Is Prevx vulnerable (the Matousec article)

Is Prevx vulnerable to this exploit?

http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

More reading here:

https://www.wilderssecurity.com/showthread.php?t=271968

I realise that that report from Matousec mentions HIPS but it appears that any security application using SSDT hooks is vulnerable, including AV software.
I just wondered if Prevx uses SSDT hooks at all and if there is a possible vulnerability if this method ever circulates ITW.

 

Re: Is Prevx vulnerable

FUD = http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt but read these articles: http://www.itworld.com/security/107345/ignore-nonsense-anti-virus-software-good-ever and http://beranger.org/post/586644902/dont-buy-the-all-the-antivirus-solutions-are and of course Joe will clarify!

TH

 

Re: Is Prevx vulnerable

https://www.wilderssecurity.com/showpost.php?p=1348887&postcount=288

 

Re: Is Prevx vulnerable

That's a year and a half old so hopefully Joe can clarify on the recent builds and if we should be concerned which I doubt that we have to be!

TH

 

My wild guess... NO! Prevx is invulnerable to KHOBE

 

You are correct Prevx is not vulnerable to KHOBE, which is indeed largely FUD. This is an architectural characteristic of any multithreaded operating system - the "issue" is called 'TOCTTOU' http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use and while it can bypass components of many security products, Prevx performs its behavior monitoring in a very different manner so no actual protection compromisation can take place from it.

To be fair, many of the other vendors listed in the Matousec article are also not as vulnerable as they have made it out to seem. They assumed that if a particular call was allowed through that the vendor failed the test, but frankly, virtually no vendors condemn a program from a single system call - it is the overall interpretation of the program.

 

For what I understand, this was discovered in 1996 and no malware has made use of it yet. So, yes, this is the end of the world.......again.

 

Laughed out loud at that one - that was indeed our response... it is always surprising when "new" vulnerabilities surface like this and get such a wide following in the news media as well.

We are adding a new behavior monitoring engine to detect if a threat tries to get around protection of an AV via a "KHOBE"-style method but besides that, we are completely apathetic to it.

 

Many thanks for your usual comprehensive reply Joe.
I did realise that there was much FUD attached to this but I was interested in how Prevx implemented their protection and if it was immune to KHOBE or not.
Nice to see that you are adding a new behaviour monitoring engine 'just in case' though