Considering prevx1

I'm considering buying Prevx1. I have a question. What exactly does it stop? Rootkits? Viruses? Spyware? Or what? I can't seem to get an impression...is it a HIPS too? I'm guessing it is, but what malware does it block?

If I get Prevx1, I still need my firewall, right? And what about my other antispyware apps? I know I'd still need Antivir, and Spyware Terminator. But what abot Ewido, A-Squared, etc? What could I remove?

 

Read through this recent thread, particularly towards the end.

Blue

 

yes u would still need a firewall.

as for antimalware apps, it all depends on how security u want. im fine with just KIS 6 and Prevx1.

 

well prevx1 has outbound filtering and you could use windows firewall for inbound filtering but its up to you.

 

Hi WSFuser,

I am also using KIS right now and was thinking to add Prevx1. How do they play together? No conflicts and how is Prevx1 regarding memory use?

 

prevx1 and kis run perfect together Don told me when i asked him the other day.

 

Thanks Iodore, it's appreciate.

 

woops i forgot to say that here https://www.wilderssecurity.com/showthread.php?t=147195&highlight=prevx

there is resource usage posted

 

Prevx1 strikes me as the ultimate stage of set-it-&-forget-it. So much so that the user has relinquished a good sized chunk of personal control over the security of his computer.

I am happy for people who want such a program, because Prevx appears to be an outstanding specimen within its class. However, I myself am not willing to turn over that much of my computer's security to a nameless, faceless "community."

I tried Prevx & found that it is 100% as advertised -- a hands-off, behind-the-scenes security program with a slick user interface. Prevx's Tutorial, as well as its Help file, pointedly discourage tweaking, and (in so many words) they say, "Leave the driving to us."

Ergo, I never figured out how to get Prevx actually to list ALL the programs/processes on my computer, so that I could tweak the settings on a process-by-process basis. For example, I couldn't find a way to set Prevx so as to protect selected applications from really aggressive attempts at termination.

The fact that I couldn't find this stuff doesn't mean it isn't there .... somewhere. But I missed the ease and clarity of the readily available tweak-controls provided by the more configurable HIPS programs such as Online Armor, System Safety Monitor, Safe-n-Secure, Process Guard, GSS, etc.

Down below I have attached an example screenshot of just ONE of several control panels provided by one of the above named HIPS. It illustrates two aspects of the point I am trying to make. Namely...

1- It shows the degree/kinds of controls that I want to have available to me.

2- It shows the visibility of controls that I want in a HIPS program.

NOTE: The HIPS programs mentioned here as examples do not require the user to mess with the detailed settings such as those illustrated in the screenshot below. Instead, they allow that degree of flexibility, if I want to use it. Basically, the only two REQUIRED settings these HIPS prescribe for any given process are (1) Allow (2) Block.

From my point of view, Prevx's two disadvantages are: (1) It doesn't provide the degree of control I want. (2) It doesn't provide the visibility of control that I prefer.

For many folks, the things I list above as Prevx's disadvantages are, to you, its major ADVANTAGES. If so, good-o for you. I just wanted to make the point that, in considering Prevx vs other HIPS, you need to ask yourself...

Do you want Prevx's security-on-autopilot approach?
OR
Do you want a security TOOL that will help you learn at the same time that it is affording you protection?

I prefer the latter. Your mileage may vary.

 

Here's the screenshot...

 

You could of course pair prevx with SMM or REg/App Defend and have the best of both world or use prevx in the one of the more intrusive modes and add some personal rules.


I tend to use prevx in ABC mode with REg/App Defend on overkill - yes but I have that extra bit of control

 

Prevx1 does seem to work well with 'other' HIPS. There is no reason it can't be run in ABC or Pro mode with a more 'controllable' HIPS. If for no other reason that if you allow something that turns out to be bad then Prevx1 could alert you that it is malware. I'm considering that approach myself. Told you i change my mind regular Although i stress at this time i'm only considering it.

muf

 

Same here.
I am a licensed user of SSM. I am testing Prevx1R for almost two months now.

From my experience both are very good programs but they have a different audience.

 

Prevx1 is a solid product. I am using it with XPs firewall and Nod. MY PC purrs like a kitten.

