PrevX under scrutiny.

Discussion in 'other anti-malware software' started by Longboard, Oct 11, 2006.

Thread Status:
Not open for further replies.
  1. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I have now re-evaluated my view on leaktests (and other malware testing tools). They are made to test firewalls with HIPS functionality (or regular HIPS if you want), but Prevx1 never claimed to be a HIPS AFAIK.

    Personally I won't complain about Prevx1 not doing what it claims until I see proof of it. If it does, I will let everyone interested know about it :)
    Sure, it requires a bit of trust, but when you think of it, you put your trust into every HIPS (even though Prevx1 shouldn't be considered a HIPS). PG, Tiny Personal Firewall, Ghost Security Suite, SSM and so on - they all do their job until they fail. You put your trust into them. For me personally so far, all of the above-mentioned programs have proved to me nothing else than that they block leaktests, nothing more really, since I have not encountered any real malware. Well, they have educated me in the inner workings of Windows of course. :) and for that purpose HIPS are great.

    So it all boils down to how much control you want to have. I have learned, after a couple of years living with HIPS, that I don't need all the control (and hassle) a HIPS gives you. I have chosen to let Prevx1 do the control for me. I understand if others want the full control, but Prevx1 was never aimed at them anyway AFAIK.
     
  2. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    But how could you know if you are truly clean?
    Is it because your security products don't prompt for malware and your computer seems to run well?

    A trojan or keylogger or backdoor would not tell you they have infected your computer, and they won't ruin your computer like a virus does. Even worse, if you get a customised/personalised trojan, it may be able to bypass all AV/AT detections for years.
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    First of all, I browse with Firefox with NoScript and Java turned off (what is it for anyway?). I rarely click on attachments (they never contain anything that interests me anyway); if I do, GesWall is supposed to take care of it. Or maybe I do it in Sandboxie.

    I am sure GSS would have told me if it tried to install itself (registry and certain folders), then GSS would have alerted me when the keylogger wanted to hook itself, and my firewall would have warned me when the trojan wanted out on the net.
    I do online scans now and then to see if my AV missed something in its scans. I even do one or two antispyware scans every year just to be sure :)
    I check all my connections to the net with Port Explorer often. I have rootkit detection software that I run now and then. In Process Explorer it is easy to see if there is something that shouldn't be there, even if something against all odds has hooked itself to a legitimate process (provided you have the knowledge, and I'd like to believe I have by now).
    But, yes, when doing computing (especially as admin) one has the chance of being on the border of sickly paranoid if one wants, but as I said it is hard to get infected even without all the defenses I have used; as long as one uses just a bit of common sense you are a hard target IMO. But as I said, I have never had any use for the stuff mentioned above; they have never warned me about anything malicious (that I didn't know of when testing with testing tools).

    But now I have dropped GSS and let Prevx1 prove itself. If it fails me, tuff sh*t, but that was my approach with all the HIPS too :) but computing is so much simpler now :)
    I know that my views above are a bit like swearing in church here at Wilders ;) but one has to learn from experience sometime.
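The post above describes a manual routine of looking over every network connection in a tool such as Port Explorer and asking whether each program has any business being on the net. The script below is an added example (not from the thread, and not Port Explorer's or Prevx's code) that does the same review over a constructed, netstat-style snapshot: connections are compared against an allowlist of programs and the remote ports each is expected to use, unexpected listeners are flagged, and loopback connections are ignored because they never leave the machine. All process names, addresses and ports in the snapshot are made up for illustration.

```python
"""Review a network-connection snapshot against an allowlist of expected programs.

Added example. The snapshot format (five whitespace-separated columns) is a
simplification constructed for this demo; real netstat/Port Explorer output
differs in layout, so the parser would need adapting to a real tool.
"""
from dataclasses import dataclass

# Hypothetical allowlist for one workstation: program -> remote ports it may use.
EXPECTED = {
    "firefox.exe": {80, 443},
    "thunderbird.exe": {587, 993},
    "svchost.exe": {53, 80, 443},
}

# Constructed snapshot: Proto, local endpoint, remote endpoint, state, process.
SNAPSHOT = """
Proto  Local Address      Foreign Address    State        Process
TCP    192.168.1.5:49152  203.0.113.10:443   ESTABLISHED  firefox.exe
TCP    192.168.1.5:49153  203.0.113.22:6667  ESTABLISHED  svchost.exe
TCP    192.168.1.5:49154  198.51.100.7:443   ESTABLISHED  updater.exe
TCP    0.0.0.0:5555       0.0.0.0:0          LISTENING    winlogin.exe
TCP    127.0.0.1:49155    127.0.0.1:49156    ESTABLISHED  firefox.exe
UDP    192.168.1.5:53     *:*                -            svchost.exe
"""


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    process: str


def parse_snapshot(text: str) -> list[Conn]:
    """Parse the five-column snapshot; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("TCP", "UDP"):
            continue
        conns.append(Conn(*parts))
    return conns


def port_of(endpoint: str) -> int:
    """'203.0.113.10:443' -> 443 (also works for '*:*' callers that check first)."""
    return int(endpoint.rsplit(":", 1)[1])


def is_loopback(endpoint: str) -> bool:
    return endpoint.startswith("127.") or endpoint.startswith("[::1]")


def review(conns: list[Conn]) -> list[tuple[str, Conn]]:
    """Return (finding, connection) pairs for anything outside the allowlist."""
    findings = []
    for c in conns:
        if c.state == "LISTENING" and c.process not in EXPECTED:
            # A program you do not expect is waiting for inbound connections.
            findings.append(("unexpected listener", c))
        elif c.state == "ESTABLISHED":
            if is_loopback(c.remote):
                continue  # local IPC between two of your own processes
            allowed = EXPECTED.get(c.process)
            if allowed is None:
                findings.append(("unknown process on network", c))
            elif port_of(c.remote) not in allowed:
                # Known program, but talking on a port it never normally uses.
                findings.append(("unusual remote port", c))
    return findings


if __name__ == "__main__":
    for kind, conn in review(parse_snapshot(SNAPSHOT)):
        print(f"{kind:28s} {conn.process:14s} {conn.local} -> {conn.remote} [{conn.state}]")
```

The review is only as good as the allowlist: the point of the routine in the post is that you know which of your programs should be talking, so the allowlist is the thing to keep current, and a "known" process name on an odd port deserves the same look as an unknown one.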
     
  4. austin1257

    austin1257 Infrequent Poster

    Joined:
    Sep 24, 2006
    Posts:
    31
    Hmm, how come it put a * in your bad word, but not in the Inspectors? Could it be a bug? :oops:

    Bleep
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's on purpose.
     
  6. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @sukarof
    That is a well reasoned POV :thumb:

    I don't really expect any software to get all malware either.
    Every utility we have will fail some test, cf. gkweb's tests.

    I was looking at the firewall leak tests as a very simple, safe-to-me and well known set of exploits. I am coming to understand the PX mode d'emploi a bit better as I go along.

    http://forum.sysinternals.com/forum_posts.asp?TID=7003&PN=0&TPN=72
    that is "kareldjag" posting

    Edit: not sure which version of PX he was testing
     
    Last edited: Oct 20, 2006
  7. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    You can get infected simply by visiting a website and doing nothing.
    While Firefox is safer than IE, we don't know whether the malware writer may exploit any unknown vulnerability in Firefox (there must be some, as always in every program).

    Turning off scripts or JavaScript or Java further lowers your chance of getting infected by visiting a webpage, or being redirected to a malicious page.

    But then you may lose some user experience, functionality or any fancy-looking decoration offered by the website.

    Doing it in Sandboxie means any change made from your browser is discarded (unless the malware manages to break through its protection). You may specify what to save afterwards (eg bookmarks, history, cookies).

    That sounds like a reliable check, although it is still far from 100% reliable.
    Good job! :thumb: :thumb:

    Just to remind you in case you don't realise.
    You don't need to install anything to get infected. There are other ways you can get infected:
    - you may open any seemingly harmless file type like a text file or image, but get infected. The file type may even be genuine like *.txt, *.jpg
    - you visit a malicious webpage, or you are being redirected to a malicious webpage unknowingly while you are browsing legitimate websites (but since you use Firefox, you are much safer)
    - this is probably the most scary part: the only pre-requisite of getting infected is to connect to the Internet (or any external sources like infected CDs), nothing more, nothing less. You don't need to do anything else. Imagine if a malware writer manages to find holes in your operating system; depending on that vulnerability, it may be able to execute files directly without your permission.
    - if you are infected by a rootkit at the same time, you may never be able to detect it since it can (nearly) completely hide itself, since it can alter the communications between your operating system and you. Imagine it instructs the operating system to lie that there's no such program (it is malicious) to your security programs; they couldn't find it out even if they can detect it.
    - The only safe way to detect a rootkit or the like is to search the system from outside the system itself. You may boot it and scan from another clean operating system, or a CD etc.
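The last point above is the cross-view idea behind offline rootkit scanning: a rootkit that hooks the running OS can make files vanish from any listing that asks that OS, but it cannot touch a listing taken while the same disk is mounted from a clean boot CD, so the difference between the two views is what was being hidden. The script below is an added example (not from the thread, and not any product's code) that compares two such listings and classifies each discrepancy. Both listings, the paths in them and the "hashes" (computed from labels rather than real file bytes) are constructed for illustration; on a real system they would come from a listing made inside Windows and one made after booting clean media.

```python
"""Cross-view comparison of a 'live' (in-OS) and an 'offline' (clean boot) file listing.

Added example. Listing format: one 'path<TAB>size<TAB>sha256' line per file;
lines starting with '#' are comments. All sample data is constructed.
"""
import hashlib


def _h(label: str) -> str:
    """Stand-in for hashing a file's bytes: hashes a label so the sample stays self-consistent."""
    return hashlib.sha256(label.encode()).hexdigest()


def _row(path: str, size: int, label: str) -> str:
    return "\t".join([path, str(size), _h(label)])


# Constructed: what the running (possibly hooked) OS reports.
LIVE_VIEW = "\n".join([
    "# path\tsize\tsha256   (constructed live view)",
    _row(r"C:\Windows\System32\kernel32.dll", 1000, "kernel32 bytes"),
    _row(r"C:\Windows\System32\ntdll.dll", 2000, "ntdll bytes as served to the live OS"),
    _row(r"C:\Users\me\notes.txt", 12, "notes bytes"),
    _row(r"C:\Windows\Temp\cache.tmp", 40, "cache bytes"),
])

# Constructed: the same disk listed after booting clean media.
OFFLINE_VIEW = "\n".join([
    "# path\tsize\tsha256   (constructed offline view)",
    _row(r"C:\Windows\System32\kernel32.dll", 1000, "kernel32 bytes"),
    _row(r"C:\Windows\System32\ntdll.dll", 2000, "ntdll bytes actually on disk"),
    _row(r"C:\Windows\System32\drivers\netfilt.sys", 8192, "driver bytes"),
    _row(r"C:\Users\me\notes.txt", 12, "notes bytes"),
])


def parse_listing(text: str) -> dict[str, tuple[int, str]]:
    """Map lower-cased path -> (size, sha256). Windows paths are case-insensitive."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, size, digest = line.split("\t")
        entries[path.lower()] = (int(size), digest)
    return entries


def cross_view(live: dict, offline: dict) -> list[tuple[str, str]]:
    """Classify every discrepancy between the two views.

    hidden   : on disk but absent from the live view -> something in the running OS conceals it
    tampered : present in both, but size/hash differ -> the live OS serves different bytes than
               are on disk (or the file changed between snapshots; repeat to rule that out)
    ghost    : in the live view only -> usually created after the offline snapshot; still worth a look
    """
    findings = []
    for path, meta in offline.items():
        if path not in live:
            findings.append(("hidden", path))
        elif live[path] != meta:
            findings.append(("tampered", path))
    for path in live:
        if path not in offline:
            findings.append(("ghost", path))
    return sorted(findings)


if __name__ == "__main__":
    for kind, path in cross_view(parse_listing(LIVE_VIEW), parse_listing(OFFLINE_VIEW)):
        print(f"{kind:9s} {path}")
```

Two practical caveats follow from the classification: "tampered" and "ghost" entries are noisy on a system that kept running between the two snapshots (logs, temp files, updates), so the offline listing should be taken immediately after the live one; "hidden" entries are the ones that have no benign explanation and deserve attention first.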
     
  8. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I have noticed the same thing as that poster finds.
    The detection of anti-virus programs is still stronger than Prevx1.
    After all, if you pick up Prevx1, don't run it exclusively. Use it along with other security products. There are already several tests out there that pointed out the weaknesses of Prevx1.
     
  9. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Well if "truly clean" means 100% certainty, I guess even if you ran a million scanners you wouldn't know that either.

    But how could you know if you are truly clean?
    Is it because your security scanners don't find malware and your computer seems to run well?
     
  10. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @Devil's advocate
    I'm sorry I completely missed your post #39
    That was interesting tooling around.
    Wish I could do that. Rather than just pushing a POV and sometimes inane questions. :cool:
    Did you run the same altered packages against any other utilities?

    Everywhere I read, various experts opine that all software companies (heh esp MS) need to get outsiders to challenge their utilities and find the holes: pen testing if you like: because the developers themselves may have lost perspective.

    Prevx seems to represent some unique difficulties wrt testing.

    Regards.
     
  11. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Interesting test DA. What everyone is talking about is how Prevx1 fails tests (not just on this board), but what I haven't seen yet is anyone complaining about Prevx1 letting real malware go unnoticed (someone really gets infected and Prevx1 didn't protect them, so the malware can do all it is intended for). Has that happened? Once, constantly?
    That would be even more interesting.
    I understand they have problems with Gromozon's changing versions (they find a cure but then the bad guys change it); anything else?
     
  12. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @sukarof
    Good point. How might some users know?
    Certainly can't complain about PX making an effort, and that's just half of it lol.
     

    Attached Files:

  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Prevx1 is good, but I still think the sandbox approach is the most secure.
     
  14. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    881
    Location:
    Virginia, USA
    Maybe. Or possibly something like DeepFreeze.

    It's the side effects.

    I don't like having to do cartwheels (in a cyber sense) to get updates and download things...
     
  15. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    I agree about the cartwheels. That is why I have DefenceWall. If I am going to a site I'm not sure of, I turn on DW and go in untrusted and I am protected.
     
  16. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    That used to be my complaint with GreenBorder, but now that Firefox is added, it's a moot point. It allows you to specify which browser to use as default. So surfing is done with Firefox and GreenBorder, and updates with IE.
     
  17. austin1257

    austin1257 Infrequent Poster

    Joined:
    Sep 24, 2006
    Posts:
    31
    So is this good or bad based on your findings? Sorry, just trying to understand.
     
  18. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Hard to say, but it does give you a sense of the material that is filtered and/or examined in some way. It's how they put it all together that matters.

    Blue
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Why not to run the browser always untrusted?
     
  21. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Another option is Virtualization (eg VMWare).
     
  22. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    One question.

    If you do Windows updates with Greenborder on, won't it be true that any patches/changes made will be trashed/reversed?

    So we still need to use unsandboxed IE to do that update.
     
  23. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @?
    Not sure: just showing that PX is really "setting some hooks", hopefully to catch the fishes (that screeny was half the full list from Rootkit Hook Analyser).
    @BlueZannetti
    Yes: exactly.

    Apart from getting some warnings, has anyone seen PX catch a fish?
    Sukarof's demo of the DFK simulator was impressive, but apart from that, anybody else?
     
  24. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Well one thing I notice is that people tend to blame their antiviruses more than their other security tools such as HIPS. Perhaps this is because what their HIPS actually claim to do is not really understood; how many times have you seen someone complain "HIPS X failed test Y" and the vendor responds "But my product is not meant to stop that"?

    I think with real malware it is somewhat similar: people tend to blame their antiviruses first, and less their fallback tools (which HIPS are typically considered to be).

    And there is always the good old, "The HIPS protected you, by prompting when you clicked to run it, but you ignored the warning and ran it"...... (or what I call the execution-control-is-GOD camp)

    Never mind if the HIPS claimed to be able to protect your processes from all types of termination attacks; the fact that you clicked on it and allowed it to run meant that IT'S ALL YOUR FAULT that it manages to go on and terminate every one of your security programs.

    OMG, the little prompt that occurs asking me if I really want to run x just after I clicked to run it by my own will is the perfect defense and excuse!!

    Antiviruses have no such excuse; they have to stop baddies, period. Even if you were the one that clicked on the file to run it, that doesn't absolve the antivirus of its duties to stop the baddies.

    Of course, there is the obvious fact that most people here are so well armored and careful, the chance of them getting hit by anything is so small, it doesn't matter what product they use.

    So HIPS don't fail them, because they are hardly tested.
     