Prevx1
From CastleCopsWiki
Product: Prevx1
Company: Prevx Limited
Website: http://www.prevx.com/
Support forum: http://www.castlecops.com/c37-Prevx.html
First released: 2004 (Prevx Home), 2005 (Prevx1), 2007 (Prevx2)
Feature list: Main features include execution control, whitelisting, blacklisting, heuristic decision making and a community approach (full feature list compared to other products)
Various reviews and tests: http://www.av-comparatives.org/seiten/ergebnisse/HIPS-BB-SB.pdf, PCmag review, Nicm's test against selected "unhooker" malware
Though the review below refers to Prevx1, there are no substantial changes from Prevx1 to Prevx2. All changes appear to be under the hood, such as the Malware Virtualization module (essentially the virtualization and emulation techniques conventional antiviruses use to inspect a file before it is run), so the review below applies to the newer Prevx2 as well.
Quick review
The first products released by Prevx Limited were Prevx Home and Prevx Pro in 2004. Despite covering several more actions and states (mostly file and directory areas) than ProcessGuard, they were still basically in the vein of earlier products, prompting the user and relying on them to respond correctly. Prevx found, however, that a large share of their users (50% or more) were making the wrong decisions and allowing malicious actions.[1] In response, a completely new product, Prevx1, built around a new idea, was created in 2005.
Along with Online Armor, Prevx was one of the first HIPS products to use whitelists and blacklists in a big way. While most of their competitors shipped with a basic, static and limited list of legitimate files and processes or preset rules, Prevx1 has a huge database of known good files that are whitelisted. In addition, they also maintain a blacklist of known malware. Both lists are constantly updated, and Prevx leverages its user base via a community approach to identify new files (both good and bad) to add to the database. The Prevx team is also very proud of its heuristics. There are few details on how these work, except that they are not the same as typical antivirus heuristics (as stated by the development team). From hints made by team members, these heuristics probably take into account prior behaviors of the same process observed on other machines; this is where the community aspect comes into play. Lastly there is the behavior blocker component that will be familiar to users of most HIPS.
It would be a mistake, however, to assume that Prevx is like Online Armor, System Safety Monitor, ProSecurity and the like. It would be only a slight understatement to say that of all the HIPS products out there, Prevx is probably the most difficult to understand, because the developers and representatives like to hint at the different mix of technologies involved and explain how we users don't really understand the genius of Prevx. This page might help.
Given these different methods, there are several different ways for Prevx1 to deal with a given suspicious behavior. For example, say a certain process is flagged for trying to add a registry entry for auto-starting; what happens next depends on which policy (there are four types) is set for that rule.
- Heuristic reporting
The decision whether to allow or disallow the suspect action is made automatically based on a heuristic rule. This is the easiest on the user, as the system makes all the decisions. Presumably this setting also automatically allows whitelisted known programs. To some extent, these heuristics place Prevx1 in the expert-based behavior blocker category of HIPS.
- Query Unknown
If this setting is used, the action will be allowed automatically if the process is a known good process (on the whitelist). If it is unknown, the user will be prompted to allow or disallow the action. This policy still gives the user some control but reduces popup fatigue by automatically allowing safe applications to carry out actions while focusing the user's attention on truly dangerous situations. On the negative side, some users might disagree with Prevx1's classification of an application as safe, or they might want to stop safe programs from doing certain actions for other reasons.
- Query Unknown/Known
The user will be prompted for an action to allow or disallow whether the process causing this action is known or unknown. This puts you back to 'classic' HIPS mode.
- Prevent*
This option is seldom used, and applies only to physical memory protection. This automatically blocks
In Prevx1 (individual version), you can choose between ABC mode, Pro mode and Expert mode. ABC mode is easiest on the user: most of the settings are set to heuristics, so decisions are made automatically by the system. The few that are not are set to Query Unknown; the most significant of these is HIPS/IDP_programs/services#Process Execution.
Given Prevx1's large whitelist of safe applications, users in ABC mode are seldom confronted with a popup and do not need to make decisions often. This is ideal for newcomers, of course. The Pro and Expert modes have more settings at the more demanding Query Unknown and Query Unknown/Known levels, but even in Expert mode, most of the settings are still set to heuristics (decision made automatically by the system).
Strengths
- Good mix of different classes of technology; whitelists and heuristics help support newcomers and reduce popups.
Prevx1 is excellent for beginners when run in ABC mode. As mentioned before, a lot of the decisions are made automatically by the system thanks to a large whitelist as well as heuristics.
- Large Database of programs (both whitelists and blacklist).
With Prevx2 you can scan your whole hard disk (much like an antivirus), and unknown files will then be checked and submitted online. This provides a higher level of assurance than scanners that rely merely on blacklists.
- Unlike most HIPS, Prevx offers also cleaning services not just prevention.
Though as of 29 Sep 2007, this is available only to paid customers.
- Leveraging their community system, they can quickly spot fast-spreading malware.
Their community-based system gives them a wealth of information on which files and processes are in use on the net. Other information collected includes typical paths and names, which files and registry entries they create, and what generic types of behavior they exhibit. These are used by human analysts as well as by their automated systems to quickly spot malware. See for example http://info.prevx.com/ . According to Prevx representatives this is a major reason why Prevx differs from its competitors; they have even coined the term "Community based intrusion prevention system" (CIPS) (http://www.wilderssecurity.com/showthread.php?t=130174&highlight=cips) to differentiate themselves.
- Wide range of behaviors covered*
Prevx1 covers a wide range of behaviors besides the typical process execution/modification/hooking protections: browser-related settings, Windows system changes (changes to file extension handlers, the hosts file, creation of alternate data streams, changes to C:\Windows, Windows restore areas, changes to Windows Firewall settings, etc.) and more exotic settings (buffer overflows). Because Prevx1 sets most of these to "heuristics", it can afford to monitor these areas without burdening users with excessive popups.
- Offers network control
Some basic network control relating to outbound connections as well as the ability of applications to accept inbound connections (act as server).
In ABC mode, everything relating to networking is set to heuristics so the user will never be prompted at all. In pro and expert mode, everything is set to Query known/unknown, which is basically how a standard firewall works.
For people who want to rely on their firewall, there is a separate switch to turn off network control completely. This is particularly useful for people who want to run in Expert or Pro mode but don't want warnings about network events already covered by a firewall.
Weaknesses
- Requires a network connection for constant checking, which might also slow down the system
It is impossible for Prevx1 to download the full list of known safe and unsafe programs, so what Prevx1 does is query the online database whenever required (or at certain intervals, such as at startup). If you pay for bandwidth or do not have constant internet access, this might not be ideal. Also, every time you start a new process for which your local database has no record, Prevx1 has to query the online server to see whether the process is known. Depending on your network connection speed, this might cause a slowdown while you wait for a response.
Note: Prevx1 works without an internet connection.
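The decision flow described on this page (the four policy types, the per-mode policy tables, and the local-database-then-online lookup just discussed, including the offline case) modelled in Python. This is an added illustration, not Prevx code: the file "hashes", the online whitelist/blacklist contents, the Expert-mode policy table, the rule that blacklisted files are always blocked, the choice to cache only firm verdicts, and the stand-in heuristic (block an unknown file once enough other machines have reported it misbehaving) are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    KNOWN_GOOD = "known good"   # on the whitelist
    KNOWN_BAD = "known bad"     # on the blacklist
    UNKNOWN = "unknown"         # no record anywhere


class Policy(Enum):
    HEURISTIC = "heuristic reporting"
    QUERY_UNKNOWN = "query unknown"
    QUERY_UNKNOWN_KNOWN = "query unknown/known"
    PREVENT = "prevent"


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt user"


# Constructed sample reputation data; the strings stand in for real file hashes.
ONLINE_WHITELIST = {"hash-notepad", "hash-firefox"}
ONLINE_BLACKLIST = {"hash-dropper"}

# Constructed per-mode policy tables. Only the ABC-mode Process Execution setting
# comes from the page; the Expert entries are assumptions for this example.
# Anything not listed falls back to heuristics, as the page describes.
MODE_POLICIES = {
    "ABC": {"process_execution": Policy.QUERY_UNKNOWN},
    "Expert": {
        "process_execution": Policy.QUERY_UNKNOWN_KNOWN,
        "registry_autostart": Policy.QUERY_UNKNOWN,
        "physical_memory": Policy.PREVENT,
    },
}
DEFAULT_POLICY = Policy.HEURISTIC


@dataclass
class Reputation:
    """Local database in front of the online lookup, as the page describes."""
    local_cache: dict = field(default_factory=dict)   # file hash -> Verdict
    online: bool = True
    online_queries: int = 0                           # counts round trips

    def lookup(self, file_hash: str) -> Verdict:
        if file_hash in self.local_cache:
            return self.local_cache[file_hash]
        if not self.online:
            # Offline: an uncached file is simply treated as unknown.
            return Verdict.UNKNOWN
        self.online_queries += 1
        if file_hash in ONLINE_BLACKLIST:
            verdict = Verdict.KNOWN_BAD
        elif file_hash in ONLINE_WHITELIST:
            verdict = Verdict.KNOWN_GOOD
        else:
            verdict = Verdict.UNKNOWN
        if verdict is not Verdict.UNKNOWN:
            # Assumption: only firm verdicts are cached, so an unknown file is
            # re-checked later once the community has seen more of it.
            self.local_cache[file_hash] = verdict
        return verdict


def heuristic_decision(prior_bad_reports: int, threshold: int = 3) -> Decision:
    """Stand-in for Prevx's undocumented heuristics (assumption): block an
    unknown file once enough other machines have reported it misbehaving."""
    return Decision.BLOCK if prior_bad_reports >= threshold else Decision.ALLOW


def decide(policy: Policy, verdict: Verdict, prior_bad_reports: int = 0) -> Decision:
    """Map (policy, reputation verdict) to an action per the four policy types."""
    if verdict is Verdict.KNOWN_BAD:
        return Decision.BLOCK       # assumption: blacklisted files are always stopped
    if policy is Policy.PREVENT:
        return Decision.BLOCK       # page: Prevent blocks automatically
    if policy is Policy.QUERY_UNKNOWN_KNOWN:
        return Decision.PROMPT      # classic HIPS: ask regardless of reputation
    if verdict is Verdict.KNOWN_GOOD:
        return Decision.ALLOW       # whitelisted under Heuristic and Query Unknown
    if policy is Policy.QUERY_UNKNOWN:
        return Decision.PROMPT      # unknown file: ask the user
    return heuristic_decision(prior_bad_reports)


def evaluate(mode: str, action: str, file_hash: str, rep: Reputation,
             prior_bad_reports: int = 0) -> Decision:
    """Full flow: pick the rule's policy for the mode, look the file up, decide."""
    policy = MODE_POLICIES[mode].get(action, DEFAULT_POLICY)
    return decide(policy, rep.lookup(file_hash), prior_bad_reports)


if __name__ == "__main__":
    rep = Reputation()
    cases = [("process_execution", "hash-notepad"), ("process_execution", "hash-newtool"),
             ("registry_autostart", "hash-newtool"), ("process_execution", "hash-dropper")]
    for mode in ("ABC", "Expert"):
        for action, h in cases:
            print(f"{mode:6} {action:20} {h:14} -> {evaluate(mode, action, h, rep).value}")
    print("online queries made:", rep.online_queries)
```

Running the script shows the contrast the review draws: in ABC mode an unknown tool is only ever queried for process execution and is waved through elsewhere by the heuristic, while Expert mode prompts even for the whitelisted file. The `online_queries` counter also makes the bandwidth point concrete: a whitelisted hash costs one round trip and is then served from the local cache, whereas an unknown hash is re-queried each time it is seen.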
- Inflexible settings, lack of control for experts.
Prevx1 has only three modes: ABC, Pro and Expert. While you can toggle between the three modes, you cannot set policies individually for each protection (the family version does offer this capability). Even in Expert mode, the bulk of the settings are at Heuristic or Query Unknown, which might frustrate a user who is used to total control from a HIPS and wants to be prompted for everything. For example, the addition of Layered Service Providers, process hijacking (code injection, etc.) and changes to Windows scheduler tasks, among others, are set to heuristics, so the user has no control over them when they are changed.
This reflects the fact that Prevx is really not meant to compete with packages like ProSecurity or System Safety Monitor, a point they have stressed many times.
Notok (Prevx representative) wrote:
Prevx1 is not a behavior blocker, it is an anti-malware that uses system monitoring for automating the process of malware analysis. There are some options for behavior blocking (of unknown files) for advanced users that may wish to contain an infection, but these are more of an extra as Prevx1 was specifically made because HIPS (the kind of software those tests are made for) do not work (unlike other vendors that may say so, we say this from past experience).
- Some privacy issues
Comments for free version
The free version of Prevx1 and Prevx2 has a fairly unusual licensing system: it is fully functional, but with conditions.
Firstly, a word about Prevx1. Prevx1 already provides free detection of malware. Each user is also offered 30 days of full clean-up and protection. The 30 days begin only when Prevx1 is used to remove an existing infection or to stop a new infection. If your PC is never infected, or is never re-infected after this 30-day period, then Prevx1 is entirely free to use.
If you have used Prevx1 and your pre-paid clean-up and protection has expired, the only way to reinstate it is to buy a license. Uninstalling and reinstalling Prevx1 will not reinstate your clean-up and protection; you must buy a license. Likewise, switching the product off and switching it back on several days later does not extend the clean-up and protection window.
Note that the phrase "stop an infection" means that if Prevx1 detects any malware on your computer trying to run, the 30-day countdown begins. Given that Prevx1 now considers various testing tools (leak tests, for instance) to be malware (in the past it didn't) and flags them, if you choose to test Prevx1 by running such tests you will instantly trigger the 30-day countdown.
Once the 30 days are over, Prevx1 will continue to warn you of infections, but won't stop or cure them.
Summary
Prevx1 is an interesting blend of various security technologies not seen in most other HIPS. Online Armor comes the closest with whitelists and blacklists, but leaving aside the differing sizes of the lists, Prevx1 also includes the use of heuristics to make decisions for the user.
The ABC mode is particularly ideal for beginners who prefer not to be faced with constant popups. The expert user who wants total control might be less thrilled though, because they cannot fully control what is being monitored.
Lastly unlike other HIPS, Prevx provides cleanup and removal of malware like a normal antivirus. This is available only for the free version though.
