A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #1948  by ssj100
 Fri Aug 13, 2010 7:38 pm
EP_X0FF wrote: Blovex for Prevx

Experimental destroyer for the Prevx 3.0.5.188 build. Uses another attack vector, totally different from the one in UnPrevx 1.0.188.
In my tests it perfectly crashes the target, making it mad and unworkable :)
Since the 188 build's self-protection is very unstable, this proof-of-concept is not guaranteed to work.
Because of the consequences, better try it on a VM ;)

It needs some time to drive Prevx crazy :)
Seems to work in my VM XP, 32-bit. The Prevx icon disappears from the system tray and the prevx.exe process constantly uses 99% CPU power. I can't seem to bring up its GUI or do any right-click context menu scans. And of course, Prevx fails to detect this file as malicious.

This proves (once again) that Prevx is simply a blacklister. Sure, the marketing team will describe behaviour blocking and in-the-cloud technology etc., but at the end of the day (like with all antivirus software), it will fail to detect a large proportion of true zero-day malware.
 #1966  by EP_X0FF
 Sat Aug 14, 2010 3:50 am
Off-topic content moved to AV self-protection
ssj100 wrote: Seems to work in my VM XP, 32-bit. The Prevx icon disappears from the system tray and the prevx.exe process constantly uses 99% CPU power.
Blovex exploits bugs added since Prevx started to "fix" their self-protection.
 #1981  by EP_X0FF
 Sat Aug 14, 2010 4:58 pm
LOL @ Prevx.
They started the typical idiocy with signature generation.
If we follow their logic then Prevx does not need self-protection at all; calculation of checksums is a very strong and efficient method of protection against everything :)))

Detection of Blovex is by checksum calculation of the VERSION_INFO block. Such a primitive and pointless answer was expected.
Seems it is time to publish the source code and write a very funny article about Prevx.

Here is the updated Blovex.exe (actually you can update it yourself with a simple PE editor; it requires almost a 1-byte modification).
I'm waiting and ready for blacklisting by filenames and other kinds of idiocy ;)

pwd: I_will_never_generate_crappy_signatures_anymore
Last edited by EP_X0FF on Sun Aug 15, 2010 3:55 pm, edited 1 time in total. Reason: removed attach
 #1985  by xqrzd
 Sun Aug 15, 2010 3:18 am
You could copy the version info from a MS file, it would force them to write a different signature type...
 #1986  by EP_X0FF
 Sun Aug 15, 2010 3:29 am
Thanks for the suggestion :) Actually calculation of checksums (hashes) is the preferred (and only?) type of signature created by this AV product (as I saw before) :D However it is not a problem to break a signature, even an API-based or so-called "generic" signature. In fact, by starting pathetic trolling over boards and generating signatures, Prevx confirmed it was defeated. As for the ridiculous trolling attempts, well, unfortunately for the Prevx trolls I have facts, they have nothing :)

Too bad for the company's users; having strong enough self-protection is a required option for any modern AV. If this game makes them stronger - well, it is OK :) Otherwise it is an epic fail. Looking at their answers (185, 187, 188) - the self-protection division requires a new team of developers, because these "answers" are childish.

p.s.
and some funny stuff (as predicted here http://www.kernelmode.info/forum/viewto ... 1981#p1981)
http://www.prevx.com/filenames/X2290916 ... X.EXE.html

Failed even here, because Blovex does not run any additional processes :)
 #1988  by ssj100
 Sun Aug 15, 2010 9:19 am
I think Prevx as it is will always be vulnerable to these "attacks". As you said, it needs a HIPS component (or an LUA + SRP type environment) in order to reliably prevent such exploits. I doubt Prevx will ever implement such a HIPS component though, mainly because it would potentially make it less user-friendly. I think they rely on a combination of being user-friendly as well as clever marketing tactics. These marketing tactics can still be seen. A large proportion of people still run as full-blown Administrator (particularly those that use Windows XP), and those that have Vista or 7 have switched off UAC (let's face it, the average user finds UAC annoying). Belittling and playing down your POCs by saying they only work if they have Administrator access is therefore simply another marketing tactic. I find this to be rather irresponsible actually.

Anyway, software like Comodo Internet Security (CIS) will always be stronger than Prevx because of its HIPS component. And don't forget, CIS is completely free too, unlike software like Prevx.
 #1989  by EP_X0FF
 Sun Aug 15, 2010 4:08 pm
Signature calculation continues. This time the Prevx engine revealed that it can also generate signatures for code buffers :) I'm really surprised :) Seems it's really some sort of AV! :o

Actually what they did: in the binary map a small code buffer was selected and a checksum was calculated for it. This can be done by a robot or a lazy analyst.
The signature is sent to testing; if no false alarms are detected it is applied, otherwise the cycle continues until success.

Very primitive stuff.

Here is the code buffer "Medium Risk Malware" (BTW, did you see much malware with a proof-of-concept message dialog at startup, working only if the designated Prevx is found and the user selected "Yes"? Ridiculous Prevx behavior, truly enjoyable)
if (ZwWaitForSingleObject(EventHandle, false, nil) = 0) then;
As you can see, it was actually a bug in Blovex, because this code has no effect due to the ";" at the end of "then".

So actually I must "thank" Prevx for pointing me directly at my bug. Gladly, because of your signature I was able to fix it :)

Here is an updated Blovex eradicating this new signature.

I'm going to publish the source code soon and open a private service for deploying hot new versions always clean from Prevx's ridiculous checksums.
Last edited by EP_X0FF on Mon Aug 16, 2010 3:24 am, edited 4 times in total. Reason: attach removed
 #1990  by Triple Helix
 Sun Aug 15, 2010 5:59 pm
EP_X0FF wrote: Thanks for the suggestion :) Actually calculation of checksums (hashes) is the preferred (and only?) type of signature created by this AV product (as I saw before) :D However it is not a problem to break a signature, even an API-based or so-called "generic" signature. In fact, by starting pathetic trolling over boards and generating signatures, Prevx confirmed it was defeated. As for the ridiculous trolling attempts, well, unfortunately for the Prevx trolls I have facts, they have nothing :)

Too bad for the company's users; having strong enough self-protection is a required option for any modern AV. If this game makes them stronger - well, it is OK :) Otherwise it is an epic fail. Looking at their answers (185, 187, 188) - the self-protection division requires a new team of developers, because these "answers" are childish.

p.s.
and some funny stuff (as predicted here http://www.kernelmode.info/forum/viewto ... 1981#p1981)
http://www.prevx.com/filenames/X2290916 ... X.EXE.html

Failed even here, because Blovex does not run any additional processes :)
Why are you calling us trolls when we are interested? And part of the security community! :?

TH
Last edited by Triple Helix on Sun Aug 15, 2010 6:22 pm, edited 1 time in total.
 #1991  by EP_X0FF
 Sun Aug 15, 2010 6:04 pm
Why are you calling us TROLLS when we are interested? And part of the security community!
Capslock off.
Currently only one troll was here - PX6. I'm talking about different places.