 

I want both. While the autopilot is on, I can learn how to fly.

 

You summed it up quite nicely. Two completely opposite solutions, each for a different kind of user. One configures and does everything for you. The other, often called "classic HIPS" lets you choose how you want to configure everything. The key factors in choosing between these 2 methods are trust and control. With PrevX do you trust "the community" enough to let them control what will run on your PC, that they will detect and stop malicious software and not cause any other problems? With classic HIPS such as PG and SSM, the question becomes do you trust yourself, and your ability to choose what is and isn't malicious, and your computer knowlege enough to take control of your own system? Both choices have very clear advantages and disadvantages.
If you're one who feels that it's the softwares task to secure your system, or doesn't want the task of deciding what should and shouldn't be allowed to run, PrevX may be the better choice for you. Users have long trusted AVs to stop viruses and in more recent times have trusted a variety of software to defend them from different types of malware. In one respect, PrevX is a continuation and expansion of this process. Classic HIPS is more a tool for those who trust themselves to take care of their own security needs, a powerful tool in the hand of those who know or are willing to learn their systems, a potential disaster in the hands of one that doesn't know or doesn't want to learn. They're powerful teaching tools if you're a good student.
Rick

 

I've given my opinion on pure behavior blockers plenty of times now, but I think there's been times that has been confused, or has actually crossed over a little, with my work, so I think a little background and elaboration are a bit overdue on my part. Note that this is purely my own perspective and experiences, and should not be considered a reflection of anything to do with my employer (I do still come here mostly on my personal time and post mostly out of personal interest, I make a conscious effort to keep my opinions out of work related posts and many are handled privately).

The problem of malware is ultimately a problem of control. It's the struggle between you and the malware writers for control of your system. I used to like behavior blockers/HIPS with all the control it seemed to provide, all the prompts it would show me to allow or block these cryptic things that programmers use to make their programs work, which includes malware. At some point some members' arguments began to slowly sink in, then I started using Online Armor, then Prevx1, then heard the stats from both, used a few others that remain quiet, and became more interested in the rest of the security field (and came in contact with more of it), and this all made start seeing things a little differently. For protection software I got quickly accustomed to apps that did not require constant attention to keep my system working correctly. With behavior blockers I started feeling like I was not in control of my system because it forced me to constantly tweak the settings, or disable something, or confirm a hundred times that 'yes, I really really am trying to install a driver update'. For control I found that learning about your system and learning how to use real system tools yeilded a lot more information and ultimately greater control, just in a different way. It's not a question of whether behavior blockers are inherantly good or bad, it's a question of how much they really benefit in real-world practice.

When it comes to security, I've seen people loaded to the gills with every type of security app there is and still get infected, and others that have literally no software (other than a firewall) and never get infected. Fact is that security has a lot to do with knowing the right info, having the right resources, and making the right decisions. Some apps can be used as tools to help make the right decisions, but I no longer see HIPS as one of them. The simple fact is that security goes beyond any software. Some might reduce this to say "you're better off with common-sense", but I would call that an over-simplification because it assumes a good deal of existing knowledge on the part of the user, and I'd also say that it's not that easy as you would still want some good tools.

For myself, personally, I found beta testing taught me more about security than simply using any apps. Getting to know what kind of components do what, learning how my system should behave under a variety of circumstances, generating ideas that are truely valid to security, learning to use system tools to diagnose problems that are not immediatly apparent, using monitoring tools to see how processes behave and what to expect, and so on, all taught me more about my system (as well as how programs work, which helps a lot with malware) than what I believe I could have otherwise. I also get more control there because I have input into how the program actually works. Others would find this benefit in other technical persuits, whether programming, reading books like Windows Internals, or other. The other thing that I discovered is that if your system becomes infected while you're using a behavior blocker, you're just as screwed, and sometimes it makes matters worse. There are some things that I think are worth having intercepted, mainly startups, but for the rest you're generally better off with system tools you can use for diagnosis and security measures that will keep the malware off your system in the first place, not just try to contain the infection after it begins. I think you also have to ask yourself why you would be inclined to believe that you know better than a programmer how their app should behave, and how much you really think you're gaining by forcing it to behave in ways it wasn't meant to, especially when there are always alternatives. If nothing else you can usually email the developers and start a rapport.

