Prevx SafeOnline almost fully bypassed!!

Just found this interesting test tool feedback on another forum here at wilders. Looks like SafeOnline is unable to proactively prevent screenshots or even clipboard access.

https://www.wilderssecurity.com/showpost.php?p=1635047&postcount=27

Hmm ....

 

Can confirm those results I got yesterday, have just tried it again with the Heuristics all set to max and using an https page.
I know these are only tests but would be very interested in Prevx's view on this.

Would have posted this before but am very tied up at the moment and Wilders was of course down this morning when I had a spare hour.

 

I may be mistaken, but I thought SO only protected against web based/browser attacks,
This test was done via downloaded software.
That's what I initially thought anyway.

 

Hmmmm... I'm not able to reproduce these results. SafeOnline fully blocks clipboard stealing and screenlogging everywhere I've tried. One possibility is that there is an application installed that would cause lowered protection - possibly Zemana Antilogger, but I'm not sure.

SafeOnline will intentionally not block webcam capture or sound capture, so I'm not sure what the test results said there.

I'm currently out-of-the-office but Ill post more specific test results here if needed, but it looks like there was an issue in the test as these are not the results which occur on a clean test environment.

 

I just downloaded that test program tonight, and tried it on Windows XP 64bit SP2, with Prevx 3.0.5.85 as my only security program (other than Ghostwall).

It failed every test.

I'm very familiar with Prevx, as I was one of the first resellers in NA, right when they started their reseller program, after the redesign from the CIPS/HIPS to Prevx1.

I've been a long time lurker to this forum.

 

Joe, I was using Windows XP Home SP3 and Windows FW with Prevx SafeOnline 3.0.5.85, no other security software installed, let alone disabled. Have had Zemana installed but that was in another snapshot. Very strange, look forward to some more info on this.

 

I just tried on a brand new XP Pro SP3 VM, nothing else installed. It looks like they are seeing the clipboard data but that's because of the determination of the antitest.exe file (we're manually marking it as Good internally because otherwise it would be blocked before running).

However, (and I can fully reproduce this if someone wants me to make a video), Prevx is fully blocking any keylogger/screengrabber. SafeOnline doesn't protect everything system-wide so I suspect there may be some difference here in testing. Make sure your configuration is on the defaults after install and then try the keylogging test with http://www.paypal.com open and try entering in login credentials - they are fully blocked. Then try taking a screenshot with the same website open and it produces an error.

Not sure what else other users are seeing SafeOnline is not trying to protect system-wide, but it will protect these areas within the browser. Webcam/Sound record/system protection are all intentionally not covered by Prevx.

Let me know if you're seeing anything different!

 

I was using it from within the browser. I was using it in IE and Firefox on HTTPS sites, with the green tab saying protected, typing into those windows. It copied my clipboard, took screen shots, edited a registry key, and logged everything I typed everywhere.

I even maxed out my settings for Safe Online and tried again, same exact result.

Something is amiss, and there needs to be more interest in finding out why. I already see some general conclusions that are trying to redefine the scope.

The fact is, sometimes it works (at least on other people's machines) and sometimes it doesn't at all (on mine so far) and other people have intermittent results.

This *is* a big deal. Your website doesn't have an asterisk next to the Safe Online functionality saying "well, it's not system wide protection, results may vary".

This is a feature that should work all the time, every time, with every skill level of user, and not have caveats as to the intent, unless you intend to put that in your marketing literature.

It should also be demonstrable. None of this, "Well, it's an OK program. It's not *real* malware." If it's that simple, leave these programs on the blacklist (they are harmless anyways), because at least then we could see something in action, like EICAR files. To make excuses looks bad. Transparency is the key.

Don't tell me there's not a category these types of programs could be classified in that allows them to *show off* Prevx's capabilities.

 

Hi Lucidtek,
We are clearly having some significantly different experiences with this leaktest. If you could send me a PM with contact details, I'd like to take a look remotely if possible. We are definitely interested in fixing any issue if one exists, but I am quite honestly at a loss with how to reproduce any of the problems.

If you'd like, I can make a video of my user experience with it and we can compare what you're seeing, but I'm definitely keen to investigate further if needed.

It also may be worth noting that, based on a number of user reports seen here on the forum, the protection does work properly - if it did not, we wouldn't have people complaining about using SnagIt or LogMeIn Rescue

It is very possible that something was left residually on your PC from an earlier alpha/beta build so I'd recommend uninstalling, rebooting, and reinstalling to see if this clears it up.

Let me know what you find!

