Is Prevx vulnerable (the Matousec article)

Discussion in 'Prevx Releases' started by Dark Star 72, May 14, 2010.

Thread Status:
Not open for further replies.
  1. Dark Star 72

    Dark Star 72 Registered Member

  2. Triple Helix

    Triple Helix Webroot Product Advisor

  3. jmc777

    jmc777 Registered Member

  4. Triple Helix

    Triple Helix Webroot Product Advisor

  5. Konata Izumi

    Konata Izumi Registered Member

    My wild guess... NO! Prevx is invulnerable to KHOBE :shifty:
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    You are correct :) Prevx is not vulnerable to KHOBE, which is indeed largely FUD. This is an architectural characteristic of any multithreaded operating system - the "issue" is called 'TOCTTOU' (http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use) and while it can bypass components of many security products, Prevx performs its behavior monitoring in a very different manner so no actual protection compromise can take place from it.

    To be fair, many of the other vendors listed in the Matousec article are also not as vulnerable as they have made it out to seem. They assumed that if a particular call was allowed through, the vendor failed the test, but frankly, virtually no vendors condemn a program from a single system call - it is the overall interpretation of the program.
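
The TOCTTOU pattern named in the post above, as an added example that is not part of the thread and is not code from Prevx, Matousec or any vendor: a single-threaded model of a monitor that checks a request held in caller-owned memory and then acts on it, next to the capture-once form that closes the window. The policy, file names and function names are constructed, and the `window` callback stands in for another thread being scheduled between check and use.

```c
#include <stdio.h>
#include <string.h>
#define NAME_LEN 64
typedef void (*interleave_fn)(char *shared);

/* Constructed policy: requests naming this object are refused. */
static int policy_allows(const char *name) {
    return strcmp(name, "protected.cfg") != 0;
}

/* Stand-in for the real operation: records which name was acted on. */
static void perform(const char *name, char *acted_on) {
    snprintf(acted_on, NAME_LEN, "%s", name);
}

/* Models another thread scheduled between the check and the use. */
static void concurrent_writer(char *shared) {
    snprintf(shared, NAME_LEN, "%s", "protected.cfg");
}

/* Racy: validates caller-owned memory, then reads it again to act. */
int monitor_double_fetch(char *shared, interleave_fn window, char *acted_on) {
    if (!policy_allows(shared)) return -1;   /* time of check */
    if (window) window(shared);              /* buffer changes here */
    perform(shared, acted_on);               /* time of use: second fetch */
    return 0;
}

/* Hardened: snapshot once, then check and use only the snapshot. */
int monitor_capture_once(char *shared, interleave_fn window, char *acted_on) {
    char local[NAME_LEN];
    snprintf(local, sizeof local, "%s", shared);
    if (!policy_allows(local)) return -1;
    if (window) window(shared);              /* too late: copy is private */
    perform(local, acted_on);
    return 0;
}

/* Runs one pattern on a constructed request; 1 means the policy held. */
int policy_held(int (*monitor)(char *, interleave_fn, char *)) {
    char shared[NAME_LEN] = "notes.txt";
    char acted_on[NAME_LEN] = "";
    int rc = monitor(shared, concurrent_writer, acted_on);
    return rc != 0 || policy_allows(acted_on);
}

int main(void) {
    printf("double fetch held=%d, capture once held=%d\n",
           policy_held(monitor_double_fetch), policy_held(monitor_capture_once));
    return 0;
}
```

The decision and the action must see the same bytes, which is why the hardened form never touches `shared` again after the copy.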
     
  7. vojta

    vojta Registered Member

    From what I understand, this was discovered in 1996 and no malware has made use of it yet. So, yes, this is the end of the world... again.
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    :D Laughed out loud at that one - that was indeed our response... it is always surprising when "new" vulnerabilities surface like this and get such a wide following in the news media as well.

    We are adding a new behavior monitoring engine to detect if a threat tries to get around protection of an AV via a "KHOBE"-style method but besides that, we are completely apathetic to it.
     
  9. Dark Star 72

    Dark Star 72 Registered Member

    Many thanks for your usual comprehensive reply, Joe.
    I did realise that there was much FUD attached to this but I was interested in how Prevx implemented their protection and if it was immune to KHOBE or not.
    Nice to see that you are adding a new behaviour monitoring engine 'just in case' though ;)
     