Prevx 3.0: delayed detection

Discussion in 'Prevx Releases' started by dlimanov, Jun 10, 2009.

Thread Status:
Not open for further replies.
  1. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Joe,
    I have been playing with PrevX some more on my home machine. Downloaded Adware 2009 (hxxp://www.adware-2009.com/) from a known RBN site and scanned it manually -- nothing found. Installed it on VM with PrevX, again, no complaints.
    Tonight, I boot up my machine and PrevX immediately finds the installation file I downloaded yesterday and reports it as High Risk Fraudulent Program and cleans it. Same story on the VM with Adware 2009 installed, PrevX stops it from running.
    Am I wrong assuming that yesterday, my machine was used as a honeypot to some degree? I.e., PrevX uploaded file characteristics to your server when I manually scanned and installed it, and even though it thought it was clean initially, consecutive examination on your side determined that it was indeed malicious and definitions were created. I got them today, and file(s) are detected. Here's a signature from my log:
    (ACTIVE) c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\adwareprofessional.exe [PX5: 14A6205A984CA6059E65247FD347C7009A04F0FF] Malware Group: High Risk Fraudulent Security Program

    Moreover, I mentioned how Spycair was not being detected yesterday. Lo and behold, today everything is being blocked using the signatures below:
    (ACTIVE) c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\adwareprofessional (1).exe [PX5: 14A6205A984CA6059E65247FD347C7009A04F0FF] Malware Group: High Risk Fraudulent Security Program
    c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\hklm_runonce.exe [PX5: 5C861AF2007D90102E7900F4E80B7B00E3245D88] Malware Group: Medium Risk Malware Dropper
    c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\hklm_runonceex.exe [PX5: B7FCD6D2000B4BB92EA400B88E221600BC1B7996] Malware Group: Medium Risk Malware
    c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\ie-sethomepage.exe [PX5: 43C8BBDC00FB34FC289700AAF65B6700A7496D7C] Malware Group: Medium Risk Malware Dropper
    c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\alterhostsfile.exe [PX5: 0486270400A304BC286E00AE0C51F00065FEF74C] Malware Group: Medium Risk Malware Dropper
    c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\towtruck.exe [PX5: 3D14AB6300219B583EF50029A4E1BC001B71E1FB] Malware Group: Medium Risk Malware Dropper

    My question is this: why didn't PrevX detect both instances of unwanted programs using its behavior analysis, but as soon as the files were analyzed on your server, signatures were issued for them? The whole appeal of the product is that it's moving away from signature-based detection and uses advanced behavior detection instead; here it looks like behavior detection failed to determine that the files were malicious and the program fell back on signature-based detection instead. Is this expected?
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've looked at the files you pasted and all of them were determined automatically - the behavior detection didn't fail to determine the files, it just failed to determine them the first time they were seen. I suspect that we just needed more data to cross reference about the programs before they were able to be found immediately. We automatically detect thousands of new threats every day the first time they're seen, but we find many more after they've been seen by another user (we usually lock down on the threat after it's been seen by the second user).

    The "PX5" entries which you see are not signatures, they are just identifiers to allow us to look at the exact files. The actual detections behind the files which you have are far more complex and all held server side, but it does sometimes take data from multiple points to really determine the intent of the program.
     
  3. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Joe,
    Can you please elaborate on this? I'm not sure I understand what you're saying.
    When PrevX scans a file and applies behavior detection analysis to it, does it then need to confirm with the "cloud" that this file/behavior was reported elsewhere already, and only then can it be blocked? Does it mean that otherwise (like in my case), if there's no cross-reference and even though the behavior detection engine recognized these files as malicious, they will not be acted upon?
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We don't check if the behavior was reported elsewhere, but it helps to cross reference reports. Programs, especially malware, do not behave the same on every computer and it helps our confidence levels to see a semi-suspicious file from multiple perspectives (especially in the case of a rogue antispyware application).

    The behavior engine locally does not make any determinations - it sends up all of the details which are then analyzed centrally to return determinations based on the newest sets of data.
     
  5. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Now I get it. If it's not a secret, what are the determinations based on when something like this is processed on the server? When you say it helps to look at the file from multiple perspectives, does it mean that you're analyzing reports from other reported sources to cross-reference if the behavior is the same?
    What I'm getting to is this: let's say, I have a file that's malicious and PrevX detection knows about it, but there are no other reports to "back it up", so to speak. Would PrevX block the file based on its own behavior engine alone, or does it need to cross-reference it within the cloud with other, similar instances, and only then the "kill" is approved?
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It is a bit of a trade secret :) We collect 7 distinct signatures from the physical file itself, as well as contextual data like how the program entered the system/where the program exists on the system, information on any registry entries pointing to the file, etc. as well as the behaviors that the program performs in realtime. Multiple perspectives are useful especially for rogue antimalware products which tend to behave very differently on different systems. For instance, one installation (starting from the same initial dropper) may create its files in C:\Program Files\FakeAV2009\ and use an HKLM\...\Run registry entry named "SvcHost Loader" while the exact same dropper on another system may create an HKLM\...\RunServices entry named "Microsoft Updater" pointing to its file in C:\Program Files\DifferentName2009\

    Polymorphism doesn't necessarily only happen on the file level - it also frequently happens within the behavior of a program itself and our engines lock onto these characteristics to identify suspicious looking programs.

    On a daily basis, we automatically identify upwards of 20,000 new programs as malicious on the first time they're seen. We would immediately block it before execution in this case, but the detection rates aren't perfect just from this layer alone. The benefit of our centralized database is that even if we can't immediately identify a file as malicious, it is likely that another file which we see in the future will be similar to it which can allow us to automatically add detection to the first file, either by seeing a new similar file or by getting additional reports from the individual file itself.

    Our spread detection heuristics (in the Settings > Heuristics Settings page) work completely separately from the rest of our architecture and look at the age/popularity of programs in question. For example, if a new program has only been seen by a single user across the entire Prevx community, it is very likely that the program has polymorphic characteristics which means it is most likely server-side modified malware. This allows us to conceptually block a vast majority of 0-day threats and new polymorphic threats (i.e. the Storm worm) without having to add additional signatures.
     
  7. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Joe, thank you very much, this is exactly what I was looking for!
    In my case with Adware 2009 and Spycair, the reason they were not blocked initially (even though the behavior detection engine probably identified them as possibly malicious) was because it took some time to cross-reference them on the server and positively identify them as indeed malicious. Is this correct?
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes :)
     
  9. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Good stuff, I think I'm getting a handle on this, at least understanding the behind the scenes magic.
    So, it looks like the behavior-based engine on the client is not truly independent, it still needs to check with the cloud and cross-reference behavior with known, similar variants. If there's no known cross-reference, the application in question will be allowed but its actions will be further analyzed and a cross-reference "signature" will be created so it can be blocked on next execution.
    Is it possible to customize this behavior on the client to not rely on the cloud's cross-reference all the time, but act on threats automatically? Is there any level of customization of detection available on the client, other than heuristics?
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Correct :)

    We currently do not have this functionality but we are considering adding some more granular controls like this into a future version further down the roadmap.
     
  11. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Excellent, this is something I'd definitely want to see in the client. On a separate note, please check your PMs when you have a chance, I have an Enterprise licensing question.
     
  12. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @Joe
    HOLY COW !!
    That is fantastic: what a score.
    Congratulations to PrevX. I really hope this goes well and maybe some benefits will flow downstream too. ?
    :thumb:
    :thumb:

    With respect to this massive opportunity and workload, I am sure "we" here appreciate even more the effort the PrevX support mob: WebDesigner, MG and you Joe put in for us. I know I do.
    Respect.

    Heh: as to:
    LOL: truly, ....I got the message...:eek: ...., penetrating slowly...just a bit slow on the uptake down here.
    Coriolis effects dontcha know..
    Thanks. :)
     
    Last edited: Jun 12, 2009
  13. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Joe,
    A question on Prevx 2.0 - I have a P2 license that runs out end of August and keep the P2 installer stored on a USB stick, will I be able to renew this P2 license or would it be an automatic upgrade to P3. ie. will P2 eventually be discontinued by not renewing licenses as they expire until they have all expired?
     
  14. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Another question o_O
    When the next version of P3 surfaces with the secure browsing etc included will there be any restrictions for unlicensed users other than the present 'detection only' one.
    ie: will potential paid users/customers be able to trial/use the secure browsing etc or will they be restricted in some way - the full works only available to license holders?
     
  15. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Now, what if what's not blocked at first is suddenly deemed malicious and still running - is it suddenly just blocked in real-time? (Ofc I suppose this :D) For some reason, nah, obviously I'm concerned that analysis needs to be done elsewhere, which means it can do its thing. :doubt:

    Is this completely true if I, say, turn off Age/Spread heuristics? If that would *sometimes* block the new malware, it means it's sometimes useful, but greatly increases the risk of FPs and maybe prompts for the user.
     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Indeed we do. :) On another note, I get an error when I go to that page - says it doesn't exist. :D Would you mind posting the results that Prevx got?
     
  17. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
  18. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Joe,
    Should PrevX be able to detect PDF exploits? If yes, where do I submit a file it didn't detect?
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We're still deciding exactly how all of the functionality will be given to users - we will let everyone know exactly what comes of the discussions :)
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've sent you a PM with an address of one of our researchers - EraserHW :)
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It is still possible to renew a P2 license to P2 (and we will continue to support it), but you can renew P2 > P3 or just upgrade to P3 for free from P2 by using our license swap utility: http://info.prevx.com/licenseswap.asp
     
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I find this interesting as I scanned the executable with KL and it reported nothing. Even accessing the website with the web AV on didn't prompt any alerts. I sent the file for analysis to KL while I did some more testing.

    Virustotal displayed only 4/39 vendors detecting this file, including PrevX. Virscan only showed 2/38, and these two were in the other group, namely Comodo and DrWeb.

    A KL Virus Analyst replied saying there's no malicious code in the file. I don't wish to dispute the accuracy of these guys as they are renowned the world over for their expertise, but I'm curious as to whether the program is really that malicious given so few vendors recognise it.

    adware-2009.com is on a number of malware domain blocklists.

    A similar program to this - errorclean.exe - from errorclean.com is detected by KL, and I assume by PrevX as well.

    All this just got me wondering why given the similarity between such programs and the fact they're listed by a number of other places why certain vendors don't recognise it.
     
  23. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Here's my dumbed down understanding of how PrevX works:
    - you execute a program and its fingerprint is created on the fly and checked against the "cloud"
    - if matching fingerprint is found, application is blocked using signature engine detection
    - if matching fingerprint is NOT found, then behavioral engine kicks in
    - if malicious behavior is identified, it is cross-referenced against other, similar behaviors in the cloud
    - if cross-reference match is found, application is blocked via behavior engine detection
    - if cross-reference match is NOT found (or not sufficient), process is allowed and you are infected
    - process behavior is then sent in for further analysis (manual or automatic, I don't know), and if found malicious, fingerprints are released. This is how one program is not detected (and infected you) today, but caught and removed tomorrow.

    I have a BIG problem with second to last item, to be honest. I feel that behavior-based detection option should be customizable; i.e. I should be able to specify how sensitive the detection is, and decide whether I want to allow the process whose behavior appears to be malicious, but for which there's no signature/behavior cross-reference available, or I want to quarantine or block/delete it altogether. I am really hoping PrevX will incorporate this option in the future release.
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The reason why we don't have this currently is that it is a <very> techie-oriented feature. 99+% of users would never touch it or have any idea what it does. We did have this functionality in previous products but have since removed it and haven't looked back because, through our telemetry over previous products, we saw a far less than 1% adoption of the more technical features which allowed granular configuration of what behaviors to block.

    What exactly would you define as an apparent malicious behavior? Regarding "no signature/behavior cross-reference" - we see more than 250,000 new programs every day, many of which are completely new products with no ties to previous programs.

    What you are describing is, in my opinion, much more a whitelist approach (which we offer) than a behavioral approach - only allow in what you trust and block everything else.

    In the case of adware-2009, it is clearly evident that the program doesn't contain any malicious behavior at all - as supported by the response from Kaspersky's analyst - but the program is indeed malicious. I don't see how any company could possibly identify this heuristically if it isn't doing anything bad and is a brand new program :doubt:
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Just a clarification on this step - we send up <any> behavior, malicious or not. We filter them down locally so as to not report every pixel drawn to the screen, but the local agent does not have a concept of malicious behavior (as individual behaviors are not malicious, entire programs are).
     
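A toy model of the verdict flow laid out in posts 6, 23 and 25 (the local agent reports all behavior, and the cloud decides by cross-reference against files already determined bad, by corroboration once a second user reports the same program, and by the separate age/spread heuristic), as an added illustration with constructed data; it is not Prevx code, and the behavior tag names, thresholds and ordering of checks are assumptions.

```python
from dataclasses import dataclass, field

# Coarse behavior tags chosen for this example; the rogue-AV cases in the
# thread (run keys, hosts file, IE homepage, fake scans) motivate them.
SUSPICIOUS = {"hklm_run_entry", "alters_hosts_file", "sets_ie_homepage",
              "fake_scan_popup"}

@dataclass
class Sighting:
    file_id: str          # stands in for a PX5-style file identifier
    user: str
    day: int              # day the report reached the cloud
    behaviors: frozenset  # every behavior the local agent reported

@dataclass
class Cloud:
    known_bad: set = field(default_factory=set)
    reports: dict = field(default_factory=dict)  # file_id -> [Sighting]
    corroborate: int = 2       # distinct users reporting suspicious behavior
    overlap: int = 2           # tags shared with a known-bad file (assumed)
    spread_heuristics: bool = False
    new_age_days: int = 3      # "brand new" cutoff for the spread heuristic

    def verdict(self, s: Sighting) -> str:
        """Action for one execution report; also updates the cloud's state."""
        hist = self.reports.setdefault(s.file_id, [])
        hist.append(s)        # the agent sends up all behavior, good or bad
        if s.file_id in self.known_bad:
            return "block:known"
        # Cross-reference: behaves like a file already determined malicious.
        for bad in self.known_bad:
            tags = set().union(*(r.behaviors for r in self.reports.get(bad, [])))
            if len(tags & s.behaviors) >= self.overlap:
                self.known_bad.add(s.file_id)
                return "block:cross-reference"
        # Corroboration: lock down once a second user reports suspicious behavior.
        users = {r.user for r in hist if len(r.behaviors & SUSPICIOUS) >= 2}
        if len(users) >= self.corroborate:
            self.known_bad.add(s.file_id)
            return "block:corroborated"
        # Age/spread heuristic: seen by one user and very new -> block, at FP risk.
        age = s.day - hist[0].day
        if self.spread_heuristics and len({r.user for r in hist}) == 1 \
                and age <= self.new_age_days:
            return "block:spread-heuristic"
        return "allow"

def replay(spread_heuristics: bool = False) -> list:
    """Replay the thread's story: allowed on day one, blocked from day two."""
    cloud = Cloud(spread_heuristics=spread_heuristics)
    rogue = frozenset({"hklm_run_entry", "sets_ie_homepage", "fake_scan_popup"})
    lookalike = frozenset({"hklm_run_entry", "alters_hosts_file", "fake_scan_popup"})
    benign = frozenset({"writes_text_file"})
    return [cloud.verdict(Sighting("adware2009", "dlimanov", 1, rogue)),
            cloud.verdict(Sighting("adware2009", "user-b", 2, rogue)),
            cloud.verdict(Sighting("adware2009", "dlimanov", 3, rogue)),
            cloud.verdict(Sighting("spycair", "user-c", 3, lookalike)),
            cloud.verdict(Sighting("new-editor", "user-d", 3, benign))]
```

replay() allows the rogue on day one and blocks it once a second user reports it, then catches the look-alike by cross-reference; replay(True) blocks on day one but also blocks the benign new file, which is the false-positive trade-off raven211 raises.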