colbru said:
Hi everyone,
I've stumbled over this www.prevex.com protection software. I was looking for a solution against a Trojan that got me, and Norton and Trend Micro were not able to get this thing removed. prevex1 worked like a charm...
Reading into their site, to me it sounds like this thing is the Holy Grail against rootkits, viruses and all kinds of malware.
Does anyone have experience with this software? Recommendations?
Microsoft's Windows Defender (previously MS AntiSpyware) and WinPatrol are examples of products that POLL for changes to your system. That means everything they find is found too late. That is why they can never report what process was trying to make the change: the process is already done making the change and has gone away. Try a test: edit the hosts file using Notepad. Only when you exit Notepad and save the file will Windows Defender announce the change, but that announcement comes 10 to 50 seconds AFTER the change was already made, which is why it cannot report to you which process made the change and why they cannot offer the ability to let the user allow or block future changes from that product (because they simply don't know WHAT made the change). WinPatrol is even worse. It covers fewer objects to detect changes, and the minimum polling interval is 1 minute (which is WAY after a process is gone after making the change).
Prevx intercepts the change AS IT OCCURS. The process that wants to make the change is made to pend until Prevx notifies the user of the change and asks for permission to allow or block (and can remember that selection). Like a firewall with application allowing/blocking of Internet connections, you will get prompts in Prevx, but not nearly as many. It has a large database of known good and bad files. If you use Prevx in its ABC mode (rather than Expert), you don't get prompted when a known good program makes a change.
I've used Prevx since it was called Prevx Home (for the free version). They no longer provide a free personal-use version and just have their pro version, which is now just called Prevx. You can get a free "research" version, though (http://free.prevx.com). Since users are talking about Microsoft Windows Defender, which is also still BETA, then obviously they don't care about using another beta version product, and I've had far fewer problems with Prevx's beta than I did with Windows Defender's beta. They can both be used together, but eventually you'll want to dump one since you are duplicating protective coverage. I dumped Windows Defender simply because it catches the changes too late and won't let you define rules to remember your actions (because it hasn't a clue what made the changes). I have had few problems with the beta version of Prevx, and it consumes fewer resources than WD and impacts the system less than WD regarding responsiveness. Prevx is less susceptible than WD to a pest turning it off or disabling it.
It has never happened to me under several installs, but a few testers have reported high CPU usage when using Prevx. However, from what I've read in the WD newsgroup on Microsoft's private NNTP server and in the Prevx forums, and even if the polling-versus-interception paradigm in detection were ignored, I'd still pick Prevx. I had both and dumped WD.
There are still some changes to Prevx that I would like to see in the future. While it doesn't include a firewall (something promised for later), it will intercept apps that try to make Internet connections and ask you to allow or block, and whether you want to remember your selection. I already have a firewall with app rules, so this ends up duplicating the prompts. However, that is when I run under the Expert mode: in ABC (simple) mode, known good apps are allowed to connect (so you'll still want a firewall to maintain control even over known good apps). It won't check the file that was called using rundll32.exe, but many products fail that test, so I never define (i.e., remember) a rule to allow that process, so I get prompted each time "rundll32.exe ... <somefile>.dll ..." is used to run a program. Unlike Microsoft, Prevx has been far quicker to fix bugs. After all, you are testing their "research" version, which is used to develop their released and commercial version. Expert mode can be too expert. There are times when it alerts on server-side scripts and has you answering prompts where it can be difficult to make a choice on an action at the time. Prevx isn't for newbies, since the user is expected to know or research a process reported in a prompt. Prevx catches the process making a change, but the user is ultimately the authority deciding what to do - but, at least, the user knows about the change WHEN it occurs rather than sometime too late when the process isn't even around anymore.
You might also want to look into ProcessGuard (from DiamondCS). I used it for a while and it is good, but eventually I considered it overkill. Too much protection eventually gets in the user's way. For example, I have Ad-Aware and Spybot S&D installed but don't bother loading their real-time monitors (Ad-Watch and TeaTimer) and only use them for manually initiated scans. Same for eWido and a-Squared (but I don't have those installed anymore).
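As an added example (not code from this thread, nor from Prevx, Windows Defender or WinPatrol), here is a minimal polling-style hosts-file monitor in Python modelled on the Notepad/hosts test above: it can report which entries changed and how long after the write it noticed, but, like any poller, it has no way to name the process that made the change. The `read` callback, `clock` parameter and all file contents and timestamps are constructed for the example.

```python
# Constructed example of the "poll for changes" model: the monitor sees only the result
# of a write on its next pass, so it can diff entries and measure how late it noticed.
import hashlib
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    digest: str          # SHA-256 of the file bytes
    mtime: float         # file modification time (epoch seconds)
    entries: frozenset   # (ip, hostname) pairs parsed from the file
    taken_at: float      # when this poll ran (epoch seconds)

def parse_hosts(text):
    """Return the set of (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop trailing comment, then tokenize
        if len(parts) < 2:                      # blank line or an IP with no names
            continue
        for name in parts[1:]:
            entries.add((parts[0], name.lower()))
    return frozenset(entries)

def snapshot_from_bytes(data, mtime, now):
    digest = hashlib.sha256(data).hexdigest()
    return Snapshot(digest, mtime, parse_hosts(data.decode("utf-8", "replace")), now)

@dataclass(frozen=True)
class ChangeEvent:
    added: frozenset
    removed: frozenset
    detection_delay: float   # seconds from the write (mtime) to the poll that saw it
    # No writer/pid field: by the time the poll runs the writing process is usually gone.

def diff_snapshots(before, after):
    if before.digest == after.digest:           # unchanged since the last poll
        return None
    return ChangeEvent(after.entries - before.entries, before.entries - after.entries,
                       max(0.0, after.taken_at - after.mtime))

def poll(read, interval, max_polls, clock=time.time):
    """Call read() -> (bytes, mtime) every `interval` seconds; yield each change (latency <= interval)."""
    last = snapshot_from_bytes(*read(), clock())
    for _ in range(max_polls):
        time.sleep(interval)
        current = snapshot_from_bytes(*read(), clock())
        if (event := diff_snapshots(last, current)) is not None:
            yield event
        last = current
```

For a real hosts file, pass a `read` that returns the file's bytes together with its `os.stat(path).st_mtime`.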