PrevX under scrutiny..

Discussion in 'other anti-malware software' started by Longboard, Oct 11, 2006.

Thread Status:
Not open for further replies.
  1. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Do you have the test results handy?
    Or is it possible to access these test results?

    PS: Your name "Prev" looks like "Prevx" :D :D :D
     
  2. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes, I agree with you.

    Since there's no such popup like "Haha... your security suite can't catch me", most people will assume their systems are clean simply because their security software says "no malware is found on your computer", and their computer seemingly behaves okay.

    However, malware like trojans, keyloggers and rootkits is designed not to let you know, so unless you are technical enough and actually look to verify that your computer is really clean, you just can't be as sure as most people claim.

    There are more and more trojans/keyloggers that are very sneaky - they can hide their processes/files/registry keys. They can fool the security software or compromise it. They can even fool the Windows system into giving false information to the security software (so it can never detect them, or find anything wrong with their behaviour).
     
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Update.

    Some info about the test I read.

    I saw the test in a thread in the sub-forum Prevx at Castlecops, but I could not find the link again. Urh...

    The test result is presented in a table. The left column lists the malware name. The bottom row lists the name of the anti-malware.

    The best anti-malware can catch about ~4XX of samples, but Prevx can only catch less than 40 something samples.

    It would be great if someone remembers that link and posts it here, so other readers can benefit from it. Thanks. :)
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    If you're talking about the test I think you are, it was just a user that threw a bunch of stuff and scanned it offline. It was also mostly text files and other non-malicious and junk files. It was a poorly done test by someone without knowledge of how Prevx1 works.

    Thus far no real tests of Prevx1 have been done, you can't say anything has been proven either way. See my posts above and consider that if Prevx1 was an antivirus we'd have a 5 page thread of people questioning the validity of these tests and how they were done. The closest that we have right now is internal tests where we have scanned a bed of samples sent in by customers that were infected (stuff that Prevx1 detected and removed), and there was always a significant amount undetected by the AVs; some more than others, but always significant. The only other thing we have to go on is user experiences, and we get the bulk majority of our users by detecting and removing what other products can't (most people find out about Prevx1 by doing Google searches for some malware that they can't get rid of).
     
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    There you go again. I consider that Kareldjag's tests were *real tests*. When proponents debunk test results I am put in mind of the bon mot: "If you can't raise the bridge, lower the water.";)

    I repeat (in so many words) the statement I made in an earlier post -- namely, the claims on Prevx's website seem rather grandiose in the absence of ANY objective support. Visit several anti-malware websites. I'll wager that 9 out of 10 of them say "we are THE best." Until it is tested, in my view Prevx should remain just another of that same bunch.
     
    Last edited: Oct 13, 2006
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    "We are THE best and our software is intelligent and intuitive." After reading that, I always ROFLMAO. :D
    Well that is common for most websites.
    Users have nevertheless the opportunity to test Prevx1 and compare it with the results of their scanners. If their scanners don't report anything serious anymore, except MRU's and tracking cookies, it's an indication that Prevx1 works. Of course those users have to be "dangerous" users. :)
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I don't disagree, please read my previous posts.

    The only thing I'll point out is that Kareldjag's tests were on Prevx Pro, not Prevx1.. as you say, there's no "objective support" either way, so in the meantime you can do with what you have; just don't take it for granted that enthusiast tests give the whole picture. If you need further examples, just imagine how OA or SocketShield would do in such a test, and compare it with how they are designed to actually protect your system.
     
  8. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    So you did read that test.
    What's its URL?
    So I can verify whether you are referring to what I am talking about.
    I would also like to examine the test again, and contact the author.
    Thank you.
     
    Last edited: Oct 14, 2006
  9. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    That's not a good way to know whether your computer has been infected or not. Much malware is designed to be very sneaky (eg trojans, keyloggers, backdoors, droppers, rootkits). It may be that neither Prevx1 nor your scanners catch them.

    Probably one of the best ways "to know whether your computer is clean" is to trace your computer:
    - Create a clean snapshot before the test
    - Try to do as many dangerous things as possible with only Prevx1 on (no other security programs)
    - Create another snapshot once you have finished
    - Compare both snapshots and examine the differences
    This is probably much more reliable than just relying on your scanners to tell you the results, although this requires more knowledge to do.

    I know there are cases where Prevx1 claims it is clean but one or several scanners disagree, or vice versa. How do you know which party is right if you just rely on your security programs to tell you the result? "Majority verdict" is not the way.

    What if you are infected by a rootkit? It may manage to "lie" to your Windows and so to your security systems. You need to examine your computer before Windows is loaded, or it may be very hard to spot it.

    You need to install additional security programs because your scanners are not reliable, but in turn you rely on scanners to tell you reliable results. It doesn't make sense.
     
    Last edited: Oct 14, 2006
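The before/after snapshot procedure described in the post above, as an added worked example that is not part of the original thread and is not any Prevx tool: a stdlib-only Python script that records the size and SHA-256 of every file under a root directory, then reports what was added, removed or changed between two snapshots. The `demo()` function builds a small constructed directory tree in a temporary folder, takes the "clean" snapshot, simulates an infection (a dropped executable, a modified hosts file, a deleted log) and returns the diff. The file names and contents are invented for illustration; the real "dangerous things" step is whatever the tester runs between the two snapshots.

```python
"""Before/after file-tree snapshot diff (added example; stdlib only)."""
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to (size, sha256).

    Symlinks and non-regular files are skipped so the diff reflects content, not
    link targets. Size is kept alongside the hash purely for human readability.
    """
    root = Path(root)
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            snap[p.relative_to(root).as_posix()] = (p.stat().st_size, _sha256(p))
    return snap


def diff_snapshots(before, after):
    """Return sorted lists of added, removed and content-modified paths."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def demo():
    """Constructed scenario: clean snapshot, simulated infection, second snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "kernel.dll").write_bytes(b"clean kernel bytes")
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "temp.log").write_text("old log\n")

        before = snapshot(root)  # step 1: clean baseline

        # Step 2 stand-in: what a dropper might leave behind (invented names).
        (root / "system32" / "svch0st.exe").write_bytes(b"MZ dropped payload")
        (root / "system32" / "hosts").write_text(
            "127.0.0.1 localhost\n0.0.0.0 update.vendor.example\n")
        (root / "temp.log").unlink()

        after = snapshot(root)  # step 3: post-test snapshot
        return diff_snapshots(before, after)  # step 4: examine the differences


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The caveat the post itself raises applies here: a snapshot taken from inside the running system can be lied to by a kernel-mode rootkit that filters directory listings, so the "after" snapshot is only trustworthy when taken from a boot CD or by mounting the disk from another OS, and the same diff logic can then be run against an exported registry hive as well as the file tree.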
  10. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes, some will tell more lies (eg we can detect *ALL* malware, so you are completely safe), while some may be a bit honest about that (eg we can't detect *ALL* malware, but because..., we can do a much better job than others). That's the reality.

    Let's consider the cases in AV / Firewall / AS. I have yet to see one company which can stand at the very top in all 3 aspects.

    Kaspersky is one of the best AV, but not really in Firewall, much worse in AS.
    Zone Alarm is one of the best firewall (except spying ;) ), but its AV is below average. Its AS is not good either.

    Someone who uses an all-in-one security suite from one company is most likely worse off than someone who tries to pick the best combination from different companies, not to mention that it is much harder to disable/terminate several different security products (possible but harder) than just one security suite.

    On the Prevx website, it states it can be used as a standalone security product replacing your existing Antivirus, Firewall, Antispyware and so on. It is probably one of the worst pieces of advice on the planet. I am strongly against that. Think about it:
    - What if the malware manages to compromise your Prevx? You will be doomed. Every security product has holes. It is no exception.
    - Every security product misses something other security products offer. No one can provide all-round solutions.
    - Even if both provide the same aspect of protection, one will do better and one worse. What's the chance that someone can do the best in *ALL* aspects?
    - It is also against the multi-layered protection approach.

    PS: Although it sounds like there are many criticisms about Prevx, it has its merits. Similar to what Online Armour did, the company is going in a right direction where it builds up a database to help average users to make security decisions. I would imagine more and more HIPS will follow this approach in future. Nice job, Prevx. :thumb:
     
    Last edited: Oct 14, 2006
  11. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Well...all I can say at this point is I am impressed with what is going on with PrevX and will follow with much interest and at some point may consider it.

    I do think it has a place in the world of security products. I think the way they are approaching dealing with malware in a community based approach so it can protect its membership is very good.

    I was sad to see a company using a similar approach fail and go out of business a number of years ago. :'(

    While I do not have it on any PC currently as the title of this thread indicates I too am giving them a hard look over. :) and wish them much success. Good postings very interesting fellow creatures. :thumb: ;)

    One final note so I am not misunderstood: Prevx should be used as an additional security product. Sure, it can maybe replace your AT or your AS if you are overloaded or short on resources, but I agree it should not be considered as stand-alone protection. I agree there with Wai Wai for sure. Also I am very much in favor of building your own suite of great security products and not the commercial suites that are out.:p
     
  12. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @ all
    Thanks for responding to my thread.

    Notok: fighting the good fight. :thumb:
    There are a highly suspicious bunch of hyperactive observers and testers here :D

    Obviously there is a lot of good feeling towards PX and lots of users.
    The as yet untested and unproven hyperbole on the website is what prompted my query and it seems is a bit of a red flag to many.

    The depth of expertise that is evident in the Gromozon removal test is an elliptical recommendation to my mindset at the moment.

    Sukarofs little experiment was an eye-opener. Google those exes and you'll see.
    A good demo.

    @F-T-P
    That sounds interesting.

    At this point I am still trialling PX and going well.
    Excellent strategy having a trial.
    Looking forward to a robust test from somewhere.
    Regards.
     
    Last edited: Oct 14, 2006
  13. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: Although I am still in the process of sorting out a compatibility issue with Prevx, I have observed that users' comments are more Pros than Cons. I will definitely give it another try soon after the problems are solved. HIPS or CIPS or even RIPS (borrowed from Erik's Rollback I.P.S. concept) is the way to go, but I do have a wish for the Prevx owner: if you can secure a strong independent endorsement (such as a thorough test), that will clear up some folks' doubts. Just a wish.:-*
     
  14. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    PrevX is indeed difficult to test, mainly because it is not a pure behavior blocker (and even that has no formal testing methodology).

    If you focus just on blacklists, you can treat it like an antivirus, executing malware (or better yet scanning it using the file scanner option) and seeing if Prevx1 recognises it and stops it.

    If you want to focus on the HIPS component, you will have to run various tests that 'do stuff' to see if PrevX flags the changes.

    The 'heuristics' option further complicates matters, because for many protections it is set to heuristics. So even if a certain change is made, PrevX might not flag it, not because it doesn't have the capability of detecting it but because it considers the change harmless (which it is of course because it's just a testing tool).


    One thing I was curious about though was the nature of the 'blacklists' maintained by PrevX, how do they match up to antivirus signatures. I remember asking about it and someone assured me that it wasn't just a simple hash, a very weak form of signature that can be easily defeated.

    I decided to do some basic checking. Basically what scriptkiddies do....

    First I did a simple hex editing of wordpad , just changed a single text string (DOS to DAS). I ran it and suddenly prevx1 didn't recognise it anymore! Next I edited the resource section, as expected, PrevX didn't recognise it either.
    (Yeah I checked to see if the samples are still functioning)

    Lastly, another common test is to see how AVs handle packers. I packed wordpad with UPX (the most common packer out there) and again PrevX didn't recognise it. Okay, you antivirus experts don't need to start rushing in here and telling me that this doesn't 100% prove that Prevx doesn't handle UPX, but I think given the evidence above, it seems extremely likely.

    I repeated the test with something PrevX considered bad and got the same results. Basically simple hex editing and Prevx fails to recognise it.

    Antiviruses aren't totally immune to such tricks of course, but they definitely won't fail so easily (by changing a single inconsequential text character)!

    Okay I'm no expert on AVs but I think all this pretty much proves or at least gives strong evidence that PrevX is doing some simple minded hashing of files at least for most of them.

    One possibility of course that I cannot rule out is that Prevx is doing strong signatures for some subsets of really dangerous and common malware, (I read some antivirus companies do something like this) .......

    Still, assuming this isn't done, I think the fact that Prevx's blacklist can be so easily fooled is bad news. I would think any malware could easily circumvent Prevx's blacklist given the way it is currently implemented (and I'm not even talking about polymorphic or metamorphic worms!)

    Is it fair of me to expect PrevX to have strong signatures as in antiviruses?
    Maybe not, because PrevX has never claimed to be one, and certainly the claim that through their community network they are spotting malware faster is independent of how strong their signatures are.

    And of course Erikalbert doesn't care at all and would probably tell you that this shows again why blacklisting is bad. :D

    There's of course still heuristics........

    Note: I have nothing against Prevx1 and I think they have a fine even great product, I'm just bringing out some information here for discussion and to balance some of the positive views brought out here.
     
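The experiment in the post above (one-byte string edit, then packing) illustrates the general difference between an exact-hash blacklist and a byte-pattern signature. The following is an added example, not Prevx's code and not a claim about how Prevx's blacklist is actually built: it runs both kinds of check over a constructed PE-like byte string, applies the same two transformations the poster used, and shows which check survives each one. The `ZPK1` "packer" is a stand-in for UPX (zlib plus a byte XOR, invented for this example) so that the code runs offline; a real scanner would need a real unpacker for UPX in the same place `unpack_if_packed()` sits here.

```python
"""Exact-hash blacklist vs wildcard byte signature (added example, stdlib only)."""
import hashlib
import re
import zlib

# Constructed sample "binary": MZ stub, DOS-mode string, a code prologue and a
# marker string standing in for the malicious payload. Not a real executable.
SAMPLE = (
    b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 8
    + b"\x55\x8b\xec\x83\xec\x10" + b"\x00" * 4 + b"BADPAYLOAD-v1" + b"\x00" * 16
)

# Exact-hash blacklist: one SHA-256 per known-bad file.
HASH_BLACKLIST = {hashlib.sha256(SAMPLE).hexdigest()}

# Wildcard byte signature over the prologue and marker; "??" matches any byte,
# so the stack-frame size and the padding can vary without breaking the match.
SIGNATURE = "55 8b ec 83 ec ?? ?? ?? ?? ?? 42 41 44 50 41 59 4c 4f 41 44 2d 76"


def compile_signature(sig):
    """Turn a hex-with-wildcards signature into a compiled bytes regex."""
    parts = []
    for tok in sig.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


_SIG_RE = compile_signature(SIGNATURE)


def hash_blacklisted(data, blacklist=HASH_BLACKLIST):
    return hashlib.sha256(data).hexdigest() in blacklist


def signature_match(data, sig_re=_SIG_RE):
    return sig_re.search(data) is not None


# --- the poster's two transformations -------------------------------------

def one_byte_edit(data):
    """The 'DOS' -> 'DAS' hex edit: one inconsequential byte changes."""
    return data.replace(b"DOS", b"DAS", 1)


PACK_MAGIC = b"ZPK1"  # invented toy packer, stand-in for UPX


def pack(data):
    return PACK_MAGIC + bytes(b ^ 0x5A for b in zlib.compress(data))


def unpack_if_packed(data):
    """What a scanner's static unpacker does before signature matching."""
    if data.startswith(PACK_MAGIC):
        return zlib.decompress(bytes(b ^ 0x5A for b in data[len(PACK_MAGIC):]))
    return data


def check(data):
    """(exact hash hit, signature hit) for one file."""
    return hash_blacklisted(data), signature_match(data)


def demo():
    packed = pack(SAMPLE)
    return {
        "original": check(SAMPLE),
        "one_byte_edit": check(one_byte_edit(SAMPLE)),
        "packed": check(packed),
        "packed_then_unpacked": check(unpack_if_packed(packed)),
    }


if __name__ == "__main__":
    for variant, (by_hash, by_sig) in demo().items():
        print(f"{variant:22s} hash={by_hash!s:5s} signature={by_sig}")
```

The output reproduces the poster's observation for the hash column (any single-byte change defeats it) and shows why the packing result is less conclusive than the hex-edit one: a pattern signature also fails on the packed bytes, and only a scanner that unpacks first sees the original code again.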
  15. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Another question.

    I notice that for the protection "Physical memory" it is set to "prevent". My understanding is that this means it will block such activity always.

    I checked with several tools like kproccheck and sysinternals physmem which are supposed to access physical memory, and both worked without being blocked by Prevx? I'm not sure if the whitelist was affecting this, so I did a simple hex edit to ensure that Prevx treated them as unknown files.

    Does the protection of physical memory actually work? Or am I misinterpreting this?
     
  16. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046

    I found the same, posts 8-11 with Notok's answer
     
  17. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Posts 8-11 don't seem to apply. For one thing Prevx is not recognising the tool as good.

    Because I already hex edited the tools and when I ran them Prevx1 doesn't recognise them (it is not marked good) and asks me if I want to run them.

    Heuristics might have something to do with it, but for physical memory it is marked as "Prevent" not "heuristics", which I interpreted as saying it blocks everything that does this action.

    One possibility I'm considering is that Prevx1 is defining this protection differently from the others, so the actions done by physmem don't count as violating this rule.
     
  18. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Devil's Advocate,

    I've not used either tool, but you use the word "access". The protection offered by PrevX is modification of memory. Am I missing something here (wouldn't be the first time if I am :))

    Blue
     
  19. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Blue as usual you are right.

    But this is going beyond my depth anyway. So I'm shutting up.
     
  20. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    As far as its detection, it does do more than simple hashing. Obviously I can't give any more details than any other vendor would about their detection routines. It's not exactly the same as an antivirus, but much closer than simple hashing and I'm sure there's a fair bit of difference between scanners anyway (Prevx1 has its own unique qualities for detection that no AV has, and many more in the works... and made by developers with antivirus experience). Like any other anti-malware, it's not going to detect each and every change or file. Nobody is here claiming that Prevx1 has 100% detection, but Prevx1 is indeed capable of detecting things like polymorphic malware.. it's a complex system that isn't always predictable; after all, predictable systems are easy to bypass. Sometimes it can do it entirely on its own after seeing just one, sometimes it needs a little help from the analysts, other times it may be more beneficial in the end to gather intelligence and wait until enough intel is gathered before taking action.

    Stubbs100 mentioned in another thread that it's his/our conviction that malware intelligence is the way forward. That's the foundation that Prevx1 is based on, and why the program has so many tools for seeing what's going on "behind the scenes" such as the program monitor, event notification, and all the information you see in the web info for any given file, along with things like the Research Tracker for private analysis.

    A better test would probably be to find one of the infector sites that creates a new variant every time it's downloaded. If it doesn't specifically detect it, then the next test would be to see the turnaround time for getting detection added - that is, after alll, the point of the community database: to drastically reduce turnaround time between when a new malware file is released and when detection can be added. The current average is within the first 24 hours, which is usually days or weeks before other vendors (depending). You can verify some of this for yourself by comparing info with the vendor websites.
     
  21. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    881
    Location:
    Virginia, USA
    Perv, Prev....ya, it's all the same:p

    I know it's not that helpful, but the test results are not releasable. It's government proprietary information. Additionally, much of the test evaluates things other than a standard public test would. So it would make its usefulness dubious as you could not compare apples to apples...

    Overall, the more I think about the fight against malware, the more I think that something like Prevx or Sandboxie or even DeepFreeze is preferable to the standard method of AV, Firewall, AT, AS.... That standard method has a track record of failure.

    None of the newer non-standard methods seem perfect, but all move away from the traditional approach that has never really worked. I'd even say that all the 'newer methods' already work better. It's just deciding what side effects are acceptable.
     
  22. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Reload:

    Not happy with Prevx at the moment:
    Have been allowing as many browser exploit/leak tests as I can find and am frankly very disappointed that PX has failed to warn on many.

    Basically have been going to the test pages with a spare FDISR snapshot with full normal set-up: everything set to warn blah blah:

    Letting everything run: PX has allowed many of the exploits to run without warnings! Even without sigs, where is the much vaunted heuristics?
    Apart from GreenBorder these tests are not new.
    Most recently here: http://www.greenborder.com/scan/
    PX let everything through :(

    Flurry of e-mails to PX
    Wait and see.
    Anybody else care to have a go?
    Regards.
     
  23. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Numerous OT posts concerning the Greenborder browser test have merged into that ongoing thread.

    Bubba
     
  24. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    Hi Longboard,

    I'm looking into the specifics of a number of tests, but in the meantime, you may want to read the thread on our Castlecops forum about testing tools and Prevx1 - http://www.castlecops.com/t166260-Prevx1R_and_various_Security_Testing_utilities.html.

    It has some useful discussion around testing tools vs malware and the purpose of Prevx1.

    Regards,

    ghiser1
     
  25. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    ghiser1

    Thanks for commenting :)
    Thanks for checking this out. Very kind of you to spare the time.
    I'm probably lol, definitely not the person to be making any challenges from any sort of tech standpoint.
    Just wanting to seek a little deeper.

    as per Ilya Rabinovich in this thread
    https://www.wilderssecurity.com/showthread.php?t=150840
    Launching the script .hta file has caused several changes to the start up list and left some files on users systems.

    Only basic end user here: but that is dangerous.
    The Comodo leak test can do the same.

    I have been plowing through the various "how and why" threads at castlecops in the PX1research and PX1 subforums.
    Lots of posts from some names I recognise and others making enquiries v.similar to this.
    Lots of Vhappy users.

    There is another "surfer" there with a similar thread
    You are busy tonight ;)

    Could I make a small suggestion:
    I got this as part of a reply to a support question;
    We, I, do not need spruiking as part of support query or sending of information. Just a bit irritating :(

    I'm sure this has been raised before;
    When will you have dedicated forum?
    Although the response to now has been v.quick, the current support contact procedure is a bit clumsy.
    Respect that is the way it may have to be but sheesh :doubt:

    I have read the info re "trial" and start of trial period.
    Isn't that a marketing issue?
    People get the trial, they get 30 days. Personally I couldn't wait to go and run a few tests which leads us to here :D

    Disclaimer: I am a paid up licensee. :cool: Don't ban me yet :eek:
    If people are going to complain about <10c/day too bad. :p
     