With that in mind, I don't really call trying to stop some behaviors of malware half-way into the infection truely "pro-active", nor does it really add any security. To me, proactive means:

- Learning how to head off the malware in the first place - learning how malware can enter your system and close those doors, avoid places that might distribute malware, use "intelligence" (in the FBI sense) tools, and so on. You identify potential holes, asses the risk, and take precautions accordingly.
- Knowing how to recognize malware even if it's something you've not encountered before
- Use the resources (including informational resources) you have to their fullest rather than piling on more and more
- Know the advantages and disadvantages of software you use (security and otherwise)
- and learn how to remove malware if you should become infected, or at least have a plan to get your system back to normal.

There's been a lot of tried and true methods that have gone by the wayside for apps that block things that may or may not even be relevant. For instance:

- Configuring your firewall with a tight ruleset has become a lost art
- Integrity checkers are as relevant today as before but now scarecely mentioned
- You can have quite a bit of behavior blocking in a limited user account.
- Network analyzers/port sniffers can tell you exactly what's going on. Security professionals and black hats often use this before anything else, but is barely mentioned here.
- Lots of malware gets distributed through advertising networks, but many just consider ads little more than a nuisance

...and on and on.

Get creative, you can use what you have to create a defense unlike anyone else's, and that would give you unique protection that would be better than those that just add different kinds of software. You could potentially create a limited user account and set your browser to "run as..." that user, maybe even set some software restriction policies for that account so that it can't spawn any child processes, and harden the system (and choose sofware wisely) to reduce vulnerabilities that could be used to break out of that. Also become familair with system tools like what SysInternals makes, they can show you just about anything and often provide all you would need to disinfect. If you have an outbound firewall with a tightly configured set of rules then there should be little room for data leakage, and your backups should be able to replace anything of consequence if lost. HIPS, of various types, often just mimic these things. Having lots of features may leave you thinking that they can stop more, but I consider the better solutions the more elegant ones (which isn't the same as simple), and to me that means focused; only bringing to my attention what is actually relevant and necessary. You can control what malware does in memory, I'll focus on not letting the malware even get in memory in the first place.

If you want to talk about control, I just got a hardware firewall set up that allows me to control all sorts of stuff. I have full control of what's allowed and what's not allowed, and if a backdoor opens up on my network then it will be shut off automatically and I will be notified, even if the integrity of the kernel has been violated and host software can't see it. I could use this to detect rootkits without worrying about whether it's patched the kernel in a whole new way. On the host I have another packet filter to control LAN communications and control how apps communicate. I know when any event occurs, I can shut off all the components I don't need reducing attack surface, I can set file and registry permissions and policies to ensure that only apps and users of my choosing can access them, I know how to peek into a variety of corners of the OS to see what's going on in ways that behavior blockers can't, and so on and so forth. I would argue that I have gained far more control of all the systems in this house since I let go of the idea of trying to control what APIs and hooks known legit apps use, and will continue to learn new ways of doing so more. The fact is that I have found very little real world value trying to control how applications operate in ways that I, not being a programmer, don't fully understand. So you've blocked your browser from creating a hook, how is that going to make you any more secure? How is that going to help you in the event that malware has run on your system? More importantly, if malware is consistently fooling even very techy users into thinking that the files are legitimate system files, are you going to know better? What if the new process pops up and belongs to an update of some sort that botches a driver install? Even I had problems with these on occassion, but ultimately I found that all I was ever blocking were legitimate apps, malware wasn't infecting my system simply because I had gained the right perspective and because of just one or two well placed apps that helped - which were not behavior blockers. Now I have solutions that don't bog down my machine, don't interfere with normal operation, and offer much better protection than at any time before. I ultimately have more control now than ever, without becoming a programmer anyway, but it's actually under my control and doesn't bother me when I don't want to be.

My greatest advice would be to catch up on the rest of the security field. Learn what pen testers are doing and why, learn more about how Windows really works, read up on news/blogs/podcasts/whatever by/for the security community, and just consider the security implications of anything added or done to your system, and what you can do with your system now.

It's perfectly understandable if you don't want to go that route, but by using a pure behavior blocker you are putting yourself in the position of the malware expert. As with everything, when we don't have the expertise to do something, we pay others for their expertise and either trust them to do the job well or find someone better.

