Whats the diff between SafeOnline vs Trusteer Rapport?

What is the difference between SafeOnline vs Trusteer Rapport?

http://www.prevx.com/safeonline.asp

http://www.trusteer.com/product-0

 

Both aim to protect a browser session against keyboard and screen capture from an already infected machine, a kind of reverse sandbox. In terms of technical implementation, I don't know how they differ but initial testing carried out by MRG suggests that SafeOnline is the more effective of the two.

Tested here: http://malwareresearchgroup.com/wp-...MRG-Online-Banking-Security-Test-Mar-2010.pdf

And here: http://malwareresearchgroup.com/wp-content/uploads/2009/01/MRG-On-Demand-Scan-Test-april-2010.pdf

 

I guess it's a question of who's doing the test, how, and why. I've been testing Prevx for a customer here in Germany for the past few days. While searching for additional information today I came across this thread and thought it's a good opportunity to share some of my findings.

I've managed to find many security holes in Prevx and produced more than 20 different videos for my customer showing how Prevx fails some basic and some more advanced tests. I've loaded a couple of very simple examples here: [noparse]http://www.youtube.com/watch?v=jWS0YPjYnxg[/noparse] and here: [noparse]http://www.youtube.com/watch?v=snWX0SGay90[/noparse]. The more advanced examples I can't share as they involve my own code which my customer owns. But would be happy to share additional freely available tools that bypass Prevx's protection if anyone is interested.

I haven't tested Trusteer.

This is my first post on this forum so apologies if I'm not following recommended guidelines. Thank you.

 

On my system (XP SP3), SafeOnline protects Firefox 3.6 and IE8 passwords against Asterisk Key, which just says "Searching for password edit boxes...No password edit boxes found. Searching open web pages for passwords...No passwords found in open web pages".

I did find, however, that Asterisk Key can read passwords hidden by asterisks as they are entered for credential protection under Safeonline's Advanced tab. It'd be nice if Safeonline protected passwords in its own entry fields as well as it appears to protect them in the browser.

 

can you please share all free tools. this is ok and i think prevx help is interested.
i can nothing say to the video because i'm blind and its no audio

 

but i think more interesting is real malware.
take an banking trojan and test if this trojan can steal your credentials

 

share with Prevx tech support too
https://www.wilderssecurity.com/showthread.php?t=245129

 

After testing some more webpages, I found that SafeOnline does not prevent Asterisk Key from reading passwords in IE8. This may be because Prevx trusts the program, so it doesn't block its behaviour. If that's so, then it doesn't constitute a weakness in SafeOnline's protection.

 

This is indeed the case - AsteriskKey is not considered malicious to Prevx, and there are a number of other similar programs which we intentionally allow to access the browser. If AsteriskKey's techniques were included in banking trojans, however, we would block them from reading browser data.

9501frank - could you please try the newest version of SafeOnline from http://info.prevx.com/download.asp?grab=prevxcsibeta ? We have made improvements to SpyShelter blocking even if the user trusts the SpyShelter test tool so you should see that they are properly blocked now

In terms of the differences between SafeOnline and Trusteer - they are quite wide reaching. Trusteer focuses on protecting single websites while SafeOnline protects all HTTPS websites and all data stored across all of the websites. Users can of course add additional protection for HTTP websites as well in SafeOnline but irrespective of their protection settings, SafeOnline will secure all stored credentials and all credentials being entered or transmitted from browsers.

SafeOnline also leverages the antimalware components of Prevx 3.0 so that even if a threat is able to bypass SafeOnline's protection, it will then be blocked by Prevx 3.0 and can be fully removed if needed.

We would generally prefer to not go into a more technical discussion about the differences under-the-hood between SafeOnline and Trusteer, but please let us know if you have any direct questions.

 

Unfortunately, my testing shows that this is not the case. I've my own code that does exactly what AsteriskKey does and it successfully reads the password. I'll ask for the permission of my customer to release my tool. Also I find it strange that you say you intentionally allow it to access the browser. Your own malware database defines AsteriskKey as "Safety Rating: Uncertain" which makes no sense. I've also debugged your code and there is nothing there that can prevent the technique used by AsteriskKey from functioning. And even if you did allow it to function -this is one big security hole. I've a code sample that automates AsteriskKey and allows me to use AsteriskKey to grab the password and extract it from from AsteriskKey. So anyway you look at it this is not good.

I'll wait for this to get out of beta and for my own version of safeonline to get updated. Hopefully this will happen before I conclude my report. But I guess you do realize that there are other ways of taking screen shots that safeonline doesn't prevent ... I found 3 and I only worked on this less than one day.

 

Prevx - can you share the list of tools you "whitelist"? I will then share the tools that I found to bypass safeonline and are not on your list.

 

I've news here as well. I'm working on a couple of videos and will release them soon.

By the way - here is something you need to be aware of: Prevx overrides functions inside Internet Explorer - apparently to remove unknown malware. Unfortunately it also removes changes made by Antivirus software (I tested with McAfee, Symantec, and Kaspersky). By removing these changes Prevx disables some of the real-time protection of these antivirus products - protections that are there to prevent you from getting infected with malware. This is not good and you should be aware that if you use an antivirus with Prevx then your antivirus is not providing its full protection.

