[ssj100]

Well I'm sure the Prevx developers (and spies haha) will take into account your comments here. I don't use Prevx (nor do I ever intend to), but I'm always on the look-out for any interesting bypasses, particularly those that I can test.

Thanks for your work (trust me, no one else will thank you, even though you probably deserve it), and look forward to seeing more of it. Cheers.

EDIT: I'm actually surprised Prevx has not "thanked" or "acknowledged" you or your work in any way...or have they done it privately? The FACT that they specifically released version 187 in response to your POC implies that they "cared" enough about the bypass. Right?

moderator:
This thread created from Breaking Prevx 3 self-protection and contains non technical discussion about antivirus self-protection.

[EP_X0FF]

They always carried about self-protection bypass. No matter what company and what they speak on public. Of course on official forums and maybe blogs they will tell "no problem" and "who need AV termination" and other kind of 'see no evil'. It is typical marketing lie. There are a lot of malwares successfully terminating AV while its work. So having enough strength and armored self-protection is required option for any modern AV product. What about "thanks" etc, I don't care :) Prevx self-protection is weak and requires a lot of work to fix numerous termination possibilities.

[ssj100]

They always carried about self-protection bypass. No matter what company and what they speak on public. Of course on official forums and maybe blogs they will tell "no problem" and "who need AV termination" and other kind of 'see no evil'. It is typical marketing lie. There are a lot of malwares successfully terminating AV while its work. So having enough strength and armored self-protection is required option for any modern AV product. What about "thanks" etc, I don't care :) Prevx self-protection is weak and requires a lot of work to fix numerous termination possibilities.

Well, without trying to come across harsh to anyone, I must admit that Prevx's "marketing" has often been very mis-leading, in my humble opinion. I am not an elite programmer, so it's hard to argue with many things they say, but I am not the only one to dislike their marketing strategies. I first noticed these "dodgy" marketing tactics from comments made by PrevxHelp (at Wilders) around the middle of last year (2009) - I'll not mention any specifics for obvious reasons (and anyway, it'd be hard to link his exact quotes unless I was very very bored haha). Unfortunately, there're always going to be fanatic users of Prevx out there agreeing with everything they have to say etc. In my opinion, when honest objectivity goes out the window, so does logic.

And again, it appears that making your POC's public is doing a great favour to Prevx. If they are brushing it away (or playing it down) in official forums/blogs, how can they explain the fairly immediate release of version 187 to rectify the "bypass"?

[Alex]

I am familiar with all these process/thread killers, I also followed EP_X0FF's PoC's (SpiDiE) series, tested some software including anti rootkits with same results - I always could terminate/destroy protected environment. So I wonder it is possible to protect one or more processes especially if they have GUI without SDT, inline and DKOH hooks? I don't think there is any software (hips/av/ark) which is resistant to all these methods. Vendors can improve their products or ignore such PoC's but if an attacker have admin rights which are significant in this case he/she will always find a way to terminate his/her target. BTW more interesting is to attack selected target from inside using its own features like kernel modules bugs - all security software contain one or more kernel modules which incorrectly validates user supplied parameters which finally allows to privilege escalations.

Alex

[LeastPrivilege]

Uh-oh, Windows 7 Ultimate with Security Policies enforced and UAC, oh dear. :o

[ssj100]

Uh-oh, Windows 7 Ultimate with Security Policies enforced and UAC, oh dear. :o

Windows XP is still being used all over the world. In fact, a significant proportion of users still use the no longer supported XP, SP2. Keep in mind that Windows XP still owns over 50% of the market share. Until that number drops to say below 5-10% (will that ever happen within the next 4 years?), there shouldn't be any excuse not to support it. Anyway, let's wait to see if Prevx releases new versions specifically in response to this. If they do, for their reputation's sake, I hope it won't be bypassed so quickly this time haha.

[LeastPrivilege]

Anyway, let's wait to see if Prevx releases new versions specifically in response to this.

http://www.wilderssecurity.com/showthread.php?t=278777

[EP_X0FF]

Excellent, probably watchdog added in 188. This is not a problem and it's bypassing is just a question of 188 release time. Although I already has version which is able to kill it by different method.

[Triple Helix]

Here is UnPrevxDemo for 188 build. This is swf file and it is better played with MPC. It demonstrates realtime killing of the latest beta build of Prevx3.0 from pure user mode (188 build).
Watchdogs can't help and prevx processes has zero chances for resurrection. Sligthly extended version of this UnPrevx build can totally remove Prevx3 from machine no matter what it hooks and where.

Since Prevx started playing typical suckers game - adding UnPrevx to their malware (OMG) database (by calculating checksums for VERSION_INFO) binary files and source code will be available only for trusted people.

edit: as in fact 188 build is some sort of lol. I can terminate it by old UnPrevx (processes will be resurrected after few seconds of course).

Can you send the file to me? I don't work for Prevx I'm just a Prevx Forum Helper over at Wilders!

TIA,

TH

[ssj100]

This subforum is about user mode development.
Marketings, "give-me-sample" posts and other kind of typical bs posts will be deleted without any notice.
If you have technical questions - feel free to ask, however answers are not guaranteed.

Sounds good EP_XOFF. Look forward to the release of your POC. By the way, have you tried your methods on other Antivirus/Antimalware products? If so, did it work? Cheers.