 

These work for me:

zemana keyboard logger is blocked
zemana clipboard logger is blocked

This one doesn't: (but it did prior to .85)

zemana screen capture is not blocked.

Pressing the print screen key to copy the screen is blocked, however.

 

I've tested the Zemana keyboard and screen tests. The keyboard logging is prevented by Prevx. The screen test produces strange results but I would consider it a pass, e.g.

- If I go to Play.com (http site) and click on "My Account" (https) then screen capture of the "My Account" screen is prevented and Zemana locks on the Play.com main screen
- But if I Google "Barclays Online Banking" and go straight to their site (which is https) then Zemana captures the loading of the https screen (I can see the Barclays Online Banking page in the Zemana window). Thereafter it captures nothing.

So why the difference? Play.com http > Play.com https - totally blocked. Google http > Barclays Online Banking https - blocked after loading the https page, but that page is captured by Zemana.

 

Just tested zemana clipboard logging and Prevx correctly blocks that too on my system.

Edit: forgot to add - I'm on Win7 32bit

 

Yes this the same behaviour as me. I see a static picture of the protected screen but it doesn't update when I type things in etc.

I have vista 32 bit

 

So when you said "zemana screen capture is not blocked" you are actually seeing the same mixed results as me - total block on some https sites, partial block on others?

 

Hello all,
I didn't notice the first line posted by LucidTek and feel it is necessary to clarify the protection of SafeOnline on 64bit operating systems. Because of PatchGuard, there is no way to fully protect against screen grabbers and clipboard stealers like is done on a 32bit OS. However, SafeOnline utilizes the layered protection of Prevx to generically block unknown screen grabbers/clipboard stealers with the antimalware/fuzzy matching within Prevx 3.0 on 64bit operating systems so while the initial screen grabbing could potentially take place, any malicious actions trying to be performed by that threat will be stopped. The other layers of the SafeOnline protection are all still applied - including protection of stored credentials, browser memory protection, protection of cookies, protection of form injection attacks, protection against keyloggers, and a wide range of other protection elements on top of what the Prevx 3.0 antimalware technology already applies.

That being said, I believe a few of you are still having some issues with screen grabber protection on 32bit OSs as well - if you have configured SafeOnline into "High" protection from Maximum at some point (to fix an incompatibility with a printer or screen capture utility), you will likely need to uninstall, reboot, and reinstall SafeOnline to take it out of "Compatibility Mode". This feature is in place in order to allow users with some printers to use Prevx properly past an uninstallation/reinstallation so as to not negatively interfere with printing from certain applications. We are implementing a measure within our protection to allow printers to work better with SafeOnline, which will allow users to configure up protection back to turn off compatibility mode, which will be released in a new update within the next couple days.

The goal of SafeOnline is to protect credentials and user data from malicious capture and this is accomplished by protecting website sessions as soon as they load - which is why in some cases the immediate display of a page will be captured but not any subsequent page or login screen.

We will be preparing a Youtube video to describe the differences in protection on 32bit operating systems and 64bit operating systems, and how Prevx protects against each of the types of threats. For what it's worth, the same issues apply to other products as well (Trusteer Rapport, Zemana, and other anti-loggers) as PatchGuard on 64bit operating systems fully prevents modifications to the "shadow service descriptor table" which is necessary to provide deep protection against these types of threats. If any security product does block against these threats on x64 OSs, they are primarily using a usermode technique which can easily be bypassed by a real threat.

Prevx does not modify itself to work properly against leaktests which is why, in some cases, different results are shown for tests than would be seen by real malware. Adding an override for a file to allow it through the Prevx antimalware components could negatively affect the protection of SafeOnline because that file will then be considered "trusted" to Prevx. However, if a file is new or unknown, the protection will be applied the same - it is only when a user override comes into play that protection will change.

Please let me know if you have any questions with this - I'm definitely keen on explaining any of the discrepancies that may be seen here.

 

Tried that with www.amazon.co.uk as I do not have a PayPal account.
The SpyShelter keylogger test showed the typed in login while I was on the https page and also took a screenshot of it.

 

Dark Star 72: Do you have Maximum configuration enabled for Amazon? It might be worth trying uninstalling/rebooting/reinstalling to see if it is a case of compatibility mode being enabled, but let me know if you'd be available for some remote support and I'll take a look if possible.

 

Hello all,
I've created a new thread for continuing this discussion which gives some more context over testing SafeOnline. Hopefully everything will be explained there - if you're still experiencing any issues after reading through the testing recommendations, please let me know!

https://www.wilderssecurity.com/showthread.php?t=267205

I've closed this thread for now to give more relevant background when looking through the tests.

Thanks for the help!