What is Prevx? Salvation or scam?

It prevents, detects, and fixes everything bad on your computer and it’s free. If it works, Symantec and McAfee are doomed. Sounds too good to be true:

Anyone know anything about Prevx?

Well, the company is legit, apparently. I’ve seen them mentioned positively in ZDNet:

As a computing professional, I skimmed the URL you provided and the ZDNet article, and my feeling is that Prevx probably works, but like any security measure, doesn’t work 100% of the time.
As an anal-retentive computer security Nazi though, I think the fundamental idea behind Prevx is brilliant. I’ll point out that if they want it to
A) stop the bad stuff and
B) not overly restrict the good stuff,
then their development costs are going to be substantial.

Hard to say if the ZDNet link is talking about the same product. There are three references to “Pervex” [sic] (a pervert prevention system? :dubious: ) and the price of the discussed product is £4,000, not free as in my original link.

I have 256MB of writable memory, called RAM. ALL programs outside of ROM execute from there.

If XP separates memory allocations into R/W and (R/W but non-execute) sections, this scheme might work. I don’t know if XP does, but if so, why hasn’t Symantec hopped on this bandwagon? Or Intel, putting the code in the CPU hardware? Or for that matter, why can’t a simple hook be built into the Opsys, like used to be in VAXes, to segregate mem allocations?

Outside of CPU internals, code would have to trap each opcode to (1) see if it was an execute-type instruction, and (2) if it was in or out of properly allocated RAM blocks. This would have considerable overhead outside of microcoding, not to mention exception handling.

Ever heard about the Zero Day attack?

What has happened so far is that a vulnerability is first found by users/programmers and then the hackers create an exploit of this vulnerability. The trend so far is that the time interval between finding a vulnerability and releasing an exploit is rapidly decreasing.

For example, the time between vulnerability identification and exploit release for W32.Blaster was only 26 days.

Security professionals believe that sometime soon, the hackers will find and exploit a vulnerability before users/programmers. That is the zero day attack.

But even if the attack is not a real zero-day one, if the time interval is small, there will not be enough time to test and apply patches.

That’s why antivirus and security products are starting to abandon heuristics and signature-based methods as the main line of defense.

They are? And what are they replacing it with? More ads for wishware?

You sound like an ad for the Prevx product. All puffery and lingo but no substance. So how does it work? Or does it work? Haven’t heard anyone yet say they have tried it or seen any unbiased reviews or trials.

It is built into the CPU. Each page of memory can be writable or unwritable, executable or unexecutable, and this is enforced by the CPU’s memory manager.

Modern operating systems load the “code” part of a program/library into a read-only page, and the “data” into a writable page. This is useful because if a page is read-only, you can share it between different processes without worrying about whether each process needs its own copy of the page - you can load a DLL into memory one time, and several processes can share it.

So if a program is trying to execute code that’s on a writable page, that means the page was intended for data. Most of the time, that means an attacker is tricking the program into executing some data as code, but there are cases where it’s legitimate: the Just-In-Time compilers for Java and .NET, as well as some emulators, translate foreign code to native code before executing it, and the native code they produce naturally has to be written to a writable page.

I’m familiar with what you are describing, Mr2001, although my intimate knowledge of the opcode level of CPUs is back a few years (decades, even). Even with the more limited range of instructions available in the older CPUs, I can see some ways to defeat the no-execute protection (transfer code from non-executable areas to more general areas, then execute from there, to simplify).

But there would have to be 100% cooperation between applications, system software and CPU calls for this to work. If it is all practical, why hasn’t WinTel developed this before now? Do they hope the problem will go away, or is this just a typical example of MS ignoring the obvious for as long as they can while milking the cash cows?

I am not advertising that product and I don’t know if it works. I am simply stating the current situation.

I’ve been at Infosecurity in London. The top concerns were patch management, zero day attacks and application security issues (like SQL injection).

All I know is that if the trends continue, you won’t be able to apply patches or update AV software fast enough. So there is a lot of research going on in software that will take action even if it hasn’t been updated. Hewlett-Packard’s Virus Throttling employs such tactics. http://www.hpl.hp.com/techreports/2003/HPL-2003-69.html

Yes, that technique would work for a program like a JIT that needs to execute some code it has written to a data page… but a buffer overrun exploit can’t use it. Whatever data the server reads in from the network, including the worm, will be stored in a writable page, where it can’t execute. Any code that copies the worm to an executable page would have to be part of the original program.

I’m not sure what you mean. The memory management in the CPU and OS is basically transparent to applications. The only impact this has on apps is that if they generate code on the fly and expect to execute it, they have to copy it to another page or somehow mark the page as executable.

Windows XP SP2 will include it. It looks like MS’s implementation needs a feature that’s only found on high end CPUs, so I wonder how Prevx does it.

Maybe the gotchas are in the fine print. Their product does specify Win 2000 or XP only.

As far as my “cooperation” requirement, for the CPU to know that a block of mem was to be execute-free, it would have to be told so at allocation time. If that function wasn’t available when older software was written (or if software is written for a more generic CPU set) then I don’t see how this would work.

And if the CPU trapped something bad, it would have to integrate with the higher level code to handle it gracefully (at least at the OS level). Certainly a HCF (“halt & catch fire”) instruction isn’t much better than the malicious code it would be stopping.

In any case, I have my doubts about the Prevx package until someone tests it in the real world.

Ah. Well, the OS could just make all writable pages non-executable by default, since executing code from data pages is rare. It remains to be seen whether SP2 will break existing programs that generate code on the fly.

I don’t think it would be any less graceful than any other memory access violation - if you write to an invalid address or an unwritable page, the CPU signals an error, the OS raises an exception, and if the process doesn’t catch it, the OS terminates the process. The offending program will crash, but everything else will be safe.
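As an added example (not from anyone in this thread), the page-permission mechanism Mr2001 describes, a JIT’s flip of a data page to executable, and the access-violation handling above, all in one C program for Linux on x86-64 or AArch64: the page starts read/write, the CPU faults when asked to execute from it, the fault is caught as a signal instead of crashing the process, and only after mprotect makes the page read/execute does the same code run. The bytes are a constructed hand-assembled “return 42”, standing in for what a JIT would emit.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Constructed sample of "code a JIT might emit": a routine that returns 42. */
#if defined(__x86_64__)
static const uint8_t kRet42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };          /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t kRet42[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "this example covers x86-64 and AArch64 only"
#endif
static sigjmp_buf g_recover;
/* The CPU refuses the fetch; the kernel delivers SIGSEGV (SIGBUS elsewhere). Recover, don't die. */
static void on_fault(int sig) { (void)sig; siglongjmp(g_recover, 1); }
/* Call whatever bytes sit in 'page'; -1 means the page's permissions made the CPU fault. */
static int try_execute(void *page) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int result = -1;
    if (sigsetjmp(g_recover, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* object pointer -> function pointer */
        result = fn();
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}
/* W^X life cycle of one page: map it writable (a data page) and copy the code in; running it
 * there faults (-1); flip it to read+execute, as a JIT must, and it runs (42). 0 on success. */
int demo_nx_page(int *blocked_result, int *allowed_result) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, kRet42, sizeof kRet42);
    *blocked_result = try_execute(page);
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) { munmap(page, len); return -1; }
    __builtin___clear_cache((char *)page, (char *)page + len); /* required on AArch64 */
    *allowed_result = try_execute(page);
    munmap(page, len);
    return 0;
}
```

On hardware or a sandbox without NX enforcement the first call would return 42 too, which is exactly the gap the thread is discussing.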

From the URL I posted:

Unlike traditional intrusion detection systems (IDS), Pervx does not rely on predefined signatures to recognise attacks. Using signatures limits IDS systems to only recognising attack code that has been used before, so unknown attacks exploiting undocumented vulnerabilities can easily slip through the system. Instead, both Pervx’s IPS and Cisco’s Security Agent look for suspicious application behaviour by placing a small agent on each desktop that connects to a central management console that logs any attacks.

Note that it doesn’t say a single thing about this product doing ANYTHING to actually STOP bad software from doing bad things.
If I didn’t know better, I’d think that Pervx wasn’t designed to do ANYTHING except tell Mr. Fortune 500 Sysadmin “Hey, we have this here weird behavior on 2200 desktops”.
As I read the article with a critical eye, I kept wondering the question you asked. Why don’t they say how it helps?

Oh, and on another topic, Dog80, zero-day exploits aren’t theoretical. I’ve seen *nix remote exploits that were in the hands of *nix black hats months before there were patches, or even publications related to the existence of the vulnerability.
Perhaps you meant to confine your statements to Windows platforms? Even then, I seem to remember a couple of TCP/IP-stack-based Windows attacks from let’s say 97 or 98 that were zero-day.