 

Hi 9501frank,

Thanks for your reply and welcome to Wilders.

Will you also be testing Trusteer Rapport? The only tests I've seen so far are the ones carried out by MRG.

 

Last time I tested KeyScrambler, Rapport and SafeOnline, about a month ago, with Elite Key Logger.

- Rapport failed
- SafeOnline failed if elite key logger was installed
- SafeOnline Passed if Elite Key logger was installed after safeonline
- KeySrambler Passed

Hope it might had been fixed until now.

 

Probably - one of my customers is interested in this. I'm waiting for them to approve and prioritize this project. The current project was about Prevx and Avast.

 

I haven't been able to reproduce any issues with Elite Antikeylogger at all so you should be safe to go

 

I don't have this data as the Prevx database has information on literally billions of programs.

We've found dozens of ways around every other security product's browser protection as well so this certainly isn't anything new. None of the products claim to be a silver bullet and obviously can never achieve perfection. If you would please contact us directly with these techniques, we can update our protection to handle them. The Prevx beta version will protect against all SpyShelter techniques and all public leaktests.

We're looking closer at AsteriskKey but no browser protection product could possibly be perfect and SafeOnline leverages the Prevx 3.0 antimalware intelligence as well so a threat would have to bypass literally dozens of layers of security for it to steal user credentials.

Might I add that debugging Prevx is illegal and completely against our copyright so if you wish to continue this discussion, we recommend continuing it privately where we can assist you directly and please cease to interact with any of the Prevx software in an illegal manner.

 

You first said that: "there are a number of other similar programs which we intentionally allow to access the browser." Now it's billions? If your system deliberately allows programs to access the browser then I'm sure it's a small number of programs and not billions.

Not sure what you're trying to say - that you are as bad or good as others? You're tested against your own claims and you claim "Protects immediately - even if your PC is infected". There is a big difference between perfection and something that can be bypassed in a day of work.

I will cease, as requested. I'm sure the bad guys will too.

 

Among the billions of programs, it is hard to find exactly what you're specifically looking for. We've allowed many applications through as they are legitimate but I don't have a list of it just because of the vastness of software.

Our internal testing and tests performed by numerous third party organizations (only some of the reports have been released publicly) have proven time and time again that SafeOnline provides wider and deeper protection over the other browser security solutions but it is still not perfect and we are comfortable admitting that because we've built it upon our other protection layers. If an infection comes out that bypasses SafeOnline's protection, we can immediately eradicate it with the Prevx 3.0 antimalware engine and contact any affected customers while we prepare a fix for SafeOnline's protection.

You portrayed yourself as a tester previously but you have yet to show any degree of interest in proper disclosure of issues or any willingness to work with us to improve our products. Based on the registration of your Youtube account and membership here, it looks as if you have some vendetta against Prevx and one could suspect you are likely working for a competitor of ours looking to "expose" something about Prevx (possibly in retaliation from lost customers?)

If not, we are more than willing to work with you in any way possible to investigate your research further. We have multiple third party firms which we hire on a continuing contracted basis to provide penetration testing of our software to ensure we're succeeding in blocking the newest threats and staying several steps ahead of the malware authors in browser security. Feel free to send me a PM if you'd like to discuss further.

 

It's you that keeps bringing up your competitors, not I, as if people have no other option but to get a product from either one of you. I don't know your competition and I seriously don't care. I suggest you focus on learning and improving from the feedback given instead of being obsessed about your competitors.

 

But...

Apart from cyber criminals and security companies, who else hires someone to make malicious code for him to keep?.

 

Ain't you funny? Or scared? Perhaps both. what do you think authors of malicious code are doing? that user should share the findings for other to know.

 

Thanks.

 

It's a standard security testing procedure. Whenever you test a website or a product you provide the tools or the code to prove your claims. You can't provide a theoretical report with no actual proofs. It's usually required by the customer for a few reasons (1) they want to see that the attack you describe is "real" (2) they want to estimate how easy or hard it is to execute the attack based on the time it took you to develop it. I usually classify both severity and complexity from 1 to 10 on each finding. (3) They want to have the ability to revisit the findings in the future and make sure they were fixed. When they have the tools or the code that does it, it's easier Obviously it's all depends on the customer and how much time and money they're willing to invest in the process. I have a customer for example that tests every single product they use internally and externally every six months. They use 3 different contractors for that and spend a lot of money on it. They also test their websites once a month. Other customers may test something only when they buy it and never test it again, which is really bad as a lot changes over time both in the product and the attacks.

 

Prevx zaps tens of thousands of malware programs every day. Would malware using your code would be treated any differently?

Moreover, Immunity's test of Prevx's browser protection states that "PrevX's 'extrusion prevention' also hooks several APIs in order to prevent any stolen credentials from being sent back to a botnet's command and control machines."

Can your code get round this? Or is it limited to a PC user being able to read his or her own passwords?