Prevx as an anti-executable

Discussion in 'other anti-malware software' started by ako, Apr 23, 2009.

Thread Status:
Not open for further replies.
  1. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
    I lift this here:

    Doesn't Prevx with age/population heuristics set to "maximum" give a very nice replacement for Processguard/AE as an anti-executable?

    It's at least very convenient to use: the number of unnecessary alarms with setting age/population heuristics as "high" has been very small for me.

    Is prevx used by this way for some reason less secure than Processguard/AE?
     
  2. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
I would think so - if your internet connection is disrupted or you are offline, for example... a "proper" AE would still block unknown executables, however I am not sure what Prevx would do as it doesn't have the latest data on age/spread at the time when you are offline.
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
If I am offline, I ain't using my computer.
     
  4. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    527
    Location:
    USA
    Try Returnil's anti-execute function as a replacement. It monitors for driver loading as well.
     
  5. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
    Shouldn't Prevx stop also loading of unknown drivers?
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, we block the loading of drivers/executables/modules/etc. - however, a note on the topic: maximum settings won't be quite as "secure" as an antiexecutable solution if your goal is really to block everything. Even at the maximum level, Prevx won't warn on EVERY program - heuristics and rules are still applied which make it imperfect but everything in security is a balance. I personally don't agree with antiexecutable systems just because of the large technical sophistication required to actually make informed decisions, but that's another topic :D
     
  7. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
    What is the probability to execute malware if I set age and population heuristics as

    a)high
    b) maximum

    I guess it is in both cases very small. Of course, when I'm warned, I still have to decide what to do. Allow or not.
     
  8. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I don't follow you.

I would think there are 2 separate scenarios here.

1) You are browsing the internet and get a warning. In AE v2 that is a definite block (in fact you have no option to allow it).

2) You are installing something. In AE v2 you have to disable AE to do this. Therefore I always test a program before I install it, with a high-heuristics AV locally and an online scanner.
    If I'm really unsure of it , I take a backup.
    Then check what is happening afterwards on my PC.

    There are lots of other ways to do 2) , but for 1) AE will block a lot of real-world threats.
Up-to-date software & browser will catch most of the rest.
     
  9. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
    In Prevx too "deny" is the answer here.

Here I just start installing. Prevx will then tell me (with age and population heuristics) whether it is a potential malware file. Only here I have to decide what to do. Allow or not.
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ako,

    There is a less intrusive combo to create using DefenseWall in combination with PrevX looking at the most recent files with the highest settings. When you trust a program and install it, PrevX will scrutinise its behavior and fingerprint (like you outlined).
     
  11. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
Indeed! That's my favourite combo: Prevx+DW.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ako,

Thx for your long list of security apps, it made me try out Trust-No-Exe again, an anti-executable filter addition to XP.
     
  13. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
    :) You are welcome!

    By the way, you have given many interesting hints in your various set-ups.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Excellent clarification here!

    The term "Anti-execute" is thrown around so much that it means different things to different people. The user needs to define what she/he wants in such a program. Without that, its use invites unwarranted criticism from those who have a different idea in mind as to what anti-execute means.

    When I set up a home system for a family, for example, I want something that will Deny by Default any attempt to download/install a program or software (an executable) without the permission of the Administrator/Owner/Parent. This falls into Joey's first scenario.

    Consider these three screenshots of an alert in a drive-by download test I set up last year (real malware here!):

[screenshot] ProcessGuard

[screenshot] Software Restriction Policies

[screenshot] Faronics Anti-Executable v.2


    SRP and AE are Default-Deny: the user cannot proceed to download/install w/o getting permission. This is as it should be, for in this case, the user did not go looking for this file, so there is no reason to permit it.

    I have never seen any problems or conflicts with this approach. It is bullet proof protection in the scenarios that it was set up to protect.

    If Prevx offers this type of default-deny protection, then it is certainly a product worth considering for this scenario!

    In the other scenario, as Joey points out, if the user wants to download a program, then permission can be granted and the protection turned off. At this step, this type of anti-execution protection is out of the picture.

    Other means of determining whether the file to install is good or bad are available for that, ranging from one's own sense, -- trusting the source of the download/purchase, etc, -- to scanning.

    Neither is 100% reliable, so I've never understood what the fuss is all about. You trust your judgment, or you trust your scanner. You choose the method that gives you the best peace of mind and comfort.

    ----
    rich
     
    Last edited: Apr 24, 2009
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Here is an off-line scenario for which I require Default Deny protection on a family computer.

    Youngster in the family receives an email with attachment. Knows that opening is a No-No, but it claims to be a picture of Osama bin Laden...

    Closes email, goes off-line, decides to open the file. A picture can't hurt anything, right?


[screenshot: picsscr.gif]


    http://www.f-secure.com/weblog/archives/archive-062005.html


Here, only the parent can open/run/install any executable not already on the computer.


    ----
    rich
     
    Last edited: Apr 24, 2009
  16. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Could someone expand on what age and population heuristics are ?

    Sounds interesting
    Is it if a piece of software has been released recently ?
    Is it if a piece of software has a large install base ?

     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes and yes :) These heuristics will come close to an anti-executable solution if you set them on maximum, but they still aren't 100% anti-executable.

To respond to your post, ako: the chance of malware slipping through on maximum settings is very low, but if you really want an anti-executable solution, I think it would be best to use an anti-executable alongside Prevx 3.0 so that you get the initial block as well as a more accurate detection of whether the file is malicious in the event that you clicked Allow on malware.
     
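The distinction the thread keeps circling (post 14's default-deny anti-executable versus post 17's age/population reputation heuristics, plus post 2's worry about what happens offline) is easier to see as a small decision model. The code below is an added illustration written for this page; it is not Prevx, ProcessGuard or Faronics code, and the thresholds for "high" and "maximum", the sample hash-reputation table and the choice to prompt when no reputation data is reachable are all assumptions made up for the example. It generalises the thread's three cases into one function so the policies can be compared on the same inputs.

```python
"""Toy model of three execution-control policies discussed in the thread.

- "default_deny": a local allowlist, as an anti-executable or SRP would do.
  Needs no network data, so it behaves identically offline.
- "high" / "maximum": cloud reputation heuristics on how long a file has been
  seen and how many machines run it. Assumed thresholds, not a vendor's.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not real hashes or telemetry): file hash ->
# first time the community saw it, how many machines run it, known-bad flag.
NOW = datetime(2009, 4, 24)
REPUTATION = {
    "sha256:aaa": {"first_seen": NOW - timedelta(days=900), "population": 2_000_000, "known_bad": False},  # ubiquitous system binary
    "sha256:bbb": {"first_seen": NOW - timedelta(days=3),   "population": 12,        "known_bad": False},  # brand new, rare
    "sha256:ccc": {"first_seen": NOW - timedelta(days=400), "population": 250,       "known_bad": False},  # old but niche
    "sha256:ddd": {"first_seen": NOW - timedelta(days=1),   "population": 5,         "known_bad": True},   # known malware
}

# Assumed thresholds: "maximum" prompts on anything that is not both old and
# widespread; "high" tolerates younger and rarer files to cut down on pop-ups.
THRESHOLDS = {
    "high":    {"min_population": 100,  "min_age_days": 7},
    "maximum": {"min_population": 1000, "min_age_days": 30},
}


@dataclass(frozen=True)
class Verdict:
    action: str  # "allow", "prompt" or "block"
    reason: str


def decide(file_hash, level, online=True, allowlist=frozenset(), now=NOW):
    """Return the Verdict a given policy level produces for one file."""
    if level == "default_deny":
        # Pure anti-executable behaviour: only pre-approved files run, and the
        # decision never depends on network reachability.
        if file_hash in allowlist:
            return Verdict("allow", "on local allowlist")
        return Verdict("block", "not on local allowlist (default deny)")

    if level not in THRESHOLDS:
        raise ValueError(f"unknown policy level: {level}")

    if not online:
        # Assumption for this model: with no reputation data, fail closed to a
        # prompt rather than silently allowing. The thread does not say what
        # the real product does here.
        return Verdict("prompt", "reputation data unavailable offline")

    rec = REPUTATION.get(file_hash)
    if rec is None:
        return Verdict("prompt", "never seen by the community")
    if rec["known_bad"]:
        return Verdict("block", "known malicious")

    t = THRESHOLDS[level]
    age_days = (now - rec["first_seen"]).days
    if rec["population"] < t["min_population"]:
        return Verdict("prompt", f"population {rec['population']} below {t['min_population']}")
    if age_days < t["min_age_days"]:
        return Verdict("prompt", f"age {age_days}d below {t['min_age_days']}d")
    return Verdict("allow", "established and widespread")


if __name__ == "__main__":
    for h in REPUTATION:
        for level in ("high", "maximum", "default_deny"):
            v = decide(h, level, allowlist=frozenset({"sha256:aaa"}))
            print(f"{h} {level:13} -> {v.action:6} ({v.reason})")
```

Run as a script it prints one verdict per file and policy. The point to notice is the row for `sha256:ccc`: an old, legitimate-but-obscure tool passes at "high", prompts at "maximum", and is blocked outright under default-deny until someone adds it to the allowlist, which is exactly the trade-off between pop-up volume and the "block everything unknown" guarantee that PrevxHelp and Rmus describe.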
  18. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
Thanks for answering. I'm quite confident now that Prevx gives almost the protection of an anti-exe without its defects (many hard-to-answer pop-ups are a problem with PG and AE 3.x, for example; this might not quite be the case with AE 2.x, though). I will keep the setting "high", which seems an optimal choice: high security with a minimal number of pop-ups.
     