New Prevx POC tested

Discussion in 'Prevx Releases' started by CloneRanger, Sep 20, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    New Prevx POC tested

    XP/SP2

    On my comp this new POC also failed to work, as did all the previous ones. It could be due to Prevx detecting it? But I excluded it from detection and allowed it to run, so I doubt it's that?

    Somehow Prevx & Avira have already got hold of a copy of this new POC, but NOT from me, as I have promised I will not pass it on to anyone.

    Once again I can't explain why these POCs don't work on my comp, but the fact is they do not.

    ******

    EDIT

    As "certain" info was mistakenly included in the screenies I posted earlier, I have removed them all. I know that without the screenies you now just have to take my word that it didn't work, but I can assure you it did not. Sorry for any inconvenience/disappointment etc.
     
    Last edited: Sep 20, 2010
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    **************
     
    Last edited: Sep 20, 2010
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    ***********
     
    Last edited: Sep 20, 2010
  4. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    It's best to test a PoC on a clean machine with only the targeted software installed. IIRC, in one of your past pictures, Process Guard intercepted (auto-blocked) the PoC from manipulating explorer.exe and some other processes. :doubt: Maybe at least disable (from startup) other security software aside from Prevx when testing?
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The "exploit" is now adding itself to load on bootup in the BootExecute key - essentially in kernel mode (native mode to be specific) and has gone down a completely useless route. Rootkit Unhooker itself and every AV will be removed by this technique and it steps over the line of an actual self protection bypass.

    Installing Prevx with a random filename will prevent it from working (as it has done with every attack in the past).

    We already have updated Prevx to defend against this generically (not with a signature, but to prevent the files from being modified) but do not see any benefit in releasing it yet - the update will be included in the next round of updates.

    Until EP_X0FF decides to act professionally and contact us with information on these exploits before releasing them publicly in an unprofessional manner, we are not going to give him the press and attention of the Prevx brand in discussing it. We received the behavioral profile of the sample from our central database and indeed did not receive the sample from CloneRanger.

    Therefore, I'm going to close this thread for now. Feel free to PM me if you wish to discuss or disagree with the closing of the thread!
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I asked PrevxHelp to reopen my thread, at least for a while, as I have an update to include in it. If I'm not able to post, it will completely and permanently leave the wrong impression, which wouldn't be right or fair.

    @ PrevxHelp Thanks for doing so :thumb:

    Thanks for confirming that :thumb: And I have NOT and will NOT pass it on to Anyone, as I originally promised.

    *

    @ thanatos_theos

    I know that's what some people say, but I believe it's not a Truly realistic situation. Malware etc doesn't ask people to do that just so they can try and install/infect! What any malware does to one comp it won't always/ever do to another. I'm not so interested in what it can/can't do to others' comps, only mine.

    I start off with my security on Max to see if/what they block, then one by one disable them and allow whatever through. It's more of a test of my security, rather than testing the malware etc ;)

    *

    UPDATE to the latest POC i ran.

    I have been "reliably" informed ;) that UnPrevx worked, as it did indeed kill pxrts.sys :(

    I agree that it did, and showed that at the time. But what did Not happen was Prevx crashing or shutting down or a total ****up as predicted. Even after rebooting I found Prevx still launched and working.

    I have just retested the POC, and all the above is as was before. What I discovered this time, and I "guess" I may have overlooked last time, sorry, is that even though Prevx is alive, its realtime detection has been halted. However, I am still able to do right-click scans of files and folders. Plus the SOL antikeylogger, web protection etc appears to be doing its job too.

    I installed Prevx with random filenames, so this "could" be why no total ****up?

    I wanted to put the record straight with this post, and I hope I have now. I didn't purposely mislead anyone, or favour any side.

    I believe these POCs and other such harmless tests, like leak/keylogging etc tests, are extremely useful to both users and vendors, in various ways. Speaking personally, I approve of them, as they all go to help us improve our defences, if action is taken of course by everyone ;)
     
  7. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Whatever the result, your test and Prevx's reputation are tainted now because the thread was closed in the first place. Prevx failed so "close the thread". Oh wait, it was a mistake, it passed. Oh goodie - "let's reopen the thread now" :rolleyes:

    IMO - to maintain integrity, the thread should have "remained closed!"
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ tobacco

    Truth told, on my comp, it both passed and failed!

    It failed in realtime detection, but passed in the other respects, as I mentioned.

    If the thread had not been reopened as I requested it to be, people would have been left with the wrong impression, as I also stated, and that would not be right or fair to either Prevx or EP_X0FF.
     
  9. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Yes I understand what you're trying to convey here. But like you said, these poc tests are just "useless"

    It's not real world usage. Anyways, the thread closing and the reopening just didn't sit right with me. I've said my piece ;)
     
  10. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Also guys PrevxHelp (Joe) has already said:

    So I find this topic obsolete at this point ;)

    TH
     
    Last edited: Sep 22, 2010
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Good

    Never! I did NOT say that, I said the opposite :mad:
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    This thread is useless. Prevx or any other security software can be compromised by a targeted attack or malware. If someone claims that Prevx is immune, it's wrong. On the other hand, if there is something like this, it must be fixed as soon as possible.
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Joe already said this in his post ;)
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Exactly :) We've responded multiple times already and this response still holds true: https://www.wilderssecurity.com/showthread.php?t=279719

    In the end, if the customer is able to uninstall software, it must be possible to remove the software. If the user has administrative rights, they, or any software can remove any application - there is no 100% way to prevent this. Frankly, EP_X0FF's current removal tool, which requires a reboot and a program to always be loaded as a critical system process on bootup in native mode that constantly monitors for new processes and kills them, is far more complex and cumbersome than our own uninstall routine.

    I'll close this thread again for the reasons said in the other one - these discussions are irrelevant. The issue has been fixed already (I can send a test version directly if anyone wants to see it) but installing randomized, as said previously, will prevent any of these tests.
     