I'll leave this with a simple principle that security professionals all know, that really sunk in and has stayed with me: "Every software application that you install is a potential security liability." - even your security software can have a vulnerability that could potentially allow malware a way in. Don't keep software installed that you don't use, choose the software that you do use wisely, know it's weaknesses and keep it up to date. You can check places like Secunia for vulnerabilities, and you can probably work around it by either changing settings in something you already have or choosing a suitable alternative. It's great to try out new apps and learn how they work, but when you start actually measuring how well behavior blockers actually keep systems malware free, it doesn't look so good, and Prevx wasn't the only one to see this (you can ask Tall Emu, for example). As for the rest, keeping the malware off your system entirely should be of greater importance than blocking a hook that some malware may or may not use after it's infected your system.

Is Prevx1 enough on it's own? I think that's something you'll ultimately have to decide for yourself, as opinions are fully valid both ways, but I would at least suggest considering other types of security than adding several of the same kinds of software. There's lots of other things you can do, they don't all have to just block events to keep your system clean. You can practice defense in depth (aka layered security) without piling up the software. For a more official comment I would also point out that Prevx1 does give you prompts in the (uncommon) occassion that something is not known to be specifically legitimate or specifically malware, and if you just don't run anything unknown to the community database until it's been determined, then malware won't stand much of a chance.

 

Indeed, although I do hope that the lessons Prevx (and Tall Emu, and I'm sure plenty of others) learned the hard way will be considered. Prevx doesn't try to compete directly with HIPS, they're a different kind of product, even though Prevx1 does still offer some of the same, but when you (personally) learn that something defies "common knowledge" then you're inclined to let others know about it. Prevx1 isn't a HIPS. I supposed it could be presented as one that's easy to use, but the database has simply proven more effective than behavior blocking did, so the focus was put more onto making it more like an anti-virus/malware with automated analysis that can work alone or alongside other apps.

Don't get me wrong, there's no marketing in me giving my opinion about behavior blocking or explaining why Prevx moved away from it, the marketing is in proving that Prevx1 detects more malware than the likes of Norton. You don't have to choose between Prevx1 and a standard HIPS if you don't want to, but now you can see my opinion on the matter. It is true, however, that Prevx1 is built with the same technology, so the potential for conflicts is greater than with a traditional AV. IMO, if you're not technically minded enough to feel comfortable with that risk, then you should reconsider the HIPS anyway.

Is it a question of trusting the "community" or a question of trusting the analysts not to mark bad things good? The community reports what's happening on their computers, they don't control anything on your PC. Whether someone allowed something or not is no longer reported, and has little bearing on whether it will run on your system.

 

I'm not a malware expert, but I do know the processes that are loaded on my computer. I know when they are supposed to run, and when they are not.

My HIPS ensures I don't get spoofed. My HIPS ensures that my security programs don't get terminated. My HIPS asks me questions, & helps me get answers, but it leaves the driving to me.

If a new process suddenly starts up or manifests a changed CRC, & I didn't do any direct action to cause it to do so, I know enough to be suspicious (at the very least) & let my security programs block it until I can do a bit of research.

The resources for doing that sort of research are very abundant, simple to use, helpful, & friendly. So (no offense) but I don't need Prevx to do it for me. To name just a few of the readily available resources: Security Task Manager, http://www.processlibrary.com/, CastleCops, Wilders, Win Tasks, Gladiator, DSLR. These resources help me to learn and grow.

Wilders is what I consider *community*. I sometimes irritate people here. And some folks irritate me from time to time. But at the bottom line, Wilders & similar venues are the sort of community I like and trust. These forums are communities of people who have gathered around a shared interest in security, and a shared goal of helping one another. Some of the best, most respected friends I know now, or have ever known, were met through this process. Big brother programs don't do that that for me.

But then... everyone to his own tastes.

 

This has been a very interesting thread. I have a situation that contains both sides. I want to see that my security is working,so some popups are ok. My wife on the other hand doesn't like them. So I have both Prevx1 and SSM. Probably overkill but they are playing nice together.

