Introducing, The New Prevx Edge.
PrevxHelp
April 8th, 2009, 04:34 PM
-{ Quote: "Beta 3.0.1.48 - If one has a password protecting access to the settings, then when one right-clicks the tray icon and selects "Configure Protection" the password dialog box is hidden underneath the main configuration dialog window. Thus, if one clicks "Settings" or "Configure" nothing appears to happen. If one looks at the Task Bar the "Password Required" button is there but, it does trick you for a minute....ya might want to have the password dialog box pop-up on top of the main dialog window....;)
galileo" }-
Good catch :) We'll force the password window to the top. Thanks!
dorgane
April 8th, 2009, 05:20 PM
-{ Quote: "Joe,
I am currently running 46, have not had an automatic update and if I click 'check for updates' it tells me I have the latest version. And yes, I do have 'Automatically download and apply updates' ticked.
When I ran CSI before Edge was released it always updated automatically, but Edge has never updated automatically or responded to the 'Check for updates' request - it always says I am up to date no matter if I am running a released version or a beta, I have always had to download and install manually.
Another personal bug particular to my machine?" }-
me too.
don't run automatic, just manually
PrevxHelp
April 8th, 2009, 05:22 PM
-{ Quote: "me too.
don't run automatic, just manually" }-
To everyone who has had upgrade "issues" today - these were caused because of the false positive we had earlier with the MBR scan. We decided to wait to put out a new Beta for upgrade until we fixed this new functionality.
We will have the new version out by the morning and you all should return to upgrading automatically again :)
raven211
April 8th, 2009, 05:37 PM
-{ Quote: "Are you updating manually or by clicking "Check for updates"? Also, are you using a limited user account? Updating "should" take place silently, but there are a few cases where it wouldn't.
Our goal is to make everything as seamless as possible :)" }-
Only automatic. I recall 46 and 47 not being quiet ("Status" appearing), while 48 possibly could be quiet - didn't notice what then. I'm running a default (admin) account on WinXP SP3.
dorgane
April 8th, 2009, 05:39 PM
OK, thank you for the reply.
I have another question.
Are you making a webpage or an option in the program to send samples?
And a date for many languages?
Thank you.
raven211
April 8th, 2009, 05:44 PM
-{ Quote: "OK, thank you for the reply.
I have another question.
Are you making a webpage or an option in the program to send samples?
And a date for many languages?
Thank you." }-
I guess you mean for extra attention, cause all information that's new to the db is sent automatically. ;)
PrevxHelp
April 8th, 2009, 06:50 PM
-{ Quote: "OK, thank you for the reply.
I have another question.
Are you making a webpage or an option in the program to send samples?
And a date for many languages?
Thank you." }-
We are still planning to have a website to send samples but for now, you can PM me and I'll forward them onto the research team :)
More languages are coming soon also ;)
raven211
April 9th, 2009, 04:21 AM
-{ Quote: "We are still planning to have a website to send samples but for now, you can PM me and I'll forward them onto the research team :)
More languages are coming soon also ;)" }-
Is direct-submission to you not planned for the software as well?
raven211
April 9th, 2009, 04:50 AM
Aha! Here we go again... updating to 49 showed the Status-popup once again.
Blackcat
April 9th, 2009, 07:21 AM
-{ Quote: "To everyone who has had upgrade "issues" today - these were caused because of the false positive we had earlier with the MBR scan. We decided to wait to put out a new Beta for upgrade until we fixed this new functionality.
We will have the new version out by the morning and you all should return to upgrading automatically again :)" }-
I am running the beta, 3.0.1.48, and when manually updating receive the message: "Prevx 3.0 update failed. Try again later".
Any news on the new version?
Baldrick
April 9th, 2009, 08:52 AM
Hi Joe
Running .49 and am puzzled as BOTH 'Scanning and Detection' & 'Realtime Infection Monitoring' Configure options point to 'Setting' when I would have thought that the latter should point to 'Tools'. ???
Am I losing it or what? ;)
Also, I think that the colour impact of the latest build seems to be toned down...washed out...which I do not think is good.
Other than that the build seems to be working well so far! ;D
PrevxHelp
April 9th, 2009, 09:03 AM
-{ Quote: "Hi Joe
Running .49 and am puzzled as BOTH 'Scanning and Detection' & 'Realtime Infection Monitoring' Configure options point to 'Setting' when I would have thought that the latter should point to 'Tools'. ???
Am I losing it or what? ;)
Also, I think that the colour impact of the latest build seems to be toned down...washed out...which I do not think is good.
Other than that the build seems to be working well so far! ;D" }-
The Configure buttons are currently just placeholders :) We haven't yet changed the colors, so this is the same as it has been but we are going to be changing them to be stronger/less washed out :)
Also, for everyone who has asked before - you can now click on the text "Total Scan Statistics:" and it will let you reset your front screen statistics :)
galileo
April 9th, 2009, 09:07 AM
Beta 3.0.1.48: Scan Scheduler has an option for scanning at next bootup if the machine was powered-off at the scan time. Many machines use "Suspend" mode rather than powered-off. The Windows task scheduler provides an option to "Wake the computer to run this task"...can you add such an option to the Prevx Scan Scheduler...?...???
...no auto-update to 3.0.1.49 yet 9:09 AM EST...
galileo
PrevxHelp
April 9th, 2009, 09:10 AM
-{ Quote: "Beta 3.0.1.48: Scan Scheduler has an option for scanning at next bootup if the machine was powered-off at the scan time. Many machines use "Suspend" mode rather than powered-off. The Windows task scheduler provides an option to "Wake the computer to run this task"...can you add such an option to the Prevx Scan Scheduler...?...???" }-
Yes, we should be able to :) I'll add it to the list :)
PrevxHelp
April 9th, 2009, 09:11 AM
-{ Quote: "I am running the beta, 3.0.1.48, and when manually updating receive the message: "Prevx 3.0 update failed. Try again later".
Any news on the new version?" }-
If you try now, are you still receiving the error when manually updating?
PrevxHelp
April 9th, 2009, 09:12 AM
-{ Quote: "Aha! Here we go again... updating to 49 showed the Status-popup once again." }-
Just to clarify - did you upgrade by clicking "Check for updates" or did it update automatically?
galileo
April 9th, 2009, 09:13 AM
-{ Quote: "If you try now, are you still receiving the error when manually updating?" }-
Is auto-update functioning in the 3.0.1.48 build...?
galileo
Blackcat
April 9th, 2009, 09:21 AM
-{ Quote: "If you try now, are you still receiving the error when manually updating?" }-
Yes, just tried.
PrevxHelp
April 9th, 2009, 09:24 AM
-{ Quote: "Is direct-submission to you not planned for the software as well?" }-
Yes, but it may be easier to just have a web based form. Our software automatically sends up data about samples so if there is a new threat emerging, chances are we know about it.
Web-based submission is useful for the "one-off" types of threats but if we do add it into the product, it will probably just be a link in the product to the web form.
Dark Star 72
April 9th, 2009, 09:37 AM
Joe,
bld 46 still telling me I have the latest version. I have it set for a routine scan in 20 mins, I'll see what happens then.
PrevxHelp
April 9th, 2009, 10:01 AM
-{ Quote: "Joe,
bld 46 still telling me I have the latest version. I have it set for a routine scan in 20 mins, I'll see what happens then." }-
Could you try once more now? :)
silver0066
April 9th, 2009, 10:08 AM
Build 40 is telling me I have the latest version. What's up?
Baldrick
April 9th, 2009, 10:08 AM
-{ Quote: "The Configure buttons are currently just placeholders :) We haven't yet changed the colors, so this is the same as it has been but we are going to be changing them to be stronger/less washed out :)
Also, for everyone who has asked before - you can now click on the text "Total Scan Statistics:" and it will let you reset your front screen statistics :)" }-
Hi Jo
Understood. Thanks for the clarification.
However, with .49 I have had a recurrence of the legitimate MBR modification (by RollBack Rx in this case) being detected as a Rootkit activity, as detailed in the following post:
http://www.wilderssecurity.com/showpost.php?p=1441413&postcount=3237
Any chance that this could be corrected as under .48? ;D
LagerX
April 9th, 2009, 10:11 AM
.48 upgraded successfully to .49 :thumb:
Blackcat
April 9th, 2009, 10:23 AM
Still no go here; stuck on .48.
Dark Star 72
April 9th, 2009, 10:23 AM
-{ Quote: "Could you try once more now? :)" }-
Just clicked 'Check for updates' - tells me a new version is available - I clicked yes to install, activity down at the task bar from prevx as usual - BUT, the tray icon has now disappeared and clicking on the shortcut is producing no response - it's dead :(
Start > all programs > Prevx gets no response either. Cannot start it.
I'm going out for about 15 mins or so, I'll see what you recommend when I get back. My instinct is to uninstall, clean up any registry entries and try a fresh install - would that be a good idea? :-\
PrevxHelp
April 9th, 2009, 10:32 AM
-{ Quote: "Just clicked 'Check for updates' - tells me a new version is available - I clicked yes to install, activity down at the task bar from prevx as usual - BUT, the tray icon has now disappeared and clicking on the shortcut is producing no response - it's dead :(
Start > all programs > Prevx gets no response either. Cannot start it.
I'm going out for about 15 mins or so, I'll see what you recommend when I get back. My instinct is to uninstall, clean up any registry entries and try a fresh install - would that be a good idea? :-\" }-
Could you first try just rebooting? If that doesn't solve it, then yes, you'll want to uninstall/reinstall :-\
PrevxHelp
April 9th, 2009, 10:34 AM
-{ Quote: "Hi Jo
Understood. Thanks for the clarification.
However, with .49 I have had a recurrence of the legitimate MBR modification (by RollBack Rx in this case) being detected as a Rootkit activity, as detailed in the following post:
http://www.wilderssecurity.com/showpost.php?p=1441413&postcount=3237
Any chance that this could be corrected as under .48? ;D" }-
We're looking at this now, but this isn't a FP :) Rollback Rx does indeed obscure the MBR, we're just scanning more generically now which is finding it (rather than relying on another sign of an infection).
I'll let you know once we have a workaround :)
PrevxHelp
April 9th, 2009, 10:40 AM
-{ Quote: "Still no go here; stuck on .48." }-
I've sent you a PM :)
Blackcat
April 9th, 2009, 10:41 AM
I've sent you an email, Joe ;)
Dark Star 72
April 9th, 2009, 11:03 AM
-{ Quote: "Could you first try just rebooting? If that doesn't solve it, then yes, you'll want to uninstall/reinstall :-\" }-
Reboot solved the problem, now running 49. Got so used to Edge just installing I never thought of rebooting :-[
Will have to wait and see if I get the next update automatically.
sded
April 9th, 2009, 12:31 PM
Hi Joe,
.49 upgrade went off automatically and transparently. Could you repost the meanings of the scan log codes? Can't find where I saved them previously. Thanks; Ed.
PrevxHelp
April 9th, 2009, 01:09 PM
-{ Quote: "Hi Joe,
.49 upgrade went off automatically and transparently. Could you repost the meanings of the scan log codes? Can't find where I saved them previously. Thanks; Ed." }-
The quick summary which covers most files is:
B = Bad
U = Unknown/not fully trusted
G = Good/trusted
There are other flags as well but they are primarily just used for internal purposes :)
raven211
April 9th, 2009, 02:10 PM
-{ Quote: "Just to clarify - did you upgrade by clicking "Check for updates" or did it update automatically?" }-
Always auto - mentioned previously. :)
raven211
April 9th, 2009, 02:11 PM
-{ Quote: "The quick summary which covers most files is:
B = Bad
U = Unknown/not fully trusted
G = Good/trusted
There are other flags as well but they are primarily just used for internal purposes :)" }-
Easy to remember and understand IMO. Non-computer-geek-language. :) ;D
galileo
April 9th, 2009, 02:40 PM
-{ Quote: "Always auto - mentioned previously. :)" }-
I was using build 48 and did not see any auto-update happen. Manual update to build 49 worked smoothly and without any issues.
What is the trigger for the auto-update...?
PrevxHelp
April 9th, 2009, 02:49 PM
-{ Quote: "I was using build 48 and did not see any auto-update happen. Manual update to build 49 worked smoothly and without any issues.
What is the trigger for the auto-update...?" }-
We check for auto updates after a clean scan completes - this way you don't receive random internet activity from us and we won't accidentally upgrade while you're in the middle of cleaning an infection :)
galileo
April 9th, 2009, 03:38 PM
-{ Quote: "We check for auto updates after a clean scan completes - this way you don't receive random internet activity from us and we won't accidentally upgrade while you're in the middle of cleaning an infection :)" }-
Thank you for the answer. I am curious as to why the update occurs "after" rather than "before" a scan? At first blush it would seem that if a scan was about to begin, wouldn't one want to be using the latest "technology" (i.e. update)...?...:doubt:...just a thought...
galileo
PrevxHelp
April 9th, 2009, 03:46 PM
-{ Quote: "Thank you for the answer. I am curious as to why the update occurs "after" rather than "before" a scan? At first blush it would seem that if a scan was about to begin, wouldn't one want to be using the latest "technology" (i.e. update)...?...:doubt:...just a thought...
galileo" }-
We initially had it this way, but it introduced an unnecessary step for the scan. The scan works in two phases which overlap, and the beginning of the scan doesn't require database access (usually) so performing an extra check at the beginning of the scan would trigger the user's firewall to complain. This way, we consolidate all of the database checking into one time slot so the user won't have to continually allow us to connect out (if their firewall has an "allow for x minutes" feature, for example).
Also, putting the update check inline with the database scanning allows us to save a trip to the database, cutting down on bandwidth/overhead/etc. :)
galileo
April 9th, 2009, 03:57 PM
-{ Quote: "We initially had it this way, but it introduced an unnecessary step for the scan. The scan works in two phases which overlap, and the beginning of the scan doesn't require database access (usually) so performing an extra check at the beginning of the scan would trigger the user's firewall to complain. This way, we consolidate all of the database checking into one time slot so the user won't have to continually allow us to connect out (if their firewall has an "allow for x minutes" feature, for example).
Also, putting the update check inline with the database scanning allows us to save a trip to the database, cutting down on bandwidth/overhead/etc. :)" }-
...understood...:)
Baldrick
April 9th, 2009, 04:19 PM
-{ Quote: "We're looking at this now, but this isn't a FP :) Rollback Rx does indeed obscure the MBR, we're just scanning more generically now which is finding it (rather than relying on another sign of an infection).
I'll let you know once we have a workaround :)" }-
Hi Joe
Thanks for the response. Understand what you mean when you say this isn't an FP due to RB Rx obscuring the MBR...so what about the old approach when there was the options to Trust/Trust Always? Would that not work...together with the option to Clean Up? ;D
PrevxHelp
April 9th, 2009, 04:49 PM
-{ Quote: "Hi Joe
Thanks for the response. Understand what you mean when you say this isn't an FP due to RB Rx obscuring the MBR...so what about the old approach when there was the options to Trust/Trust Always? Would that not work...together with the option to Clean Up? ;D" }-
Yes, that works, however we would prefer to not hear a complaint from every Rollback Rx customer so we're going to work on preventing it automatically ;D
Triple Helix
April 9th, 2009, 05:00 PM
-{ Quote: "Yes, that works, however we would prefer to not hear a complaint from every Rollback Rx customer so we're going to work on preventing it automatically ;D" }-
I use Rollback Rx and have the same problem and know you are hard at it to get this fixed. Thanks Joe! :thumb:
TH
Baldrick
April 9th, 2009, 05:21 PM
-{ Quote: "Yes, that works, however we would prefer to not hear a complaint from every Rollback Rx customer so we're going to work on preventing it automatically ;D" }-
Hi Joe
That's cool if you guys (and gals?) can manage it.
;D
sded
April 9th, 2009, 06:44 PM
Couple of problems with .49
1) Can't right click scan files. "Scan with Prevx 3.0" is there in the context menu, but when I select it, it just tries to open the file. I can scan OK with avast! though, for example.
2) Did a full c:/ scan, since hadn't done it in a while. No malware reported. But immediately I got a message from the Prevx infection control center saying I had two worms. (attached) Ran another regular scan; no infections. I speculate that because this particular computer is using a beta license, all of the users of the license number get all of the messages, but ??? I have a copy of setacl.exe, but it is not at the location shown, for example. The two files named are not in the scan log at all.
PrevxHelp
April 9th, 2009, 06:54 PM
-{ Quote: "Couple of problems with .49
1) Can't right click scan files. "Scan with Prevx 3.0" is there in the context menu, but when I select it, it just tries to open the file. I can scan OK with avast! though, for example.
2) Did a full c:/ scan, since hadn't done it in a while. No malware reported. But immediately I got a message from the Prevx infection control center saying I had two worms. (attached) Ran another regular scan; no infections. I speculate that because this particular computer is using a beta license, all of the users of the license number get all of the messages, but ??? I have a copy of setacl.exe, but it is not at the location shown, for example. The two files named are not in the scan log at all." }-
The right click scanner of Prevx 3.0 is different from the right click scanners of other software - we've developed ours to have no overhead at all (no library needs to be loaded in memory). The downside is that for some downloaded files, it may show the popup to open the file - if you answer the popup, it will just scan it, not actually open it, however.
If you could email me a scan log, I'll see why they're being flagged :)
sded
April 9th, 2009, 06:57 PM
OK; I'll email the scan log. But those files aren't there.
Cretemonster
April 9th, 2009, 07:01 PM
Essentially the scanner will only prompt to open the file if it's been blocked by Windows. Right click on the file and select Properties, then look at the bottom and see Unblock; then CSI would scan the file with no prompts.
At least that's how it works here anyways. ???
sded
April 9th, 2009, 07:06 PM
I get the "open with" dialog for every file I try to scan. Probably time to uninstall and reinstall.
PrevxHelp
April 9th, 2009, 07:24 PM
-{ Quote: "I get the "open with" dialog for every file I try to scan. Probably time to uninstall and reinstall." }-
Ah, this is a separate case - can you try just rebooting your computer? That should fix it.
sded
April 9th, 2009, 07:32 PM
Rebooting didn't fix it - I tried that first. Did an uninstall and reinstall (of v50 now) and that fixed the click scan problem. Probably just too many upgrade betas in a row - between Prevx and OA I have been up to my ass in betas this year :). But the learning scan decided actchk.exe was a worm this time, probably from the FP or whatever it was before, so I just let it clean it. And will get another copy from Acronis for if I ever need it, or just unquarantine it. No trigger on the other file, since it is not in the right place. Still think all of the betas on one license are pushed together for reporting, since have received other reports of programs that aren't even on my system.
PrevxHelp
April 9th, 2009, 07:43 PM
-{ Quote: "Rebooting didn't fix it - I tried that first. Did an uninstall and reinstall (of v50 now) and that fixed the click scan problem. Probably just too many upgrade betas in a row. But the learning scan decided actchk.exe was a worm this time, probably from the FP or whatever it was before, so I just let it clean it. And will get another copy from Acronis for if I ever need it, or just unquarantine it. No trigger on the other file, since it is not in the right place. Still think all of the betas on one license are pushed together for reporting, since have received other reports of programs that aren't even on my system." }-
I managed to track down the ACTCHK.EXE file and it does indeed look malicious, found also by a handful of vendors on VT - not sure about the other file - I suspect it is something to do with the merging of licenses.
We will be investigating the right click problem further as well - thanks for the report :)
fce
April 9th, 2009, 07:44 PM
-{ Quote: "Yes, that works, however we would prefer to not hear a complaint from every Rollback Rx customer so we're going to work on preventing it automatically ;D" }-
hopefully there will be no issue with RollbackRx & PrevxEdge....
PrevxHelp
April 9th, 2009, 07:50 PM
-{ Quote: "hopefully there will be no issue with RollbackRx & PrevxEdge...." }-
There won't be :) If you upgrade to 3.0.1.50, the newest beta, it corrects the detection of Rollback Rx's MBR hiding
sded
April 9th, 2009, 07:51 PM
Only question is are you dealing with my actchk.exe or some other user? V49 said no problem with it; upgraded to v50 and got malicious, like a DB had been updated based on earlier report. But certainly not a program that I mind keeping quarantined. And everything else seems to work now. Thanks for the usual instant support; Ed. :)
PrevxHelp
April 9th, 2009, 07:57 PM
-{ Quote: "Only question is are you dealing with my actchk.exe or some other user? V49 said no problem with it; upgraded to v50 and got malicious, like a DB had been updated based on earlier report. But certainly not a program that I mind keeping quarantined. And everything else seems to work now. Thanks for the usual instant support; Ed. :)" }-
Did you by any chance reinstall in the middle? That would have caused your overrides to be removed (if you had one marking ACTCHK.EXE as a false positive).
Based on the timestamps in your image it is the same file, first marked in 2007. However, it is possible that the file simply doesn't load in your system and is just sitting idle and therefore isn't malicious or caught by Edge by default as it isn't interacting with your system in any way.
sded
April 9th, 2009, 08:01 PM
No, I updated afterward. BTW, I did a full scan of C:/ a few weeks ago and didn't get anything off these files, just a couple of other false positives you fixed. And I didn't/don't have any overrides on my end.
Triple Helix
April 9th, 2009, 10:37 PM
-{ Quote: "There won't be :) If you upgrade to 3.0.1.50, the newest beta, it corrects the detection of Rollback Rx's MBR hiding" }-
Works very well with Rollback Rx now Joe! Great work! :thumb:
TH
fce
April 9th, 2009, 10:53 PM
-{ Quote: "There won't be :) If you upgrade to 3.0.1.50, the newest beta, it corrects the detection of Rollback Rx's MBR hiding" }-
thanks and keep it up!
I'll wait for final version though.
G1111
April 10th, 2009, 01:46 AM
Downloaded v3.0.1.50 and ran it through the paces. No problems. Thanks Joe for the Beta.
Martijn2
April 10th, 2009, 03:08 AM
Got a minor remark I noticed on all the versions, that is if your settings are password protected, you can't press enter after you've typed in your password (have to click with your mouse on 'login')
Dark Star 72
April 10th, 2009, 06:05 AM
Just received the update to 50 automatically after the bootup scan when I switched the machine on this morning, first time I have received an update automatically :thumb:
And I can now put RollbackRx on again now that problem has been solved :thumb:
Just itching for the fully configured *version two* now ;D
sded
April 10th, 2009, 09:51 AM
Ran actchk.exe against Jotti. You and one other consider it malware, so will just leave it quarantined until I need it some day, then add it back in as an exception. Looks like a packer detector to me. :)
Regards; Ed.
firzen771
April 10th, 2009, 10:39 AM
-{ Quote: "Ran actchk.exe against Jotti. You and one other consider it malware, so will just leave it quarantined until I need it some day, then add it back in as an exception. Looks like a packer detector to me. :)
Regards; Ed." }-
wow only 1 AV detected it, and it's quite an unpopular AV, it looks like it would be a FP, but you never know I guess.
PrevxHelp
April 10th, 2009, 11:12 AM
-{ Quote: "Ran actchk.exe against Jotti. You and one other consider it malware, so will just leave it quarantined until I need it some day, then add it back in as an exception. Looks like a packer detector to me. :)
Regards; Ed." }-
On VirusTotal 7 find it and we catch it because it was used by malware before :-\
Webby
April 10th, 2009, 11:54 AM
Hello and thank you for the trial version.
I managed to read a few pages and then my eyes and brain went :wacko:
Could you tell me please if Prevx Edge during this advertised "Live Scanning" would detect malicious code/program/boobytraps/whatever on a web page if you happen to make a visit and "NOT" click on anything?
If yes, would you get a warning?
Thank you and yes, I have some other.... err other simple questions to come :gack:
Webby
crofttk
April 10th, 2009, 12:07 PM
I'm having trouble uninstalling Prevx Edge from one of my machines. I get BSOD about page fault in non-paged area. I'm trying to uninstall so I can reinstall after reinstall of DefenseWall. I've tried uninstall in safe-mode and in various stripped down startup configurations but have gotten nowhere.
If there is a solution somewhere in this thread can someone point me there or can PrevxHelp otherwise assist?
I have an image of the system partition from 3/28/09 that I can restore which is clear of both DW and PE but I prefer not to resort to that.
Thanks
P.S. Actually, I can't enable CSI Scanner service in msconfig without getting BSOD on reboot - that's the simple root of why I want to uninstall PE.
P.P.S. Eh, looks like yamaneko's post #2853 holds the answer?
PatG
April 10th, 2009, 12:09 PM
Why does the right click scan menu, ver .50 bring up the "open with" window? Prevx does NO scanning. Am I missing something? Joe or anyone?
Triple Helix
April 10th, 2009, 12:25 PM
-{ Quote: "Why does the right click scan menu, ver .50 bring up the "open with" window? Prevx does NO scanning. Am I missing something? Joe or anyone?" }-
Here is the fix Pat!
http://www.wilderssecurity.com/showpost.php?p=1441274&postcount=3234
http://www.wilderssecurity.com/showpost.php?p=1440244&postcount=3151
Cheers,
TH
sded
April 10th, 2009, 12:36 PM
OK; I'll keep it quarantined. You don't seem to keep very good company, though. ;)
Update: Checked my other computer, and that file/location is unique to Ultimate, not found in Home Premium, so not as widely seen. And the other copy of Prevx (regular license) doesn't have to deal with it.
PatG
April 10th, 2009, 01:02 PM
-{ Quote: "Here is the fix Pat!
http://www.wilderssecurity.com/showpost.php?p=1441274&postcount=3234
http://www.wilderssecurity.com/showpost.php?p=1440244&postcount=3151
Cheers,
TH" }-
That's a big BINGO! That did fix it and I thankee! :)
Triple Helix
April 10th, 2009, 01:18 PM
-{ Quote: "That's a big BINGO! That did fix it and I thankee! :)" }-
That's what we do here, help each other ;) ;D
TH
raven211
April 10th, 2009, 01:29 PM
Newest SpywareBlaster is being detected. See the attached screenie. How long will these FPs carry on - till the end of the beta? No offence... :-\
Martijn2
April 10th, 2009, 01:37 PM
You can also uninstall the beta version and install the normal one, or does that also have the FP's?
crofttk
April 10th, 2009, 01:50 PM
-{ Quote: "Newest SpywareBlaster is being detected. See the attached screenie. How long will these FPs carry on - till the end of the beta? No offence... :-\" }-
I just got that too as I just now reinstalled with Beta .49 - I right clicked them and reported as false positive.
THANKS to yamaneko's post #2853, I was able to get the problem I posted above resolved.:thumb:
Update to .50 went without a hitch.
raven211
April 10th, 2009, 01:55 PM
-{ Quote: "You can also uninstall the beta version and install the normal one, or does that also have the FP's?" }-
Ofc I can, but that's not the issue of mine - it's the FPs, even if the beta is the cause.
lordpake
April 10th, 2009, 02:00 PM
-{ Quote: "Ofc I can, but that's not the issue of mine - it's the FPs, even if the beta is the cause." }-
That's why it's called beta. If you know what beta usually stands for, you should already have the answer to your own question :)
crofttk
April 10th, 2009, 02:02 PM
Based on the fact that Spyware Blaster 4.2 was just released a day or two ago and considering what it does to IE, I'm not surprised or in the least disappointed that it causes FP in Prevx.
raven211
April 10th, 2009, 02:07 PM
-{ Quote: "Thats' why it's called beta. If you know what beta usually stands for, you should already have the answer to your own question :)" }-
Oh, don't worry, I've beta tested lots of software and know what it is. (:) :) :) :))
Let me take an example... TF, which is also proactive based, didn't produce ANY FPs when they had their new 4.0 beta up - yes, can you believe it, another beta product I was part of, what a surprise! :D (No, I definitely don't know what it is.)
Don't worry, underestimation is just one of my biggest weak-points when it's aimed at me.
I'm not saying it's not acceptable - but it's something which should not be happening anyway. :-\
EraserHW
April 10th, 2009, 02:15 PM
-{ Quote: "Newest SpywareBlaster is being detected. See the attached screenie. How long will these FPs carry on - till the end of the beta? No offence... :-\" }-
Please, can you try scanning again? :)
Thank you
raven211
April 10th, 2009, 02:20 PM
-{ Quote: "Please, can you try scanning again? :)
Thank you" }-
Removed the detection override which was FP for the SB detection, and it seems to be fixed.
Thx, Eraser! :)
raven211
April 10th, 2009, 02:21 PM
Just a general question... so, after the beta, Edge will simply be called Prevx (3.0), just like it was Prevx 2.0 before?
PrevxHelp
April 10th, 2009, 03:32 PM
-{ Quote: "Got a minor remark I noticed on all the versions, that is if your settings are password protected, you can't press enter after you've typed in your password (have to click with your mouse on 'login')" }-
We have this as a security feature to prevent any keyboard automation, but I'll see if we can have it accept an enter key for the dialog :)
PrevxHelp
April 10th, 2009, 03:36 PM
-{ Quote: "Just a general question... so, after the beta, Edge will simply be called Prevx (3.0), just like it was Prevx 2.0 before?" }-
Yes :) the protection will be called "Edge Realtime Protection" but the product will be Prevx 3.0.
A note on the false positives - new versions of security software tend to cause false positives because they do root themselves deep into the system/modify areas that normal programs don't. We have exactly the same thing happen against us from a great deal of companies (ESET, Kaspersky, Panda, and eSafe generally have false positives on new releases of CSI and Edge).
The only way around this is to whitelist them once they're released as, in most cases, they look identical to malware.
PrevxHelp
April 10th, 2009, 03:37 PM
-{ Quote: "Hello and thank you for the trial version.
I managed to read a few pages and then my eyes and brain went :wacko:
Could you tell me please if Prevx Edge during this advertised "Live Scanning" would detect malicious code/program/boobytraps/whatever on a web page if you happen to make a visit and "NOT" click on anything?
If yes, would you get a warning?
Thank you and yes, I have some other.... err other simple questions to come :gack:
Webby" }-
If the page contains exploits which try and infect your computer, Edge will block them immediately but we don't have HTTP scanning because it is a largely unnecessary feature which slows down browsing without providing much real additional protection at all.
Hope that helps :)
raven211
April 10th, 2009, 05:51 PM
-{ Quote: "Yes :) the protection will be called "Edge Realtime Protection" but the product will be Prevx 3.0.
A note on the false positives - new versions of security software tend to cause false positives because they do root themselves deep into the system/modify areas that normal programs don't. We have exactly the same thing happen against us from a great deal of companies (ESET, Kaspersky, Panda, and eSafe generally have false positives on new releases of CSI and Edge).
The only way around this is to whitelist them once they're released as, in most cases, they look identical to malware." }-
Yes, I can understand that. So this also means you can't simply whitelist whole applications, like SpywareBlaster, which are being detected? Does for example TF not detect it because it's purely looking at its behavior first?
PrevxHelp
April 10th, 2009, 06:02 PM
-{ Quote: "Yes, I can understand that. So this also means you can't simply whitelist whole applications, like SpywareBlaster, which are being detected? Does for example TF not detect it because it's purely looking at its behavior first?" }-
It really depends on the software and how significant the update is. Technically every AV/AS/etc. app should trigger an alert but we have measures in place to prevent it in most cases. I'm not sure why TF would not detect it, but security software almost always has an identical behavioral "footprint" to malware - hooking low-level system services, loading drivers, preventing its processes from being terminated, accessing the disk at a low/raw level, traversing the file system/accessing programs, etc. all of which are frequently done by malware.
We generally don't whitelist whole programs automatically by choice because it can lead to false negatives if the digital certificate is compromised or if the program does turn out to harbor malicious code so we usually just let the database sort it out automatically after getting enough behavioral data :)
PrevxHelp
April 10th, 2009, 06:04 PM
Another note on my previous post - the age of a program is taken heavily into consideration as well as the popularity of it, so, when a new version of a program is released, or a beta version (which many users here use frequently), we tend to have more FPs against it just because it isn't an official release and isn't used by the whole userbase.
A program that has been seen by a very small handful of people that modifies core system areas is hard to automatically trust so we take a suspicious stance in many cases :)
Triple Helix
April 10th, 2009, 06:15 PM
-{ Quote: "Another note on my previous post - the age of a program is taken heavily into consideration as well as the popularity of it, so, when a new version of a program is released, or a beta version (which many users here use frequently), we tend to have more FPs against it just because it isn't an official release and isn't used by the whole userbase.
A program that has been seen by a very small handful of people that modifies core system areas is hard to automatically trust so we take a suspicious stance in many cases :)" }-
That is understandable!
TH
raven211
April 10th, 2009, 06:17 PM
Here is the thing... TF works in a different way. It really checks "what is this program actually doing", even before it checks it against its black- AND whitelists.
Now-a-days I never experience FPs with it, but if there's real malware - oh boy does it detect it. ::) ;D
raven211
April 10th, 2009, 06:23 PM
I mean, I saw it myself here when testing real malware, the first result at a torrent-site when searching for Norton crack. It was disguising itself as a real, working trial reset crack. That didn't lure TF at all - it would prompt me for every action it did when I clicked to still allow it. It was that persistent and detected new after new trace, keeping the ones it detected before in the same list. Registry entries, files, processes - being modified, deleted, created, everything. Prevx on the other hand didn't do a thing - but you probably already know which case I'm talking about. :) - And we both do know that Prevx did NOT detect it at first, even if the real-time protection was faulty at the time. TF excelled by looking at all the behavior, it was catching every move and has yet to fail.
That's one reason I take TF before Prevx - it simply doesn't miss and doesn't produce FPs.
a320ca
April 10th, 2009, 07:21 PM
3.0.1.50 running smoothly here with all my signature apps. :thumb:
firzen771
April 10th, 2009, 07:28 PM
-{ Quote: "3.0.1.50 running smoothly here with all my signature apps. :thumb:" }-
Wow, that's a lot of heavy duty apps in realtime, you'd probably be best if you dropped one of them :/
raven211
April 10th, 2009, 07:31 PM
-{ Quote: "Wow, that's a lot of heavy duty apps in realtime, you'd probably be best if you dropped one of them :/" }-
Doesn't look too bad to me - you should see that most of them are noted as on-demand.
firzen771
April 10th, 2009, 08:33 PM
-{ Quote: "Doesn't look too bad to me - you should see that most of them are noted as on-demand." }-
I know, but a lot of those realtime apps are pretty heavy duty with like OA HIPS + FW, ASquared AV + AS + BB, Edge AND DefenseWall.
That seems like an awful lot.
raven211
April 10th, 2009, 08:46 PM
-{ Quote: "I know, but a lot of those realtime apps are pretty heavy duty with like OA HIPS + FW, ASquared AV + AS + BB, Edge AND DefenseWall.
That seems like an awful lot." }-
Yeah, well I don't use a FW, nor HIPS, so I'm all good. ;D Properly configured Hardware FW and layered malware defense, which includes both BB and strong heuristics and incl. a light AV does the job for me. Saves me the hassle and keeps it light, but still effective.
phxcobra
April 10th, 2009, 10:00 PM
Quick question here. I updated my license to add coverage for another computer. However, when I try to activate Prevx on the new computer, I get an error that all licenses are in use. How long does it take for the system to update? I just updated about 20 minutes ago. I'll wait and try tomorrow. If not, what then?
a320ca
April 10th, 2009, 11:14 PM
-{ Quote: "I know, but a lot of those realtime apps are pretty heavy duty with like OA HIPS + FW, ASquared AV + AS + BB, Edge AND DefenseWall.
That seems like an awful lot." }-
Yeah, I know. Why bring a knife to a fight when you can bring a Battleship instead. ;D :thumb:
LoneWolf
April 10th, 2009, 11:19 PM
-{ Quote: "Yeah, I know. Why bring a knife to a fight when you can bring a Battleship instead. :thumb:;D" }-
Good point ;D
Saraceno
April 10th, 2009, 11:33 PM
-{ Quote: "Quick question here. I updated my license to add coverage for another computer. However, when I try to activate Prevx on the new computer, I get an error that all licenses are in use. How long does it take for the system to update? I just updated about 20 minutes ago. I'll wait and try tomorrow. If not, what then?" }-
The prevx support on here will sort it out if the license doesn't work by tomorrow.
PrevxWebDesigner
April 10th, 2009, 11:34 PM
-{ Quote: "Quick question here. I updated my license to add coverage for another computer. However, when I try to activate Prevx on the new computer, I get an error that all licenses are in use. How long does it take for the system to update? I just updated about 20 minutes ago. I'll wait and try tomorrow. If not, what then?" }-
Hi, the update should be instant - therefore either feel free to send myself or PrevxHelp your license key, which we will investigate, or alternatively sign up to MyPrevx (https://my.prevx.com/registration.asp), which should allow you to manage your license key and delete off any old / inactive machines which the license might think it's still valid against.
Webby
April 11th, 2009, 01:43 AM
Hi all,
PrevxHelp, the answer you posted on #3335 was well explained and understood.
Thank you.
Webby
smush
April 11th, 2009, 09:04 AM
Would there be any advantages to using this alongside Avira Premium? As the website says, it can work alongside any security software.
QBgreen
April 11th, 2009, 09:39 AM
-{ Quote: "Would there be any advantages to using this alongside Avira Premium? As the website says, it can work alongside any security software." }-
I'm currently running Avira Premium and Prevx 3 on my XP Pro SP3 box. If you already are running Avira, you certainly can't go wrong adding Prevx, IMHO. Great one-two punch, and they work well together.
smush
April 11th, 2009, 09:43 AM
Ok thanks, might give it a go :)
ExCavTanker
April 11th, 2009, 10:29 AM
A few questions:
1. Is there ANY way to give us quick access to the complete history of the threats that have been removed via the main screen? The log feature does not accomplish this (too many steps and time searching for log files IF they were saved). On the main screen where you have it showing 'Total infections cleaned:' would be a good place to link to the threat removal history (threat name, location it was detected at and how threat was dealt with).
2. When I do a manual scan the percentage goes to 23% and stays there for the remaining scan until it displays 98%, then it finishes. What can be done to accurately track the percentage throughout the entire scan? Is it a deal breaker, no, is it annoying for me, yep!
3. Is the threat database you maintain only populated by Prevx users or are you able to track threats in the wild from non-Prevx users?
4. How long will non beta users be at version .40?
Thanks!
G1111
April 11th, 2009, 11:58 AM
-{ Quote: "A few questions:
4. How long will non beta users be at version .40?
Thanks!" }-
Beta version is at .50.
PrevxHelp
April 11th, 2009, 12:33 PM
-{ Quote: "A few questions:
1. Is there ANY way to give us quick access to the complete history of the threats that have been removed via the main screen? The log feature does not accomplish this (too many steps and time searching for log files IF they were saved). On the main screen where you have it showing 'Total infections cleaned:' would be a good place to link to the threat removal history (threat name, location it was detected at and how threat was dealt with).
2. When I do a manual scan the percentage goes to 23% and stays there for the remaining scan until it displays 98%, then it finishes. What can be done to accurately track the percentage throughout the entire scan? Is it a deal breaker, no, is it annoying for me, yep!
3. Is the threat database you maintain only populated by Prevx users or are you able to track threats in the wild from non-Prevx users?
4. How long will non beta users be at version .40?
Thanks!" }-
A few answers ;D
1) You can view the cleanup history by clicking Tools > Undo Cleanup > View Cleanup Log. That is definitely a good idea to link the threats cleaned to the cleanup log :) We'll have that in the next version!
2) Could you clarify if the progress bar goes to 23% or 63% and then jumps to the end? At 63%, files are finishing being checked with the database. If your internet connection is fast, it will jump from 63% to 100% quickly, but if you have a lot of new files to analyze, it will hit the percentages in the middle as well. 23% is approximately after the rootkit scan finishes so it shouldn't be a bottleneck area, but if it is, let me know and I'll investigate further :)
3) The primary database is from our users but we have a large crawler system which looks for new malware and a system which analyzes submitted/collected files. We also get feeds from popular sample submission services which are analyzed centrally to proactively protect users even if a Prevx user hasn't seen the file yet.
4) We are planning a release within the next week - just finishing up some final features and improving everything :)
Let me know if you have any more questions!
Dark Star 72
April 11th, 2009, 12:41 PM
-{ Quote: "We are planning a release within the next week - just finishing up some final features and improving everything :)" }-
Getting close now 8) ;)
dorgane
April 11th, 2009, 12:45 PM
Me, I have a question...
Does only Prevx make the PX5 hash? Or who generates the PX5 for the program that I make?
PrevxHelp
April 11th, 2009, 12:47 PM
-{ Quote: "Me, I have a question...
Does only Prevx make the PX5 hash? Or who generates the PX5 for the program that I make?" }-
PX5 is a proprietary algorithm which we use that gives us a unique signature of a program. We have many many more signatures which are used "behind the scenes" but this one allows us to look at unique files to track down what other signatures are from the file :)
dorgane
April 11th, 2009, 12:50 PM
ok
Is there software or another system to see the PX5?
PrevxHelp
April 11th, 2009, 12:52 PM
-{ Quote: "ok
Is there software or another system to see the PX5?" }-
No, it's only used internally and we just show it in the log for malware reporting reasons :)
dorgane
April 11th, 2009, 01:17 PM
OK, thank you....
I think it's a bug, or not, in 3.0.1.50: I don't have "scan with prevx...." in my menu.
Bug or not?
PS: this file is a messenger worm:
File IMG9371478991721141-GIF.EXE received on 04.11.2009 19:10:08 (CET)
Current status: finished
Result: 5/40 (12.50%
Prevx1 V2 2009.04.11 -
If you want the link, PM me.
LagerX
April 11th, 2009, 01:26 PM
Go to Settings - Basic Configuration.
Uncheck/save and check/save
Enable "Right click" ....
It should solve the problem, I think.
dorgane
April 11th, 2009, 01:32 PM
yes thank you :)
dorgane
April 11th, 2009, 01:40 PM
hum
FP with :
Prevx Scan Log - Version v3.0.1.50
Log Generated: 11/4/2009 19:33, Type: 1,8192
Windows XP Professional Service Pack 3 (Build 2600) 32bit|1036
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 1, Pop: 3, Heu: 3 (Dir: 1)
Last Scan: Sat 2009-04-11 19:33:13 Paris, Madrid. Number of Scans: 80. Last Scan Duration: 4 seconds.
[NF] (ACTIVE) c:\program files\ma-config.com\langues\languemc_fr.dll [PX5: D028F829A8D6FBA35EB10096F14DEF00F605D0E7]
[NF] (ACTIVE) c:\program files\ma-config.com\langues\languemc_fr.dll [PX5: D028F829A8D6FBA35EB10096F14DEF00F605D0E7]
ma-config.com is a website that scans your hardware to find new drivers.
It is used by:
http://www.touslesdrivers.com/index.php?v_page=29
and
http://www.ma-config.com/
virustotal : http://www.virustotal.com/fr/analisis/47b2e42f75660a59c43082d359a62395
PrevxHelp
April 11th, 2009, 01:41 PM
-{ Quote: "FP with :" }-
Fixed :)
PrevxHelp
April 11th, 2009, 01:50 PM
-{ Quote: "PS: this file is a messenger worm:
File IMG9371478991721141-GIF.EXE received on 04.11.2009 19:10:08 (CET)
Current status: finished
Result: 5/40 (12.50%
Prevx1 V2 2009.04.11 - " }-
For what it's worth, we have detected this file for some months if it actually tried to infect you. I've added detection for it so that VT will find it, but Edge's protection would have completely protected you from it automatically :)
Heco
April 11th, 2009, 01:51 PM
Hello all :D !
Thank you to PrevxHelp for the Beta link.
How is it that I can't configure Edge with this release? What I mean is that my settings are not kept. For example, if I want Edge to scan automatically at every boot-up and untick the option "Do not show any window while scanning", nothing happens after rebooting...
Thanks,
Heco 8)
PrevxHelp
April 11th, 2009, 01:54 PM
-{ Quote: "Hello all :D !
Thank you to PrevxHelp for the Beta link.
How is it that I can't configure Edge with this release? What I mean is that my settings are not kept. For example, if I want Edge to scan automatically at every boot-up and untick the option "Do not show any window while scanning", nothing happens after rebooting...
Thanks,
Heco 8)" }-
Scans are staggered to keep system load low during bootup or when a large corporation is turning on all of their computers at once at the start of the day. The scan may start within about 1 hour of bootup and the scheduled scans start randomly within about 1 hour of the configured time as well. Registered users can override this, but we recommend that you don't just to keep system load low (trying to run a scan directly on bootup generally just makes everything much slower :))
dorgane
April 11th, 2009, 01:54 PM
good =D
[B] c:\documents and settings\arnaud\bureau\img9371478991721141-gif.exe [PX5: 844980E6008D2BCD8234012ADF52AB00F65AA56E] Malware Group: Medium Risk Malware
[G] (ACTIVE) c:\program files\ma-config.com\langues\languemc_fr.dll [PX5: D028F829A8D6FBA35EB10096F14DEF00F605D0E7]
phxcobra
April 11th, 2009, 02:02 PM
-{ Quote: "Hi, the update should be instant - therefore either feel free to send myself or PrevxHelp your license key, which we will investigate, or alternatively sign up to MyPrevx (https://my.prevx.com/registration.asp), which should allow you to manage your license key and delete off any old / inactive machines which the license might think it's still valid against." }-
Logged in to myprevx and saw a computer register that was not mine. Any ideas how it was accidentally registered? In any case, I deleted it and was able to activate my new pc. Thx for the quick help.
nrms
April 11th, 2009, 02:04 PM
What is an "Age/Spread Criteria Violation Detected" ??
I've had a couple of these recently with supposedly innocent files, PrevX blocks the launching with this error dialog. What does it mean please?
NigelS
PrevxHelp
April 11th, 2009, 02:06 PM
-{ Quote: "What is an "Age/Spread Criteria Violation Detected" ??
I've had a couple of these recently with supposedly innocent files, PrevX blocks the launching with this error dialog. What does it mean please?
NigelS" }-
This means that the file is suspicious enough to be below the threshold you have configured in the Heuristics Settings. If you receive "too many" of these, you can turn down your heuristic settings by clicking Settings > Heuristics Settings.
More information on what exactly the settings mean can be found at http://info.prevx.com/edgehelp.asp if you click on Edge Settings > Heuristics Settings
Let me know if you have any further questions with this :)
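The age/popularity weighting PrevxHelp describes earlier in the thread and the "Age/Spread Criteria Violation" explained in this answer, as an added toy model (not Prevx code; the behaviour weights, per-level floors and level-to-threshold mappings are all assumed, as are the sample file observations):

```python
"""Toy model of age/spread ("prevalence") reputation heuristics.

Constructed illustration, not Prevx's algorithm: it shows why a brand-new beta
build that loads a driver can trip an "Age/Spread Criteria Violation" while the
same behaviour in an old, widely installed release is allowed, how the three
user-settable levels (Age/Pop/Heu) move the thresholds, and how the flag clears
on its own as more installs report the file. All weights and floors are assumed.
"""
from dataclasses import dataclass

# Behaviours the thread lists as shared by security software and malware,
# with assumed suspicion weights.
SUSPICIOUS_BEHAVIOURS = {
    "hooks_system_services": 3,
    "loads_driver": 3,
    "resists_termination": 2,
    "raw_disk_access": 2,
    "traverses_filesystem": 1,
}

# Per-level floors; level 1 disables the check. Assumed values.
AGE_FLOOR_DAYS = {1: 0, 2: 3, 3: 7, 4: 30, 5: 90}
SPREAD_FLOOR_USERS = {1: 0, 2: 5, 3: 25, 4: 250, 5: 2500}
# Behaviour score at which a file is blocked on behaviour alone. Assumed.
HEURISTIC_BLOCK_SCORE = {1: 9, 2: 8, 3: 6, 4: 4, 5: 2}


@dataclass
class FileObservation:
    path: str
    age_days: int        # days since the community first reported the file
    users_seen: int      # installs that have reported the file ("spread")
    behaviours: frozenset = frozenset()


@dataclass
class HeuristicSettings:
    age: int = 1   # strictness 1..5; the scan log in the thread shows "Age: 1"
    pop: int = 3   # "Pop: 3"
    heu: int = 3   # "Heu: 3"


def behaviour_score(obs: FileObservation) -> int:
    return sum(SUSPICIOUS_BEHAVIOURS.get(b, 0) for b in obs.behaviours)


def evaluate(obs: FileObservation, settings: HeuristicSettings) -> tuple:
    """Return (verdict, reason); verdict is one of
    'allow', 'heuristic_block', 'age_spread_violation'."""
    score = behaviour_score(obs)
    if score == 0:
        return ("allow", "no suspicious behaviour observed")
    block_at = HEURISTIC_BLOCK_SCORE[settings.heu]
    if score >= block_at:
        return ("heuristic_block", f"behaviour score {score} >= {block_at}")
    # Below the outright-block score, suspicious behaviour is tolerated only
    # once the file is old enough and widespread enough for the configured levels.
    age_floor = AGE_FLOOR_DAYS[settings.age]
    spread_floor = SPREAD_FLOOR_USERS[settings.pop]
    why = []
    if obs.age_days < age_floor:
        why.append(f"age {obs.age_days}d < {age_floor}d")
    if obs.users_seen < spread_floor:
        why.append(f"seen by {obs.users_seen} < {spread_floor} users")
    if why:
        return ("age_spread_violation", "; ".join(why))
    return ("allow", f"score {score} tolerated: established file")


def days_until_allowed(obs, settings, new_users_per_day, max_days=365):
    """Days until evaluate() returns 'allow' as the file ages and spreads,
    or None if it never does within max_days (e.g. a heuristic_block)."""
    for day in range(max_days + 1):
        later = FileObservation(obs.path, obs.age_days + day,
                                obs.users_seen + new_users_per_day * day,
                                obs.behaviours)
        if evaluate(later, settings)[0] == "allow":
            return day
    return None


if __name__ == "__main__":
    # Constructed sample: a day-old beta seen by 3 installs vs. the same
    # behaviour in a year-old release with 50,000 installs.
    beta = FileObservation(r"c:\program files\sometool\beta\sometool.exe",
                           age_days=1, users_seen=3,
                           behaviours=frozenset({"loads_driver", "traverses_filesystem"}))
    release = FileObservation(r"c:\program files\sometool\sometool.exe",
                              age_days=400, users_seen=50_000,
                              behaviours=beta.behaviours)
    default = HeuristicSettings()
    print("beta   :", evaluate(beta, default))
    print("release:", evaluate(release, default))
    print("beta with Pop turned down to 1:", evaluate(beta, HeuristicSettings(pop=1)))
    print("days until beta clears at 2 new users/day:",
          days_until_allowed(beta, default, new_users_per_day=2))
```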
Heco
April 11th, 2009, 02:21 PM
-{ Quote: "Scans are staggered to keep system load low during bootup or when a large corporation is turning on all of their computers at once at the start of the day. The scan may start within about 1 hour of bootup and the scheduled scans start randomly within about 1 hour of the configured time as well. Registered users can override this, but we recommend that you don't just to keep system load low (trying to run a scan directly on bootup generally just makes everything much slower :))" }-
But... I am a registered home user with a licence valid for 283 days! LOL
PrevxHelp
April 11th, 2009, 02:25 PM
-{ Quote: "But... I am a registered home user with a licence valid for 283 days! LOL" }-
You should be able to then check the bottom box on the scheduler screen which reads:
"Start the scan exactly at the scheduled time (may cause a delay on a large network)"
That will eliminate the default delay :)
raven211
April 11th, 2009, 03:12 PM
In which build is that weird coloring down and down to the left getting fixed? :P :D
And BTW... what's that teal or blue thing a little down to the right?
PrevxHelp
April 11th, 2009, 03:17 PM
-{ Quote: "In which build is that weird coloring down and down to the left getting fixed? :P :D
And BTW... what's that teal or blue thing a little down to the right?" }-
The background is a curve which continues onto the other side. Our graphic designer is working on improving it to make the GUI look less washed out so it should be better soon :)
Baldrick
April 11th, 2009, 04:28 PM
-{ Quote: "The background is a curve which continues onto the other side. Our graphic designer is working on improving it to make the GUI look less washed out so it should be better soon :)" }-
Hi Joe
Whilst talking about presentation I personally believe that the literals on the main GUI should be in a slightly darker shade...to make them stand out a little more...that should remove some of the 'wash out' look. ;D
raven211
April 11th, 2009, 05:51 PM
-{ Quote: "The background is a curve which continues onto the other side. Our graphic designer is working on improving it to make the GUI look less washed out so it should be better soon :)" }-
Please tell me when he's done so that I can comment on the result. :)
trjam
April 11th, 2009, 05:53 PM
The continued numerous FPs still bother me.:dry:
raven211
April 11th, 2009, 05:59 PM
-{ Quote: "The continued numerous FPs still bother me.:dry:" }-
You're not alone. ;D FPs in the stable version as well a number of times makes me unable to set it to total automatic operation which I like to have products on - that's, set it by my own will. :P :D
PrevxHelp
April 11th, 2009, 06:16 PM
-{ Quote: "You're not alone. ;D FPs in the stable version as well a number of times makes me unable to set it to total automatic operation which I like to have products on - that's, set it by my own will. :P :D" }-
It's impossible to judge a program as a whole by the reports on a forum. I frequently fix the FPs reported to our customer service inbox and I know for a fact that Wilders users see more FPs than other users, most likely because of what types of software are used by people who frequent Wilders.
Many of the FPs reported here are not false positives at all, and a majority of the rest were caused because of people using maximum heuristics. The others can be attributed to the higher level of heuristics we have in place due to Conficker and the rest are legitimate FPs which every AV encounters.
I'm not sure what else to say about our false positives, but that they are disproportionately given more light because of posts here so it looks like there are more than there really are.
If we had a form to send in false positives, as many other vendors do, you would never hear about false positives to a forum (which I suspect is the case for other products).
Just my $0.02 :)
raven211
April 11th, 2009, 06:23 PM
-{ Quote: "It's impossible to judge a program as a whole by the reports on a forum. I frequently fix the FPs reported to our customer service inbox and I know for a fact that Wilders users see more FPs than other users, most likely because of what types of software are used by people who frequent Wilders.
Many of the FPs reported here are not false positives at all, and a majority of the rest were caused because of people using maximum heuristics. The others can be attributed to the higher level of heuristics we have in place due to Conficker and the rest are legitimate FPs which every AV encounters.
I'm not sure what else to say about our false positives, but that they are disproportionately given more light because of posts here so it looks like there are more than there really are.
If we had a form to send in false positives, as many other vendors do, you would never hear about false positives to a forum (which I suspect is the case for other products).
Just my $0.02 :)" }-
Guess it's the currently raised bar then. ;D I whole-heartedly respect your comment, and think you're doing an excellent job fixing and replying to users reports. On the other hand I've not experienced any FPs with NIS09 in the late betas and the final, nor in the whole beta of new TF, or the final version ofc. ;)
ExCavTanker
April 11th, 2009, 06:34 PM
-{ Quote: "A few answers ;D
1) You can view the cleanup history by clicking Tools > Undo Cleanup > View Cleanup Log. That is definitely a good idea to link the threats cleaned to the cleanup log :) We'll have that in the next version!
2) Could you clarify if the progress bar goes to 23% or 63% and then jumps to the end? At 63%, files are finishing being checked with the database. If your internet connection is fast, it will jump from 63% to 100% quickly, but if you have a lot of new files to analyze, it will hit the percentages in the middle as well. 23% is approximately after the rootkit scan finishes so it shouldn't be a bottleneck area, but if it is, let me know and I'll investigate further :)
3) The primary database is from our users but we have a large crawler system which looks for new malware and a system which analyzes submitted/collected files. We also get feeds from popular sample submission services which are analyzed centrally to proactively protect users even if a Prevx user hasn't seen the file yet.
4) We are planning a release within the next week - just finishing up some final features and improving everything :)
Let me know if you have any more questions!" }-
1. Woohoo, thanks for adding that feature, you guys ROCK!!!
2. It stops at 23% for a long time then jumps to 98%, the files are still being scanned and it shows them as they're being scanned but the percentage doesn't follow along. I'm using Win XP SP3 if that helps. My connection is 6Mbps and at 98% it begins checking the files which goes quickly.
3. Most excellent as I thought only Prevx users were contributing, very nice.
4. I know I know, good things come to those who wait:).
That's all for now.
raven211
April 11th, 2009, 06:41 PM
About #3... are one of those sources like for example VirusTotal, even if that's, from what I know, based on users sending stuff in. ::)
PrevxHelp
April 11th, 2009, 06:50 PM
-{ Quote: "About #3... are one of those sources like for example VirusTotal, even if that's, from what I know, based on users sending stuff in. ::)" }-
Yes, we get a feed from VirusTotal as do all of the other vendors on there as well, but that is from user submission (and a surprisingly large volume of samples as well).
Our primary crawling doesn't use VirusTotal but we use a web-crawler-based system and a large farm of computers internally which have Edge installed that report the data to our database. We use this and go hunting for new threats (and then our researchers always enjoy trying to infect themselves with the newest threats off of *ehm* less than wholesome websites ;D)
You can see some videos of our battles against some of these sites at: http://www.youtube.com/user/PrevxResearch
Baldrick
April 11th, 2009, 07:02 PM
-{ Quote: "It's impossible to judge a program as a whole by the reports on a forum. I frequently fix the FPs reported to our customer service inbox and I know for a fact that Wilders users see more FPs than other users, most likely because of what types of software are used by people who frequent Wilders.
Many of the FPs reported here are not false positives at all, and a majority of the rest were caused because of people using maximum heuristics. The others can be attributed to the higher level of heuristics we have in place due to Conficker and the rest are legitimate FPs which every AV encounters.
I'm not sure what else to say about our false positives, but that they are disproportionately given more light because of posts here so it looks like there are more than there really are.
If we had a form to send in false positives, as many other vendors do, you would never hear about false positives to a forum (which I suspect is the case for other products).
Just my $0.02 :)" }-
Hi Joe
I suspect that you are correct in what you say as in the main I rarely get FPs, as I am not really pushing the boundaries in terms of the software that I use or investigate (except some of the betas I test). Some of the brethren here at Wilders do push the boundaries...which is great for us all.
The main time I see FPs is just after a new build has been released, and one previously fixed occasionally seems to reappear, but other than that Prevx has been as quiet as a mouse unless roused to do its job.
My £0.02 worth, ;D
PrevxHelp
April 11th, 2009, 07:19 PM
-{ Quote: "
The main time I see FPs is just after a new build has been released, and one previously fixed occasionally seems to reappear, but other than that Prevx has been as quiet as a mouse unless roused to do its job." }-
Very true - the one place where we could tend to have more FPs than other products is with beta software and they are almost always fixed automatically when the software is fully released. Wilders users tend to be on the bleeding edge of software updates and therefore get to be some of the first handful of people which encounter new software.
We never mind correcting FPs in beta versions, but it does become a bit tedious when a high volume of new software updates are released for certain programs that are seen by really very few people in the "wild". Therefore, we generally prioritize our whitelisting to full versions to provide the maximum benefit for our time.
And, to be the devil's advocate, many AVs detect our beta versions heuristically and always have - it's generally standard practice to fix beta FPs only once the beta reaches a certain threshold of popularity, otherwise we'd have to go around knocking on the doors of developers asking them to send us their nightly builds ;D
raven211
April 11th, 2009, 07:36 PM
-{ Quote: "
And, to be the devil's advocate, many AVs detect our beta versions heuristically and always have - it's generally standard practice to fix beta FPs only once the beta reaches a certain threshold of popularity, otherwise we'd have to go around knocking on the doors of developers asking them to send us their nightly builds ;D" }-
That's very true - but not for the AVs that I personally trust! ;D :D For example... NOD32 would detect the new beta, so I uninstalled NOD. I'd experienced FPs with it before and went the same way back then. I don't think it's acceptable at all for final versions. We've seen too many cases where things have become seriously ugly because of FPs.
Saraceno
April 11th, 2009, 09:38 PM
I've come across a couple of FPs, mainly due to installing portable programs. But I've installed say 30 portable programs, and of these two were flagged.
But when I think of the proportion of people installing these programs I'm interested in, most likely between 1-5000 downloads, and compare it to those who are also using prevx, there might be only say 1-4 instances of that program in the prevx community.
Compare it to how many people in the overall community are using your regular paid programs such as Microsoft Office, and common programs such as MSN, iTunes, Winamp, and you've got say 1-100,000,000+ downloads, and say (depending on how many users there are in the prevx community), 1-1,000,000 instances of that program in the prevx community.
I can understand why prevx is labeling the programs I'm interested in as a suspicious or unknown program, as hardly any, or maybe only a few prevx users would even be using them.
Blackcat
April 12th, 2009, 07:04 AM
Can I install Prevx Edge-licensed version- on DIFFERENT snapshots on the SAME computer?
The official Prevx support just gave me the standard answer of "Your Prevx EDGE 1 user license key is for use on 1 PC/ 1 Operating system only" which did not really answer my question.
Threedog
April 12th, 2009, 08:15 AM
-{ Quote: "Can I install Prevx Edge-licensed version- on DIFFERENT snapshots on the SAME computer?
The official Prevx support just gave me the standard answer of "Your Prevx EDGE 1 user license key is for use on 1 PC/ 1 Operating system only" which did not really answer my question." }-
It's probably not going to work. The activation is very very fickle. I've had it refuse to activate on an image restore of the same OS, same hard drive, same computer. Same with a reformat. It would come up that it can only be used on one computer. Even if the same computer but a new hard drive. Same copy of OS. It wouldn't activate. Luckily, Joe was able to reset my activations so I could get it to take. That's the only negative thing I have against Edge.
Blackcat
April 12th, 2009, 08:18 AM
-{ Quote: "It's probably not going to work. The activation is very very fickle. I've had it refuse to activate on an image restore of the same OS, same hard drive, same computer. Same with a reformat. It would come up that it can only be used on one computer. Even if the same computer but a new hard drive. Same copy of OS. It wouldn't activate. Luckily, Joe was able to reset my activations so I could get it to take. That's the only negative thing I have against Edge." }-
Thanks for the reply, Threedog ;)
I hope that Joe sees this post and confirms the above.
Threedog
April 12th, 2009, 08:33 AM
He will see it. I don't think the man ever sleeps.
One thing I forgot to add is if I do an image with Prevx installed and then restore that image that everything is ok. Don't know how it will work in your situation tho but Joe will have the answer.
Retadpuss
April 12th, 2009, 08:33 AM
Is there going to be a support forum on the Prevx site? This would be a good idea I think.
Blackcat
April 12th, 2009, 08:53 AM
-{ Quote: "He will see it. I don't think the man ever sleeps.
One thing I forgot to add is if I do an image with Prevx installed and then restore that image that everything is ok. Don't know how it will work in your situation tho but Joe will have the answer." }-
Just tried to activate my license key on another snapshot and everything went okay.
Just waiting for official confirmation that this is within the license terms :-X
crofttk
April 12th, 2009, 10:49 AM
Well, I certainly hope it is. It's not as if you can use both snapshots at the same time on the same machine.
Only problem I had was using FD-ISR to rebuild my wife's laptop from an empty snapshot, from the ground up: I sloppily gave the computer the same name but with one letter in the name lowercase instead of upper case. THEN I had an activation problem when I came to the Prevx install.
Even though I went to MyPrevx and activated the "old" machine and entered the "new" machine, I could never activate that snapshot until I went back and corrected the computer name to the same as that of the "old" computer.
Homeless
April 12th, 2009, 11:27 AM
What I need to know is how to remove version 3.1.0.0 from my system? I can't find an uninstaller. I tried Eset and liked it so much I bought it. When I did so I saw a quick message that Prevx was detected as a virus (I think that is what it said), not sure.
I have gone into safe mode and tried to remove it and thought I did, yet it remains in several folders of my system.
Any help to remove this program?
*edit* sorry forgot to include this in my post. I tried the removal tool but it was for the 2.0 version. It didn't seem to work for 3.0.
Blackcat
April 12th, 2009, 11:38 AM
If there is no entry for Edge in the Add/Remove programs you can uninstall it with the command line:
"c:\program files\prevx\prevx.exe" /prop UNINSTALL=Y
But their uninstaller (http://info.prevx.com/download.asp?grab=csiuninstalltool) has always worked for version 3 when I have used it.
The false positive with prevx has been reported previously (http://www.wilderssecurity.com/showthread.php?t=238817&highlight=prevx) so I am surprised it has not been fixed yet.
PrevxHelp
April 12th, 2009, 12:03 PM
Hello all,
I suspect that different snapshots WILL be OK to change between, as long as they are snapshots of the same original operating system. If for some reason you can't install properly, let me know and I'll see what we can do to help you out :)
Also, you should be able to always uninstall from the Control Panel, but in the event that it doesn't work, Blackcat's post is the correct troubleshooting progression :)
Blackcat
April 12th, 2009, 12:09 PM
Thanks for reporting back.
Yes it is just a simple backup snapshot of my original setup.
brihy1
April 12th, 2009, 11:35 PM
running a backup with Macrium Reflect Free, Prevx Edge gets disabled?
running prevx edge,windows firewall
vista basic
PrevxHelp
April 12th, 2009, 11:39 PM
-{ Quote: "running a backup with Macrium Reflect Free, Prevx Edge gets disabled?
running prevx edge,windows firewall
vista basic" }-
I'm not sure why it would and I'm unfamiliar with macrium reflect free, but I'll forward it onto our QA team to see if they can find anything :)
GabolaN
April 13th, 2009, 12:05 AM
Hi all
I have good news :) . Last week I ran Kaspersky, MBAM, DrWeb and Prevx, and only DrWeb and Prevx found an infection on a file (I don't remember now which virus it was). So, imagine how difficult it is to defeat MBAM and Kaspersky, and this time Prevx did it :thumb:
Just a little recommendation: Why don't you contact other ASAP sites and show Prevx to them? It would be an intelligent strategy to make Prevx more known in the Malware Removal Community :thumb:
softtouch
April 13th, 2009, 01:38 AM
Still getting this FP with a file at VT:
Prevx1 V2 2009.04.13 Medium Risk Malware Downloader
I thought prevx uses an online database, and I am wondering why my local prevx edge tells me the file is clean...
Baldrick
April 13th, 2009, 05:52 AM
Hi Joe
v3.0.1.52 has just appeared via auto update. Update was smooth as ever. Apart from link changes cannot see much difference with .50.
Any information available re. the changes between .50 > .52 ;D
Dark Star 72
April 13th, 2009, 06:13 AM
Updated to 52 after start up scan, very smooth - just a couple of seconds :)
So that seems to be my automatic update problem out of the way :thumb:
brihy1
April 13th, 2009, 10:17 AM
finding utorrent as bad?
galileo
April 13th, 2009, 10:27 AM
-{ Quote: "v3.0.1.52 has just appeared via auto update. Update was smooth as ever." }-
-{ Quote: "Updated to 52 after start up scan, very smooth - just a couple of seconds :) " }-
+2...same here...
galileo
PrevxHelp
April 13th, 2009, 10:28 AM
-{ Quote: "finding utorrent as bad?" }-
Probably a FP, but it would be useful to see the scan results (PM sent :)) to double check.
PrevxHelp
April 13th, 2009, 10:30 AM
The changelog in this build is: an improvement in the automatic updater, fixed a few minor bugs with the install logic, passwords are now accepted by hitting "Enter" on the query dialog, Total Infections Cleaned is now linked to the cleanup log (if you've cleaned infection), and a handful of changes to features not yet enabled ;D
PrevxHelp
April 13th, 2009, 10:33 AM
-{ Quote: "Still getting this FP with a file at VT:
Prevx1 V2 2009.04.13 Medium Risk Malware Downloader
I thought prevx uses an online database, and I am wondering why my local prevx edge tells me the file is clean..." }-
The scanner used on VT is different than the local scanner so it may perform marginally differently. They all do talk to the database, but they speak different "languages" based on what data they collect and because the VT scanner can only scan for a certain duration and can't see any behaviors, it has to function differently.
We have corrected the results for this file, however.
Blackcat
April 13th, 2009, 10:36 AM
Is there anywhere on the main Prevx website where we can check the latest version number?
brihy1
April 13th, 2009, 10:50 AM
-{ Quote: "Probably a FP, but it would be useful to see the scan results (PM sent :)) to double check." }-
log sent
PrevxHelp
April 13th, 2009, 10:59 AM
-{ Quote: "Is there anywhere on the main Prevx website where we can check the latest version number?" }-
Not currently, but the live version number is 3.0.1.40 and the newest beta version is 3.0.1.52 :)
Cretemonster
April 13th, 2009, 11:17 AM
Don't blame Joe on these last few FPs, those were all on me :(
Nice of him to fix them so quickly tho. ;)
mvdu
April 13th, 2009, 11:30 AM
I did a re-format of my computer, and get the "may only be used on one PC" again. I could see this on a new computer, but this computer is not new, so why do I get it? Is there a way to just activate the code I have?
PrevxHelp
April 13th, 2009, 11:38 AM
-{ Quote: "I did a re-format of my computer, and get the "may only be used on one PC" again. I could see this on a new computer, but this computer is not new, so why do I get it? Is there a way to just activate the code I have?" }-
If you sign up for an account on http://my.prevx.com you can enter in your license key and then go to the Manage PCs screen where you can remove the old computer from your license, which will let you then use your "new" computer on your license (reformatting changes the license data so it is effectively a new computer).
mvdu
April 13th, 2009, 11:48 AM
-{ Quote: "If you sign up for an account on http://my.prevx.com you can enter in your license key and then go to the Manage PCs screen where you can remove the old computer from your license, which will let you then use your "new" computer on your license (reformatting changes the license data so it is effectively a new computer)." }-
Thanks - makes it easier for sure.
Dark Star 72
April 13th, 2009, 11:57 AM
-{ Quote: "and a handful of changes to features not yet enabled ;D" }-
This week or next :shifty: 8)
raven211
April 13th, 2009, 12:02 PM
Seriously, if your license says for "1 PC", it should also be that. If I understand this correctly, you can't use the same license on two OSs of the same PC. Avira have done things correctly - their license really is for 1 PC. My first choice, Norton, also got this wrong - they got for 1 OS, not 1 PC which it should be, cause that's what they say. Another reason for me to switch from them.
Identify by MAC address, whatever - just make it right.
If I'm wrong in this case, sorry for going on. ;D
PrevxHelp
April 13th, 2009, 12:05 PM
-{ Quote: "Seriously, if your license says for "1 PC", it should also be that. If I understand this correctly, you can't use the same license on two OSs of the same PC. Avira have done things correctly - their license really is for 1 PC. My first choice, Norton, also got this wrong - they got for 1 OS, not 1 PC which it should be, cause that's what they say. Another reason for me to switch from them.
Identify by MAC address, whatever - just make it right.
If I'm wrong in this case, sorry for going on. ;D" }-
There is just no way to perfectly identify 1 PC, which is why we choose to use 1 OS. It does create an annoyance when moving between PCs or reformatting, but for the time being, there really isn't a way around it :-\
raven211
April 13th, 2009, 12:08 PM
Okay. Unfortunately I don't know how Avira does it... Personally I think you should write "OS" instead of "PC", even if I know it's probably so that every average Joe should understand it better - as those probably also never run more than one OS.
EDIT: Hang on... "no way to perfectly identify 1 PC"? A MAC address is only duplicated in case someone spoofs to hack themselves inside somewhere - it's completely unique. I bet it would be your best way of identifying usage of licenses.
mvdu
April 13th, 2009, 12:09 PM
-{ Quote: "There is just no way to perfectly identify 1 PC, which is why we choose to use 1 OS. It does create an annoyance when moving between PCs or reformatting, but for the time being, there really isn't a way around it :-\" }-
See if you can get the policy reviewed, as to me it seems a little heavy-handed. Just my feedback.
PrevxHelp
April 13th, 2009, 12:30 PM
-{ Quote: "Okay. Unfortunately I don't know how Avira does it... Personally I think you should write "OS" instead of "PC", even if I know it's probably so that every average Joe should understand it better - as those probably also never run more than one OS.
EDIT: Hang on... "no way to perfectly identify 1 PC"? A MAC address is only duplicated in case someone spoofs to hack themselves inside somewhere - it's completely unique. I bet it would be your best way of identifying usage of licenses." }-
MAC addresses can be changed on demand to whatever you want so they could either steal someone else's license or make their license invalid. Or, malware can do it to every user frequently and then we would have an absolute nightmare on our hands.
The problem is that a "PC" is really hard to define... is it the hard drive, is it the CPU, etc? Going off of hardware itself (CPU, etc.) causes FPs when hardware changes occur (as seen by Microsoft's WGA). However, a PC is probably best defined by the hard drive, but not all hard drive vendors expose a unique serial number to the OS (i.e. RAID arrays introduce a huge complexity in this identification - you'd need to literally write unique code for each vendor which would take a great deal of research/development effort) so there isn't a 100% way to get at a unique identity for the hard drive.
We have large corporate customers and although they are unlikely to abuse our licensing, if they had bought 10,000 PCs from the same vendor, with duplicate OS images on each, there is very little we can do to differentiate the individual computers so we have to use the best data we can get at.
We are doing preliminary research on a merged technique to reduce the number of complaints/allow multi-OS installations (as a significant majority of our customer service complaints are all license related :-\) but it is a tricky area to modify as it immediately affects every user.
A '1 OS' license is the correct metric currently but you are correct that the average user will be confused by this. Frankly, the number of users using multiple OSs is actually relatively low, especially with the use of virtual machines becoming more accepted by the community of users that likes multiple OSs.
Triple Helix
April 13th, 2009, 12:36 PM
-{ Quote: "See if you can get the policy reviewed, as to me it seems a little heavy-handed. Just my feedback." }-
I agree but I can say that I have reinstalled many times and now I have a 3 User License in which I have only 3 pc's to manage, I always have to contact support to remove the old so that I can install the new which they do without issue but it feels that I'm pestering them, I'm sure there is a better way to manage this Issue!
TH
Nett0pp
April 13th, 2009, 12:53 PM
-{ Quote: "The continued numerous FPs still bother me.:dry:" }-
I agree, its a major issue
Draco
lordpake
April 13th, 2009, 12:58 PM
What f/p's? As a more regular user of Edge, I haven't personally encountered 'numerous' f/p's. Frankly, I've had more false alarms from my resident AV so far than from Edge.
Edit: And those AV f/p's are result of me using higher than normal heuristics.
PrevxHelp
April 13th, 2009, 01:01 PM
-{ Quote: "I agree but I can say that I have reinstalled many times and now I have a 3 User License in which I have only 3 pc's to manage, I always have to contact support to remove the old so that I can install the new which they do without issue but it feels that I'm pestering them, I'm sure there is a better way to manage this Issue!
TH" }-
If you look at post 3420: http://www.wilderssecurity.com/showpost.php?p=1445252&postcount=3420 I outline some instructions on how to reset your license/remove a computer, but we aren't pestered by your requests! ;D
Triple Helix
April 13th, 2009, 01:06 PM
-{ Quote: "If you look at post 3420: http://www.wilderssecurity.com/showpost.php?p=1445252&postcount=3420 I outline some instructions on how to reset your license/remove a computer, but we aren't pestered by your requests! ;D" }-
Yes I have done that but now I cannot make any changes myself anymore because I did it so many times and there is some kind of limit! I have to contact support to remove the old so that I can install the new on a clean reinstall on the same PC. It is an Issue with most users here only like you said we do try a lot of different products and sometimes it messes our systems and we do a clean install.
Question: If I make an image with Prevx Edge installed and activated would that solve the problem?
PrevxHelp
April 13th, 2009, 01:08 PM
-{ Quote: "Yes I have done that but now I cannot make any changes myself anymore because I did it so many times and there is some kind of limit! I have to contact support to remove the old so that I can install the new on a clean reinstall on the same PC." }-
Ah ok :-\ In that case, feel free to send me your license if you need it reset or just use the support inbox ;D
Nett0pp
April 13th, 2009, 01:08 PM
-{ Quote: "What f/p's? As a more regular user of Edge, I haven't personally encountered 'numerous' f/p's. Frankly, I've had more false alarms from my resident AV so far than from Edge.
Edit: And those AV f/p's are result of me using higher than normal heuristics." }-
U d0 have a p0int lordpake...
Triple Helix
April 13th, 2009, 01:19 PM
-{ Quote: "Ah ok :-\ In that case, feel free to send me your license if you need it reset or just use the support inbox ;D" }-
Yes that is what I do and support has always done it without a problem :thumb:
Question: If I make an image with Prevx Edge installed and activated would that solve the problem?
PrevxHelp
April 13th, 2009, 01:29 PM
-{ Quote: "Yes that is what I do and support has always done it without a problem :thumb:
Question: If I make an image with Prevx Edge installed and activated would that solve the problem?" }-
Yes, I believe that will work. It does depend on what kind of image/how it actually images, but I think that would work :) (always worth trying anyway ;D)
Triple Helix
April 13th, 2009, 01:32 PM
-{ Quote: "Yes, I believe that will work. It does depend on what kind of image/how it actually images, but I think that would work :) (always worth trying anyway ;D)" }-
I will and let you know! ;)
PrevxHelp
April 13th, 2009, 01:39 PM
A quick note to anyone perusing our blog - the newest post: http://www.prevx.com/blog/120/MBR-rootkit-changes-itself-and-strikes-again.html refers to protection released later this week, but if you're using the beta, you already have this additional scanning/cleanup/protection active :)
mvdu
April 13th, 2009, 01:57 PM
-{ Quote: "A quick note to anyone perusing our blog - the newest post: http://www.prevx.com/blog/120/MBR-rootkit-changes-itself-and-strikes-again.html refers to protection released later this week, but if you're using the beta, you already have this additional scanning/cleanup/protection active :)" }-
Will the new release have fewer FPs?
I'm glad Prevx at least doesn't give their users a problem when they re-format or switch computers.
PrevxHelp
April 13th, 2009, 02:07 PM
-{ Quote: "Will the new release have fewer FPs?
I'm glad Prevx at least doesn't give their users a problem when they re-format or switch computers." }-
Yes, this release fixes the MBR FPs we were having in a previous beta on the agent side and we're going through all of the FP reports from the last month as we speak to try and track down what caused them :)
trjam
April 13th, 2009, 03:05 PM
It happened about the time you cranked your heuristics up for Conficker it seems.
raven211
April 13th, 2009, 03:20 PM
-{ Quote: "MAC addresses can be changed on demand to whatever you want so they could either steal someone else's license or make their license invalid. Or, malware can do it to every user frequently and then we would have an absolute nightmare on our hands.
The problem is that a "PC" is really hard to define... is it the hard drive, is it the CPU, etc? Going off of hardware itself (CPU, etc.) causes FPs when hardware changes occur (as seen by Microsoft's WGA). However, a PC is probably best defined by the hard drive, but not all hard drive vendors expose a unique serial number to the OS (i.e. RAID arrays introduce a huge complexity in this identification - you'd need to literally write unique code for each vendor which would take a great deal of research/development effort) so there isn't a 100% way to get at a unique identity for the hard drive.
We have large corporate customers and although they are unlikely to abuse our licensing, if they had bought 10,000 PCs from the same vendor, with duplicate OS images on each, there is very little we can do to differentiate the individual computers so we have to use the best data we can get at.
We are doing preliminary research on a merged technique to reduce the number of complaints/allow multi-OS installations (as a significant majority of our customer service complaints are all license related :-\) but it is a tricky area to modify as it immediately affects every user.
A '1 OS' license is the correct metric currently but you are correct that the average user will be confused by this. Frankly, the number of users using multiple OSs is actually relatively low, especially with the use of virtual machines becoming more accepted by the community of users that likes multiple OSs." }-
I still don't get this... with the MAC address I only mean the physical address being the real unique online identity of every system, with the exception of spoofing and changing packets. If it's gone that far we've come a long way in the process. Please tell me if I've missed something in what I think are facts... I'm only here to learn new things. :)
PrevxHelp
April 13th, 2009, 03:47 PM
-{ Quote: "I still don't get this... with the MAC address I only mean the physical address being the real unique online identity of every system, with the exception of spoofing and changing packets. If it's gone that far we've come a long way in the process. Please tell me if I've missed something in what I think are facts... I'm only here to learn new things. :)" }-
I'm no expert on MAC addresses, but as far as I know, you can change it at will and there isn't a way to actually identify the original address once changed. I may be wrong with this, but from what I've heard from a few different sources, MAC addresses are not reliable for software licensing.
raven211
April 13th, 2009, 03:54 PM
MAC address, or the physical address, is called just that - the "physical" address, because it's attached to the network device of a PC. It literally can't be changed. However, it CAN be spoofed - say in order to hack someone's network - and by spoofing it change the packets that are sent so that the router, or whatever is used, thinks the packets are valid and will let them through, but the MAC address will always remain the same, even for that PC.
When you've come that far in a hacking process, and that's the only case I know of "spoofing" a MAC address, you really wanna hack that location, cause it takes time. The real physical address, which is unique, can never be "changed".
galileo
April 13th, 2009, 04:17 PM
-{ Quote: "...I may be wrong with this, but from what I've heard from a few different sources, MAC addresses are not reliable for software licensing." }-
-{ Quote: "...When you've come that far in a hacking process, and that's the only case I know of "spoofing" a MAC address, you really wanna hack that location, cause it takes time. The real physical address, which is unique, can never be "changed"." }-
It would seem that the real issue here is protection of Prevx's licensing versus the user's ease of use. In the interest of parsing the two, how probable is it that any meaningful percentage of the paid user base would a) actually spoof/hack their MAC address for the purpose of a Prevx license and/or b) actually be interested/sophisticated enough to find out how to spoof/hack their MAC address...?
Assuming that the percentage of likely paid users is suitably small (i.e. the potential revenue loss would be suitably small), then would it not be reasonable to make a judgment on the side of licensing on the basis of something as simple as the MAC address...?...or perhaps a hash composed of MAC, HD, or other hardware item address/serial number...Thus, simplifying the use of Prevx on one "machine" (i.e. hardware "set" so to speak) rather than attempting to monitor on a more sophisticated level that only results in a relatively small percentage of the paid user base actually being stopped from illegal use but, results in all users having potential reinstall or multiple OS issues...???...just some thoughts....::)
galileo
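Galileo's idea of keying a license to a hash of several hardware identifiers, together with Joe's two objections (a MAC can be rewritten at will, and some drives or RAID arrays expose no serial), can be sketched as a fingerprint that tolerates one changed component. This is an added example, not Prevx's licensing code; the HardwareInfo fields, the "two of three must match" rule and every hardware value below are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class HardwareInfo:
    """Identifiers a licensing agent might collect (all values constructed)."""
    mac_address: str            # primary NIC; user- or malware-changeable
    disk_serial: Optional[str]  # None when the vendor or a RAID array exposes none
    cpu_id: str                 # e.g. a CPUID vendor/signature string


def _digest(label: str, value: str) -> str:
    # Hash each component on its own, so the server stores no raw identifiers
    # and a single changed component only changes a single stored hash.
    normalised = value.strip().lower()
    return hashlib.sha256(f"{label}:{normalised}".encode("utf-8")).hexdigest()


def fingerprint(hw: HardwareInfo) -> Dict[str, str]:
    """Per-component hashes; a component the OS cannot read is simply omitted."""
    fp = {
        "mac": _digest("mac", hw.mac_address),
        "cpu": _digest("cpu", hw.cpu_id),
    }
    if hw.disk_serial:
        fp["disk"] = _digest("disk", hw.disk_serial)
    return fp


def same_machine(stored: Dict[str, str], current: Dict[str, str],
                 min_matches: int = 2) -> bool:
    """True when at least min_matches components agree.

    Only components present on both sides are compared, so a drive that
    exposes no serial neither counts for nor against the machine. Requiring
    two agreeing components means that copying one identifier (a spoofed MAC)
    onto another box is not enough, while swapping one part (new drive, new
    NIC) still re-activates without a support ticket. No OS-install value is
    used, so a reformat of the same hardware leaves the fingerprint unchanged.
    """
    comparable = set(stored) & set(current)
    matching = sum(1 for key in comparable if stored[key] == current[key])
    return matching >= min_matches


# Constructed scenarios mirroring the thread: base machine, reformat,
# MAC changed, new hard drive, a RAID box, and a different PC reusing the MAC.
BASE = HardwareInfo("00:11:22:33:44:55", "WD-WCC4E1234567", "GenuineIntel-0x106E5")
STORED = fingerprint(BASE)


def scenario_results() -> Dict[str, bool]:
    mac_changed = HardwareInfo("de:ad:be:ef:00:01", BASE.disk_serial, BASE.cpu_id)
    new_drive = HardwareInfo(BASE.mac_address, "NEW-DRIVE-0001", BASE.cpu_id)
    raid_no_serial = HardwareInfo(BASE.mac_address, None, BASE.cpu_id)
    other_pc_same_mac = HardwareInfo(BASE.mac_address, "ST3500-OTHER-PC", "AuthenticAMD-0x100F42")
    return {
        "reformat_same_hardware": same_machine(STORED, fingerprint(BASE)),
        "mac_changed": same_machine(STORED, fingerprint(mac_changed)),
        "new_drive": same_machine(STORED, fingerprint(new_drive)),
        "raid_no_serial": same_machine(STORED, fingerprint(raid_no_serial)),
        "other_pc_same_mac": same_machine(STORED, fingerprint(other_pc_same_mac)),
    }


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name:24s} -> {'activates' if ok else 'refused'}")
```

The threshold is the knob Joe describes: raising it toward "all components" behaves like WGA and refuses after any hardware change, lowering it to one lets a copied MAC carry a license to another box.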
Triple Helix
April 13th, 2009, 04:38 PM
-{ Quote: "Yes, I believe that will work. It does depend on what kind of image/how it actually images, but I think that would work :) (always worth trying anyway ;D)" }-
It works very well using an Image on a clean Disk and no problems as Prevx 3.0 stays activated :thumb:
TH
PatG
April 13th, 2009, 05:19 PM
-{ Quote: "
Question: If I make an image with Prevx Edge installed and activated would that solve the problem?" }-
Yes Triple, that WILL work. Have restored at least 3 times using TrueImage and upon boot up, everything was just as it was before. NO hiccups! ;)
EDIT: OOPS, ya beat me to it.
ExCavTanker
April 13th, 2009, 06:38 PM
-{ Quote: "The changelog in this build is: an improvement in the automatic updater, fixed a few minor bugs with the install logic, passwords are now accepted by hitting "Enter" on the query dialog, Total Infections Cleaned is now linked to the cleanup log (if you've cleaned infection), and a handful of changes to features not yet enabled ;D" }-
Wow that was fast implementing my request for the infections cleaned link!
PrevxHelp
April 13th, 2009, 07:10 PM
-{ Quote: "Wow that was fast implementing my request for the infections cleaned link!" }-
We take all suggestions very seriously ;D
firzen771
April 13th, 2009, 07:37 PM
-{ Quote: "We take all suggestions very seriously ;D" }-
thats a good thing to hear :)
fce
April 13th, 2009, 07:57 PM
-{ Quote: "We take all suggestions very seriously ;D" }-
my suggestion is release the new version before my trial expires this thursday. ;)
softtouch
April 14th, 2009, 02:42 AM
Why does the button "View Threats" always initiate a new scan instead of showing me the threats it found?
galileo
April 14th, 2009, 08:54 AM
-{ Quote: "Why does the button "View Threats" always initiate a new scan instead of showing me the threats it found?" }-
@PrevxHelp
I tend to agree with the above comment as well. A "View Threats" button would intuitively lead one to think that it would present a "review" or a "log" of what threats had been found as of that moment....i.e. before another scan. It would seem - IMHO - that given that a "Scan" button already exists, one would assume that there is/was a difference between "Scan" and "View Threats". Initiating a scan upon clicking the "View Threats" is not what one would expect...albeit from my limited perspective...:argh:
galileo
PrevxHelp
April 14th, 2009, 08:56 AM
The View Threats button "should" lead to a screen which lists the threats. Could you let me know what build you're using so I can try and track down what might be wrong?
galileo
April 14th, 2009, 09:36 AM
-{ Quote: "The View Threats button "should" lead to a screen which lists the threats. Could you let me know what build you're using so I can try and track down what might be wrong?" }-
This behavior was occurring under the 3.0.1.50 build (sorry, I should have noted that in my post) - I have not had any threat issues show up as yet under the 52 or 53 builds.
galileo
trjam
April 14th, 2009, 04:19 PM
Damn Joe, thread needs a bump.:dry:
PrevxHelp
April 14th, 2009, 04:20 PM
-{ Quote: "Damn Joe, thread needs a bump.:dry:" }-
Well, I was waiting to see if anyone would complain about the newest build, 3.0.1.55, with the new, less washed-out GUI ;D
trjam
April 14th, 2009, 04:22 PM
well then, that is a good thing. Also reports of FPs are down and that is good. Edge burped, it was time.:thumb:
LoneWolf
April 14th, 2009, 04:32 PM
-{ Quote: "Well, I was waiting to see if anyone would complain about the newest build, 3.0.1.55, with the new, less washed-out GUI ;D" }-
Is the right click scanning working now with the new beta 3.0.1.55?
With 3.0.1.52 it was not.
Also I assume the FP's associated with Rollback Rx are fixed ???
PrevxHelp
April 14th, 2009, 04:34 PM
-{ Quote: "Is the right click scanning working now with the new beta 3.0.1.55?
With 3.0.1.52 it was not.
Also I assume the FP's associated with Rollback Rx are fixed ???" }-
Yes and yes :)
LoneWolf
April 14th, 2009, 04:37 PM
-{ Quote: "Yes and yes :)" }-
Thanks :thumb:
raven211
April 14th, 2009, 04:47 PM
-{ Quote: "Yes and yes :)" }-
Are the GUI changes there? ;D
PrevxHelp
April 14th, 2009, 04:50 PM
-{ Quote: "Are the GUI changes there? ;D" }-
Yes :) The odd color is now toned down and it looks better all around IMO :)
raven211
April 14th, 2009, 05:00 PM
-{ Quote: "Yes :) The odd color is now toned down and it looks better all around IMO :)" }-
Cool, it looks awesome - tell the creator that. ;D Only thing I don't get is the thing on the right, if you know what I mean..? Is that also a part of it, which just goes behind the main-content of Prevx?
Retadpuss
April 14th, 2009, 05:30 PM
Looks much better now. Running perfectly on my system, no FPs in ages.
trjam
April 14th, 2009, 05:31 PM
Chit, I just got infected. I went to the F-Secure blog and visited the site they showed. Yeah it lead to porno but I ran a scan afterwards and it showed nothing. Now when I try to go somewhere, or actually this is the 3rd time I have tried to post this, I get this
http://billingpayment.net/pp/?id=226
This sucks as F-Secure is what is loaded. Damn, I can't even fathom this.:thumbd:
Baldrick
April 14th, 2009, 05:44 PM
-{ Quote: "Looks much better now. Running perfectly on my system, no FPs in ages." }-
+1 :thumb:
.55 sitting here quietly minding the shop...as they say. ;D No new or old FPs as far as I can make out so far, even when trying to force them. ;D
Can't wait for the beta with the new functionality the promise of which Joe has been torturing us with for the last few weeks. :doubt: ;D
PrevxHelp
April 14th, 2009, 05:55 PM
-{ Quote: "+1 :thumb:
.55 sitting here quietly minding the shop...as they say. ;D No new or old FPs as far as I can make out so far, even when trying to force them. ;D
Can't wait for the beta with the new functionality the promise of which Joe has been torturing us with for the last few weeks. :doubt: ;D" }-
The large set of new functionality is still a few weeks away :-\ The Prevx 3.0 release (of 3.0.1.55) is scheduled for tomorrow then we're going to continue developing through the new features :)
They're getting close, but we don't want to release anything unfinished :)
PrevxHelp
April 14th, 2009, 05:59 PM
-{ Quote: "Cool, it looks awesome - tell the creator that. ;D Only thing I don't get is the thing on the right, if you know what I mean..? Is that also a part of it, which just goes behind the main-content of Prevx?" }-
The right blob is a continuation of the curve behind the main content which starts at the bottom and continues up, reaching a maximum mid-way through the Security Status area and falls/shrinks as it reaches the right side.
I hope that helps, trying to describe partially obscured non-regular Bézier curves layered behind a rounded rectangle isn't exactly my area of expertise ;D
trjam
April 14th, 2009, 05:59 PM
ok, here is what Edge just found. I can assure you one is the Twitter worm.
Retadpuss
April 14th, 2009, 06:00 PM
-{ Quote: "Chit, I just got infected. I went to the F-Secure blog and visited the site they showed. Yeah it lead to porno but I ran a scan afterwards and it showed nothing. Now when I try to go somewhere, or actually this is the 3rd time I have tried to post this, I get this
http://billingpayment.net/pp/?id=226
This sucks as F-Secure is what is loaded. Damn, I can't even fathom this.:thumbd:" }-
The problem is these rogues change so frequently that AMs find it hard to keep up.
I recently tested Edge, MBAM, SAS, Avira and F-Secure against 10 rogues - all 10 installed and running on a system and also another test with them being installed whilst one of the AV/AMs was active. SAS only found 2 and removed them, MBAM found four, but destroyed the system trying to remove them, Avira got all of them and removed them all, F-Secure got six and Edge got them all. Interestingly, Edge would allow some of them to install - and then find them. Other times, Edge allowed them to install AND run. In all cases, Edge found them on a system scan and was able to remove them all.
In every case when Edge missed a rogue installing, Zemana detected it.
My advice would be:
1) Always run your browser in a sandbox (I use sandboxie) - If you use Vista, Always use UAC and use protected mode with IE (but Sandboxie is better)
2) Use a traditional HIPS like Zemana - it does catch things Edge misses.
If you want to go mad - use Returnil as well!
Does edge detect anything when you do a on demand scan?
Try rebooting and then doing a scan with Edge.
EDIT________________________________________________
@trjam - I see Edge has the blighter already!
PrevxHelp
April 14th, 2009, 06:02 PM
-{ Quote: "ok, here is what Edge just found. I can assure you one is the Twitter worm." }-
After running through a cleanup, could you send me a scan log via email? I'll double check that we've cleaned everything up.
trjam
April 14th, 2009, 06:04 PM
will do
PrevxHelp
April 14th, 2009, 06:06 PM
-{ Quote: "The problem is these rogues change so frequently that AMs find it hard to keep up.
I recently tested Edge, MBAM, SAS, Avira and F-Secure against 10 rogues - all 10 installed and running on a system and also another test with them being installed whilst one of the AV/AMs was active. SAS only found 2 and removed them, MBAM found four, but destroyed the system trying to remove them, Avira got all of them and removed them all, F-Secure got six and Edge got them all. Interestingly, Edge would allow some of them to install - and then find them. Other times, Edge allowed them to install AND run. In all cases, Edge found them on a system scan and was able to remove them all." }-
Chances are that in this case, you may have been an early user to see them. We're working on keeping up with the rogues and adding detection for quite a few new ones every day so that could explain why it got past the first line of defense. Also, the rogues have changed their methodology to move away from actually installing malware and are now primarily using social engineering, which is jarringly effective :(
If you do see any which we don't find, let me or any other Prevx member know and we'll investigate. These rogue AVs unfortunately do require manual analysis in almost all cases but we're working on finding similarities between them (some of them are developed by the same people) to detect them more heuristically.
Retadpuss
April 14th, 2009, 06:14 PM
-{ Quote: "Chances are that in this case, you may have been an early user to see them. We're working on keeping up with the rogues and adding detection for quite a few new ones every day so that could explain why it got past the first line of defense. Also, the rogues have changed their methodology to move away from actually installing malware and are now primarily using social engineering, which is jarringly effective :(
If you do see any which we don't find, let me or any other Prevx member know and we'll investigate. These rogue AVs unfortunately do require manual analysis in almost all cases but we're working on finding similarities between them (some of them are developed by the same people) to detect them more heuristically." }-
I was stunned to see how many rogues there are - hundreds of them! Also, they change so frequently. One that Edge detected one week was undetected a week later (on install).
I will probably do another test in a few days and will let you know if any slip by. I will PM you a list of URLs for these rogues as well at some point, so your team can have a look.
PrevxHelp
April 14th, 2009, 06:21 PM
-{ Quote: "I was stunned to see how many rogues there are - hundreds of them! Also, they change so frequently. One that Edge detected one week was undetected a week later (on install).
I will probably do another test in a few days and will let you know if any slip by. I will PM you a list of URLs for these rogues as well at some point, so your team can have a look." }-
Thanks :) It is quite incredible how popular they are... and how good some of them look compared to commercial AVs :P
a320ca
April 14th, 2009, 07:07 PM
Joe, 3.0.1.55 looking good here! ;D :thumb:
Triple Helix
April 14th, 2009, 07:42 PM
-{ Quote: "Joe, 3.0.1.55 looking good here! ;D :thumb:" }-
I agree looking real good! ;)
TH
Tarnak
April 14th, 2009, 09:03 PM
Looking good here, too! ;D
PrevxWebDesigner
April 15th, 2009, 04:55 AM
-{ Quote: "Cool, it looks awesome - tell the creator that. ;D Only thing I don't get is the thing on the right, if you know what I mean..? Is that also a part of it, which just goes behind the main-content of Prevx?" }-
To help you envisage why it looks "weird", here's a screenshot of the background alone without the "content area" covering it :)
http://img2.imageshack.us/img2/2971/p3gui.jpg
I originally wanted the main content area to be semi transparent so that you could see the background faintly through it, but Joe was scared of breaking the 1MB boundary. He's the bane of my graphical existence! ;)
PnP
April 15th, 2009, 05:11 AM
Why is my version 3.0.1.40? :(
LoneWolf
April 15th, 2009, 05:48 AM
-{ Quote: "Why is my version 3.0.1.40? :(" }-
3.0.1.55 is still beta.
3.0.1.40 is the last stable final release.
PnP
April 15th, 2009, 06:13 AM
-{ Quote: "3.0.1.55 is still beta.
3.0.1.40 is the last stable final release." }-
Thank you so much... is it possible to test the beta?
crofttk
April 15th, 2009, 09:00 AM
-{ Quote: "Thank you so much... is it possible to test the beta?" }-
Send a PM to PrevxHelp
trjam
April 15th, 2009, 09:03 AM
but he did say .55 should be released today to all.
Franklin
April 15th, 2009, 09:16 AM
All I have to say on PrevX Edge is that it's as good as any other blacklist scanner which ain't that good.
The virut samples I submitted a while back are detected now but would have gone through any and all blacklist scanners and destroyed any system at the time including Prevx.
Wanna see some detection rates of blacklists scanners?
http://www.malwarebytes.org/forums/index.php?showforum=30
PrevxHelp
April 15th, 2009, 09:41 AM
-{ Quote: "All I have to say on PrevX Edge is that it's as good as any other blacklist scanner which ain't that good.
The virut samples I submitted a while back are detected now but would have gone through any and all blacklist scanners and destroyed any system at the time including Prevx.
Wanna see some detection rates of blacklists scanners?
http://www.malwarebytes.org/forums/index.php?showforum=30" }-
Virut is a very difficult infection for any AV to handle - it's a polymorphic file infector which has hundreds of variants.
Edge may be "as good as any other blacklist scanner" on this particular infection, (which is incorrect as Edge isn't a blacklist scanner, but regardless ;)) but nothing is 100% and a product can't be judged on a single sample.
Edge also has realtime protection which would most likely have blocked the infection - scanning a file on-demand is not an accurate assessment of Edge's abilities.
However, if you do still have a sample which gets past us, please let me or EraserHW know and we will investigate why and add protection :)
Franklin
April 15th, 2009, 09:58 AM
Fair go PrevxHelp, your app is like any other that uses blacklists and or heuristics.
Enough is enough, blacklists have no security at all.
Stop kidding yourself and most others as I really feel like classing blacklist scanners as rogue apps seeing they really can't keep anyone safe.
Want to be safe then Sandboxie, Returnil, Defensewall and or Shadow Defender are the way to go, along with images and data backups to externals.
PrevxHelp
April 15th, 2009, 10:02 AM
-{ Quote: "Enough is enough, blacklists have no security at all." }-
Hmm.... I tend to doubt that statement ;D But regardless, the security provided by blacklists (which we use only as a supplement to our other technology) is not 100% - we are all well aware of that - but neither is any other type of security.
You may want to unplug your computer and turn it off if you're looking for perfection :)
Franklin
April 15th, 2009, 10:17 AM
-{ Quote: "Hmm.... I tend to doubt that statement ;D But regardless, the security provided by blacklists (which we use only as a supplement to our other technology) is not 100% - we are all well aware of that - but neither is any other type of security.
You may want to unplug your computer and turn it off if you're looking for perfection :)" }-
ah ah, PrevxHelp, after about 2 gig of downloading/testing malware samples in the last twelve months, including those virut samples that went straight through your and all other blacklist scanners then I'll stick by my statement that if you want to be really safe then use the apps in my siggy or Defensewall and Shadow Defender!
And besides I have several installs on several hard drives each over several PC's and I still employ ghost images on all of em!:blink:
sded
April 15th, 2009, 10:19 AM
Edge 55 reports Online Armor GUI for the latest 3.5.0.8 beta as a threat - see attached. Should I just right-click the entries and report as false positive, or would you like to see something else? High heuristics picture added.
PrevxHelp
April 15th, 2009, 10:27 AM
-{ Quote: "Edge 55 reports Online Armor GUI for the latest 3.5.0.8 beta as a threat - see attached. Should I just right-click the entries and report as false positive, or would you like to see something else? High heuristics picture added." }-
PM sent :)
Saraceno
April 15th, 2009, 10:35 AM
Regarding sandboxie, returnil and shadow defender, awesome programs which all users can benefit from.
However, to keep a file, a user using those products still doesn't know if the file or install is safe.
Defensewall, another awesome product which stops ALL infections on a user's system. Thoroughly recommend it.
But if it's preventing malware doing harm to the 'user's system', and I might be wrong on this, as the user's system isn't being affected by files which could very well be malware, would it prevent a user copying malware files say to another user, eg 'here, my files are safe, here you go dad, install these files from my USB'.
In my opinion, you still need a blacklist, or whatever type scanner, to check the files, and ensure the files to be kept/saved are clean (when you're using sandboxie, returnil, shadow defender, or defensewall). Sure blacklist is not 100 per cent protection, but to me, it's better than having no blacklist scanner. :)
PrevxHelp
April 15th, 2009, 10:42 AM
-{ Quote: "Edge 55 reports Online Armor GUI for the latest 3.5.0.8 beta as a threat - see attached. Should I just right-click the entries and report as false positive, or would you like to see something else? High heuristics picture added." }-
False positive fixed, and we fixed the signature which has been catching other OA betas as well so it shouldn't happen in the future :)
PrevxHelp
April 15th, 2009, 10:50 AM
-{ Quote: "Regarding sandboxie, returnil and shadow defender, awesome programs which all users can benefit from.
However, to keep a file, a user using those products still doesn't know if the file or install is safe." }-
This is very true and I know that the developers of these products recommend that their solution be used alongside other security solutions as well. The reason is that it's very hard to save users from themselves :) Once you do trust a program, it is allowed through. If you download a new program which you want to install and it doesn't work inside the sandbox/untrusted environment for some reason or if it requires driver installation, etc. you will be forced to take it out of the sandbox and install it onto the system.
Programs like the ones mentioned above will protect you very well if you know the answer to the questions they ask before they ask them. If you are an average, non-technical user you would not know how to answer the prompts correctly and most likely let something through which should have been blocked if you did want to use it.
Malicious software can come from legitimate vendors and from legitimate sources - one famous example being the Sony Rootkit. A user wanting to listen to their CDs would be forced to install a rootkit onto their system. After having bought a CD from a store, it's generally assumed that it is legitimate so it would be allowed through a sandbox so that the CD would work properly and then the user would be infected.
"Blacklisting" solutions and all of the non-default-deny programs on the market all work on automating the decision process to appeal to a majority of the users. If every user cared enough to learn the ins and outs of computer security and kept up on the newest threats by reading forums like Wilders, we would have FAR fewer problems today. However, they don't and they won't because computer security should be silent and automatic rather than requiring research by the user - that's what they're paying the companies to do for them :)
sded
April 15th, 2009, 10:55 AM
Thanks Joe; rescanned and all is well again. :)
a320ca
April 15th, 2009, 11:30 AM
3.0.1.56 up and running. :thumb:
Jadda
April 15th, 2009, 12:08 PM
No more Prevx CSI - free malware remover? :-\ Only detect, but doesn't remove?
PrevxHelp
April 15th, 2009, 12:18 PM
-{ Quote: "No more Prevx CSI - free malware remover? :-\ Only detect, but doesn't remove?" }-
CSI has only offered free cleanup for adware infections and the MBR rootkit but it detects other threats for free. We offer the cleanup as a service where we guarantee that we will remove all of the threats (and if we don't one of our engineers will assist you to clean it up) so we have to charge a small fee for it to remain economical :)
PrevxHelp
April 15th, 2009, 12:19 PM
Prevx 3.0 is now officially released and v3.0.1.56 is available to the public :) Existing users will upgrade over the next day or two as we get confirmation that various AVs correct their FPs against our new build and that everything is working well for new users.
Please let me know if you have any questions about the transition or the new product!
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums