What's the diff between SafeOnline vs Trusteer Rapport?

Discussion in 'Prevx Releases' started by Sceptre89, May 31, 2010.

Thread Status:
Not open for further replies.
  1. Sceptre89

    Sceptre89 Registered Member

    Joined:
    May 31, 2010
    Posts:
    2
  2. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Both aim to protect a browser session against keyboard and screen capture from an already infected machine, a kind of reverse sandbox. In terms of technical implementation, I don't know how they differ but initial testing carried out by MRG suggests that SafeOnline is the more effective of the two.

    Tested here: http://malwareresearchgroup.com/wp-...MRG-Online-Banking-Security-Test-Mar-2010.pdf

    And here: http://malwareresearchgroup.com/wp-content/uploads/2009/01/MRG-On-Demand-Scan-Test-april-2010.pdf
     
  3. 9501frank

    9501frank Registered Member

    Joined:
    May 31, 2010
    Posts:
    10
    I guess it's a question of who's doing the test, how, and why. I've been testing Prevx for a customer here in Germany for the past few days. While searching for additional information today I came across this thread and thought it's a good opportunity to share some of my findings.

    I've managed to find many security holes in Prevx and produced more than 20 different videos for my customer showing how Prevx fails some basic and some more advanced tests. I've loaded a couple of very simple examples here: http://www.youtube.com/watch?v=jWS0YPjYnxg and here: http://www.youtube.com/watch?v=snWX0SGay90. The more advanced examples I can't share as they involve my own code which my customer owns. But I would be happy to share additional freely available tools that bypass Prevx's protection if anyone is interested.

    I haven't tested Trusteer.

    This is my first post on this forum so apologies if I'm not following recommended guidelines. Thank you.
     
    Last edited by a moderator: May 31, 2010
  4. MaxEntropy

    MaxEntropy Registered Member

    Joined:
    May 21, 2009
    Posts:
    101
    Location:
    UK
    On my system (XP SP3), SafeOnline protects Firefox 3.6 and IE8 passwords against Asterisk Key, which just says "Searching for password edit boxes...No password edit boxes found. Searching open web pages for passwords...No passwords found in open web pages".

    I did find, however, that Asterisk Key can read passwords hidden by asterisks as they are entered for credential protection under SafeOnline's Advanced tab. It'd be nice if SafeOnline protected passwords in its own entry fields as well as it appears to protect them in the browser.
     
    Last edited by a moderator: May 31, 2010
  5. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Can you please share all the free tools? This is OK and I think Prevx Help is interested.
    I can't say anything about the video because I'm blind and it has no audio :)
     
  6. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    But I think real malware is more interesting.
    Take a banking trojan and test whether this trojan can steal your credentials.
     
  7. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  8. MaxEntropy

    MaxEntropy Registered Member

    Joined:
    May 21, 2009
    Posts:
    101
    Location:
    UK
    After testing some more webpages, I found that SafeOnline does not prevent Asterisk Key from reading passwords in IE8. This may be because Prevx trusts the program, so it doesn't block its behaviour. If that's so, then it doesn't constitute a weakness in SafeOnline's protection.
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is indeed the case - AsteriskKey is not considered malicious to Prevx, and there are a number of other similar programs which we intentionally allow to access the browser. If AsteriskKey's techniques were included in banking trojans, however, we would block them from reading browser data.

    9501frank - could you please try the newest version of SafeOnline from http://info.prevx.com/download.asp?grab=prevxcsibeta ? We have made improvements to SpyShelter blocking even if the user trusts the SpyShelter test tool so you should see that they are properly blocked now :)

    In terms of the differences between SafeOnline and Trusteer - they are quite wide reaching. Trusteer focuses on protecting single websites while SafeOnline protects all HTTPS websites and all data stored across all of the websites. Users can of course add additional protection for HTTP websites as well in SafeOnline but irrespective of their protection settings, SafeOnline will secure all stored credentials and all credentials being entered or transmitted from browsers.

