Prevx as an anti-executable

I lift this here:

Doesn't Prevx with age/population heuristics set to "maximum" give a very nice replacement for Processguard/AE as an anti-executable?

It's at least very convenient to use: the number of unnecessary alarms with setting age/population heuristics as "high" has been very small for me.

Is prevx used by this way for some reason less secure than Processguard/AE?

 

I would think so- if your internet connection is distrupted or you are offline for example... a "proper" AE would still block unknown executables, however I am not sure what prevx would do as it doesn't have the latest data on age/spread at the time when you are offline.

 

If I am off line, I aint using my computer.

 

Try Returnil's anti-execute function as a replacement. It monitors for driver loading as well.

 

Shouldn't Prevx stop also loading of unknown drivers?

 

Yes, we block the loading of drivers/executables/modules/etc. - however, a note on the topic: maximum settings won't be quite as "secure" as an antiexecutable solution if your goal is really to block everything. Even at the maximum level, Prevx won't warn on EVERY program - heuristics and rules are still applied which make it imperfect but everything in security is a balance. I personally don't agree with antiexecutable systems just because of the large technical sophistication required to actually make informed decisions, but that's another topic

 

What is the probability to execute malware if I set age and population heuristics as

a)high
b) maximum

I guess it is in both cases very small. Of course, when I'm warned, I still have to decide what to do. Allow or not.

 

I don't follow you.

I would think there are 2 seperate senarios here.

1) Your are browsing internet and get warning. In AE v2 that is a definate block ( in fact you have no option to allow it ).

2) Your are installing something. In AE v2 you have to disable AE to do this. Therefore I always test a program before I install it, with a high hueristics AV locally, online scanner .
If I'm really unsure of it , I take a backup.
Then check what is happening afterwards on my PC.

There are lots of other ways to do 2) , but for 1) AE will block a lot of real-world threats.
Update to date software & browser will catch most of the rest.

 

In Prevx too "deny" is the answer here.

Here I just start installing. Prevx will then tell me (with age and population heuristics) whether it is potential malware file. Only here I have to to decide what to do. Allow or not.

 

Ako,

There is a less intrusive combo to create using DefenseWall in combination with PrevX looking at the most recent files with the highest settings. When you trust a program and install it, PrevX will scrutinise its behavior and fingerprint (like you outlined).

 

Indeed! Thats my favourite combo: Prevx+DW.

 

Ako,

Thx for your long list of security aps, it made me try out Trust-No-Exe again, a anti executable filter addition to XP.

 

You are welcome!

By the way, you have given many interesting hints in your various set-ups.

 

Excellent clarification here!

The term "Anti-execute" is thrown around so much that it means different things to different people. The user needs to define what she/he wants in such a program. Without that, its use invites unwarranted criticism from those who have a different idea in mind as to what anti-execute means.

When I set up a home system for a family, for example, I want something that will Deny by Default any attempt to download/install a program or software (an executable) without the permission of the Administrator/Owner/Parent. This falls into Joey's first scenario.

Consider these three screenshots of an alert in a drive-by download test I set up last year (real malware here!):

ProcessGuard


Software Restriction Policies


Faronics Anti-Executable v.2​

SRP and AE are Default-Deny: the user cannot proceed to download/install w/o getting permission. This is as it should be, for in this case, the user did not go looking for this file, so there is no reason to permit it.

I have never seen any problems or conflicts with this approach. It is bullet proof protection in the scenarios that it was set up to protect.

If Prevx offers this type of default-deny protection, then it is certainly a product worth considering for this scenario!

In the other scenario, as Joey points out, if the user wants to download a program, then permission can be granted and the protection turned off. At this step, this type of anti-execution protection is out of the picture.

Other means of determining whether the file to install is good or bad are available for that, ranging from one's own sense, -- trusting the source of the download/purchase, etc, -- to scanning.

Neither is 100% reliable, so I've never understood what the fuss is all about. You trust your judgment, or you trust your scanner. You choose the method that gives you the best peace of mind and comfort.

----
rich

 

Here is an off-line scenario for which I require Default Deny protection on a family computer.

Youngster in the family receives an email with attachment. Knows that opening is a No-No, but it claims to be a picture of Osama bin Laden...

Closes email, goes off-line, decides to open the file. A picture can't hurt anything, right?

​

http://www.f-secure.com/weblog/archives/archive-062005.html

Here, only the parent can open/run/install any executable not already on the computer.​

----
rich

 

Could someone expand on what age and population heuristics are ?

Sounds interesting
Is it if a piece of software has been released recently ?
Is it if a piece of software has a large install base ?

 

Yes and yes These heuristics will come close to an anti-executable solution if you set them on maximum, but they still aren't 100% anti-executable.

To respond to your post, ako: the chance of malware slipping through on maximum settings is very low, but if you really want an anti-executable solution, I think it would be best to use an anti-executable alongside Prevx 3.0 so that you get the initial block as well as a more accurate detection of if the file is malicious in the event that you clicked Allow on malware.

 

Thanks for answering. I'm quite confident now, that Prevx gives almost the protection of an anti-exe without its defects (many hard-to-answer pop-ups are a problem with PG and AE 3.x, e.g. This might not quite be the case with AE 2.x, though.) I will keep the setting "high" which seems an optimal choice: high security with minimal number of pop-ups.