PREVX PRO

Published by Kareldjag Aka Michel

Prevx is considered by its authors to be an Intrusion Prevention System.

This ambitious product targets all kinds of threats (viruses/trojans/worms/spyware) and tries to prevent unknown ones without any scanner or signature database.

Prevx works as a "filewall" by detecting any access to a protected area such as the registry Run keys, INI/SYS files, memory or the IE start page.



Two versions of Prevx are available:

- the Pro version, which is paid (19.95 dollars),

- the Home version, which is free.

Only the Pro version is tested here.

TEST:

Configuration: Maximum mode.

***Execution control with Leaktests:

Prevx does not detect Copycat, DNSTester or Ghost.

Prevx failed against the execution control test.

***Process Termination:

Prevx (Sagui.exe) can easily be terminated (and suspended) with APT: PX failed.

***Dll injection/implant:

Prevx neither detects nor prevents this attack (tested with Zapass and Copycat).

Prevx failed.

***Process hijacking:

Prevx can be hijacked without any alert: Prevx failed.

***API Manipulation:

- with APISpy32: another instance of Prevx can be launched and any API manipulation is possible. PX failed.

- with ExeHook Demo: no API hook is detected or prevented. Prevx failed.

- with Kapimon: no API hook is detected. Prevx failed.

Prevx failed against the API manipulation tests.

***Finjan Tests:

- F.Demo: PX failed (it only detects the access to temp files).

- F.VBS: PX failed.

- F.JPG: PX failed.

Prevx failed against the Finjan tests.

***Registry Tests:

- with Regtest 1: Prevx is the winner.

- with Regtest 2: PX detects the action (alert) but can't stop the reboot. PX failed.

- with Scoundrel Simulator: Prevx detects the 2 startup entries and the change of IE start page: PX is the winner (3/5).

- with RegHide: PX failed.

- with RegtickPro: PX failed.

Prevx is the winner against the Registry tests.
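As an added illustration (not Prevx's code nor the author's), the script below diffs two constructed .reg exports of the areas the Scoundrel Simulator test exercises (the Run keys and the IE start page) and names the kind of change, which is the detail the Cons section notes Prevx's "possible virus" alerts do not give. All key paths and values are constructed samples.

```python
import re

# Constructed sample: baseline .reg export of the monitored keys (regedit syntax, invented values)
BASELINE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''

# Constructed sample: the same keys after a simulated startup entry and start-page change
CURRENT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"simulated"="C:\\temp\\simulated.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/start"
'''

AUTOSTART_KEYS = ('Run', 'RunOnce', 'RunServices')

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}."""
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            result.setdefault(key, {})
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                result[key][m.group(1)] = m.group(2)
    return result

def classify_changes(before, after):
    """Return (key_path, value_name, kind) for each added or modified value."""
    findings = []
    for key, values in after.items():
        old = before.get(key, {})
        is_autostart = key.rsplit('\\', 1)[-1] in AUTOSTART_KEYS
        for name, data in values.items():
            if name not in old:
                kind = 'new autostart entry' if is_autostart else 'new value'
                findings.append((key, name, kind))
            elif old[name] != data:
                kind = 'IE start page changed' if name == 'Start Page' else 'value modified'
                findings.append((key, name, kind))
    return findings
```

Calling `classify_changes(parse_reg(BASELINE), parse_reg(CURRENT))` reports one new autostart entry and one IE start page change, each labelled by kind rather than as a bare "possible virus".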

***Trojan simulation with Trojan Simulator:

Prevx is the winner.

***Memory Manipulation:

- with UH (memory writing): Prevx failed (with any modification, sagui.exe stops running).

- with Physmem (access to physical device memory): Prevx failed.

Prevx failed against memory manipulation.

NB. PrevX is able to detect and block access to physical memory with SDTRestore but not with Physmem.

***Data theft with Trojan Demo:

Prevx failed (detects/prevents nothing).

***Service/driver manipulation:

- service installation: PX is the winner.

- modification: PrevX is the winner.

- service termination: PX failed.

- unloading a driver: PX is the winner.

Prevx detects the access to the service keys and the loaded driver.

Prevx is the winner against the service/driver manipulation test.

***CDRom autorun:

Prevx failed.

***Fakes/jokes test:

For the 2 tests: Prevx detects only the startup entry of fa.exe but not the final actions.

PX failed against the Jokes tests.

***Buffer/Heap Overflow test:

- with maximum mode: PX failed against all tests.

- with specific rules (report mode): Prevx failed.

Prevx failed against the Buffer overflow tests.

***Deactivation methods:

- trashcan: Prevx failed.

- blacklisting: PX failed.

Prevx failed against the deactivation methods test.

CONCLUSION:

***The Pros:

- multi-layered protection (registry, important files, IE, memory, etc.),

- runs as a service (auto-start) associated with a file system driver,

- basic but effective and sufficient registry protection,

- easy rules configuration,

- quality of the log file,

- good support and helpful forum (and a responsive team which seems to have patched the denial of service vulnerability),

- install (trusted) and suspend modes (for maintenance),

- original and nice graphical interface,

***The Cons:

- no executable filtering to control activities,

- alerts are useful for detecting file access, but do not say what kind of action or attack occurred ("possible virus" for a startup entry), so they can be difficult to interpret and understand for beginners,

- does not protect against some advanced attacks (hijacking, dll injection, hooks...),

- sometimes extremely annoying alerts (e.g. during a setup if PX is not suspended),

- privacy violation: a very chatty PXAgent which frequently tries to connect to Prevx servers in order to send (anonymously) attack data...

Here's a capture of packets:

This option is enabled by default, and if a newbie is not aware and careful (by reading all the information), statistics are sent without his permission.

The user should be given the choice to enable this option or not during setup.

NB. Here's the answer (extracted from an e-mail) of Paul S. (Head of R&D):

- pretentious advertising arguments,

- takes too much time to load during boot,

- not compatible with old Windows versions,

- only available in English.

NB: PrevX seems more interesting in detection mode (but alerts are more frequent).

COMMENTS:

Prevx is presented as the ultimate defense against known and unknown threats (viruses, trojans, worms, spyware...).

But after the test, I'm legitimately disappointed with Prevx: I like to see a product doing what its authors claim...

Prevx's authors are perhaps too ambitious (PrevX as an "all in one against all" security software): the ultimate defense software is not ready to be born.

- I really doubt the keylogger protection:

How could PrevX prevent known/unknown keyloggers if it can't detect and prevent basic API hooks?

- I really doubt the unknown worm protection.

Did Prevx stop the recent worm invasion on Messenger (Kelvir worm) when antiviruses and anti-trojans had seen nothing for a few hours? I'm not sure...

For detecting unknown worms, a multi-level behavioural approach and specific architectures are necessary, especially because infection vectors are various.

- I also really doubt the Buffer Overflow protection, and other specific personal tests confirm this statement: protecting Windows services is not a sufficient and effective defense against Buffer/Heap Overflows.

And even specialized products can be bypassed and defeated.

NB. Here's the answer of the PrevX team (from the same e-mail):

While the pretentious advertising is condemned here, the product itself is not:

A program which targets the monitoring of important files and areas of the system is on the right track: any suspect access can be intercepted and notified by an alert.

And in this respect, PrevX is one of the most exhaustive products on the list (with Viguard and SSM).

But while an advanced user can easily become familiar with all the alerts, the same may not be true for a novice or ordinary user.

In any case, PrevX Pro seems to be a promising demonstration of the know-how of the PrevX team, which provides a well known corporate HIPS.

With some improvements (executable control, more attack-by-attack prevention, etc.), Prevx could be an efficient product to integrate into a line of defense.

COMMENTS (French version):

Available in Enterprise, "Home" (free) and "Pro" (about 19 euros) versions, PrevX is considered by its designers as an IPS, or intrusion prevention system.

Its prevention and detection functions operate mainly by monitoring access to the important areas of the system that are likely to be vectors for any form of parasite or attack.

Thus, any access to the startup keys, INI files, temporary files or physical memory is detected and reported to the user by an alert.

However, its alerts sometimes prove imprecise (a registry entry made during a program installation reported as a "possible virus") and quickly annoying, even if the "maximum" mode, the configuration and the "trusted install" function can reduce their number and ease maintenance (installing new software).

The whole is interesting for its multi-level protection (registry, important files, services, memory) and for a very competitive price.

Aggressive and somewhat exaggerated marketing presents PrevX as the last line of defense against attacks by viruses, trojans, worms and other known or unknown parasites.

Put to the test of the facts and in view of the test results, it must be said that PrevX is far from keeping its promises.

It seems very ambitious for a product of this kind to claim to fight unknown worms and to be able to prevent any buffer overflow attack.

Any user concerned about their privacy rights should also be told that PrevX has an information collection function (Paws).

Indeed, under the pretext of fighting crime, PrevX collects anonymous information about the events occurring on the system.

Although no private or personal information is transmitted, it is regrettable that this function is enabled by default at installation (it is enough to disable it in the "preference" menu).

In the end, the whole leaves me wanting more, and above all closer to disappointment than to real enthusiasm.

However, the authors seem to have become aware of their product's limits and are preparing a version 2 that would strengthen its present functions, add new ones and correct its few weaknesses.

RATING: 7.5/10