CastleCops, Internet Crime Fighters

PrevX v kernel level unhookers.

cutback
Lieutenant
Joined: Sep 28, 2004
Posts: 169

PostPosted: Thu Jul 26, 2007 2:44 pm    Post subject: PrevX v kernel level unhookers.

Lurking at wilders:
http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm

Interesting pages.
Have to say: disappointing results for PX, despite acknowledgment that the db picked up all the samples.

The db is not meant to be the sine qua non?
Good quick response from PX techies here:
http://www.wilderssecurity.com/showthread.php?p=1047243#post1047243
but again in a standardised comparison PX fares poorly (cf. AVComp).

Quote from Notok (my italics):

Quote:
Nope, it's an anti-malware program with behavioral analysis. It uses similar technology to behavior blockers, but uses them to monitor application behavior. Some limited blocking is available in Pro mode, but is considered a very last resort. ??!! If you wish to have additional protection you can set Prevx to query you to allow execution of programs unknown to the community database. Ultimately, however, we found behavior blocker programs to be entirely ineffective at protecting a system against malware. While it may look good in principle, it offers little in practice.

Several other behavioural blockers seemed to do quite well.

While I acknowledge that PX db knew all the badwares by name, isn't it generally recognised that sig based detection lags?

Speaking personally, I did not get a license for PX as a "scanner".

From PX home page sure looks like "behavioural" blocking is integrated and integral:
Quote:
# Malware virtualisation - Prevx 2.0 is the only product that can detect unique new malware by getting into the guts of a file and understanding what it's going to do before it does it.

# Seven signatures for spotting malicious code - rather than giving a single classification, Prevx 2.0 identifies the structure, code sequences and behaviors of a file in seven different ways to block unwanted files faster.

# Behavior blocking - Prevx 2.0 monitors each file that is allowed to run for up to 300 possible behaviors, to ensure you are protected at all times.

Regards.

ghiser1
Prevx Host
Premium Member
Joined: Jan 07, 2005
Posts: 315
Location: UK

PostPosted: Thu Jul 26, 2007 2:56 pm    Post subject: Re: PrevX v kernel level unhookers.

cutback wrote:
Lurking at wilders:
http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm

Hi cutback,

We've thanked Nicm for running these tests - they were very, very useful to us. We were a little surprised by the headline results, but have gotten to the bottom of much of it and look forward to future tests. A few things should be borne in mind when reviewing these test results.

First, a quote from his test results (bolding is mine):

"Prevx was used in 'Expert' mode, Behaviour for unknown programs set on 'query', 'Event Notification' enabled. Important note: ALL samples used for these tests were known from Prevx database, and were jailed automatically when folder containing these files was copied to the computer. In order to test the behaviour of Prevx in front of such unhookers, these files were set 'on probation'. Thus, their initial execution was allowed (nb: tests were done a 2nd time, after jail was cleaned, samples copied again to the computer, and without network connection, to prevent access to the Central database, to make sure results were convincing)."

It's important to consider this in context when analyzing Prevx 2's performance. First, all the samples were known to be Bad by Prevx and they were flagged as such when copied to the test system - so on a normal user's PC none of these samples would have been allowed to run. In order to run the test, Nicm placed all the samples "On Probation". That tells Prevx 2 to allow it to do whatever it wants and just monitor it. Now, we were surprised that Nicm wasn't queried when the rootkit drivers were loaded. It turns out that one of our protection settings was set to report rather than query - allowing the driver to load before being checked against the CWC. This is now fixed (as you will see from the thread on Wilders about these tests) - update your Prevx 2 to benefit from this change; it isn't a software update - just a settings update.

The other interesting point being that the tests were run a second time without an Internet connection - that is, testing Prevx 2 as a HIPS rather than as a CIPS.