    SafeOnline also leverages the antimalware components of Prevx 3.0 so that even if a threat is able to bypass SafeOnline's protection, it will then be blocked by Prevx 3.0 and can be fully removed if needed.

    We would generally prefer to not go into a more technical discussion about the differences under-the-hood between SafeOnline and Trusteer, but please let us know if you have any direct questions.
     
  10. 9501frank

    9501frank Registered Member

    Joined:
    May 31, 2010
    Posts:
    10
    Unfortunately, my testing shows that this is not the case. I have my own code that does exactly what AsteriskKey does and it successfully reads the password. I'll ask for the permission of my customer to release my tool. Also I find it strange that you say you intentionally allow it to access the browser. Your own malware database defines AsteriskKey as "Safety Rating: Uncertain", which makes no sense. I've also debugged your code and there is nothing there that can prevent the technique used by AsteriskKey from functioning. And even if you did allow it to function, this is one big security hole. I have a code sample that automates AsteriskKey and allows me to use AsteriskKey to grab the password and extract it from AsteriskKey. So any way you look at it, this is not good.

    I'll wait for this to get out of beta and for my own version of SafeOnline to get updated. Hopefully this will happen before I conclude my report. But I guess you do realize that there are other ways of taking screenshots that SafeOnline doesn't prevent... I found 3 and I only worked on this for less than one day.
     
  11. 9501frank

    9501frank Registered Member

    Joined:
    May 31, 2010
    Posts:
    10
    Prevx - can you share the list of tools you "whitelist"? I will then share the tools that I found to bypass SafeOnline and that are not on your list.
     
  12. 9501frank

    9501frank Registered Member

    Joined:
    May 31, 2010
    Posts:
    10
    I've news here as well. I'm working on a couple of videos and will release them soon.

    By the way - here is something you need to be aware of: Prevx overrides functions inside Internet Explorer - apparently to remove unknown malware. Unfortunately it also removes changes made by Antivirus software (I tested with McAfee, Symantec, and Kaspersky). By removing these changes Prevx disables some of the real-time protection of these antivirus products - protections that are there to prevent you from getting infected with malware. This is not good and you should be aware that if you use an antivirus with Prevx then your antivirus is not providing its full protection.
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Hi 9501frank,

    Thanks for your reply and welcome to Wilders. :)

    Will you also be testing Trusteer Rapport? The only tests I've seen so far are the ones carried out by MRG.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Last time I tested KeyScrambler, Rapport and SafeOnline, about a month ago, with Elite Key Logger:

    - Rapport failed
    - SafeOnline failed if Elite Key Logger was installed first
    - SafeOnline passed if Elite Key Logger was installed after SafeOnline
    - KeyScrambler passed

    Hope it might have been fixed by now.
     
  15. 9501frank

    9501frank Registered Member

    Joined:
    May 31, 2010
    Posts:
    10
    Probably - one of my customers is interested in this. I'm waiting for them to approve and prioritize this project. The current project was about Prevx and Avast.
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I haven't been able to reproduce any issues with Elite Antikeylogger at all so you should be safe to go :)
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I don't have this data as the Prevx database has information on literally billions of programs.

    We've found dozens of ways around every other security product's browser protection as well so this certainly isn't anything new. None of the products claim to be a silver bullet and obviously can never achieve perfection. If you would please contact us directly with these techniques, we can update our protection to handle them. The Prevx beta version will protect against all SpyShelter techniques and all public leaktests.

    We're looking closer at AsteriskKey but no browser protection product could possibly be perfect and SafeOnline leverages the Prevx 3.0 antimalware intelligence as well so a threat would have to bypass literally dozens of layers of security for it to steal user credentials.

    Might I add that debugging Prevx is illegal and completely against our copyright so if you wish to continue this discussion, we recommend continuing it privately where we can assist you directly and please cease to interact with any of the Prevx software in an illegal manner.
     
