was a real trojan, any given app can block the trojan at any point from when it tries to begin downloading until the end of the infection process, testing for one particular event does not tell you how or where that app would protect you.
By the same token, some might say DefenseWall won't protect you because the malware can actually run. If a test focused only on the fact that it allows it to run, and was verbose enough about it, you might conclude that the person is right - the malware runs, so you're left unprotected (never mind how the software actually works). I'm not just saying this about Prevx1, this is something I came to realize a long time ago and it goes for any app with any kind of generic protection. Take those tests for what they're worth, but don't assume they're any overall indication of how well the app can protect you. If you're going to rely on someone else's word, wait for a professional and reputable tester, and until then you can ask questions on Wilders (or other forums), come to understand what the program can and cannot do, and use the best that you know - same as just about anything else.
-{ Quote: "Those are big claims and should really be backed up even with in house testing and perhaps screenies." }-Nobody would believe in-house testing, after all if we have the samples we're going to detect them, but you can peruse the virus info center here: http://virusinfo.prevx.com/. I don't know for sure, but I doubt it will be too long before a real test comes around.
-{ Quote: "It would be a bit disingenuous to say testing results do not influence choices." }-I'm not sure how we got from me saying "take them with a pinch of salt" to trying to discredit all tests and say they don't influence choices. Of course they do, all I'm saying is to be critical of what tests you allow to influence your choices and how. Take them into consideration, yes, but don't take it for granted that they show you the whole picture. After all, aren't we critical of any enthusiast tests in any other area of security?
Consider how much credence you would give it if I had, at some point in the past, thrown a bunch of malware I had collected at a bunch of anti-spyware apps. There would be all sorts of questions about the samples, where I got them, the quality of samples and whether they were functional, whether they were appropriate to the testing I was doing, how well I did the testing, was I testing packed samples against scanners not meant to do unpacking, how I configured each app, how I prepared the test environment for each new test, and on and on and on... so if an enthusiast throws a bunch of leaktests at a firewall, should you be any less critical of how the results represent the overall worth of the firewall? (Perhaps gkweb's tests can shine as a positive example here, as he is careful not to try to represent a judgement of the overall firewall, he keeps it in perspective.) Perhaps it does indeed give you a little better idea of how the product will perform, my entire point is that it doesn't come close to giving you the entire picture.
In the meantime, there are security and IT professionals that can attest to how well various technologies have served them on networks with hundreds or thousands of (even high-risk) users, and can sometimes even give you an idea of why.
ErikAlbert
October 12th, 2006, 02:09 PM
-{ Quote: "After all, aren't we critical of any enthsiast tests in any other area of security?" }-
Yes I also have many doubts regarding different AV/AS/AT/AK tests, they always have a different winner and the winner of one test is a loser in another test. ;D
Perman
October 12th, 2006, 07:15 PM
Hi, folks: On this PC, I am running ZASS (minus AV, AS), BitDefender AV Plus 10 (FW uninstalled), AVG AS Plus. I just added Prevx1 onto it, hoping with its addition I perhaps can reduce some scanners. Guess what has happened? The popular anti-malware app, Prevx1, and the other popular firewall, ZA, could not be on speaking terms. This is how it happened. After reboot, during boot-time system scan of Prevx1, ZA firewall somehow was terminated; this has never occurred prior to Prevx1's installation. I have to shut down the ZASS program completely and activate it again manually. I like to keep both apps, but what in the world should I do? Any advice? Urgently. Thanks.
muf
October 12th, 2006, 07:56 PM
-{ Quote: "Hi, folks: On this PC, I am running ZASS (minus AV, AS), BitDefender AV Plus 10 (FW uninstalled), AVG AS Plus. I just added Prevx1 onto it, hoping with its addition I perhaps can reduce some scanners. Guess what has happened? The popular anti-malware app, Prevx1, and the other popular firewall, ZA, could not be on speaking terms. This is how it happened. After reboot, during boot-time system scan of Prevx1, ZA firewall somehow was terminated; this has never occurred prior to Prevx1's installation. I have to shut down the ZASS program completely and activate it again manually. I like to keep both apps, but what in the world should I do? Any advice? Urgently. Thanks." }-
Hi,
Although I have never used the ZoneAlarm Security Suite, I have used the ZoneAlarm firewall (free & latest version). I had no problems at all, and a friend of mine who is also using ZA free with Prevx (+ Online Armor if it matters) is not having problems. So my advice is to check out the other modules running in ZASS as it may be one of those interfering. Try disabling them one at a time and see if you can narrow it down to which ZASS module is clashing with PX.
Failing that, consider it could simply be a bad install. Try uninstalling PX and re-installing. And if you didn't, try closing all your other security apps down before you re-install it. Sometimes they really do cause installation problems while they are running.
muf
Notok
October 12th, 2006, 08:34 PM
-{ Quote: "Sometimes they really do cause installation problems while they are running. " }-Especially now that some antivirus and other security software have started doing silent behavior blocking without mentioning it :P
bellgamin
October 13th, 2006, 03:44 AM
-{ Quote: "Prevx1 will protect your system from attack by viruses, trojans, worms, adware, spyware and hackers. It offers much stronger protection than conventional Antivirus or Antispyware products. It will also protect you from established threats as well as new and evolved malware which bypass conventional products with ease." }-Those are very strong claims and they need some sort of support besides the product's own website.
Safe'N'Secure was tested by AV-Comparatives, so they can & do rightfully cite those excellent test results.
DefenseWall was tested Yonder (http://security.over-blog.com/article-3030160.html) so they can & do cite those equally excellent test results.
Why has Prevx not been tested, or submitted their program for independent testing, as did S'N'S & DW?
Back in June-July 2005 SSM (http://kareldjag.over-blog.com/8-categorie-69553.html) scored 9/10 in well-documented, meaningful tests. Process Guard (http://kareldjag.over-blog.com/7-categorie-69553.html) earned the same high score. In that same time frame, Prevx PRO (http://kareldjag.over-blog.com/1-categorie-86447.html) scored 7.5 of 10 -- a respectable score.
So there HAVE been tests -- no doubt out-dated & of an earlier version of PX, but the same also is true for SSM & PG.
Ergo, IMO the claims on PX's website should be taken with a grain of salt until they are independently substantiated. Actually, when PX is eventually tested I predict that it will substantially validate its claims. I truly hope that it does. PX is a nicely priced, superbly supported, well-documented, beautifully structured piece of anti-malware.
Notok
October 13th, 2006, 06:01 AM
-{ Quote: "Why has Prevx not been tested, or submitted their program for independent testing, as did S'N'S & DW?" }-We communicate with the rest of the anti-malware community, so I don't expect it will be long. Testers only set up for AV testing will have to do things a little differently, so they can't just pull it off the shelf and give it a go, so to speak. If they tried it's even possible that they'd set off flood protection on the servers; things can get sticky if not done right.
-{ Quote: "Back in June-July 2005 SSM scored 9/10 in well-documented, meaningful tests. Process Guard earned the same high score. In that same time frame, Prevx PRO scored 7.5 of 10 -- a respectable score." }-Do see my earlier post in this thread, though (#6 as well as #18). Yes it "tested" fairly well, but many "fails" wouldn't have even gotten that far if it were real malware (assuming everything was blocked), and the real world test (the PAWS data collected from all users as the program was used) showed a very different story.
-{ Quote: "Back in June-July 2005 SSM scored 9/10 in well-documented, meaningful tests. Process Guard earned the same high score. In that same time frame, Prevx PRO scored 7.5 of 10 -- a respectable score." }- 8)
Frank the Perv
October 13th, 2006, 11:56 AM
I recently found a bunch of malware on my computer. It apparently sailed right by McAfee, and lots of other stuff too (listed below in the signature data).
I do surf in higher risk waters than many here, so to some degree, my system will inherently be tested more than most by some of the toughest and nastiest malware out there. And thus, I do get infected more than most.
I have been flirting with the idea of Prevx for a long time. But there was a lingering doubt….. we’ve just all been so conditioned to believe that we need an AV, firewall, and for those who read boards like this, an AT and AS….
I work for an organization that does testing of some types of Anti-malware applications for a government entity (although this aspect of the operation has nothing to do with what I do). They have tested all sorts of applications in all sorts of ways for all sorts of reasons. I know that is kind of vague, but if I say more, I could be violating some of the terms of my employment.
I tried and tried to get them to test Prevx. It took awhile, but they finally they did test it. Since the software team does not usually test software with an open internet connection, they had to get regulatory approval to conduct the test – and that took a little while.
The test came out very well. All of a sudden, a bunch of the software tech’s who previously were interested in other security applications now include Prevx in the informal office security software discussions of which applications are best..... The test was not comprehensive in a commercial testing sense, but threw at Prevx some unusual attack methods and unusual malware. Prevx was not perfect, but MUCH better than most applications.:thumb:
I’ve been waiting for awhile hoping that commercial tests would be conducted to validate Prevx for me, giving me the vote of confidence to install it. I’ve always liked the Prevx theory, but wondered about the application.
Now that I got my warm and fuzzy from the testing tech’s at work, I now just need to download it and figure out which programs I’m going to get rid of.
In a theoretical sense, I’m convinced that Prevx and a free AV will give me better protection than any of the top paid AVs alone.
We shall see.
Wai_Wai
October 13th, 2006, 05:54 PM
-{ Quote: "
I tried and tried to get them to test Prevx. It took awhile, but they finally they did test it. Since the software team does not usually test software with an open internet connection, they had to get regulatory approval to conduct the test – and that took a little while.
The test came out very well. All of a sudden, a bunch of the software tech’s who previously were interested in other security applications now include Prevx in the informal office security software discussions of which applications are best..... The test was not comprehensive in a commercial testing sense, but threw at Prevx some unusual attack methods and unusual malware. Prevx was not perfect, but MUCH better than most applications.:thumb:
" }-
Do you have the test results handy?
Or is it possible to access to these test results?
PS: Your name "Prev" looks like "Prevx" ;D ;D ;D
Wai_Wai
October 13th, 2006, 06:02 PM
-{ Quote: "
I know current release is based on vast user based experience and the PrevxR testers.
Nonetheless every body here has offered opinion based on presumptive and accumulated experience : "never had an infection yet" : how do you know? There are definitely exploits that bypass PX
" }-
Yes, I agree with you.
Since there's no such popup like "Haha... your security suite can't catch me", most people will assume their systems are clean simply because their security software say "no malware is found on your computer", and their computer seemingly behaves okay.
However malware like trojans, keyloggers, rootkits are designed not to let you know, so if you are not technical enough to verify that your computer is really clean, you just can't be so sure like most people claim.
There are more and more trojans/keyloggers that are very sneaky - they can hide their processes/files/registry keys. They can fool the security software or compromise them. They can even fool the Windows system to give false information to security software (so they can never detect them, or find anything wrong about their behaviour).
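One practical way to test the "my scanner says clean" assumption against process-hiding rootkits is a cross-view check: enumerate processes through two independent paths and report what only the lower-level path sees. The Python below is an added example, not part of Wai_Wai's post and not Prevx code; the two views are constructed snapshots (VIEW_API standing for what a high-level enumeration API returned, VIEW_RAW for an independent enumeration such as walking PIDs directly), and the pid numbers, image names and start times are invented. It takes two passes per view so that a process that simply exited between enumerations is not mistaken for a hidden one, and keys on (pid, start time) so that a reused pid is reported as a mismatch rather than as hidden.

```python
"""Cross-view process check over constructed snapshots (added example).

Assumption: each snapshot maps pid -> (image, start_time) as two independent
enumeration paths would report it. The data is invented for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Snapshot = Dict[int, Tuple[str, int]]  # pid -> (image, start_time)


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    reason: str


def _stable_keys(passes: List[Snapshot]) -> Set[Tuple[int, int]]:
    """(pid, start_time) pairs present in every pass of one view."""
    keys = [{(pid, st) for pid, (_, st) in snap.items()} for snap in passes]
    return set.intersection(*keys) if keys else set()


def cross_view(api_passes: List[Snapshot], raw_passes: List[Snapshot]) -> List[Finding]:
    """Report processes the raw view sees in every pass but the API view never shows."""
    raw_stable = _stable_keys(raw_passes)
    api_seen: Set[Tuple[int, int]] = set()
    for snap in api_passes:
        api_seen.update((pid, st) for pid, (_, st) in snap.items())
    api_pids = {pid for pid, _ in api_seen}
    findings: List[Finding] = []
    for pid, st in sorted(raw_stable):
        if (pid, st) in api_seen:
            continue                      # both views agree on this process
        image = raw_passes[-1][pid][0]
        if pid in api_pids:
            findings.append(Finding(pid, image, "pid reused: start time differs between views"))
        else:
            findings.append(Finding(pid, image, "present in raw view, absent from API view"))
    return findings


# Constructed snapshots. calc.exe exits between passes (not hidden); pid 2204
# never appears in the API view (hidden); pid 3000 carries a different start
# time in each view (mismatch, needs a manual look rather than an alarm).
API_PASSES: List[Snapshot] = [
    {4: ("System", 0), 812: ("explorer.exe", 1000), 1500: ("notepad.exe", 1200),
     1900: ("calc.exe", 1300), 3000: ("cmd.exe", 1400)},
    {4: ("System", 0), 812: ("explorer.exe", 1000), 1500: ("notepad.exe", 1200),
     3000: ("cmd.exe", 1400)},
]
RAW_PASSES: List[Snapshot] = [
    {4: ("System", 0), 812: ("explorer.exe", 1000), 1500: ("notepad.exe", 1200),
     1900: ("calc.exe", 1300), 2204: ("svch0st.exe", 1100), 3000: ("rundll32.exe", 1450)},
    {4: ("System", 0), 812: ("explorer.exe", 1000), 1500: ("notepad.exe", 1200),
     2204: ("svch0st.exe", 1100), 3000: ("rundll32.exe", 1450)},
]


if __name__ == "__main__":
    for f in cross_view(API_PASSES, RAW_PASSES):
        print(f"pid {f.pid} {f.image}: {f.reason}")
```

The check is only as good as the independence of the two views: if both enumerations go through the same hooked API, a rootkit that filters that API hides from both, which is why real tools pair a user-mode list with something the kernel or raw memory provides.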
Wai_Wai
October 13th, 2006, 06:09 PM
-{ Quote: "Longboard,
I once read a report which compares on-demand scans of many anti-malware products, including Prevx1, but I have missed that link.
Anyway, as far as on-demand scan is concerned, Prevx1 has proved to be very weak. Both the test I read and the tests I made showed AVs have much higher detection rates than Prevx1. It might be because it can't scan the archives properly." }-
Update.
Some info about the test I read.
I saw the test in a thread in the sub-forum Prevx at Castlecops (http://www.castlecops.com/forums.html), but I could not find the link again. Urh...
The test result is presented in a table. The left column lists the malware name. The bottom row lists the name of the anti-malware.
The best anti-malware can catch about ~4XX of samples, but Prevx can only catch less than 40 something samples.
It would be great if someone remembers that link and posts it here, so other readers can benefit from it. Thanks. :)
Notok
October 13th, 2006, 08:13 PM
If you're talking about the test I think you are, it was just a user that threw a bunch of stuff and scanned it offline. It was also mostly text files and other non-malicious and junk files. It was a poorly done test by someone without knowledge of how Prevx1 works.
Thus far no real tests of Prevx1 have been done, you can't say anything has been proven either way. See my posts above and consider that if Prevx1 was an antivirus we'd have a 5 page thread of people questioning the validity of these tests and how they were done. The closest that we have right now is internal tests where we have scanned a bed of samples sent in by customers that were infected (stuff that Prevx1 detected and removed), and there was always a significant amount undetected by the AVs; some more than others, but always significant. The only other thing we have to go on is user experiences, and we get the bulk majority of our users by detecting and removing what other products can't (most people find out about Prevx1 by doing Google searches for some malware that they can't get rid of).
bellgamin
October 13th, 2006, 09:22 PM
-{ Quote: "Thus far no real tests of Prevx1 have been done..." }-There you go again. I consider that kareldjag's tests were *real tests*. When proponents debunk test results I am put in mind of the bon mot: "If you can't raise the bridge, lower the water.";)
I repeat (in so many words) the statement I made in an earlier post -- namely, the claims on Prevx's website seem rather grandiose in the absence of ANY objective support. Visit several anti-malware websites. I'll wager that 9 out of 10 of them say "we are THE best." Until it is tested, in my view Prevx should remain just another of that same bunch.
ErikAlbert
October 14th, 2006, 12:37 AM
-{ Quote: "Visit several anti-malware websites. I'll wager that 9 out of 10 of them say "we are THE best." " }-
"We are THE best and our software is intelligent and intuitive." After reading that, I always ROFLMAO. ;D
Well that is common for most websites.
Users have nevertheless the opportunity to test Prevx1 and compare it with the results of their scanners. If their scanners don't report anything serious anymore, except MRU's and tracking cookies, it's an indication that Prevx1 works. Of course those users have to be "dangerous" users. :)
Notok
October 14th, 2006, 05:15 AM
-{ Quote: "There you go again. I consider that kareldjag's tests were *real tests*. When proponents debunk test results I am put in mind of the bon mot: "If you can't raise the bridge, lower the water.";)
I repeat (in so many words) the statement I made in an earlier post -- namely, the claims on Prevx's website seem rather grandiose in the absence of ANY objective support. Visit several anti-malware websites. I'll wager that 9 out of 10 of them say "we are THE best." Until it is tested, in my view Prevx should remain just another of that same bunch." }-I don't disagree, please read my previous posts.
The only thing I'll point out is that Kareldjag's tests were on Prevx Pro, not Prevx1.. as you say, there's no "objective support" either way, so in the meantime you can do with what you have; just don't take it for granted that enthusiast tests give the whole picture. If you need further examples, just imagine how OA or SocketShield would do in such a test, and compare it with how they are designed to actually protect your system.
Wai_Wai
October 14th, 2006, 06:19 AM
-{ Quote: "If you're talking about the test I think you are, it was just a user that threw a bunch of stuff and scanned it offline. It was also mostly text files and other non-malicious and junk files. It was a poorly done test by someone without knowledge of how Prevx1 works. " }-
So you did read that test.
What's its URL?
So I can verify whether you are referring to what I am talking about.
I would also like to examine the test again, and contact the author.
Thank you.
Wai_Wai
October 14th, 2006, 06:52 AM
-{ Quote: ""We are THE best and our software is intelligent and intuitive." After reading that, I always ROFLMAO. ;D
Well that is common for most websites.
Users have nevertheless the opportunity to test Prevx1 and compare it with the results of their scanners. If their scanners don't report anything serious anymore, except MRU's and tracking cookies, it's an indication that Prevx1 works. Of course those users have to be "dangerous" users. :)" }-
That's not a good way to know whether your computer has been infected or not. Many malware programs are designed to be very sneaky (eg trojans, keyloggers, backdoors, droppers, rootkits). It may be that neither Prevx1 nor your scanners catch them.
Probably one of the best ways "to know whether your computer is clean" is to trace your computer:
- Create a clean snapshot before the test
- Try to do as many dangerous things as possible with only Prevx1 on (no other security programs)
- Create another snapshot once you have finished
- Compare both snapshots and examine the differences
This is probably much more reliable than just relying on your scanners to tell you the results, although this requires more knowledge to do this task.
I know there are cases where Prevx1 claims it is clean but one or several scanners disagree, or vice versa. How do you know which party is right if you just rely on your security programs to tell you the result? "Majority verdict" is not the way.
What if you are infected by a rootkit? It may manage to "lie" to your Windows and so your security systems. You need to examine your computer before Windows is loaded, or it may be very hard to spot it.
You need to install additional security programs because your scanners are not reliable, but in turn you rely on scanners to tell you reliable results. It doesn't make sense.
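The snapshot-and-compare procedure described in the post above, as an added example that is not part of the original thread or of any Prevx code: hash every regular file in a tree before an experiment, hash it again afterwards, and report what was added, removed or modified. The directory tree, the "dropper" activity and the file names are all constructed here so the script runs offline; on a real machine you would point `snapshot()` at the system drive and, as the post says, take the "before" image from a known-clean state and the "after" image from outside the possibly rootkitted OS (boot media), since a kernel rootkit can lie to any tool that runs on top of it.

```python
"""Snapshot-and-diff integrity check for a directory tree.

Added example (not from the original thread). Records (size, sha256) for each
regular file, then diffs two snapshots. The sample tree is constructed in a
temporary directory; registry/autorun entries are not covered here.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (path relative to root) to (size, sha256).

    Symlinks are skipped, not followed, so a planted link cannot pull
    unrelated data into the comparison or recurse forever."""
    root = Path(root)
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not (Path(dirpath) / d).is_symlink()]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            snap[str(p.relative_to(root))] = (p.stat().st_size, hash_file(p))
    return snap


def diff_snapshots(before, after):
    """Return the paths added, removed, or changed (size or hash) between snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: clean tree, then a simulated dropper adds a binary,
    overwrites a system file in place (same size, different bytes) and deletes a log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "system32" / "kernel.dll").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "app.log").write_bytes(b"ok\n")
        before = snapshot(root)

        # simulated malicious activity (constructed, not real malware)
        (root / "system32" / "svchost32.exe").write_bytes(b"MZ" + b"\xcc" * 64)
        (root / "system32" / "kernel.dll").write_bytes(b"MZ" + b"\xcc" * 64)  # same size
        (root / "app.log").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Size alone would have missed the in-place overwrite of `kernel.dll`, which is why the snapshot stores a hash as well; a file that keeps its timestamp and size but changes its hash is exactly the kind of difference a scanner's "no malware found" verdict tells you nothing about.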
Wai_Wai
October 14th, 2006, 07:46 AM
-{ Quote: "
I repeat (in so many words) the statement I made in an earlier post -- namely, the claims on Prevx's website seem rather grandiose in the absence of ANY objective support. Visit several anti-malware websites. I'll wager that 9 out of 10 of them say "we are THE best." Until it is tested, in my view Prevx should remain just another of that same bunch." }-
Yes, some will tell more lies (eg we can detect *ALL* malware, so you are completely safe), while some may be a bit honest about that (eg we can't detect *ALL* malware, but because..., we can do a much better job than others). That's the reality.
Let's consider the cases in AV / Firewall / AS. I have yet to see one company which can stand at the very top in all 3 aspects.
Kaspersky is one of the best AV, but not really in Firewall, much worse in AS.
Zone Alarm is one of the best firewall (except spying ;) ), but its AV is below average. Its AS is not good either.
Someone who uses an all-in-one security suite from one company is most likely worse off than someone who tries to pick the best combination from different companies, not to mention it is much harder to disable/terminate several different security products (possible but harder) than just 1 security suite.
On the Prevx website, it states it can be used as a standalone security product replacing your existing Antivirus, Firewall, Antispyware and so on. It is probably one of the worst pieces of advice on the planet. I am strongly against that. Think about it:
- What if the malware manages to compromise your Prevx? You will be doomed. Every security product has holes. It is no exception.
- Every security product misses something other security products offer. No one can provide all-round solutions.
- Even if both provide the same aspect of protection, one will do better one is worse. What's the chance that someone can do the best in *ALL* aspects?
- It is also against the multi-layered protection approach.
PS: Although it sounds like there are many criticisms about Prevx, it has its merits. Similar to what Online Armour did, the company is going in the right direction where it builds up a database to help average users to make security decisions. I would imagine more and more HIPS will follow this approach in future. Nice job, Prevx. :thumb:
mercurie
October 14th, 2006, 08:40 AM
Well...all I can say at this point is I am impressed with what is going on with PrevX and will follow with much interest and at some point may consider it.
I do think it has a place in the world of security products. I think the way they are approaching dealing with malware in a community based approach so it can protect its membership is very good.
I was sad to see a company use a similar approach fail and go out of business a number of years ago. :'(
While I do not have it on any PC currently as the title of this thread indicates I too am giving them a hard look over. :) and wish them much success. Good postings very interesting fellow creatures. :thumb: ;)
One final note so I am not misunderstood: Prevx should be used as an additional security product. Sure, it can maybe replace your AT or your AS if you are overloaded or short on resources, but I agree it should not be considered as stand alone protection. I agree there with Wai Wai for sure. Also I am very much in favor of the build your own suite of great security products and not the commercial suites that are out.:P
Longboard
October 14th, 2006, 09:40 AM
@ all
Thanks for responding to my thread.
Notok: fighting the good fight. :thumb:
There are a highly suspicious bunch of hyperactive observers and testers here :D
Obviously there is a lot of good feeling towards PX and lots of users.
The as yet untested and unproven hyperbole on the website is what prompted my query and it seems is a bit of a red flag to many.
The depth of expertise that is evident in the Gromozon removal test is an elliptical recommendation to my mindset at the moment.
Sukarof's little experiment was an eye-opener. Google those exes and you'll see.
A good demo.
@F-T-P
-{ Quote: "I work for an organization that does testing of some types of Anti-malware applications for a government entity (although this aspect of the operation has nothing to do with what I do). They have tested all sorts of applications in all sorts of ways for all sorts of reasons. I know that is kind of vague, but if I say more, I could be violating some of the terms of my employment.
I tried and tried to get them to test Prevx. It took awhile, but they finally they did test it. Since the software team does not usually test software with an open internet connection, they had to get regulatory approval to conduct the test – and that took a little while.
The test came out very well. All of a sudden, a bunch of the software tech’s who previously were interested in other security applications now include Prevx in the informal office security software discussions of which applications are best..... The test was not comprehensive in a commercial testing sense, but threw at Prevx some unusual attack methods and unusual malware. Prevx was not perfect, but MUCH better than most applications.
" }-That sounds interesting.
At this point I am still trialling PX and going well.
Excellent strategy having a trial.
Looking forward to a robust test from somewhere.
Regards.
Perman
October 14th, 2006, 10:29 AM
Hi, folks: Although I am still in the process of sorting out a compatibility issue with Prevx, I have observed users' comments are more Pros than Cons. I will definitely give it another try soon after the problems are solved. HIPS or CIPS or even RIPS (borrowed from Erik's Rollback I.P.S. concept) is the way to go, but I do have a wish for the Prevx owner: if you can secure a strong independent endorsement (such as a thorough test), that will clear up some folks' doubts. Just a wish.:-*
Devil's Advocate
October 15th, 2006, 02:29 PM
PrevX is indeed difficult to test, mainly because it is not a pure behavior blocker (and even that has no formal testing methodology).
If you focus just on blacklists, you can treat it like an antivirus, executing malware (or better yet scanning it using the file scanner option) and seeing if Prevx1 recognises it and stops it.
If you want to focus on the HIPS component, you will have to run various tests that 'does stuff' to see if PrevX flags the changes.
The 'heuristics' option further complicates matters, because for many protections it is set to heuristics. So even if a certain change is made, PrevX might not flag it, not because it doesn't have the capability of detecting it but because it considers the change harmless (which it is of course because it's just a testing tool).
One thing I was curious about though was the nature of the 'blacklists' maintained by PrevX, how do they match up to antivirus signatures. I remember asking about it and someone assured me that it wasn't just a simple hash, a very weak form of signature that can be easily defeated.
I decided to do some basic checking. Basically what scriptkiddies do....
First I did a simple hex edit of wordpad, just changed a single text string (DOS to DAS). I ran it and suddenly prevx1 didn't recognise it anymore! Next I edited the resource section; as expected, PrevX didn't recognise it either.
(Yeah I checked to see if the samples are still functioning)
Lastly, another common test is to see how AVs handle packers. I packed wordpad with UPX (the most common packer out there) and again PrevX didn't recognise it. Okay you antivirus experts don't need to start rushing in here and telling me that this doesn't 100% prove that Prevx doesn't handle UPX, but I think given the evidence above, it seems extremely likely.
I repeated the test with something PrevX considered bad and got the same results. Basically simple hex editing and Prevx fails to recognise it.
Antiviruses aren't totally immune to such tricks of course, but they definitely won't fail so easily (by changing a single inconsequential text character)!
Okay I'm no expert on AVs but I think all this pretty much proves or at least gives strong evidence that PrevX is doing some simple minded hashing of files at least for most of them.
One possibility of course that I cannot rule out is that Prevx is doing strong signatures for some subsets of really dangerous and common malware, (I read some antivirus companies do something like this) .......
Still, assuming this isn't done, I think the fact that Prevx's blacklist can be so easily fooled is bad news. I would think any malware could easily circumvent Prevx's blacklist given the way it is currently implemented (and I'm not even talking about polymorphic or metamorphic worms!)
Is it fair of me to expect PrevX to have strong signatures as in antiviruses?
Maybe not, because PrevX has never claimed to be one, and certainly the claim that through their community network they are spotting malware faster is independent of how strong their signatures are.
And of course Erikalbert doesn't care at all and would probably tell you that this shows again why blacklisting is bad. ;D
There's of course still heuristics........
Note: I have nothing against Prevx1 and I think they have a fine even great product, I'm just bringing out some information here for discussion and to balance some of the positive views brought out here.
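The post above reasons from one observation (change a single text string, detection disappears) to a conclusion (the blacklist is a whole-file hash). The following added example, which is not from the original thread and does not claim to describe how Prevx or any other vendor actually matches files, shows why that inference is plausible and what a marginally stronger signature looks like: it builds a constructed minimal PE image in memory, hashes it whole and hashes only its `.text` section, then applies the same "DOS" to "DAS" edit in the string area. The PE layout, section contents and the `patch_string` helper are all assumptions made for the example.

```python
"""Whole-file hash versus code-section hash on a constructed PE image.

Added example (not from the original thread, not any vendor's method). A
minimal PE32 is built in memory with a .text and a .rdata section; editing a
string in .rdata changes the whole-file SHA-256 but leaves the .text hash
intact, while editing the code changes both.
"""
import hashlib
import struct


def build_sample_pe():
    """Constructed PE32: DOS stub, PE signature, COFF header, 224-byte optional
    header, two section headers; raw data for .text at 0x200 and .rdata at 0x400."""
    text = b"\x55\x8b\xec\x33\xc0\x5d\xc3".ljust(512, b"\xcc")  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    rdata = b"Microsoft Windows DOS component\0".ljust(512, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")  # PE32 magic, rest zeroed

    def sec(name, vaddr, raw, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + coff + opt
               + sec(b".text", 0x1000, text, 0x200, 0x60000020)
               + sec(b".rdata", 0x2000, rdata, 0x400, 0x40000040))
    return headers.ljust(0x200, b"\0") + text + rdata


def pe_sections(data):
    """Parse the section table and return {name: raw bytes} for each section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = {}
    for i in range(nsec):
        name, _vsize, _vaddr, rawsize, rawptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[rawptr:rawptr + rawsize]
    return sections


def whole_file_hash(data):
    return hashlib.sha256(data).hexdigest()


def code_section_hash(data):
    """Hash only the executable bytes, so edits to strings/resources do not matter."""
    return hashlib.sha256(pe_sections(data)[".text"]).hexdigest()


def patch_string(data, old, new):
    """Replace the first occurrence of `old` with an equal-length `new` (the hex-edit from the post)."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the file layout")
    idx = data.find(old)
    if idx < 0:
        raise ValueError("pattern not found")
    return data[:idx] + new + data[idx + len(old):]


if __name__ == "__main__":
    orig = build_sample_pe()
    strpatched = patch_string(orig, b"DOS", b"DAS")            # string edit
    codepatched = patch_string(orig, b"\x33\xc0", b"\x31\xc0")  # xor eax,eax re-encoded
    print("string edit : whole-file", whole_file_hash(orig) == whole_file_hash(strpatched),
          "| code-section", code_section_hash(orig) == code_section_hash(strpatched))
    print("code edit   : whole-file", whole_file_hash(orig) == whole_file_hash(codepatched),
          "| code-section", code_section_hash(orig) == code_section_hash(codepatched))
```

The second patch re-encodes `xor eax,eax` from `33 c0` to the semantically identical `31 c0`, which defeats the code-section hash as well; that is the simplest form of the instruction-level rewriting the post alludes to with "polymorphic or metamorphic", and it is why AV engines move beyond byte hashes to wildcard/byte-pattern signatures, emulation and unpacking. A UPX-packed copy fails both checks here for a different reason: the original `.text` is no longer present in the file at all until the stub runs, so anything that inspects the file on disk has to unpack or emulate first.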
Devil's Advocate
October 15th, 2006, 02:38 PM
Another question.
I notice that for the protection "Physical memory" it is set to "prevent". My understanding is that this means it will block such activity always.
I checked with several tools like kproccheck and sysinternals physmem which are supposed to access physical memory, and both worked without being blocked from prevx? I'm not sure if the whitelist was affecting this, so i did a simple hex edit to ensure that Prevx treated them as unknown files.
Does the protection of physical memory actually work? Or am I misinterpreting this?
starfish_001
October 15th, 2006, 02:59 PM
-{ Quote: "Another question.
I notice that for the protection "Physical memory" it is set to "prevent". My understanding is that this means it will block such activity always.
I checked with several tools like kproccheck and sysinternals physmem which are supposed to access physical memory, and both worked without being blocked from prevx? I'm not sure if the whitelist was affecting this, so i did a simple hex edit to ensure that Prevx treated them as unknown files.
Does the protection of physical memory actually work? Or am I misinterpreting this?" }-
I found the same; see posts 8-11 with Notok's answer
Devil's Advocate
October 15th, 2006, 03:18 PM
-{ Quote: "I found the same posts 8-11 with Notoks answer" }-
Posts 8-11 don't seem to apply. For one thing Prevx is not recognising the tool as good.
Because I already hex edited the tools and when i ran them Prevx1 doesn't recognise them (it is not marked good) and asks me if I want to run them.
Heuristics might have something to do with it, but for physical memory it is marked as "Prevent" not "heuristics", which I interpreted as saying it blocks everything that does this action.
One possibility I'm considering is that Prevx1 is defining this protection differently from the others, so the actions done by physmem don't count as violating this rule.
BlueZannetti
October 15th, 2006, 03:26 PM
-{ Quote: "One possibility I'm considering is that Prevx1 is defining this protection differently from the others, so the actions done by physmem doesn't count as violating this rule." }-Devil's Advocate,
I've not used either tool, but you use the word "access". The protection offered by PrevX is modification of memory. Am I missing something here (wouldn't be the first time if I am :))
Blue
Devil's Advocate
October 15th, 2006, 04:56 PM
Blue as usual you are right.
But this is going beyond my depth anyway. So I'm shutting up.
Notok
October 15th, 2006, 06:41 PM
As far as its detection, it does do more than simple hashing. Obviously I can't give any more details than any other vendor would about their detection routines. It's not exactly the same as an antivirus, but much closer than simple hashing and I'm sure there's a fair bit of difference between scanners anyway (Prevx1 has its own unique qualities for detection that no AV has, and many more in the works... and made by developers with antivirus experience). Like any other anti-malware, it's not going to detect each and every change or file. Nobody is here claiming that Prevx1 has 100% detection, but Prevx1 is indeed capable of detecting things like polymorphic malware.. it's a complex system that isn't always predictable; after all, predictable systems are easy to bypass. Sometimes it can do it entirely on its own after seeing just one, sometimes it needs a little help from the analysts, other times it may be more beneficial in the end to gather intelligence and wait until enough intel is gathered before taking action.
Stubbs100 mentioned in another thread that it's his/our conviction that malware intelligence is the way forward. That's the foundation that Prevx1 is based on, and why the program has so many tools for seeing what's going on "behind the scenes" such as the program monitor, event notification, and all the information you see in the web info for any given file, along with things like the Research Tracker for private analysis.
A better test would probably be to find one of the infector sites that creates a new variant every time it's downloaded. If it doesn't specifically detect it, then the next test would be to see the turnaround time for getting detection added - that is, after all, the point of the community database: to drastically reduce turnaround time between when a new malware file is released and when detection can be added. The current average is within the first 24 hours, which is usually days or weeks before other vendors (depending). You can verify some of this for yourself by comparing info with the vendor websites.
Frank the Perv
October 15th, 2006, 09:31 PM
-{ Quote: "Do you have the test results handy?
Or is it possible to access to these test results?
PS: Your name "Prev" looks like "Prevx" " }-
Perv, Prev....ya, it's all the same:P
I know it's not that helpful, but the test results are not releasable. It's government proprietary information. Additionally, much of the test evaluates things other than a standard public test would. So it would make its usefulness dubious as you could not compare apples to apples...
Overall, the more I think about the fight against malware, the more I think that something like Prevx or Sandboxie or even DeepFreeze is preferable to the standard method of AV, Firewall, AT, AS.... That standard method has a track record of failure.
None of the newer non-standard methods seem perfect, but all move away from the traditional approach that has never really worked. I'd even say that all the 'newer methods' already work better. It's just deciding what side effects are acceptable.
Longboard
October 19th, 2006, 01:43 AM
Reload:
Not happy with Prevx at the moment:
Have been allowing as many "browser exploit/leak tests" as I can find and am frankly very disappointed that PX has failed to warn on many.
Basically have been going to the test pages with a spare FDISR snapshot with full normal set-up: everything set to warn blah blah:
Letting everything run: PX has allowed many of the exploits to run without warnings! Even without sigs, where is the much vaunted heuristics?
Apart from GreenBorder these tests are not new.
Most recently here: http://www.greenborder.com/scan/
PX let everything through :(
Flurry of e-mails to PX
Wait and see.
Anybody else care to have a go?
Regards.
Bubba
October 19th, 2006, 11:02 PM
Numerous OT posts concerning the Greenborder browser test have merged into that ongoing thread (http://www.wilderssecurity.com/showthread.php?t=150840).
Bubba
ghiser1
October 20th, 2006, 09:43 AM
-{ Quote: "Not happy with Prevx at the moment:
" }-
Hi Longboard,
I'm looking into the specifics of a number of tests, but in the meantime, you may want to read the thread on our Castlecops forum about testing tools and Prevx1 - http://www.castlecops.com/t166260-Prevx1R_and_various_Security_Testing_utilities.html.
It has some useful discussion around testing tools vs malware and the purpose of Prevx1.
Regards,
ghiser1
Longboard
October 20th, 2006, 10:24 AM
ghiser1
Thanks for commenting :)
Thanks for checking this out. Very kind of you to spare the time.
I'm probably lol, definitely not the person to be making any challenges from any sort of tech standpoint.
Just wanting to seek a little deeper.
as per Ilya Rabinovich in this thread
http://www.wilderssecurity.com/showthread.php?t=150840
-{ Quote: "Confirm- hta script runs by trusted svchost, not by browser. Hm, it was a real surprise for me! Already fixed, will be released with the next version. Need to check out other stuff...
" }-
Launching the script .hta file has caused several changes to the start up list and left some files on users systems.
Only basic end user here: but that is dangerous.
The Comodo leak test can do the same.
I have been plowing through the various "how and why" threads at castlecops in the PX1research and PX1 subforums.
Lots of posts from some names I recognise and others making enquiries v.similar to this.
Lots of Vhappy users.
There is another "surfer" there with a similar thread
You are busy tonight ;)
Could I make a small suggestion:
I got this as part of a reply to a support question;
-{ Quote: "Prevx1 is a leading technology detecting malware in reality rather than detecting testkits. We capture malware much faster and more than other products do." }-
We, I, do not need spruiking as part of support query or sending of information. Just a bit irritating :(
I'm sure this has been raised before;
When will you have dedicated forum?
Although the response to now has been v.quick, the current support contact procedure is a bit clumsy.
Respect that is the way it may have to be but sheesh :-\
I have read the info re "trial" and start of trial period.
Isn't that a marketing issue.
People get the trial, they get 30 days. Personally I couldn't wait to go and run a few tests which leads us to here ;D
Disclaimer: I am paid up licensee. 8) Dont ban me yet :o
If people are going to complain about <10c/day too bad. :P
sukarof
October 20th, 2006, 10:55 AM
I have now re evaluated my view on leaktests (and other malware testing tools). They are made to test firewalls with HIPS functionality (Or regular HIPS if you want) but Prevx1 never claimed to be a HIPS afaik.
Personally I wont complain about Prevx1 not doing what it claims until I see proof of it. If it does, I will let everyone interested know about it :)
Sure, it requires a bit of trust, but when you think of it; you put your trust into every HIPS (even though Prevx1 shouldn't be considered as a HIPS). PG, Tiny Personal Firewall, Ghost Security suite, SSM and so on - they all do their job until they fail. You put your trust into them. For me personally so far, all of the above mentioned programs have proved to me nothing else than that they block leaktests, nothing more really since I have not encountered any real malware. Well, they have educated me in the inner works of windows of course. :) and for that purpose HIPS are great.
So it all boils down to how much control you want to have. I have learned, after a couple of years living with HIPS, that I don't need all the control (and hassle) a HIPS gives you. I have chosen to let Prevx1 do the control for me. I understand if others want the full control, but Prevx1 was never aimed at them anyway AFAIK.
Wai_Wai
October 20th, 2006, 11:18 AM
-{ Quote: "...For me personally so far, all of the above mentioned programs has proved to me nothing else than that they block leaktests, nothing more really since I have not encountered any real malware..." }-
But how could you know if you are truly clean?
Is it because your security products don't prompt for malware and your computer seems to run well?
A trojan or keylogger or backdoor would not tell you they have infected your computer, and they won't ruin your computer like a virus does. Even worse, if you get a customised/personalised trojan, it may be able to bypass all AV/AT detections for years.
sukarof
October 20th, 2006, 11:44 AM
-{ Quote: "But how could you know if you are truly clean?
Is it because your security products don't prompt for malware and your computer seems to run well?
A trojan or keylogger or backdoor would not tell you they have infected your computer, and they won't ruin your computer like a virus does. Even worse, if you get a customised/personalised trojan, it may be able to bypass all AV/AT detections for years." }-
First of all, I browse with Firefox with noscript and JAVA turned off (what is it for anyway?). I rarely click on attachments (they never contain anything that interest me anyway) if I do Geswall are supposed to take care of it. Or maybe I do it in sandboxie.
I am sure GSS would have told me if it tried to install itself (registry and certain folders), then GSS would have alerted me when the keylogger wanted to hook itself and my firewall would have warned me when the trojan wanted out on the net.
I do online scans now and then to see if my AV missed something in its scans. I even do one or two antispyware scans every year just to be sure :)
I check all my connections to the net with Port explorer often. I have rootkit detection software that I run now and then. In process explorer it is easy to see if there is something that shouldn't be there, even if something against all odds has hooked itself to a legitimate process (provided you have the knowledge, and I'd like to believe I have by now)
But, yes when doing computing (especially as admin) one has the chance of being on the border of sickly paranoid if one wants, but as I said it is hard to get infected even without all the defenses I have used, as long as one uses just a bit of common sense you are a hard target imo. But as I said; I have never had any use of the stuff mentioned above; they have never warned me about anything malicious (that I didn't know of when testing with testing tools)
But now I have dropped GSS and let Prevx1 prove itself. If it fails me, tuff sh*t but that was my approach with all the HIPS too :) but computing is so much simpler now :)
I know that my views above are a bit like swearing in church here at wilders ;) but one has to learn from experience sometime.
austin1257
October 20th, 2006, 11:56 AM
Hmm, how come it put a * in your bad word, but not in the Inspectors. Could it be a bug.:-[
Bleep (http://www.wilderssecurity.com/showpost.php?p=862797&postcount=10)
ErikAlbert
October 20th, 2006, 02:30 PM
-{ Quote: "Hmm, how come it put a * in your bad word, but not in the Inspectors. Could it be a bug.:-[
Bleep (http://www.wilderssecurity.com/showpost.php?p=862797&postcount=10)" }-
That's on purpose.
Longboard
October 20th, 2006, 05:37 PM
@sukarof
-{ Quote: "Personally I wont complain about Prevx1 not doing what it claims until I see proof of it. If it does, I will let everyone interested know about it" }-
That is a well reasoned POV :thumb:
I dont really expect any software to get all malware either.
Every utility we have will fail some test cf gkwebs tests.
I was looking at the firewall leak tests as a very simple, safe to me and well known set of exploits. I am coming to understand the PX mode d'emploi a bit better as I go along.
http://forum.sysinternals.com/forum_posts.asp?TID=7003&PN=0&TPN=72-{ Quote: "@ Longboard: be aware of PrevX marketing: it's a good HIPS; no more, no less than others.
Its rootkit detection feature is less effective than KAV's one: it does not display objects as hidden; the malware is jailed/quarantined or the user is warned about the infection.
Here's some results:
- Backdoor Flux: detected.
-Trojan spy agent .d (MSSync) : detected.
- Haxdoor KG: not detected.
- RKStart: not detected.
- BadRkdemo: not detected.
" }-that is "kareldjag" posting
Edit not sure which version of PX he was testing
Wai_Wai
October 21st, 2006, 03:55 PM
-{ Quote: "First of all, I browse with Firefox with noscript and JAVA turned off (what is it for anyway?). " }-
You can get infected simply by visiting the website and do nothing.
While Firefox is safer than IE, we don't know whether the malware writer may exploit any unknown vulnerability in Firefox (there must be some, as always in every program).
Turning off scripts or javascript or Java further lower your chance of getting infected by visiting a webpage, or being redirected to a malicious page.
But then you may lose some user experience, functionality or any fancy-looking decoration offered by the website.
-{ Quote: "I rarely click on attachments (they never contain anything that interest me anyway) if I do Geswall are supposed to take care of it. Or maybe I do it in sandboxie." }-
Do it in sandboxie means any change made from your browser is discarded (unless the malware manages to break through its protection). You may specify what to save afterward (eg bookmarks, history, cookies).
-{ Quote: "
I do online scans now and then to see if my AV missed something in its scans. I even do one or two antispyware scans every year just to be sure
I check all my connections to the net with Port explorer often. I have rootkit detection software that I run now and then. In process explorer it is easy to see if there is something that shouldn't be there, even if something against all odds has hooked itself to a legitimate process (provided you have the knowledge, and I'd like to believe I have by now)
But, yes when doing computing (especially as admin) one has the chance of being on the border of sickly paranoid if one wants, but as I said it is hard to get infected even without all the defenses I have used, as long as one uses just a bit of common sense you are a hard target imo. But as I said; I have never had any use of the stuff mentioned above; they have never warned me about anything malicious (that I didn't know of when testing with testing tools)" }-
That sounds like a reliable check, although it is still far from 100% reliable.
Good job! :thumb: :thumb:
Just to remind you in case you don't realise.
You don't need to install anything to get infected. There are other ways you can get infected:
- you may open any seemingly harmless file type like a text file or image, but get infected. The file type may be even genuine like *.txt, *.jpg
- you visit a malicious webpage, or you are being redirected to a malicious webpage unknowingly while you are browsing legitimate websites (but since you use Firefox, you are much safer)
- this is probably the most scary part: the only prerequisite for getting infected is to connect to the Internet (or any external sources like infected CDs), nothing more, nothing less. You don't need to do anything else. Imagine if a malware writer manages to find holes in your operating system, depending on that vulnerability, it may be able to execute files directly without your permission.
- if you are infected by a rootkit at the same time, you may never be able to detect it since it can (nearly) completely hide itself since it can alter the communications between your operating system and you. Imagine it instructs the operating system to lie that there's no such program (it is malicious) to your security programs, they couldn't find it out even if they can detect it.
- The only safe way to detect a rootkit or the like is to search the system from outside the system itself. You may boot it and scan from another clean operating system, or a CD etc.
Wai_Wai
October 21st, 2006, 04:03 PM
-{ Quote: "Be aware of PrevX marketing: it's a good HIPS; no more, no less than others.
Its rootkit detection feature is less effective than KAV's one: it does not display objects as hidden; the malware is jailed/quarantined or the user is warned about the infection.
Here's some results:
- Backdoor Flux: detected.
- Trojan spy agent .d (MSSync): detected.
- Haxdoor KG: not detected.
- RKStart: not detected.
- BadRkdemo: not detected." }-
I have noticed the same thing as that poster.
The detection of anti-virus programs is still stronger than Prevx1.
After all, if you pick up Prevx1, don't run it exclusively. Use it along with other security products. There are already several tests out there that point out the weaknesses of Prevx1.
Devil's Advocate
October 21st, 2006, 04:15 PM
-{ Quote: "But how could you know if you are truly clean?
Is it because your security products don't prompt for malware and your computer seems to run well?
" }-
Well if "truly clean" means 100% certainty, I guess even if you ran a million scanners you wouldn't know that either.
But how could you know if you are truly clean?
Is it because your security scanners don't find malware and your computer seems to run well?
Longboard
October 21st, 2006, 09:57 PM
@Devil's advocate
-{ Quote: "First I did a simple hex editing of wordpad , just changed a single text string (DOS to DAS). I ran it and suddenly prevx1 didn't recognise it anymore! Next I edited the resource section, as expected, PrevX didn't recognise it either.
(Yeah I checked to see if the samples are still functioning)
Lastly, another common test is to see how AVs handle packers. I packed wordpad with UPX (the most common packer out there) and again PrevX didn't recognise it. Okay you antivirus experts don't need to start rushing in here and telling me that this doesn't 100% prove that Prevx doesn't handle UPX, but I think given the evidence above, it seems extremely likely.
I repeated the test with something PrevX considered bad and got the same results. Basically simple hex editing and Prevx fails to recognise it." }-
-{ Quote: "Still assuming this isn't done, I think the fact that Prevx's blacklist can be so easily fooled is bad news. I would think any malware could easily circumvent Prevx's blacklist given the way it is currently implemented (and I'm not even talking about polymorphic or metamorphic worms!)" }-
-{ Quote: "Note: I have nothing against Prevx1 and I think they have a fine even great product, I'm just bringing out some information here for discussion and to balance some of the positive views brought out here." }-
I'm sorry I completely missed your post #39
That was interesting tooling around.
Wish I could do that. Rather than just pushing a POV and sometimes inane questions. 8)
Did you run the same altered packages against any other utilities?
Everywhere I read, various experts opine that all software companies (heh esp MS) need to get outsiders to challenge their utilities and find the holes: pen testing if you like: because the developers themselves may have lost perspective.
Prevx seems to represent some unique difficulties wrt testing.
Regards.
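An added example (not code from any poster in this thread, nor from Prevx) of why the kind of exact-hash blacklist the quoted test describes breaks on a single in-place edit, and how a chunk-similarity check still matches the edited file. The sample bytes are constructed stand-ins, not a real program; the chunk-Jaccard scheme is a simplified illustration of what fuzzy hashes such as ssdeep do.

```python
import hashlib

# Constructed stand-in for a known-bad executable: a DOS-stub-like header followed by
# 2 KiB of deterministic pseudo-random bytes. Not a real program.
SAMPLE = (b"MZ" + b"\x90" * 62
          + b"This program cannot be run in DOS mode.\r\n"
          + b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(64)))
# The one-string edit described in the thread (DOS -> DAS), applied in place.
_i = SAMPLE.index(b"DOS")
VARIANT = SAMPLE[:_i] + b"DAS" + SAMPLE[_i + 3:]
# A constructed file that shares nothing with SAMPLE.
UNRELATED = b"".join(hashlib.sha256(b"other" + i.to_bytes(4, "little")).digest() for i in range(68))

def sha256_hex(data: bytes) -> str:
    """Exact-match identity: any single changed byte yields a different digest."""
    return hashlib.sha256(data).hexdigest()

def chunk_hashes(data: bytes, chunk: int = 64) -> set:
    """Hash fixed-size chunks; an in-place edit disturbs only the chunk it lands in.
    Caveat: an insertion or deletion shifts every later boundary, which is why real
    similarity hashes (ssdeep, TLSH) derive boundaries from the content instead."""
    return {hashlib.sha256(data[i:i + chunk]).digest()[:8] for i in range(0, len(data), chunk)}

def similarity(a: bytes, b: bytes, chunk: int = 64) -> float:
    """Jaccard overlap of chunk-hash sets: 1.0 identical, 0.0 no shared chunk."""
    ha, hb = chunk_hashes(a, chunk), chunk_hashes(b, chunk)
    return len(ha & hb) / len(ha | hb) if ha | hb else 1.0

class Blocklist:
    """Exact SHA-256 match first, then a fuzzy fallback against stored chunk sets."""
    def __init__(self, known_bad, threshold: float = 0.8):
        self.exact = {sha256_hex(s) for s in known_bad}
        self.fuzzy = [chunk_hashes(s) for s in known_bad]
        self.threshold = threshold

    def verdict(self, data: bytes) -> str:
        if sha256_hex(data) in self.exact:
            return "exact-match"
        h = chunk_hashes(data)
        best = max((len(h & k) / len(h | k) for k in self.fuzzy), default=0.0)
        return "similar" if best >= self.threshold else "unknown"

if __name__ == "__main__":
    bl = Blocklist([SAMPLE])
    for name, blob in (("original", SAMPLE), ("DOS->DAS edit", VARIANT), ("unrelated", UNRELATED)):
        print(f"{name:14s} sha256={sha256_hex(blob)[:16]}... "
              f"similarity={similarity(SAMPLE, blob):.2f} verdict={bl.verdict(blob)}")
```

A packer such as UPX rewrites the whole file, so neither method matches a packed copy; a scanner has to unpack (or emulate) before hashing, which is the other half of the test quoted above.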
sukarof
October 22nd, 2006, 05:05 AM
Interesting test DA. What everyone is talking about is how Prevx1 fails tests (not just on this board) but what I haven't seen yet is anyone complaining about Prevx1 letting real malware go unnoticed (someone really gets infected and Prevx1 didn't protect them so the malware can do all it is intended for). Has that happened? Once, constantly?
That would be even more interesting.
I understand they have problems with Gromozon's changing versions (they find a cure but then the bad guys change it) anything else?
Longboard
October 22nd, 2006, 06:13 AM
sukarof
-{ Quote: "what I haven't seen yet is anyone complaining about Prevx1 letting real malware go unnoticed (someone really gets infected and Prevx1 didn't protect them so the malware can do all it is intended for). Has that happened? Once, constantly?
That would be even more interesting." }-
Good point. How might some users Know?
Certainly can't complain about PX making an effort, and that's just half of it lol.
trjam
October 22nd, 2006, 06:52 AM
Prevx1 is good, but I still think the sandbox approach is the securest.
Frank the Perv
October 22nd, 2006, 10:03 AM
-{ Quote: "Prevx1 is good, but I still think the sandbox approach is the securest." }-
Maybe. Or possibly something like DeepFreeze.
It's the side effects.
I don't like having to do cartwheels (in a cyber sense) to get updates and download things...
WilliamP
October 22nd, 2006, 10:20 AM
I agree about the cartwheels. That is why I have DefenceWall. If I am going to a site I'm not sure of, I turn on DW and go in untrusted and I am protected.
trjam
October 22nd, 2006, 10:26 AM
-{ Quote: "Maybe. Or possibly something like DeepFreeze.
It's the side effects.
I don't like having to do cartwheels (in a cyber sense) to get updates and download things..." }-
That used to be my complaint with Greenborder but now that Firefox is added, it's a moot point. It allows you to specify which browser to use as default. So surfing is done with Firefox and Greenborder and updates with IE.
austin1257
October 22nd, 2006, 09:28 PM
-{ Quote: "skarof
Good point. How might some users Know?
Certainly cant complain about PX making an effort, and thats just half of it lol." }-
So is this good or bad based on your findings. Sorry, just trying to understand.
BlueZannetti
October 22nd, 2006, 11:39 PM
-{ Quote: "So is this good or bad based on your findings. Sorry, just trying to understand." }-
Hard to say, but it does give you a sense of the material that is filtered and/or examined in some way. It's how they put it all together that matters.
Blue
aigle
October 23rd, 2006, 03:24 AM
-{ Quote: "I agree about the cartwheels. That is why I have DefenceWall . If I am going to a site I'm not sure of ,I turn on DW and go in untrusted and I am protected." }-
Why not to run the browser always untrusted?
Wai_Wai
October 23rd, 2006, 04:42 AM
-{ Quote: "Prevx1 is good, but I still think the sandbox approach is the securest." }-
Another option is Virtualization (eg VMWare).
Wai_Wai
October 23rd, 2006, 04:44 AM
-{ Quote: "So surfing is done with Firefox and Greenborder and updates with IE." }-
One question.
If you do Windows updates with Greenborder on, won't it be true that any patches/changes made will be trashed/reversed?
So we still need to use unsandboxed IE to do that update.
Longboard
October 23rd, 2006, 09:02 AM
@?
-{ Quote: "So is this good or bad based on your findings. Sorry, just trying to understand." }-
Not sure: just showing that PX is really "setting some hooks" :hopefully to catch the fishes (That screeny was half the full list from Rootkit Hook analyser)
@Blue Zanetti
-{ Quote: "Hard to say, but it does give you a sense of the material that is filtered and/or examined in some way. It's how they put it all together that matters." }-
Yes: exactly.
Apart from getting some warnings, has anyone seen PX catch a fish ?
Sukarof's demo of the DFK simulator was impressive but apart from that anybody else?
Devil's Advocate
October 23rd, 2006, 03:40 PM
-{ Quote: "What all is talking about is how Prevx1 fails tests (not just on this board) but what I haven't seen yet is anyone complaining about Prevx1 letting real malware go unnoticed (someone really gets infected and Prevx1 didn't protect them so the malware can do all it is intended for). Has that happened? Once, constantly?
" }-
Well one thing I notice is that people tend to blame their antiviruses more than their other security tools such as HIPS. Perhaps this is because what their HIPS actually claim to do is not really understood, how many times have you seen someone complain "HIPS X failed test Y" and the vendor responds "But my product is not meant to stop that?".
I think with real malware it is somewhat similar, people tend to blame their antiviruses first, and less their fallback tools (of which HIPS are typically considered as).
And there is always the good old, "The HIPS protected you, by prompting when you click to run it, but you ignored the warning to run it"...... (or what I call the execution control is GOD camp)
Never mind if the hips claimed to be able to protect your processes from all type of termination attacks, but the fact that you clicked on it and allowed it to run, meant that IT'S ALL YOUR FAULT that it manages to go on and terminate every one of your security programs.
OMG, the little prompt that occurs asking me if I really want to run x just after I clicked to run it by my own will, is the perfect defense and excuse!!
Antiviruses have no such excuse, they have to stop baddies period. Even if you were the one that clicked on the file to run it that doesn't absolve the antivirus of its duties of stopping the baddies.
Of course, there is the obvious fact, that most people here are so well armored and careful, the chance of them getting hit by anything is so small, it doesn't matter what product they use.
So HIPS don't fail them, because they are hardly tested.
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums