A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #2440  by Triple Helix
 Sat Aug 28, 2010 12:14 pm
ssj100 wrote: By the way, the latest Prevx fails pretty badly here:
http://www.youtube.com/watch?v=zx7vlH1FJ2A

Just goes to show that it's "just another antivirus" (with an extremely clever marketing team).
I'm sorry, but the testing methods were flawed right from the start. He rushed it and didn't follow the instructions that the Prevx client was trying to tell him to do, and also no AV will detect 100%.

TH
 #2442  by ssj100
 Sat Aug 28, 2010 12:26 pm
Triple Helix wrote: ...and also no AV will detect 100%
Completely agree with that, and Prevx is no exception. In my opinion, because of the clever marketing, there has been an air of superiority of Prevx over other decent Antivirus products like Avira, Avast, MSE etc (note that these have completely free, decently functional versions). Ultimately, Prevx is just another black-listing program that will never do well against zero-hour/zero-day malware (unless they implement a HIPS or anti-executable component - BluePoint Security is a great example). The video clearly demonstrates that Prevx is no exception - it will continue to miss a large proportion of zero-hour/zero-day malware.

I often find it difficult to get straight and clear answers from the Prevx team when it comes to discussing flaws and anything that might produce a negative image of their product. One example is here:
http://www.prevx.com/blog/152/Isolated- ... ility.html
Notice how I asked in the comments section: "So what you're saying is that Prevx could block all variants of this malware (heuristically) from day zero?"
As I expected, this question was ignored.

As for your comments on the testing method - all methods are flawed to some extent when it comes to testing Antivirus products.
 #2816  by CloneRanger
 Tue Sep 21, 2010 12:07 am
New Prevx POC tested

After a small delay in getting the new POC ;) I got it and tested it against Prevx v.199.

To save time, and to avoid repeating what I have already put together, here's my result for this latest POC.

Thanks for the POC

*********

EDIT

As you can see, the link is no longer here. That's because I've removed the screenies showing the test, so there's not much to see now! What I can say though, is that just like the previous ones, the latest POC didn't work on my comp; why, I don't know.
 #2847  by ssj100
 Thu Sep 23, 2010 8:46 am
Did you test it with Shadow Defender enabled?

Prevx seriously need to cut out the marketing propaganda and focus on developing some form of HIPS function. EP_X0FF is taking them apart. The same goes for any software out there which doesn't have some sort of HIPS function. The days of relying on black-listing/behaviour-blocking/heuristics are over.

Vendors like Comodo (with their Defense+ HIPS component) and BluePoint (with their cloud anti-execution component) are on the right track. BluePoint Security is definitely one of the most under-rated pieces of security software out there.
 #2859  by CloneRanger
 Fri Sep 24, 2010 11:45 am
Originally Posted by ssj100

Did you test it with Shadow Defender enabled?
No, of course not, otherwise the reboot file activation etc. wouldn't have worked :P

*

I updated my Wilders thread with some more info, for those that don't already know.
 #2866  by ssj100
 Fri Sep 24, 2010 11:13 pm
I heard Prevx are fixing this. Obviously, they were able to reproduce it like me. What's galling is that there are probably numerous other (similar) methods to "bypass" Prevx. Keep in mind that EP_X0FF is not being paid to write malware code (at least I don't think so haha) for malicious purposes. I completely agree with him that Prevx needs to incorporate a HIPS or anti-execution (default-deny) function if they want to stop playing cat and mouse!
 #2924  by STRELiTZIA
 Sun Oct 03, 2010 5:27 pm
Hi,
[Prevx Freezer] Prevx has released v3.05.206; the old version was affected.

Concept:
This application tries to create the file "%AppData%\PrevxCSI\csidb.csi" (if it does not already exist)
and changes the file attributes to READ ONLY.

Result: ACCESS DENIED when Prevx tries to handle the "csidb.csi" file.

Tested successfully on: Windows (XP, Vista and Seven), x86 and x64 platforms.

IMPORTANT: Vulnerability published only for educational purposes.


Tests:
1- If Prevx is already installed, install the Exploit and reboot your PC.
2- If Prevx is not installed, install the Exploit and try to install Prevx.

Application attached.

Status: Vendor notified.

Regards.
 #2925  by CloneRanger
 Sun Oct 03, 2010 6:11 pm
@ STRELiTZIA

Hi, just seen your post on Wilders. I'm about to test this and will post my results.

Wouldn't this type of "exploit" work on many other apps, security and otherwise?
 #2947  by nullptr
 Wed Oct 06, 2010 4:59 pm
Amusing replies to this POC at Wilders.
On one hand there's:
"Thank you for the information. We will have this fixed in the next release."
and then:
"Why not 'uninstall Prevx from Add-Remove Programs'? That would be more straightforward."
"Exactly. This is just the same as the previous PoCs - useless, as we offer our own uninstall routine."
LOL, so why do they fix these 'useless' issues?