PrevX under scrutiny..

Discussion in 'other anti-malware software' started by Longboard, Oct 11, 2006.

Thread Status:
Not open for further replies.
  1. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    I have been trialling "PX" and am liking the implementation so far.

    Couple of observations and queries:

    Apart from the rather ghastly squishy gooey GUI (maybe I'm the only blue/green colour blind user :p ) it has been going well.
    A couple of FP's got a quick response from support.
    Failed to recognise "BOClean installation" but that may have been the packer?
    Couple of other small things

    To stretch a supposition a bit... if no users visit "death strike" sites, where will the database come from? In-house research hopefully getting to all the gromzon
    https://www.wilderssecurity.com/showthread.php?t=136452 sites and doing their research on pr0n sites LOL.

    I cannot find any independent test of PX scan and remove function and no testing of screening and block functions.
    Cannot see any testing of anti-termination functions
    That by no means suggests it is not happening as claimed, but before plonking down $$ would like to see some verification of claims by vendors.

    Many threads on the web about the "grom" rootkits, scanners, online scanners and various updates by vendors (all seem to be having probs keeping up!!, even BOClean which I use and respect.)

    Cannot find any reports of PX and grom detection or removal.

    I know that a wonderful project was undertaken by the team from PX who released the first grom removal tool; that also has been superseded.
    I feel a bit cheeky looking to interrogate any outfit that is obviously at the cutting edge and making a serious effort.

    In addition this link is a bit of a heart stopper:
    http://www.morgud.com/interests/security/dfk-threat-simulator-v2.asp

    Could prevx protect itself?

    To prevx can you demonstrate that you do as claimed?
    Heh: skins ?

    Any comments?
    Any links to tests?
    Regards.

    Oops, forgot to check: I think kareldjag did a series of HIPS tests but can't remember if Prevx was part of that, and now I can't find it.
     
  2. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    This one http://kareldjag.over-blog.com/1-categorie-86447.html

    But it's an older version and Prevx has been updated extensively since this test. Would not take the results too seriously. Hopefully a similar test will be performed with the current version.

    muf
     
  3. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Prevx1 in pro mode does warn about it and advises not to run it. I did however allow everything to happen.
    If one chooses to run once it will allow the copying of the file projector.exe but warns and advises you not to run it.
    If you still allow it, it will copy things and kill your AV (if it targets your specific AV, that is). Drweb is killed and then Prevx1 warns about the renamed spidernt.exe (originally a component of Drweb, now replaced by the malware). Prevx1 again advises not to run the modified file.

    • After that net.exe and net1.exe do something.
    • After a while Prevx1 warns that WINLLOGON.EXE wants to start and advises not to run the file.
    • WINLLOGON.EXE then terminates a lot of programs; I didn't have time to see all of them but Geswall was one of them.
    • After that Prevx1 warns that PLAYMOVIE.EXE wants to run (and Prevx1 advises NOT to run it as usual).
    • PLAYMOVIE.EXE creates a file named RUNTIME.EXE and Prevx1 again warns about execution and advises against it.
    • RUNTIME.EXE creates a file named WIN32K.EXE and Prevx1 warns and advises not to run it.
    • WIN32K.EXE creates a global hook and installs a file named WIN32E.EXE and Prevx1 warns and advises against the execution.
    • WIN32E.EXE installs a file named WIN32L.EXE and Prevx1 warns and advises not to run it.
    • WIN32L.EXE installs a file named ABC.EXE; Prevx1 warns and advises not to run it.
    • And then a file named XYZ.EXE is created; Prevx1 warns and advises not to run it.
    • Comodo blocks an attempt to connect to securityfocu.com.
    • Prevx1 was not terminated, but probably because the threat test did not target Prevx1.

    This test info was gathered from the popups PREVX1 provided. Not very scientific but it gives you an idea how the threat test works.

    edit* Oops, I forgot to mention it was the morgud threat test I was testing.
     
    Last edited: Oct 11, 2006
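    The popup sequence above is really a single incident: each executable drops the next one, and two of the steps kill a security process. The script below is an added illustration (not part of sukarof's post, nor Prevx's or any other product's code) of how a defender turns such a stream of behaviour events into one linked drop chain with a risk score, so that it is judged as a whole rather than as twelve unrelated prompts. The event-line format, the timestamps, the process name avservice.exe and the SECURITY_PROCESSES list are all constructed assumptions; the other file names are the ones reported in the post.

    ```python
    """Link behaviour events into a drop-and-execute chain and flag security-tool tampering.

    Added example. The event format "<date> <time> <KIND> key=value ..." is an
    assumption for this illustration, not any product's real log format.
    """
    import re

    EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kind>EXEC|WRITE|TERMINATE) (?P<rest>.*)$")

    # Processes a defender treats as security tooling (constructed list; spidernt.exe is
    # the Dr.Web component named in the post, avservice.exe is a made-up stand-in).
    SECURITY_PROCESSES = {"spidernt.exe", "avservice.exe"}

    # Constructed event stream modelled on the popup sequence described in the post.
    SAMPLE_EVENTS = [
        "2006-10-11 10:00:01 EXEC parent=explorer.exe child=projector.exe",
        "2006-10-11 10:00:02 TERMINATE actor=projector.exe target=spidernt.exe",
        "2006-10-11 10:00:03 WRITE actor=projector.exe file=spidernt.exe",
        "2006-10-11 10:00:04 EXEC parent=projector.exe child=spidernt.exe",
        "2006-10-11 10:00:05 WRITE actor=spidernt.exe file=WINLLOGON.EXE",
        "2006-10-11 10:00:06 EXEC parent=spidernt.exe child=WINLLOGON.EXE",
        "2006-10-11 10:00:07 TERMINATE actor=WINLLOGON.EXE target=avservice.exe",
        "2006-10-11 10:00:08 WRITE actor=WINLLOGON.EXE file=PLAYMOVIE.EXE",
        "2006-10-11 10:00:09 EXEC parent=WINLLOGON.EXE child=PLAYMOVIE.EXE",
        "2006-10-11 10:00:10 WRITE actor=PLAYMOVIE.EXE file=RUNTIME.EXE",
        "2006-10-11 10:00:11 EXEC parent=PLAYMOVIE.EXE child=RUNTIME.EXE",
        "2006-10-11 10:00:12 WRITE actor=RUNTIME.EXE file=WIN32K.EXE",
        "2006-10-11 10:00:13 EXEC parent=RUNTIME.EXE child=WIN32K.EXE",
        # Benign noise: a file that is written but never executed, and a process
        # whose image nobody in the trace wrote.
        "2006-10-11 10:00:14 WRITE actor=explorer.exe file=notes.txt",
        "2006-10-11 10:00:15 EXEC parent=explorer.exe child=notepad.exe",
    ]


    def parse_event(line):
        """Parse one event line into a dict with lower-cased names; ValueError if malformed."""
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        return {"ts": m["ts"], "kind": m["kind"], **{k: v.lower() for k, v in fields.items()}}


    def analyse(lines):
        """Return the longest write-then-execute chain, tamper events and a simple risk score."""
        writer_of = {}   # file name -> process that last wrote it
        chain_of = {}    # executed file -> processes that led to it, oldest first
        tamper = []      # (actor, terminated security process)
        for ev in map(parse_event, lines):
            if ev["kind"] == "WRITE":
                writer_of[ev["file"]] = ev["actor"]
            elif ev["kind"] == "EXEC":
                child = ev["child"]
                writer = writer_of.get(child)
                if writer is not None:
                    # The image being run was dropped earlier: extend the dropper's chain.
                    chain_of[child] = chain_of.get(writer, [writer]) + [child]
            elif ev["kind"] == "TERMINATE" and ev["target"] in SECURITY_PROCESSES:
                tamper.append((ev["actor"], ev["target"]))
        longest = max(chain_of.values(), key=len, default=[])
        return {"longest_chain": longest, "tamper": tamper, "risk": len(longest) + len(tamper)}


    if __name__ == "__main__":
        report = analyse(SAMPLE_EVENTS)
        print("drop chain :", " -> ".join(report["longest_chain"]))
        for actor, target in report["tamper"]:
            print("tampering  :", actor, "terminated", target)
        print("risk score :", report["risk"])
    ```

    Notepad and notes.txt stay out of the chain because the rule is "executed something it (or its ancestor) wrote", not "spawned a child"; that is what separates a dropper cascade from ordinary process creation, and why a real trojan that never writes a second stage would need a different rule.
    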
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    sukarof,
    If I was a member of the Prevx1 Team, I would try Prevx1 constantly on every "dangerous" website, I could find. I certainly wouldn't wait, until users report malwares to feed the "Community Database".
    That's how you have to test Prevx1 by putting it in extreme situations and fix the problems in Prevx1, before users even encounter them.
     
  5. kr4ey

    kr4ey Registered Member

    Joined:
    Aug 13, 2006
    Posts:
    187
    Location:
    Florida USA
    This version of Prevx is no longer being produced; it is very old. The last version number of this was 2.1 (Prevx Home and Prevx Pro).
    Prevx1 was being produced alongside this version.
    I installed this a long time ago but didn't like it; it has the same features as Prevx1.
    But not sure what the real difference is.
    I have been using Prevx1 for many years. Not sure if there are any tests with Prevx1; I haven't been able to find any.

    Rick

    EDIT: Difference in old Prevx Home (Free) and Pro version 2.1 is, it does not use signatures or community databases.
     
    Last edited: Oct 11, 2006
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    And that is just it :) Malware research does hunt down malware as much as possible, but then again the community database is bigger and sees more than any honeypot out there. I also do quite a bit of this just to test cleanup. There's also quite a few heuristic rules created for malware that may be coming up.

    The professional testers would need to change their testing methods drastically to test Prevx1 (as opposed to how they normally test antivirus software), so thus far there haven't really been any. You might find some enthusiast tests, but would want to take those with a pinch of salt (no matter whether they come out good or bad, or even what products they test).

    If the tests are to see how a program handles memory attacks, for example, and the program is focused more on keeping the malware from getting to that point in the first place, then the review could falsely present the program as being entirely ineffective. For Prevx1 in particular if all that's tested is the behavior blocking then it's missing the entire point of the program, which is to see more malware, add detection much faster, and remove more of it. Test files can give you an idea of how a program would react to some situations, but tallying up points for how many actions it blocks doesn't give you much true perspective on how well it really keeps your system free of infection, and (IMO) is a silly thing to base your opinion of a product on. I've known programs (no, not Prevx) that would probably fail those tests miserably, but would do far more to keep your system clean than the programs that score very well. Conversely, the old Prevx Pro did well in a lot of tests, but in the real world it didn't do much, and no amount of additional leaktest protection would have fixed that.

    These tests can show how a particular program would react to a particular event, but that may not have any relevance to its overall efficacy.

    That's not to say anything bad about any test, just don't take it for granted that something is better or worse based on test files. Take them for what they're worth, but don't take them to measure the worth of a program. Remember that those test files (demo trojans) are made by vendors with marketing in mind. They're specifically made so that only their own software will stop it, and it's based entirely on their own unique approach to stopping malware. They're usually made to scare you into thinking that theirs is the only program that can protect you. If every vendor took the same approach then your choices would be very limited and malware writers would have an easy time writing around them.
     
    Last edited: Oct 11, 2006
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thank you. This way of working is for me very reassuring and Prevx1 fits more and more in my plans. I have it already installed, but I never really tested it. I have to re-install my computer first, because I need more clean backup files and archived snapshots, which I forgot during my previous off-line installation. It's almost finished on paper. After that I don't have to reinstall my computer from scratch again, at least not manually.
    Acronis and FDISR are tested thoroughly and working properly. So I need another target : Prevx1. :)
     
  8. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    I like Prevx a great deal, but here are some problems that I have just noticed.

    Access to physical memory.
    Prevx and Outpost are both supposed to block this. Not sure what they mean exactly, but Sysinternals PhysMem can access memory without an alert from either, with Prevx options set to prevent.
    But... PG and SSM both alert and block the access.


    Keyloggers
    like http://www.diamondcs.com.au/processguard/index.php?page=attack-keystroke-loggers
    Prevx is set to heuristic; it does not appear to alert on this keylogger. PG stops it dead, SSM deals with it pretty well, DefenseWall and AppDefend do not appear to stop it.

    So not sure what is going on... Clarification would be interesting?
     
    Last edited: Oct 11, 2006
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It's marked good because it's a legitimate tool with legitimate uses. Imagine if you were a programmer and trying to actually use the tool for its intended purpose...

    I've personally seen Prevx1 stop malware from accessing physical memory, even when it does so via a DLL injected into a process like explorer.exe.

    This also goes to illustrate part of what I mean when I say there's no advantage to blocking legitimate application functions. If explorer.exe has a malicious DLL injected into it, Prevx1 won't just allow the action because explorer.exe is marked good. Malicious actions are blocked regardless, blocking legitimate system functions only creates problems.
     


    Last edited: Oct 11, 2006
  10. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Interesting - the keylogger has been classified as malware - it is in my holding cell but can function as it is a legitimate tool.
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Can, yes, but there's no gray area with SysInternals' tools. SysInternals' tools are made for diagnosis and software development (and other such things.. made for IT admins and programmers, at any rate), they just happened to be picked up by one or two people for testing.

    http://www.sysinternals.com/information/tipsandtrivia.html
     
  12. kr4ey

    kr4ey Registered Member

    Joined:
    Aug 13, 2006
    Posts:
    187
    Location:
    Florida USA
    I don't believe in tests either. Like I said earlier, I have been using Prevx1 for years. I don't have any other protection. Just Prevx1 and Jetico Firewall.
    I have never been infected with anything, and Prevx1 has always caught anything that tried. So that's all the results I need.
     
  13. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041

    Thanks for the info. I had been interested in how the other apps performed; Prevx has been part of my build for several months.

    The coverage of Prevx is broad. I have just been trying to find the edges compared to other products, and trying to determine the value of mixing Prevx with other HIPS like SSM, AppDefend or PG.

    Like many here, I like a mix of automatic and manual intervention.
     
  14. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Longboard,
    I once read a report which compared on-demand scans of many anti-malware products, including Prevx1, but I have lost that link.

    Anyway, as far as on-demand scanning is concerned, Prevx1 has proved to be very weak. Both the test I read and the tests I made showed AVs have much higher detection rates than Prevx1. It might be because it can't scan archives properly.

    I think you can't use demo/test tools to test Prevx1. It is because Prevx1 simply adds the tools into their database (i.e. blacklists them), so they block it without any problem. Maybe you should disconnect from the Internet when you do such tests like termination, buffer overflow, leaktests and so on, and see how it can defend against these attacks.
     
  15. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Maybe you could simply run it in a test machine, where you have original Windows without any security except Prevx1. You even don't update Windows, so you can see if it can protect you from possible vulnerabilities.
     
  16. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Thanks for input.
    I am writing this from the POV of a non-tech but interested end user.

    I know the current release is based on vast user-based experience and the PrevxR testers.
    Nonetheless everybody here has offered an opinion based on presumptive and accumulated experience: "never had an infection yet": how do you know? There are definitely exploits that bypass PX

    OR

    "It (pX) found this....."

    @sukarof: that was v.cool of you with DFK example: :thumb: what test bed did you use, image or rollback or FDISR or spare machine or other?

    @Muf: yes that one: obviously o.o.d. now ( I hope) be nice if he did it again.
    @Notok; your opinion and comment is appreciated. You said:
    I am not trying to misrepresent what you said, or diss you, but in attempting to support PX approach you seem to have discredited every test system unless each test is specifically designed to illuminate a specific vulnerability.
    You seem to imply there may be no valid test that conforms to any recognised methodology for PX.
    From the website:
    Those are big claims and should really be backed up even with in house testing and perhaps screenies.

    I appreciate there are v.specific methodologies that need to be applied for testing various scenarios. It occurs to me that it would not be beyond PX to demonstrate and make available some comparative virus malware scanning and removal tests from a compromised box.
    There are many links to various rootkits and trojans that could be tested.
    EG: even EP_XOFF's demo trojan.
    Virtually every anti-rootkit uses hacker defender as a demo/ defacto gold standard.
    As per kareldjag's site: there are any number of well described tests that could be performed.

    Look, I will probably use this alongside FW and AV& BOClean and still do some on demand scanners. I think the concept is a terrific and unique application. I just wanted to try and get a little deeper into some proof of puddings.

    It would be a bit disingenuous to say testing results do not influence choices.

    Regards.
     
    Last edited: Oct 12, 2006
  17. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Firstdefense snapshot.
     
  18. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    My point isn't to discredit every test, just that professional tests will surely happen at some point in the future, but don't take leaktests as any real indication of how well a security application will actually protect you. You can take them into account as to how a particular program will react in such an event, but a tally of how many prompts you receive is not an indication of actual protection. The example given of SysInternals' PhysMem is one example; Prevx1 allows it because it's a legitimate tool (it wasn't even made for testing security apps)... so does that mean that Prevx1's physical memory access protection is worthless? In the event that it was a real trojan, any given app can block the trojan at any point from when it tries to begin downloading until the end of the infection process; testing for one particular event does not tell you how or where that app would protect you.

    By the same token, some might say DefenseWall won't protect you because the malware can actually run. If a test focused only on the fact that it allowed it to run, and was verbose enough about it, you might conclude that the person is right: the malware runs, so you're left unprotected (never mind how the software actually works). I'm not just saying this about Prevx1; this is something I came to realize a long time ago and it goes for any app with any kind of generic protection. Take those tests for what they're worth, but don't assume they're any overall indication of how well the app can protect you. If you're going to rely on someone else's word, wait for a professional and reputable tester, and until then you can ask questions on Wilders (or other forums), come to understand what the program can and cannot do, and use the best that you know, same as just about anything else.

    Nobody would believe in-house testing, after all if we have the samples we're going to detect them, but you can peruse the virus info center here: http://virusinfo.prevx.com/. I don't know for sure, but I doubt it will be too long before a real test comes around.

    I'm not sure how we got from me saying "take them with a pinch of salt" to trying to discredit all tests and say they don't influence choices. Of course they do; all I'm saying is to be critical of what tests you allow to influence your choices and how. Take them into consideration, yes, but don't take it for granted that they show you the whole picture. After all, aren't we critical of any enthusiast tests in any other area of security?

    Consider how much credence you would give it if I had, at some point in the past, thrown a bunch of malware I had collected at a bunch of anti-spyware apps. There would be all sorts of questions about the samples, where I got them, the quality of samples and whether they were functional, whether they were appropriate to the testing I was doing, how well I did the testing, was I testing packed samples against scanners not meant to do unpacking, how I configured each app, how I prepared the test environment for each new test, and on and on and on... so if an enthusiast throws a bunch of leaktests at a firewall, should you be any less critical of how the results represent the overall worth of the firewall? (Perhaps gkweb's tests can shine as a positive example here, as he is careful not to try to represent a judgement of the overall firewall; he keeps it in perspective.) Perhaps it does indeed give you a little better idea of how the product will perform; my entire point is that it doesn't come close to giving you the entire picture.

    In the meantime, there are security and IT professionals that can attest to how well various technologies have served them on networks with hundreds or thousands of (even high-risk) users, and can sometimes even give you an idea of why.
     
    Last edited: Oct 12, 2006
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes I also have many doubts regarding different AV/AS/AT/AK tests, they always have a different winner and the winner of one test is a loser in another test. :D
     
  20. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: On this PC, I am running ZASS (minus AV, AS), BitDefender AV plus 10 (FW uninstalled), AVG AS plus. I just added Prevx1 onto it, hoping with its addition I perhaps can reduce some scanners. Guess what has happened? The popular anti-malware app, Prevx1, and the other popular firewall, ZA, could not be on speaking terms. This is how it happened. After reboot, during the boot-time system scan of Prevx1, the ZA firewall somehow was terminated; this has never occurred prior to Prevx1's installation. I have to shut down the ZASS program completely and activate it again manually. I like to keep both apps, but what in the world should I do? Any advice? Urgently. Thanks.
     
  21. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England

    Hi,

    Although I have never used the ZoneAlarm Security Suite, I have used the ZoneAlarm firewall (free & latest version). I had no problems at all, and a friend of mine who is also using ZA free with Prevx (+Online Armor if it matters) is not having problems. So my advice is to check out the other modules running in ZASS as it may be one of those interfering. Try disabling them one at a time and see if you can narrow it down to which ZASS module is clashing with PX.

    Failing that, consider it could simply be a bad install. Try uninstalling PX and re-installing. And if you didn't, try closing all your other security apps down before you re-install it. Sometimes they really do cause installation problems while they are running.

    muf
     
  22. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Especially now that some antivirus and other security software have started doing silent behavior blocking without mentioning it :p
     
  23. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Those are very strong claims and they need some sort of support besides the product's own website.

    Safe'N'Secure was tested by AV-Comparatives, so they can & do rightfully cite those excellent test results.

    DefenseWall was tested Yonder so they can & do cite those equally excellent test results.

    Why has Prevx not been tested, or submitted their program for independent testing, as did S'N'S & DW?

    Back in June-July 2005 SSM scored 9/10 in well-documented, meaningful tests. Process Guard earned the same high score. In that same time frame, Prevx PRO scored 7.5 of 10 -- a respectable score.

    So there HAVE been tests -- no doubt out-dated & of an earlier version of PX, but the same also is true for SSM & PG.

    Ergo, IMO the claims on PX's website should be taken with a grain of salt until they are independently substantiated. Actually, when PX is eventually tested I predict that it will substantially validate its claims. I truly hope that it does. PX is a nicely priced, superbly supported, well-documented, beautifully structured piece of anti-malware.
     
  24. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    We communicate with the rest of the anti-malware community, so I don't expect it will be long. Testers only set up for AV testing will have to do things a little differently, so they can't just pull it off the shelf and give it a go, so to speak. If they tried it's even possible that they'd set off flood protection on the servers; things can get sticky if not done right.

    Do see my earlier post in this thread, though (#6 as well as #18). Yes it "tested" fairly well, but many "fails" wouldn't have even gotten that far if it were real malware (assuming everything was blocked), and the real world test (the PAWS data collected from all users as the program was used) showed a very different story.

    :cool:
     
  25. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    I recently found a bunch of malware on my computer. It apparently sailed right by McAfee, and lots of other stuff too (listed below in the signature data).

    I do surf in higher risk waters than many here, so to some degree, my system will inherently be tested more than most by some of the toughest and nastiest malware out there. And thus, I do get infected more than most.

    I have been flirting with the idea of Prevx for a long time. But there was a lingering doubt….. we’ve just all been so conditioned to believe that we need an AV, firewall, and for those who read boards like this, an AT and AS….

    I work for an organization that does testing of some types of Anti-malware applications for a government entity (although this aspect of the operation has nothing to do with what I do). They have tested all sorts of applications in all sorts of ways for all sorts of reasons. I know that is kind of vague, but if I say more, I could be violating some of the terms of my employment.

    I tried and tried to get them to test Prevx. It took a while, but they finally did test it. Since the software team does not usually test software with an open internet connection, they had to get regulatory approval to conduct the test, and that took a little while.

    The test came out very well. All of a sudden, a bunch of the software techs who previously were interested in other security applications now include Prevx in the informal office security software discussions of which applications are best..... The test was not comprehensive in a commercial testing sense, but threw at Prevx some unusual attack methods and unusual malware. Prevx was not perfect, but MUCH better than most applications. :thumb:

    I've been waiting for a while hoping that commercial tests would be conducted to validate Prevx for me, giving me the vote of confidence to install it. I've always liked the Prevx theory, but wondered about the application.

    Now that I got my warm and fuzzy from the testing techs at work, I just need to download it and figure out which programs I'm going to get rid of.

    In a theoretical sense, I’m convinced that Prevx and a free AV will give me better protection than any of the top paid AVs alone.

    We shall see.
     
    Last edited: Oct 13, 2006