Prevx OK's rogue AV site

Prevx is showing this rogue AV site as verified, and https.



"livesoftrock com / purchase?r=57.0"



It is not ok, or https. Please examine it as soon as you can to help prevent people from getting scammed.

 

ummmm...out of nod,prevx and mbam.... only mbam ip protection blocks access to the said site.....so to mbam. and a ? for joe to answer

 

WOT blocks that site too.

 

McAfee SiteAdvisor/Trusted Source also blocked it and has it flagged as red.

 

Another one.

"scanner just-protect-pc info / scan.php?campaign=mmb_815609071&landid=6"

I had to allow scripts for the scan to take place, but didn't install anything.





As for the https i mentioned in my first post, i now think i may have mistaken the Prevx padlock symbol for an https padlock, if so i appologise. Confusing though i would imagine for some other people too probably. Maybe you might consider changing it to different symbol, like a tick etc.

 

Hello,
Thank you for the report - I will have this added to our blacklist, although "Verified by Prevx" means that the website is resolving correctly, not that it is legitimate.

 

Hey Joe,
In all fairness, you said 5 months ago on this thread that you thought this green tick for the IP verification could be giving users a false sense of security. You also noted that, "We don't have all of our antiphishing/url-blocking capabilities turned on yet."

Would you say that you have all of your url-blocking capabilities turned on now? I'm not trying to be harsh. Just wondering if the product is still in development, or were these simply a couple of missed detections?

 

PrevxHelp



"Verified by Prevx" doesn't mean what i expected it to. Thought it showed you had checked and OK'd as free from harm etc. I feel many people will be led into a false sense of security as Page42 pointed out.

"Website protected" if this doesn't mean verified as HTTPS, as i initially thought, what does it show ?

 

I'm glad you brought this up.
I thought it meant the site was safe.
I guess I need to look further.
Hugger

 

i installed prevx safeonline some days before and entered about 10-15 malicious sites that i know(including rogue sites). Prevx blocked only 2 sites and didnt detect other sites.

 

It appears there is a false sense of security being given by prevx. The Green with Padlock symbol clearly states in the help file:

"The website and session are being fully protected by Prevx and by an SSL certificate. This is the highest level of protection and provides security over the local data and remote data sent to the destination server."

 

Thi is referring to the browser tab rather than to the clip window shown in CloneRanger's post. There's no padlock on the tab for http.

The help file explains all this in two separately headed sections ("Prevx SafeOnline Browser Tab" and "Prevx SafeOnline Browser Tab Clip Window"). Website protection is explained under "Add Protection/Website Protected".

 

the ip verification means that the Hostname whatever .com resolves to the correct IP and that your DNS server or your hostfile is not poisoned or redirected

and when it say protected means that whatever you do in that site wont be recorded by any keylogger

 

These are just a couple missed detections - we've been improving the detections constantly, but we're looking to do so in unconventional means: by not using the standard black lists and instead focusing on heuristically identifying malicious websites.

We're primarily focused on blocking banking phishing websites, in particular, the ones which our current banking clients are using. A website like this rogue AV would be reasonable to get past most URL blocking services because it would require the manual analysis of the software itself and then the subsequent blocking of the address.

 

Well, just from the few members posting on this thread we learned that MBAM, WOT and McAfee SiteAdvisor/Trusted Source all blocked the sites.

However, I think that the greater issue here is not, "These are just a couple missed detections", but instead the feed back users are giving you along the lines of, "I thought it (the green check) meant the site was safe".

That's the area of concern, from what I can see.

 

exactly.

Another thing is: I went to this site and selected "buy". Prevx now intervened and I got a pop up with the choices "block" or "ignore". I chose "block" but when I opened Opera I got this same Prevx popup screen again and again.

 

Thanks everyone, i'm clearer now as to what "Verified by Prevx" and "Website protected" actually mean. Not what i and others thought they meant.

The two padlocks might cause confusion, so i suggest keeping just one for HTTPS, and a different icon for kelogger protection, such as a RED key instead.

Visted a well known malware writers site, downloaded a RAT, and this is what SOL shows.