 

You do realize, don't you, that that post had nothing to do with Prevx1? That I was posting my opinion about behavior blockers as a Wilders member, and not as a Prevx representative, and to try to give some background on how I came to that opinion? You and I had a friendly, albeit limited, rapport before I took this job, it saddens me to think that my job is all you can see in my posts anymore.. or perhaps I just made a poor choice in which thread to post it in.

 

I imagine at times I sound like a representative for SSM. Just to clarify, I'm a beta tester for them, nothing more, and I don't recommend everything I test. Given some of the overtones of this thread, I thought it would be good to put that on the table.
Regarding my statement which you partially quoted, I would think the 2nd half that wasn't quoted explained the first section, as did the next paragraph.

You have to admit though, trust plays an important role with an app like PrevX. It has full access to your system, the ability to control processes, delete files, and send out data to its home. Those also describe the abilities of trojans and rootkits. If an app like PrevX were controlled by a malicious group or individual, it would make for a nasty piece of malware that could easily defend itself. The big difference is who is "doing the driving". The user has to trust the ones responsible for PrevX's operation. Don't even take this as questioning their integrity. I'm not. I'm merely pointing out that the user has to trust that those who control PrevX can and will use it for its stated purpose and no more. In addition, the user has to trust that PrevX can't be easily exploited and used maliciously, not just on their PC but on the server side as well. It would be a tempting target. How many remote administration programs and similar tools get targeted by anti-spyware apps (or hackers), either because of their potential for abuse or because someone already has used them maliciously?
Maybe you could clarify something else here for me. The term "community" has been used rather loosely throught this and other threads. Even on the PrevX homepage, they refer to it as "community intrusion prevention". I'm also seeing it referred to as community HIPS. Does "community" refer to anything more than the PCs PrevX is installed on that send data back to the company?

In this statement, would "PrevX software" be a correct substitute for the term "community"? I'm assuming the "reports" are automatically sent by PrevX, correct me if I'm wrong. If so, what is the role of the community as it applies to the users themselves, if they have a role, besides general feedback?
I would also like to address several of the points you made in your longer post.

"Real world practice" covers quite a range of users and user behavior. The users habits greatly influence how much activity they'll see from apps like SSM and PG. For users who are constantly installing something, a new game, the next toolbar they find, etc, the prompts can be very annoying. For users that don't install much or pretty well have their system set up as they want them, apps like SSM stay pretty quiet. I rarely see a prompt, unless I'm accessing something I chose not to make a permanent rule for. Apps like SSM and PG (classic HIPS) are better suited for PCs with finished setups. By that I mean the user has the software they want and aren't trying a lot of new stuff. Classic HIPS is good for locking down a finished system or a childs system and leave the UI disconnected so they can't install new apps or tamper with existing ones. For users who try out a lot of software or are constantly changing something, with classic HIPS, they'll be seeing plenty of prompts. For these users PrevX is definitely the easier option.
Although this is a PrevX thread, a few of the other items in your longer post hit the mark nicely. Even if they're a bit off topic, more users need to realize how important they are and not put all their trust in the newest and most talked about items (like HIPS in whatever form).

