Prevx bypassed !

Discussion in 'Prevx Releases' started by CloneRanger, Aug 4, 2010.

Thread Status:
Not open for further replies.
  1. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    289
    Yes, it has been booooring for quite some time now. Why it has not been locked by now is a mystery to me. :blink:
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Ring0

    Thanks for the PW, they have several on there, so it looks like the one I used earlier was incorrect after all :( Strange that it successfully unzipped into what it did, as the first attempt only produced a zero-byte file?

    Prevx v.187 detected the static file. Stopped Prevx from monitoring for 15 minutes, disabled PEG and enabled SD, then went ahead with the test.

    [screenshots: prop.gif, b1.gif, z1.gif]

    Allowed it

    [screenshot: pg1.gif]

    So put PG in learning mode

    [screenshot: unw.gif]

    Didn't work!

    Maybe it only works on v.188? Possibly others can test it as above on v.188 and see what happens with their defences, or not ;)

    Some people might think these PoCs are cat and mouse games, but actually I believe they are credible. Why? Because just detecting these, and similar, by file name and the like, is not real interjection/detection/prevention. Yes, they get blocked by this method, but remember these PoCs are designed to show/prove what can be done to disable products. If they were incorporated into REAL malware, then your AV etc. would need to proactively recognise the attack vector by heuristics etc., and interject if it didn't have the definitions for it yet.

    How many AVs would? As you can see from this test, several of my other apps jumped in to prevent the attack :thumb:

    Better to have someone providing PoCs like this so vendors can "hopefully" improve their products, and they are not only relevant to Prevx, as these vectors are applicable to all AVs, apparently :eek: So I see it as very worthwhile, because if these were real malware targeting most people's AVs out there, then poof goes their protection, with all that it implies :eek:
     
  3. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    McAfee 8.7i Artemis Cloud instantly deleted the file as soon as it hit the desktop.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  5. Ring0

    Ring0 Registered Member

    Joined:
    Aug 9, 2010
    Posts:
    66
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Did you try it against HIPS programs such as DefenseWall? Thanks for testing :thumb:
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Ring0

    Yeah, I've seen it listed there, but I'm not a member, and as you must know that means NO DL :p

    [screenshot: not.gif]

    If you, or someone provided a working link that's available then more of us could test it/them ;)

    @ jmonge

    I only tested it/them with the apps I have, and already shown in this and the previous PoCs

    :thumb:

    Have you tested it/them, and if so, with what?
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Update

    Managed to get the latest PoC and tested it in exactly the same way. Got exactly the same results = didn't work :D
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Didn't work? o_O Did you get to test DefenseWall? Thanks for testing :D
     
  11. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Hi,

    we are investigating this issue and we are going to fix it. Actually, it is very funny reading how these childish attempts to break security software keep going on, even from a "supposed to be" good guy, working in the same field as us.

    He never contacted us, and you can read that by yourself on his blogs - he never contacted any security company to help them fix the issues he is finding. He is just interested in showing everyone how cool he is, by insulting everyone else.

    By the way, every attack he ran against us needed administrative privileges. When you have administrative privileges, what else do you need? Even Microsoft KPP was supposed to be a strong self-defense against kernel patching. Truth is that it has been bypassed, as every self-protection has, because you are working at the same privilege level as the security routines.

    So, no matter what we are going to do, he will always find a way to kill us because he's working at the same level as us. This is not a surprise, not least because his anti-rootkit is prone to the same problem too. If you have administrative privileges, you can do what you want - from user mode or kernel mode, it doesn't matter. Just load a driver and kill every security application - it is very easy, just a few quick steps. A very different story is if you are running from a limited account and/or an admin account protected by UAC.

    So, we are very happy if people want to help us improve our technology; we will collaborate with these guys. As you have seen, we always monitor our customers' thoughts and wish lists, and we appreciate a lot (and we thank him) what this security researcher is doing, helping us fix vulnerabilities. What we don't like, and what really shouldn't be part of a security professional, is insulting people.

    Regards
     
    Last edited: Aug 15, 2010
  12. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    This is exactly why I use a limited user account. But at the moment there are still problems for such users since Prevx autoupdate does not work for them. Please fix it soon. :)

    PS. I'm not sure UAC offers any extra security over LUA. AFAIK it just provides a way to get some admin privileges if you know the password. It probably lowers security if anything.
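The distinction EraserHW and pling_man draw above (full administrator vs. an admin account behind UAC vs. a limited user) is what decides whether a "load a driver and kill the product" PoC is even in scope, so it is worth checking on the box before running one. The PowerShell function below is an added example written for this page; it is not Prevx's code and not from either poster. It relies only on the built-in whoami.exe output and .NET's WindowsIdentity, and the function name Get-TokenPosture is invented here.

```powershell
# Added example (not Prevx's code): classify the current token as limited
# user, UAC-filtered administrator, or full (elevated) administrator, and
# report whether it carries SeLoadDriverPrivilege, the privilege a
# "just load a driver" attack on a security product depends on.
function Get-TokenPosture {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # True only when BUILTIN\Administrators is *enabled* in the token: an
    # elevated process, or an admin account with UAC switched off.
    $elevated = $principal.IsInRole($adminRole)

    # whoami /groups lists every group SID in the token with its attributes.
    # Under UAC the non-elevated admin token still contains S-1-5-32-544,
    # but marked "Group used for deny only"; that marking is the tell-tale
    # of a filtered admin token.
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $adminEntry = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $filteredAdmin = ($null -ne $adminEntry) -and
                     ($adminEntry.Attributes -match 'deny only')

    # whoami /priv lists privileges present in the token, enabled or not.
    # A filtered token or a limited user has a handful; the elevated admin
    # token carries SeLoadDriverPrivilege (among others).
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $canLoadDriver = [bool]($privs |
        Where-Object { $_.'Privilege Name' -eq 'SeLoadDriverPrivilege' })

    # Integrity level shows up as a "Mandatory Label\..." group (S-1-16-*).
    $integrity = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'

    $posture = if ($elevated)          { 'Full administrator (elevated)' }
               elseif ($filteredAdmin) { 'Administrator, UAC-filtered token' }
               else                    { 'Limited user' }

    [pscustomobject]@{
        User                  = $id.Name
        Posture               = $posture
        IntegrityLevel        = $integrity
        SeLoadDriverPrivilege = $canLoadDriver
    }
}

Get-TokenPosture
```

Run it once from a normal prompt and once from a "Run as administrator" prompt on the same admin account: the first report is the UAC-filtered case (Administrators present but deny-only, medium integrity, no SeLoadDriverPrivilege), the second is the full-admin case the thread's PoCs require. A limited user shows no Administrators entry at all. Note that a present-but-disabled privilege is still a yes here, since an elevated process can enable it with AdjustTokenPrivileges at will.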
     
  13. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I think everyone here can see what sort of person he is. Talented, sure, but also a sandwich short of a picnic, as they say.
     
  14. jmc777

    jmc777 Registered Member

    Joined:
    Aug 6, 2004
    Posts:
    244
    Did you guys contact Microsoft about the now infamous 'Black Screen of Death' issue before going public with it?
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, but that wasn't a vulnerability - more so an oddity caused by malware :)
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Typical example of comparing apples with pears .... BSOD had nothing to do with responsible disclosure of vulnerability issues. The game played is just childish and unprofessional. For sure it does not help build up a reputation and consideration in the security community. Probably he is just happy having the support of 'un-aware' masses :thumbd:
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We've been testing this internally and have still not been able to get it to work... has anyone here actually been able to terminate Prevx with it?

    As Marco said above, he's using a rather useless approach still. We'll probably end up closing this thread soon as it has continued down the path of trying to kill an AV with full administrative rights, which give it equivalent strength to actually low-level format the hard disk from within the OS, also killing Prevx :p

    Prevx's self protection has to work alongside every other AV's self protection and protection - in the first releases of Prevx, we had self protection set to Minimum intentionally so that we would be compatible with other AVs. The attacks that EP_X0FF has been using are not used by malware in the wild and frankly are wasting his time as well as ours.

    We are of course interested in fixing any actual issue but if we go too far down the path of locking specific aspects of this down, we will end up breaking compatibility. Then, someone will suggest that we detect if an AV is installed and only then start the compatibility mode, to which EP_X0FF will register a fake AV into the security center and terminate us :p

    This is an endless cycle - if you have any semi-intelligent low-level developer sit in front of any AV/security product/etc. for probably less than 30 minutes, you can break past it (not only signatures, but self protection, realtime protection, etc).

    I'll leave this thread intact for now but the public opinion does seem to be swaying towards this becoming boring, and I agree :) One of his next PoCs is going to be: "Install Prevx, go to a hardware store, buy a hammer, destroy PC... Prevx is disabled" :D On the software-side, that's effectively what he's doing with the latest PoCs as well :)
     
  18. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I agree and well said Joe and Marco!!

    TH
     
  19. jmc777

    jmc777 Registered Member

    Joined:
    Aug 6, 2004
    Posts:
    244
    "Yes" you did contact Microsoft before going public, or was that a dismissive "Yes"? :D

    I know, but that's not the point I'm getting at. This guy's going public with a flaw in your software, and EraserHW had a pop at him for failing to contact Prevx first (and I side with EraserHW on that). Prevx thought it had discovered a flaw with some Microsoft software and went public with it — if you didn't contact Microsoft before Mel Morris (Edit: wrong name: David Kennerley) went public then that would make me think of that saying about the pot and the kettle.

    I know that, I'm just running a quick 'Hypocrisy scan'.


    I agree with this.
     
    Last edited: Aug 15, 2010
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes we did (non-dismissive :D), but this is a completely different scenario - the black screen was a software bug and not a potential security issue. Security issues, for the safety of the public, are always required to be reported privately first and then the affected company fixes the issue and gives the reporter credit for it. In our case with EP_X0FF, however, he is taking a completely unprofessional route which will likely end up smearing his credibility.

    I've used RkU in the past but personally I would never touch it again knowing how "black hat" his tactics are. I should have known this prior but I hadn't seen his posts about Dr. Web's self protection - anyone releasing "exploits" in this type of unprofessional manner shouldn't be trusted with then securing the PCs they're compromising...
     
  21. jmc777

    jmc777 Registered Member

    Joined:
    Aug 6, 2004
    Posts:
    244
    Irrespective of whether it's a security flaw, or a 'bug', the person(s) who discovered it should get in touch with the vendor — giving them a chance to fix it — rather than seeking cheap publicity, fame, infamy, fortune, or whatever. That's why I asked my original question, because blogs — including the Microsoft Security Response Center blog — suggest that Prevx didn't.
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm not going to rehash the story but the media and many of the parties involved completely misinterpreted the story and what was said between us - it is not worth further discussion and not relevant to this thread :)
     
  23. Ring0

    Ring0 Registered Member

    Joined:
    Aug 9, 2010
    Posts:
    66
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
  25. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Why don't you just close this thread? You're only giving fuel to that guy by making this saga continue.
    Haven't tried his tool, but as I can see it doesn't work.

    Just some advice ...
     