  18. 9501frank

    9501frank Registered Member

    Joined:
    May 31, 2010
    Posts:
    10
    You first said that: "there are a number of other similar programs which we intentionally allow to access the browser." Now it's billions? If your system deliberately allows programs to access the browser then I'm sure it's a small number of programs and not billions.


    Not sure what you're trying to say - that you are as bad or good as others? You're tested against your own claims and you claim "Protects immediately - even if your PC is infected". There is a big difference between perfection and something that can be bypassed in a day of work.

    I will cease, as requested. I'm sure the bad guys will too.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Among the billions of programs, it is hard to find exactly what you're specifically looking for. We've allowed many applications through as they are legitimate but I don't have a list of it just because of the vastness of software.


    Our internal testing and tests performed by numerous third party organizations (only some of the reports have been released publicly) have proven time and time again that SafeOnline provides wider and deeper protection over the other browser security solutions but it is still not perfect and we are comfortable admitting that because we've built it upon our other protection layers. If an infection comes out that bypasses SafeOnline's protection, we can immediately eradicate it with the Prevx 3.0 antimalware engine and contact any affected customers while we prepare a fix for SafeOnline's protection.


    You portrayed yourself as a tester previously, but you have yet to show any degree of interest in proper disclosure of issues or any willingness to work with us to improve our products. Based on the registration of your YouTube account and membership here, it looks as if you have some vendetta against Prevx, and one could suspect you are likely working for a competitor of ours looking to "expose" something about Prevx (possibly in retaliation for lost customers?).

    If not, we are more than willing to work with you in any way possible to investigate your research further. We have multiple third party firms which we hire on a continuing contracted basis to provide penetration testing of our software to ensure we're succeeding in blocking the newest threats and staying several steps ahead of the malware authors in browser security. Feel free to send me a PM if you'd like to discuss further.
     
    Last edited: Jun 1, 2010
  20. 9501frank

    9501frank Registered Member

    Joined:
    May 31, 2010
    Posts:
    10
    It's you that keeps bringing up your competitors, not I, as if people have no other option but to get a product from either one of you. I don't know your competition and I seriously don't care. I suggest you focus on learning and improving from the feedback given instead of being obsessed about your competitors.
     
  21. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    But...

    Apart from cyber criminals and security companies, who else hires someone to make malicious code for him to keep?
     
  22. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Ain't you funny? Or scared? Perhaps both. What do you think authors of malicious code are doing? That user should share the findings for others to know.
     
  23. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Thanks.
     
  24. 9501frank

    9501frank Registered Member

    Joined:
    May 31, 2010
    Posts:
    10
    It's a standard security testing procedure. Whenever you test a website or a product you provide the tools or the code to prove your claims. You can't provide a theoretical report with no actual proof. It's usually required by the customer for a few reasons: (1) they want to see that the attack you describe is "real"; (2) they want to estimate how easy or hard it is to execute the attack based on the time it took you to develop it (I usually classify both severity and complexity from 1 to 10 on each finding); (3) they want to have the ability to revisit the findings in the future and make sure they were fixed. When they have the tools or the code that does it, it's easier ;) Obviously it all depends on the customer and how much time and money they're willing to invest in the process. I have a customer, for example, that tests every single product they use internally and externally every six months. They use 3 different contractors for that and spend a lot of money on it. They also test their websites once a month. Other customers may test something only when they buy it and never test it again, which is really bad, as a lot changes over time both in the product and in the attacks.
     
  25. MaxEntropy

    MaxEntropy Registered Member

    Joined:
    May 21, 2009
    Posts:
    101
    Location:
    UK
    Prevx zaps tens of thousands of malware programs every day. Would malware using your code be treated any differently?

    Moreover, Immunity's test of Prevx's browser protection states that "PrevX's 'extrusion prevention' also hooks several APIs in order to prevent any stolen credentials from being sent back to a botnet's command and control machines."

    Can your code get round this? Or is it limited to a PC user being able to read his or her own passwords?
     