Prevx1

From Wikipedia, the free encyclopedia


Prevx1 is a behavioral anti-malware solution for Windows 2000, XP and 2003, made by Prevx Ltd, headquartered in Derby, UK. Prevx1 is designed to be a standalone security solution, but is also compatible with other security products. Its primary features are the endpoint security agent, the community database, and extensive real-time heuristics. Prevx1 currently registers over 200,000 new files each day, over 2000 of which are automatically identified as malware. Prevx1 is made to suit home environments as well as small business and corporate environments, with centralized management for business customers.


Background:

Prevx was founded in 2001, starting with a Host Intrusion Prevention System (HIPS) for business environments.

The software's purpose was to reside between software running on the host system and operating system resources. When software attempted to utilize monitored resources, Prevx would suspend the operation and query the user with a prompt to block or allow the event to continue. Prevx would intercept file system events, registry events, and memory events such as buffer overflows and physical memory access.

In 2004 Prevx developed a consumer-based HIPS solution, Prevx Home, which was distributed as freeware. A commercial version, Prevx Pro 2005, was later developed, introducing a new Community HIPS concept that used a central database to collect information from the agents for analysis. This data was used to provide technical details of propagating malware: how and where it was spreading, which products it was bypassing, and how users were reacting to the Prevx queries.

As Prevx reviewed the collected data, it observed that the vast majority of Prevx queries were being answered with "allow", which let malware such as the Netsky worm infect the majority of users' computers. Malware was increasingly using tactics to blend in with system files, and users were confusing malware files with legitimate system files. Just as malware was being allowed, legitimate system files were also being blocked.

With these observations, Prevx decided in early 2005 to redesign the product around a new concept that it felt would be more effective. This led to the creation of Prevx1, which launched at the end of 2005. This version uses the reporting mechanism and the collected data to block malware through a combination of real-time reporting, automated heuristic and generic detection routines, and review by live analysts.


Technical concept:

Security vendors face great challenges keeping up with new malware because of the increasing volume of malware being spread and the time needed to perform the analysis and to create and distribute definition files to antivirus customers. Prevx researched the problem through the Community data, and Prevx1 was built as a solution to this problem by automating the process. The new product combines the concepts of antivirus and HIPS in an effort to create a new approach with a high degree of automation.

Prevx1 uses simple themes in an effort to make the concept accessible to the average consumer who does not have extensive knowledge of security technologies. Prevx1 introduced the use of a traffic light system: the status of a file that is good, unknown, or bad is indicated with a green, yellow, or red light, respectively. If a bad file is seen, Prevx1 automatically catches the file and moves it to the Jail (equivalent to quarantine). The whole Prevx1 network of agents works on the Community concept, creating a network of agents operating as a "Community Watch". The Prevx1 agent installed on the user's computer monitors program execution and a variety of technical information about how program files interact with the operating system. This information is reported to a central server as the events occur, and the central server builds a profile of the individual files and subjects them to behavioral heuristics, in addition to review by an in-house team of analysts.


Technical information:

When a new file first runs, Prevx1 temporarily stops the file from running to compare the file's signature against the local and/or community database (which is held on the central server rather than the user's computer). If the community database already has a record of the file and it has been marked good, then the Prevx1 agent allows the file to run without any prompts or further interference.

If the file has a record that has been marked bad, then the file is automatically blocked.

If the file does not have an existing entry, then technical information about the file and its behaviors is recorded, compiling a profile of the file, which is subjected to behavioral heuristic and generic detection routines. If those routines are not able to classify the file automatically, then the information continues to be collected and is passed on to the in-house analysts. At this point the user is given the opportunity to block the program from running on their computer through a prompt (much like a firewall prompt), with the understanding that Prevx1 cannot determine its safety.
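The first-run decision flow described above (local cache, then community database, then behavioral heuristics, then analyst escalation with a user prompt), as an added illustrative model that is not Prevx's own code. The hash choice, the in-memory dictionaries standing in for the central server, and the two heuristic rules are assumptions made for the demo.

```python
import hashlib

# Traffic-light verdicts from the article's description (string names are ours).
GREEN, YELLOW, RED = "good", "unknown", "bad"

# Constructed stand-ins for the agent's local cache, the community database
# (really held on the central server) and the Jail (the product's quarantine).
LOCAL_CACHE = {}
COMMUNITY_DB = {}
JAIL = []

def file_id(content):
    """Identify a program file by the SHA-256 of its bytes (hash choice assumed)."""
    return hashlib.sha256(content).hexdigest()

def heuristics(profile):
    """Generic behavioral rules over a recorded profile. The rule set is
    constructed for illustration: an unknown file that both injects a DLL
    into another process and registers itself for autorun, or that tries to
    disable security software, is automatically marked bad."""
    flags = profile["behaviors"]
    if {"inject_dll", "write_run_key"} <= flags or "disable_av" in flags:
        return RED
    return YELLOW

def first_run(content, observed, user_allows):
    """Decide whether a newly executed file may run.
    Returns (verdict, action) where action is "run" or "blocked"."""
    h = file_id(content)
    verdict = LOCAL_CACHE.get(h) or COMMUNITY_DB.get(h)
    if verdict == GREEN:
        LOCAL_CACHE[h] = GREEN          # remember, so the next run needs no lookup
        return GREEN, "run"
    if verdict == RED:
        JAIL.append(h)                  # known bad: block and quarantine, no prompt
        return RED, "blocked"
    # No record anywhere: build a profile and try automatic determination.
    profile = {"hash": h, "behaviors": set(observed)}
    verdict = heuristics(profile)
    if verdict == RED:
        COMMUNITY_DB[h] = RED           # automatic verdict shared with the community
        JAIL.append(h)
        return RED, "blocked"
    # Still undetermined: the profile goes to analysts; meanwhile the user is
    # prompted and may block the program, as with a firewall prompt.
    return YELLOW, "run" if user_allows else "blocked"
```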

Along with the file determinations, heuristic rules are also maintained by the analysts on the central database to give real-time access to all changes. The monitoring points of the system are dynamically updated through policy updates, which are deployed through the update mechanism. This does not require changing the code of the program itself, so new features can be added "on the fly" within the same broad framework that the program provides.

The behavior blocking aspects used by the old Prevx Home and Pro versions are still available to advanced users who wish to enable them (by changing to "Pro" or "Expert" mode), but queries are considered a last resort, and are only displayed if the file is both unknown and cannot be automatically determined by the behavioral heuristics. However, Prevx included the behavior blocking mechanisms mainly to block malware automatically, as a means of helping to contain a malware infection for easier removal, without requiring the user to take steps to remove difficult malware infections, such as disabling the network connection or rebooting into safe mode.

As Prevx1 continued to be developed, malware detection and removal routines were added. Most prominently, Prevx1 no longer takes a simple cryptographic hash of the file as Prevx Home and Pro did; it now contains more advanced detection routines capable of detecting advanced malware techniques such as polymorphic viruses and other types of malware specifically designed to evade detection by anti-malware software. Prevx1 also has the ability to scan program files and their components running in memory, so it can detect malicious components loaded into legitimate processes, and can remove these components without deleting the whole file if necessary. The cleanup routines use additional heuristics to contain and remove undetected malware components, including methods used to complicate or counteract removal. They also use information collected in the community database.

While Prevx1 focuses on identifying malicious files, it may use behaviors to identify the presence of malware. Any obviously malicious event that positively indicates the presence of malware triggers a heuristic detection, and the malware is identified and removed. Prevx1 also tracks individual components, such as DLL files, regardless of the process using that component. As an example, malware may inject a DLL into a legitimate process like explorer in order to make a malicious action appear as though it is coming from the legitimate explorer.exe process. Prevx1 was made to recognize that such behavior is specifically caused by this foreign DLL, in order to block the action and remove the DLL and its related components without damaging the legitimate system processes. As Prevx1 was made to move away from being a traditional HIPS, this provides an alternative that is usable by anyone without sacrificing effectiveness. Where Prevx Home or Pro may have raised a query for an otherwise normal event caused by a legitimate system process, Prevx1 was made to automate the decision-making process by analyzing the event through its related components.

Prevx maintains an ever-evolving model for security, continually adapting its strategy through observation and prediction of malware trends across the "community" network. The highly modular framework allows Prevx to implement new features as they are developed. Prevx continues development for the Windows Vista environment with little change to the principles used for previous Windows environments.