Which would you choose.

Discussion in 'other anti-malware software' started by trjam, Oct 27, 2006.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    If you had to decide between an antispyware like SS, CS, or AVG AS, would you go that route or choose something like Prevx1? You can only have one or the other.
     
  2. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Prevx1. What it adds to your system in protection outweighs what the others give you. Sure, the others give some benefits that Prevx doesn't, but there are plenty more benefits that Prevx gives you that the others don't. Examples of what it monitors: application control, DLL injection, outbound connection, registry modification, buffer overflow code injection.


    Here's a list.
    Viruses
    Trojans
    Worms
    Adware
    Spyware
    Key Loggers
    Root Kits
    Buffer Overflow code injection
    File System Usage
    Registry Modification
    Dll Injection
    Open Processes
    Open Code Sections
    Named Objects
    Process creation/termination
    Devices
    TDI Network Events
    Malicious Web Site Detection
    Malicious Web Content
    Unique/dynamic Signature Technology
    Program Black/White execution control
    Time delayed malware

    I don't think that any of the others can match that wide a protection spectrum.

    muf
     
  3. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    I am not sure that SS, CS, and AVG AS are in the same category as Prevx1 and other HIPS programs. Many of the HIPS programs will cover a broader range of PC activity than the "run of the mill" antispyware program. Antispyware is intended to block certain types of malware that you may come across by using predefined methods of inspection, but will not monitor your system when you do something like install a new program (unless you introduce malware through that installation). HIPS is more "noisy" and will alert you if any suspicious activity is detected.

    But to go back to your question, I currently don't use any HIPS software nor even any resident antispyware program at this time. I am still looking over the options, but at this point I would be probably in the extreme minority and say "neither". :ninja:
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Right now I love Prevx1 and Greenborder, but bet they won't like each other.

    Of course Nod is a steady staple.
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065

    Both are great apps.

    My dad could be in a good mood tomorrow; he likes decorating and he is gonna decorate tomorrow.
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I've been seeing a lot of comparisons between Prevx1 and HIPS lately, and feel it's appropriate to add some clarity to the subject as misunderstanding is beginning to spawn a lot of different kinds of questions, and even criticisms. I apologize in advance for the long explanation, but hope it will give a clearer picture of where Prevx1 stands as a security application, and if you would want to use it as a layer (and which layer) or not.

    The old Prevx Home and Pro were pure behavior blockers, but that version was completely scrapped and Prevx1 was re-written from the "ground up" to move away from the HIPS model. (The fact that it was completely re-written is something that I can't stress enough for those that might judge Prevx1 based on previous reviews of Prevx Home/Pro; they are completely different products, with completely new code, and an entirely different approach to protection, which has shown different results.) Of course it could be argued that it still is a HIPS by the most strict definition of the term, but really only in as much as an antivirus, antispyware, and firewall are HIPS by strict definition, so I'm speaking of generic behavior blockers instead.

    Although Prevx1 uses some familiar technologies to do its work, the end result of what it actually does to protect a system from infection is a new approach. To think of Prevx1 as a "HIPS" is to kind of miss the point, which only leads to confusion. The behavior blocking that it does is no more the focus of the app than the "Shields" are in SpySweeper or other similar anti-malware applications.

    Prevx1's primary feature is the community database with live reporting, live lookups, and most importantly automated malware analysis (automating the kind of work that malware researchers/analysts from anti-virus/spyware vendors do). Everyone here is aware of the "Zero Day" problem, and the tactics the malware writers use to otherwise overwhelm or bypass antivirus products, that leads people to finding supplemental and/or alternative solutions. This problem lies in the fact that analysts have to hunt down the file (or have it sent in by a user), prioritize its importance, reverse engineer it, create a signature, pack the signature up into an update with many other signatures, test the update for quality assurance (to reduce FPs and such), put the update on the server, and then wait for you to download the update.

    The premise behind Prevx1 is to provide a solution to this problem by capturing and reporting the behavior of the original malware file to the community database as it happens, where the analysis information can be reviewed in realtime and/or retrospectively, along with the automated analysis through the heuristic rules (where the heuristics fail, the analysis information is presented to an actual person to be reviewed). Since the database is central, and Prevx1 looks up whether it's good or bad from the central database as needed, every Prevx1 agent has access to that new information as soon as it's there. The premise is to eliminate the steps of gathering the file, manually analyzing it, creating an update, and deploying the update, by automating it. This leaves the analysts with 2 steps: review the analysis information, and mark the file good or bad (or occasionally caution). The idea is to see each and every file that the community encounters, and add detection very early on, detecting both good and bad to help eliminate doubt. If something is unknown, then you at least know you are on your own and can make a decision according to your own comfort level, and if your comfort level is high enough then you can use the available tools for your own private analysis.

    To give a specific example: There was a press release earlier this year about a (rather low-profile) rootkit called Rootkit.Hearse. The report was published sometime around March 20th 2006, stating that this rootkit was first seen on the 15th and was being tracked and researched since. Upon seeing this press release, I looked in the database and found that the community database recorded the first instance of this rootkit on the 11th, and generic detection was added within hours of it first being seen. The community database could also show where it came from, how it was spreading, where it was spreading, and how it works. It wasn't behavior blocking that protected the community, it was the automated malware analysis that was reported live, as it happened. Only one person needed to see it (although I don't know what the exact number was in this case, since I wasn't the one that originally caught it), and they didn't necessarily even need to allow it to run. That is what Prevx1 was made to do, not just allow you to block behaviors here and there.

    Prevx1 is ultimately an anti-malware, it just works a little differently. Instead of downloading a database to identify specific files, Prevx1 identifies every program file that runs. It looks at the file inside and out. Far from a simple hash of the executable, it actually looks through the whole file to try to get a "genetic fingerprint" of the file, so that it can identify malware of the same family, even if the file is polymorphic or you have encountered a brand new variant. After that it watches its behavior externally, rather than disassembling the file. Since it does have an actual memory scanner, it can also identify malware DLLs, and such, that are loaded into legitimate processes, which means that unlike a "HIPS" it won't just let explorer.exe access physical memory since explorer.exe is good; instead it analyzes the behavior of this new DLL, or blocks it if it's known to be bad. Prevx1 is not focused on setting a trap and stopping anything that trips it, it is instead analyzing executable files and their individual components, and more importantly what they all are and how they are interacting.

    Long story short, it's not blocking behaviors or shielding system resources/components, it's analyzing the "behind the scenes action", looking to classify what is good, what is bad, and what needs further information. This is rather different than a "dumb" blocker (I mean "dumb" in the technical sense) as the program is doing the kind of analysis that any anti-malware scanner does, it's just that the resources are appropriated and placed quite differently. I think we can probably all agree that where anti-malware scanners are file based solutions, HIPS are based on behaviors. Prevx1 is focused on files first and foremost. It monitors and analyzes the file's behavior to determine how the file should be treated. If a comparison is needed, then I would say to take a look at Norman's Sandbox Analyzer, as the program is of vaguely similar principle (with a different implementation) - monitoring behavior to decide how the file should be treated.

    Prevx1 does indeed provide some behavior blocking for users that want that extra layer, although it focuses entirely on files that have not yet been marked explicitly as safe or dangerous and serves a more informational role. I mentioned elsewhere, and believe it to be the most important point on the subject, that I have never actually heard of anyone ever using the behavior blocking to contain unknown malware (emphasis on "contain", because if it's already run then it's already done damage; no behavior blocking will stop the infection entirely, you can only hope to reduce a portion of the damage). Either it was blocked automatically or blocked from running by the user, but if they consciously allowed it to run then they continue to allow it to do what it needs to do. What it has done, however, is to help contain malware when installed on an already infected system, which is usually done automatically. This does things like stop a bot trojan from communicating with the internet, for example, which helps to make the removal process much easier, negating the need to do things like drop offline or reboot into safe mode (of course a real memory scan helps this as well, since it doesn't just try to delete the file but actually retraces the malware's steps to undo what the malware has done, even in cases where it's injected a DLL or similar).

    For those that want to know what's going on behind the scenes and/or use security tools to learn about how software works, Prevx1's approach is to give you all the information, through the Event Notification and/or Program Monitor, without blocking (and therefore potentially breaking) anything. You can then change modes if something requires attention and you know what you're doing. The idea behind this is to give you a more complete picture before taking action, while anything critical is stopped before it happens, bringing the necessary skill level down from malware expert to system administrator, or at least giving IDS type information to the enthusiast (which is normally only accessible to network administrators, unless you're a real enthusiast lucky enough to have a decent network).

    So yes, there are similarities, and the technology it uses is similar to what you see in a behavior blocker, but ultimately Prevx1 is not a behavior blocker any more than anti-spyware programs are behavior blockers (and it prompts less than an AS anyway). After all, nearly all software uses technologies similar to other kinds of software. While these kinds of features are there for those that wish to use them, the practical application for those features is more for dealing with an already infected system than really containing malware if you happen to allow it... because let's face it: if you see that prompt that says "hey, we haven't seen this before, you should be careful. Do you really want to allow it to run?" then you're either going to explicitly allow it or not, and not likely to change your mind when it does what it's designed to do. Like I say, I have not once heard any reports of people stopping malware half way through the infection process. Either it was stopped from the start, or it was cleaned up later. I'm sure it's happened, but it's far more the exception than the rule.

    To sum up where it stands among the plethora of available security software available, Prevx1 can provide an alternative for those that like behavior blockers (providing equal, or arguably better, protection of the same sort), but that is far from being the primary focus of the overall solution it is meant to provide. A behavior blocker, even with a whitelist and blacklist, just isn't suited to be an all-in-one security solution as Prevx1 is made to be, and behavior blockers also don't do [real] memory scans, disk scans, malware removal on previously infected systems, and identify specific malware by name (save for those that include an antivirus in addition). Most importantly, behavior blockers do not, themselves, analyze program files and pass on information to a full-time team of malware researchers, as behavior blockers are not concerned with individual files. For files that Prevx has not had a chance to analyze, you may have the opportunity to control the situation yourself, but then the reality is that those kinds of prompts are few and far between as the community database grows ever more mature.

    For further reading on the same subject you can see THIS POST for some background, and THIS THREAD for more on how it works. Also feel free to PM me or drop by our official forums at CastleCops with any questions.
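    As an added illustration of the lookup model Notok describes above (exact hash first, then a family-level fingerprint match, then a behavior report that feeds back into the shared database so every agent benefits), here is a constructed Python simulation. It is not Prevx code and not from the original thread: the chunk-hash fingerprint, the Jaccard threshold, the two behavior rules and the sample "files" are all assumptions standing in for the product's real logic.

```python
import hashlib

CHUNK_SIZE = 16  # constructed: tiny chunk so the sample files below stay small


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def chunk_fingerprint(data: bytes) -> frozenset:
    """Piecewise hashes over fixed-size chunks. Assumption: a simplified
    stand-in for the 'genetic fingerprint' the post mentions, so that a
    variant sharing most of its code still matches the known family."""
    return frozenset(sha256_hex(data[i:i + CHUNK_SIZE])[:16]
                     for i in range(0, len(data), CHUNK_SIZE))


def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity between two chunk sets (1.0 = identical)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


# Assumed automated-analysis rules: a combination of observed event kinds
# that together is judged malicious without waiting for a human reviewer.
BEHAVIOR_RULES = [
    ({"dll_injection", "outbound_connection"}, "injects code then phones home"),
    ({"registry_modification", "process_termination"}, "sets persistence and kills a process"),
]


def analyze_behavior(events: list) -> tuple:
    """Returns ('bad', reason) when a rule fires, else ('unknown', '')."""
    seen = set(events)
    for required, reason in BEHAVIOR_RULES:
        if required <= seen:
            return "bad", reason
    return "unknown", ""


class CommunityDatabase:
    """Central store every agent consults; verdicts are keyed by full hash."""

    def __init__(self, family_threshold: float = 0.6):
        self.verdicts = {}      # sha256 -> "good" | "bad"
        self.fingerprints = {}  # sha256 -> chunk fingerprint
        self.pending = {}       # sha256 -> reported events awaiting human review
        self.family_threshold = family_threshold

    def record(self, data: bytes, verdict: str) -> None:
        h = sha256_hex(data)
        self.verdicts[h] = verdict
        self.fingerprints[h] = chunk_fingerprint(data)
        self.pending.pop(h, None)

    def lookup(self, data: bytes) -> tuple:
        """Exact hash first, then nearest known family, else unknown."""
        h = sha256_hex(data)
        if h in self.verdicts:
            return self.verdicts[h], "exact"
        fp = chunk_fingerprint(data)
        best_score, best_hash = 0.0, None
        for known, known_fp in self.fingerprints.items():
            score = similarity(fp, known_fp)
            if score > best_score:
                best_score, best_hash = score, known
        if best_hash is not None and best_score >= self.family_threshold:
            return self.verdicts[best_hash], "family"
        return "unknown", "none"

    def report(self, data: bytes, events: list) -> str:
        """An agent reports what an unknown file did; automated rules decide
        immediately, otherwise the record waits for a human reviewer."""
        verdict, _ = analyze_behavior(events)
        if verdict == "bad":
            self.record(data, "bad")
        else:
            self.pending[sha256_hex(data)] = events
        return verdict


def agent_check(db: CommunityDatabase, data: bytes, events=None) -> tuple:
    """What one agent does for a file: look it up; if unknown and behavior
    has been observed, report it so the whole community gets the verdict."""
    verdict, how = db.lookup(data)
    if verdict == "unknown" and events is not None:
        verdict = db.report(data, events)
        how = "behavior" if verdict != "unknown" else "none"
    return verdict, how


# Constructed sample "program files" (plain byte patterns, not real malware).
ORIGINAL = b"".join(bytes([i]) * CHUNK_SIZE for i in range(8))
VARIANT = ORIGINAL[:-CHUNK_SIZE] + bytes([99]) * CHUNK_SIZE   # one chunk differs
NOVEL = b"".join(bytes([i]) * CHUNK_SIZE for i in range(50, 58))  # shares nothing


def run_scenario() -> tuple:
    db = CommunityDatabase()
    db.record(ORIGINAL, "bad")                 # researcher already marked this family
    first = agent_check(db, VARIANT)           # new variant: caught by family match
    second = agent_check(db, NOVEL)            # never seen, no behavior yet
    third = agent_check(db, NOVEL, ["dll_injection", "outbound_connection"])
    fourth = agent_check(db, NOVEL)            # a second agent now gets an exact verdict
    return first, second, third, fourth


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

    The scenario is the point of the post in miniature: the variant is stopped by similarity to a known family even though its exact hash is new, the novel file is honestly "unknown" until one agent reports its behavior, and after that every later lookup gets an exact verdict without any signature update being shipped.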
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Seen it both ways. We had a report of one person that couldn't get them to work together, but when I tried it out they worked just fine side by side. I'd say give it a try, but do prepare for the worst, just in case (always should be anyway :) )
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA

    Thank you my friend. The key is installing Greenborder first. It will not even allow itself to install with Prevx and says those exact words. Billy! But installing it first, then Prevx, not one problem. And now with Nod, I have pure green as my system icons in the tray. Not a bad combo. Take care notok.
     
  9. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Thanks for the clarification. I was referring to the older program, Prevx Home, which I have read more about than the newer Prevx1. I also know that each program has its own unique features and they don't compare exactly with each other or with any strict software definition.
     
  10. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Notok,
    Thanks for that educational post regarding Prevx1.
    I wasn't aware of the changes to the newer version of this program.
    Prevx does look very interesting and well worth a look.
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Notok:

    Your post on Prevx1 was excellent.

    3 questions I hope are not too "dumb" to answer.:oops:

    1) I have ZA Pro which looks at programs wanting to run and "challenges" them and uses a database to advise the user to block or not. Once accepted they remain accepted. It also watches OS components for "suspicious" behavior.
    How is that different from Prevx1?

    2) I have BitDefender 9 which scans files loading and uses heuristics against them as well as its database updated almost hourly.
    Again then how is that different than Prevx1?

    3) Same thing for my SS 5.2 with shields and its signatures.



    Overall thought I got from your post is MAYBE I COULD SCRAP ALL 3 and replace them with Prevx1? Or just add Prevx1 to the mix? AND forget a HIPS.

    Please be as blunt as you like in replying, it's easier to get to the bottom of matters that way!
     
  12. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Good deal, do let me/us know if you run into anything. We're in communication with GB, but we just can't reproduce the problem.

    Thanks ccsito and Tester :)

    Escalader: The main thing is the online database. If you happen to be the unlucky first to be hit with a new piece of malware, Prevx1 would send analysis information for that file to the Community database, first for automated analysis then for review by a live researcher. It's possible that the researcher will see it right after it hits, and detection can be added within minutes (if you happened to allow it, then Prevx1 will kill it and remove it as soon as it sees the file has been determined, and it does check up on unknowns periodically until they are determined either good or bad). Sometimes the reality really is just minutes, but the average is within the first day, which is often days or weeks before other vendors even know it exists. Like I say, the main difference is that it cuts out a lot of the steps that cause the Zero Day problem. As far as the behavior blocking that is there, if you do turn it on then it will be limited to just files that have not been specifically marked good or bad. That means you'll never be asked about stuff that everyone knows is good, and it will actually analyze even minute behaviors, rather than blanketly blocking broad behaviors for all files.

    Hope that helps to clear it up. Unfortunately I've fallen very ill.. if you have any further questions, please feel free to PM me and I will answer you as soon as I can :) (PM'ing me will make sure that I can keep track of the questions, so if I don't get a chance before I'm better then you'll be sure to get a response as soon as I am)
     