New Prevx POC tested

New Prevx POC tested

XP/SP2

On my comp this new POC also failed to work, as did all the previous ones. It could be due to Prevx detecting it ? but i excluded it from detection and allowed it to run, so i doubt it's that ?

Somehow Prevx & Avira has already got hold of a copy of this new POC, but NOT from me, as i have promised i will not pass it on to anyone.

Once again i can't explain why these POC's don't work on my comp, but the fact is they do not.

******

EDIT

As "certain" info was mistakenly included in the screenies i posted earlier, i have removed them all. I know that without the screenies you now just have to take my word that it didn't work, but i can Assure it did not. Sorry for any inconvenience/disappointment etc.

 

**************

 

***********

 

It's best to test a PoC on a clean machine with only the targeted software installed. IIRC, in one of your past pictures, Process Guard intercepted (auto-blocked) the PoC from manipulating explorer.exe and some other processes. Maybe at least disable (from startup) other security software aside from Prevx when testing?

 

The "exploit" is now adding itself to load on bootup in the BootExecute key - essentially in kernel mode (native mode to be specific) and has gone down to a completely useless route. Rootkit Unhooker itself and every AV will be removed by this technique and it steps over the line of an actual self protection bypass.

Installing Prevx with a random filename will prevent it from working (as it has done with every attack in the past).

We already have updated Prevx to defend against this generically (not with a signature, but to prevent the files from being modified) but do not see any benefit in releasing it yet - the update will be included in the next round of updates.

Until EP_X0FF decides to act professionally and contact us with information on these exploits before releasing them publicly in an unprofessional manner, we are not going to give him the press and attention of the Prevx brand in discussing about it. We received the behavioral profile of the sample from our central database and indeed did not receive the sample from CloneRanger.

Therefore, I'm going to close this thread for now. Feel free to PM me if you wish to discuss or disagree with the closing of the thread!

 

I asked PrevxHelp to reopen my thread, at least for a while, as i have an update to include in it. If i'm not able to post, it will completely and permanently leave the wrong impression, which wouldn't be right or fair.

@ PrevxHelp Thanks for doing so

Thanks for confirming that And i have NOT and will NOT pass it on to Anyone, as i originally promised.

*

@ thanatos_theos

I know that's what some people say, but i believe it's not a Truly realistic situation. Malware etc doesn't ask people to do that just so they can try and install/infect ! What any malware does to one comp it won't always/ever do to another. I'm not so interested in what it can/can't do to others comps, only mine.

I start off with my security on Max to see if/what they block, then one by one disable them and allow whatever through. It's more of a test of my security, rather than testing the malware etc

*

UPDATE to the latest POC i ran.

I have been "reliably" informed that UnPrevx worked, as it did indeed kill pxrts.sys

I agree that it did, and showed that at the time. But what did Not happen was Prevx crashing or shutting down or a total ****up as predicted. Even after rebooting i found Prevx still launched and working.

I have just retested the POC, and all the above is as was before. What i discovered this time, and i "guess" i may have overlooked last time, sorry, even though Prevx is alive it's realtime detection has been halted However i am still able to do right click scans of files and folders. Plus the SOL antikeylogger web protection etc appears to be doing it's job too.

I installed Prevx with random filenames, so this "could" be why no total ****up ?

I wanted to put the record straight with this post, and i hope i have now. I didn't purposely mislead anyone, or favour any side.

I believe these POC's and other such harmless tests, like leak/keylogging etc tests, are extremely useful to both users and vendors, in various ways. Speaking personally, i appove of them, as they all go help us improve our defences, if action is taken of course by everyone

 

Whatever the result, your test and prevx's reputation is tainted now because the thread was closed in the first place. Prevx failed so "close the thread". Oh wait, it was a mistake, it passed. Oh goodie - "let's reopen the thread now"

IMO - to maintain integrity, the thread should of "remained closed!"

 

@ tobacco

Truth told, on my comp, it both passed and failed !

It failed in realtime detection, but passed in the other respects, as i mentioned.

If the thread had not been reopened as i requested it to be, people would have been left with the wrong impression, as i also stated, and that would not be right or fair to either Prevx or EP_X0FF

 

Yes i understand what your trying to convene here. But like you said, these poc tests are just "useless"

It's not real world useage. Anyways, the thread closing and the reopening just didn't sit right with me. I've said my piece

 

Also guys PrevxHelp (Joe) has already said:

So I find this topic obsolete at this point

TH

 

Good

Never ! I did NOT say that, i said the opposite

 

This thread is useless. Prevx or any other security software can be compromised by a targeted attack or malware. If some one claims that prevx is immune, it's wrong. On the other hand, if there is some thing like this, it must be fixed as soon as possible.

 

Joe already said this in his post

 

Exactly We've responded multiple times already and this response still holds true: https://www.wilderssecurity.com/showthread.php?t=279719

In the end, if the customer is able to uninstall software, it must be possible to remove the software. If the user has administrative rights, they, or any software can remove any application - there is no 100% way to prevent this. Frankly, EP_X0FF's current removal tool, which requires a reboot and a program to always be loaded as a critical system process on bootup in native mode that constantly monitors for new processes and kills them, is far more complex and cumbersome than our own uninstall routine.

I'll close this thread again for the reasons said in the other one - these discussions are irrelevant. The issue has been fixed already (I can send a test version directly if anyone wants to see it) but installing randomized, as said previously, will prevent any of these tests.