Prevx Pro 2005 v1.0 (Rev 2) and Prevx Home v2.0 (Rev 4)
Readme File
January 2005

(c)2005 Prevx. All rights reserved.

This document provides late-breaking or other information that supplements the Prevx Pro 2005 and Prevx Home user documents.

---------
CONTENTS
---------

1. WHAT'S NEW IN THIS RELEASE
-----------------------------

Prevx Pro 2005 Only:

1.1  Event Management - Single events can be deleted from the History View
1.2  Rules Editor - Rules can be added offline via the View History screen
1.3  Report Mode - An option to view Report Mode Events can be enabled via the Event message screen

Prevx Home and Prevx Pro 2005:

1.4  Install Changes - Installers have been unified
1.5  Help Contents - Help contents available from the Start menu
1.6  New Driver - The Prevx driver has been optimized to reduce alerts
1.7  MD5 Checksum - Additional MD5 checksum routines implemented to improve malware detection
1.8  New Policies - Additional policies deployed to increase security
1.9  Agent Optimization - Improved handling of Event information
1.10 Proxy Server - Support for proxy servers
1.11 Knowledgebase - Prevx now detects malware and warns users
1.12 Security Settings Grouping - Security Settings are now grouped into a two-tier display
1.13 Get Advice - Issue relating to Get Advice now resolved
1.14 Report Mode Silent - Report Mode Events are no longer displayed as pop-ups. Events can be seen through View History
1.15 Icon Animation - System tray icon animated to show when Events are written
1.16 Suspend/Resume - Now available directly from the Management Console
1.17 Trusted Install - Now available directly from the Management Console. This feature is now password protected and the last used directory is remembered
1.18 Copy About Screen - The 'About' information can now be copied directly to the Windows clipboard

2. HELP AND TROUBLESHOOTING
---------------------------

2.1 Getting Help
2.2 Frequently Asked Questions (FAQs)
2.3 Prevx User Forums
2.4 Server Error RSUC200:2:10 when trying to update
2.5 Prevx Home Icon Missing in Taskbar
2.6 Cannot Shut Down Prevx Home/Taskbar Icon Still Displayed
2.7 The Prevx Icon Shows a Red Cross

Appendices
-----------------------------

App A. Security Settings Details


1. WHAT'S NEW IN THIS RELEASE
-----------------------------

Prevx Pro 2005 Only:

1.1 Event Management

Pro 2005 users can now delete single events from the History View. Previously, the only option was to remove all events.

1.2 Rules Editor

Pro 2005 users can now add rules offline via the View History screen, so that rules can be added directly from the History View.

1.3 Report Mode

Pro 2005 users can enable Report Mode alerts to be viewed through the Event message screen. (Note: With this release, Prevx Home users will no longer receive Report Mode Events as alerts; all Report Mode Events are sent only to the History View. Pro 2005 users, however, will still be able to receive Report Mode Events.)

Prevx Pro 2005 and Prevx Home:

1.4 Installer Changes

The installer process has been unified between Prevx Home and Prevx Pro 2005 to make upgrades between the products easier. Both installers now have the same look and feel, and both provide an optional desktop shortcut.

1.5 Helpfile Contents

The product helpfile contents are now available directly from the Start menu.

1.6 New Driver

The Prevx system driver has been updated with additional functionality to improve security.

1.7 MD5 Checksum

Additional MD5 checksum routines have been implemented to improve malware detection. Prevx is able to identify mutating malware and to detect malware that replaces legitimate programs.

1.8 New Policies

Additional policies have been deployed to increase security.
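Section 1.7 describes checksum routines that detect malware replacing legitimate programs. The PowerShell script below is an added example of that general technique and is not Prevx code: it records an MD5 baseline of the executables under a directory and compares the directory against that baseline later, reporting files that were replaced, added or removed. The directory and baseline paths in the usage comments are illustrative assumptions.

```powershell
# Added example (not Prevx code): record an MD5 baseline of the executables in a
# directory and compare against it later to flag programs that were replaced,
# added or removed. Directory paths below are assumptions for illustration.

function New-HashBaseline {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        [string[]] $Extensions = @('*.exe', '*.dll', '*.ocx', '*.scr')
    )
    $baseline = @{}
    Get-ChildItem -Path $Directory -Include $Extensions -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Hash keyed by full path; MD5 is kept because that is what the readme's routines use
            $baseline[$_.FullName] = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
        }
    return $baseline
}

function Compare-HashBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [Parameter(Mandatory)] [string] $Directory,
        [string[]] $Extensions = @('*.exe', '*.dll', '*.ocx', '*.scr')
    )
    $current  = New-HashBaseline -Directory $Directory -Extensions $Extensions
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($path in $current.Keys) {
        if (-not $Baseline.ContainsKey($path)) {
            $findings.Add([pscustomobject]@{ Path = $path; Status = 'NEW';      Expected = $null;           Actual = $current[$path] })
        } elseif ($Baseline[$path] -ne $current[$path]) {
            # Same path, different content: the program on disk is not the one that was recorded
            $findings.Add([pscustomobject]@{ Path = $path; Status = 'REPLACED'; Expected = $Baseline[$path]; Actual = $current[$path] })
        }
    }
    foreach ($path in $Baseline.Keys) {
        if (-not $current.ContainsKey($path)) {
            $findings.Add([pscustomobject]@{ Path = $path; Status = 'MISSING';  Expected = $Baseline[$path]; Actual = $null })
        }
    }
    return $findings
}

# Usage (paths are examples): take the baseline right after a trusted install,
# store it where software running as the ordinary user cannot rewrite it, then re-check.
# $baseline = New-HashBaseline -Directory 'C:\Program Files\ExampleApp'
# $baseline | Export-Clixml -Path 'C:\ProgramData\Baselines\ExampleApp.xml'
# $baseline = Import-Clixml -Path 'C:\ProgramData\Baselines\ExampleApp.xml'
# Compare-HashBaseline -Baseline $baseline -Directory 'C:\Program Files\ExampleApp' | Format-Table -AutoSize
```

A baseline is only as trustworthy as the copy you compare against, so keep it outside the directory being checked and outside the ordinary user's write access. MD5 matches the readme's routines and still catches a program that has simply been overwritten, but MD5 collisions are practical today; for a new deployment use `Get-FileHash` with its default SHA256 instead.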
1.9 Agent Optimization

Improved handling of Event information has been implemented to give the Agent more resilience and better performance.

1.10 Proxy Server Support

Prevx now supports proxy servers for more secure access to the Internet. Future versions will allow a proxy server to be specified from the user interface (i.e. the Management Console). However, this release only allows a proxy server to be specified by manually editing the registry.

WARNING: Always back up your registry before making any changes. It is recommended that editing the registry is carried out only by advanced users. If you are unsure about editing the registry, contact Prevx Technical Support.

You will need to carry out the following steps:

1. Ensure that Prevx Pro/Home is not running.
2. Start Regedit and go to: HKLM\Software\Prevx\Prevx Pro\Components\MC\Settings
3. Add a new name 'ProxyServer' of type REG_SZ. The data value is the port number of your proxy server.
4. Add a new name 'ProxyPort' of type REG_DWORD. The data value is the name of your proxy server. This can be the machine name or the IP address.
5. Exit Regedit and restart Prevx Pro/Home.

1.11 Knowledge Base

Prevx is now fully integrated with the PAWS database, which allows malware to be identified at the point of the Event. This makes the advice more informative and helps the user make the correct decision.

1.12 Security Settings Grouping

Security Settings are now displayed as two-tier groupings to give an easy view of the Security Settings implemented. This provides a more informative view and tells the user what protection is provided.

1.13 Get Advice

An issue relating to Get Advice is now resolved; previously the Advice page could fail to be displayed if the URL string was abnormally long.

1.14 Report Mode Silent

Report Mode Events are no longer displayed as pop-ups. This means there is less distraction for minor Events. However, Report Mode Events continue to be logged in the Event History.
Prevx Pro 2005 users can optionally see Report Mode Events as pop-ups if they choose. For example, during a new software installation, if the user wants to view the activity, this can be done by setting the option on the Preferences page. Both Pro 2005 and Home allow the user to view Events in the History View.

1.15 Icon Animation

The system tray icon shows a brief animation to indicate when Events are written to the History.

1.16 Suspend/Resume

This feature allows the user to temporarily suspend all Prevx protection and then resume it afterwards, either manually or when Prevx is restarted. This feature is now directly available from the Management Console. Previously it was only available by right-clicking the system tray icon.

1.17 Trusted Install

This feature allows the user to install new software that is 'trusted' without triggering any Events, whilst still maintaining full Prevx protection against any other attempts to breach Prevx security. This is now available directly from the Management Console. Previously it was only available by right-clicking the system tray icon. This feature is now password protected to ensure that no one can install software on an unattended computer. Additionally, the last directory used for a software installation is now remembered for the next installation.

1.18 Copy About Screen

The 'About' information can now be copied to the Windows clipboard. This information is useful to Prevx Technical Support when helping with troubleshooting.


2. HELP AND TROUBLESHOOTING
---------------------------

2.1 Getting Help

An electronic help file is provided with the product and is available by clicking HELP at the bottom of the Management Console screen.

2.2 Frequently Asked Questions (FAQs)

FAQs are provided in the helpfile, but for the latest up-to-date FAQs, check the Prevx website (www.prevx.com).
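Returning to the proxy setting of section 1.10: the script below is an added example, not Prevx's own tooling, that writes and reads back the two registry values the readme names, using the key path the readme gives for Prevx Pro. Two things in it are assumptions: that Prevx Home reads the same key (check the 'Prevx' key under HKLM\Software on a Home install), and the value mapping. The readme's steps 3 and 4 are internally inconsistent (a REG_DWORD cannot hold a machine name), so the script follows the registry types: ProxyServer (REG_SZ) receives the server name or IP address and ProxyPort (REG_DWORD) receives the port number. Confirm that mapping with Prevx Technical Support if in doubt, and run it from an elevated PowerShell with Prevx stopped and the key backed up, as the readme's warning says.

```powershell
# Added example, not part of the Prevx readme: set and read the proxy values that
# section 1.10 says Prevx Pro 2005 / Prevx Home take from the registry.
# Assumption: Prevx Home uses the same key as the Prevx Pro path given in the readme.

$PrevxSettingsKey = 'HKLM:\Software\Prevx\Prevx Pro\Components\MC\Settings'

function Get-PrevxProxy {
    param([string] $Key = $PrevxSettingsKey)
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    [pscustomobject]@{
        Server = $props.ProxyServer   # REG_SZ
        Port   = $props.ProxyPort     # REG_DWORD
    }
}

function Set-PrevxProxy {
    param(
        [Parameter(Mandatory)] [string] $Server,                       # machine name or IP address
        [Parameter(Mandatory)] [ValidateRange(1, 65535)] [int] $Port,  # TCP port of the proxy
        [string] $Key = $PrevxSettingsKey
    )
    if (-not (Test-Path -Path $Key)) {
        throw "Prevx settings key not found: $Key (is the product installed at this path?)"
    }
    # The registry types in the readme decide the mapping: a REG_DWORD can only hold a
    # number, so the port goes there and the server name goes into the REG_SZ value.
    # This mapping is an assumption about the readme's intent, not something it states.
    New-ItemProperty -Path $Key -Name 'ProxyServer' -PropertyType String -Value $Server -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'ProxyPort'   -PropertyType DWord  -Value $Port   -Force | Out-Null
    Get-PrevxProxy -Key $Key
}

# Usage (values are examples). Back up the key first; reg.exe writes a file Regedit can re-import:
#   reg.exe export "HKLM\Software\Prevx\Prevx Pro\Components\MC\Settings" "$env:TEMP\prevx-mc-settings.reg"
#   Set-PrevxProxy -Server 'proxy.example.local' -Port 8080
#   Get-PrevxProxy
```

`New-ItemProperty -Force` overwrites a value that already exists, so the function is safe to re-run; `Get-PrevxProxy` afterwards shows exactly what the product will read when it is restarted.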
2.3 Prevx Forums (Castlecops)

Prevx, in association with Castlecops, now has forums for information on the Prevx products, the security they provide and other areas of interest. If you have any questions relating to the products or need some advice, visit the forums located at:

http://castlecops.com/forum146.html (General Prevx)
http://castlecops.com/forum147.html (Prevx Pro 2005 and Prevx Home)

2.4 'Unable to determine remote configuration. Server Error RSUC200:2:10' when trying to update

Some users have reported that they receive this error message when trying to update Prevx Pro 2005 or Prevx Home. This is caused by McAfee Privacy Services (which is part of their Anti-Spam product) preventing Prevx from updating. To allow Prevx to update, you have to add the Prevx URL to the McAfee Privacy Services 'Allow List':

1. Start McAfee Privacy Services.
2. Ensure you are logged in as Administrator.
3. Click the Options tab and then the Allow List tab.
4. Type in the Prevx URL as follows: prevx.com (Note: Do NOT use the www. prefix).
5. Click 'Add' to save.
6. Exit McAfee Privacy Services.

Prevx Pro 2005/Prevx Home can now access the Prevx web servers.

2.5 Prevx Home Icon Missing in Taskbar

If you cannot see the Prevx Home icon in the Windows Taskbar, you may have the 'Hide Inactive Icons' feature turned on. Expand the Taskbar to display all icons. For information on the Windows Taskbar, consult your Windows documentation.

2.6 Prevx Home Has Been Shut Down but the Icon is Still Showing

You may have closed the Console rather than shut down Prevx Home.

2.7 The Prevx Icon Shows a Red Cross

If a red cross is displayed on the Prevx taskbar icon, it means that security settings have not yet been loaded or Prevx Home protection has been turned off.

- To receive [the latest] security settings, click UPDATE.
- To enable protection, right-click on the icon and select ENABLE SECURITY SETTINGS.
Appendices
----------

App-A Security Settings Details:

Run-Keys (Standard) v00.5
The previous policy title 'Run-Keys' has been changed to 'Run-Keys (Standard)' because further Run-Keys policies with distinct titles will be released.

Run-Keys (Windows Initialization) v00.0
A new Run-Keys policy.

Run-Keys (User Shell Folders) ver
A new Run-Keys policy.

OCX Files in Systems Areas v00.0
Prevents ActiveX Control (*.ocx) files in the disk root directory and Windows directory from being created or modified.

OCX Files in Download Areas v00.0
Prevents ActiveX Control (*.ocx) files in the Downloaded Program Files directory (and its subdirectories) from being created or modified.

OCX Files in Program Areas v00.0
Prevents ActiveX Control (*.ocx) files in the Program Files directory from being created or modified.

Screen Saver Logon v00.0
Stops unauthorized modification of the registry key that refers to the default SCR file for the Screen Saver Logon. This registry key could be exploited by malicious code to escalate an attacker's privileges.

Run-Keys (Services) v00.0
Prevents unauthorized registry keys relating to system services from being added to the registry; these are widely used by malware payloads to survive a system reboot.

HTML Help Control (Execution) v00.0
The Microsoft HTML Help Service may be abused by malicious programs.

HTA Files in Systems Areas v00.0
Prevents HTML Application (*.hta) files in the disk root directory and Windows directory from being created or modified.

HTA Files in Download Areas v00.0
Prevents HTML Application (*.hta) files in the Downloaded Program Files directory (and its subdirectories) from being created or modified.

HTA Files in Program Areas v00.0
Prevents HTML Application (*.hta) files in the Program Files directory from being created or modified.
Hosts File Location v00.1
Prevents malware from hijacking the network Hosts file by modifying the registry key that holds its path so that it points to a forged Hosts file.

INI File Mapping v00.1
Prevents the INI File Mapping registry entries for system.ini and win.ini from being modified by malware.

Policy Enforcement (Registry Tools) v00.1
Prevents Registry Tools (Regedit) from being disabled by malware.

Policy Enforcement (Task Manager) v00.1
Prevents Task Manager and the Task Manager button (Ctrl+Alt+Del) from being disabled by malware.

WSH Files in Systems Areas v00.1
Prevents Windows Script Host control (*.wsh) files in the disk root directory and Windows directory from being created or modified.

WSH Files in Download Areas v00.1
Prevents Windows Script Host control (*.wsh) files in the Downloaded Program Files directory (and its subdirectories) from being created or modified.

WSH Files in Program Areas v00.1
Prevents Windows Script Host control (*.wsh) files in the Program Files directory from being created or modified.

-------------
END OF README
-------------
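Addendum to Appendix A: the policies Hosts File Location, INI File Mapping, Policy Enforcement (Registry Tools / Task Manager), Screen Saver Logon and Run-Keys (Windows Initialization) each guard a registry location. The script below is an added example, not Prevx code, that reads those locations and reports any value that differs from the Windows default, so an administrator can check whether something changed before the policy was in place. The readme does not list the registry paths; they are the standard Windows locations for these settings. The "explicit path outside System32" rule for the logon screen saver is a heuristic of this example, not a Windows rule. Run it in an elevated PowerShell so that HKEY_USERS\.DEFAULT is readable; it changes nothing.

```powershell
# Added example, not part of the Prevx readme: a read-only audit of registry locations
# guarded by the Appendix A policies, reporting values that differ from Windows defaults.
# Run elevated so HKU\.DEFAULT can be read. Nothing is modified.

function Get-RegValue {
    param([string] $Path, [string] $Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Add-Finding {
    param([System.Collections.Generic.List[object]] $List, [string] $Check,
          [string] $Location, $Actual, [string] $Expected)
    $List.Add([pscustomobject]@{ Check = $Check; Location = $Location; Actual = $Actual; Expected = $Expected })
}

function Test-PolicyKeys {
    $f     = [System.Collections.Generic.List[object]]::new()
    $sys32 = Join-Path $env:SystemRoot 'System32'

    # Policy Enforcement (Registry Tools / Task Manager): a value of 1 disables the tool.
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
        $v = Get-RegValue $pol $name
        if ($v -and $v -ne 0) { Add-Finding $f "Policy Enforcement ($name)" "$pol\$name" $v 'absent or 0' }
    }

    # Hosts File Location: DataBasePath is REG_EXPAND_SZ; Get-ItemProperty returns it expanded.
    $tcp         = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $dbp         = Get-RegValue $tcp 'DataBasePath'
    $expectedDbp = Join-Path $sys32 'drivers\etc'
    if ($dbp -and ($dbp.TrimEnd('\') -ine $expectedDbp)) {
        Add-Finding $f 'Hosts File Location' "$tcp\DataBasePath" $dbp $expectedDbp
    }

    # Screen Saver Logon: the SCR run at the logon screen. Heuristic (this example's assumption):
    # a bare file name resolves from system directories; an explicit path outside System32 is suspect.
    $desk = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
    $scr  = Get-RegValue $desk 'SCRNSAVE.EXE'
    if ($scr -and $scr.Contains('\') -and -not $scr.StartsWith($sys32, 'OrdinalIgnoreCase')) {
        Add-Finding $f 'Screen Saver Logon' "$desk\SCRNSAVE.EXE" $scr "a file under $sys32"
    }

    # Run-Keys (Windows Initialization): Winlogon Shell and Userinit have fixed defaults.
    $wl    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Get-RegValue $wl 'Shell'
    if ($shell -and $shell.Trim() -ine 'explorer.exe') {
        Add-Finding $f 'Run-Keys (Windows Initialization)' "$wl\Shell" $shell 'explorer.exe'
    }
    $userinit         = Get-RegValue $wl 'Userinit'
    $expectedUserinit = (Join-Path $sys32 'userinit.exe') + ','
    if ($userinit -and $userinit.Trim() -ine $expectedUserinit) {
        Add-Finding $f 'Run-Keys (Windows Initialization)' "$wl\Userinit" $userinit $expectedUserinit
    }

    # INI File Mapping: the mapping keys for system.ini and win.ini should be present.
    foreach ($ini in 'system.ini', 'win.ini') {
        $map = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\$ini"
        if (-not (Test-Path -Path $map)) { Add-Finding $f 'INI File Mapping' $map 'missing' 'present' }
    }
    return $f
}

$results = Test-PolicyKeys
if ($results.Count -eq 0) { 'No deviations from Windows defaults found.' }
else { $results | Format-Table -AutoSize -Wrap }
```

Every finding is a prompt for a human to look, not proof of infection: a managed environment may legitimately set `DisableRegistryTools` by Group Policy, and an OEM image may ship a different Userinit path. Keep the output with the product's Event History when you investigate a report.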