Prevx OK's rogue AV site

Discussion in 'Prevx Releases' started by CloneRanger, Feb 7, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Prevx is showing this rogue AV site as verified, and https.

    p.png

    "livesoftrock com / purchase?r=57.0"

    avs.png

    It is not ok, or https. Please examine it as soon as you can to help prevent people from getting scammed.
     
  2. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
ummmm... out of NOD, Prevx and MBAM... only MBAM IP protection blocks access to the said site... so :thumb: to MBAM. And a ? for Joe to answer.
     

  3. cet

    cet Registered Member

    Joined:
    Sep 3, 2006
    Posts:
    867
    Location:
    Turkey/İzmir
    WOT blocks that site too.
     
  4. noblelord

    noblelord Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    162
    Location:
    UK
    McAfee SiteAdvisor/Trusted Source also blocked it and has it flagged as red.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Another one.

    "scanner just-protect-pc info / scan.php?campaign=mmb_815609071&landid=6"

    I had to allow scripts for the scan to take place, but didn't install anything.

    p2.png

    p2a.png

As for the https I mentioned in my first post, I now think I may have mistaken the Prevx padlock symbol for an https padlock; if so, I apologise. Confusing, though, I would imagine, for some other people too, probably. Maybe you might consider changing it to a different symbol, like a tick etc.

    sym.png
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Thank you for the report - I will have this added to our blacklist, although "Verified by Prevx" means that the website is resolving correctly, not that it is legitimate.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hey Joe,
    In all fairness, you said 5 months ago on this thread that you thought this green tick for the IP verification could be giving users a false sense of security. You also noted that, "We don't have all of our antiphishing/url-blocking capabilities turned on yet."

    Would you say that you have all of your url-blocking capabilities turned on now? I'm not trying to be harsh. Just wondering if the product is still in development, or were these simply a couple of missed detections?
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    PrevxHelp

    sym2.png

"Verified by Prevx" doesn't mean what I expected it to. I thought it showed you had checked and OK'd it as free from harm etc. I feel many people will be led into a false sense of security, as Page42 pointed out.

"Website protected": if this doesn't mean verified as HTTPS, as I initially thought, what does it show?
     
    Last edited: Feb 8, 2010
  9. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    I'm glad you brought this up.
    I thought it meant the site was safe.
    I guess I need to look further.
    Hugger
     
  10. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
I installed Prevx SafeOnline some days ago and entered about 10-15 malicious sites that I know (including rogue sites). Prevx blocked only 2 sites and didn't detect the other sites. :doubt:
     
  11. jad_123

    jad_123 Registered Member

    Joined:
    Apr 18, 2008
    Posts:
    29
    It appears there is a false sense of security being given by prevx. The Green with Padlock symbol clearly states in the help file:

    "The website and session are being fully protected by Prevx and by an SSL certificate. This is the highest level of protection and provides security over the local data and remote data sent to the destination server."
     
  12. MaxEntropy

    MaxEntropy Registered Member

    Joined:
    May 21, 2009
    Posts:
    101
    Location:
    UK
This is referring to the browser tab rather than to the clip window shown in CloneRanger's post. There's no padlock on the tab for http.

    The help file explains all this in two separately headed sections ("Prevx SafeOnline Browser Tab" and "Prevx SafeOnline Browser Tab Clip Window"). Website protection is explained under "Add Protection/Website Protected".
     
  13. Dr33

    Dr33 Registered Member

    Joined:
    Jan 23, 2009
    Posts:
    103
The IP verification means that the hostname whatever.com resolves to the correct IP and that your DNS server or your hosts file is not poisoned or redirected.

And when it says "protected", it means that whatever you do on that site won't be recorded by any keylogger.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    These are just a couple missed detections - we've been improving the detections constantly, but we're looking to do so in unconventional means: by not using the standard black lists and instead focusing on heuristically identifying malicious websites.

    We're primarily focused on blocking banking phishing websites, in particular, the ones which our current banking clients are using. A website like this rogue AV would be reasonable to get past most URL blocking services because it would require the manual analysis of the software itself and then the subsequent blocking of the address.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Well, just from the few members posting on this thread we learned that MBAM, WOT and McAfee SiteAdvisor/Trusted Source all blocked the sites.

However, I think that the greater issue here is not, "These are just a couple missed detections", but instead the feedback users are giving you along the lines of, "I thought it (the green check) meant the site was safe".

    That's the area of concern, from what I can see.
     
  16. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    exactly.

    Another thing is: I went to this site and selected "buy". Prevx now intervened and I got a pop up with the choices "block" or "ignore". I chose "block" but when I opened Opera I got this same Prevx popup screen again and again.
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
Thanks everyone, I'm clearer now as to what "Verified by Prevx" and "Website protected" actually mean. Not what I and others thought they meant.

The two padlocks might cause confusion, so I suggest keeping just one for HTTPS, and a different icon for keylogger protection, such as a RED key instead.

Visited a well known malware writer's site, downloaded a RAT, and this is what SOL shows.

    r1.png

    r2.png

Of course most people wouldn't do that; I just use it as an example to illustrate that, apart from "IP not verified", it shows exactly the same details as for www.wilderssecurity.com.

I only want to help and try to improve the quality of info shown on SOL. I believe a lot of people out there will take the positive looking display as a green light that everything is ok, when it might not be.
     
  18. noblelord

    noblelord Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    162
    Location:
    UK
I have to say, SafeOnline isn't something that I think the average user would be able to use to great effect easily. It doesn't work "out of the box" - I think it should come with several hundred well known sites (especially banks and financial services providers) pre-loaded instead of needing to be added manually.
     
  19. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    Bit disappointed to hear this about Prevx. I generally assume words like 'site verified' or 'protected' and padlock images indicate safety.

    Here's how NIS2010 notifies. Says 'Site is Safe' in green if safe, 'Site is unsafe' in red if unsafe. Seems simple enough.


    screenshot.jpg
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I can only hope they rethink safeonline and with version 4 dump it and add a sandbox. Prevx is very good but safeonline was a flop. Hopefully they will look at this.
     
  21. noblelord

    noblelord Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    162
    Location:
    UK
    I think SafeOnline is worth keeping, especially for those who use online banking and the like. However it needs to be made clear that SafeOnline makes sure that communication between you and your site of choice is secure, along with an IP blacklist to filter out dodgy sites. SafeOnline is a valuable tool, but only with enough clear information on how to best utilise it, I feel.
     
  22. jad_123

    jad_123 Registered Member

    Joined:
    Apr 18, 2008
    Posts:
    29
    Should I be adding each of my banking sites individually even though the default policy for HTTPS is maxed out?
     
  23. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Really? I think you are speaking for yourself there. There is a real market demand for the sort of protection that SafeOnline offers - just witness the take up of Trusteer Rapport. If there is a problem with Safeonline it is the somewhat misleading representation of what it is protecting in the status tab. But flop? Total nonsense.
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
No :) You will be fully secured on all HTTPS websites with this default policy. The primary use for the configuration is to add individual HTTP websites (i.e. websites like Facebook which primarily use normal HTTP traffic).
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    SafeOnline will warn you very quickly when it detects a problem with the website you're on. For instance, if you do end up landing on a phishing website which we've blacklisted, you'll receive a prompt like:

    block.png

    I honestly don't see where the confusion comes from with the IP Verification: it says: "IP Verification - Verified by Prevx". This means that the IP is verified by Prevx as being resolved to the correct website. The website could still be found as malicious, but you'd see a prompt like the one above if that were the case. The padlock on the browser clip window is placed on a button - clicking that button will secure the user's data while on that website. It is very likely that you will see "Verified by Prevx" on a phishing or malicious website because that website itself will not be being phished. If a phishing website was being phished, however, you'd receive a full-screen warning (whether that is from a poisoned DNS server, HOSTs file change, or other man-in-the-middle attack).

    I believe we explain this fairly clearly in our help file for SafeOnline which is viewable here: http://info.prevx.com/safehelp.asp

    Regarding missing websites in our blacklist: blacklist based prevention is highly ineffective at best. The root of the issue is the speed with which accurate determinations can be made on websites. We tried some of the common blacklists but found far too many false positives and no real added benefit on top of what our users would already receive by using IE's or Firefox's filtering.

    Instead, we offer two different approaches: first, we provide a more heuristic approach to blocking URLs than many services which has its advantages and disadvantages. For our affiliated banks/financial institutions, we offer very strong protection based on their known-good IP addresses and domain names. We still do provide basic URL filtering but the battle of trying to update a blacklist of URLs was immediately outdated as soon as it started - the volume of new malicious URLs far exceeds the volume of new malware and malware blacklisting became outdated far before it reached its current volume :) Therefore, we strongly recommend using the Credential Protection functionality under the Advanced tab within SafeOnline's configuration.

    This function will lock your specific credentials down to a website and will show a warning if you try and enter them elsewhere. This will immediately block any phishing attempt if the user actually tries to be phished. We aren't looking to receive perfect scores on blocking all phishing URLs, but our goal is to block the phishing itself, which starts at protecting the credentials rather than trying to keep up with the phishers who can register thousands of domains an hour.

    Please let me know if something is still unclear or if you'd like any other clarification on it! :) I'm definitely keen on clearing up any misconceptions or helping to clarify the graphical functionality.
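To make the two distinctions in this thread concrete (Dr33's description of IP verification as "the hostname resolves to the correct IP and your DNS or hosts file is not poisoned", and PrevxHelp's description of Credential Protection as locking a credential to one website and warning when it is entered elsewhere), here is an added illustrative example in Python. It is not Prevx's code and does not reproduce SafeOnline; the bank name, IP addresses and hosts-file lines are constructed, and the "site" logic is a simplification (last two DNS labels).

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed known-good table for a hypothetical bank (not real addresses).
KNOWN_GOOD_IPS = {"bank.example": {"203.0.113.10", "203.0.113.11"}}

def parse_hosts(hosts_text):
    """Parse hosts-file text into {hostname: ip}; the last entry for a name wins."""
    table = {}
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments, then tokenize
        for name in parts[1:]:
            table[name.lower()] = parts[0]
    return table

def resolve(hostname, hosts_text, dns_answer):
    """Resolver order as on most hosts: a hosts-file entry overrides the DNS answer."""
    return parse_hosts(hosts_text).get(hostname.lower(), dns_answer)

def ip_verification(hostname, resolved_ip):
    """'verified' only says the name resolved to an IP known to be genuine for that
    name (no DNS/hosts tampering); it says nothing about the site's content."""
    good = KNOWN_GOOD_IPS.get(hostname.lower())
    if good is None:
        return "unknown host"                      # nothing known-good to compare with
    return "verified" if resolved_ip in good else "not verified"

class CredentialGuard:
    """Bind a credential to the site it belongs to; warn when it is typed elsewhere."""
    def __init__(self, secret):
        self._secret = secret
        self._bindings = {}                        # HMAC tag of credential -> bound site

    def _tag(self, credential):
        # Keep only an HMAC of the credential, never the credential itself.
        return hmac.new(self._secret, credential.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _site(url):
        # Simplification: the last two labels are the site (www.bank.example -> bank.example).
        return ".".join(urlsplit(url).hostname.lower().split(".")[-2:])

    def bind(self, credential, url):
        self._bindings[self._tag(credential)] = self._site(url)

    def check(self, credential, url):
        bound = self._bindings.get(self._tag(credential))
        if bound is None:
            return "unknown credential"
        site = self._site(url)
        return "ok" if site == bound else f"warning: credential for {bound} entered on {site}"
```

A tampered hosts file makes the bank "not verified" even though the page itself is genuine, while a look-alike domain with a clean DNS answer passes IP verification and is caught only by the credential binding; that is the split between the two features the thread discusses.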
     