A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #2028  by EP_X0FF
 Tue Aug 17, 2010 11:06 am
Yes, LUA is a good built-in defense :) With sandboxing and rollback software in proper hands, that's the best security setup.

I'm currently working on another attack vector against the newest Prevx. Especially for Daniel it will be named "TheEnd.exe"
 #2030  by Triple Helix
 Tue Aug 17, 2010 12:42 pm
EP_X0FF wrote:Yes, LUA is a good built-in defense :) With sandboxing and rollback software in proper hands, that's the best security setup.

I'm currently working on another attack vector against the newest Prevx. Especially for Daniel it will be named "TheEnd.exe"
Which Daniel, as my name is Daniel also :D

TH
 #2087  by EP_X0FF
 Thu Aug 19, 2010 6:09 pm
New UnPrevx (internally labeled as 1.1.189, version will be changed in release) successfully passed internal testing :) TheEnd.exe included. The technique can be easily used by any malware.

I would call it - total f.... of self-protection :) Still from user mode.

Additionally, I have some new ideas regarding bypassing, because I finished reconstruction of the pxrts driver :)

When will it be released? Well, it is difficult to say, because everything now depends on Prevx's release timing. Currently their release version is build 187. So the previously demonstrated UnPrevx 189 can be released to the public when build 189 of Prevx is labeled as "release" as well, and the UnPrevx TheEnd edition respectively after that.

So it is just a beginning :D
 #2751  by EP_X0FF
 Wed Sep 15, 2010 10:18 am
Daniel and co updated pxrts.sys and mentioned "improvement".

Actually, all they did was hook more stuff in the SSDT. And they did this in Prevx's usual manner - nobody cares about valid status codes or valid operations - everything is restricted lol.
Useless NtOpenSection/NtSystemDebugControl hooks were added. Kinda childish and absolutely useless move.

So it's time to test UnPrevx "TheEnd" edition :)
It is able to totally bypass all kinds of self-protection in Prevx 3.0.5.199. Still from user mode :) Everyone who is interested and not affiliated with Prevx, feel free to drop me a PM for a sample.
 #2762  by ssj100
 Thu Sep 16, 2010 6:36 am
Just tested it. This seems to be quite a concerning weakness in Prevx. After executing the POC, the system spontaneously restarts and Prevx fails to load. When I try to manually start Prevx, nothing happens.
 #3041  by EP_X0FF
 Thu Oct 14, 2010 2:27 pm
Fuzzer tool updated, Prevx 209 totally bypassed. Multi-vectored attack approach used, still pure user mode. No registry/byte hacks :)
This seems to be the final release, because I don't want to spend more time on such a mediocre product and fight with Prevx crutches.
This product simply needs refactoring and recoding (at least some parts of it).

Everyone who is interested and not affiliated with Prevx, feel free to drop me a PM for a sample.
 #3781  by EP_X0FF
 Tue Nov 30, 2010 5:58 pm
A few months later, no changes; the previously released TheEnd.exe edition kills any new build etc. Not really interesting, so here is a new "pain for the back side of the body" for this 90% PR-based antimalware.
Just in case somebody in Prevx said - "Pheeeww, we made it..." or Daniel's "The end of the end" - No you don't :D
Product still full of holes.

This is a demo of UnPrevx v1.1.220. This version bypasses all the hooking trash introduced in the 2xx builds and does some funny things with Prevx; it does not appreciate this and goes into a coma (all work of both processes is paralyzed and cannot be recovered without rebooting the operating system).

Contact me via PM if you want a sample and are not affiliated with the affected company.

P.S.
I know the guys like to detect stuff by filenames, so Prevxme.exe is UnPrevx's new name (note for adding to the db). All from user mode. A little debugging and this method will work everywhere on NT.
Attachments
no pass, no malware, this is Flash video