Wilders Security Forums  

Wilders Security Forums > Official Prevx Support Forum > Prevx Releases
#26
June 17th, 2009, 08:58 PM
Triple Helix
Prevx Forum Helper
Join Date: Nov 2004
Location: Oshawa, Ontario
Posts: 9,634
Re: PrevX Missing Detection

Quote:
Originally Posted by ronjor
As stated in the introduction of Prevx to the Forums: In this context, it is a very useful program.

Thanks Ron, I couldn't have said it better myself!

Cheers,

TH
__________________
Triple Helix - Microsoft® MVP Consumer Security 2012/14

VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)

Webroot® SecureAnywhere™ Complete 2013 Closed Beta Tester v8.0.2.155 - VoodooShield 1.08 - Windows 7 Ultimate 64bit and all Windows OS's from XP to Win 8 on VM's.
#27
June 17th, 2009, 10:59 PM
dlimanov
Frequent Poster
Join Date: Jun 2009
Posts: 204
Re: PrevX Missing Detection

@G1111: I am researching other products right now, and will definitely include Malware Defender in my tests.

@333halfevil: With the enterprise version of Prevx, heuristics settings are set automatically for you and cannot be changed, or so I was told by support. Without a little registry hack, you don't even see the regular Prevx GUI when agents are deployed. We were considering using Prevx alongside Symantec SEP for behavior-based detection of unknown and 0-day threats; SEP does a fairly good job at signature-based detection.

Currently, I am testing the newest A-squared Anti-Malware and F-Secure Client Security. The first product is not a true enterprise solution, but I just wanted to get a feel for it as it combines signature-based detection with a cloud/community option and behavior blocking via Mamutu. F-Secure I haven't touched yet, but they claim to have the fastest cloud-based detection and a powerful behavior-based engine with DeepGuard 2.0. Unfortunately, even if F-Secure is as good as they say they are, it's overkill for us as we have a traditional virus scanner in place already.
Stay tuned, I will keep this thread updated, if Joe and other moderators don't mind, of course.
#28
June 17th, 2009, 11:10 PM
PrevxHelp
Prevx Moderator
Join Date: Sep 2008
Location: USA/UK
Posts: 7,600
Re: PrevX Missing Detection

Quote:
Stay tuned, I will keep this thread updated, if Joe and other moderators don't mind, of course.

Not a problem at all
#29
June 18th, 2009, 03:37 AM
jrmhng
Very Frequent Poster
Join Date: Nov 2007
Location: Australia
Posts: 1,268
Re: PrevX Missing Detection

Quote:
Originally Posted by dlimanov
@G1111: I am researching other products right now, and will definitely include Malware Defender in my tests.

You can try all the classical behavior blockers that look at point behaviors (as in single behaviors like adding entries to startup), but you will have to either give users control as to what to block or have a predefined policy. If you have a predefined policy, unless you really finely tune your rules, things are bound to screw up and your support staff are going to have a hell of a time. If you let users decide, you may just as well not have it (because users are lazy, generally don't give a damn and will click allow). These products DO NOT work in a corporate environment.

Quote:
Originally Posted by dlimanov
Currently, I am testing the newest A-squared Anti-Malware and F-Secure Client Security. The first product is not a true enterprise solution, but I just wanted to get a feel for it as it combines signature-based detection with a cloud/community option and behavior blocking via Mamutu. F-Secure I haven't touched yet, but they claim to have the fastest cloud-based detection and a powerful behavior-based engine with DeepGuard 2.0. Unfortunately, even if F-Secure is as good as they say they are, it's overkill for us as we have a traditional virus scanner in place already.
Stay tuned, I will keep this thread updated, if Joe and other moderators don't mind, of course.

And the results are going to be almost exactly the same as any other blacklist scanner with Prevx. Or if they are different, I suggest it will be because of you not having a statistically large enough sample rather than either of the two solutions being inherently better than the other.

The Prevx moderators here may be too polite to tell you this (or they are quietly confident that you will find this out in due time) but, putting it bluntly, your quest with behavior blockers will be in vain. Classic behavior blockers just don't work in a corporate environment. Smart behavior blockers will be more or less the same.

If you are looking for that close to 100% assurance in a corporate environment, I'd suggest to you that you 1) Have a robust patching cycle such that you have NO vulnerable software on computers (or at least minimize the window for when they are vulnerable). Secunia has a program called NSI which can be extremely useful for this. 2) Whitelist exes using Anti-Executable or a similar program. 3) Blacklist websites using either your inbuilt capability at the gateway level or through a service like OpenDNS. Kill social networking sites, common free email providers (gmail, live mail, yahoo mail), porn and warez sites etc. Seems draconian, but that's the only way you can really get that level of assurance you seem to expect. Otherwise, lower your expectations with blacklisting + behavior blocking + 'cloud technology' and what not.

EDIT: Also have strict policies in place such that work computers can only be used for work, and educate users not to do stupid things like opening attachments from people they don't know, don't click on "you may have a virus" banners etc.
__________________
Windows 7 Professional
Avira - Secunia PSI - Hostsman
Firefox - No Script - LastPass

Last edited by jrmhng : June 18th, 2009 at 04:18 AM.
#30
June 18th, 2009, 11:49 AM
dlimanov
Frequent Poster
Join Date: Jun 2009
Posts: 204
Re: PrevX Missing Detection

@huangker: Thank you for your input. With the exception of restricting user logon to an unprivileged user, we have all of the items you mentioned, plus some. I disagree that behavioral detection doesn't work in the enterprise, however. Is it time-consuming to implement and fine-tune? Absolutely! But we are using Cisco Security Agent, a true behavior-based HIPS, on all mission-critical servers, and it works like a champ, protecting systems that are in the DMZ against unknown attacks and doing a fine job at that, I might add.
To give you a good idea of what I'm trying to achieve, here's a scenario:
- User clicks on a link or visits a malicious website; the address is checked against known malicious hosts in the cloud (or local or central server) and an alert is generated/presented to the user, asking if he wants to continue;
- User decides to continue, downloads the malicious file and executes it. The file is checked against signatures in the cloud (or local or central server, doesn't matter at this point) and if a signature is available, the file is blocked/quarantined and the user is notified of the action.
- If a signature is not available and this is a true 0-day or modified existing threat (like the millions of Conficker variants), this is where it gets interesting. The behavior engine kicks in and analyzes the ENTIRE scope of the process execution that occurred thus far: i.e., download from a potentially malicious site, lack of signature and some general file header or other specific file information, like how it was packed, formed, etc. The file is then "sandboxed" and allowed to execute, so its actions can be monitored and analyzed further, with emphasis on virus-like behavior. The resulting combination of the pre- and post-sandbox behavior is checked against the cloud OR centrally-defined policy and appropriate action is taken and/or the user is notified and given an option to execute or block/quarantine the file.

Now many would argue that this could break legitimate processes that fall under some of the categories of actions that we'll be looking for, and this argument is 100% correct. For this, an initial scan for infections is performed immediately after installation to make sure the machine is clean, and then a learning period takes place, where the program learns the "normal" behavior of the machine and builds appropriate rules automatically. Additionally, certain "allow" rules should be pre-built, for WindowsUpdate or SMS, for example, to make the admin's life easier.

The scenario above is the "perfect world" example of what should happen, IMO. Various vendors have various levels and pieces of what I described above. FWIW, this is merely a food-for-thought scenario to better illustrate my point and keep the discussion going.
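The staged pipeline dlimanov sketches in this post, written out as an added example (it is not Prevx code and not from the original thread). Every host, hash, process name, baseline action and behaviour weight is a constructed stand-in, and the `central_policy_threshold` parameter stands for the centrally-defined policy the post asks for; without it, anything beyond the learned baseline is handed to the user.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"        # quarantine the file and notify the user
    ASK_USER = "ask_user"  # no policy decision available: give the user the choice

@dataclass
class Sample:
    process_name: str
    sha256: str
    source_host: str
    packed: bool
    signed: bool
    sandbox_actions: list  # what the file did while "sandboxed"

# Constructed stand-ins for the cloud / central-server data in the scenario.
KNOWN_BAD_HOSTS = {"malware.example"}
KNOWN_BAD_HASHES = {"0" * 64}  # placeholder hash, not a real indicator
# Admin pre-built allow rules (hypothetical process names for Windows Update / SMS).
ALLOW_RULES = {"wuauclt.exe", "smsexec.exe"}
# "Normal" actions recorded during the learning period on a clean machine.
LEARNED_BASELINE = {"write_temp_file", "read_registry"}
# Weights for virus-like sandbox behaviour; other actions outside the baseline count 1.
ACTION_WEIGHTS = {"write_autorun_key": 3, "inject_remote_thread": 4,
                  "disable_security_service": 5, "modify_hosts_file": 3}

def pre_sandbox_score(sample):
    """Evidence gathered before execution: source reputation and static file traits."""
    score, reasons = 0, []
    if sample.source_host in KNOWN_BAD_HOSTS:
        score, reasons = score + 2, reasons + ["downloaded from known malicious host"]
    if sample.packed and not sample.signed:
        score, reasons = score + 1, reasons + ["packed and unsigned"]
    return score, reasons

def sandbox_score(actions):
    """Evidence gathered in the sandbox, ignoring actions the learning period marked normal."""
    score, reasons = 0, []
    for action in actions:
        if action not in LEARNED_BASELINE:
            score += ACTION_WEIGHTS.get(action, 1)
            reasons.append(f"sandbox: {action}")
    return score, reasons

def evaluate(sample, user_continues=True, central_policy_threshold=None):
    """Run the scenario's stages in order; returns (verdict, score, reasons)."""
    if sample.process_name in ALLOW_RULES:                # pre-built "allow" rule
        return Verdict.ALLOW, 0, ["pre-built allow rule"]
    if sample.source_host in KNOWN_BAD_HOSTS and not user_continues:  # stage 1: URL alert
        return Verdict.BLOCK, 0, ["user declined to continue"]
    if sample.sha256 in KNOWN_BAD_HASHES:                 # stage 2: signature lookup
        return Verdict.BLOCK, 0, ["signature match"]
    pre, why_pre = pre_sandbox_score(sample)              # stage 3: no signature available
    post, why_post = sandbox_score(sample.sandbox_actions)
    score, reasons = pre + post, why_pre + why_post
    if central_policy_threshold is not None:              # centrally-defined policy decides
        return (Verdict.BLOCK if score >= central_policy_threshold else Verdict.ALLOW), score, reasons
    # No central policy: anything beyond the learned baseline is put to the user.
    return (Verdict.ASK_USER if score else Verdict.ALLOW), score, reasons
```

The same unknown dropper is blocked outright under a central threshold of 5 but only prompts the user when no central policy is configured, which is the gap the later posts in the thread discuss.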
#31
June 18th, 2009, 12:07 PM
Habakuck
Frequent Poster
Join Date: May 2009
Posts: 543
Re: PrevX Missing Detection

@dlimanov:

I think Kaspersky running interactively will fulfil all your needs...

And it will provide another layer of security to the internet user: The sandbox!
__________________
"If You Run Naked Around a Tree, at about 87 km/h, there is a possibility of f4cking your self."
Albert Einstein
#32
June 18th, 2009, 12:16 PM
PrevxHelp
Prevx Moderator
Join Date: Sep 2008
Location: USA/UK
Posts: 7,600
Re: PrevX Missing Detection

Quote:
Originally Posted by dlimanov
- If a signature is not available and this is a true 0-day or modified existing threat (like the millions of Conficker variants), this is where it gets interesting. The behavior engine kicks in and analyzes the ENTIRE scope of the process execution that occurred thus far: i.e., download from a potentially malicious site, lack of signature and some general file header or other specific file information, like how it was packed, formed, etc. The file is then "sandboxed" and allowed to execute, so its actions can be monitored and analyzed further, with emphasis on virus-like behavior. The resulting combination of the pre- and post-sandbox behavior is checked against the cloud OR centrally-defined policy and appropriate action is taken and/or the user is notified and given an option to execute or block/quarantine the file.

Besides the ability to support a "centrally defined policy", this is exactly what we do and I'm unaware of any enterprise vendor which does offer the ability for an admin to make a complex policy like this.
#33
June 18th, 2009, 12:41 PM
dlimanov
Frequent Poster
Join Date: Jun 2009
Posts: 204
Re: PrevX Missing Detection

Quote:
Originally Posted by PrevxHelp
Besides the ability to support a "centrally defined policy", this is exactly what we do and I'm unaware of any enterprise vendor which does offer the ability for an admin to make a complex policy like this.

Joe,
I really wish you did have this option, I truly do.
I think F-secure's Client Security has something like this, I've yet to install the demo, however, so don't hold me responsible just yet.
#34
June 18th, 2009, 12:54 PM
dlimanov
Frequent Poster
Join Date: Jun 2009
Posts: 204
Re: PrevX Missing Detection

Quote:
Originally Posted by PrevxHelp
Besides the ability to support a "centrally defined policy", this is exactly what we do and I'm unaware of any enterprise vendor which does offer the ability for an admin to make a complex policy like this.

P.P.S.:

Joe,
I think if Prevx would give an end-user an option (versus making a decision for them), it would be very helpful in my particular case. In other words, since central policy is not available, I'd like to be able to at least give the user an option when potentially malicious behavior is detected but no signature/cross-reference is available in the cloud. A2 does this with "paranoid" mode; maybe Prevx can have this setting available in the future? Not sure if this belongs here or in the "Future Requirements" thread.
#35
June 18th, 2009, 02:00 PM
PrevxHelp
Prevx Moderator
Join Date: Sep 2008
Location: USA/UK
Posts: 7,600
Re: PrevX Missing Detection

We're still in early stages of designing a lot of the Prevx 4.0 functionality but it looks as though this will be present as we will be having a significant amount of the server-side analysis available to the enterprise customers as configuration options (including the ability to view full reports on what individual programs change on the system and the ability to block classes of programs by behavior).

However, the version of Prevx 4.0 for Enterprise will be ready later than the consumer version and this level of granular control will be one of the final features to be added in the roadmap (I'm not sure on exact timings at this point).
#36
June 18th, 2009, 02:47 PM
Habakuck
Frequent Poster
Join Date: May 2009
Posts: 543
Re: PrevX Missing Detection

Quote:
Originally Posted by PrevxHelp
it looks as though this will be present as we will be having a significant amount of the server-side analysis available to the enterprise customers as configuration options (including the ability to view full reports on what individual programs change on the system and the ability to block classes of programs by behavior).
That sounds fantastic!

By the way: I have to correct myself. A friend of mine wrote a test sample (of course completely unknown in the cloud) and tested it against PrevX.
PrevX did its job very well and detected it as low-risk malware!
After that he tested another program written by himself which is not malicious.
PrevX again did a good job by not classifying it as malicious.

Accordingly, PrevX definitely has behavior analysis implemented. And I can understand the PrevX team not telling us all the tricks they use for analysing the files...

So PrevX works perfectly for me and I think the next upgrades will be even better!

Best regards
#37
June 18th, 2009, 03:33 PM
dlimanov
Frequent Poster
Join Date: Jun 2009
Posts: 204
Re: PrevX Missing Detection

Quote:
Originally Posted by PrevxHelp
We're still in early stages of designing a lot of the Prevx 4.0 functionality but it looks as though this will be present as we will be having a significant amount of the server-side analysis available to the enterprise customers as configuration options (including the ability to view full reports on what individual programs change on the system and the ability to block classes of programs by behavior).

However, the version of Prevx 4.0 for Enterprise will be ready later than the consumer version and this level of granular control will be one of the final features to be added in the roadmap (I'm not sure on exact timings at this point).

This is the best news I've heard all week, thanks Joe! When beta time for the enterprise comes, please put me on the list of beta-testers, if such thing exists.
#38
June 18th, 2009, 03:51 PM
PrevxHelp
Prevx Moderator
Join Date: Sep 2008
Location: USA/UK
Posts: 7,600
Re: PrevX Missing Detection

Quote:
Originally Posted by dlimanov
This is the best news I've heard all week, thanks Joe! When beta time for the enterprise comes, please put me on the list of beta-testers, if such thing exists.

Will do!
#39
June 18th, 2009, 03:54 PM
PrevxHelp
Prevx Moderator
Join Date: Sep 2008
Location: USA/UK
Posts: 7,600
Re: PrevX Missing Detection

Quote:
Originally Posted by Habakuck
That sounds fantastic!

By the way: I have to correct myself. A friend of mine wrote a test sample (of course completely unknown in the cloud) and tested it against PrevX.
PrevX did its job very well and detected it as low-risk malware!
After that he tested another program written by himself which is not malicious.
PrevX again did a good job by not classifying it as malicious.

Accordingly, PrevX definitely has behavior analysis implemented. And I can understand the PrevX team not telling us all the tricks they use for analysing the files...

So PrevX works perfectly for me and I think the next upgrades will be even better!

Glad to hear

Indeed the next upgrades to v3 and to development of v4 will mark another major step-change for Prevx - we're moving forward on a number of pieces of functionality simultaneously but as soon as everything is ready we will be passing around Betas to everyone interested.
#40
June 18th, 2009, 04:27 PM
Habakuck
Frequent Poster
Join Date: May 2009
Posts: 543
Re: PrevX Missing Detection

Quote:
as soon as everything is ready we will be passing around Betas to everyone interested.
Here's one...
#41
June 18th, 2009, 04:44 PM
mvdu
Very Frequent Poster
Join Date: Oct 2003
Location: PA
Posts: 1,151
Re: PrevX Missing Detection

Prevx has been the only constant in my setup of late; improved behavioral detection would be great as I currently have no HIPS. Version 4 will be better in this regard?
#42
June 18th, 2009, 05:18 PM
PrevxHelp
Prevx Moderator
Join Date: Sep 2008
Location: USA/UK
Posts: 7,600
Re: PrevX Missing Detection

Quote:
Originally Posted by mvdu
Prevx has been the only constant in my setup of late; improved behavioral detection would be great as I currently have no HIPS. Version 4 will be better in this regard?

We will indeed have significantly improved behavioral detection, however, for consumers, we are staying away from a full blown classical HIPS/behavior blocker to stay with the same mentality of very few popups/near-silent security.
#43
June 18th, 2009, 07:39 PM
mvdu
Very Frequent Poster
Join Date: Oct 2003
Location: PA
Posts: 1,151
Re: PrevX Missing Detection

Quote:
Originally Posted by PrevxHelp
We will indeed have significantly improved behavioral detection, however, for consumers, we are staying away from a full blown classical HIPS/behavior blocker to stay with the same mentality of very few popups/near-silent security.

I like the silent philosophy. I am glad it's possible to improve behavioral detection while keeping it that way.
#44
June 19th, 2009, 02:19 AM
Habakuck
Frequent Poster
Join Date: May 2009
Posts: 543
Re: PrevX Missing Detection

Quote:
Originally Posted by mvdu
I like the silent philosophy. I am glad it's possible to improve behavioral detection while keeping it that way.

Me too!

I changed from Kaspersky to PrevX because I didn't like the vast array of pop-ups.
#45
June 19th, 2009, 05:43 AM
jrmhng
Very Frequent Poster
Join Date: Nov 2007
Location: Australia
Posts: 1,268
Re: PrevX Missing Detection

Quote:
Originally Posted by dlimanov
- If a signature is not available and this is a true 0-day or modified existing threat (like the millions of Conficker variants), this is where it gets interesting. The behavior engine kicks in and analyzes the ENTIRE scope of the process execution that occurred thus far: i.e., download from a potentially malicious site, lack of signature and some general file header or other specific file information, like how it was packed, formed, etc. The file is then "sandboxed" and allowed to execute, so its actions can be monitored and analyzed further, with emphasis on virus-like behavior. The resulting combination of the pre- and post-sandbox behavior is checked against the cloud OR centrally-defined policy and appropriate action is taken and/or the user is notified and given an option to execute or block/quarantine the file.

This is hard to do. Prevx is supposed to be one of the better behavior blockers. This leg of the transaction won't give you anywhere near the level of assurance you are looking for.
Copyright ©2002 - 2013, Wilders Security Forums