Prevx RC 3.0.4.183

Discussion in 'Prevx Betas' started by PrevxHelp, Sep 4, 2009.

Thread Status:
Not open for further replies.
  1. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Joe

    Had a good read of the article and its findings re. impressive in terms of what the review covered but one small question; I noticed the following:

    CANVAS:

    Without v3.5 - Was able to get screenshots, keylog data
    With v3.5 - Was unable to do so unless PrevX configuration modified to non-default Medium setting.

    I run with the setting at Minimum. Is there any need for me to change that to Medium or are there plans afoot to make the detection work with the Minimum setting (if that is technically possible)?

    Cheers


    Baldrick ;)
     
  2. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Joe

    Apologies for the bombardment but just another little question; the beta comes set up with protection for https://* protection, and I can see why given that it is mainly on those sites that one might be entering something via a website that a miscreant program might consider stealing. However, in your opinion is there any point protecting http://*, i.e., all non-secure sites, other than for reasons of paranoia?

    I have set this latter setting up for testing purposes as it allows the best interaction between test material and Prevx. I have seen no ill effects so far...and as far as I can see from initial tests browsing speed is not perceptibly affected...so it may be a keeper in terms of fuller protection...but is sensible to do.

    Just interested in your learned view...as ever :D

    Back to the testing.

    Cheers again


    Balders
     
  3. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Joe

    Another observation and possible conflict...but I can see why it might happen. I use KeePass to store my logon credentials, amongst other things, and by using an add-on app called KeeForm which is an extension for KeePass that can launch web sites, scan for user name and password fields, and fill in that information for you automatically:

    More info on the app from here: http://keeform.sourceforge.net/

    I have it set up to carry out this function for a couple of secure websites and since the start of my use of the Secure Web Browsing feature in Prevx the whole process does not complete successfully or KeeForm gives me an error message mid process. Nothing serious that cannot be handled manually without too much trouble but nevertheless an incompatibility that I thought it would be worth reporting.

    Whilst KeeForm can still call up the web page, scan for user name and password fields, and fill in that information for you automatically previously it was able to automatically advance to the next web page where information MUST be entered manually. But now the auto advance (which is configured in the parameters of the command that is run by KeePass when requested) is now blocked...or so the message from KeeForm indicates that.

    As I said at the beginning, I can understand why this might occur, given what the Secure Web Browsing feature is designed to do, and it is no big deal but it would be nice if there was some way to resolve this.

    I am sure that KeePass/KeeForm is not the only Password Manager that offers this sort of functionality and so if it affects others similarly might it be possible to consider some sort of cloud-based White List for these sort of applications so that what they do is not interfered with? Just a thought but, and this is my personal view, if such a feature would compromise overall security/cause a drag on Prevx's performance (which is superb ;) ) then let's forget the idea.

    Yours humbly


    Baldrick
     
  4. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    1. IMO the Blacklisted Domain-alert should have a checkbox saying something like "I know the risk involved and want to proceed" and that the user has to check this one before being able to push the Ignore-button.

    2. What about HTTP and other protocols, like FTP, etc.? I would definitely want protection for any other protocol than HTTPS as well - just logging into forums comes to mind straight away.

    3. Can I add other applications to be protected - non-browser applications, that is? Games for example?
     
    Last edited: Sep 5, 2009
  5. BrendanK.

    BrendanK. Guest

    Raven, HTTP, FTP etc can be added. However, the user must configure it.
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    ... :p
     
  7. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Indeed they can and I think that it would be useful for some expert (and I am not such a person) either in the forum or from Prevx...to kindly offer some guidance or even some template settings for http and ftp, I have currently got a user defined entry set up to cater for all http, ie, http://*, which I have based on the default https:// provided.

    Any takers out there? ;)

    Hopefully, as I get a little more au fait with the functionality I will be able to tweak this user defined entry appropriately.

    And I suspect that I can most probably get round the issue I posted earlier, ie, with KeeForm running under Prevx, by setting up a URL-specific entry for the URLs where I am likely to use KeeForm...but that will take some experimenting.
     
    Last edited: Sep 5, 2009
  8. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Joe

    Don't know if this is a bugette but the Secure Web Browsing-related tab does not seem to allow/reflect the status of the expanded dialog especially when IP Verification Status is 'IP to be verified...' which is yellow/amber in the expanded dialog but still shows as Green & Ticked in the tab. It does change to the right colour/symbol once verification has been carried out based on whatever the verification finds...as far as I can see...but it is possible for someone to see Green/Tick initially and then not notice the change to Blue/Exclamation Mark (which does not seem to generate a popup...is that correct?).

    As I said, don't know if that is important but my suggestion would be that for a site not yet verified the tab starts as Blue/Exclamation Mark or perhaps Yellow/ a 'V' to indicate verification is in progress.

    Just a thought!

