Prevx SafeOnline Help

Overview
Prevx SafeOnline consists of multiple, interrelated protection engines that protect both the data the user enters into the browser and the data coming back from the Internet, preventing even completely unknown, zero-day threats from stealing the user's identity or credentials.
The core protection lies in the ability to block keyloggers, screen scrapers, man-in-the-browser attacks, session hijackers, clipboard grabbers, and a number of other threats commonly installed by trojans like SilentBanker, Bancos, Zeus, Torpig, and Cutwail onto thousands of PCs daily. Rather than focusing on identifying the threats themselves, SafeOnline works to isolate the browser from the rest of the system, even if unknown threats exist that try to steal data from the user. System-level malware generally attempts to read data from the browser, but Prevx introduces a layer between the browser and the rest of the operating system, tricking the threats into thinking that they have successfully read and transmitted the user's credentials outside of the system when they have not. Unlike other solutions, Prevx SafeOnline works with the user's existing browser and does not require a specialized browser, so there is no need for the user to change their browsing habits - protection is applied seamlessly and silently in the background.
In addition to protecting the user if they have already been infected by a malicious website, SafeOnline analyzes web traffic and website visits to block access to known phishing targets and to clean poisoned DNS entries if detected. The Prevx Community Database cross-references website addresses worldwide to ensure that the end user is visiting a known and trusted destination. If a malicious website is found, the user is warned and disinfection automatically takes place to correct the entries that redirected the browser.
Prevx SafeOnline
Users that currently have Prevx 3.0 v3.0.1.65 installed will not be automatically upgraded to include SafeOnline in v3.0.5.x. To enable SafeOnline manually, open the Prevx 3.0 interface by clicking Start > All Programs > Prevx 3.0 > Prevx 3.0 and then click Configure next to SafeOnline Browser Security and click the Off button to turn it on.
Protection will automatically be populated for Prevx-configured domains, including Prevx, CleverBridge, and government/military websites. Users can change the configuration of these websites as desired or add one additional custom website in the free version. The registered version of SafeOnline allows the user to make as many configuration changes as desired and add any new websites to the protection.
Prevx SafeOnline User Guide
In the following sections, we will assist you in using Prevx SafeOnline. If you have any further questions, feel free to contact us by visiting our Support Inbox.
Prevx SafeOnline Browser Tab
Overview
Prevx SafeOnline integrates into Internet Explorer, Chrome, Firefox, and Opera by rendering a small tab above the address bar in each of these browsers. It does not use a browser addon, so a user who wishes to remove SafeOnline from their browser will need to disable it directly from within Prevx.
The browser tab has three states: Blue, Green with a Checkmark, and Green with a Padlock.
Blue
The website is not being actively protected. This is the default state for all non-Prevx-configured domains in the free version and the default state for HTTP domains in the registered version of SafeOnline.
Green with a Checkmark
The website is being protected, but it is not an HTTPS website. Communication between the local PC and the server is not secured via an SSL certificate, so the data could be eavesdropped on by a third party in the middle of the communication.
Green with a Padlock
The website and session are being fully protected by Prevx and by an SSL certificate. This is the highest level of protection and provides security over the local data and remote data sent to the destination server.
Prevx SafeOnline Browser Tab Clip Window
Overview
When clicking on the browser tab, Prevx shows a small window which describes the website that the user is currently visiting and offers them options to configure protection or add additional protection to the domain or session.
Host Name
This is the primary domain name which is serving the website the user is currently visiting. Some phishing websites try to obscure the host name by showing additional name components, which can fool the user into thinking they are on the legitimate website.
IP Address
This is the IP address which the visited website is currently being resolved to.
IP Verification
Prevx cross-references the IP address within its database against the user's DNS server to ensure that the DNS has not been poisoned. If it has, the user is prompted with a warning that allows them to correct their DNS settings or configure a new DNS server.
Additionally, if a man-in-the-middle attack using the HOSTs file or similar techniques is detected, Prevx will warn the user and prompt them to revert the malicious changes. Similar warnings are shown for covertly configured proxies and browser addons which are redirecting traffic elsewhere.
IP Verification will read Verified by Prevx if the IP address has been correctly resolved and matches the destination website as seen within the Prevx database. Verified by Prevx does not necessarily mean that the website is legitimate - the intention of this feature is to prove that the user is currently on the website which they think they are on. If the destination website is a partner of Prevx, the verification will read Verified by Domain Owner.
It is also possible for less popular websites to read IP to be verified shortly, which means that the website has not yet been verified through the Prevx servers; this is not an indication of malicious activity. Verification can take some time for websites that use technology that spreads load across multiple servers, so verification may vary based on the popularity and format of the website.
If Prevx does find that the website is being maliciously redirected between the user's browser session and the expected destination, SafeOnline will immediately warn the user and prevent them from browsing further after automatically correcting the source of the redirection.
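The decision described in this section can be sketched as follows. This is an added example, not Prevx code: the KNOWN table, the sample addresses and the "Redirect warning" label are constructed for illustration, and the rule that the first HOSTS mapping wins is an assumption.

```python
import ipaddress

# Constructed stand-in for the community database: host -> known-good
# addresses and whether the owner is a partner (documentation-range IPs).
KNOWN = {
    "bank.example": {"ips": {"203.0.113.10", "203.0.113.11"}, "partner": False},
    "shop.example": {"ips": {"198.51.100.7"}, "partner": True},
}

def parse_hosts(text):
    """Return {hostname: ip} for every usable mapping in HOSTS-file text."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # malformed address
        for name in fields[1:]:
            # Assumption: the first mapping for a name is the one used.
            mapping.setdefault(name.lower().rstrip("."), ip)
    return mapping

def ip_verification(host, resolved_ip, hosts_text="", known=KNOWN):
    """Return (status, redirect_source) for one host/address pair."""
    host = host.lower().rstrip(".")
    resolved_ip = str(ipaddress.ip_address(resolved_ip))
    entry = known.get(host)
    if entry is None:
        return "IP to be verified shortly", None
    if resolved_ip in entry["ips"]:
        owner = "Domain Owner" if entry["partner"] else "Prevx"
        return f"Verified by {owner}", None
    # Mismatch: report where the bad answer came from so it can be corrected.
    override = parse_hosts(hosts_text).get(host)
    source = "HOSTS file entry" if override == resolved_ip else "DNS resolution"
    return "Redirect warning", source
```

A host that is absent from the table is reported as pending rather than as malicious, matching the behaviour described for less popular websites.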
SSL Status
When a website is configured to secure traffic with an SSL certificate, Prevx will identify it as Secured HTTPS Traffic. If not, data may leak in transit because the underlying communication to the destination server is not encrypted. Therefore, Prevx will show HTTP Traffic in blue rather than in green to denote a degree of insecurity.
Add Protection/Website Protected
Overview
Protection for any website can be added by clicking Add Protection. In the free version of SafeOnline, only one user-configured website can be added using this method but the registered version allows for unlimited configuration. By default, in the registered version, all HTTPS websites are already protected so the Add Protection button will change to Website Protected. Clicking on Website Protected will open the configuration for the domain to make any further configuration changes or add credentials to be secured.
Protection Status
The On/Off power indicator in SafeOnline shows the current status of the SafeOnline protection. To toggle protection off, click the power symbol next to the On text and to turn it back on, click the same button again. Full protection requires closing and re-opening the web browser to be fully enabled.
To disable protection temporarily without modifying the configuration, right-click on the Prevx tray icon near the system clock and select Stop Protection. This will disable the antimalware protection and SafeOnline immediately.
On the front screen of Prevx 3.0, there will be a red cross icon next to SafeOnline Browser Security if disabled, or a green tick icon if enabled. When SafeOnline is currently being used on an actively secured domain, the icon will change to a padlock. If protection is set to Maximum, the user will see the padlock icon until the browser is closed to secure any persistent user data visible on screen.
Configuration Options
The configuration within SafeOnline is broken into three parts - policy-based configuration, domain-based configuration, and per-domain credential protection. In the fully registered version of SafeOnline, Configuration for all HTTPS websites is automatically turned on, which provides set-and-forget functionality to the underlying protection of user data.
Configured websites are labeled by icons along the left side - a green icon means that the entry is a default entry created by Prevx or a partner of Prevx. A lock icon means that the entry contains secured credentials alongside it. A blue icon means that the entry has been manually added by the user. Further clarification is provided by the second column, where the type of policy is differentiated between its status as a Default Policy, Pre-Configured Policy, or User Configured domain.
Removing Policies
If you no longer wish to have a policy configured for a specific domain, you can click the Remove button, which will ask you to confirm that you want to remove it. After selecting Yes, the removal takes place immediately and protection will be switched off for that domain.
The default policies for all HTTP/HTTPS websites cannot be removed but can be disabled, although doing so is strongly discouraged.
Security Configuration
SafeOnline allows for granular control over the level of protection on policies and domains. The highest protection level will provide the maximum defense against threats but it may impede usability for some users. Each movement down from Maximum to High to Medium, etc. provides incrementally less protection, and the options are ordered so that each lower level disables only the least necessary protection components.
Maximum - Block malicious access to browser windows
This option prevents programs from seeing protected browser windows or interacting with them directly. It may prevent some screen reader programs from working properly so visually impaired users may wish to turn protection down to High instead of Maximum.
Maximum - Protect against screen grabbing attacks
This option prevents screen capture tools, screen video recorder programs, and the Print Screen key from seeing or capturing screen data on protected websites. After navigating away from a protected website, the screen protection remains active until the browser window is closed to ensure that no personal information is still on screen. Therefore, it is recommended to turn the Security Configuration to High instead of Maximum if the user needs to frequently take screen captures of protected websites.
High - Block browser process modification attempts
This option prevents programs on the system from modifying the browser's memory. Browser processes are still allowed to be terminated but they cannot be directly modified, preventing programs from injecting code into the browser or modifying browser process memory to covertly change its functionality.
High - Isolate untrusted browser addons from data
This function provides browser extrusion defense by allowing only trusted programs and modules to touch trusted data. If any modification is detected within a supposedly trusted program or if an untrusted program tries to access browser data, it will be blocked silently, but told that it succeeded, successfully thwarting man-in-the-browser attacks irrespective of the level that they are applied at.
This option could potentially have interaction side-effects with some security products or browser addons. If you experience any addons not functioning properly, please contact Prevx support.
Medium - Protect against URL grabbing attacks
This option prevents keyloggers or system monitoring tools from logging what website the user is currently visiting. If using child-protection software which monitors URLs is required, this function may need to be disabled for the monitoring software to work properly.
Medium - Protect sensitive clipboard data
Clipboard data, stored by hitting Control + C or right clicking on text and selecting Copy or Cut, can be siphoned off by malware or other threats to log user data transparently. Prevx filters read access to the clipboard by preventing untrusted programs from reading protected clipboard contents. Data copied while a secured website is active or data copied from a secured website takes place within a secured tunnel, preventing outside, untrusted programs from viewing the data.
In the rare event that a legitimate program which requires clipboard access is untrusted, please contact Prevx support so that we can correct the distinction.
Medium - Protect against keyloggers
Prevx protects against a wide range of keyloggers, including usermode keyloggers, kernelmode keyloggers, virtual input keyloggers, and polling keyloggers. Prevx secures against all of these malicious techniques by creating a discrete tunnel between the physical keyboard input and the secured destination program. No untrusted program running on the system will be able to access the keystrokes.
Some tools which duplicate keyboard input across multiple PCs may be incompatible conceptually with this aspect of Prevx's protection, which may make it necessary to disable this protection on certain domains.
Low - Detect and prevent man-in-the-middle attacks
Prevx cross-references the DNS entries from visited websites to automatically detect man-in-the-middle attacks. By using our centralized database, we can automatically build a clear picture of valid resolutions for a particular website and act accordingly when a website is found that is trying to portray itself as a legitimate website.
Other techniques like LSP chain modification and HOSTs file modifications are also automatically detected by Prevx and removed/avoided if necessary. Additionally, Prevx identifies any active proxy on the system to determine if traffic may be redirected or diverted to a different destination than the intended website.
Low - Protect cookies and saved website data
Prevx prevents untrusted programs from accessing stored user data, whether it is stored in cookies, the Windows Protected Storage, or saved passwords/form data. Protection is always applied unless all domains are set to Detection Only or Off.
Some antimalware programs may be unable to detect tracking cookies when Prevx protection is active as Prevx will block them from reading the potentially confidential data within the cookies.
Detection Only - Block phishing and known malicious websites
Prevx leverages its community intelligence to automatically block phishing domains and protect the user against known malicious URLs. This option is enabled by default for all users as an additional line of defense against new and fast spreading threats.
General Configuration Options
Security Configuration Off
This setting is not recommended in any case: with protection disabled, any website can be visited, which can expose the user to credential leakage and infections.
Configuration for all HTTPS websites
This configuration option allows a registered user to protect all HTTPS websites by default. This would automatically secure any banking transactions or sensitive data as legitimate websites are mandated to use HTTPS domains when dealing with highly sensitive information. Protection is applied first at the Default Policy level and then additional configuration is layered on top, so adding a policy which says to protect https://www.prevx.com at the Medium level will override the default setting within the Configuration for all HTTPS websites.
Configuration for all HTTP websites
Like HTTPS configuration, this policy applies to all HTTP domains. The default setting for registered users is Low protection to allow maximum usability if the user is not entering any confidential information.
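The layering of default and per-domain policies, and the cumulative protection levels listed above, can be modeled as below. This is an added example, not Prevx code: the HTTPS default of Maximum, keying overrides by exact host name, and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Levels from this guide, weakest to strongest. Each level enables its own
# components plus everything enabled by the levels below it.
LEVELS = ["Off", "Detection Only", "Low", "Medium", "High", "Maximum"]
COMPONENTS = {
    "Detection Only": ["block phishing and known malicious websites"],
    "Low": ["detect and prevent man-in-the-middle attacks",
            "protect cookies and saved website data"],
    "Medium": ["protect against URL grabbing attacks",
               "protect sensitive clipboard data",
               "protect against keyloggers"],
    "High": ["block browser process modification attempts",
             "isolate untrusted browser addons from data"],
    "Maximum": ["block malicious access to browser windows",
                "protect against screen grabbing attacks"],
}

# Constructed configuration. HTTP = Low is the registered default stated in
# the guide; the HTTPS default level is an assumption.
DEFAULT_POLICY = {"https": "Maximum", "http": "Low"}
DOMAIN_POLICY = {"www.prevx.com": "Medium"}   # per-domain override

def effective_policy(url, defaults=DEFAULT_POLICY, overrides=DOMAIN_POLICY):
    """Return (level, enabled components) for the host actually contacted."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in defaults or not host:
        raise ValueError(f"not an HTTP/HTTPS URL: {url!r}")
    # Exact host match only: look-alike hosts and user@host tricks in the
    # URL must not inherit another domain's policy.
    level = overrides.get(host, defaults[scheme])
    enabled = [c for name in LEVELS[1:LEVELS.index(level) + 1]
               for c in COMPONENTS[name]]
    return level, enabled
```

Matching on the parsed host name rather than on the URL text is what keeps a look-alike address from picking up a trusted domain's weaker policy.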
Advanced Configuration
Advanced Configuration Options
Overview
Prevx offers some advanced configuration for SafeOnline, including the ability to force a scan to run whenever the user logs into a specific website and the ability to protect credentials and credit card details from phishing attacks.
Scanning Options
Run a quick scan while logging in - This option will cause a scan to automatically start when the selected website is visited.
Only scan if the last scan was greater than X minutes ago - This option allows for a better user experience by not triggering a scan on every website visit. The default and minimum setting is to wait five minutes between rescans, but it can be configured to only rescan once per day if desired.
Allow access to the destination page only after the scan finishes - This option will show a modal dialog over the browser window until the scan finishes. It is possible to abort the scan but this option prevents access to the destination website.
Credential/Data Security
This function allows SafeOnline to lock credentials to specific domains and policies. By doing this, the user is prevented from accidentally leaking them to a phishing website parading as a legitimate website.
Data Caption/Type
This is an identifier and is not used within the protection. It allows the user to differentiate between multiple configured passwords/credentials for management purposes.
Value to Protect
This is the password, credit card number, or other piece of information to which SafeOnline will be securing access. The data itself is not stored within SafeOnline at all, but a strong cryptographic checksum of the data is, which prevents any possibility of credential insecurity.
Repeat Value
This is a duplicate of the Value to Protect, entered to ensure that the data is exactly what the user wants to protect.
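The idea of storing only a checksum and locking the value to one domain can be sketched as follows. This is an added example, not Prevx code: the guide does not name the checksum, so salted PBKDF2-HMAC-SHA256, the record layout and the function names are assumptions.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

ITERATIONS = 100_000   # assumed work factor for the slow hash

def _digest(value, salt):
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, ITERATIONS)

def protect(caption, value, repeat, domain, salt=None):
    """Build the stored record; the protected value itself is not kept."""
    if not hmac.compare_digest(value.encode(), repeat.encode()):
        raise ValueError("Value to Protect and Repeat Value differ")
    salt = salt or os.urandom(16)
    # A per-record salt and a slow hash matter here: card numbers and short
    # passwords have little entropy, so a fast unsalted hash could be guessed.
    return {"caption": caption, "domain": domain.lower(),
            "salt": salt, "digest": _digest(value, salt)}

def check_submission(url, fields, records):
    """Return (caption, field name) pairs that must not leave for this host."""
    host = (urlsplit(url).hostname or "").lower()
    blocked = []
    for rec in records:
        if host == rec["domain"]:
            continue                     # value is locked to this domain
        for name, value in fields.items():
            if hmac.compare_digest(_digest(value, rec["salt"]), rec["digest"]):
                blocked.append((rec["caption"], name))
    return blocked
```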
Add/Remove
After selecting a domain or password, the user can remove them by clicking the Remove button or the minus button in the password list. This will immediately remove protection for the selected area.
Reset
Resetting the configuration will erase all user settings, including passwords and added domains, and download the newest list of domains to protect from the Prevx servers. The list will be automatically populated within the Prevx SafeOnline interface where it can be further configured or modified by the user.