As a consequence, we are in the process of reviewing every security setting to see if we can sensibly place ALL security settings into query mode when in expert-mode. We will activate as many as we can whilst avoiding pop-up hell - but if you're in expert-mode you should expect it :)

Darren

guest
Guest

PostPosted: Thu Jul 26, 2007 3:14 pm    Post subject:

Hi Darren,
I had already seen those results yesterday and found them very interesting. One query though. Would Prevx2 still have stopped those samples in the tests if tested in ABC mode? I had always assumed that Pro and Expert simply gave the user more control (and more pop ups!) and that ABC simply did the job automatically. Is that correct?
Ian

ghiser1
Prevx Host
Premium Member
Joined: Jan 07, 2005
Posts: 315
Location: UK

PostPosted: Thu Jul 26, 2007 3:31 pm    Post subject:

guest wrote:
Hi Darren,
I had already seen those results yesterday and found them very interesting. One query though. Would Prevx2 still have stopped those samples in the tests if tested in ABC mode? I had always assumed that Pro and Expert simply gave the user more control (and more pop ups!) and that ABC simply did the job automatically. Is that correct?
Ian

That's correct, they would have been stopped by Prevx2 ABC mode as all the samples were known to be Bad in the Prevx database. Expert-mode is basically a "user answers the questions" mode. In these tests, Nicm deliberately bypassed the automatic response of Prevx2 to test it as a HIPS.

ErikAlbert
Captain
Joined: Jan 20, 2005
Posts: 424

PostPosted: Tue Jul 31, 2007 8:20 am    Post subject:

In other words, Prevx is more like an antivirus really. But one that uses a very different semi-automated method to identify nasties and create signatures. Unlike other HIPS, Prevx gets stronger the more people use it, and the more programs the system gets to see. The blacklist they keep is really the core of the system.

From what I have observed, if you are the first one to get hit by something new (cos you chose to run something unknown), chances are Prevx might be too late to save you* (unless you run in Expert mode and respond correctly... and even then maybe not), but once that occurred Prevx is quick to figure it out and the next guy to be hit by it should in theory (I say in theory because I notice updates can be 1-2 days lag time) be protected.

* Haven't really tested how good the cleanup options are.

Still, I have no doubt I explained it wrongly. I have noticed that whenever someone tries to set out what he thinks Prevx is and how it works, he will inevitably be told he is wrong.

Biscuity
Lieutenant
Joined: May 05, 2007
Posts: 227
Location: Isle of Man

PostPosted: Tue Jul 31, 2007 12:32 pm    Post subject:

ErikAlbert wrote:
(I say in theory because I notice updates can be 1-2 days lag time) be protected.

I think in that example the relevant update would be on the Prevx server database, so the clients updating would not be necessary in your example.

ErikAlbert
Captain
Joined: Jan 20, 2005
Posts: 424

PostPosted: Tue Jul 31, 2007 2:15 pm    Post subject:

Biscuity wrote:
ErikAlbert wrote:
(I say in theory because I notice updates can be 1-2 days lag time) be protected.

I think in that example the relevant update would be on the Prevx server database, so the clients updating would not be necessary in your example.

I have no idea how this server update works (I've read some long-winded details but I could never get it straight), but I do know that I have confirmation by Prevx support that a sample I uploaded is bad. But on another computer it still doesn't recognise it as bad...

It took about 1-2 days after that before that changed. I don't think that is a unique observation.

simmikie
Lieutenant
Joined: Nov 01, 2006
Posts: 192
Location: USA

PostPosted: Tue Jul 31, 2007 10:25 pm    Post subject:

hey eric. if Prevx was only a white-list/black-list diddy, then my guess would be that for Prevx2 to work someone would always have to "fall on the sword", but because of the 7 signatures and the behavioural comparison to 300 known malicious behaviours, and the sandbox which previews unknown files for malicious code/objects and compares them to 100 million objects in the Prevx2 database (whatever the hell those are), they are alleged to all work together to spot malware faster. it may be good to remember Prevx2 actually resides on Prevx's servers and we only get to lease the 'agent'. all of the heavy lifting is done through the 'super-computer' known to us as Prevx.

and therein lies my particular ongoing beef with Prevx. there appears to be no way for us the end user to test or have tested the veracity of Prevx claims. for me the software and concept are compelling enough to keep me on board as a user and now a beta-tester (i think). but man i would really like to be sure that she's really a girl (errr Mikespeak for, i would like to be sure it is what it claims to be).

