Prevx and fake AVs

Discussion in 'Prevx Releases' started by shadek, Apr 29, 2010.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The Age/Popularity protection is designed to work on specific types of threats and doesn't necessarily work as an anti-executable program. Set to maximum, it should catch much more but it still takes into account the behavior of the program and other attributes before condemning it. If you could please let me know exactly how you're testing these rogues, I will check to see if it would be in line with our Age/Popularity filters.

    Thanks! :)
     
  2. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    First of all, wouldn't a firewall w/HIPS, like OA, fare better than LnS?
    Set the browser to Run Safer to limit what the download can do to the system.
    And what about a policy sandbox like GeSWall?
    I'd like to know how the rogues do against something like my setup.
    I think OA would throw up a warning, and if the user trusted the rogue, then GeSWall would limit its ability to harm the system.
    I think this is what would happen, but even with Acronis images on hand, I am not of a mind to test them.
     
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I am happy to say that the latest rogue AVs aren't passing Prevx protection. :)
     
  4. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    LoL!! Ok, so a rogue AV that didn't pass protection due to age/popularity criteria before (like 2 hours ago) now passes the protection of Prevx!!!! How is that even possible? Worth noticing is that I've launched the application 7 times since then... did it get whitelisted because the popularity was raised? I am talking about the 'a-fast.exe' sample I've sent manually. Someone care to explain?
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Age/Popularity are simply that - they likely either became more popular or older. I've looked through the samples you submitted earlier and it appears that all of them have now been automatically determined as bad.

    It's probably worth noting that Prevx expects detected programs to be removed when they're caught by Age/Popularity protection, otherwise there are some cases where the warnings will be revoked because of the user's decision not to clean the threats.

    However, everything is blocked here on normal settings so let me know if you're seeing something different :)
     
  6. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Thank you for the input! :) The malware is now blocked since I've sent them in manually via e-mail. (not sure if that was needed though?)
     
    Last edited: May 4, 2010
  7. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    I don't really understand the surprise here o_O
    The installation of zeroday mals and "non-malicious" .exes has always been the achilles heel of current PrevX ( and the marketing spiel :cautious: )

    Dum de Dum...Singing an old song here:... there was an option for "do you want to run this" in Px v2.0; ie an "anti .exe".
    There was also a "This xxx.app wants to call out, do you want to let it?" option, now gone.
    These app control options have been dropped for the cloud based and heuristically weighted approach which is -gasp :eek: - obviously flawed at some levels.

    Less pop-ups but loss of granular control :ouch:

    Accept it for what it is -and the limitations-, and PrevX is a good tool, no doubt at all.
    Just don't be the first to load that innocuous .exe ? Eh.. ;)

    Need to combine with some more granular installation and activity controls imho to plug the gaps in the current implementation .... I dare to suggest that perhaps even more "detailed" behavioural based detection methods will still not be enough.??
     
    Last edited: May 4, 2010
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I would agree with Longboard
     
  9. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Ok, I've made a video showing how Prevx completely misses a sample, with ALL heuristic files set at max on a 0-day sample. According to these settings, I should be nearly 100% protected. See what happens;

    -http://www.youtube.com/watch?v=Ma9c6SasVBo- <-- be sure to watch the video with 1080p option for greater quality.

    I hope this video will better describe what I mean by rogue antiviruses bypassing Prevx, even though this time it was a trojan. Hope this makes things clearer for you Prevx when you asked me what settings I ran under. :)
     
  10. lubieplacki

    lubieplacki Registered Member

    Joined:
    Mar 24, 2010
    Posts:
    151
    Location:
    Poland
    What do you expect from Prevx? There is no security suite that detects every sample of malware. It's physically impossible. And a test on a small number of samples is not authoritative or credible. Prevx will behave differently with two samples and with two hundred samples.
     
  11. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I agree. But why wasn't the file scanned against the age/popularity criteria like it's supposed to (watch the video I added)? It would've been stopped then.
     
    Last edited: May 4, 2010
  12. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    The problem is those who don't know as much as we do would still allow the fake AV program to run because that's what they want it to do as, in most cases, they downloaded it in the first place. I don't see how an anti-executable approach helps them in this instance. o_O
     
  13. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Well, as you could've observed in the video I made... Prevx won't stop executables via age/popularity heuristic. I wonder, is something broken?
     
  14. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Thanks

    Now let's see how "Ronjor" is gonna delete "those VirusTotal Results"! Should be fun :p
     
  15. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    ~Phrase removed~ That is a video with an educational intent.
     
    Last edited by a moderator: May 4, 2010
  16. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    It would be easy to find a sample that bypasses any single AV/AM; PrevX included. There are a number of measures that can be taken to protect against rogues. I chose AppGuard for simplicity and to complement PrevX. Solid and flawless so far. BTW it's good to hear PrevX is going for 100%; I think some vendors use "100% is impossible" as an excuse for lack of protection.
     
  17. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    @ shadek you are expecting too much from Prevx and any other AV or AM to catch everything; you have to use some common sense! If you like testing them go ahead and post your findings without blaming your Anti-Malware provider, when you find a single product that stops everything even if you let it run and tells you to remove it or block it and you don't, let us know and we will all jump on the band wagon.

    EDIT: And with Version 4 they have big things to come and all this discussion will help Prevx to improve their product, but we will have to wait and see what they come up with! Suggestions are better placed here: https://www.wilderssecurity.com/showthread.php?t=245091

    To Quote PrevxHelp:

    Regards,

    TH
     
    Last edited: May 4, 2010
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I've only known PrevX since v3, but it seems those are more HIPS/firewall features..
     
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
  20. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    Hi:

    Have you tried malwarebytes ip blocker? I think it is the only one that will block access to the malwares that prevx failed to do. I am very amazed at malwarebytes ip blocker. It is amazing; the only downside is its update feature.
     
  21. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Thanks for the suggestion but we are discussing to make Prevx better not adding another program as this is the Prevx support forum!

    Regards,

    TH
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The Age/Popularity heuristic is not a finite engine component - it still takes into account overall program behavior and various other details gathered about the program, not necessarily just saying that "if X program is less than X days old then block". We had functionality like that in place in one of the earlier versions of Prevx 3.0 but users complained that those detections were "false positives" when they changed configuration to Maximum and we subsequently got a lot of backlash from several forum members so we toned down the Age/Popularity protection.
     
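As an added illustration of the point PrevxHelp makes above (this is example code written for this page, not Prevx's engine and not code from anyone in the thread), here is a toy reputation scorer in which program age and install count are only two of several weighted inputs, alongside runtime behaviour. Every weight, threshold, behaviour tag and the three sample files are assumptions constructed for the example. It shows why a pure "younger than N days" rule flags a user's own fresh build, why the Maximum level trips the same false positive even with weighting, and why a sample that has aged and spread without recorded bad behaviour slips past age/popularity alone.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Fixed "now" so the example is deterministic (constructed; matches the thread date).
NOW = datetime(2010, 5, 4, 12, 0, 0)


@dataclass
class FileFacts:
    """What a cloud reputation service might know about one executable hash (assumed fields)."""
    name: str
    first_seen: datetime          # when the hash was first reported by any endpoint
    install_count: int            # how many endpoints have reported the hash
    behaviors: set = field(default_factory=set)  # behaviour tags observed at runtime


# Assumed behaviour weights; a rogue AV typically exhibits several of these.
BEHAVIOR_WEIGHTS = {
    "fake_scan_ui": 20,
    "disable_security_center": 30,
    "kill_av_process": 30,
    "autorun_registry": 25,
    "outbound_http_unknown": 10,
}

# Assumed block thresholds for the two heuristic levels discussed in the thread.
THRESHOLDS = {"normal": 60, "maximum": 40}


def age_only_verdict(f: FileFacts, now: datetime = NOW, max_age_days: int = 3) -> str:
    """The naive "block if younger than N days" rule the post says the engine does NOT use."""
    return "block" if now - f.first_seen < timedelta(days=max_age_days) else "allow"


def score(f: FileFacts, now: datetime = NOW) -> float:
    """Weighted score: newness + rarity + observed behaviour (all weights assumed)."""
    age_days = (now - f.first_seen).total_seconds() / 86400
    age_score = max(0.0, 30.0 - 10.0 * age_days)     # 30 when brand new, 0 after 3 days
    if f.install_count < 5:
        pop_score = 30.0
    elif f.install_count < 100:
        pop_score = 15.0
    else:
        pop_score = 0.0
    behavior_score = float(sum(BEHAVIOR_WEIGHTS.get(b, 0) for b in f.behaviors))
    return age_score + pop_score + behavior_score


def verdict(f: FileFacts, level: str = "normal", now: datetime = NOW) -> str:
    """Block when the weighted score reaches the threshold for the chosen level."""
    return "block" if score(f, now) >= THRESHOLDS[level] else "allow"


# Constructed sample inputs (not real hashes or files).
SAMPLES = {
    # A build the user compiled 12 hours ago and runs on one machine; no bad behaviour.
    "fresh_build": FileFacts("mytool.exe", NOW - timedelta(hours=12), 1),
    # A rogue AV first seen two hours ago on three machines, showing typical rogue behaviour.
    "new_rogue": FileFacts("a-fast.exe", NOW - timedelta(hours=2), 3,
                           {"fake_scan_ui", "disable_security_center", "autorun_registry"}),
    # The same kind of sample four days and 250 installs later, with nothing suspicious
    # recorded yet: age/popularity alone no longer carries it over the line.
    "aged_rogue": FileFacts("a-fast.exe", NOW - timedelta(days=4), 250,
                            {"outbound_http_unknown"}),
}


def compare(level: str = "normal") -> dict:
    """Return {sample: (age_only_verdict, weighted_verdict)} for one heuristic level."""
    return {name: (age_only_verdict(f), verdict(f, level)) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for lvl in THRESHOLDS:
        print(lvl, compare(lvl))
```

With these assumed weights the fresh build scores 55: allowed at Normal (threshold 60) but blocked at Maximum (threshold 40), which is exactly the kind of "false positive on Maximum" complaint described above; the naive age rule blocks it at any level. The fresh rogue scores well above either threshold because of its behaviour tags, while the aged, widely installed sample with no recorded behaviour scores only 10 and is allowed, so evidence of behaviour has to come from somewhere other than age and install count once a file has spread.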
  23. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I see. :)
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
  25. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Thought I read something about a behaviour blocker against rogue AV somewhere. :shifty:
     