PrevX Missing Detection

We are testing an Enterprise version of PrevX and have been busy putting it to test. Results, sadly, are disappointing. Out of 5 test machines, two were succesfully infected and continued to remain infected until remote session from PrevX support was established and infections were removed manually.
The failure remains the inability (or unwillingness) of PrevX behavior detection engine to identify malicious behavior, and this has been discussed in other threads by myself and others. PrevX is marketed as advanced behavioral detection engine but so far it failed to detect the most trivial malicious behavior we observed in our tests.
Consider the following (REAL) scenario
- file downloaded and executed, it's a true 0-day and PrevX has no signature for it and lets it run.
- file registers itself in all Autorun locations
- file integrates in Windows shell
- file installs BHO in IE and makes a host of other changes, like modifiying IE security settings, changing search page and installing its own rogue proxy
- file installs its own versions in SystemRestore and other Windows locations to prevent easy removal and detection
- its dependencies execute on each boot and download existing and new versions from hosts in China
None of the above is detected by PrevX behavior-based detection engine. PrevX detects that some of the files being pulled from Chinese web servers are malware and blocks it, and have caught the initial install EXE after it was submitted to PrevX, but upon every reboot system gets infected again and again. PrevX scans and bluescreens it on every startup as it can't clean all infections in real time, but behavioral engine -- the core component that should've prevented this in a first place! -- is siltently allowing system to get reinfected on every conseqcuitive boot.
I was very excited about PrevX at first, especially after 175+ pages of nothing but praises here on WS. We were looking for an enterprise solution that had an intelligent behavioral detection engine, and it looked like PrevX would fit the bill, despite minor bugs and overall "beta-like" feel of the enterprise console. However, our tests showed that unless there's a way to tune behavior detection engine settings to suit our needs, PrevX is nothing but a lightweight cloud-based antivirus.
I'm really hoping PrevX would reconsider their "fits all" approach and give its customers the ability to decide what's best for them, versus "protecting them from themselves", because as it stands right now I see no use of PrevX in our enterprise.

 

Here's a screen of bad things executing on a VM in question:
http://i41.tinypic.com/2illzs0.png

Here's a post-execution scan with MBAM and PrevX:
http://i42.tinypic.com/2j0cz82.png

 

Hello,
As I've said before, there is no perfect solution and behavior monitoring is really not the solution you're looking for. It is very trivial to block "point" behaviors, such as all changes to the HOSTs file, etc. which you have described, but that doesn't actually add any security which can be used by the average user. It would honestly be a matter of a few easy days of work to get it implemented but we have had virtually no demand for it and we do not want to go back the route of making our software overly complex.

An Enterprise should lock down all software installations regardless of the behavior of the program. In an Enterprise, you really should either be using limited user accounts or whitelisting or ideally - both. We offer this functionality and our Enterprise customers use the whitelisting-based approaches rather than trying to lock down specific behaviors. Regardless of the "techie" level of the Enterprise IT manager, they will not let users install arbitrary programs into their network - it simply is a bad idea for any corporation and opens everything wide up for problems.

We don't claim to be 100% effective and I suspect you could take any AV and perform the same tests and see identical results. Behavior blocking may have improved the protection marginally but at what cost Users would be prompted with dozens of prompts every day for legitimate software - it is a much better idea to just block any software from installing in this case.

None of our users have reported similar issues, but if you could please let us know the details of the BSODs and minidumps if available, we could help diagnose the problem, however, I suspect that the crashes are due to the malware on the system and not Prevx itself.

 

Joe,
You make valid points and I agree with what you're saying, however in my test, I have five machines that I tested PrevX against, and three out of them are infected to some degree. As you can see from the screenshot, PrevX is not detecting everything using signature-based method (MBAM seems to be doing a better job there) and behavior-based detection is not catching it either pre or post-execution. This is not a good score in my book for a product that claims to protect against 0-day and behavior-based attacks.
I also agree on having users log in as underpriviliged users but this is not an option in my case. If PrevX can only provide adequate protection when operating in conjunction to that, I am definitely wasting my time then, as I'm not in position to change the way this enterprise operates.
I am honestly not clear why you are so against making adjustments to behavior-based detection available (at least in Enterprise version), the way it seems to have been in v2. If there're no plans to make it a viable option in the future, please let me know as soon as possible and I will stop wasting everyone's time. I'm not here to bash PrevX or stir up unnecessary emotions.

 

This is just because nothing is perfect. Can you send a scan log from the infected machines to report@prevxresearch.com so that we can add protection for this new rogue?

Anyone can take any AV and find thousands of threats which bypass it in a matter of hours, so I'm not sure your test proves anything new except the fact that nothing is perfect.

It's not that are against making the changes, it's just that there is virtually zero demand for it. We offered a free upgrade to users from Prevx 2.0 to 3.0 and nearly everyone had converted over within the first two weeks, including our Enterprise users. The average user does not understand behavior blocking and we are developing software for the 99+% of the population rather than the < 1%.