Mike

Pulsar_55
Trooper
Premium Member
Joined: Apr 10, 2006
Posts: 17
Location: USA

PostPosted: Wed Aug 01, 2007 12:46 am    Post subject:

Ditto what simmike said. The Prevx2 users are requesting proof of what you say you can do! I know it's only a small minority, but in all good conscience, I cannot recommend this product based on Prevx2 theory of operation. We need evidence!
Allen

ErikAlbert
Captain
Joined: Jan 20, 2005
Posts: 424

PostPosted: Wed Aug 01, 2007 8:44 pm    Post subject:

simmikie wrote:
hey eric. if Prevx was only a white-list/black-list diddy, then my guess would be that for Prevx2 to work then someone would always have to "fall on the sword",

I didn't say "only". The "great" thing about Prevx, as I said, is that no matter how much you think you understand how it is supposed to work, you don't, cos it supposedly has tons of other technology. :) My observations (use and watching responses from staff) are that yes, its main strength is the white-list/blacklist, but according to them the magic is how it acquires the signatures...

That is why it just got killed in NicM's test when that was turned off.

And yes, I suspect that most of the time someone indeed has to fall on the sword; then you have to rely on how good their cleanup process is.

Quote:
but because of the 7 signatures and the behavioural comparison to 300 known malicious behaviours, and the sandbox which previews unknown files for malicious code/objects

About the sandbox....

I can easily rule out the sandboxing component being a big part because it was not included in Prevx1, so unless you are saying Prevx1 is way weaker, I would say this new sandboxing thing is not a very major part.

In any case it strikes me as being nothing special (no doubt Prevx will claim I'm wrong) compared to similar 'sandbox heuristics' used by various AVs which try to determine if some sample is malicious by emulation or similar before it is actually run.

300 known malicious behaviors is impressive, but malware needs only show one and most of the time you can't tell whether it is legitimate or not... :D

Quote:
and comparing it to 100 million objects in Prevx2 database (whatever the hell those are) are alleged to all work together to spot malware faster. it may be good to remember Prevx2 actually resides on Prevx's servers and we only get to lease the 'agent'. all of the heavy lifting is done through the 'super-computer' known to us as Prevx.

All theory. In practice I do not see Prevx doing better (the few tests I have seen do not indicate they are better than conventional AVs in fact; I'm thinking particularly of the AV-Comparatives one on Prevx1).

To be honest, what little experience I have with running unknown malware is that Prevx does not realize it is malware until it is too late, and sometimes not even then.

My own feeling is that no matter how good the system is, Prevx has to let the malware do its stuff (or maybe try to) BEFORE it can figure out it is bad (and that is assuming they really have a very, very smart system, and that would be an amazing feat), so in a sense someone indeed does have to fall on the sword first.

For example, I have this unknown installer try to install a driver; I can't see how Prevx's super system can figure out if it is malicious or not, unless it is some kind of Turing oracle. Maybe it might guess correctly based on other clues, but I don't see it being able to figure it out even with god-like powers, until the malware has revealed itself...

Quote:
and therein lies my particular ongoing beef with Prevx. there appears to be no way for us the end user to test or have tested the veracity of Prevx claims. for me the software and concept are compelling enough to keep me on board as a user and now a beta-tester (i think).

Ah, a beta-tester... Shouldn't you be more supportive or something?

simmikie
Lieutenant
Joined: Nov 01, 2006
Posts: 192
Location: USA

PostPosted: Thu Aug 02, 2007 2:04 am    Post subject:

ah i should call it as i see it. and exactly what point are you laboring to make?


Mike

ErikAlbert
Captain
Joined: Jan 20, 2005
Posts: 424

PostPosted: Thu Aug 02, 2007 3:27 am    Post subject:

simmikie wrote:
ah i should call it as i see it. and exactly what point are you laboring to make?

Mike

That my opinion is correct. Isn't that the point of 99% of posts on forums?

simmikie
Lieutenant
Joined: Nov 01, 2006
Posts: 192
Location: USA

PostPosted: Sat Aug 04, 2007 10:19 pm    Post subject:

ErikAlbert wrote:
simmikie wrote:
ah i should call it as i see it. and exactly what point are you laboring to make?

Mike

That my opinion is correct. Isn't that the point of 99% of posts on forums?

yep... exactly.

simmikie

Powered by phpBB © 2001 phpBB Group