Of course most people wouldn't do that, i just use it as an example to illustrate that apart from "IP not verifed" it shows exactly the same details as for www.wilderssecurity.com

Only want to help and try improve the quality of info shown on SOL. I believe a lot of people out there will take the positive looking display as a green light that everything is ok, when it might not be.

 

I have to say, SafeOnline isn't something that I think the average user would be able to use to great effect easily. It doesn't work "out of the box" - I think it should come with several hudred well known sites (especially banks and financial services providers) pre-loded instead of needing to be added manually.

 

Bit disappointed to hear this about Prevx. I generally assume words like 'site verified' or 'protected' and padlock images indicate safety.

Here's how NIS2010 notifies. Says 'Site is Safe' in green if safe, 'Site is unsafe' in red if unsafe. Seems simple enough.

 

I can only hope they rethink safeonline and with version 4 dump it and add a sandbox. Prevx is very good but safeonline was a flop. Hopefully they will look at this.

 

I think SafeOnline is worth keeping, especially for those who use online banking and the like. However it needs to be made clear that SafeOnline makes sure that communication between you and your site of choice is secure, along with an IP blacklist to filter out dodgy sites. SafeOnline is a valuable tool, but only with enough clear information on how to best utilise it, I feel.

 

Should I be adding each of my banking sites individually even though the default policy for HTTPS is maxed out?

 

Really? I think you are speaking for yourself there. There is a real market demand for the sort of protection that SafeOnline offers - just witness the take up of Trusteer Rapport. If there is a problem with Safeonline it is the somewhat misleading representation of what it is protecting in the status tab. But flop? Total nonsense.

 

No You will be fully secured on all HTTPS websites with this, default policy. The primary use for the configuration is to add individual HTTP websites (i.e. websites like Facebook which primarily use normal HTTP traffic).

 

SafeOnline will warn you very quickly when it detects a problem with the website you're on. For instance, if you do end up landing on a phishing website which we've blacklisted, you'll receive a prompt like:



I honestly don't see where the confusion comes from with the IP Verification: it says: "IP Verification - Verified by Prevx". This means that the IP is verified by Prevx as being resolved to the correct website. The website could still be found as malicious, but you'd see a prompt like the one above if that were the case. The padlock on the browser clip window is placed on a button - clicking that button will secure the user's data while on that website. It is very likely that you will see "Verified by Prevx" on a phishing or malicious website because that website itself will not be being phished. If a phishing website was being phished, however, you'd receive a full-screen warning (whether that is from a poisoned DNS server, HOSTs file change, or other man-in-the-middle attack).

I believe we explain this fairly clearly in our help file for SafeOnline which is viewable here: http://info.prevx.com/safehelp.asp

Regarding missing websites in our blacklist: blacklist based prevention is highly ineffective at best. The root of the issue is the speed with which accurate determinations can be made on websites. We tried some of the common blacklists but found far too many false positives and no real added benefit on top of what our users would already receive by using IE's or Firefox's filtering.

Instead, we offer two different approaches: first, we provide a more heuristic approach to blocking URLs than many services which has its advantages and disadvantages. For our affiliated banks/financial institutions, we offer very strong protection based on their known-good IP addresses and domain names. We still do provide basic URL filtering but the battle of trying to update a blacklist of URLs was immediately outdated as soon as it started - the volume of new malicious URLs far exceeds the volume of new malware and malware blacklisting became outdated far before it reached its current volume Therefore, we strongly recommend using the Credential Protection functionality under the Advanced tab within SafeOnline's configuration.

This function will lock your specific credentials down to a website and will show a warning if you try and enter them elsewhere. This will immediately block any phishing attempt if the user actually tries to be phished. We aren't looking to receive perfect scores on blocking all phishing URLs, but our goal is to block the phishing itself, which starts at protecting the credentials rather than trying to keep up with the phishers who can register thousands of domains an hour.

Please let me know if something is still unclear or if you'd like any other clarification on it! I'm definitely keen on clearing up any misconceptions or helping to clarify the graphical functionality.