WhirledTurn
Trooper

 Joined: May 24, 2007 Posts: 27
Posted: Fri Jun 15, 2007 9:50 pm
My question really is twofold.
Does Prevx2 protect not only itself, but other processes from termination?
I read that OA has this capability, and I'd like to find a program that will protect others as well as itself.
Any Prevx2 users know?

ghiser1
Prevx Host Premium Member
Joined: Jan 07, 2005 Posts: 315 Location: UK
Posted: Fri Jun 15, 2007 10:35 pm
It has the potential to, with respect to its protection framework, but we haven't yet released the security setting to do it - but it is an area I'm actively progressing. Initially, it would be for expert mode only.
The setting is there today but it's in report-only mode.
Darren

WhirledTurn
Trooper
Joined: May 24, 2007 Posts: 27
Posted: Sat Jun 16, 2007 6:32 pm
So at this time Prevx2 can be turned off in Task Manager?
And Prevx2 does not protect other processes from termination?
Just trying to make sure I understand.

ghiser1
Prevx Host Premium Member
Joined: Jan 07, 2005 Posts: 315 Location: UK
Posted: Sun Jun 17, 2007 10:55 am
WhirledTurn wrote: "So at this time Prevx2 can be turned off in Task Manager?"
No, it protects itself from termination.
WhirledTurn wrote: "And Prevx2 does not protect other processes from termination?"
Correct, it does not prevent the termination, but it does take note of it and report the behaviour to the Prevx Community Watch Controller. If the process doing the termination is seen terminating certain types of applications, like AV products, but not normal programs - that is it's not a generic process termination tool, but a targeted attack against AV products - it is likely that it will be determined as Bad by the community watch controller.
Once this happens, attempts to run that process on any other system that has Prevx 2.0 installed will cause that execution attempt to be blocked.
So, in terms of traditional HIPS functionality, it doesn't prevent the termination of non-Prevx processes. However, in terms of CIPS (Community Intrusion Prevention System) functionality, it prevents the termination of non-Prevx processes by preventing the process that would terminate them from running in the first place.
This is the reason why we call Prevx a CIPS product not a HIPS product. Yes, in expert-mode it's a partial HIPS, but it's not designed as a true HIPS product. Sometimes, it is beneficial to the community to allow certain behaviours to proceed on a few systems in order to determine whether they are truly malicious; to protect the community as a whole.
It's critical to realize that you cannot provide Information Security without Security Information! Intelligence is key in any battle and in the battle against malware it is critical. Unfortunately, this means that the needs of the many (the Prevx community) outweigh the needs of the one (an individual agent) and in all battles sacrifices have to be made.
Of course, in the Prevx case, that sacrificed agent will be corrected and cleaned as soon as the malicious program is determined as Bad, so it's only a temporary sacrifice.
Compare this to traditional AV, where all users are sacrificed until a signature can be developed and distributed to them - and this can sometimes take weeks.
Hope that helps put things into perspective for you.
Regards,
Darren
Last edited by ghiser1 on Sun Jun 17, 2007 7:25 pm, edited 1 time in total |
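
The report-then-block flow described in the post above, sketched as an added example that is not part of the thread and is not Prevx's implementation. The product names, agent and terminator identifiers, verdict labels and the min_agents threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed list of security-product image names (constructed for this example).
SECURITY_PRODUCTS = {"avscan.exe", "fwguard.exe", "hipsmon.exe"}

# Constructed sample reports sent by agents: (agent, terminator id, terminated image).
REPORTS = [
    ("agent-1", "terminator-A", "avscan.exe"),
    ("agent-2", "terminator-A", "fwguard.exe"),
    ("agent-3", "terminator-A", "HipsMon.exe"),
    ("agent-1", "terminator-B", "avscan.exe"),   # generic kill tool:
    ("agent-1", "terminator-B", "notepad.exe"),  # also ends normal programs
    ("agent-2", "terminator-B", "calc.exe"),
    ("agent-4", "terminator-C", "notepad.exe"),
]

def classify(reports, min_agents=2):
    """Central verdict per terminating program, from agent reports.

    A program that only ever terminates security products is 'targeted'.
    It becomes 'bad' once enough distinct agents have reported it
    (min_agents is a hypothetical threshold); before that it is only
    watched, so the behaviour is observed on a few systems first.
    """
    stats = defaultdict(lambda: {"security": set(), "normal": set(), "agents": set()})
    for agent, terminator, target in reports:
        entry = stats[terminator]
        entry["agents"].add(agent)
        kind = "security" if target.lower() in SECURITY_PRODUCTS else "normal"
        entry[kind].add(target.lower())

    verdicts = {}
    for terminator, entry in stats.items():
        targeted = bool(entry["security"]) and not entry["normal"]
        if targeted and len(entry["agents"]) >= min_agents:
            verdicts[terminator] = "bad"
        elif targeted:
            verdicts[terminator] = "watch"
        else:
            verdicts[terminator] = "unclassified"
    return verdicts

def allow_execution(terminator, verdicts):
    """Agent-side check: block only programs the controller has marked bad."""
    return verdicts.get(terminator) != "bad"

if __name__ == "__main__":
    verdicts = classify(REPORTS)
    for name in sorted(verdicts):
        print(name, verdicts[name], "allowed" if allow_execution(name, verdicts) else "blocked")
```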

WhirledTurn
Trooper
Joined: May 24, 2007 Posts: 27
Posted: Sun Jun 17, 2007 2:33 pm
ghiser1 wrote: "Hope that helps put things into perspective for you."
Very enlightening. Thank you for the detailed explanation.

ErikAlbert Warnings : 3 Captain
Joined: Jan 20, 2005 Posts: 424
Posted: Tue Jun 26, 2007 1:40 pm
Interesting. I admit I have not been watching Prevx2 as much, due to various reasons.
I will update the table for Prevx2 soon.