Prevx bypassed !

Discussion in 'Prevx Releases' started by CloneRanger, Aug 4, 2010.

Thread Status:
Not open for further replies.
  1. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    hahaha :D nope, we didn't implement it yet, it's a new feature of Prevx 4.0 :D
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    OK, maybe I'm lucky, or it's due to the way I've set this comp up.

    So not new.

    Very good :thumb: but would this then result in endless looping ?

    @ EraserHW

    Don't forget my copyright fees :D
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It depends on what the threat was to try to do, but at that point we would easily regain control of the system and wouldn't constantly try looping as long as we're loaded.

    Another area worth pointing out is that all of our drivers are still loaded - it is merely killing off the usermode components temporarily. We certainly can make the drivers directly attack the threat if wanted (or dare I say, just reboot the PC and everything will return to normal :D) but as I've said, it is all a bit useless anyway :)
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ PrevxHelp

    Sounds reassuring :)

    I suppose you're not expecting too much grief from the newer POC ?
     
  5. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Updated UnPrevx successfully terminating Prevx3 executables (build 187 from 05 August 2010) from pure user mode, anywhere on x86-32.

    Guys, what are you doing? lol, this is beginning to look like a real joke? lol


    i_can_hook_o_O_i_can_hook
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Looks like Prevx actually heuristically blocks this one beforehand... and if you wait 10 seconds, you'll see that Prevx reappears :)
     
  7. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    PrevxHelp, it is not enough just to put it in a blacklist; with code + it disappears from the HDD.

    This is very good when somebody is doing your work. Instead of using/creating an efficient fuzzer, Prevx seems to be trying to fix what others discover. Although it is good that this gets fixed.

    Does the joke continue?

    i_can_hook_o_O_i_can_hook

    PS: greetings from El Buono to nV 25
     
    Last edited: Aug 5, 2010
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Just tried the latest POC, and it worked :(

    1.gif

    p-g.gif

    Put PG in learning mode so it then allowed it

    2.gif

    3.gif

    cu.gif

    Prevx has NOT restarted since I did this test about 20 minutes ago ? :eek:

    Surprisingly, both test attempts never raised a peep from PEG ?

    Avira intercepted it, but I allowed it. They were quick :thumb:
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you try this from a fresh install of Prevx 187? If you uninstall/reinstall directly with 187, it will block it and restart automatically :)
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I could, but I don't want to **** up my settings :p I've got the FB PSOL installed. If you give me a link to the latest FB version, maybe by PM if you wish, I'll consider it for you.

    Could I save/copy my settings and then import them into the new install ? If so, what/where are they ?

    All well and good if it does, but previously it was stated that my existing version would
    Why hasn't it ?
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The Facebook version doesn't show warning messages or block samples until after a review period, as it is intended for SafeOnline use by non-technical users who want to protect their accounts without having to deal with malware infections. If you raise the heuristic settings, it will block it, but otherwise it intentionally does not warn.

    You unfortunately can't backup settings and the automatic restarting was introduced in the new updates (.187) but is only applied on a new install currently to prevent any issues from cropping up from AVs blocking the creation of the auto-restart entry.

    It would require still losing your settings, but if you uninstall/reinstall the normal Prevx 3 download link, I can get you a license that will provide the same functionality as the Facebook version but will include the normal Prevx 3 warnings (or just raise the heuristic settings which will take you out of "non-technical user" mode).
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Bummer :(

    Terrific :)

    It's a deal then, will do, and then I'll retest and post the results.

    Thanks
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Retest of UnPrevx v1.0.187.2600.exe POC on the latest version of Prevx 3 with SOL.

    Uninstalled the previous version, but found these still in here ?

    left.gif

    Started the uninstall, presume this is due to the Stuxnet etc. tests I did ?

    caut.gif

    Installed

    prvx.gif

    As soon as I opened the UnPrevx folder

    det.gif

    Ran the 187 test and got ALL the previous alerts/prompts etc. from my sec apps, then

    hell.gif

    Oh no :eek: it's got me again, disaster, but wait, what's this I see, Prevx is still running in my taskbar, and it didn't even have to close and restart either :thumb:

    It's a miracle, or something :D Hope you're pleased, I am ;)

    Thanks for the Licence :thumb: :)

    Let's not forget that Zemana :thumb: played a key role in preventing the POCs, as did ProcessGuard :thumb:

    So we live to see another day, I wonder what tomorrow "may" bring :D

    By the way, did Prevx detect etc on just file name etc, or via more techy ways ?
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Glad to hear it :) We were actually alerted of the existence of the sample via a back-end process within our database that looks for mismatched executions of Prevx (i.e. if Prevx was running, then wasn't running but wasn't stopped by itself). This then flagged the unknown programs that had been executed in that session to our database and we were able to proactively identify the new version, which was then further detected by a few heuristic signatures it looks like.

    Admittedly, this process is not able to be tested too frequently as there haven't been threats that bypassed Prevx before, but it was certainly nice to see that the fall-back systems work :D
     
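    The back-end "mismatched execution" check that PrevxHelp describes in the post above, as an added example that is not Prevx's code: it walks per-session telemetry, flags any session where the agent was seen running and later seen missing with no orderly stop recorded in between, and lists the unknown programs that ran while the agent was up. The log format, event names, and sample records are all constructed for this example.

```python
"""Flag sessions where a protection agent vanished without its own stop record.

Added example (not Prevx code). Telemetry format and event vocabulary are
constructed for illustration:
  agent_up       agent reported itself running
  agent_stop     agent recorded an orderly shutdown (user action, update)
  agent_missing  a later check found the agent not running
  exec           a program ran; rep is known_good / known_bad / unknown
"""
from collections import defaultdict


def parse_log(text):
    """Parse constructed 'timestamp key=value ...' lines into dicts, ordered
    by session and time so each session's events are replayed in sequence."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    records.sort(key=lambda r: (r["session"], r["ts"]))
    return records


def find_suspect_sessions(records):
    """Return {session: [unknown program paths]} for every session in which the
    agent went from running to missing with no agent_stop event in between."""
    running = defaultdict(bool)        # session -> agent currently believed up
    unknown_execs = defaultdict(list)  # session -> unknown programs since last agent_up
    suspects = {}
    for rec in records:
        sid, kind = rec["session"], rec["kind"]
        if kind == "agent_up":
            running[sid] = True
            unknown_execs[sid] = []    # only programs run while the agent is up matter
        elif kind == "exec":
            if running[sid] and rec.get("rep") == "unknown":
                unknown_execs[sid].append(rec["path"])
        elif kind == "agent_stop":
            running[sid] = False       # orderly stop: nothing to flag
        elif kind == "agent_missing":
            if running[sid]:
                # Agent disappeared without recording its own stop: flag the
                # session together with the unknown programs from that window.
                suspects.setdefault(sid, []).extend(unknown_execs[sid])
                running[sid] = False
    return suspects


# Constructed sample telemetry: session A loses its agent after an unknown
# program runs (and the agent comes back 10 s later); session B is a clean
# shutdown, and its unknown program that ran before the agent was up is ignored.
SAMPLE_LOG = r"""
2010-08-06T10:00:00 session=A kind=agent_up
2010-08-06T10:00:05 session=A kind=exec path=C:\Windows\notepad.exe rep=known_good
2010-08-06T10:01:00 session=A kind=exec path=C:\Users\test\sample.exe rep=unknown
2010-08-06T10:01:02 session=A kind=agent_missing
2010-08-06T10:01:12 session=A kind=agent_up
2010-08-06T09:00:00 session=B kind=exec path=C:\Users\test\before_up.exe rep=unknown
2010-08-06T11:00:00 session=B kind=agent_up
2010-08-06T11:05:00 session=B kind=exec path=C:\Users\test\other.exe rep=unknown
2010-08-06T11:30:00 session=B kind=agent_stop
2010-08-06T11:30:01 session=B kind=agent_missing
"""


if __name__ == "__main__":
    for session, programs in find_suspect_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"session {session}: agent lost without stop; unknown programs run: {programs}")
```

    The candidates this produces are only leads: the flagged programs still go to normal analysis, which is the step the post describes as the heuristic signatures picking up the new version.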
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ PrevxHelp

    You're happy, I'm happy, let's have a party :D

    About the left over files from the uninstall.

    I renamed the folder before uninstalling so I could delete it if required, thinking that, as you said no settings would be saved, it would be of no use. Also so that the new install wouldn't have any "potential" issues with a same named folder.

    Should that folder have been uninstalled automatically, if so why wasn't it ?

    If not what purpose does it serve to a new install ?
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Those files hold some parts of the configuration, but indeed they should have been removed automatically (although they would be recreated upon reinstalling). I'll take a look as to why they would have persisted through :)

    Thanks!
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
  18. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I think it's great that this malware exists. It points at weak spots and it's great that they are exposed. It'll harden Prevx even more in the end but puts a question in my head; is Prevx self-protection really as strong as it originally claimed to be? A small update to the malware and it succeeded in nuking Prevx again. Good job and kudos to the malware developer! We need more of this! This is better than some malware doing the same thing while actually putting nasty things on the computer at the same time.
     
    Last edited: Aug 6, 2010
  19. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    Getting a bit concerned reading this thread. We are assuming that the authors of this UnPrevx.exe are not 'bad', but what if the 'bad guys' start using it to disable Prevx, without the user's knowledge, and obtain personal data? Can't prevx warn when Unprevx is around?
     
  20. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    They change the code enough for it not to be detected, but if anyone gets them, send them off to Prevx!!! https://www.wilderssecurity.com/showthread.php?t=245129 To me and the Prevx mods it's just a game, as it only works on XP https://www.wilderssecurity.com/showpost.php?p=1724319&postcount=14 and Prevx will restart if it does get shut down by UnPrevx variants, and soon they will be detected and blocked by Prevx until the malware writer gets fed up with this game! IMHO ;) Believe me, as soon as the new variant is detected Prevx will be on it ASAP https://www.wilderssecurity.com/showpost.php?p=1724360&postcount=24

    TH
     
    Last edited: Aug 6, 2010
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ PrevxHelp

    Hi, a couple of things. This time round I chose to randomise the Prevx file names, great feature to have :thumb: When I installed earlier I put PG in learning mode for a while to enable it to remember Prevx's actions, then unticked it. On booting up today PG blocked this

    ran.gif

    So I put PG back in learning mode and rebooted so it could learn that. As this particular event didn't happen earlier I'm wondering, is the randomisation fixed on install, or do the names change on boot ?

    Also I've had a number of problems gaining access to the GUI due to this

    pwin.gif

    I was able to get in after several attempts, all with the correct PW. This bug seems to be sporadic, sometimes it works, other times not ?

    The good news is, I have not seen any high CPU usage, as reported by some people.

    RE - Left over configuration files. I can safely remove these now, yes ?

    *

    @BoerenkoolMetWorst

    My test in post 38 was with the latest 187 POC and Prevx passed ;)

    @shadek

    I agree, it's infinitely better that non-malicious POCs such as these are released, rather than real nasties. This way vendors can make the appropriate changes needed. Though not many will respond as quickly as Prevx has/does. The way they have detected/fixed it is open to question - http://www.kernelmode.info/forum/viewtopic.php?f=15&t=249&start=20 - but it works.

    I believe Prevx are open to/welcome constructive criticism, not all vendors are.

    @silverfox99

    EP_X0FF who coded UnPrevx isn't bad at all, he's one of the leading malware researchers and ARK coders in the world. He, along with a few others, coded one of the best ARKs, Rku = RootKitUnhooker. If he was on the dark side instead of ours, we would have a lot more to be concerned about. He now works for MS :D
     
  22. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Are you saying that Prevx would restart itself if both Prevx tasks are terminated ?
    Without a reboot, of course.
     
  23. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    @CloneRanger: Agreed. Prevx are very open with this issue and I like it. On a side note, here's some more information about the thoughts of the creator of UnPrevx.


    "EP_X0FF » Thu Aug 05, 2010 4:53 am
    Any AV product without a HIPS component is vulnerable and has weak self-protection.
    Prevx just has the worst self-protection I've seen of all the AV products I've tried.
    Definitely this helps them to improve. Some sort of motivation. However, everything I used before and in the next release has been well known for ages.
    It is very strange that Prevx's self-protection authors don't know these methods. They must still be testing programs with APT, which is total trash."
    - Kernelmode.info


    As previously stated, kudos to the maker of this UnPrevx. It shows a weakness I never thought Prevx would have when it's basically claiming to be impossible to terminate. :) This makes me look forward to Prevx 4.0 even more! I think the dev team of Prevx are very busy thinking out their next move, which needs to come very soon.
     
    Last edited: Aug 6, 2010
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Let me just emphasize here that it has NOT passed :) If you've noticed CloneRanger's tests, Prevx restarts itself automatically :)

    The randomization is fixed on install - but indeed it is a very strong feature of our self protection as well :)

    It is case sensitive - could there possibly be a different cased character? We unfortunately (or fortunately :D) don't have a way of getting at the password when it's set - it might be worthwhile resetting your password to something easy to test and if you see it happening on some screen, let me know :)

    Yes you can :)

    We are well aware of what EP_X0FF "wants" us to add as self protection but we don't want to go that route at the moment. These exploits are only relevant on XP and we already have much stronger self protection built on Vista/7/2008. The method of hooking that EP_X0FF is expecting is highly unstable and is the cause for a good deal of the issues seen by other antivirus products. Therefore, the solution we have in place right now which restarts the product automatically is far more effective :)

    Well, I suppose there are degrees of legitimacy :D I agree that RkU is a very good antirootkit program... but him working at MS has been one great rumor and his irresponsible disclosure of these "vulnerabilities" shows that he enjoys his black hat much more than his white/gray one :) We pay researchers for testing us in the manner that he has been... it's unfortunate for him that he would go the route of testing like this... but to each his own :)

    As I mentioned above, EP_X0FF is living in a world of Windows XP. On Vista/7/2008, we have extremely strong self protection, and his tool immediately exits if it detects those operating systems. Because Prevx tries to exist with perfect compatibility between it and EVERY other security product, it has to make some changes with how it works on Windows XP, which does not offer the kernel-side functionality that the newer OSes do. If you recall, Prevx had self protection disabled entirely by default when Prevx 3.0 was first released just because we were focused on achieving compatibility as wide as possible.

    We do appreciate the testing that EP_X0FF is doing, but it is still a bit illogical in comparison to the end goal of bypassing a security product. Disabling the AV is probably the most obvious thing that a malware infection can do and if it is already on the system with full, debug-level access to memory, the hard disk, and kernel mode (as this example requires), I honestly can't see why it would bother killing the AV :)
     
  25. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Good informative post. Thank you!
     