The additional "techie" controls which we will be adding in a future version will include the ability to see a report of the behavior of a file but I do not see us opening up the controls to the point where a user can block a specific action like "modifying x file/x registry entry" as this defeats the purpose of using a security application for most users - you may as well open up a debugger and set a breakpoint on various system calls like RegSetValueExW and WriteFile to get the highest level of control

 

Understood. Thanks for your help, Joe, I must say that PrevX support has been nothing but amazing so far!
Unfortunately, I don't see us being able to use the product in its current form in our enterprise. I will definitely keep a close eye on it in case situation on either end changes.

 

I have found Prevx sometimes misses rogues and often lets them install and run without detection. Sometimes Prevx will detect the active rogue if a system scan is run.

To cover this weakness, I have found Zemana Antilogger to be good. Zemana has picked up on everything Prevx has missed - and yet it is not as annoying / noisy as most HIPS in that it only ever seems to alert on REAL malware or risky behavour.

I realise running Zemana with Prevx probably wont be the solution you are after - but it may well be of value to home users.

Puss

 

I'm just thinking of which malware you used? I mean, in enterprise, who will browse to those sites anyway? There is a small chance that someone will. I mean, if Prevx fails on these rogues (and some other malware), is it a total failure? I think not. But to be honest, I prefere Prevx to detect them
Sometimes there is a small lag between user and Prevx's server. You may wait 10 minutes and make rescan, maybe some new malware will be detected.
I think you may be more worried about email viruses or so.
I'm not defending Prevx, but I am just thinking about your test

 

I just went to a well known site which lists the domains of these malware and rogus etc and managed to find three which Prevx misses (it found two of the five) - I just downloaded them in date order.

Its easy to read more than you should in to Prevx missing things (well, possibly!) as Prevx is probably going to catch most of what is in circulation - by which, I mean, what has been seen in the Prevx community (5 million I believe) - so any significant threats out there will be countered. This said however, I think Prevx should be able to catch these rogues etc (even if not seen in the community) as everyone knows where to find them and it wouldnt take much to employ some bored teenager and get them to gather all the new rogues from these well known sites.

Dont get me wrong - I have tested Prevx several times and it is one of the best three in detecting new malware - but as I say, it should be able to detect some of the stuff it misses - even if it is has not been seen by the community - as there is always the first time - and as the thread starter has shown, the behavoural analysis cant be counted on to catch all the rogues.

Puss

 

Gentlemen,
My concern was not that PrevX misses detection per se, Joe is absolutely correct in saying that no one detects 100% of everything. For some reason I was under assumption that PrevX'es behavior-based detection was superior to those already currently on the market, and this is where I concentrated in my tests. Unfortunately, I was not happy with results and currently researching other options for what we're trying to achieve.
I don't want this thread to become a PrevX bashing central, this was not my initial purpose nor my current intent. PrevX is a good product for its own niche; it just doesn't fit ours.

 

Trust me, Im not bashing Prevx, I think its top notch and i understand nothing catches 100%

 

and those 3 that were missed were detected, under what name, and removed using what software?

 

They were detected and removed using A2.

One of them was detedted and removed by hitman

All were detected and removed by Avira

All were detected and removed by F-Secure

 

thanks, and the malware name(s)?

 

Rather than waste my time, have a look here and see for yourself:

~Link removed. No links to malware in the forums.~

Puss

 

i wouldn't want you to waste time. i was curious what malware was missed by Prevx but detected by others as in the name the others gave to the malware.

 

I've got few PMs with questions and suggestions. It looks like what we need is something along the lines of ThreatFire and Mamutu. Unfortunately, neither product is available as an enterpise solution, which is too bad, because I had excellent results with A2 at home. So the search continues..

 

Thx for the test dlimanov.

Did you run the test out of the box?

What about highest heuristic settings? I am very interessted of how PrevX is preventing against unknown malware if the settings are at maximum...

 

It can work the other way too. One program PrevX detects that you highlighted in a previous post - adwareprofessional.exe - is still not recognised by a number of AVs. Strangely enough though, this program isn't picked up by Hitman Pro, which also uses PrevX so I'm a bit confused as to why that is.

 

Hitman Pro uses a very old version of our engine and scans files in a different manner which most likely explains why they miss it.

 

Thanks for the explanation.

 

Have you considered a HIPS type program like Malware Defender or DefenseWall along with Prevx?

 

I think it was mentioned before, but what were the heuristics set to? There is a big leap from default to high

Also, of course no program detects it all and that is why you need layers to protect your enterprise. You could have Prevx all alone in a working environment with an enforced strict policy + url filtering. Prevx would catch the stuff that gets through, which is what it is there for.

I am not being biased towards your test, rather pointing out how in a business environment Prevx is very well suited. Not to mention a home environment...but with that said I wouldn't use Prevx alone. Prevx is well worth the purchase if you want that added protection or even standalone protection if you aren't a risky surfer

 

You set your time or money on the wrong horse. I am sure.

It isn´t worth a penny, sorry for my harshness, but that´s my opinion.
The hard truth about it is that approx 30-50% of its alarms are fp´s, the true dangers
remain undetected by this unimportant tool.