Prevx1: Choosing between it and Process Guard

Discussion in 'other anti-malware software' started by george75, Dec 22, 2005.

  1. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Hi Folks!

    I posted a reply on another thread in the Process Guard forum from Prevx concerning their product and how it works together with Process Guard, together with my own questions. Bubba was unhappy with my posing questions about Prevx1 in the Process Guard forum, and referred me here.

    The main points that Prevx tells us that don't concern Process Guard are:

    1) Prevx Home is being phased out in favour of Prevx1 free; and

    2) Prevx1 is NOT compatible with Process Guard and we have to choose between one and the other.

    I seem to recall vaguely some comments about Prevx1 that it is now a signature-based product and that it has an insistent compulsion to phone home.

    So given that I have to make a decision, I wonder if someone can enlighten me about what I'll be getting into if I choose Prevx1 over Process Guard.

    I'm also very interested in what effect Prevx1 will have on my existing suite of security programs. For example, do I have to get rid of my anti-virus package, my anti-adware packages, my Ewido anti-Trojan package and so on?

    So that everything makes sense, here's the post:

    I just received a reply from Prevx on the parallel thread to this one on the Castle Cops forum:

    http://castlecops.com/modules.php?na...reply&t=133395

    I'm not a shill for anyone, but the post is so interesting that I'm going to quote all of it right now:

    We would suggest you switch to the free version of Prevx1, our latest CIPS solution. You will find the very latest version v1.1.032 and above contains the same (and many more) features that were offered in Prevx Home. If you run in Prevx1 Pro or Prevx1 Expert mode you have similar control to what Home/Pro users had, but many more new features not available in these two products.

    We are going to have to at some point (soon) phase out Prevx Home in replacement for Prevx1 (now out of Beta). You will find this current version far more stable in terms of install/update than the previous beta releases.

    On your earlier point however running similar HIPS solutions as in ProcessGuard and Prevx1 together isn't recommended as they contain very similar capabilities and so will hook low level system calls and have the potential to clash. We would suggest you choose between the two solutions.

    Also check out the Prevx1 Insight from the home page http://www.prevx.com; it provides you a view of the data available in the Community database.

    First of all, the post seems to recognize that Prevx1 at least can conflict with ProcessGuard. It's not clear about Prevx Home.

    Next Prevx Home is eventually going to be put out to pasture.

    Next, I seem to recall some discussion about the capabilities of Prevx1's new product: very expanded, and also with a systematic 'phone home' capability.

    My questions about this would be: what do people think about Prevx1? What do they think about the free version?

    Thanks very much.

    George75
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: Prevx1: Choosing between it and Process Guard

    Just to be clear, and hopefully to convey to you since, as you said, you are an "infrequent poster" to Wilders....there was no unhappiness on my part. Your Process Guard thread was doing fairly well and we do tolerate a few side discussions. Where we try to draw the line is at questions such as....what do people think about Prevx1? What do they think about the free version?

    Those questions are what I was speaking of, and I do appreciate you now starting this thread concerning those questions in the appropriate forum. Sorry to sidetrack another of your threads, but perhaps this info will be helpful to other infrequent posters like yourself when it comes to staying within the boundaries, especially in the dedicated forums.

    Regards,
    Bubba
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Re: Prevx1: Choosing between it and Process Guard

    Hi George,

    Did you see my response to your post on CastleCops? Hopefully this stuff can be clarified before we end up with another long thread full of misconceptions. It's not really a signature-based program, but rather something of a hybrid. First it will automatically try to determine if something is malware or not using heuristics. If it's not able to, then it will check the online database to see if it's something that's known to be good or bad. If the online database doesn't know, then Prevx1 will send technical info about the program (if it's trying to install a driver, install a hook, set itself to start with Windows, if it "phones home", if it's acting like a server, etc.) to check the information against a list of rules to see if it's acting like malware (and the list of rules gets updated frequently). If the server is unable to determine that, then it will be passed on to an analyst that can make the determination (much more quickly, since the program gets the analysis information). Once that determination is made, whether by an analyst or by your Prevx1, everyone has access to it because it checks in real time, rather than downloading database updates like with normal antivirus programs. That's pretty cool, because that means that in the best case scenario, Prevx1 has the potential to stop a piece of malware just minutes after the first time it's seen on the first machine running Prevx, if not automatically. That's better than waiting for someone to recognize it and send it in, or waiting for the AV company to hunt it down some other way.

    If you have any questions about what information is transmitted, you can view it all online in the Virus Info Center on the website, or on the Insight page, which shows that information in real time as it comes in. You can also enable the advanced options and look at the settings to see exactly what's monitored.

    If you are using the program in Pro or Expert mode, then you will have the option of allowing/blocking actions yourself; to what degree depends on which mode you are using. Prevx1 lets you choose which level suits you best for your comfort/skill level.

    To answer your question about compatibility with other programs, it works just fine with anti-virus/trojan/spyware scanners and firewalls, but any two HIPS type programs that do the same things are likely to conflict. Although Prevx1 is no longer purely a HIPS program, it is still built on top of that, so the same things will still apply. You might also check out the FAQ on the Prevx website, as it answers a lot of common questions.
     
  4. Looks really interesting.

    As Notok says, the first thing Prevx1 does is some sort of centralised checking, which includes heuristical checking and the community database.

    The main differences between the 3 modes, "ABC", "Pro" and "Expert", arise in their response to whether the file is known "Good", "Bad" or "unknown". There's also a 'riskware' category they call 'caution programs'.

    I presume "Bad" programs are those either flagged by heuristics or are in the community database.

    Each mode differs, with respect to a given behavior, in whether it is set to one of the following (from least degree of intrusiveness to most):

    1. Heuristical reporting (appears to be default)
    2. Query (unknown)
    3. Query (unknown/known)

    In addition there is a "Prevent" mode. I suspect that this always blocks 'unknown' (and bad of course) programs.

    At ABC mode, the amount of intrusiveness is minimised. The user will be informed if a known bad program (labelled whether from heuristics or community database??) is prevented. In effect most areas are set to heuristical checking.

    Known Good programs will always work without any alert of course.

    Unknown programs will be set to "query (unknown)" only in certain limited areas; currently they are

    1. 'Program execution -Programs' - So yes you will be queried if you start something unknown to the community database.
    2. Host modification
    3. Changes to BHOs and browser homepage.
    4. Vulnerable windows file control (changes to windows.ini etc)

    Two categories are also set to 'prevent': access to physical memory and disabling Task Manager.

    At the 'pro' mode, a lot more sections are changed from heuristical reporting to 'query unknown'. It's still far less intrusive than, say, AppDefend/RegDefend because it still queries only on unknown programs. And secondly a lot of areas (that are normally covered by AppDefend/RegDefend) are still set to heuristical checking rather than query unknown.

    In 'expert' mode, the main change is that a lot of areas are changed from query unknown to query known/unknown. So you will be queried even if a known good program does something in that area. But otherwise it seems the same areas are covered as in pro mode.

    I.e. there are many areas that are still set to only heuristic checking even at the highest level.

    Two comments/questions

    1. Quite a lot of behavior is still set to only heuristical checking even for the Expert mode. I suppose some behavior is too noisy even for 'experts'? So is there some technical reason that prevents queries?

    2. Similarly, a few behaviors are set to 'Prevent' even for experts. Maybe these are too dangerous even for an expert to allow?

    3. A lot of well known and common 'tests' are already in the community database and are marked good. So testing is a bit more difficult than usual.

    All in all, it looks like a very interesting program, for beginners and 'experts' alike. The community database looks very comprehensive...
     
  5. DigitalMan

    DigitalMan Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    90
    I'm running PrevX1 1.0.33 with ProcessGuard 3.15 and all is well. No conflicts - I don't think these programs really do the exact same things, so I'm not sure I agree that you need to make an either/or decision. I'm using both...
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I'd say a bit of both. Expert is still pretty noisy; having everything enabled would be a little insane. There are also things to consider like files adding to the Windows directory.. a wrong choice on a good program can be disastrous, so better to leave that to the analysts. You'll notice that Pro will give you prompts for that from unknown programs only, where Expert only reports (since it queries known and unknown for all things while in Expert mode). I'm sure that as time goes on we'll see changes to this. The cool thing is that these are modular, so if malware starts using a lot of areas that are set to "report only", they can easily roll out a small update that will give you control. I don't know that that will happen, but Prevx1 is definitely flexible that way. Another example is disabling the XP firewall. Too many security suites do this legitimately without letting you know. If you're not expecting it and click to deny it, the result could potentially be an unstable system - probably not something Prevx wants to be responsible for, and it probably wouldn't add much more security than you can already get with the community aspect of the program.

    I think it's the same as how anti-virus programs will just flag anything using certain packers/crypters. Since they're pretty much only used by malware, there's greater security to be had by just blocking them all, and creating exceptions as needed. Again, remember the support part of the equation; I'm sure such actions wouldn't be stopped if they were commonly used by many legitimate programs, it would be a support nightmare otherwise. Also, there are areas like Buffer Overflow that it uses in its first line of heuristics, and absolutely will be stopped if it finds a definite positive on something that clearly shouldn't be acting that way. From what I understand, the Buffer Overflow protection in this version catches a whole lot more than previous versions, and with fewer false alarms... so just because something is in "Heuristic Report" mode doesn't mean that there isn't generic protection for that area as well, it just means that it will be more selective about what it stops from taking that action. Prevx strikes a pretty good balance on all of these things, IMO. If you get a family (or higher) license, you can actually control a lot more, as well as keep tabs on each computer that Prevx is installed on.

    I've been bugging them about this. I don't think they knew they were going to have the options of Pro or Expert when they marked those good.


    I agree, I think this is the first to let you choose which mode you want to work in. As far as the db.. just think; it's only a couple days out of beta.
     
    Last edited: Dec 23, 2005
  7. I'm also a bit confused, about how the community thingie works.

    If at least one person has seen the file and allowed it, does it mean it's automatically classed as good? I doubt it, since that seems to be quite dangerous: it allows potential abuse by bad guys, at least until the analysts classify it properly.

    I guess i must be wrong, about the community thingie?

    I've also noticed some stuff that is classified as 'good' that IMHO might be a bit dubious depending on how paranoid the user is.

    I find "Pro" and even "Expert" pretty quiet (relatively speaking, compared to other products), except for all the network stuff, which I don't *ever* see the need to set to Query known/unknown. In fact, I would not even need it to be set to Query unknown.

    I personally don't think i need the network stuff, since that's handled by my firewall. But the bad thing about Prevx1 now, is that you are stuck with the predefined settings for the 3 levels, so you can't turn it off unless you go down to ABC level.

    On the reverse side, as stated, I'm pretty surprised at the areas that are not set to query even for Pro/Expert level. I can accept buffer overflows being set to heuristics (that actually makes sense to me), but there are some areas IMHO that are quiet enough and simple enough to understand that any self-respecting 'expert', I think, would want to control himself. Or perhaps I'm just misunderstanding the description.

    I think it's a pity they don't allow users to fine-tune further the level of control they want, rather than locking them into 3 choices.

    A compromise I think would be this.

    Perhaps they could allow users to 'downgrade' settings while not allowing upgrades. By downgrades, I mean you can change from query (known/unknown) to query unknown or heuristics checking, but not in the other direction.

    So you can run with 'expert' mode, but lower some settings down to merely heuristic checking if you don't want control of those areas.

    I would prefer control in both directions, but even control in only one direction would be better than nothing.


    Well, this observation of mine should be tempered by the fact that the guys testing this are people like you (Notok) and, I suspect, we have a lot of the same interests, so I shouldn't be surprised that security-related programs are well covered.

    I extended my tests with other programs commonly in use from my other hobbies (e.g. chess), and as expected it's not as well covered, but still impressive enough.

    A typical home user who just does normal email and surfing should have almost zero popups even in Pro mode, I think. The more comprehensive the database, the fewer popups you are going to see in ABC/Pro modes.
     
  8. Yes, DigitalMan, it seems to work okay with both.
     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It just does automatic malware determination, so the only things automatically determined are bad, and those would have to be fairly obvious, I think (like buffer overflows and such). I know there's more complexity to it than that, but I haven't come across many false positives from it.. so I think they play it pretty safe. It's got 2 levels of automatic determination (heuristics and the rules on the central server), then the existing database of known/unknown, then the live analysts.

    That goes with any security program, I think. There's also an enterprise version that I think is actually the same, you just get back-end controls for the Prevx agents on your network. Best not to block IT tools when you've got customers like that :)

    I agree, and I suggested giving independent control of the network stuff. It does state on the page, though, that it's also being designed for all the users that are only using Prevx on their machine.. it makes a nice complement to the XP firewall.

    All of those things go into the heuristics, so I think the point is that you've got greater security by just letting heuristics take care of those areas.

    You can if you have a family license or higher :) (you also get to see stats from those machines and can make changes like blocking things).

    I think that's a great idea.. you should submit it to support. I'm pretty sure, though, that what they did was build up the new community stuff, then basically add on some of the old functionality.. so I'm sure we'll be seeing changes to this as time goes on. Prevx has always been open to ideas and requests, so I wouldn't be too shy about submitting these things. I mean after all, they totally redesigned it when they found out that the old system wasn't working because everyone was allowing everything. I don't think I've ever seen that before.

    This is true. They do still have a pretty massive database, though.. the Insight page was reporting over 27,000 new files yesterday. If you think about it, though, it's going to be us that start and start branching out from there.. so it will probably all even out. We also still use a lot of the normal stuff, too. Then you're going to get programs that share common libraries and such. It probably won't take all that long for the DB to catch up.. it's the really common stuff that comes pre-installed that's the biggest deal, when you think about it. That stuff is all made to be super-user-friendly, and so does a lot of stuff without you knowing (think ctfmon.exe). The hobby type stuff that you download and install is usually pretty straightforward, so not as many surprises. The malware determination stuff will also be fine-tuned as it goes along, so that will probably increase the speed of determinations (both good and bad) as time goes on.

    Keeping in mind that the original poster of this thread had big conflicts with Prevx Home and PG, I wouldn't necessarily recommend Prevx be used with another HIPS to the general public (it may well have been one of my posts that encouraged him to try both together).. but the more adventurous of us that can recover from major system problems can always give it a try. I can say that throughout beta testing Prevx was the one HIPS type program that conflicted with others the most. Usually after finding out how the conflicting program worked it made complete sense, it pretty much always had to do with the two programs trying to install the same kind of driver, rather than either one of them being buggy (despite being in beta). Sometimes they work, sometimes they don't.. if you're not sure, best to choose just one or at least wait to hear how everyone else fares.
     
    Last edited: Dec 23, 2005
  10. Interesting, I had the impression that the heuristics always take a first bite at it (heuristics checking is the default), and then only if it passed, the query comes into play if set. So basically setting it at query unknown actually gives you more security if you think you can spot something that passes heuristics. At the cost of noise, of course.

    Really? From the website it doesn't say that. You mean if you own a family license, you can freely change levels without caring about ABC/expert/pro?
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Well, first it's going to ask the database if it's already known, but then you are correct. The problem is whether you know to allow or block it, and whether giving you that query is going to significantly increase your security. I think it's a question of which is better able to make the determination, the heuristics or the user? Keep in mind that the old data showed that most users were allowing infections to occur (and stopping legitimate files that ended up causing problems/crashes). Basically the sets that they chose are good sets for keeping you protected; much more would increase noise too much, at a poor balance of additional security. Since it's modular, however, as the need arises new updates can be rolled out to change that, if necessary.

    Well, you can create your own set in addition to ABC/Expert/Pro, yes. This gives families parental control, and it gives businesses the opportunity to set custom profiles as necessary (it was originally intended for businesses). You can then keep tabs on, and control, each agent through a web interface. So when I give my mom her copy for xmas, I will be able to log on, see if she has any malware on her system, and adjust her profile as necessary, or create a new one if a particular query(s) proves too difficult, all from my own computer. Pretty cool, huh?
     

  12. Okay, that's what I thought.

    I suppose from the POV of an ultra-paranoid user, user control on top of heuristics would give more security.


    Cool, yes. But it seems to presume that anyone who has a family license is more 'expert' than anyone else with a single license. I'm beginning to think that the reason why single licenses are not given the ability to tailor profiles has less to do with expertise than with additional features given to bigger customers. :)
     
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    True, but a company has to balance what would really add security vs support issues. I know they had issues with Home/Pro when people would block critical system processes, things like that. Like I say, too, some of that is going to be caught by the heuristics.. I doubt there's going to be much getting by that kills the XP firewall, for example. If it's almost always going to be caught by heuristics, then it's going to do more harm than good to keep alerts enabled because of what people might block otherwise. Pro and Expert do offer quite a bit, and as time goes on I'm sure we'll see more added. I'm sure a lot of that will be based on feedback, since they just put that functionality back in the final release. I know there's still more already in the works as well, such as script protection.

    Business customers are going to demand that kind of control, as they may have proprietary apps or other special requirements. I remember reading a thing about McAfee making a HIPS type program and pitching it to the US Military. The military basically said "hey, that sounds great, but the first time it alerts on something legitimate, we're taking our business elsewhere." ...and you don't get those customers back. It also makes some sense to give that to families so that they can turn things down/off if they need to.

    With the additional maintenance of the back-end (this is going to make the software more complex) and the additional support, it kind of makes sense that it would cost a bit more. Five licenses for the price of two isn't a bad deal if you really want that additional kind of control. The more important things in that list for a family situation, IMO, is the ability to disable the checkboxes that let you remove the password, etc.
     
    Last edited: Dec 25, 2005
  14. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Thanks to all for the information.

    I have scanned the exchanges between Notok and others here, read Notok's presentation on the parallel thread on Castle Cops http://castlecops.com/t133395-Can_Prevx_home_free_and_PC_Guard_free_work_together.html, and read the presentation that Prevx1 has on its website about how its product works, including the FAQs. However, one thing bugs me: the question of privacy. It is clear that the fundamental difference between Prevx1 and your standard signature-based or heuristic-based antivirus/adware/antitrojan package is the centralized Prevx database. What I understand is that when you install Prevx1, a scan is executed of your computer, and a local database constructed, which is validated against the Prevx1 central database, for each program on your computer to be flagged as acceptable, unknown, or bad. Moreover, I understand that every program that Prevx1 ever encounters anywhere in the world is marked with a unique identifier--so that all the programs on your computer are fit into this unique world-wide identifier schema. I also see that the Prevx1 threat centre lists information on bad websites. Now in the FAQs, Prevx is careful to say that it doesn't read your email and so on. What is not clear to me is whether the central Prevx database is keeping a personally identifiable inventory of your programs and perhaps even of the websites you visit. I wonder about this because somewhere--I didn't find it again--I seemed to see a note that Prevx is capable of informing its clients once a program previously treated as unknown has been analysed at Prevx headquarters to be malware. Now there are only two ways this can be done: a general broadcast to all users about program x with unique identifier y, or else a specific message to users a, b and c (i.e. to the Prevx1 program installed on their computers) that use program x with unique identifier y. But to be able to send messages to users a, b and c about program x with unique identifier y, the central database must have a data element keyed to unique identifier y with a list of all users who have it installed, or, equivalently, a data element keyed to users a, b and c with a list of all the programs installed on their computers by unique identifier y, z and so on. This ability to inform users about programs determined to be malware seems to be apart from the routine interrogation of the central database before running a program considered uncertain by the local database. Similarly, if there is any communication to specific users about websites that are bad, then there must be personally identifiable information kept for each user about his surfing behaviour. I would even be a little uneasy about having Prevx1 phone home every time I visited a website--presumably one that hadn't been put on the local database as okay. While it is not the same thing as uploading a copy of your email, personally identifiable information about the programs you have on your computer, and perhaps even about the websites you visit, can be very revealing of who you are. I wonder if someone from Prevx--not Notok; it has to be an official answer--can clarify these issues.

    Thanks very much,


    George75
     
    Last edited: Jan 1, 2006
  15. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    Hi george75,

    I'm the Prevx1 Security Architect. Here's how Prevx1 communicates with the central database....

    We have a common communication protocol that goes between the Prevx1 agents and the central database - it's a simple request/response protocol. This communication occurs on three distinct occasions:

    1. initial scan;
    2. execution of a new program, that is, one that was not present when the scan was performed;
    3. when any program exhibits a new behaviour that triggers a security setting.

    On each request, the Prevx1 agent provides details of the filename and path of the process violating the rule and (if applicable) the filename and path of the file/module on the system affected by it. This also includes things like the version of the agent, the status of any other AV/FW installed - whether it is on/off/out of date, whether Windows Update is active etc. - and the agent's current view as to whether the actor and victim are good/bad/unknown and whether the user has overridden the central setting. This forms the basis of the stats provided by the central DB.

    Each request can contain multiple "events", so if you're offline they will be requested in bulk when the network connection is available again. The on-install scan also works in bulk.

    The response from the center is very straightforward and comes in two parts. The first part contains an answer to each event in the request. This allows us to indicate the central determination (good/bad/unknown) of the process (actor) and the victim. It also allows the DB to indicate to the Prevx1 agent whether or not more information is required for the "event" (version info details or the unique signature that the agent has generated for the actor or victim (yes, signatures are generated by Prevx1 agents, not Prevx staff)) and whether the research team would like a copy of the physical file. If we would like the file, the user will be asked permission before uploading. BTW, we've never needed to use this feature.

    So, take a typical example.. Running notepad.exe from explorer.exe to edit the hosts file.

    In this case 3 events are raised:

    1. Execution of notepad.exe (victim) by explorer.exe (actor).
    2. Hosts file modification event by notepad.exe (actor).
    3. Termination event by notepad.exe (actor).

    If notepad.exe was new on your system, event 1 would have been checked against the DB immediately and you would be queried if notepad.exe was unknown.

    If notepad.exe had been seen before (and was good), event 1 would be queued and the flow would be as follows:

    In Expert-Mode: event 2. would be checked against your rules, and queried if not present. It would then be queued for sending to the DB.

    In Pro/ABC-mode: event 2 would be allowed (as Actor is Good) and queued for sending to the DB.

    In all modes Termination events are informational, so would simply be queued.

    At some point later (usually within 30 seconds) the agent would attempt to report the three events to the central DB.


    So, basically on each "event" the agent will contact the DB (either immediately or within 30 seconds (if online)) and request a determination for the actor and victim of the event. This gives the DB the opportunity of informing the agent when a determination changes from unknown to Bad, and the agent can take action to terminate the bad process (if it's running). To reduce network traffic, we only send events if they've never been sent before or the actor or victim haven't had their determination rechecked for more than a day.

    The first part of the event response allows the agent to obtain updates for the signatures that it has when and only when that process causes an event to be raised. If it is not active on your system it will not raise any events.

    The second part of the event response is a broadcast mechanism. It allows us to push out signatures and determinations to ALL Prevx1 agents when it is appropriate. For example, when a new version of Office comes out, or a major Windows service pack. It allows us to pre-install the signatures that are most used by our users. It also allows us to broadcast a Bad determination for a fast-propagating worm almost instantly to all users.

    We do not keep any record of the events raised by individual agents. We have structured our data in such a way that every agent will generate the same "event request" to the central DB for the same set of actor/victim/event. This means that once we have seen the event from any agent in the world we now know that that actor causes that behaviour on that victim. From that point on we simply keep a count of the number of agents that make a request for that identical event, and the filename/paths that that agent has seen the event on.

    As far as web-tracking goes, we do the following:

    1. When you browse to a web-site we note the URL (but do not send it anywhere).
    2. We then monitor the browser's behaviour (as we do any other process).
    3. If the browser breaks a trigger rule (e.g. creates a .exe in %windir%\system32) we substitute the URL for the browser as the actor in the event raised to the DB. In doing this we normalize the URL. We remove all attributes, we remove any username/password that may be in the URL.

    This has the following consequences:

    1. We DO NOT track every web-site you go to.
    2. We DO track the URL when your browser breaks a trigger rule.

    This means that we can identify which web-sites are hosting particular spyware/adware/exploits. Otherwise, we would see your browser as being the culprit in the attack.

    This essentially means that we gather the URL of web-sites you visit if and only if one of the following occurs when you visit that site:

    1. We detect a buffer overflow attack within your browser.
    2. We detect the creation of a new executable program by your browser before you browse to another site.

    The only exception to this is for corporate and family-license clients. Here we note which agent has seen which signatures when and only when the signature is Bad or unknown. This allows administrators to see what malware and currently unknown programs are installed in their user-base. But even in this case we do not keep an inventory of events for each agent - the storage requirements and performance implications are prohibitive for doing this.

    BTW, this has allowed us to get a handle on the recent WMF/WMV exploit very quickly. Check out http://research.prevx.com/ and click on WMF/WMV Executable Code exploits in the chart.

    Hope this helps,

    ghiser1
     
  16. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Dear Ghiser1

    Thank you for a very, very serious reply--and indeed a very speedy reply. I will have to reflect on what you say, but I am quite grateful to you and to Prevx for having the courtesy to send such an authoritative reply. I will post some questions and comments over the next few days.

    george75
     
  17. Arup

    Arup Guest

    ghiser1,

    Thanks for your excellent clarification. Now my question is: if I use P2P apps, which have a habit of making multiple connections, would PrevxR see that as a buffer exploit and block those connections, or would they be allowed?
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    I have a question for Ghiser1.

    I installed the release version of Prevx1 to take a look. I found the results of the initial scan a bit bizarre. First, I have a folder with several keyloggers, that really excite most scanners, and Prevx1 totally ignored them, but it jailed several files from some of the ScanSoft products (PaperPort and OmniPage) which I know are clean. Also I couldn't find any way of telling Prevx1 that these files were okay. Did I miss something?

    Pete
     
  19. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I've never had any problems

    You just have to drag-and-drop them from the "holding cell" to "probation". If you want to report them as false positives you can double click on the file, and click "Disagree ?" in the upper right-hand corner of the webpage that brings up.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    I guess that's what I have never liked about Prevx. If there is an expert mode for users who know what they are doing, then it should have a way for me to mark them safe. Till that changes, for me Prevx1 is still in Jail.
     
  21. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Putting them in the Probation means that you're marking them safe.. that's your exclusion list, and it shouldn't bother you any further after that. Unless you're talking about changing it on the central database for everyone else as well, but I don't know of any scanner that will let you do that. You can, however, report the false positive so the analysts can take a look and make the correction for everyone else.
     
  22. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    Hi Arup,

    The simple answer is that Prevx1 would not see this as a buffer overflow exploit. Buffer overflow exploits have nothing to do with the load on the system or the number of network connections a program makes.

    I think it's probably worth outlining the simplest example of a buffer overflow and how it relates to Prevx1's detection of them. This (hopefully) will allow you to understand the general nature of what a buffer overflow exploit is and when Prevx1 would detect one.

    I'll assume you have knowledge of 'C' here - at least for reading it. Take a simple 'C' program that takes a single string parameter, copies that parameter to an internal "buffer" and then prints it out.

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[ 10 ];      /* room for 9 characters plus the '\0' terminator */

        if (argc < 2)
            return 1;           /* no parameter supplied */

        strcpy( buffer, argv[1] );   /* no length check: this is the overflow */

        printf( "%s\n", buffer );

        return 0;
    }

    In this example, the program has space in the buffer for 10 characters. That is enough to safely store a 9 character 'C' string as such strings require a '\0' character on the end as an end of string marker.

    If the program is called with a parameter of 9 characters all is ok.

    e.g. prog.exe 012345678

    The question is what happens if it is called with more than 9 characters?

    e.g. prog.exe 0123456789ABC

    The buffer only has room for 10 characters, but here we have supplied 13 characters (don't forget the '\0' on the end). The program doesn't do any checking to ensure that there is enough space in its "buffer" and so when the strcpy() is performed the entire 13 characters are copied to the memory address that holds "buffer". This corrupts the address space of the process and causes the program to crash. Even though this buffer has been overflowed, Prevx will not raise a buffer overflow event here as there is no threat to the system.

    I'll explain when Prevx1 will alert shortly, but first it's worth looking at what happens inside the program when this 13 character string is passed in.

    To understand what happens within the program we need to look at how the 'C' compiler uses the program's stack to store local variables - in this case "buffer". We also need to understand how the processor handles function calls - specifically how the processor knows where to continue executing from after the function completes.

    Let's assume for our example that the main() function of the program above lies at a memory address of 0x22222222 (it could be anywhere, but this is a useful number for this example).

    When you run this program the 'C' runtime library performs its initialization and then it calls main(). In order to call the main() function, the 'C' runtime will use the x86 CALL instruction. This instruction does two things:

    1. It places the address of the next instruction onto the stack.
    2. It changes the program counter (EIP register) to point to the function being called.

    So if the 'C' runtime library's CALL instruction is at address 0x44444440 (say) the address of the next instruction (the one to execute when the CALL completes) will be placed on the stack - say 0x44444444.

    Let's assume for this simple example that the stack is empty before this CALL and the stack is held at address range 0x60000000 through 0x60000100. The process registers and memory locations of interest will change as follows:

    Before CALL to main():

    EIP: 0x44444440 program counter contains address of CALL
    ESP: 0x60000100 stack pointer points to top of the stack

    CALL instruction performs:

    ESP is set to ESP-4
    *(ESP) contents of ESP are set to 0x44444444
    EIP is set to 0x22222222

    After CALL instruction to main()

    EIP: 0x22222222 program counter now at the beginning of main()
    ESP: 0x600000FC stack pointer has been decreased by 4
    Stack: 44 44 44 44 the address of the instruction to execute after main()

    When the main() function completes it will execute an x86 RET instruction. This does the opposite of CALL. It POPs the value in *ESP and places it in the EIP register.

    If the program has run successfully, the RET sequence at the end of main() would look like this:

    Before RET:

    EIP: 0x22222300 (say) address of RET
    ESP: 0x600000FC
    Stack: 44 44 44 44

    During RET:

    EIP is set to *ESP (0x44444444)
    ESP is incremented by 4

    After RET:

    EIP: 0x44444444
    ESP: 0x60000100
    Stack: Empty

    As you can see the CALL/RET instructions act as a pair placing the program back to where it was before the main() was called.

    Now, let's look at the storage and overflow of buffer.

    As main() starts, the first thing it has to do is allocate space for the "buffer" local variable. In this example the buffer is stored on the stack and the space for the buffer is allocated by changing the stack pointer ESP register. To allocate 10 bytes of stack space the x86 instruction SUB ESP,10 is used.

    The effect of this is as follows:

    Before SUB ESP,10

    EIP: 0x22222222
    ESP: 0x600000FC
    Stack: 44 44 44 44

    After SUB ESP,10

    EIP: 0x22222226
    ESP: 0x600000F2
    Stack: 00 00 00 00 00 00 00 00 00 00 44 44 44 44
           *
    So here you can see that the stack has grown by 10 characters. * indicates the start of "buffer". The 44 44 44 44 is the RETurn address that the CALL instruction placed on the stack.

    Now when you call this program with prog.exe 012345678 the ASCII form of these characters will be copied into buffer as follows.

    Before strcpy():

    Stack: 00 00 00 00 00 00 00 00 00 00 44 44 44 44

    After strcpy():

    Stack: 30 31 32 33 34 35 36 37 38 00 44 44 44 44

    If instead the 13 character string is used.... prog.exe 0123456789ABC

    Before strcpy():

    Stack: 00 00 00 00 00 00 00 00 00 00 44 44 44 44

    After strcpy():

    Stack: 30 31 32 33 34 35 36 37 38 39 41 42 43 00

    Here you can see that the RETurn address that the CALL instruction placed on the stack has been overwritten. What is the effect of the RET instruction at the end of main() now? It will perform the same steps as before:

    Before RET:

    EIP: 0x22222300 (say) address of RET
    ESP: 0x600000FC
    Stack: 41 42 43 00

    During RET:

    EIP is set to *ESP (0x00434241)
    ESP is incremented by 4

    After RET:

    EIP: 0x00434241
    ESP: 0x60000100
    Stack: Empty

    As you can see the effect of overflowing the "buffer" caused the program counter (EIP) to change to an address that isn't part of the program - this causes the program to crash.

    Although it crashes, no exploit code has been executed, so Prevx1 doesn't raise any alarm.

    A buffer overflow exploit makes use of this ability to change the EIP register by placing values in the data stream that cause the EIP register to be changed so that it points back into the datastream itself. This allows an attacker to embed executable instructions in the datastream and have them executed when the original program's RET instruction is executed.

    Prevx1 detects the execution of code from within an overflowed buffer.

    As you can see, this has nothing to do with network connections or system load. A buffer overflow vulnerability is essentially a part of a program where a "buffer" is used that isn't safety checked before being written to. In some cases, these buffers can only be overwritten to cause the program to crash - a denial of service attack. In other cases, executable code can be injected into the buffer and run - this is an exploit. This is what Prevx1 detects.

    Google around for "buffer overflow example". There are lots of tutorials out there. This example is the simplest example. There are lots of other types, but in essence they are all about one thing - modifying the execution of a program by injecting code into it through a data buffer. Programs that may be at risk from attack include: any network service (the client attacks), any program that accesses a network service (the server may attack you), any program that reads an input file to parse it (rogue file - JPG/GIF/WMF etc).

    Hope this helps,

    ghiser1
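    To make the two copies concrete, here is an added example (my own, not ghiser1's or Prevx's code) that models the 14-byte frame from the post above, a 10-byte buffer followed directly by the saved return address 0x44444444, as a plain C struct, runs the unchecked strcpy-style copy and a length-checked copy over the post's two inputs, and shows what RET would load into EIP in each case. The struct layout, the helper names and the clamping of the unchecked copy at the end of the modelled frame are assumptions of this model, not a description of how Prevx1 works.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed model of the frame in the post: 10 bytes of "buffer", then the
 * 4-byte return address that CALL pushed. All members are bytes, so there is
 * no padding and the layout matches the post's "Stack:" dumps byte for byte. */
#define BUF_SIZE   10
#define SAVED_RET  0x44444444u

struct frame {
    unsigned char buffer[BUF_SIZE];   /* char buffer[10] from the post */
    unsigned char saved_ret[4];       /* return address, little-endian */
};

static void frame_init(struct frame *f)
{
    memset(f->buffer, 0, BUF_SIZE);
    f->saved_ret[0] = (unsigned char)(SAVED_RET & 0xff);
    f->saved_ret[1] = (unsigned char)((SAVED_RET >> 8) & 0xff);
    f->saved_ret[2] = (unsigned char)((SAVED_RET >> 16) & 0xff);
    f->saved_ret[3] = (unsigned char)((SAVED_RET >> 24) & 0xff);
}

/* Decode the saved return address the way x86 RET would load it into EIP. */
static uint32_t frame_ret_addr(const struct frame *f)
{
    return (uint32_t)f->saved_ret[0]
         | ((uint32_t)f->saved_ret[1] << 8)
         | ((uint32_t)f->saved_ret[2] << 16)
         | ((uint32_t)f->saved_ret[3] << 24);
}

/* Unchecked copy: what strcpy(buffer, argv[1]) does. It copies strlen(arg)+1
 * bytes regardless of BUF_SIZE, so bytes 11..14 of a long argument land on
 * saved_ret. The copy is clamped at the end of the modelled frame only so the
 * demonstration itself stays well-defined C (the struct is one byte object). */
static void copy_unchecked(struct frame *f, const char *arg)
{
    size_t n = strlen(arg) + 1;           /* includes the terminating '\0' */
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, arg, n);
}

/* Hardened copy: verify the string and its '\0' fit before writing anything,
 * and refuse the input otherwise. saved_ret can never be reached this way. */
static int copy_checked(struct frame *f, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= BUF_SIZE)                  /* needs len+1 bytes; only 10 exist */
        return -1;
    memcpy(f->buffer, arg, len + 1);
    return 0;
}

/* Run one argument through a fresh frame and report the resulting EIP / verdict. */
static uint32_t ret_after_unchecked(const char *arg)
{
    struct frame f;
    frame_init(&f);
    copy_unchecked(&f, arg);
    return frame_ret_addr(&f);
}

static int checked_accepts(const char *arg)
{
    struct frame f;
    frame_init(&f);
    return copy_checked(&f, arg) == 0;
}

static void dump_frame(const char *label, const struct frame *f)
{
    const unsigned char *p = (const unsigned char *)f;
    printf("%-16s Stack:", label);
    for (size_t i = 0; i < sizeof *f; i++)
        printf(" %02X", p[i]);
    printf("   RET -> EIP = 0x%08X\n", frame_ret_addr(f));
}

int main(void)
{
    /* The post's two inputs: 9 characters fit, 13 overwrite the return address. */
    const char *const args[] = { "012345678", "0123456789ABC" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        struct frame f;
        frame_init(&f);
        copy_unchecked(&f, args[i]);
        dump_frame(args[i], &f);
        printf("%-16s checked copy: %s\n", "",
               checked_accepts(args[i]) ? "accepted" : "rejected (would overflow)");
    }
    return 0;
}
```

    For the 13-character input the dump ends in 41 42 43 00 and the decoded return address is 0x00434241, the little-endian reading of "ABC\0" that the post arrives at by hand; the checked copy rejects that input without touching the frame.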
     
  23. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    Hi Pete,

    If we raise any false positives, please do the following for each of them:

    Double-click on the entry for the program in the Jail screen. This will open your browser and display the community view of that program. On the first screen you will see a small link in the top right-hand corner which says Disagree? Please click that link and tell us what that program is. This will cause a job to be raised to customer support and we will investigate each one and update where appropriate. We have had some cases of disagreements where the file in question was an infected version of a legitimate program. But please submit them so that we can examine them.

    In the case of your false negatives, could you please place a support call manually using the Support link in Prevx1 - right click on the task-bar icon. Mention that you have some known keyloggers and that ghiser1 asked you to call support. We can then go through the files with you and mark them in our database accordingly. Please give as much information as possible about the path/filename where you have them stored.

    Regards,

    ghiser1
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    hi ghiser

    Debated about responding, but decided to do so. First, in case you have seen me in some of the threads here, I have been/am beta testing several other HIPS-type programs. I also have two licenses to Prevx. I currently have 3 of the HIPS programs on and running. I loved Prevx Pro, and in some ways am sorry I switched my license to Prevx1.

    I ran the Prevx1 beta for a while, but there was something that I found intolerably annoying, particularly as a beta tester when you are always doing installs. That was when encountering a new program, and marking it trusted, you asked for a description. That was fine the first time, but if you did an install on the same program, to keep being pestered for the description became a real nuisance. Got to the point I'd just put an x or some tacky comment in there, and finally gave up and uninstalled.

    When I comment on Prevx1, I am commenting from the point of view of running either in the pro or expert mode. I realize for the mode for mum and auntie Jo things are different.

    I also understand the value of reporting false positives. I am currently running the KAV 6.0 beta. When run with the extended database I do get a couple of false positives. KAV is aware of one of them, but for some reason it keeps appearing. BUT, I just flag it as trusted, and never see it again. Granted I have to do this with each new beta, but if I wasn't bothering with betas I'd never see this again (unless I go and look in the list of trusted stuff). Bottom line is if I want to report an FP I can, or if busy, I can simply flag it as trusted, and it's out of sight and mind.

    So it bugs me (and this may just be me) when I see files from programs as well respected as Microsoft, and which I know are clean, showing up in Jail. Sure I dragged them to probation. But frankly I, running in expert mode, find it irritating to see them on "probation". They in no way fit the definition of the word probation, and as a user I might not want to have to go through what you suggested to flag them as "trusted". I want to have the ability to make that call. It should be there in expert mode.

    As to the keyloggers that weren't detected, you are asking me to call support. First, these are commercially available trials of keyloggers that could be used against me, like Elite Keylogger. They all can be found on the web. Surely your people can find them. I have them in a folder on my desktop, so they should be found by the scan.

    If you are going to claim you are providing this service, then I shouldn't have to do this for you.

    When I said in the post above that Prevx1 was in Jail, what I meant is it has been uninstalled. There are some good competitive products out there, so I can't see running something that annoys me.

    All this being said, I think you are on a good path, for mum and dad, but in your expert mode, you might rethink some of this. I wrote this, not trying to be critical, but help you understand one point of view.

    All the best

    Pete
     
  25. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Dear ghiser1:

    I have finally got around to replying to your very detailed response on privacy. My questions are very much keyed to your text, so I have taken the liberty to reproduce your text in full (offline, so it doesn’t follow the Wilders forum quote convention), with my questions in-line. Your text is in block quotes, whereas mine is set flush left.

    We have a common communication protocol that goes between the prevx1 agents and central database - it's a simple request/response protocol. This communication occurs on three distinct occasions:

    1. initial scan;
    2. execution of a new program; that is one that was not present when the scan was performed;
    3. When any program exhibits a new behaviour that triggers a security setting.

    On each request, the Prevx1 agent provides details of the filename and path of the process violating the rule
    Are these what we would call heuristic rules for detection of generic behaviour that is suspect?

    And (if applicable) the filename and path of the file/module on the system affected by it. This also includes things like the version of the agent, the status of any other AV/FW installed – whether it is on/off/outofdate, whether windows update is active etc.
    Is this equivalent to a systems profile?

    and the agent's current view as to whether the actor and victim are good/bad/unknown

    Are these the determinations pre-existing at the time the request is issued, based on the initial scan and previous communication with the central data base?

    and whether the user has overridden the central setting.

    Is this central setting the setting that the agent has originally established as to whether the actor and victim are good/bad/unknown?

    Can you clarify whether this request contains unique identifier information for the computer that is running the agent—i.e. the computer user?

    This forms the basis of the stats provided by the central DB.

    Each request can contain multiple "events", so if you're offline they will be requested in bulk when the network connection is available again. The on-install scan also works in bulk.

    This seems straightforward.

    The response from the center is very straight forward and comes in two parts. The first part contains an answer to each event in the request. This allows us to indicate the central determination (good/bad/unknown) of the process (actor) and the victim. It also allows the DB to indicate to the Prevx1 agent whether or not more information is required for the "event" (version info details or the unique signature

    Is this signature that you are here referring to the PX5 unique identifier of the actor/process and victim? There is a bit of confusion in the nomenclature: I understand signature to be a piece of code characteristic of a certain virus that an AV program looks for; those signatures are contained in the AV database downloaded every so often from the AV company. I understand unique identifier to be a way of identifying uniquely an executable module, even distinguishing it from minor variants. I understand heuristic to be a generic rule that does not identify specific viruses but looks for the sort of behaviour that an analyst thinks a virus-writer might like to try.

    that the agent has generated for the actor or victim (yes signatures are generated by Prevx1 agents not Prevx staff)

    See above as to what signature means.

    and whether the research team would like a copy of the physical file. If we would like the file, the user will be asked permission before uploading. BTW, we've never needed to use this feature.
    So, take a typical example.. Running notepad.exe from explorer.exe to edit the hosts file.

    In this case 3 events are raised:

    1. Execution of notepad.exe (victim) by explorer.exe (actor).
    2. Hosts file modification event by notepad.exe (actor).
    3. Termination event by notepad.exe (actor).

    If notepad.exe was new on your system, event 1. would have been checked against the DB immediately and you would be queried if notepad.exe was unknown.

    If notepad.exe had been seen before (and was good), event 1 would be queued
    I.e. for execution by my computer, not for sending to the central DB?

    and the flow would be as follows:

    In Expert-Mode: event 2. would be checked against your rules, and queried if not present. It would then be queued for sending to the DB.

    This is the central DB?

    In Pro/ABC-mode: event 2 would be allowed (as Actor is Good) and queued for sending to the DB.

    Again the central DB?

    In all modes Termination events are informational, so would simply be queued.
    Queued for what? Evidently for sending to the central DB.

    At some point later (usually within 30 seconds) the agent would attempt to report the three events to the central DB.


    So, basically on each "event" the agent will contact the DB (either immediately or within 30 seconds, if online) and request a determination for the actor and victim of the event. This gives the DB the opportunity of informing the agent when a determination changes from unknown to Bad, and the agent can take action to terminate the bad process (if it's running). To reduce network traffic, we only send events if they've never been sent before or the actor or victim haven't had their determination rechecked for more than a day.
    This is a very important statement but I find it a little ambiguous. It seems to suggest that you are sending the event—i.e. the reply by the server to the computer user’s Prevx1 agent request concerning the three stages of the modification to the Hosts file by notepad.exe—to a specific user, not broadcasting it to the whole population of Prevx1 users. This seems technically reasonable in the sense that you would have a horrible traffic problem if you were sending broadcast messages to all and sundry for every event on every user. However, this means that the central program (master program?) on Prevx’s server is communicating with specific users by name as it were. This I suppose is what you meant when you said above that you were using a simple request/response protocol.

    Now what needs, in my opinion, to be clarified, is how the master program determines whether or not to reply to the event. For you seem to be saying that if it concludes that the victim and actor have been seen before, and have had their determination checked in less than a day, then the master program on the server is not going to reply to the Prevx1 agent on the user’s computer. Could you clarify this? It seems to say that the master program needs to know what has happened for that user with regard to that actor and victim in the last twenty-four hours. Which again suggests that you are keeping personally identifiable records on your central DB’s concerning events.

    The first part of the event response allows the agent to obtain updates for the signatures that it has when and only when that process causes an event to be raised. If it is not active on your system it will not raise any events.

    This seems technically reasonable: you do the full scan once, then you recheck only when the module is run again.

    The second part of the event response is a broadcast mechanism. It allows us to push out signatures and determinations to ALL prevx1 agents when it is appropriate. For example, when a new version of Office comes out, or a major Windows service pack. It allows us to pre-install the signatures that are most used by our users. It also allows us to broadcast a Bad determination for a fast-propagating worm almost instantly to all users.
    Correct me if I’m wrong, but this broadcast mechanism seems to be in addition to the normal event mechanism you have just outlined: as I understand it, in the normal course of affairs, the master program on the server is communicating individually with Prevx1 agents based on the programs they are using. But you also have the facility for a general broadcast. This again makes technical sense. Now the question would be this: is this general broadcast to ALL Prevx1 agents, or do you keep a list of what programs each Prevx1 agent is using, so that the broadcast is targeted? After all, if my computer uses OpenOffice, and not Windows Office, I’m not very interested in the latest version of Windows Office, although I am interested in the latest version of OpenOffice.

    We do not keep any record of the events raised by individual agents.
    But are you keeping other personally identifiable information about the programs (or, as you put it, signatures) on the user’s computer?

    We have structured our data in such a way that every agent will generate the same "event request" to the central DB for the same set of actor/victim/event.

    From what you are saying, however, even a minor variant of an actor, victim or action will generate a new event, since the signatures are not grouped into equivalence classes, but treated as unique.

    This means that once we have seen the event from any agent in the world we now know that that actor causes that behaviour on that victim. From that point on we simply keep a count of the number of agents that make a request for that identical event, and the filename/paths that that agent has seen the event on.

    Does the filename/path include the user’s computer name/identifier?

    As far as web-tracking goes, we do the following:

    1. When you browse to a web-site we note the URL (but do not send it anywhere).
    2. We then monitor the browser's behaviour (as we do any other process).
    3. If the browser breaks a trigger rule (e.g. creates a .exe in %windir%\system32) we substitute the URL for the browser as the actor in the event raised to the DB. In doing this we normalize the URL. We remove all attributes, we remove any username/password that may be in the URL.

    This has the following consequences:

    1. We DO NOT track every web-site you go to.
    2. We DO track the URL when your browser breaks a trigger rule.

    This means that we can identify which web-sites are hosting particular spyware/adware/exploits. Otherwise, we would see your browser as being the culprit in the attack.

    This essentially means that we gather the URL of web-sites you visit if and only if one of the following occurs when you visit that site:

    1. We detect a buffer overflow attack within your browser.
    2. We detect the creation of a new executable program by your browser before you browse to another site.

    The only exception to this is for corporate and family-license clients. Here we note which agent has seen which signatures when and only when the signature is Bad or unknown.
    Where do you note this? On the central data base or on the computer administrator’s local database? Obviously, this would create a very serious privacy issue if it were on your central database.

    This allows administrators to see what malware and currently unknown programs are installed in their user-base. But even in this case we do not keep an inventory of events for each agent - the storage requirements and performance implications are prohibitive for doing this.

    Granted that this is so, are you keeping an inventory in personally identifiable form for each Prevx1 user of the signatures that he has on his computer? This, from what you say would include the ‘normalized URL’s’ of suspect websites that the user had visited—suspect according to the criteria that you outline above.

    BTW, this has allowed us to get a handle on the recent WMF/WMV exploit very quickly. Check out http://research.prevx.com/ and click on WMF/WMV Executable Code exploits in the chart.

    Hope this helps,

    ghiser1
    I have tried to provide some questions, ghiser1, that I think need to be asked from the point of view of privacy. I could pose other questions in an attempt to distinguish practically between Prevx1 and a good suite of ‘classical’ antivirus and anti-adware programs. It seems to me that much of the quality of a security system is in the signatures (i.e. the code fragments that identify known viruses) and in the heuristics (i.e. the rules that generically define suspicious behaviour). Here, there enters in the human factor: you’re only as good as your analysts who are working on getting the viruses identified and inventing the heuristics to find unknown viruses. I may be wrong, but I think that in this Prevx1 isn’t really much different from a classical AV. The advantage of Prevx1 would lie in its Intrusion Protection features: it will stop code from executing, whereas a classical AV would only flag or delete data sets. Of course, this is not to minimize the technical features of your centralized database. But with a classical AV, you get an anonymous set of signatures/heuristics and you communicate with the AV company only if you feel like it (and, sometimes, only if the AV company feels like it): there is no privacy issue. It seems to me that a potential user has to evaluate the potential privacy risks against the potential security advantages with Prevx1 in comparison with a classical AV which downloads updates once an hour say. Moreover, you can only automate so much. After that, it’s a matter of the analysts you have.

    Thanks very much.

    George75
     