
Introducing, The New Prevx Edge.



jmonge
March 2nd, 2009, 01:19 PM
-{ Quote: "This is correct :) If a piece of malware is sitting in an archive there is nothing it can do to your system. You would first have to extract the file from the archive, where it will then be found :)

Other antivirus products do scan through archives to protect gateway email servers primarily but for a consumer it is largely unnecessary." }- It makes sense :)

Nett0pp
March 2nd, 2009, 01:39 PM
DiabloNova writes: "The Rustock.C revelation was, from the beginning, just a question of faith"
(c) unknown person from wasm.ru

We have always been interested in non-trivial malware samples, especially those which want to do some kicking before death.

This one, for example:
http://www.virustotal.com/ru/analisis/6cfa2dd68356c376f7610a89278ab1b4

This malware acts as a virus; moreover, it has a rootkit component built in. In addition, this **** is protected by THEMIDA (yes, the one rumoured to be the ultimate protector).

The sample we got was merged with a trivial crack for a trivial program. Do you still consider cracks safe to use? ;) Unfortunately there is now the same **** there as everywhere, and cracks have become one of the main methods of delivering malware directly to you :) So, guys and girls, use only trustworthy cracks downloaded only from trustworthy sites/people. But even this doesn't give any guarantees, of course. Better, of course, to buy programs, but we are all adult enough, aren't we? ^^

So wtf is this virus doing? The first victim of this Dodelka (that is the actual name of the malware, by the way) was, oh my god, the virtual machine service responsible for drag-and-drop operations. What a loss. Actually it didn't simply infect this executable; the malware fully replaced it with itself. This causes numerous bugs. Next, the malware copies itself to the system32\drivers folder under the name hldrrr.exe and extracts into the same folder a driver named srosa.sys (also packed by some ****). The driver is loaded and the fun begins.

srosa.sys (looks like a static name) sets a callback on image loading. And here is the most interesting part. This malware includes a huge blacklist of different security software and even malware competitors.

This list is located inside the srosa.sys driver and takes up more than 50% of the driver body (some items in UNICODE are even listed twice).

Here is just a small sample of the software present in the blacklist, and numerous components of software (firewalls, HIPS, antirootkits, antiviruses):

vsdatant.sys
sandbox.sys
safemon.sys
filtnt.sys
bdfndisf.sys
Vba32PP3.exe
vba32ldr.exe
Vba32ifs.exe
Vba32ECM.exe
TrojanHunter.exe
TrojanGuarder.exe
SysSafe.exe
Sysinfo.exe
SpybotSD.exe
SDTrayApp.exe
scanner.exe
SCAN32.EXE
SAVScan.exe
Rootkit_Detective.exe //McAfee Antirootkit
RootkitBuster.exe //TrendMicro Antirootkit
RkUService.exe //We will shed some light on this later
RKUnhooker.exe //here we are! Oh thanks for listing us in your malware! :)
RavMon.exe
ProcessViewer.exe
PrevxSetup.exe
prevsrv.exe
PQMAGIC.EXE
PAVARK.exe //Panda Antirootkit
OUTPOST.EXE
MalwareRemoval.exe
KAVSvcUI.EXE
KAVSvc.exe
KAVStart.exe
KavPFW.exe
KAVPF.exe
kavmm.exe
KAV.exe
IceSword.exe //PJF's IceSword Antirootkit
hookAnalyzer.exe
HiJackThis_v2.exe
HijackThis.exe
GIANTAntiSpywareMain.exe
F-StopW.EXE
F-Sched.exe
F-PROT95.EXE
drweb32.exe
defensewall.exe
DarkSpy105.exe (CardMagic's/Wowocock's DarkSpy Antirootkit)
CureIt.exe
ClamTray.exe
ClamScan.exe
blackice.exe
bdss.exe
avp32.exe
avgnt.exe
avgserv.exe
Autostartexplorer.exe
Anti-Trojan.exe
amon.exe
ashAvSrv.exe
a2HiJackFree.exe
nod32krn.exe
NAVW32.EXE
zonealarm.exe
avgarkt.sys (AVG AntiRootkit driver)
gmer.pdb (string inside GMER Antirootkit)
AVZ Driver //AVZ related ****, probably from version info block
AVZGuard Driver
AVZ Monitoring Driver
rootkit.avz

The full list of software is about 40Kb of text (both ANSI and UNICODE).

What happens when one of the blacklisted programs tries to start? Completely unknown, simply not tested with this whole huge list, but with respect to several antirootkits mentioned above and the DrWeb32 antivirus, this malware did the following:

It modified the PE header and changed the CPU type (architecture) to an invalid value (in our case 256). After this the Windows loader was unable to load these images (including drivers) because of the unsupported CPU type. So even if your antivirus/antirootkit is able to find this malware (in theory), it doesn't mean it will help, because this malware will simply prevent your programs from working. As it did in the case of DrWeb32 and Rootkit Unhooker v3.8 installed freshly after the malware.

Okay, wtf is RkUService.exe doing in this list?
But the RKU executable name is always random after installation, so how can it be prevented? The answer is very simple: after installation the installer drops RkUService.exe inside the RKU folder and executes it. Exactly this small tool does all the RkUnhooker.exe name randomization, and after that the installer deletes this small tool. Since RkUService.exe was prevented from launching, RKU wasn't automatically renamed and the malware was able to prevent it from starting. However, if you have RKU already installed BEFORE the malware, it will be unable to block RKU.

Imagine: you paid your money for an AV, you have downloaded all the available antirootkits, antitrojans and freeware malware removal tools, and you can't deal with this infection at all because none of them is working. Drama for your money.

In our test this malware successfully killed IceSword, DarkSpy, RootkitBuster, GMER v1.14 and Rootkit Detective aka Rootkit Defective.

However, this malware's tricks were completely useless against the VX variant of RKU, from which we gathered almost all the information about Dodelka.

Apart from preventing antimalware tools from working, this Dodelka also contains several surprises inside, some of them specially for antirootkits.

One of them is numerous bugs inside the rootkit filters, which slow down scanning of the infected computer.

This rootkit sets several inline hooks; this report was generated by the RKU engineering variant with the tracer turned on.

Rootkit Unhooker report generator v1.1
==============================================
Rootkit Unhooker ER
version: 0.8 (based on VX 4.5 engine)
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600 (Service Pack 2)
==============================================
Code Hooks scanning...
==============================================
Mismatch inside c:\windows\system32\ntoskrnl.exe found
Beginning 2 level tracing (Settings: Tracer level Medium)
==============================================
Tracing: 1 level...
==============================================
Tracing complete at 1 level, hooks confirmed
==============================================
ntoskrnl.exe-->NtQueryKey, Type: Inline - RelativeJump 0x8056F473-->F8021974 [srosa.sys]
ntoskrnl.exe-->NtEnumerateKey, Type: Inline - RelativeJump 0x8056F76A-->F8020E36 [srosa.sys]
ntoskrnl.exe-->NtOpenFile, Type: Inline - RelativeJump 0x805715E7-->F8020A8C [srosa.sys]
ntoskrnl.exe-->NtCreateFile, Type: Inline - RelativeJump 0x8057164C-->F802096E [srosa.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x8057459E-->F801C33E [srosa.sys]
ntoskrnl.exe-->NtQueryDirectoryFile, Type: Inline - RelativeJump 0x80574DAD-->F80210DC [srosa.sys]
ntoskrnl.exe-->NtSetValueKey, Type: Inline - RelativeJump 0x80575527-->F801C564 [srosa.sys]
ntoskrnl.exe-->NtSetInformationFile, Type: Inline - RelativeJump 0x80579E7E-->F801C43C [srosa.sys]
ntoskrnl.exe-->NtQuerySystemInformation, Type: Inline - RelativeJump 0x8057CC27-->F802128E [srosa.sys]
ntoskrnl.exe-->NtEnumerateValueKey, Type: Inline - RelativeJump 0x805801FE-->F8020B8C [srosa.sys]
ntoskrnl.exe-->NtDeleteValueKey, Type: Inline - RelativeJump 0x80597430-->F801C77E [srosa.sys]
ntoskrnl.exe-->NtDeleteKey, Type: Inline - RelativeJump 0x8059D6BD-->F801C97E [srosa.sys]
ntoskrnl.exe-->NtLoadDriver, Type: Inline - RelativeJump 0x805A6B26-->F8021684 [srosa.sys]
ntoskrnl.exe-->NtDeleteFile, Type: Inline - RelativeJump 0x805D8CF7-->F801C3EC [srosa.sys]
==============================================
End of report
==============================================

But the report of the public 3.8 RKU LE shows the following strange behaviour.

RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.8.341.552
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
ntoskrnl.exe+0x00005032, Type: Inline - RelativeJump 0x804DC032 [ntoskrnl.exe]
ntoskrnl.exe-->NtQueryKey, Type: Inline - RelativeJump 0x8056F473 [ntoskrnl.exe]
ntoskrnl.exe-->NtEnumerateKey, Type: Inline - RelativeJump 0x8056F76A [ntoskrnl.exe]
ntoskrnl.exe-->NtOpenFile, Type: Inline - RelativeJump 0x805715E7 [ntoskrnl.exe]
ntoskrnl.exe-->NtCreateFile, Type: Inline - RelativeJump 0x8057164C [ntoskrnl.exe]
ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x8057459E [srosa.sys]
ntoskrnl.exe-->NtQueryDirectoryFile, Type: Inline - RelativeJump 0x80574DAD [ntoskrnl.exe]
ntoskrnl.exe-->NtSetValueKey, Type: Inline - RelativeJump 0x80575527 [ntoskrnl.exe]
ntoskrnl.exe-->NtSetInformationFile, Type: Inline - RelativeJump 0x80579E7E [srosa.sys]
ntoskrnl.exe-->NtQuerySystemInformation, Type: Inline - RelativeJump 0x8057CC27 [srosa.sys]
ntoskrnl.exe-->NtEnumerateValueKey, Type: Inline - RelativeJump 0x805801FE [ntoskrnl.exe]
ntoskrnl.exe-->NtDeleteValueKey, Type: Inline - RelativeJump 0x80597430 [ntoskrnl.exe]
ntoskrnl.exe-->NtDeleteKey, Type: Inline - RelativeJump 0x8059D6BD [ntoskrnl.exe]
ntoskrnl.exe-->NtLoadDriver, Type: Inline - RelativeJump 0x805A6B26 [ntoskrnl.exe]
ntoskrnl.exe-->NtDeleteFile, Type: Inline - RelativeJump 0x805D8CF7 [ntoskrnl.exe]

As you see, many of the hooks have ntoskrnl.exe as the hooker address. Why is this happening? Let's look at these hooks in memory.

NtDeleteValueKey

80597423: call 804E2AD2
80597428: retn 0C
8059742B: jmp F801C77E
==========================
Actual function body
NtDeleteValueKey
==========================
80597430: jmp 8059742

Where the first instruction is a jump back to the jump to the rootkit driver handler. RKU LE was unable to decide who exactly is the "hooker" here. However, as you see, with the tracer this kind of hooking isn't a problem at all. Additionally, this doesn't prevent RKU LE from removing these hooks, since the mismatch is determined.

These hooks are responsible for hiding the rootkit process, rootkit files and registry keys (including the startup location) and for preventing malware removal.

Removal of this malware isn't trivial and requires complex work, because an antirootkit can't determine exactly all the components of this malware, since some of them don't use rootkit technologies, so you have a good chance of reinfection even after successful removal. The best approach here: eradicate the malware hooks and the LoadImage notify routine, determine the malware files (this is simple since all of them are the same, excluding the driver) and kill them all. And don't forget, before using antimalware tools, to rename them to something innocent (blahblah.exe, for example), because nobody can guarantee that the malware doesn't know your av/fw etc. Who needs surprises? =)

Why did we name this malware Dodelka? Because of this
c:\reliz2\dodelka\hlhl_vista_flesh\driver PDB string inside rootkit driver.

and because we really like to call it exactly "Dodelka", which in translation from Russian means "additional work". As you see, Vista is mentioned, but we didn't try this malware on Vista.

As for RKU LE, we of course can't leave these tricks with our programs in the malware blacklist unanswered, so the future version will contain our surprises for crapware coders (they will have to create something new).

No, I won't give you the malware sample or the engineering variant of RKU.
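The CPU-type trick described in the post above (the PE Machine field set to 256 so the Windows loader refuses the image) can be checked for and undone on the file. The following is an added example written for this thread, not code from RKU, Prevx or the post: it parses the MZ/PE headers at the offsets fixed by the PE/COFF specification, reports whether IMAGE_FILE_HEADER.Machine holds a value the loader would reject, and writes the expected value back. The image bytes it operates on are constructed inside the block, and the whitelist of two machine types (i386 and AMD64) is an assumption made for illustration, not the loader's full list.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the original post or from RKU. Detects and repairs
 * a tampered IMAGE_FILE_HEADER.Machine field, which the post says Dodelka set
 * to 256 (0x0100) on blacklisted tools so the loader rejects them.
 * Offsets follow the PE/COFF spec; the image bytes are constructed here. */

#define PE_MACHINE_I386  0x014c
#define PE_MACHINE_AMD64 0x8664

enum pe_status { PE_OK = 0, PE_TOO_SHORT, PE_BAD_MZ, PE_BAD_PE_SIG, PE_MACHINE_TAMPERED };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Locate the COFF header and classify the Machine field. On PE_OK or
 * PE_MACHINE_TAMPERED, *machine and *off (file offset of the field) are set.
 * Assumption for illustration: only i386 and AMD64 count as valid. */
enum pe_status pe_check_machine(const uint8_t *img, size_t len, uint16_t *machine, size_t *off)
{
    if (len < 0x40) return PE_TOO_SHORT;                 /* IMAGE_DOS_HEADER is 64 bytes */
    if (img[0] != 'M' || img[1] != 'Z') return PE_BAD_MZ;
    uint32_t e_lfanew = rd32(img + 0x3c);                /* offset of "PE\0\0" */
    if ((size_t)e_lfanew + 4 + 20 > len) return PE_TOO_SHORT; /* signature + IMAGE_FILE_HEADER */
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return PE_BAD_PE_SIG;
    *off = (size_t)e_lfanew + 4;                          /* Machine is the first field */
    *machine = rd16(img + *off);
    switch (*machine) {
    case PE_MACHINE_I386:
    case PE_MACHINE_AMD64:
        return PE_OK;
    default:
        return PE_MACHINE_TAMPERED;
    }
}

/* Write the expected machine type back. Returns 1 if a repair was made.
 * Only safe when the tamper was limited to this one field. */
int pe_restore_machine(uint8_t *img, size_t len, uint16_t expected)
{
    uint16_t m; size_t off;
    if (pe_check_machine(img, len, &m, &off) != PE_MACHINE_TAMPERED) return 0;
    img[off]     = (uint8_t)(expected & 0xff);
    img[off + 1] = (uint8_t)(expected >> 8);
    return 1;
}

/* Constructed minimal image: MZ header, e_lfanew = 0x40, "PE\0\0", COFF header. */
#define IMG_SIZE 0x58
void build_image(uint8_t *img, uint16_t machine)
{
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3c] = 0x40;                                     /* e_lfanew, little-endian */
    memcpy(img + 0x40, "PE\0\0", 4);
    img[0x44] = (uint8_t)(machine & 0xff);
    img[0x45] = (uint8_t)(machine >> 8);
}

/* End to end: tamper a constructed image the way the post describes (256),
 * detect it, repair it, re-check. Returns 1 on success. */
int demo_detect_and_repair(void)
{
    uint8_t img[IMG_SIZE]; uint16_t m; size_t off;
    build_image(img, 0x0100);
    if (pe_check_machine(img, IMG_SIZE, &m, &off) != PE_MACHINE_TAMPERED || m != 0x0100) return 0;
    if (!pe_restore_machine(img, IMG_SIZE, PE_MACHINE_I386)) return 0;
    return pe_check_machine(img, IMG_SIZE, &m, &off) == PE_OK && m == PE_MACHINE_I386;
}
```

Restoring the field is only worth doing once the driver's image-load callback is gone; otherwise the file is patched again on the next launch attempt, which is why the post puts eradicating the hooks and the LoadImage notify routine first. When in doubt, compare the Machine field against a known-good copy of the same binary rather than trusting a short whitelist.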
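Why RKU LE reported ntoskrnl.exe as the hooker while the tracer-enabled build reported srosa.sys: the first instruction of NtDeleteValueKey jumps five bytes backwards into ntoskrnl, and only that second location jumps into the driver. The following is an added example, not code from RKU or from the post: it follows a chain of x86 relative jumps (E9 rel32 and EB rel8) starting at a function's first byte and reports where the chain ends and whether that lies outside the module. The memory is a constructed byte array mapped at a pretend base (0x80597400) that reproduces the addresses in the post's listing; the srosa.sys handler address 0xF801C77E is the one the post shows.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not RKU's code. Multi-level tracing of an inline hook:
 * follow relative jumps from a function's first instruction until the
 * chain leaves the module or the depth cap is hit. The "memory" below is a
 * constructed buffer laid out like the NtDeleteValueKey listing in the post. */

struct mem_image { const uint8_t *bytes; size_t len; uint32_t base; };

struct hook_trace {
    int levels;            /* number of jumps followed */
    uint32_t final_target; /* address reached when tracing stopped */
    int left_module;       /* 1 if final_target is outside the image */
};

static int in_image(const struct mem_image *m, uint32_t va, size_t need)
{
    return va >= m->base && (uint64_t)va + need <= (uint64_t)m->base + m->len;
}

/* Decode a relative jump at va. Returns 1 and sets *target on success. */
static int decode_jump(const struct mem_image *m, uint32_t va, uint32_t *target)
{
    if (!in_image(m, va, 2)) return 0;
    const uint8_t *p = m->bytes + (va - m->base);
    if (p[0] == 0xE9 && in_image(m, va, 5)) {             /* jmp rel32 */
        uint32_t rel = (uint32_t)p[1] | ((uint32_t)p[2] << 8) |
                       ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
        *target = va + 5 + rel;                           /* wraps mod 2^32 like the CPU */
        return 1;
    }
    if (p[0] == 0xEB) {                                   /* jmp rel8 */
        *target = va + 2 + (uint32_t)(int32_t)(int8_t)p[1];
        return 1;
    }
    return 0;
}

/* max_levels == 1 reproduces what the post's RKU LE report saw. */
struct hook_trace trace_hook(const struct mem_image *m, uint32_t func_va, int max_levels)
{
    struct hook_trace t = { 0, func_va, 0 };
    uint32_t va = func_va, target;
    while (t.levels < max_levels && decode_jump(m, va, &target)) {
        t.levels++;
        va = target;
        if (!in_image(m, va, 1)) { t.left_module = 1; break; }
    }
    t.final_target = va;
    return t;
}

/* Write "jmp target" (E9 rel32) at address at, into a buffer mapped at base. */
void put_jmp32(uint8_t *buf, uint32_t base, uint32_t at, uint32_t target)
{
    uint32_t rel = target - (at + 5);
    uint8_t *p = buf + (at - base);
    p[0] = 0xE9;
    p[1] = (uint8_t)rel; p[2] = (uint8_t)(rel >> 8);
    p[3] = (uint8_t)(rel >> 16); p[4] = (uint8_t)(rel >> 24);
}

/* Addresses from the post's listing; the base and length are assumptions. */
#define KERNEL_BASE      0x80597400u
#define KERNEL_LEN       0x40
#define NTDELETEVALUEKEY 0x80597430u   /* hooked function entry */
#define TRAMPOLINE       0x8059742Bu   /* jmp in ntoskrnl just before the function */
#define SROSA_HANDLER    0xF801C77Eu   /* rootkit handler in srosa.sys */

/* Constructed layout: entry jumps back 5 bytes into ntoskrnl, that jumps
 * into srosa.sys. Unused bytes are int3 filler, which is not a jump. */
void build_dodelka_layout(uint8_t *buf)
{
    memset(buf, 0xCC, KERNEL_LEN);
    put_jmp32(buf, KERNEL_BASE, NTDELETEVALUEKEY, TRAMPOLINE);
    put_jmp32(buf, KERNEL_BASE, TRAMPOLINE, SROSA_HANDLER);
}
```

With one level the trace stops inside ntoskrnl, which is exactly the attribution RKU LE printed; with two levels it ends outside the image, in the driver. A real tracer also has to deal with absolute jumps (FF 25), push/ret sequences and loops, so cap the depth as done here rather than following jumps unconditionally.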

PrevxHelp
March 2nd, 2009, 01:41 PM
CSI and Edge detect all variants of Rustock including Rustock.c when the system is already infected or if it tries to load ;)

Nett0pp
March 2nd, 2009, 01:47 PM
-{ Quote: "CSI and Edge detect all variants of Rustock including Rustock.c when the system is already infected or if it tries to load ;)" }-

Great !

TCSP

EraserHW
March 2nd, 2009, 01:51 PM
Rustock.C is far more interesting than Beagle rootkit ;) Many rootkits are much more interesting than Beagle rootkit :)

Baldrick
March 2nd, 2009, 01:55 PM
-{ Quote: "There are two levels of being disabled in Edge - you can enter Install Mode (which is the default) or you can completely disable Edge if you click the dropdown box. Install Mode will just disable the age/spread/advanced heuristics but leave on the main protection of Edge." }-
Well, you live and learn...;D Best read the excellent online help again (note to myself)!

G1111
March 2nd, 2009, 03:26 PM
Currently using the trial version of Prevx Edge. Are there any known compatibility problems with Kaspersky AV, Outpost Pro Firewall or Ghost Security (AppDefend & RegDefend)? I am planning on adding Prevx Edge to my upfront prevention as it appears no further versions of Ghost Security will be forthcoming. I just opened the trial version of Prevx Edge and everything appears to be running smoothly so far with the above programs also running. I added it to AppDefend's list of permissible programs on my computer. I know from the threads it has very good rootkit detection. How is it at detecting/preventing keyloggers?

PrevxHelp
March 2nd, 2009, 03:38 PM
-{ Quote: "Currently using the trial version of Prevx Edge. Are there any known compatibility problems with Kaspersky AV, Outpost Pro Firewall or Ghost Security (AppDefend & RegDefend). I am planning on adding Prevx Edge to my upfront prevention as it appears no further versions of Ghost Security will be forthcoming. I just opened the trial version of Prevx Edge and everything appears to be running smoothly so far with the above programs also running. I added it to AppDefend's list of permissible programs on my computer. I know from the threads it has very good rootkit detection. How is it at detecting/preventing keyloggers?" }-

Hello,
There are no known compatibility problems between these apps - one problem with Kaspersky, however, is that you have to uninstall Edge to install Kaspersky because they won't let both be installed at the same time but there is no reason for this :-\ So, if you have any problems getting them installed, just install Kaspersky first and then Edge over the top ;D

Edge is very good at detecting and preventing keyloggers and we have some new technology coming in the next weeks to improve this even more ;)

G1111
March 2nd, 2009, 03:43 PM
-{ Quote: "Hello,
There are no known compatibility problems between these apps - one problem with Kaspersky, however, is that you have to uninstall Edge to install Kaspersky because they won't let both be installed at the same time but there is no reason for this :-\ So, if you have any problems getting them installed, just install Kaspersky first and then Edge over the top ;D

Edge is very good at detecting and preventing keyloggers and we have some new technology coming in the next weeks to improve this even more ;)" }-

Okay, thanks for the very fast response. I already had KAV installed. No problems thus far.

CBP1
March 2nd, 2009, 05:24 PM
Hello. I have a few questions about Prevx Edge. I have the full version installed and it is set to its standard settings, other than self protection which I have set to medium.

I have uninstalled my AV and now only have Prevx installed as my AM or AV protection.

Will Prevx protect me enough? Will it protect me from trojan droppers etc. and all the things Avira blocked from various websites? Will Prevx ensure my POP email is safe?

Will it slow down my PC if I set heuristics to max?

Sorry for so many questions!

PrevxHelp
March 2nd, 2009, 05:30 PM
-{ Quote: "Hello. I have a few questions about Prevx Edge. I have the full version installed and it is set to its standard settings, other than self protection which I have set to medium.

I have uninstalled my AV and now only have Prevx installed as my AM or AV protection.

Will Prevx protect me enough? Will it protect me from trojan droppers etc. and all the things Avira blocked from various websites? Will Prevx ensure my POP email is safe?

Will it slow down my PC if I set heuristics to max?

Sorry for so many questions!" }-

Hello,
We believe that Edge does provide enough security by itself but you can use it alongside another AV if you want - it is fully compatible with every major security solution (including Avira :)). Edge does not scan through POP Email but it will scan any file which comes through via email (i.e. an exploit or a trojan horse, etc.)

Your PC performance will not degrade at all if you set heuristics to max - all of the difficult calculations take place on our servers :) Please let me know if you have any further questions!

CBP1
March 2nd, 2009, 05:37 PM
Quick reply - I am impressed! What about protection from trojan droppers etc.?

I know I could stick Avira back on my PC, but I fancy running light as it were and I believe Prevx is the best against rootkits.

If I want maximum security settings with edge, please tell me how I should set the various settings.

thank you

jmonge
March 2nd, 2009, 05:43 PM
-{ Quote: "Quick reply - I am impressed! What about protection from trojan droppers etc.?

I know I could stick Avira back on my PC, but I fancy running light as it were and I believe Prevx is the best against rootkits.

If I want maximum security settings with edge, please tell me how I should set the various settings.

thank you" }- I am as fancy as you ;)

PrevxHelp
March 2nd, 2009, 05:54 PM
-{ Quote: "Quick reply - I am impressed! What about protection from trojan droppers etc.?

I know I could stick Avira back on my PC, but I fancy running light as it were and I believe Prevx is the best against rootkits.

If I want maximum security settings with edge, please tell me how I should set the various settings.

thank you" }-

Yes, Edge blocks trojans, droppers, spyware, adware, rootkits, viruses, worms, etc. etc. ;D

Maximum settings in Edge can cause some false positives depending on what kind of software you use but in the "Heuristics Settings" screen, move all of the slider bars all the way to the right and then under "Protection Settings", ensure that the Master Boot Record scanning is enabled and you'll be good to go ;)

CBP1
March 2nd, 2009, 05:58 PM
Thank you very much.

Romagnolo1973
March 2nd, 2009, 06:30 PM
-{ Quote: "False Positive
When scanning with MBAM, Edge realtime (settings: heuristics High; Age Medium; Popularity Medium) says that this is a virus
c:\windows\system32\drivers\oanet.sys
but it is an Online Armor safe file
Can you check & fix? Thanks" }-

Joe you have a PM here & on your personal email, thanks !!

Other question, an Italian user said: have you ever thought about the possibility of offering for download on your site a real trial, 100% full for X days (at the end of these X days it changes to free)?
It's typically Italian, I know ;D but with a full X-day trial users really taste the power of Edge & buy it after this evaluation (sorry for my English)

Romagnolo1973
March 2nd, 2009, 06:43 PM
-{ Quote: "Quick reply - I am impressed! What about protection from trojan droppers etc.?

I know I could stick Avira back on my PC, but I fancy running light as it were and I believe Prevx is the best against rootkits.

If I want maximum security settings with edge, please tell me how I should set the various settings.

thank you" }- Everything on Maximum is perfect if you don't change your software configuration, but if you change it, set Heuristics to High & Medium for Age & Popularity.
For example, I have the FF3.2 Alpha prerelease called Minefield; if I set Heuristics, Popularity & Age to Maximum it generates an alert about Minefield FF (it updates a few times a day), in accordance with these rules, because it is new & has fewer users.
This is why I set Heuristics on High but not Maximum and Age/Popularity on Medium.

PrevxHelp
March 2nd, 2009, 06:45 PM
-{ Quote: "Joe you have a PM here & on your personal email, thanks !!

Other question, an Italian user said: have you ever thought about the possibility of offering for download on your site a real trial, 100% full for X days (at the end of these X days it changes to free)?
It's typically Italian, I know ;D but with a full X-day trial users really taste the power of Edge & buy it after this evaluation (sorry for my English)" }-

(I responded about ~10 minutes ago to you via email FWIW ;D)

We've been discussing a full trial version but we're siding to not offer it because of the confusion it would cause and the complexity it introduces. However, we do offer a 7 day fully functional trial license on-demand to anyone asking for it so you can direct those users to us (via the inbox or PM'ing me or EraserHW :))

Romagnolo1973
March 2nd, 2009, 06:46 PM
-{ Quote: "Joe you have a PM here & on your personal email, thanks !!
" }-
Joe is faster than Speedy Gonzales ;D thanks

PrevxHelp
March 2nd, 2009, 06:48 PM
-{ Quote: "Joe is faster than Speedy Gonzales ;D thanks" }-

¡Andale! ¡Andale! ¡Arriba! ;D

Romagnolo1973
March 2nd, 2009, 06:51 PM
-{ Quote: "(I responded about ~10 minutes ago to you via email FWIW ;D)

We've been discussing a full trial version but we're siding to not offer it because of the confusion it would cause and the complexity it introduces. However, we do offer a 7 day fully functional trial license on-demand to anyone asking for it so you can direct those users to us (via the inbox or PM'ing me or EraserHW :))" }-

Ok thanks, I'll talk about this privately with the 2 users who will try a full trial.
Eraser is on the Italian site also, so no problem.
Thanks Joe

Romagnolo1973
March 2nd, 2009, 07:17 PM
-{ Quote: "¡Andale! ¡Andale! ¡Arriba! ;D" }-

;D
Joe, 2 things (then I go to bed ;D )
1) at the top of the main window I read, for example, "Edge removed 100 infections" at the moment (I use the Italian edition and this alert is in my language, but I think you understand); is there any possibility to erase this counter, or only with uninstall? For example A-squared has this possibility

2) I know Eraser has more important things to do than translate EDGE, but there are 2 or 3 things not translated in the Italian version.
I talked to Eraser about this omission and I think he solved the problem, but if not.... I'm here ;D
I don't write but I understand English well
Sorry, but I am the typical Italian thinking our language is understood everywhere and I didn't like studying English >:( ; only travelling around the world did I learn the unhappy truth

PrevxHelp
March 2nd, 2009, 07:19 PM
-{ Quote: ";D
Joe, 2 things (then I go to bed ;D )
1) at the top of the main window I read, for example, "Edge removed 100 infections" at the moment (I use the Italian edition and this alert is in my language, but I think you understand); is there any possibility to erase this counter, or only with uninstall? For example A-squared has this possibility

2) I know Eraser has more important things to do than translate EDGE, but there are 2 or 3 things not translated in the Italian version.
I talked to Eraser about this omission and I think he solved the problem, but if not.... I'm here ;D
I don't write but I understand English well
Sorry, but I am the typical Italian thinking our language is understood everywhere and I didn't like studying English >:( ; only travelling around the world did I learn the unhappy truth" }-

This is the second request for the feature to reset the counter, but right now the best way is just to uninstall/reinstall - it is on the todo list still but we have some more interesting features coming first ;D

Eraser actually is the one that translated Edge so let him know what isn't translated ;D He LOVES translating it, believe me ;D :shifty: ;D

Diazruanova
March 2nd, 2009, 09:50 PM
Hi Joe,

I already sent to your mail, a Zipped file that is a false positive.
Its name is TWAIN32.plg and it is a plug-in for a graphic editor named Artweaver. I also uploaded it to VirusTotal and it was clean.

Thanks

PrevxHelp
March 2nd, 2009, 09:53 PM
-{ Quote: "Hi Joe,

I already sent to your mail, a Zipped file that is a false positive.
Its name is TWAIN32.plg and it is a plug-in for a graphic editor named Artweaver. I also uploaded it to VirusTotal and it was clean.

Thanks" }-

Fixed :)

Diazruanova
March 2nd, 2009, 10:03 PM
-{ Quote: "Fixed :)" }-

Thanks a lot:D

EraserHW
March 3rd, 2009, 05:18 AM
-{ Quote: "
He LOVES translating it, believe me ;D :shifty: ;D" }-

:lurking: :lurking:

GES/POR
March 3rd, 2009, 11:29 AM
-{ Quote: ":lurking: :lurking:" }-

LOL, you guys not only deliver good support but also good comedy :thumb:

jmonge
March 3rd, 2009, 11:31 AM
-{ Quote: "LOL, you guys not only deliver good support but also good comedy :thumb:" }- They should be in Hollywood :) Did you see they are even making movies on YouTube ;D

rolarocka
March 3rd, 2009, 11:43 AM
-{ Quote: "They should be in Hollywood :) Did you see they are even making movies on YouTube ;D" }-
haha nice one :thumb: ;D

jmonge
March 3rd, 2009, 02:04 PM
-{ Quote: "haha nice one :thumb: ;D" }-
:) lol:)

Romagnolo1973
March 4th, 2009, 11:24 AM
To Prevx Help
a friend of mine trying Edge Pro on a malware collection (5,000 malware & viruses :D ) says this to me:
Edge finds 255 infections maximum, then he rescans and finds another 255 and another 255 and so on till the end...
Is it a bug? Edge can't check more than 255 infections every scan, so he needs more scans to finish this test of 5,000 viruses?
Is that correct? Because the counter on the main window increases the total amount by +255 infections every scan

Second possibility: Edge finds only 255 infections out of 5000 and then restarts (and this is not possible of course ;D;D ;D )
Thanks Joe

PrevxHelp
March 4th, 2009, 11:28 AM
-{ Quote: "To Prevx Help
a friend of mine trying Edge Pro on a malware collection (5,000 malware & viruses :D ) says this to me:
Edge finds 255 infections maximum, then he rescans and finds another 255 and another 255 and so on till the end...
Is it a bug? Edge can't check more than 255 infections every scan, so he needs more scans to finish this test of 5,000 viruses?
Is that correct? Because the counter on the main window increases the total amount by +255 infections every scan

Second possibility: Edge finds only 255 infections out of 5000 and then restarts (and this is not possible of course ;D;D ;D )
Thanks Joe" }-

Edge limits detections to 255 to conserve on memory and perform as optimally as possible. If your computer is actually infected with > 255 infections, you have some major problems ;D

jmonge
March 4th, 2009, 11:45 AM
-{ Quote: "Edge limits detections to 255 to conserve on memory and perform as optimally as possible. If your computer is actually infected with > 255 infections, you have some major problems ;D" }- Can that mean 1 infection found equals maybe 200 files infected with that file, and maybe 255 infections means 1000 or more files corrupted? Maybe, not sure ;D Man, I need some coffee I guess 8)

PrevxHelp
March 4th, 2009, 11:56 AM
-{ Quote: "Can that mean 1 infection found equals maybe 200 files infected with that file, and maybe 255 infections means 1000 or more files corrupted? Maybe, not sure ;D Man, I need some coffee I guess 8)" }-

It depends on the infection, but in the worst case, you would just have to click cleanup twice to clean 500 infections. From what I've seen, this is extremely rare :)

jmonge
March 4th, 2009, 12:06 PM
-{ Quote: "It depends on the infection, but in the worst case, you would just have to click cleanup twice to clean 500 infections. From what I've seen, this is extremely rare :)" }- Ah, thanks a lot. Anyway, who wants to have 500+ infections on their PC ;D

JW Clements
March 4th, 2009, 12:24 PM
-{ Quote: "Ah, thanks a lot. Anyway, who wants to have 500+ infections on their PC ;D" }-
LOL j. Sounds like someone waited a bit too long to address their security. ::)Maybe a reformat, then install Edge on the clean system...?
Yup ;D

BrendanAdams
March 4th, 2009, 12:25 PM
A new version of opera has just been released, and when I launched it for the first time I had a prevx pop up. Had to use override. Anyway, it might be a good idea to consider opera.exe as a safe application :)

jmonge
March 4th, 2009, 01:20 PM
-{ Quote: "LOL j. Sounds like someone waited a bit too long to address their security. ::)Maybe a reformat, then install Edge on the clean system...?
Yup ;D" }- Agree :thumb:

Romagnolo1973
March 4th, 2009, 03:03 PM
-{ Quote: "Edge limits detections to 255 to conserve on memory and perform as optimally as possible. If your computer is actually infected with > 255 infections, you have some major problems ;D" }-
Yes, it's true, but as I said it is a test, a folder containing 5000 infections, so he needs 20 restarts.
Only as knowledge to be on the right way; I'll tell my friend this.
Thanks Joe, and for your information my PC is clean ;D I'm not so crazy

PrevxHelp
March 4th, 2009, 03:06 PM
-{ Quote: "Yes, it's true, but as I said it is a test, a folder containing 5000 infections, so he needs 20 restarts.
Only as knowledge to be on the right way; I'll tell my friend this.
Thanks Joe, and for your information my PC is clean ;D I'm not so crazy" }-

Well, to be completely honest, a test like this is not an accurate test of Edge or any other AV's real protection. This is testing merely the on-demand scanning which doesn't contain a vast majority of the heuristics, behavior monitoring, realtime analysis, or any of the important aspects which make Edge (and other AVs) actually able to block real threats.

Detecting something on-demand is no challenge at all. Detecting something on an infected computer with a dozen rootkits active and many infections, however, is exactly the challenge Edge was designed for :)

Romagnolo1973
March 4th, 2009, 03:50 PM
-{ Quote: "Well, to be completely honest, a test like this is not an accurate test of Edge or any other AV's real protection. This is testing merely the on-demand scanning which doesn't contain a vast majority of the heuristics, behavior monitoring, realtime analysis, or any of the important aspects which make Edge (and other AVs) actually able to block real threats.

Detecting something on-demand is no challenge at all. Detecting something on an infected computer with a dozen rootkits active and many infections, however, is exactly the challenge Edge was designed for :)" }-
I agree
On-demand is not correct for testing an AV or antimalware, but it is just a self-made test by a friend; even if it is not perfect, as you said, Edge was the best in this "test" ;D

TechOutsider
March 4th, 2009, 05:22 PM
Seems to have a lot of FPs even when heuristics are disabled. Attached is a logfile of the supposed FPs, which number more than twice the number of characters allowed in one post.

And I don't like how it just pauses at 98%, and when I try to cancel the scan, it says that it needs more time to analyze the infected files (something along the lines of that).

By the way, I downgraded within Prevx Edge itself to CSI. However, both have the same issue. The scan just hits 98% at about 2 minutes, then it stops and just pauses. In the picture the scanner is illustrated at 11 minutes. Right now, it is about 15 minutes in the scan and still stuck at 98%.

PrevxHelp
March 4th, 2009, 05:24 PM
-{ Quote: "Seems to have a lot of FPs even when heuristics are disabled. Attached is a logfile of the supposed FPs, which number more than twice the number of characters allowed in one post." }-

That is quite odd - I'm discussing this with the research team now so we can resolve this issue.

jmonge
March 4th, 2009, 05:27 PM
Prevx is running smoothly with Malware Defender ;)
Good combo

PrevxHelp
March 4th, 2009, 05:27 PM
-{ Quote: "Seems to have a lot of FPs even when heuristics are disabled. Attached is a logfile of the supposed FPs, which number more than twice the number of characters allowed in one post." }-

FWIW, all (except two) of these detections are heuristic detections because of unpopular files. Could you please let me know what OS and language you are using?

TechOutsider
March 4th, 2009, 05:30 PM
The 7k build of Windows 7.

Anyhow, the scan is still stuck at 20 minutes. I attempted to abort it about 5 minutes ago.

PrevxHelp
March 4th, 2009, 05:33 PM
-{ Quote: "The 7k build of Windows 7." }-

Ah ok, being that it's still in beta we don't have every language/build whitelisted. I'll get your FPs fixed and work on whitelisting so that your scans will run faster :)

TechOutsider
March 4th, 2009, 05:35 PM
Kind of overreaching there, right? Claimed Windows 7 compatibility on the product page, yet it yields all those FPs. Disinfect all and the system may not function properly.

PrevxHelp
March 4th, 2009, 05:38 PM
-{ Quote: "Kind of overreaching there, right? Claimed Windows 7 compatibility on the product page, yet it yields all those FPs. Disinfect all and the system may not function properly." }-

Personally, I'm using Windows 7 on three systems here and have never experienced one FP and my scans take around 25 seconds.

I'm checking through the files in the database, and you are running into a one-off case somehow as all of these files are completely unique compared to any other Windows 7 user we have. What language are you using and where did you download the beta from?

Triple Helix
March 4th, 2009, 06:08 PM
I also use it on Win 7 Beta without problems!

TH

PrevxHelp
March 4th, 2009, 06:38 PM
Can you run another scan? The FPs should be fixed now :)

TechOutsider
March 4th, 2009, 07:11 PM
Eh, already uninstalled. I'll check later.

ExCavTanker
March 4th, 2009, 07:15 PM
Hello,

I just purchased a 2 PC license for EDGE (for a cheap ba%$#rd like me that's something but I digress) previously only purchasing SAS Pro. While I should've asked the questions before purchase I jumped in on faith based on what I've read.

I am trying to understand how EDGE works by using a 'community threat database', does that mean once some unlucky person or persons gets nailed is that malware then added to the EDGE database for other users? If not, then wouldn't simply using heuristics be enough?

I had been using Threat Fire free which also used a community database for the free version but once a license was purchased you no longer had to rely on the database (from what I understood anyways).

Am I correct that both programs are both attempting to do the same thing and if so why is EDGE better?

I'm also currently trying Dr. Web Security Space and would like to know which program (Dr. Web or EDGE) would intercept the various malware first regardless of how it's delivered as they both advertise protecting against basically the same things.

PrevxHelp
March 4th, 2009, 07:23 PM
-{ Quote: "Hello,

I just purchased a 2 PC license for EDGE (for a cheap ba%$#rd like me that's something but I digress) previously only purchasing SAS Pro. While I should've asked the questions before purchase I jumped in on faith based on what I've read.

I am trying to understand how EDGE works by using a 'community threat database', does that mean once some unlucky person or persons gets nailed is that malware then added to the EDGE database for other users? If not, then wouldn't simply using heuristics be enough?

I had been using Threat Fire free which also used a community database for the free version but once a license was purchased you no longer had to rely on the database (from what I understood anyways).

Am I correct that both programs are both attempting to do the same thing and if so why is EDGE better?

I'm also currently trying Dr. Web Security Space and would like to know which program (Dr. Web or EDGE) would intercept the various malware first regardless of how it's delivered as they both advertise protecting against basically the same things." }-

Hello,
Edge is different from other security products because it uses heuristics, blacklisting, whitelisting, and server-side analysis all within the server centrally. It's able to aggregate data from every user and analyze it centrally and then return a response which takes into account all of this information rather than just the data known to the local computer. I'm not sure what Threatfire does with their community database but I know some programs say they have a community database when they are just taking the answers from users (allow/block) and tallying them and then returning a response based on that. This is the complete opposite of how Edge works. Edge analyzes the characteristics/behaviors/etc. of a file from across the community and then returns a response irrespective of what users have said in the past (granted, user input is sent to us but it is entered into a manual queue and our researchers take care of them on a case-by-case basis :))

With our new centralized analysis in Edge, even the first user to ever see an infection is almost always protected. It isn't 100% perfect (if anyone says their product is 100% perfect they're lying ;D) and detection does get better as more users encounter a file/encounter behaviors of a file but the first sight detection is quite good in its own right.

With Dr. Web and Edge on the same computer, Dr. Web "may" see the infection first or Edge may see it first - it really depends how the file is accessed and where it loads. Edge focuses primarily on loading code which dramatically reduces its footprint and system impact and I believe Dr. Web scans every file on open regardless of its intent so Dr. Web may catch it earlier but only by a fraction of a second and either way, Edge would gain control of the file before the OS ever had a chance to give it control so you would always be protected :)

Let me know if that helps or if you need any further clarification!

ExCavTanker
March 4th, 2009, 07:51 PM
-{ Quote: "Hello,
Edge is different from other security products because it uses heuristics, blacklisting, whitelisting, and server-side analysis all within the server centrally. It's able to aggregate data from every user and analyze it centrally and then return a response which takes into account all of this information rather than just the data known to the local computer. I'm not sure what Threatfire does with their community database but I know some programs say they have a community database when they are just taking the answers from users (allow/block) and tallying them and then returning a response based on that. This is the complete opposite of how Edge works. Edge analyzes the characteristics/behaviors/etc. of a file from across the community and then returns a response irrespective of what users have said in the past (granted, user input is sent to us but it is entered into a manual queue and our researchers take care of them on a case-by-case basis :))

With our new centralized analysis in Edge, even the first user to ever see an infection is almost always protected. It isn't 100% perfect (if anyone says their product is 100% perfect they're lying ;D) and detection does get better as more users encounter a file/encounter behaviors of a file but the first sight detection is quite good in its own right.

With Dr. Web and Edge on the same computer, Dr. Web "may" see the infection first or Edge may see it first - it really depends how the file is accessed and where it loads. Edge focuses primarily on loading code which dramatically reduces its footprint and system impact and I believe Dr. Web scans every file on open regardless of its intent so Dr. Web may catch it earlier but only by a fraction of a second and either way, Edge would gain control of the file before the OS ever had a chance to give it control so you would always be protected :)

Let me know if that helps or if you need any further clarification!" }-

Wow that was fast! I appreciate your explanation which was very helpful (not only to me but to prospective purchasers as well), along with your honesty in that NOTHING is 100%.

One thing I've noticed with the http scanning of Dr. Web is while not terrible I do notice a slight slowdown of page loads, not a deal breaker but noticeable. Sans an http scanning AV will EDGE protect against those type of 'drive by' threats, if so does it detect the threat the instant it starts to go into action so to speak?

PrevxHelp
March 4th, 2009, 07:52 PM
-{ Quote: "Wow that was fast! I appreciate your explanation which was very helpful (not only to me but to prospective purchasers as well), along with your honesty in that NOTHING is 100%.

One thing I've noticed with the http scanning of Dr. Web is while not terrible I do notice a slight slowdown of page loads, not a deal breaker but noticeable. Sans an http scanning AV will EDGE protect against those type of 'drive by' threats, if so does it detect the threat the instant it starts to go into action so to speak?" }-

Yes, that is correct :) If an http driveby attack would try and touch the system at all, we would block it immediately :)

Firebytes
March 4th, 2009, 07:56 PM
I just downloaded Edge to try it out briefly. Prevx Edge is detecting the program System Information for Windows (http://www.wilderssecurity.com/www.gtopala.com) (latest version) as a rootkit. MBAM, SAS, and VirusTotal all say the file is clean.

EraserHW
March 4th, 2009, 08:06 PM
-{ Quote: "I just downloaded Edge to try it out briefly. Prevx Edge is detecting the program System Information for Windows (http://www.wilderssecurity.com/www.gtopala.com) (latest version) as a rootkit. MBAM, SAS, and VirusTotal all say the file is clean." }-

Hello,

Please, can you send me the Prevx log at falsipositivi [A-T] pcalsicuro [DOT] com?

Thank you for your help :)

ExCavTanker
March 4th, 2009, 08:10 PM
-{ Quote: "Yes, that is correct :) If an http driveby attack would try and touch the system at all, we would block it immediately :)" }-

Excellent, thanks!

Triple Helix
March 4th, 2009, 08:13 PM
Joe can you say when you will have a File upload system setup on the Prevx Website?

TH

PrevxHelp
March 4th, 2009, 08:14 PM
-{ Quote: "Joe can you say when you will have a File upload system setup on the Prevx Website?

TH" }-

I'm not sure at this point. However, I will check in tomorrow with the web team to see what progress has been made :)

Firebytes
March 4th, 2009, 08:24 PM
-{ Quote: "Hello,

Please, can you send me the Prevx log at falsipositivi [A-T] pcalsicuro [DOT] com?

Thank you for your help :)" }-

Log sent. I hope I sent the right log ??? as I am unfamiliar with Edge.

EraserHW
March 4th, 2009, 08:30 PM
-{ Quote: "I just downloaded Edge to try it out briefly. Prevx Edge is detecting the program System Information for Windows (http://www.wilderssecurity.com/www.gtopala.com) (latest version) as a rootkit. MBAM, SAS, and VirusTotal all say the file is clean." }-

Are you using the latest version of this software?

Anyway, the problem should be fixed. Please check again and let me know :)

Thank you

Triple Helix
March 4th, 2009, 08:36 PM
-{ Quote: "I'm not sure at this point. However, I will check in tomorrow with the web team to see what progress has been made :)" }-

Or even build it in my Prevx for licenced users. Or what is best!

TH

ambient_88
March 4th, 2009, 09:33 PM
Speaking of MyPrevx, I was trying to manage my license (delete a host and reinstate another), but it won't let me. I constantly change from Vista to XP (and vice versa) on the same PC. Does that require me to have two separate licenses?

Thanks!

PrevxHelp
March 4th, 2009, 09:46 PM
-{ Quote: "Speaking of MyPrevx, I was trying to manage my license (delete a host and reinstate another), but it won't let me. I constantly change from Vista to XP (and vice versa) on the same PC. Does that require me to have two separate licenses?

Thanks!" }-

Hello,
Yes, this would require two separate licenses - we limit license movements between PCs/OSs and we consider each OS install as a separate PC.

Triple Helix
March 4th, 2009, 10:08 PM
Joe I'm having trouble Right Clicking and scanning a single file it does a full system scan instead.

TH

Firebytes
March 4th, 2009, 10:20 PM
-{ Quote: "Are you using the latest version of this software?

Anyway, the problem should be fixed. Please check again and let me know :)

Thank you" }-

I have the latest version of both System Information for Windows and Prevx Edge.

Yes, Prevx Edge now shows the file to be clean. What caused the FP? Heuristics?

Anyway, thanks for the fast response.

Triple Helix
March 4th, 2009, 10:36 PM
-{ Quote: "Joe I'm having trouble Right Clicking and scanning a single file it does a full system scan instead.

TH" }-

I reinstalled and it's working fine now ???

TH

PrevxHelp
March 4th, 2009, 10:36 PM
-{ Quote: "Joe I'm having trouble Right Clicking and scanning a single file it does a full system scan instead.

TH" }-

Hmm, I just tried it here and it worked fine. Could you try rebooting and see if it still happens?

Triple Helix
March 5th, 2009, 12:19 AM
-{ Quote: "Hmm, I just tried it here and it worked fine. Could you try rebooting and see if it still happens?" }-
-{ Quote: " I reinstalled and it's working fine now ???

TH" }-

;D;D;D;D;D

denis
March 5th, 2009, 07:37 AM
not sure if it is a false one. Can you take a look, thanks.
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Last Scan: Thu 2009-03-05 13:12:01 Romance (standaardtijd). Number of Scans: 156. Last Scan Duration: 2 minutes 26 seconds.
[D] c:\windows\system32\drivers\epfw.sys [PX5: 9286F525887A9E78FFE20190A0E7E1004CE241DA] Malware Group: Community.OuterEdge
[D] c:\program files\eset\eset smart security\drivers\epfw\epfw.sys [PX5: 9286F525887A9E78FFE20190A0E7E1004CE241DA] Malware Group: Community.OuterEdge

PrevxHelp
March 5th, 2009, 08:51 AM
-{ Quote: "not sure if it is a false one. Can you take a look, thanks.
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Last Scan: Thu 2009-03-05 13:12:01 Romance (standaardtijd). Number of Scans: 156. Last Scan Duration: 2 minutes 26 seconds.
[D] c:\windows\system32\drivers\epfw.sys [PX5: 9286F525887A9E78FFE20190A0E7E1004CE241DA] Malware Group: Community.OuterEdge
[D] c:\program files\eset\eset smart security\drivers\epfw\epfw.sys [PX5: 9286F525887A9E78FFE20190A0E7E1004CE241DA] Malware Group: Community.OuterEdge" }-

Fixed :) (well, it was fixed automatically ;))

GES/POR
March 5th, 2009, 10:51 AM
-{ Quote: "Wow that was fast! I appreciate your explanation which was very helpful (not only to me but to prospective purchasers as well), along with your honesty in that NOTHING is 100%.

One thing I've noticed with the http scanning of Dr. Web is while not terrible I do notice a slight slowdown of page loads, not a deal breaker but noticeable. Sans an http scanning AV will EDGE protect against those type of 'drive by' threats, if so does it detect the threat the instant it starts to go into action so to speak?" }-

Please don't use my current setup, I have a patent on it; however, combining SAS, PxE and DrW would be a helluva setup ;) About the surfing slowdowns, I'd report it to their support as you're not alone, while supposedly it is claimed that it isn't possible.

Triple Helix
March 5th, 2009, 05:59 PM
Hi Joe,

I try to scan My Computer and it does not do a full scan, any suggestions? Or even when I try to scan C drive or D drive it does not do a full Drive scan.

TH

PrevxHelp
March 5th, 2009, 06:04 PM
-{ Quote: "Hi Joe,

I try to scan My Computer and it does not do a full scan, any suggestions? Or even when I try to scan C drive or D drive it does not do a full Drive scan.

TH" }-

Hmm :doubt: It should, I'll look into it ;D

Triple Helix
March 5th, 2009, 06:11 PM
I'm using it on Vista 32bit ATM

Triple Helix
March 5th, 2009, 10:35 PM
Also if I try to scan an empty Recycle Bin it does a regular scan.

Baldrick
March 6th, 2009, 01:57 PM
Hi Joe

Getting a little bored here as 3.0.1.17 is working so well on my rig.;) Any news on the new features you mentioned a little while back? Hopefully available soon in beta so that we can flex our testing skills again? ;D

PrevxHelp
March 6th, 2009, 02:04 PM
-{ Quote: "Also if I try to scan an empty Recycle Bin it does a regular scan." }-

I haven't been able to reproduce any of these problems, however, could you use the Advanced Scan > Custom Scan menu to run a custom scan? That should be working properly still (AFAICT at least ;D)

PrevxHelp
March 6th, 2009, 02:07 PM
-{ Quote: "Hi Joe

Getting a little bored here as 3.0.1.17 is working so well on my rig.;) Any news on the new features you mentioned a little while back? Hopefully available soon in beta so that we can flex our testing skills again? ;D" }-

They are still in development ;D With OS support ranging from Windows NT4, through Windows 98 to Windows 7 and all 64bit OSs and then having to maintain compatibility with every other security product, development takes a while, as does testing :) We have a load of new features coming down the road but they're all still baking in the proverbial Prevx oven :)

As soon as they're completed enough for a beta test, I will distribute links/instructions ;D

Dark Star 72
March 6th, 2009, 03:02 PM
-{ Quote: " We have a load of new features coming down the road but they're all still baking in the proverbial Prevx oven :)

As soon as they're completed enough for a beta test, I will distribute links/instructions ;D" }-

Patiently (at the moment) awaiting the call to testing ;D

jmonge
March 6th, 2009, 03:12 PM
-{ Quote: "They are still in development ;D With OS support ranging from Windows NT4, through Windows 98 to Windows 7 and all 64bit OSs and then having to maintain compatibility with every other security product, development takes a while, as does testing :) We have a load of new features coming down the road but they're all still baking in the proverbial Prevx oven :)

As soon as they're completed enough for a beta test, I will distribute links/instructions ;D" }-Come on, hurry up, I have some coffee but I need some baking bread ;)

Triple Helix
March 6th, 2009, 03:15 PM
-{ Quote: "I haven't been able to reproduce any of these problems, however, could you use the Advanced Scan > Custom Scan menu to run a custom scan? That should be working properly still (AFAICT at least ;D)" }-

Yes that works fine to do a full system scan!

PrevxHelp
March 6th, 2009, 03:24 PM
-{ Quote: "Come on, hurry up, I have some coffee but I need some baking bread ;)" }-

;D ;D

jmonge
March 6th, 2009, 03:25 PM
It is working fine here with DefenseWall and Sandboxie ;)

Baldrick
March 6th, 2009, 04:16 PM
-{ Quote: "...but they're all still baking in the proverbial Prevx oven :)

As soon as they're completed enough for a beta test, I will distribute links/instructions ;D" }-
Well, I for one am looking forward to tasting that cake! Mmmmmmmmh!:P

Triple Helix
March 6th, 2009, 04:20 PM
-{ Quote: "I haven't been able to reproduce any of these problems, however, could you use the Advanced Scan > Custom Scan menu to run a custom scan? That should be working properly still (AFAICT at least ;D)" }-

-{ Quote: "Yes that works fine to do a full system scan!" }-

I did a clean reinstall and still can't do a full scan by right clicking My Computer or the Drives but Custom Scan works fine!

TH

TechOutsider
March 6th, 2009, 04:25 PM
-{ Quote: "Ah ok, being that its still in beta we don't have every language/build whitelisted. I'll get your FPs fixed and work on whitelisting so that your scans will run faster :)" }-

Impressed. Did you use an automated process?

PrevxHelp
March 6th, 2009, 04:56 PM
-{ Quote: "Impressed. Did you use an automated process?" }-

Yes :) Our database allows us to do quite a lot of things automatically - a vast majority of our analysis/malware research/whitelisting/etc. takes place almost completely without human intervention.

brihy1
March 6th, 2009, 05:15 PM
I get this when dealing with Acronis True Image Secure Zone

PrevxHelp
March 6th, 2009, 05:20 PM
-{ Quote: "I get this when dealing with Acronis True Image Secure Zone" }-

This is because Acronis is modifying the master boot record while restoring - you'll probably want to disable Edge when imaging your system in this case (as the warning is legitimate).

GES/POR
March 6th, 2009, 05:48 PM
-{ Quote: "This is because Acronis is modifying the master boot record while restoring - you'll probably want to disable Edge when imaging your system in this case (as the warning is legitimate)." }-

Acronis aside, that screenie is the cleanest way of reporting potential malicious activity and yet informative enough - I especially like the "Possible"

brihy1
March 6th, 2009, 09:12 PM
-{ Quote: "This is because Acronis is modifying the master boot record while restoring - you'll probably want to disable Edge when imaging your system in this case (as the warning is legitimate)." }-

OK, thanks, will do

Baldrick
March 7th, 2009, 04:41 AM
-{ Quote: "This is because Acronis is modifying the master boot record while restoring - you'll probably want to disable Edge when imaging your system in this case (as the warning is legitimate)." }-
Hi Joe

One quick question on this which I think I know the answer to but given its nature I thought it best to have confirmed! This alert (as originally posted by brihy1) relates to Acronis True Image. By taking the 'Trust Always' option only Acronis True Image will always be trusted when modifying the MBR, not any program doing so ????

Only have ATI to which I have said yes and no other program that would do this to try it out with.

Silly question to some perhaps but my view is that there is no such thing as a silly question if you have the slightest doubt. ;)

Cheers

Baldrick ;D

Baldrick
March 7th, 2009, 05:40 AM
Hi Joe

Apologies for the bombardment...hope that you are well?

Have sent you by PM a Scan log of an Edge detection which I believe to be an FP...when running the latest version of GMER (v1.0.15.14827). As I trust this Rootkit detection program I Trusted it but I suspect that something has changed with the program as I noted a considerable reduction in the size of the executable from the last time I installed & ran it.

Let us know what you think!

Regards

Baldrick ;D

PrevxHelp
March 7th, 2009, 01:32 PM
Fixed the GMER FP :) It was flagged because it dropped a randomly named driver into the temporary directory which acted upon system structures.... hard to NOT determine that as malicious heuristically :)

PrevxHelp
March 7th, 2009, 01:34 PM
-{ Quote: "Hi Joe

One quick question on this which I think I know the answer to but given its nature I thought it best to have confirmed! This alert (as originally posted by brihy1) relates to Acronis True Image. By taking the 'Trust Always' options only Acronis True Image will always be trusted when modifying the MBR not any program doing so ????" }-

The MBR modification warning doesn't work exactly like the other warnings (and we're going to be changing this soon). Clicking Trust Always will trust that copy of the MBR to enter the system but it won't allow Acronis to continue to make the change to the MBR if it changes it to something different in the future.

We will be making the MBR warning more logical by having "Trust Changes" instead of "Trust Always" - hope that helps! :)

jmonge
March 7th, 2009, 01:35 PM
-{ Quote: "Fixed the GMER FP :) It was flagged because it dropped a randomly named driver into the temporary directory which acted upon system structures.... hard to NOT determine that as malicious heuristically :)" }-I have Malwarebytes and Prevx Edge heuristics on high ;) Is that good? I don't have any antivirus, just Prevx and Malwarebytes real-time on :) in wife's PC, thanks

GES/POR
March 7th, 2009, 03:11 PM
-{ Quote: "I have Malwarebytes and Prevx Edge heuristics on high ;) Is that good? I don't have any antivirus, just Prevx and Malwarebytes real-time on :) in wife's PC, thanks" }-

It's better than having just, say, Norton; you could even do with just Edge, but along with MBAM it's a killer

Baldrick
March 7th, 2009, 05:25 PM
-{ Quote: "The MBR modification warning doesn't work exactly like the other warnings (and we're going to be changing this soon). Clicking Trust Always will trust that copy of the MBR to enter the system but it won't allow Acronis to continue to make the change to the MBR if it changes it to something different in the future.

We will be making the MBR warning more logical by having "Trust Changes" instead of "Trust Always" - hope that helps! :)" }-
Hi Joe

Thanks for the clarification. I was just worried that accepting these changes by Acronis would allow others by other programs...which is not the case. I think that the proposed change in the message will clarify exactly what Edge is proposing/recommending, etc.

Nice one! ;D

TechOutsider
March 7th, 2009, 05:52 PM
I uninstalled Prevx Edge and the Windows Action Center (W7) shows that Edge is working and up to date.

PrevxHelp
March 7th, 2009, 05:59 PM
-{ Quote: "I uninstalled Prevx Edge and the Windows Action Center (W7) shows that Edge is working and up to date." }-

Could you try rebooting your computer or running:

sc stop wscsvc

followed by

sc start wscsvc

The Security/Action Center in Windows is a highly unreliable feature. I'm using Windows 7 here and have never had Edge stick around after uninstalling/reinstalling but I know our testers that work with multiple other AVs frequently have residual AVs sitting in the security center for no apparent reason after being completely uninstalled :blink:

jmonge
March 7th, 2009, 06:27 PM
-{ Quote: "It's better than having just, say, Norton; you could even do with just Edge, but along with MBAM it's a killer" }-Thanks, my wife is safe again ;D

yashau
March 8th, 2009, 01:41 PM
I have a quick question. Is there any way to use Edge to clean out a PC that isn't connected to the internet? :)

PrevxHelp
March 8th, 2009, 01:47 PM
-{ Quote: "I have a quick question. Is there anyway to use Edge to clean out a PC that isn't connected to the internet? :)" }-

There is not. Edge does require an internet connection to clean a computer but if the internet isn't working for some reason, Edge will run diagnostics to correct the HOSTs file/LSP chain/driver stack/etc. so in most cases Edge will restore the internet if it stopped working because of malicious reasons :)

Baldrick
March 8th, 2009, 02:01 PM
-{ Quote: "There is not. Edge does require an internet connection to clean a computer but if the internet isn't working for some reason, Edge will run diagnostics to correct the HOSTs file/LSP chain/driver stack/etc. so in most cases Edge will restore the internet if it stopped working because of malicious reasons :)" }-
Now that is way cool! Is there any visible sign that this is or has taken place...like a notification or something? Presumably if one disables the internet connection for some legitimate reason Edge will not re-establish it as it will find nothing when it's run its diagnostics? ???

If there is currently no notification it may be a good idea to include something along those lines, perhaps switchable on or off, for those more technical users who would like to be aware.

Come to think about it, the provision of a log feature to record salient internal activities might be a good idea and an entry therein re. the internet diagnostics being run would fit in...I think?

Anyway...just a thought...as usual! ;)

PrevxHelp
March 8th, 2009, 02:09 PM
-{ Quote: "Now that is way cool! Is there any visible sign that this is or has taken place...like a notification or something? Presumably if one disables the internet connection for some legitimate reason Edge will not re-establish it as it will find nothing when its run its diagnostics? ???

If there is currently no notification it may be a good idea to include something along those lines, perhaps switchable on or off, for those more technical users who would like to be aware.

Come to think about it, the provision of a log feature to record salient internal activities might be a good idea and an entry therein re. the internet diagnostics being run would fit in...I think?

Anyway...just a thought...as usual! ;)" }-

If the internet connection is disabled physically (i.e. unplugging it) Edge will only complain that it is offline but if the internet is broken because of an LSP chain issue, Edge will show a message to the user saying:

"Prevx Edge has detected modifications in your internet configuration which may have been caused by malicious software.
An invalid entry has been injected into your LSP Chain with the filename:
c:\maliciousfile.dll

Would you like Prevx Edge to automatically repair this issue?"

It will then correct the file and entry and then reboot the system and continue to scan :) If there is a malicious HOSTs file entry blocking access to Prevx or to any other popular security vendor's website, Edge will show this warning:

"WARNING: A malicious entry was found in the HOSTs file which may interrupt the functionality of Prevx Edge. This entry contains the data:
[127.0.0.1 www.symantec.com]
Do you want to remove this entry now?"

Edge will then correct the entry and restore your access to those websites :)

This check occurs just as the scan starts regardless of if you are licensed or not. We don't log this into the cleanup log at the moment, but it would definitely be a good candidate for it :)
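
The HOSTS-file check described in the post above, as an added worked example (it is not Prevx code and does not reflect how Edge implements the check internally): a small Python parser for HOSTS-format files that flags any mapping of a protected security-vendor hostname, distinguishing loopback/0.0.0.0 sinkholes (the `127.0.0.1 www.symantec.com` case quoted above) from redirects to some other address, plus a repair routine that removes only the offending hostnames and leaves the rest of the file untouched. The watchlist `PROTECTED_HOSTS`, the sample file contents and all function names are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Watchlist of security-vendor hostnames to protect (constructed for this
# example; a real product would maintain a much longer, vetted list).
PROTECTED_HOSTS = {
    "www.symantec.com",
    "www.prevx.com",
    "www.microsoft.com",
    "update.microsoft.com",
}

# Constructed sample of a tampered HOSTS file. The Symantec line is the one
# quoted in the thread; 203.0.113.7 is a documentation-range address standing
# in for an arbitrary third-party host; the rest is ordinary benign content.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file for this example
#
# address         hostname(s)
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com
0.0.0.0   www.prevx.com   prevx.com   # "blackhole" style redirect
203.0.113.7     update.microsoft.com
192.168.1.10    fileserver.lan
   # indented comment
127.0.0.1 ads.example.invalid
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Parse HOSTS-format text into (line_number, address, [hostnames]).

    Comments (# to end of line) and blank lines are skipped; fields are
    separated by arbitrary whitespace, as both Windows and Unix resolvers
    accept. Hostnames are lower-cased because HOSTS lookups are
    case-insensitive.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostnames is ignored by the resolver
        entries.append((lineno, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def is_sinkhole_address(addr: str) -> bool:
    """True for targets that silently swallow traffic: loopback, 0.0.0.0 or ::."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal; the resolver would skip such a line
    return ip.is_loopback or ip.is_unspecified


def find_suspicious_entries(text: str) -> List[Dict[str, object]]:
    """Flag every mapping of a protected vendor hostname.

    A loopback/unspecified target ("sinkhole") blocks updates and support
    sites, which is what the thread's example does. Any other target
    ("redirect") is at least as serious, because a vendor's update check
    would then be answered by whatever host sits at that address. A clean
    HOSTS file should not pin these names at all.
    """
    findings = []
    for lineno, addr, hosts in parse_hosts(text):
        for host in hosts:
            if host in PROTECTED_HOSTS:
                findings.append({
                    "line": lineno,
                    "address": addr,
                    "host": host,
                    "kind": "sinkhole" if is_sinkhole_address(addr) else "redirect",
                })
    return findings


def repair_hosts(text: str) -> str:
    """Return HOSTS text with protected hostnames removed from any mapping.

    Unaffected lines are preserved byte-for-byte so a legitimate file is not
    reformatted; on an affected line only the protected names are dropped,
    the trailing comment is kept, and a line left with no hostnames is removed.
    """
    out = []
    for raw in text.splitlines(keepends=True):
        code, sep, comment = raw.partition("#")
        fields = code.split()
        if len(fields) < 2 or not any(h.lower() in PROTECTED_HOSTS for h in fields[1:]):
            out.append(raw)
            continue
        kept = [h for h in fields[1:] if h.lower() not in PROTECTED_HOSTS]
        if not kept:
            continue  # nothing legitimate remains on this line
        newline = "\n" if raw.endswith("\n") else ""
        tail = " " + sep + comment.rstrip("\n") if sep else ""
        out.append(" ".join([fields[0], *kept]) + tail + newline)
    return "".join(out)


if __name__ == "__main__":
    for f in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['address']} -> {f['host']} ({f['kind']})")
    print("--- repaired file ---")
    print(repair_hosts(SAMPLE_HOSTS), end="")
```

On Windows the live file is `%SystemRoot%\System32\drivers\etc\hosts`, and reading it requires no special rights, so a check like this can run before any network call is attempted, which is the point of doing it at scan start as the post describes. The example flags redirects as well as sinkholes because a vendor hostname pinned to any address in HOSTS is abnormal on a consumer machine; a tool that only looked for `127.0.0.1` would miss the more dangerous case.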

jmonge
March 8th, 2009, 02:20 PM
-{ Quote: "If the internet connection is disabled physically (i.e. unplugging it) Edge will only complain that it is offline but if the internet is broken because of an LSP chain issue, Edge will show a message to the user saying:

"Prevx Edge has detected modifications in your internet configuration which may have been caused by malicious software.
An invalid entry has been injected into your LSP Chain with the filename:
c:\maliciousfile.dll

Would you like Prevx Edge to automatically repair this issue?"

It will then correct the file and entry and then reboot the system and continue to scan :) If there is a malicious HOSTs file entry blocking access to Prevx or to any other popular security vendor's website, Edge will show this warning:

"WARNING: A malicious entry was found in the HOSTs file which may interrupt the functionality of Prevx Edge. This entry contains the data:
[127.0.0.1 www.symantec.com]
Do you want to remove this entry now?"

Edge will then correct the entry and restore your access to those websites :)

This check occurs just as the scan starts regardless of if you are licensed or not. We don't log this into the cleanup log at the moment, but it would definitely be a good candidate for it :)" }-So that means Prevx Edge will also detect malware that affects your internet connection? That's good :thumb:

Baldrick
March 8th, 2009, 02:26 PM
Hi Joe

As ever many thanks for the (i) very prompt and (ii) very complete answer. I suspect that most users did not know about this feature. :thumb:

That all sounds very good to me including the possible future logging of this in the Cleanup Log. I believe that this is underused at the moment and that could be of interest to the more technical user so perhaps a Preference entry to allow selection of the level of detail shown (not recorded) would allow the user to customise to their own preference ???

I know that Prevx wants to keep Edge as light and compact as possible so this may just be seen as a possible 'bloat' feature...but as always, worth suggesting I think. ;)

yashau
March 8th, 2009, 03:14 PM
-{ Quote: "If the internet connection is disabled physically (i.e. unplugging it) Edge will only complain that it is offline but if the internet is broken because of an LSP chain issue, Edge will show a message to the user saying:

"Prevx Edge has detected modifications in your internet configuration which may have been caused by malicious software.
An invalid entry has been injected into your LSP Chain with the filename:
c:\maliciousfile.dll

Would you like Prevx Edge to automatically repair this issue?"

It will then correct the file and entry and then reboot the system and continue to scan :) If there is a malicious HOSTs file entry blocking access to Prevx or to any other popular security vendor's website, Edge will show this warning:

"WARNING: A malicious entry was found in the HOSTs file which may interrupt the functionality of Prevx Edge. This entry contains the data:
[127.0.0.1 www.symantec.com]
Do you want to remove this entry now?"

Edge will then correct the entry and restore your access to those websites :)

This check occurs just as the scan starts regardless of if you are licensed or not. We don't log this into the cleanup log at the moment, but it would definitely be a good candidate for it :)" }-Thank you for the detailed clarification.
I'm seriously thinking about buying this but since I format a lot and since the licenses don't work the second time I don't think I'm the right kind of person for it. :)
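The HOSTS-file check described in the quoted reply, as an added example that is not Prevx's code: it parses a HOSTS file, flags any entry that pins a security vendor name to a loopback, null or foreign address, and comments out the offending lines instead of deleting them. The watched-domain list and the sample HOSTS file are constructed for the example.

```python
"""Flag HOSTS-file entries that cut a machine off from security vendors.

Added example, not Prevx code. A HOSTS line has the form
    <address> <hostname> [<hostname> ...] [# comment]
Malware commonly pins vendor hostnames to 127.0.0.1 or 0.0.0.0 so that
updates and support sites silently stop resolving; pinning them to any
other address is a redirect and is just as suspicious.
"""
import ipaddress
from typing import List, NamedTuple

# Assumed watch list; the product's real list is not on the page.
WATCHED_DOMAINS = (
    "prevx.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "avira.com",
    "microsoft.com",
)

# Constructed sample: the first four lines are legitimate, the last three
# are the kind of entries the warning on the page refers to.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.lan   # constructed, legitimate LAN entry
127.0.0.1 www.symantec.com
0.0.0.0   update.prevx.com   # constructed hijack: null-route vendor updates
203.0.113.7 www.kaspersky.com  # constructed hijack: redirect to another host
"""


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    kind: str      # "blackhole", "redirect" or "malformed"
    text: str      # the original line, for the warning dialog / log


def _is_watched(hostname: str) -> bool:
    """True for a watched domain or any of its subdomains (case-insensitive)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def _classify(address: str) -> str:
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        return "blackhole"   # name resolves to the local box or to nowhere
    return "redirect"        # name pinned to some other host


def scan_hosts(text: str) -> List[Finding]:
    """Return one Finding per watched hostname found in an active entry."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not body:
            continue
        tokens = body.split()
        if len(tokens) < 2:
            continue                          # address with no hostnames
        address, hostnames = tokens[0], tokens[1:]
        for host in hostnames:
            if _is_watched(host):
                findings.append(Finding(line_no, address, host,
                                        _classify(address), raw))
    return findings


def format_warning(f: Finding) -> str:
    """Mirror the wording of the dialog quoted on the page."""
    return ("WARNING: A malicious entry was found in the HOSTs file. "
            f"This entry contains the data: [{f.address} {f.hostname}]")


def repair_hosts(text: str) -> str:
    """Comment out flagged lines so the evidence stays in the file."""
    bad = {f.line_no for f in scan_hosts(text)}
    out = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        out.append("# disabled by hosts-check: " + raw if line_no in bad else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in scan_hosts(SAMPLE_HOSTS):
        print(f"line {finding.line_no} ({finding.kind}): {format_warning(finding)}")
    print(repair_hosts(SAMPLE_HOSTS))
```

On a real Windows machine the file to pass to `scan_hosts` is `%SystemRoot%\System32\drivers\etc\hosts`; writing the repaired copy back needs administrator rights.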

PrevxHelp
March 8th, 2009, 03:25 PM
-{ Quote: "Thank you for the detailed clarification.
I'm seriously thinking about buying this but since I format a lot and since the licenses don't work the second time I don't think I'm the right kind of person for it. :)" }-

We never mind resetting your license :) (just out of curiosity, how often is "a lot" ;D - 5 times a day might be a bit too much IMO but less than that should be fine ;D)

Dark Star 72
March 8th, 2009, 05:06 PM
Hi Joe,
Edge just seems to get better and better. After your explanation above re: offline scanning etc. and the detailed warnings Edge will give, I wonder just what else is in there we are not aware of yet. Yesterday I got a pop-up when testing Edge against the Ultimate Keylogger giveaway. Extremely detailed, leaving no doubt about what to do - unlike many HIPS that leave you scratching your head with their uninformative pop-ups. All we need now is for Edge to give us secure Sandboxed browsing :shifty: and we will be nearly there ;D
Also, in the previous long thread leading up to the release of Edge when it was referred to as P3 the question was asked if P3/Edge would have a Firewall included. I seem to remember that although the answer was no you mentioned that it wasn't a problem as P3/Edge would always alert the user to any rogue program trying to call home with confidential material. Could you expand/elaborate on this and explain what kind of pop-ups/warnings the user would be likely to see.

PrevxHelp
March 8th, 2009, 05:12 PM
-{ Quote: " All we need now is for Edge to give us secure Sandboxed browsing :shifty: and we will be nearly there ;D " }-

You will be surprised at how accurate this is ;D

-{ Quote: "
Also, in the previous long thread leading up to the release of Edge when it was referred to as P3 the question was asked if P3/Edge would have a Firewall included. I seem to remember that although the answer was no you mentioned that it wasn't a problem as P3/Edge would always alert the user to any rogue program trying to call home with confidential material. Could you expand/elaborate on this and explain what kind of pop-ups/warnings the user would be likely to see." }-

Internet access is not malicious by itself (it's rare that you DON'T see a program use the internet these days). Edge doesn't have an internet-specific warning but our server-side analysis picks apart exactly where a program will try and contact and we then return back a response automatically. Generally, you would receive a warning with a detection of: "Information Stealer", "Banking Info Stealer", "Targeted Information Stealer", or "Password Stealer" (and a handful of others) if Edge detects that a program could be doing malicious things with your data :)

jmonge
March 8th, 2009, 05:26 PM
Maybe a stupid question but anyway, we (me and family) are new to Prevx technology and are very curious about Prevx Edge virus detection and removal. I know and already tested Prevx Edge against spyware/rogue malware types and as of now Prevx Edge really impresses us. Now what about viruses? That's my only question. Does it really replace my antivirus? I have Avira Free until I get a concrete answer :) Is it safe without Avira? Do I really need Avira and Prevx, or will just Prevx protect the family's PC in real time against viruses? Thanks

PrevxHelp
March 8th, 2009, 05:32 PM
-{ Quote: "Maybe a stupid question but anyway, we (me and family) are new to Prevx technology and are very curious about Prevx Edge virus detection and removal. I know and already tested Prevx Edge against spyware/rogue malware types and as of now Prevx Edge really impresses us. Now what about viruses? That's my only question. Does it really replace my antivirus? I have Avira Free until I get a concrete answer :) Is it safe without Avira? Do I really need Avira and Prevx, or will just Prevx protect the family's PC in real time against viruses? Thanks" }-

Edge's realtime virus (file infector) protection is extremely strong. We've developed algorithms which explicitly detect infected files and prevent them from entering/modifying other programs. However, file infector cleanup is a very horrible problem for any antivirus company because file infectors tend to damage programs beyond repair. Therefore, you will probably want to ensure that you have a backup of your system (even just a restore CD to replace the programs) regardless of what AV you use :)

Thankfully, file infectors are nowhere near as prevalent as other threats today ;D But if you do just want to use Edge without Avira, you will be adequately protected against file infectors/other threats; however, no protection is 100%, so if you can spare the couple of CPU %, it might be worth using both if you're in a high-risk situation :)

jmonge
March 8th, 2009, 05:34 PM
-{ Quote: "Edge's realtime virus (file infector) protection is extremely strong. We've developed algorithms which explicitly detect infected files and prevent them from entering/modifying other programs. However, file infector cleanup is a very horrible problem for any antivirus company because file infectors tend to damage programs beyond repair. Therefore, you will probably want to ensure that you have a backup of your system (even just a restore CD to replace the programs) regardless of what AV you use :)

Thankfully, file infectors are nowhere near as prevalent as other threats today ;D But if you do just want to use Edge without Avira, you will be adequately protected against file infectors/other threats; however, no protection is 100%, so if you can spare the couple of CPU %, it might be worth using both if you're in a high-risk situation :)" }-Ah, I see.

jmonge
March 8th, 2009, 05:37 PM
-{ Quote: "Ah, I see." }-In my case I am running on the family PC Prevx Edge/Avira Free/SpywareBlaster/Malwarebytes Anti-Malware Pro; I just wanted to know if Avira is an extra on my PC ;D

Baldrick
March 8th, 2009, 05:51 PM
-{ Quote: "In my case I am running on the family PC Prevx Edge/Avira Free/SpywareBlaster/Malwarebytes Anti-Malware Pro; I just wanted to know if Avira is an extra on my PC ;D" }-
jmonge, it is!

Personally I believe that a layered defense is the best approach and I believe (but correct me if I am wrong Joe) that the Edge's mission is to work the best within layers...as evidenced by the huge amount of attention paid to (and success at) making it work with other mainline security solutions...and that is where IMHO its strength is. You can run another security application that you are comfortable/happy to use and then also run Edge...so providing overlapping layers of security.

For me that is KIS & Edge...and boy do they work well together (with a little help from LinkScanner Pro, of course). ;D

PrevxHelp
March 8th, 2009, 05:52 PM
-{ Quote: "jmonge, it is!

Personally I believe that a layered defense is the best approach and I believe (but correct me if I am wrong Joe) that the Edge's mission is to work the best within layers...as evidenced by the huge amount of attention paid to (and success at) making it work with other mainline security solutions...and that is where IMHO its strength is. You can run another security application that you are comfortable/happy to use and then also run Edge...so providing overlapping layers of security.

For me that is KIS & Edge...and boy do they work well together (with a little help from LinkScanner Pro, of course). ;D" }-

:thumb:

jmonge
March 8th, 2009, 05:54 PM
-{ Quote: "jmonge, it is!

Personally I believe that a layered defense is the best approach and I believe (but correct me if I am wrong Joe) that the Edge's mission is to work the best within layers...as evidenced by the huge amount of attention paid to (and success at) making it work with other mainline security solutions...and that is where IMHO its strength is. You can run another security application that you are comfortable/happy to use and then also run Edge...so providing overlapping layers of security.

For me that is KIS & Edge...and boy do they work well together (with a little help from LinkScanner Pro, of course). ;D" }-cool thanks

jmonge
March 8th, 2009, 05:55 PM
-{ Quote: ":thumb:" }-:thumb:

jmonge
March 8th, 2009, 06:04 PM
-{ Quote: "jmonge, it is!

Personally I believe that a layered defense is the best approach and I believe (but correct me if I am wrong Joe) that the Edge's mission is to work the best within layers...as evidenced by the huge amount of attention paid to (and success at) making it work with other mainline security solutions...and that is where IMHO its strength is. You can run another security application that you are comfortable/happy to use and then also run Edge...so providing overlapping layers of security.

For me that is KIS & Edge...and boy do they work well together (with a little help from LinkScanner Pro, of course). ;D" }-I also believe in security layers to protect family identities :thumb: I tried to collect the best or near the best security software I can and Prevx was one on my list ;D

Baldrick
March 8th, 2009, 06:11 PM
-{ Quote: "I also believe in security layers to protect family identities :thumb: I tried to collect the best or near the best security software I can and Prevx was one on my list ;D" }-
May I return the :thumb: ...I think that it is the goal of the great Wilders community...which is what makes the forum the best (sorry...a slight digression off topic! ;) )

Dark Star 72
March 8th, 2009, 06:12 PM
-{ Quote: "You will be surprised at how accurate this is ;D



Internet access is not malicious by itself (its rare that you DON'T see a program use the internet these days). Edge doesn't have an internet-specific warning but our server-side analysis picks apart exactly where a program will try and contact and we then return back a response automatically. Generally, you would receive a warning with a detection of: "Information Stealer", "Banking Info Stealer", "Targeted Information Stealer", or "Password Stealer" (and a handful of others) if Edge detects that a program could be doing malicious things with your data :)" }-

Answer a): :thumb: :shifty:

Answer b): That is just the kind of info I was looking for. *Intelligent* information. Not so and so wants to connect to the internet - allow - yes or no???

jmonge
March 8th, 2009, 06:15 PM
-{ Quote: "May I return the :thumb: ...I think that it is the goal of the great Wilders community...which is what makes the forum the best (sorry...a slight digression off topic! ;) )" }-yeah;)

Romagnolo1973
March 8th, 2009, 06:57 PM
-{ Quote: "This is because Acronis is modifying the master boot record while restoring - you'll probably want to disable Edge when imaging your system in this case (as the warning is legitimate)." }-
And if I temporarily disable the MBR check in SETTINGS--Protection Edge Setting (my Edge is in Italian and in English it could be different, sorry, but I think you know this feature ;D ), does this work or not? It could be easier.

PrevxHelp
March 8th, 2009, 06:58 PM
-{ Quote: "And if I disable the MBR check in SETTINGS--Protection Edge Setting (my Edge is in Italian and in English it could be different, sorry, but I think you know this feature ;D ), does this work or not? It could be easier." }-

Yes :) That will definitely stop it from warning :)

Romagnolo1973
March 8th, 2009, 07:43 PM
-{ Quote: "Yes :) That will definitely stop it from warning :)" }-
:thumb:

capatt
March 8th, 2009, 08:28 PM
Along the same lines, has anyone tested Edge with Rollback Rx? That modifies the MBR (I believe) to provide a pre-boot UI for restoring previous snapshots. I wouldn't want Edge interfering with that, but on the other hand I would want to be warned if something malicious modified the MBR.

Thanks

LoneWolf
March 8th, 2009, 10:48 PM
-{ Quote: "Along the same lines, has anyone tested Edge with Rollback Rx? That modifies the MBR (I believe) to provide a pre-boot UI for restoring previous snapshots. I wouldn't want Edge interfering with that, but on the other hand I would want to be warned if something malicious modified the MBR.

Thanks" }-

I have Prevx Edge and Rollback Rx installed here.
No apparent problems.
I have not needed to rollback to an earlier snapshot since installing Prevx though.
Will check this out maybe tomorrow and make sure there are no problems with this.
Sure hope not.

Kingy
March 9th, 2009, 01:33 AM
Possible fp, got this alert after my monthly defrag when trying to run something trusted in DefenseWall: c:\windows\system32\dwall_ext.dll.
Cheers.

PrevxHelp
March 9th, 2009, 01:46 AM
-{ Quote: "Possible fp, got this alert after my monthly defrag when trying to run something trusted in DefenseWall: c:\windows\system32\dwall_ext.dll.
Cheers." }-

Hello,
Could you click Tools and then Save Scan Results and send me a scan log? Thanks ;D

Baldrick
March 9th, 2009, 02:56 PM
-{ Quote: "I have Prevx Edge and Rollback Rx installed here.
No apparent problems.
I have not needed to rollback to an earlier snapshot since installing Prevx though.
Will check this out maybe tomorrow and make sure there are no problems with this.
Sure hope not." }-
I have RB Rx installed and rollback to a prior snapshot on a regular basis (due to beta testing software like Edge, etc.). Have not noticed or reported any issues as a result.

In terms of the modification of the MBR and how Edge reacts see previous posts in this thread:

http://www.wilderssecurity.com/showpost.php?p=1418717&postcount=2346

http://www.wilderssecurity.com/showpost.php?p=1419133&postcount=2352

This refers to modification by Acronis True Image, but I think it sheds light?

Cheers


Baldrick;D

LoneWolf
March 9th, 2009, 09:22 PM
-{ Quote: "I have RB Rx installed and rollback to a prior snapshot on a regular basis (due to beta testing software like Edge, etc.). Have not noticed or reported any issues as a result.
" }-

Thanks for the info. :thumb:

Romagnolo1973
March 10th, 2009, 05:53 AM
To Joe:
Question about the detection override:
from your guide I read: "If you select a file when adding the file to detection overrides, you can configure Edge to Block this file, Always trust this file, or Trust this file once. If you are using the Edge Evaluation, the only options available are to Block this file and to Ignore this file. Once applied, the detection override comes into effect immediately."

For the Pro version everything is clear: I block the execution of the file, or I trust it once or always (even in the scanning).
But for the free version it is not clear what Block is (with Ignore I think the folder was not scanned); if the evaluation can't block a malware, what does it mean? Can you explain?
Thanks

PrevxHelp
March 10th, 2009, 09:03 AM
-{ Quote: "To Joe:
Question about the detection override:
from your guide I read: "If you select a file when adding the file to detection overrides, you can configure Edge to Block this file, Always trust this file, or Trust this file once. If you are using the Edge Evaluation, the only options available are to Block this file and to Ignore this file. Once applied, the detection override comes into effect immediately."

For the Pro version everything is clear: I block the execution of the file, or I trust it once or always (even in the scanning).
But for the free version it is not clear what Block is (with Ignore I think the folder was not scanned); if the evaluation can't block a malware, what does it mean? Can you explain?
Thanks" }-

That is a help file mistake ;D The actual options available during the trial are "Detect" and "Ignore". You can add detection for any file if you want, or you can ignore it :)

Good catch ;D

Romagnolo1973
March 10th, 2009, 09:47 AM
-{ Quote: "That is a help file mistake ;D The actual options available during the trial are "Detect" and "Ignore". You can add detection for any file if you want, or you can ignore it :)

Good catch ;D" }-
Yes but detection of what?
For example if I have KIS it is better to tell Edge to Ignore KIS (you know how KIS is difficult with other security software), but Detect what exactly? If I put a folder or exe on the tab choosing Detect, what is Edge doing? Only scanning this folder every time I start the scan?
Thanks for the info

PrevxHelp
March 10th, 2009, 09:49 AM
-{ Quote: "Yes but detection of what?
For example if I have KIS it is better to tell Edge to Ignore KIS (you know how KIS is difficult with other security software), but Detect what exactly? If I put a folder or exe on the tab saying Detect, what is Edge doing? Only scanning this folder every time I start the scan?
Thanks for the info" }-

If you put a single file as a detection override and set the override to Detect, Edge will detect the file regardless of what our database says - it will say it is a "Manually Added Infection".

Romagnolo1973
March 10th, 2009, 10:02 AM
-{ Quote: "If you put a single file as a detection override and set the override to Detect, Edge will detect the file regardless of what our database says - it will say it is a "Manually Added Infection"." }-
Ahhh thanks my Speedy Gonzales ;D
In the paid version the override is a set of instructions on Edge behaviour (block, or let the exe run);
in the free version this view is different and the override is only a catch control.
Ok thanks, now it is clear.

fce
March 10th, 2009, 11:02 AM
anybody using Prevx Edge with KIS2009 and SandboxIE on board?

mhallerman
March 10th, 2009, 11:04 AM
I may have spoken too soon - since installing KAV, I experience problems rendering certain pages in firefox only on certain sites; facebook, wilders, etc. I have excluded things down to the point of knowing it is KAV and nothing to do with Edge or SBIE. Of course this is not the KAV forum, but wanted to answer the question completely...

*************************************************************************************************************************


Yes, I use Edge with both SBIE and KAV2009. Was using Avira until yesterday.

No problems with Edge and SBIE since Edge was released. So far, no issues with KAV since yesterday.

Just had to uninstall Edge, install KAV then reinstall Edge.

Mark.

(Just realized you had said KIS - sorry)

denniz
March 10th, 2009, 02:51 PM
Don't know why, but Cyberlink Powerdvd doesn't seem very popular with anti-malware apps. Various anti-malware programs report different false positives.

Prevx Edge reported the following files as medium risk malware:

CLHBMixer_HBD.ax
DXRender.dll
dxRenderV.dll
vc1dsse2.dll

PrevxHelp
March 10th, 2009, 02:55 PM
-{ Quote: "Don't know why, but Cyberlink Powerdvd doesn't seem very popular with anti-malware apps. Various anti-malware programs report different false positives.

Prevx Edge reported the following files as medium risk malware:

CLHBMixer_HBD.ax
DXRender.dll
dxRenderV.dll
vc1dsse2.dll" }-

Could you email me a scan log? I'll see why they're being flagged :)

denniz
March 10th, 2009, 02:57 PM
-{ Quote: "Could you email me a scan log? I'll see why they're being flagged :)" }-

Done! :)

PrevxHelp
March 10th, 2009, 03:04 PM
-{ Quote: "Done! :)" }-

The reason why these files are being flagged by a lot of security products is that they use a highly controversial runtime encryption program on top of them which is used primarily by malware authors. The files are indeed clean and I've corrected the FPs :)

jmonge
March 10th, 2009, 03:05 PM
Hi PrevxHelp, any news on betas, updates or upgrades for Prevx Edge? Thanks.
If you guys do, please don't change the simplicity of this app please ;D

PrevxHelp
March 10th, 2009, 03:07 PM
-{ Quote: "Hi PrevxHelp, any news on betas, updates or upgrades for Prevx Edge? Thanks.
If you guys do, please don't change the simplicity of this app please ;D" }-

We're still deep in the development phase of the next versions :) Updates will be coming soon :)

jmonge
March 10th, 2009, 03:08 PM
-{ Quote: "We're still deep in the development phase of the next versions :) Updates will be coming soon :)" }-Cool ;), that's good news :)

denniz
March 10th, 2009, 03:10 PM
-{ Quote: "The reason why these files are being flagged by a lot of security products is that they use a highly controversial runtime encryption program on top of them which is used primarily by malware authors. The files are indeed clean and I've corrected the FPs :)
" }-

Thx for the info. :)

Apparently Cyberlink isn't bothered by this, which I find a bit strange..

But thx (again) for the real quick service! :)

denniz
March 10th, 2009, 03:16 PM
Euuh lol, now some other files are detected:

[screenshot attachment]

:P

jmonge
March 10th, 2009, 03:18 PM
-{ Quote: "Euuh lol, now some other files are detected:

[screenshot attachment]

:P" }-Do you have the heuristics on high?

denniz
March 10th, 2009, 03:19 PM
-{ Quote: "Do you have the heuristics on high?" }-

yes, i have.

jmonge
March 10th, 2009, 03:23 PM
-{ Quote: "yes, i have." }-Sometimes I get a lot of false positives with heuristics on high but I don't mind ;D as long as I know what I am doing. Now on my wife's PC I use the recommended setting, which is medium I believe :) She never gets a false positive like I do; I have it on high ;)

denniz
March 10th, 2009, 03:26 PM
I re-scanned with medium heuristics, but the false positives remain. :P

jmonge
March 10th, 2009, 03:27 PM
-{ Quote: "I re-scanned with medium heuristics, but the false positives remain. :P" }-Ahh??? Did you submit the file for inspection? Just in case, you never know ;D

silver0066
March 10th, 2009, 03:28 PM
Way too many false positives. Even explorer.

denniz
March 10th, 2009, 03:29 PM
The previous 4 I did, the 4 after that I didn't.

denniz
March 10th, 2009, 03:33 PM
-{ Quote: "Way too many false positives. Even explorer.
" }-

Never had any explorer false positives myself. :P

jmonge
March 10th, 2009, 03:35 PM
-{ Quote: "Never had any explorer false positives myself. :P" }-me neither;D

GES/POR
March 10th, 2009, 03:41 PM
-{ Quote: "me neither;D" }-

ditto

jmonge
March 10th, 2009, 03:47 PM
I remember when it was in beta, I tested this app and liked it, even if it failed one of the rogues I threw at it, but I reported it to Prevx Help and it was added to the jail list very fast ;) I love it a lot; I bought 2 copies, one for me and one for my wife and kids so they play online with peace of mind ;)

denniz
March 10th, 2009, 03:49 PM
-{ Quote: "Euuh lol, now some other files are detected:
[screenshot attachment]
:P" }-

The other false positives are also fixed now. :)

jmonge
March 10th, 2009, 03:50 PM
-{ Quote: "The other false positives are also fixed now. :)" }-
Man, that was really fast; with other vendors you will probably wait 3 business days ;D

denniz
March 10th, 2009, 03:56 PM
-{ Quote: "Man, that was really fast; with other vendors you will probably wait 3 business days ;D" }-

I submitted some Powerdvd false positives to Sunbelt about a week ago, I'm still waiting for them to fix it. ::)

jmonge
March 10th, 2009, 03:58 PM
-{ Quote: "I submitted some Powerdvd false positives to Sunbelt about a week ago, I'm still waiting for them to fix it. ::)" }-you see,told ya;D

Triple Helix
March 10th, 2009, 05:55 PM
Prevx Support is the best I have ever seen!

trjam
March 10th, 2009, 06:48 PM
-{ Quote: "Prevx Support is the best I have ever seen!" }-
says who.8)

I am ready to see the FP issue calm down.

LoneWolf
March 10th, 2009, 06:51 PM
-{ Quote: "says who.8)

I am ready to see the FP issue calm down." }-

Zero FP's with Prevx Edge so far here. ;D

PrevxHelp
March 10th, 2009, 07:00 PM
-{ Quote: "says who.8)

I am ready to see the FP issue calm down." }-

You're also only seeing one side of the detections :) Many of the FPs reported here have been detected by 5+ other AV engines as well, and that's just on VirusTotal - the rest are virtually all heuristic based and compared to a behavior blocker which shows 10-20 popups for every program installed, I think one or two heuristic detections every few months when installing new programs is relatively reasonable :)

trjam
March 10th, 2009, 07:01 PM
did not mean it did but, when you see the minimal correction of FPs in the software, well then, the boys have it just about dialed in perfectly. You know.

PrevxHelp
March 10th, 2009, 07:05 PM
-{ Quote: "did not mean it did but, when you see the minimal correction of FPs in the software, well then, the boys have it just about dialed in perfectly. You know." }-

Yes, true, but then a new infection comes around which uses a slightly different technique and then the battle starts over, which is why the news of AVs blocking extremely popular files like explorer.exe or user32.dll (which exist on literally every computer) tend to pop up once in a while :)

Triple Helix
March 10th, 2009, 08:15 PM
-{ Quote: "says who.8)

I am ready to see the FP issue calm down." }-

Me and only me and others Too! *puppy*

NoIos
March 11th, 2009, 08:35 AM
Hi,
today I have an alert from Prevx Edge about the file schannel.dll, found in the System32 directory. This machine runs Win Vista 32bit, English, SP1. The strange thing is that if I do a manual scan Edge does not detect the threat. But once every 30 minutes it alerts me about the schannel.dll file.

The file scanned online and locally with other security software (a-squared, MBAM, SAS, Clamav, Avast) appears clean.

Thanks.

PrevxHelp
March 11th, 2009, 09:10 AM
-{ Quote: "Hi,
today I have an alert from Prevx Edge about the file schannel.dll, found in the System32 directory. This machine runs Win Vista 32bit, English, SP1. The strange thing is that if I do a manual scan Edge does not detect the threat. But once every 30 minutes it alerts me about the schannel.dll file.

The file scanned online and locally with other security software (a-squared, MBAM, SAS, Clamav, Avast) appears clean.

Thanks." }-

Hello,
Could you save a scan log by clicking Tools > Save Scan Results and then send me the line from the file which includes schannel.dll (or the whole file if you want :)). I'll see what is triggering the warning :)

NoIos
March 11th, 2009, 09:37 AM
Hi,
thanks for the reply. Please inform me on how to send you the file.
In any case the only line that has to do with schannel.dll is the following:

[G] (ACTIVE) c:\windows\system32\schannel.dll [PX5: AD2D6B260015D573186404B9EAAE1D00DBA92559]

PrevxHelp
March 11th, 2009, 09:40 AM
-{ Quote: "Hi,
thanks for the reply. Please inform me on how to send you the file.
In any case the only line that has to do with schannel.dll is the following:

[G] (ACTIVE) c:\windows\system32\schannel.dll [PX5: AD2D6B260015D573186404B9EAAE1D00DBA92559]" }-

Hmm... are you still receiving the warnings? It looks like the file was automatically trusted in our database some hours ago.

NoIos
March 11th, 2009, 09:43 AM
Here is a screenshot of the alert:
http://img15.imageshack.us/my.php?image=pedgeschannelscrshot.jpg

Please note that doing a regular manual scan shows that I'm clean...then the alert returns. Maybe this explains why in the scan results log I don't see something strange or a report about schannel.dll

NoIos
March 11th, 2009, 09:44 AM
-{ Quote: "Hmm... are you still receiving the warnings? It looks like the file was automatically trusted in our database some hours ago." }-

Yes the alert still appears. About once every 30 minutes. Even after a scan with edge that has shown that I'm clean.

PrevxHelp
March 11th, 2009, 09:46 AM
-{ Quote: "Here is a screenshot of the alert:
http://img15.imageshack.us/my.php?image=pedgeschannelscrshot.jpg

Please note that doing a regular manual scan shows that I'm clean...then the alert returns. Maybe this explains why in the scan results log I don't see something strange or a report about schannel.dll" }-

That is indeed strange ??? Could you click Settings > Detection Overrides > Add Override, then browse to the file and click the down arrow in the drop box and select Ignore this file, then click save.

This should prevent the warning from showing.

NoIos
March 11th, 2009, 09:51 AM
For now I'll leave the warning on. I want to monitor this more. Thank you for your replies.

PrevxHelp
March 11th, 2009, 09:55 AM
-{ Quote: "For now I'll leave the warning on. I want to monitor this more. Thank you for your replies." }-

Well, the file is legitimate - it was just installed new because of an update within the last day or so which is what caused the initial warning. However, I'm not sure why the warning would be persisting when the file is scanned as clean. Let me know if you find anything else :)

NoIos
March 11th, 2009, 11:29 AM
Just some additional information.

I've checked the md5 of the file schannel.dll on another pc running same OS and prevx edge and the md5 of the same file on the pc that shows the alert.
The two md5 hashes match. Note that on the other pc I have no alerts.

I know you've already told me ( and I actually knew it) that the file is legitimate. But checking if the two files are identical I believe was a necessary step.

For me this is absolutely a bug of prevx or ...best case... some kind of incompatibility that triggers the alert ( although I can't imagine how ).

I will keep this for a few more hours to see if something changes from your part, then I'll try to uninstall edge and reinstall.

PrevxHelp
March 11th, 2009, 11:35 AM
Please let me know what you uncover - uninstalling/reinstalling will definitely fix it, but I don't think there's anything else we can do at this point as every record about the file blatantly says 'Good' :-\

NoIos
March 11th, 2009, 12:05 PM
The new installation seems to have fixed the issue. No alerts till now (first 30 minutes running the new installation).

BrendanAdams
March 11th, 2009, 12:31 PM
I had exactly the same alert, but I restored the file (after blocking it initially), or actually overwrote it (maybe windows had replaced the blocked one automatically), and no alert since then.

PrevxHelp
March 11th, 2009, 01:23 PM
Hello all,
Just wanted to let you all know that we just completed a complex new module on the database which will dramatically reduce the number of false positives. This change is, by far, the widest reaching false positive reduction improvement we've ever implemented. It comes after a great deal of analysis over the data from the first 3 months of Edge being "in the wild". We've engineered this improvement so that it will not affect protection but only false positives - especially the ones reported here frequently with the age/spread warnings.

I do enjoy fixing false positives quickly, but I'm sorry to say I won't have to do it as often now :( I'm still here, of course, if you need any other assistance or if you do experience a FP which escapes our new "trap" for them ;D

Please let me know if you have any questions or comments!

Baldrick
March 11th, 2009, 05:36 PM
Hi Joe

Just got what I believe is an FP re. Drivermax.exe, which I have just downloaded but as far as I can tell is legitimate driver scanning & updating software (from innovative-sol.com).

Do you need me to PM you a scan log?

Cheers


Balders

PrevxHelp
March 11th, 2009, 05:44 PM
Yes please :)

trjam
March 11th, 2009, 07:01 PM
-{ Quote: "Hello all,
Just wanted to let you all know that we just completed a complex new module on the database which will dramatically reduce the number of false positives. This change is, by far, the widest reaching false positive reduction improvement we've ever implemented. It comes after a great deal of analysis over the data from the first 3 months of Edge being "in the wild". We've engineered this improvement so that it will not affect protection but only false positives - especially the ones reported here frequently with the age/spread warnings.

I do enjoy fixing false positives quickly, but I'm sorry to say I won't have to do it as often now :( I'm still here, of course, if you need any other assistance or if you do experience a FP which escapes our new "trap" for them ;D

Please let me know if you have any questions or comments!" }-


As Easter would say, "This is outstanding."
This is the next step for a product to strive for and Prevx has done it. Some AV vendors are still trying, after many years. Why is this so important? Because of the short time frame that Prevx has accomplished this in. I can now say with all my heart, Prevx Edge has proved that it is the one most valuable product on the market. It has set a new benchmark for all other malware products to shoot for.:thumb:

Joe, you will still be needed,8) but I am totally impressed with what Prevx has now accomplished. The corks should be popping.

PrevxHelp
March 11th, 2009, 07:05 PM
-{ Quote: "Joe, you will still be needed,8) but I am totally impressed with what Prevx has now accomplished. The corks should be popping." }-

Thanks ;D The final impact of the changes should be affecting all users within the next couple hours so we have some fun times ahead :)

trjam
March 11th, 2009, 07:26 PM
tell PWD he still owes me a slight improvement in the tray icon. He knows what to do.:dry:

PrevxHelp
March 11th, 2009, 07:29 PM
-{ Quote: "tell PWD he still owes me a slight improvement in the tray icon. He knows what to do.:dry:" }-

It's already in, just waiting for the next version currently :)

raven211
March 12th, 2009, 10:11 AM
Is it in beta so that I can test it? ;D

PrevxHelp
March 12th, 2009, 10:13 AM
-{ Quote: "Is it in beta so that I can test it? ;D" }-

Not for a while still :) We have a lot of features in development at the moment :)

jmonge
March 12th, 2009, 10:56 AM
-{ Quote: "Not for a while still :) We have a lot of features in development at the moment :)" }-
new features?

PrevxHelp
March 12th, 2009, 11:04 AM
-{ Quote: "new features?" }-

Keeping quiet on them for a little while still, but they will be revealed soon ;D

jmonge
March 12th, 2009, 11:05 AM
-{ Quote: "Keeping quiet on them for a little while still, but they will be revealed soon ;D" }-ok;) :) ;)

mvdu
March 12th, 2009, 04:58 PM
Does Threatfire complement Prevx Edge? Or are they redundant?

PrevxHelp
March 12th, 2009, 04:59 PM
-{ Quote: "Does Threatfire complement Prevx Edge? Or are they redundant?" }-

They do have overlap but it does complement Edge if you are interested in more granular reporting of detections :)

jmonge
March 12th, 2009, 05:29 PM
-{ Quote: "They do have overlap but it does complement Edge if you are interested in more granular reporting of detections :)" }-cool:)

trjam
March 12th, 2009, 05:44 PM
Threatfire is old school technology. Wait till you see what Prevx is going to roll out in the near distant future. It should, or will, put an end to all of this side by side comparison. ;)

jmonge
March 12th, 2009, 05:52 PM
;D -{ Quote: "Threatfire is old school technology. Wait till you see what Prevx is going to roll out in the near distant future. It should, or will, put an end to all of this side by side comparison. ;)" }-;D ;D

Baldrick
March 12th, 2009, 06:08 PM
-{ Quote: "Threatfire is old school technology. Wait till you see what Prevx is going to roll out in the near distant future. It should, or will, put an end to all of this side by side comparison. ;)" }-
Can haaaaaaaaaaaaaaaaaaardly wait! :o

GES/POR
March 12th, 2009, 07:07 PM
-{ Quote: "Threatfire is old school technology. Wait till you see what Prevx is going to roll out in the near distant future. It should, or will, put an end to all of this side by side comparison. ;)" }-

It already has for me

Ed_H
March 12th, 2009, 08:27 PM
I have tried Prevx Edge a couple of times and always noticed a bit of a drag on my system. I had it running along with DefenseWall and Avira 9 Suite Beta. Any conflicts with these?

Longboard
March 12th, 2009, 08:29 PM
@Joe
What's all this about?
http://www.theregister.co.uk/2009/03/12/bbc_botnet_probe/
Blogged anywhere ?
Looks to me like the BBC took a few liberties ??
Need to be Careful who you cooperate with ??

All those endusers who had their screensavers taken over must not have been running PrevX eh.

PrevxHelp
March 12th, 2009, 09:02 PM
-{ Quote: "I have tried Prevx Edge a couple of times and always noticed a bit of a drag on my system. I had it running along with DefenseWall and Avira 9 Suite Beta. Any conflicts with these?" }-

I'm not aware of any conflicts with those, however I may be able to optimize your installation if you send me a scan log - I'll PM you my email address to see if I can find anything wrong :)

LoneWolf
March 12th, 2009, 09:07 PM
-{ Quote: "I have tried Prevx Edge a couple of times and always noticed a bit of a drag on my system. I had it running along with DefenseWall and Avira 9 Suite Beta. Any conflicts with these?" }-

I have Prevx Edge and DefenseWall running here w/o any problems.
Those two plus Malware Defender. Never tried Avira 9 Suite Beta.

PrevxHelp
March 12th, 2009, 09:08 PM
-{ Quote: "@Joe
What's all this about?
http://www.theregister.co.uk/2009/03/12/bbc_botnet_probe/
Blogged anywhere ?
Looks to me like the BBC took a few liberties ??
Need to be Careful who you cooperate with ??

All those endusers who had their screensavers taken over must not have been running PrevX eh." }-

Don't believe everything you read ;D The BBC's demo did NOT take down our website :) We allowed them to attack a small demo website which we put up - it actually has no relation to our website at all, but it's reasonable that the true attack destination got confused.

I'm not sure what the users were actually using but the actual botnet was acquired by the BBC ~6 months ago, I believe, so they couldn't have been using Edge ;D (and also, we heuristically detect the backdoor trojan used in the attack so we would have blocked it anyway :))

(Also, FWIW, the BBC changed their desktop background, not screensaver, to report the infection)

EDIT: Minor text edits :)

GabolaN
March 12th, 2009, 11:06 PM
Hi there.

As I said before, I'll use Prevx to fix my client's malware problems, so I'll inform you of every problem/bug etc. I find.


Here's the first one: Is it OK to run it in safe mode, or is it better to run it in normal mode? Because I ran it on a client's PC and just before finishing the SCAN, the error appeared: "Windows has been detected and..."

PrevxHelp
March 12th, 2009, 11:28 PM
It is recommended that you install first in "normal mode" but you can then boot into safemode (with networking) and use CSI from there. Installing from safemode introduces some challenges and there is a chance that the installation won't complete because of how Windows manages safemode itself.

I suspect that the warning you are receiving is from an infection on the system. You may be able to prevent this from happening by enabling Self Protection within CSI by clicking Settings > Self Protection and then set it on the Maximum level.

Ed_H
March 12th, 2009, 11:35 PM
-{ Quote: "I'm not aware of any conflicts with those, however I may be able to optimize your installation if you send me a scan log - I'll PM you my email address to see if I can find anything wrong :)" }-

Joe has already got things optimized!!!!! My laptop is now running great...I can't tell Prevx is there. Great support.:thumb:

PrevxHelp
March 12th, 2009, 11:37 PM
-{ Quote: "Joe has already got things optimized!!!!! My laptop is now running great...I can't tell Prevx is there. Great support.:thumb:" }-

Great to hear :) Let me know if you need anything else!

jmonge
March 13th, 2009, 12:43 AM
-{ Quote: "I have tried Prevx Edge a couple of times and always noticed a bit of a drag on my system. I had it running along with DefenseWall and Avira 9 Suite Beta. Any conflicts with these?" }-the problem here was not DefenseWall, it was Avira ;D so Avira bye bye :)

jmonge
March 13th, 2009, 12:45 AM
-{ Quote: "It is recommended that you install first in "normal mode" but you can then boot into safemode (with networking) and use CSI from there. Installing from safemode introduces some challenges and there is a chance that the installation won't complete because of how Windows manages safemode itself.

I suspect that the warning you are receiving is from an infection on the system. You may be able to prevent this from happening by enabling Self Protection within CSI by clicking Settings > Self Protection and then set it on the Maximum level." }-
By setting Edge to the max, will it help remove malware faster, or what?

PrevxHelp
March 13th, 2009, 08:56 AM
-{ Quote: "By setting Edge to the max, will it help remove malware faster, or what?" }-

Some infections try to load and kill Edge, so if you are running into problems when cleaning infections, self protection tends to help :)

jmonge
March 13th, 2009, 09:49 AM
-{ Quote: "Some infections try to load and kill Edge, so if you are running into problems when cleaning infections, self protection tends to help :)" }-well I didn't know that, thanks a lot

Ed_H
March 13th, 2009, 10:45 AM
-{ Quote: "the problem here was not DefenseWall, it was Avira ;D so Avira bye bye :)" }-

You might want to try the combo again as it is working very well for me now since Joe optimized things a bit.:thumb:

jmonge
March 13th, 2009, 01:48 PM
-{ Quote: "You might want to try the combo again as it is working very well for me now since Joe optimized things a bit.:thumb:" }-thanks ;) do you have the beta 9 of Avira or just version 8? thanks again

mvdu
March 13th, 2009, 02:27 PM
So CIS, Prevx Edge, and Threatfire I guess is the ultimate prevention setup right now for Vista 64-bit at little cost. ;)

jmonge
March 13th, 2009, 02:33 PM
-{ Quote: "So CIS, Prevx Edge, and Threatfire I guess is the ultimate prevention setup right now for Vista 64-bit at little cost. ;)" }-is it? I know Prevx is good at blocking malware in Vista, but TF, mm, never tried in Vista, I don't know ;D. It will be nice if the TF developers change the allow/kill option soon :)

raven211
March 13th, 2009, 02:46 PM
-{ Quote: "is it? I know Prevx is good at blocking malware in Vista, but TF, mm, never tried in Vista, I don't know. It will be nice if the TF developers change the allow/kill option soon" }-

Actually, full 64-bit support for TF is coming or is already here - and you know what? The TF staff has officially confirmed that the deny option IS coming, planned before or sometime this summer!!! :D EDIT: Seeing that you posted in that very topic makes me confused why you're talking like this. ;D

raven211
March 13th, 2009, 02:49 PM
-{ Quote: "It allready has for me" }-

Not completely confirmed for me yet - simply not sure about some detections I've been experiencing from other main-security of mine, but sometime I hope I'll get to a point where I know. ;)

mvdu
March 13th, 2009, 02:50 PM
-{ Quote: "Actually, full 64-bit support for TF is coming or is already here - and you know what? The TF staff has officially confirmed that the deny option IS coming, planned before or sometime this summer!!! :D EDIT: Seeing that you posted in that very topic makes me confused why you're talking like this. ;D" }-

Great news about the deny option! Because I quarantined a svchost action recently (was modifying sysnative which seems normal, but wanted to be sure) and had to do a system restore.

PrevxHelp
March 13th, 2009, 02:50 PM
-{ Quote: "Not completely confirmed for me yet - simply not sure about some detections I've been experiencing from other main-security of mine, but sometime I hope I'll get to a point where I know. ;)" }-

If you have any detections you're questionable about, feel free to send them to me and I'll check them out :)

raven211
March 13th, 2009, 02:54 PM
-{ Quote: "Hmm... are you still receiving the warnings? It looks like the file was automatically trusted in our database some hours ago." }-

Just curious... if this is an automatic process, why is it detected in the first place? Is it because the database looks at the behavior analyzed and when it's deemed completely legit and safe it gets whitelisted? Are you often personally involved in the process at all? ;D

mvdu
March 13th, 2009, 02:55 PM
-{ Quote: "If you have any detections you're questionable about, feel free to send them to me and I'll check them out :)" }-

Prevx still detects temp files from the new AntiVir beta - I don't have the log now, but has this been reported?

PrevxHelp
March 13th, 2009, 02:56 PM
-{ Quote: "Just curious... if this is an automatic process, why is it detected in the first place? Is it because the database looks at the behavior analyzed and when it's deemed completely legit and safe it gets whitelisted? Are you often personally involved in the process at all? ;D" }-

No one actually clicked anything to determine the file - the file changed from being "new/suspicious" to "good" after enough data was gathered :) (And note: the new change we've rolled out over the last day or so will prevent almost all of these FPs from happening in the future ;))

PrevxHelp
March 13th, 2009, 02:56 PM
-{ Quote: "Prevx still detects temp files from the new AntiVir beta - I don't have the log now, but has this been reported?" }-

I'm not aware of it - could you make a log so I can see why they're being detected?

Baldrick
March 13th, 2009, 02:58 PM
-{ Quote: "Joe has already got things optimized!!!!! My laptop is now running great...I can't tell Prevx is there. Great support.:thumb:" }-
That is how most of us are finding using the Edge...don't know it's there and SUPERLATIVE support! ;D

mvdu
March 13th, 2009, 03:01 PM
-{ Quote: "I'm not aware of it - could you make a log so I can see why they're being detected?" }-

The log does have some of the entries after all - it detects them as Community.OuterEdge. I'll send the log file now so I don't forget - what post had your e-mail address to send?

PrevxHelp
March 13th, 2009, 03:04 PM
-{ Quote: "The log does have some of the entries after all - it detects them as Community.OuterEdge. I'll send the log file now so I don't forget - what post had your e-mail address to send?" }-

I PM'd you my email address - note that "Community.OuterEdge" in the log does not necessarily mean that Edge blocked/detected the files, just that they have that characteristic.
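Two points from the replies above deserve a concrete illustration: a file's reputation can move from "new/suspicious" to "good" automatically once enough age and spread data has accumulated (no analyst clicks anything), and a characteristic tag such as "Community.OuterEdge" in a log is descriptive and is not by itself a block decision. The following is an added example written for this page; it is not Prevx's code or its real algorithm, and every threshold, tag name, function name and the sample file hash are constructed assumptions chosen only to show how an age/prevalence reputation gate can separate tags from verdicts.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of an age/spread reputation gate. Thresholds are assumptions
# for the illustration and do not describe any real product's tuning.


@dataclass
class FileRecord:
    first_seen: datetime
    hosts: set = field(default_factory=set)   # distinct hosts that ran the file
    clean_runs: int = 0                       # runs with no hostile behaviour seen
    hostile_events: int = 0                   # runs where flagged behaviour was seen


class ReputationDB:
    MIN_AGE = timedelta(days=3)   # assumed: younger files are tagged "young"
    MIN_HOSTS = 20                # assumed: fewer hosts are tagged "low_spread"
    MIN_CLEAN_RUNS = 50           # assumed: evidence required before auto-trust
    HOSTILE_LIMIT = 2             # assumed: repeated hostile runs => "bad"

    def __init__(self):
        self.files = {}

    def observe(self, sha256, host_id, now, hostile=False):
        """Record one execution report from one host."""
        rec = self.files.setdefault(sha256, FileRecord(first_seen=now))
        rec.hosts.add(host_id)
        if hostile:
            rec.hostile_events += 1
        else:
            rec.clean_runs += 1
        return rec

    def characteristics(self, sha256, now):
        """Descriptive log tags only; having a tag is not a block decision."""
        rec = self.files.get(sha256)
        if rec is None:
            return ["unknown"]
        tags = []
        if now - rec.first_seen < self.MIN_AGE:
            tags.append("young")
        if len(rec.hosts) < self.MIN_HOSTS:
            tags.append("low_spread")
        if rec.hostile_events:
            tags.append("hostile_behaviour_seen")
        return tags or ["established"]

    def verdict(self, sha256, now):
        """Automatic state: unknown, new/suspicious, good or bad."""
        rec = self.files.get(sha256)
        if rec is None:
            return "unknown"
        if rec.hostile_events >= self.HOSTILE_LIMIT:
            return "bad"
        tags = self.characteristics(sha256, now)
        if "young" in tags or "low_spread" in tags:
            return "new/suspicious"      # the age/spread warning case
        if rec.clean_runs >= self.MIN_CLEAN_RUNS:
            return "good"                # trusted purely from gathered data
        return "new/suspicious"

    def should_block(self, sha256, now):
        """Block only on a bad verdict or on hostile behaviour from a new file;
        a low-spread tag alone just produces a warning, not a block."""
        rec = self.files.get(sha256)
        v = self.verdict(sha256, now)
        return v == "bad" or (v == "new/suspicious" and rec.hostile_events > 0)


def simulate_rollout():
    """Constructed walk-through: a fresh legitimate file ages into 'good'."""
    db = ReputationDB()
    sha = "constructed-sha256-of-a-new-legit-file"
    t0 = datetime(2009, 3, 10, 12, 0)
    db.observe(sha, "host-0", t0)
    first_verdict = db.verdict(sha, t0)
    first_tags = db.characteristics(sha, t0)
    blocked_at_first = db.should_block(sha, t0)
    # Five days later 29 more hosts have each run it cleanly twice.
    t1 = t0 + timedelta(days=5)
    for h in range(1, 30):
        for _ in range(2):
            db.observe(sha, f"host-{h}", t1)
    return first_verdict, first_tags, blocked_at_first, db.verdict(sha, t1)


def simulate_dropper():
    """Constructed walk-through: a new file seen misbehaving is blocked."""
    db = ReputationDB()
    sha = "constructed-sha256-of-a-dropper"
    now = datetime(2009, 3, 13, 16, 0)
    db.observe(sha, "host-a", now, hostile=True)
    blocked_after_one = db.should_block(sha, now)
    db.observe(sha, "host-b", now, hostile=True)
    return blocked_after_one, db.verdict(sha, now)


if __name__ == "__main__":
    print(simulate_rollout())
    print(simulate_dropper())
```

The design point is the split between `characteristics()` and `should_block()`: a log line carrying a "low_spread" tag records what the database knows about a file, while the block decision needs either accumulated hostile behaviour or a new file actually misbehaving, which is what lets a clean but rare file be warned on rather than quarantined and later promoted to "good" without human review.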

mvdu
March 13th, 2009, 03:05 PM
-{ Quote: "I PM'd you my email address - note that "Community.OuterEdge" in the log does not necessarily mean that Edge blocked/detected the files, just that they have that characteristic." }-

It did block before, though, something about the age/spread again.

mvdu
March 13th, 2009, 03:09 PM
I sent you the log.

raven211
March 13th, 2009, 03:09 PM
-{ Quote: "No one actually clicked anything to determine the file - the file changed from being "new/suspicious" to "good" after enough data was gathered :) (And note: the new change we've rolled out over the last day or so will prevent almost all of these FPs from happening in the future ;))" }-

Aww... this still makes me scratch my head (or not actually - why screw with my hair, I'm just thinking, LOL! ;D)... How can it determine that if mostly good things are being done, but suspicious things like accessing or modifying in sensitive areas is happening, a file or similar is indeed safe - just as an example? :-\

EDIT: Hmm... this is interesting... I downloaded the first crack for Norton I saw on a torrent site to test, opened it and here's the result: Prevx scans the file first for a while, returns no alert. Then TF pops up (you're next! ;D) with a VERY HIGH rating. It's trying to copy an executable file to a sensitive area. I open the details and take a screenshot of the windows - this is referring to my "Not completely confirmed for me yet" post. :) :P

I obviously chose to kill and quarantine it. Take a look at it and see what you think. ;)

PrevxHelp
March 13th, 2009, 03:21 PM
-{ Quote: "Aww... this still makes me scratch my head (or not actually - why screw with my hair, I'm just thinking, LOL! ;D)... How can it determine that if mostly good things are being done, but suspicious things like accessing or modifying in sensitive areas is happening, a file or similar is indeed safe - just as an example? :-\

EDIT: Hmm... this is interesting... I downloaded the first crack for Norton I saw on a torrent site to test, opened it and here's the result: Prevx scans the file first for a while, returns no alert. Then TF pops up (you're next! ;D) with a VERY HIGH rating. It's trying to copy an executable file to a sensitive area. I open the details and take a screenshot of the windows - this is referring to my "Not completely confirmed for me yet" post. :) :P

I obviously chose to kill and quarantine it. Take a look at it and see what you think. ;)" }-

No protection is 100% - whether this file is actually malicious or not is yet to be determined, all that Threatfire is warning on is copying a file into the system directory... which isn't anything too out of the ordinary. If you want, send me the file and I'll analyze it to see if it really is malicious or not :)

jmonge
March 13th, 2009, 03:24 PM
-{ Quote: "No protection is 100% - whether this file is actually malicious or not is yet to be determined, all that Threatfire is warning on is copying a file into the system directory... which isn't anything too out of the ordinary. If you want, send me the file and I'll analyze it to see if it really is malicious or not :)" }-it is a crack so maybe it is malicious ;D

PrevxHelp
March 13th, 2009, 03:25 PM
-{ Quote: "it is a crack so maybe it is malicious ;D" }-

Symantec would certainly think so, but seeing the file would be more helpful ;D

jmonge
March 13th, 2009, 03:36 PM
-{ Quote: "Symantec would certainly think so, but seeing the file would be more helpful ;D" }-yep ;) agree of course

raven211
March 13th, 2009, 03:45 PM
It sure is common Symantec detects all sorts of cracks and keygens - testing it has shown that, but this is TF detecting through behavior, though I ofc get your point. :) Should I send it to you by e-mail?

PrevxHelp
March 13th, 2009, 04:04 PM
Yes definitely :)

raven211
March 13th, 2009, 04:26 PM
Sent ;)

Dr33
March 13th, 2009, 04:30 PM
I just bought:
5 PC 3 years Prevx Edge
and when I activate it, it shows Expiration 365 Days only ???
???
Is it a bug, or what do I have to do ???
Thanks

PrevxHelp
March 13th, 2009, 04:36 PM
Could you try running a scan and see if it corrects it to your 3 years duration? If it doesn't, let me know and I'll see what's going on :)

Dr33
March 13th, 2009, 04:39 PM
That was Quick and it worked lol :o
Thanks!

PrevxHelp
March 13th, 2009, 04:40 PM
-{ Quote: "Sent ;)" }-

I checked out the file and it is indeed malicious, but the reason why Edge didn't grab it is because you were the first user to see this variant and Threatfire blocked it before Edge had a chance to analyze the behavior at runtime.

There appear to be two other variants of this infection (which are a ~90% match to this file) - both of which are found as "Malware Dropper" already but they were released back in February. This seems like a relatively new infection - I've marked it "bad" for now and forwarded it to the research team to see if they have any thoughts on updating a rule for it :)

raven211
March 13th, 2009, 04:45 PM
So, you're saying that Prevx would detect it after that through its heuristics, which are set to the default here: Medium. Did you get that result yourself?

PrevxHelp
March 13th, 2009, 04:47 PM
-{ Quote: "So, you're saying that Prevx would detect it after that through its heuristics, which are set to the default here: Medium. Did you get that result yourself?" }-

Yes, I believe it would - I didn't actually test it as I'm a bit short on virtual machines at the moment but based on the way that it drops files, it does look like it would be found heuristically.