    Cheers



    Balders :D
     
    Last edited: Sep 5, 2009
  9. guest

    guest Guest

    Prevx 3.0.4.183 crashes often 'out of the blue' here, sure it 'repairs' itself after that coming back with green light, but I thought I'd let you know. This WinXP Pro SP3 screen was captured with Hypersnap TextSnap function, normal screenshot didn't work (because of that blocking function of Prevx I believe .. screen was black for the program.)

     
  10. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Hi Joe.

    Why do I have to add protection for each single website? What about a checkbox to do that for every website?
     
  11. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I have some issues here. System is Vista Home with FF 3.5.2.

    I installed the Beta over the existing version.

    First I tested the Secure Browser with sandboxed FF. Everything works fine. The quick scan was started before I could log in.
    After that I tried it on another site. The quick scan starts as normal. I hit "stop scan" and logged myself in.

    After that I tried it with normal FF without sandboxie. It works (shows the PrevX tab) but the quick scan is not running but the config for that site says it should be.

    Now I do not get the PrevX Tab in sandboxed FF. Only in normal FF but the quick scan does not work.
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is a "feature" :)P not trying to be annoying but it is intentional :D) - if you abort a scan, we won't try and rescan the next time around. However, I think this may be confusing to users who are expecting the scan to start - I'll see what changes we can make for this :)

    I suspect there are some issues when dealing with sandboxed browsers. It is our goal to eventually support them but there are many areas which need to be handled quite differently.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    By default, https websites are protected. HTTP websites are inherently far less secure than https because of the lack of security on the data coming from the client PC to the server, which is why we don't show a Green tab by default or automatically protect http.

    You can configure it to protect all http websites, however, by clicking the tab, click Configure, All Websites, type http://* and then click Add and tick the boxes as desired.

    You can also protect a single website on-demand by clicking the Tab and then clicking Add Protection, which will immediately load protection over that website.

    Let me know if you have any other questions! :)
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thank you for the information - we'll try and investigate this from the crash offset provided but if it does occur more frequently or can be reproduced on demand, please let us know and we'll work on how to diagnose it further with you.
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I agree - I think that is a good feature to have in. The IP address verification will take a minute or so to complete (possibly longer for some websites like GMail). If the IP Address Verification were to fail (saying that the website is malicious), a black "block" screen will show immediately which should be a good deterrent :)
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :thumb: Definitely agreed.

    Just replied to that one here: https://www.wilderssecurity.com/showpost.php?p=1536653&postcount=68

    Currently no, but we technically can add this protection as the core of the protection does not exist within the browser, but in kernel mode. We've focused on the browsers currently as they are the primary target for fraud/theft but are planning a version to cover a wider scope of applications later down the roadmap :)
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I think it is a very good addition - we currently have some techniques in place to allow a key manager to write to the screen but not read from the screen and I suspect we're bugging up KeePass/KeeForm somewhere along the line in its process as we block browser access pretty tightly :)

    I'll add them to the list of known issues and will definitely be seeing how we can implement a system to securely allow them to still function properly!
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Bombardment is recommended and encouraged! :)

    I've replied partially here: https://www.wilderssecurity.com/showpost.php?p=1536653&postcount=68 and should add another point that we also block screen capturing and it could get a bit annoying if you do take many screenshots.

    We've had requests for http:// protection from other places as well but for now we're still holding off on it, mostly to limit the scope of issues for the initial release, but we can definitely add it in if everything clears fine.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    In the new version (if you uninstall and reinstall), it will automatically set up the protection to Maximum. We've re-engineered the self protection engine to be much more compatible across the system and with other security products so you shouldn't encounter any problems when using it on Maximum.

    One note, however, is that their testing was related to directly attacking Prevx and using it to then attack the system. While this is definitely a good area to lock down, the risk is relatively low as a threat would have to be Prevx-aware and focus primarily on injecting itself into Prevx, which is (essentially) impossible to do on Maximum.
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's quite interesting - could you let me know what programs you're opening that you receive this warning on? "Invalid Handle" is the warning which Prevx produces when a program tries to terminate it or access its memory so it's possible that this is related to the self protection and memory protection put in place over the browser.

    Thanks! :)
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I didn't immediately reproduce this but indeed it sounds like an issue which can be caused by Prevx - I'll add it to the list and we'll get it fixed hopefully in the next release :)

    That tab positioning looks relatively accurate for that skin. Where would you like the tab to appear in this case?
     
  22. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    OK, cheers for the response...will up the protection level to Medium and see how it interacts with the system & KIS 2010.

    Will post back if I detect any issues.

    :D
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We haven't tested with KIS 2010 yet but have tested with KIS 2009 and it all works fine :) Let me know what you find!
     
  24. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567

    1. I guess there must be some drawback with this new feature since otherwise it would be a feature that scales over the whole system and your activities?

    2. If I add a particular website, it gets added to the list of protected items, right? (In other words it's not just temporarily for that session or so?)
     
  25. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    I have just had this problem when trying to use Screenshot Captor so I will not raise separately but I think that Whitelisting this sort of application either locally or in the cloud might pay dividends in terms of usability...if it does not impact performance in which case I would just turn off protection temporarily, capture the screen & then switch back on.

    :D
     