A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #1820  by ssj100
 Fri Aug 06, 2010 5:31 am
Well I'm sure the Prevx developers (and spies haha) will take into account your comments here. I don't use Prevx (nor do I ever intend to), but I'm always on the look-out for any interesting bypasses, particularly those that I can test.

Thanks for your work (trust me, no one else will thank you, even though you probably deserve it), and I look forward to seeing more of it. Cheers.

EDIT: I'm actually surprised Prevx has not "thanked" or "acknowledged" you or your work in any way...or have they done it privately? The FACT that they specifically released version 187 in response to your POC implies that they "cared" enough about the bypass. Right?

moderator:
This thread was created from Breaking Prevx 3 self-protection and contains non-technical discussion about antivirus self-protection.
Last edited by EP_X0FF on Thu Aug 12, 2010 7:23 am, edited 2 times in total. Reason: thread info added
 #1821  by EP_X0FF
 Fri Aug 06, 2010 5:51 am
They always cared about self-protection bypasses. No matter what company it is or what they say in public. Of course on official forums and maybe blogs they will say "no problem" and "who needs AV termination" and other kinds of 'see no evil'. It is a typical marketing lie. There is a lot of malware that successfully terminates AV while it works. So having strong enough, armored self-protection is a required option for any modern AV product. As for "thanks" etc., I don't care :) Prevx self-protection is weak and requires a lot of work to fix numerous termination possibilities.
 #1825  by ssj100
 Fri Aug 06, 2010 11:27 am
EP_X0FF wrote:They always cared about self-protection bypasses. No matter what company it is or what they say in public. Of course on official forums and maybe blogs they will say "no problem" and "who needs AV termination" and other kinds of 'see no evil'. It is a typical marketing lie. There is a lot of malware that successfully terminates AV while it works. So having strong enough, armored self-protection is a required option for any modern AV product. As for "thanks" etc., I don't care :) Prevx self-protection is weak and requires a lot of work to fix numerous termination possibilities.

Well, without trying to come across harsh to anyone, I must admit that Prevx's "marketing" has often been very misleading, in my humble opinion. I am not an elite programmer, so it's hard to argue with many things they say, but I am not the only one to dislike their marketing strategies. I first noticed these "dodgy" marketing tactics from comments made by PrevxHelp (at Wilders) around the middle of last year (2009) - I'll not mention any specifics for obvious reasons (and anyway, it'd be hard to link his exact quotes unless I was very, very bored haha). Unfortunately, there are always going to be fanatic users of Prevx out there agreeing with everything they have to say etc. In my opinion, when honest objectivity goes out the window, so does logic.

And again, it appears that making your POC's public is doing a great favour to Prevx. If they are brushing it away (or playing it down) in official forums/blogs, how can they explain the fairly immediate release of version 187 to rectify the "bypass"?
 #1833  by Alex
 Fri Aug 06, 2010 4:21 pm
I am familiar with all these process/thread killers. I also followed EP_X0FF's PoC (SpiDiE) series and tested some software, including anti-rootkits, with the same results - I could always terminate/destroy the protected environment. So I wonder whether it is possible to protect one or more processes, especially if they have a GUI, without SDT, inline and DKOH hooks? I don't think there is any software (HIPS/AV/ARK) which is resistant to all these methods. Vendors can improve their products or ignore such PoCs, but if an attacker has admin rights, which are significant in this case, he/she will always find a way to terminate his/her target. BTW, more interesting is to attack the selected target from inside using its own features, like kernel module bugs - all security software contains one or more kernel modules which incorrectly validate user-supplied parameters, which finally allows privilege escalation.

Alex
 #1839  by ssj100
 Fri Aug 06, 2010 10:49 pm
LeastPrivilege wrote:Uh-oh, Windows 7 Ultimate with Security Policies enforced and UAC, oh dear. :o

Windows XP is still being used all over the world. In fact, a significant proportion of users still use the no-longer-supported XP SP2. Keep in mind that Windows XP still owns over 50% of the market share. Until that number drops to, say, below 5-10% (will that ever happen within the next 4 years?), there shouldn't be any excuse not to support it. Anyway, let's wait to see if Prevx releases new versions specifically in response to this. If they do, for their reputation's sake, I hope it won't be bypassed so quickly this time haha.
 #1842  by EP_X0FF
 Sat Aug 07, 2010 3:33 am
Excellent, probably a watchdog was added in 188. This is not a problem, and bypassing it is just a question of the 188 release time. Although I already have a version which is able to kill it by a different method.
 #1876  by Triple Helix
 Mon Aug 09, 2010 6:15 pm
EP_X0FF wrote:Here is the UnPrevxDemo for the 188 build. This is an swf file and it is better played with MPC. It demonstrates real-time killing of the latest beta build of Prevx 3.0 from pure user mode (188 build).
Watchdogs can't help and Prevx processes have zero chance of resurrection. A slightly extended version of this UnPrevx build can totally remove Prevx3 from the machine no matter what it hooks and where.

Since Prevx started playing the typical suckers' game - adding UnPrevx to their malware (OMG) database (by calculating checksums for VERSION_INFO) - binary files and source code will be available only to trusted people.

edit: in fact the 188 build is some sort of lol. I can terminate it with the old UnPrevx (processes will be resurrected after a few seconds of course).

Can you send the file to me? I don't work for Prevx; I'm just a Prevx Forum Helper over at Wilders!

TIA,

TH
 #1906  by ssj100
 Thu Aug 12, 2010 6:39 am
EP_X0FF wrote:This subforum is about user mode development.
Marketing, "give-me-sample" posts and other kinds of typical BS posts will be deleted without any notice.
If you have technical questions - feel free to ask, however answers are not guaranteed.

Sounds good EP_X0FF. Look forward to the release of your POC. By the way, have you tried your methods on other Antivirus/Antimalware products? If so, did it work? Cheers.