Very true. So many firewalls are now firewall suites, with HIPS components or something similar. With a lot of people, the firewall component takes a back seat to the rest of the suite. Many just don't realize that controlling traffic in and out of a PC is half the battle. I remember a thread regarding a firewall test, PCAudit. It adds a randomly named DLL, sets a hook, and manages to go past most firewalls. There was post after post about how the HIPS component caught the hook and beat the test. They can't seem to realize that they never actually tested the firewall itself, just the HIPS component. Then many conclude that a firewall without HIPS is worthless, while forgetting 2 things.
1, Good firewall rules will also defeat that test with no help from HIPS needed.
2, HIPS doesn't have to be part of the firewall.
That said, of the user running firewalls with enough configuarbility to defeat that kind of test, only a few will bother to do so. "Why bother when the HIPS component does it so well?" Not only are they missing the point of layered security, they're potentially making themselves vulnerable later by relying on just the HIPS to stop such a problem. Right now HIPS, whether it's classic HIPS, community HIPS, sandboxes, whatever kind of HIPS, they're relative newcomers to most users and security setups. They differ significantly from the application firewalling that came before them but didn't get the same recognition. As relative newcomers, they're enjoying that quiet period of time many of the better programs get, that time period during which they appear to be the answer everyone's been waiting for. Then someone finds a hole, which leads to another, then before you know it, someone defeats it. It gets patched, then defeated again, and we end up seeing the same cycle everything else goes thru, move and contermove. If that HIPS was all that protected you from exploits that worked like PCAudit, you've got a big wide open hole when someone defeats the HIPS software. They'll be attacked. PrevX, SSM, PG, all of them will be targeted. All their maintainers will be tested hard. All good software goes thru this. The more popular it gets, the more it will be targeted. Look to Mozilla and Firefox for examples of this. For a while, some thought them bulletproof. We've all seen otherwise. They're finding holes regularly now.
There's one disadvantage to self configuring software that hasn't been mentioned. Whether is a firewall, HIPS, or whatever, self configuring software leads to users who can't configure software. When operating system and security-ware do everything for the user, the user doesn't learn how to do those things. This is one of Windows (and a lot of software that runs on it) biggest weaknesses, though Microsoft portrays it as a feature. You don't have to, we'll do it for you. Software is a poor replacement for user knowlege. The sheer amount of malware in circulation and the percentage of infected PCs proves the point. No one program can do it all. Not SSM, not PrevX, not PG. They're not the solution, only part of the solution.
Rick

 

NOTOK, I wasn't replying to any specific post when I mentioned Prevx. Check out the title of this thread -- the entire thread deals with Prevx, right?

Ergo, I was addressing anyone & everyone who is "considering Prevx1." Namely, I mentioned some of the reasons why I advocate HIPS programs that empower the user with added flexibility in making decisions & defining settings.

In the past few weeks there have been a flurry of posts about whitelists, blacklists, communities, experts, frozen snapshots, and such -- mostly centered around just a few HIPS-type security programs that have sort of become the "flavor of the month." But these types of programs are not all that new, and several of them have been subjected to objective testing rather than simply anecdotal comments. Examples...

14 HIPS tests

4 more HIPS tests

test of DefWall

AV-Comparatives tests of BufferZone & of Safe'n'Secure -- Click "Comparatives" bar. That will take you to a new page. Then scroll down to the list of special reports.

I feel that prospective users of HIPS should research some of the other choices rather that basing their selection mainly upon whatever program happens to be the *darling of the forums* at some particular point in time. Again -- no offense intended toward anyone.

 

As much as I love to bash these forums, one thing I can say is that this forum is pretty open to new security products and people are always willing (too willing if you ask me) to experiment and switch. This is a fact that has not gone unnoticed by security vendors who come here to court users who will champion their product.

That said no doubt this forum has certain *darlings* and there are opinion leaders here who collectively help decide what is popular. As long as these people, remain independent and don't get too hung up on the same products, this is fine.

Formal tests are great, but lacking that, following leaders who has proven to be knowledgable is not a bad idea. In any case, most of the darlings here, don't do that badly in formal tests (probably because formal tests is one of the criteria used for deciding what is popular!), which shows that we are not complete fools, though no doubt high quality entries might fail to be popular for various reasons which have nothing to do with the quality of the product.

For example, whether a vendor comes here to answer questions alone, helps boasts the popularity of the product independent of any other characteristics. If you don't have one here, your chances of becoming popular here is much lowered.

More like favour of the last 2 years. I suspect the creation of the anti-malware forum (a good idea!), consolidated and focused all the posts together (compared when in the past they were scattered around several forums) also helped.

My impression is that SSM has always being semi-popular here even back before it was sold, and PREVX1 has certainly made in roads in the past year or so. And before that Online Armor. Defensewall to some extent as well, though the momentum seem to have died down.

All of the above don't have any thing to be ashamed above when subjected to formal tests.

 

I can't speak for others, but IMHO given your statement opinions on the subject and seeing the direction PrevX1 headed, I wasn't surprised to hear you went over to PrevX.

Yes.

Exactly!!! I have always hated the way people throw around the word "pro-active". As far as I can tell, most people seem to use it as a synonym for not antivirus.

Tell that to the guys who run 2/3/4 HIPS lol.

You make a lot of sense Notok (even for a guy who sold his soul to Prevx lol) and the rest of your post should be required reading for lots of people in this forum.