REVIEWED BY PETER GIANOCOUPOULOUS
Price: Starts at $19 per seat for 10 seats
Malware continues to assault our corporate desktops and laptops with rapidly emerging and varying threats. In this climate, behavioral detection tools like Prevx1 offer an extra layer of protection in the crowded endpoint security market.
Prevx1's "signatures" are based on how malware behaves, not on the exact pattern match used in conventional products, which helps it detect variants and new malware threats.
Policy Control: C
Prevx1 offers pretty standard policy controls. Various settings can be tweaked on the client side to fine-tune the detection of malware and its management, including when and how the agent scans the host system and how to handle specific events.
The user can specify the software's protection mode (Basic, Pro or Expert) and manage any discovered suspect executables, including uploading them to the Prevx Web portal for analysis.
Installation is a breeze. Prevx1 consists of a protection agent that sits on each desktop. The agents communicate with a Prevx1-hosted Web console that shows the administrator the status of the PCs in the organization with a list of detected suspect .dlls and .exes.
Additionally, the administrator can define and apply policies to all the managed PCs in the environment, although we were disappointed that it's an all-or-nothing proposition. While this may be acceptable for smaller shops, larger firms will find this too limiting. We'd like to see the ability to create and manage multiple profiles for different classes of managed devices. We would also like to see the ability to initiate mass scans or cleanups from the console; it's a fairly standard requirement for a product of this sort.
We used the Spycar test suite (www.spycar.org) to evaluate Prevx1's heuristic protection capabilities, as well as samples of known malware.
Although, at its highest setting, Prevx1 matched or exceeded the behavioral detection capabilities of the traditional antispyware products we tested in our May issue, we were disappointed that a product designed to detect malware-like behavior didn't do better. Companies considering behavior-based detection as an extra layer of defense need to justify the additional expense and management overhead.
In its default mode, Prevx1 stopped only 23 percent of attacks. We were able to increase the effectiveness to 53 percent by putting the agent into Expert mode and working through the numerous pop-ups asking "Do you want to block this action?" Furthermore, users will generally stick to the default settings rather than deal with what Prevx1's numerous pop-up queries actually mean.
Prevx1 detected 100 percent of the known spyware with which our test system was infected, clearly labeling the suspect files and placing them in quarantine.
While the console Web portal is somewhat useful for a high-level overview of what's installed in your organization, it is really too simplistic for anything other than SMB or home markets.
Enterprise customers require far more in-depth information and statistics for compliance and SLA support. At a minimum, we'd like to get detailed alerts when infected systems are discovered, as well as remediation details (time to clean, for example). It would also be handy to save the reports as discrete documents like HTML or .pdf, so that they can easily be distributed.
Prevx1 could be usable for the SMB market, but it will require significant improvement in management and detection capabilities before it can be considered a serious contender for enterprise deployments.
Testing methodology: We ran the Spycar test suite via Internet Explorer 6, and applied known malware specimens on a fully patched Windows 2003 test system protected by Prevx1.
This was first published in December 2006