Prevx bypassed!

Discussion in 'Prevx Releases' started by CloneRanger, Aug 4, 2010.

Thread Status:
Not open for further replies.
  1. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    It's great that Prevx cares so much about us users! Too bad most other vendors can't be this way! :thumb:

    TH
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thank you :)

    Also, we've added the additional protection now to cover all cases similar to the current bypass technique. I'm not sure if we're going to be releasing it completely today (just because we don't want to end up being detected by AVs for frequent releases, as they tend to do against us :D) but if anyone wants to try it, send me a PM :)
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ PrevxHelp

    Well the interesting thing is, on my comp Prevx didn't restart itself automatically, because it never shut down :D

    PW working consistently now, but I'll be keeping my eyes on it. Strange why that kept happening.

    It's sort of funny, because EP_X0FF has for years complained about the dangers of apps hooking, and not to :p

    Oh, only a rumor, didn't know that, but I do now :D

    I think he's interested in both, but I don't believe he's one of the baddies, even if he knows "several" of them, whether directly and/or indirectly, and/or used to.

    Now you tell us :D

    :thumb:

    As you must be aware, quite a number of malware, such as Fake AVs for example, do try and shut down apps, and even sometimes delete them :eek: Obviously they do it to try and prevent themselves from detection/removal, so I can understand it.

    Be interesting to see how the new "additional protection" stacks up ;)
     
  4. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Good point, as I tested about 6 months ago with some AV rogues when I had NOD32 and Prevx running, and it shut down NOD32 at the time and also would not let me run MBAM or SAS On-Demand! But it did not shut down Prevx!

    TH
     
  5. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    @CloneRanger

    Is the self-protection level perhaps set to the highest on your PC?
    It's also my question to PrevxHelp: how does Prevx react when the self-protection is on maximum?

    So we can all learn: working as a restricted user is the right method :)
     
  6. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Sadly, I think the rogue AVs are mostly designed to kill the most common antimalware applications, and I don't think Prevx is one of the most common.

    Nevertheless, that is an excellent thing for us avid Prevx fans. And I'd like to see someone kill Prevx when running in a Win 7 x64 environment (even when running as administrator). I would bet my left hand that it'd be really, really hard and next to impossible. However, I still think UnPrevx is doing a great thing, even when doing it on a nearly 9-year-old OS (which is also kind of lame at the same time).
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Well, I know we aren't a Symantec or a McAfee, but we signed on 8 million users in the last ~2 weeks so I'd tend to say we're a big enough threat to the malware authors ;)

    http://www.prnewswire.com/news-rele...-the-fight-against-online-fraud-99457029.html

    http://www.prnewswire.com/news-rele...e-head-on-with-prevx-safeonline-99004009.html
     
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Oh, the key words in what I meant to say were 'one of the big', and by that I mean the big, classic vendors you mentioned. :) However, we're yet to see someone kill Prevx on Win 7 x64 and not on some 9-year-old OS which by design was flawed when it comes to security.
     
  9. cgeek

    cgeek Registered Member

    Joined:
    Mar 31, 2010
    Posts:
    328
    Thank you Prevx for addressing this issue in a prompt manner! :thumb:
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Triple Helix

    Did you test both POCs?

    Here are both the SP and H settings I have on my comp

    [screenshots attached: sp.gif, h.gif]

    As for restricted users, it's not for me ;)

    @ PrevxHelp

    8 million users in the last ~2 weeks

    Wow, that's incredible. Bet you wish they were ALL payers :D
     
  11. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I don't understand and when? More info please ;)

    TH
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    So I asked:

    Meaning the recent UnPrevx POCs, before and after the fixes?
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Hello,

    Slightly modified, this method will work against Dr.Web (Platinum self-protection award).
    What about everything else? I doubt this can kill all of them or most. However, this does not mean they have perfect self-protection; no, you just need to use other methods or a combination of them.

    Regards.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Edit:
    Oh yes, I see, the guys seem to have updated it. It was designed for the 179 build and currently they have 185.
    He will update the killer.
    Ring0 - the source of inspiration
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Prevx3 185 build successfully terminated from pure user mode by UnPrevx with just a small addition. Updated version will be posted soon.

    In the 185 build, compiled 3 August 2010, they used a "dirty fix": in fact they simply denied termination of the Prevx application even through a valid/full-rights handle.
    And as always the hooked functions return crap instead of the real status code. "Very professional" lol.

    Done, should work with the 185 build; it will probably be fixed by Prevx in the near future.

    The Prevx boys should be thanking you EP for making their software stronger, but I'll bet they won't. You actually helped Kaspersky out too with their buggy klif.sys. They owe you their thanks as well.

    Most anti-virus software developers never want to write effective code, and actually they don't want to learn!
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    jmonge: I'm not entirely sure what your posts are referring to, but we have already answered the new builds and information on the "bypasses" previously :)

    Prevx 3.0.5.187 and 3.0.5.188 both successfully circumvent any attacks (.187 is currently the public version but .188 is available if anyone desires to use it, although it is unnecessary as the service/user processes will automatically restart even if they are terminated).

    Let me know if you have any questions :)
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Will Prevx be updated against this type of attack? As I can see, they tried to also update their killer :) That is what I mean :D
     
  18. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    1. The test I did was six months ago with Fake AVs, and Prevx was the only thing that would work, and it was on Win 7!

    2. I didn't test against the UnPrevx POCs, as the ones I had Prevx already detected, and I didn't let it bypass; plus I'm on Win 7! ;)

    TH
     
    Last edited: Aug 7, 2010
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    If it needs to be, they will; as always they are fast to act on issues like these! But Joe already said that if the Prevx services are terminated they will restart; they fixed it in .187 and .188!

    HTH,

    TH
     
  20. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    As previously stated, I'd like to see UnPrevx happen on Win 7 x64. Not on some stone-age OS which IMO nobody should care about.

    Great job by the author of it though.
     
  21. hosts

    hosts Registered Member

    Joined:
    Aug 7, 2010
    Posts:
    7
    Prevx's child's play continues!

    This confirms that there is a real problem:

    Three versions in three days, but the problem is not resolved. "Very professional" lol

    ~ Image removed ~
     
    Last edited by a moderator: Aug 7, 2010
  22. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Does UnPrevx still prevent Prevx from restarting? But still... it's on an outdated OS which is flawed by default.
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Triple Helix

    OK :thumb: So you're on the new-fangled W7 OS, not a
    like me, hi shadek :p

    A new member hosts, with English as not their first language, I wonder who it "could" be :D Yes the POC worked, but at least Prevx didn't sit around for weeks/months before doing something, unlike most other vendors do/would :D So they deserve a big :thumb: for that.
     
  24. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Of Yoda sockpuppet it maybe is?
     
  25. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    I'm in the iron age :D but still safe as Fort Knox.
     