Introducing, The New Prevx Edge.

rdsu
May 21st, 2009, 02:30 PM
{QUOTE-> I am sorry you feel this way but the charts will remain as long as vendors continue to use terminology like "total protection" in their product names and misrepresent their own detection to mislead users into thinking that they can use their product and be completely protected from all threats. We are taking a stance on this and are not going to change the graphs until the other vendors change their marketing or change the way that their products work - users should be encouraged to use more than one security product but the major vendors prevent this from happening conceptually when they CAN engineer their products to work nicely alongside other security products (we have!).

No protection is 100%, not us, not anyone and until we hear other vendors going around admitting that, we will have to continue to show the raw data about the threats to prove it is true.

And regarding Prevx's own detection rates - sure it is possible that other vendors are deciding not to post the results for their own reasons, but what if they don't want the world to see the truth behind results :doubt: <-QUOTE}
I can't believe that I really see this!!!

You (Prevx) seem like children!
"If the others do this, I will do the same. Period!"

Do you know what professionalism and ethics are, and what it means to have your own identity!!!???

You have a good product, with potential, but this behaviour is unacceptable from you or any other company.

raven211
May 21st, 2009, 02:35 PM
{QUOTE-> I can't believe that I really see this!!!

You (Prevx) seem like children!
"If the others do this, I will do the same. Period!"

Do you know what professionalism and ethics are, and what it means to have your own identity!!!???

You have a good product, with potential, but this behaviour is unacceptable from you or any other company. <-QUOTE}

I know that it's misleading, and that applies to me as well. I dunno why it's there in the first place... :wacko: :dry:

rdsu
May 21st, 2009, 02:36 PM
{QUOTE-> Your statistics are in fact meaningless, and can only mislead the uninformed. Just because your product detected an infection does not mean other security software installed on customers' machines missed it. Putting aside for now the truth(?) that your product is reporting back to you what other software users have installed (in which case be very careful you are complying with laws in respective countries, and honouring your users' privacy), there's no way that your product can really know whether other security products 'missed' threats, completely undermining your claimed reasons for publishing these statistics you compile. <-QUOTE}
I didn't think about this, but you are completely right!!!

This is even worse! :thumbd:

PrevxHelp
May 21st, 2009, 02:41 PM
{QUOTE-> You talk about 'truth', but what you talk of here is an irrelevance - how many of your competitors actually claim they provide 100% protection against threats? <-QUOTE}

Quite a few:
"McAfee Total Protection 2009"
"BitDefender Total Security 2009"
CA - "Total Protection Internet Security Suite" (http://shop.ca.com/malware/internet_security_suite.aspx)

and those are just in the product names. Total = complete = 100% = "you don't need anything else".


{QUOTE-> Your statistics are in fact meaningless, and can only mislead the uninformed. <-QUOTE}

I disagree - our statistics are based on real world data, unlike many other AV tests which are based on old samples or samples not actually affecting users.

{QUOTE-> Just because your product detected an infection does not mean other security software installed on customers' machines missed it. <-QUOTE}

This is true in > 99.999% of cases, so yes it does. Even if you were to apply a monumental false positive rate of 1% in this data, the statistics would remain the same. To put a 1% false positive rate into perspective, we scan about 30,000 files on each PC so we would be detecting 300 files on every PC as malicious. Or, on the other side, of our 6,000,000 users, 60,000 would be complaining of false positives.

And note: the charts are based on the data for THAT DAY - threats seen within the last 24 hour window, so 1% would be 1% per day, meaning 60,000 new people complaining every 24 hours... I suspect we would have been out of business years ago ;)

{QUOTE-> Putting aside for now the truth(?) that your product is reporting back to you what other software users have installed (in which case be very careful you are complying with laws in respective countries, and honouring your users' privacy) <-QUOTE}

Yes it is - and we clearly state this in our EULA and privacy terms. The information about what security product the user is using is very important to gauge our detection. For instance, if the user does not have any other security product installed, we automatically apply stronger heuristics as the user statistically has more of a chance of already being infected.

{QUOTE-> there's no way that your product can really know whether other security products 'missed' threats, completely undermining your claimed reasons for publishing these statistics you compile. <-QUOTE}

The existence of a threat on a PC secured by that AV is proof that it is infected.

I'm surprised at the sudden "outrage" against these statistics but I think it would be worth interpreting them for what they are, and feel free to look through the filenames and information shown to see if there is anything which looks misleading. The simple fact is that we have found infections on these PCs and there really isn't any further way of interpreting it. No solution is 100% and we're trying to help convey that.

Retadpuss
May 21st, 2009, 02:54 PM
{QUOTE-> I can't believe that I really see this!!!

You (Prevx) seem like children!
"If the others do this, I will do the same. Period!"

Do you know what professionalism and ethics are, and what it means to have your own identity!!!???

You have a good product, with potential, but this behaviour is unacceptable from you or any other company. <-QUOTE}

I can't see what the problem is. The chart makes perfect sense to me and is not misleading in any way.

There is even an explanation there:

"The Security Vendor chart displayed above shows, in simple terms, a total count of malicious programs found yesterday by Prevx products on PCs protected by security products supplied by each of the vendors shown.

You should expect to see a higher number against the more popular security vendors because we see more of these users and consequently a higher number of malware infections."

They are simply stating facts and go to the trouble of explaining them in detail.

I can't see how anyone could have an issue with this or fail to understand it - unless they have a hidden agenda?

It seems to me there are too many people in the business who don't like being confronted with facts and resort to accusations and insults when these facts don't fit with what they want.

rdsu
May 21st, 2009, 03:02 PM
{QUOTE-> I can't see what the problem is. The chart makes perfect sense to me and is not misleading in any way.

There is even an explanation there:

"The Security Vendor chart displayed above shows, in simple terms, a total count of malicious programs found yesterday by Prevx products on PCs protected by security products supplied by each of the vendors shown.

You should expect to see a higher number against the more popular security vendors because we see more of these users and consequently a higher number of malware infections."

They are simply stating facts and go to the trouble of explaining them in detail.

I can't see how anyone could have an issue with this or fail to understand it - unless they have a hidden agenda?

It seems to me there are too many people in the business who don't like being confronted with facts and resort to accusations and insults when these facts don't fit with what they want. <-QUOTE}
:argh:

OK, I admit, I work for all the companies on the chart!!! Do me a favor...

I already explained, and very well, what the issue is, and I also gave constructive feedback on it.
I know my English isn't the best, but you can make a small effort and read it again... ;)

spm
May 21st, 2009, 03:11 PM
{QUOTE-> Quite a few:
"McAfee Total Protection 2009"
"BitDefender Total Security 2009"
CA - "Total Protection Internet Security Suite" (http://shop.ca.com/malware/internet_security_suite.aspx)

and those are just in the product names. Total = complete = 100% = "you don't need anything else".

<-QUOTE}

You are just playing word games. The same rubbishing of your own words is no more difficult for others to achieve, you know.

{QUOTE-> I disagree - our statistics are based on real world data, unlike many other AV tests which are based on old samples or samples not actually affecting users. <-QUOTE}
And so are many other statistics (based on real world data, that is). That doesn't make them right, and they are often - when they are used for marketing purposes, like yours, they are in fact nearly always - misleading. Intentionally so. It is how statistics are presented which gives them credibility and/or relevance, or conversely makes them as misleading as yours are. Often it is what is not said that is the most important. In your case you do not make it clear, for instance, that you are quite unable, in truth, to anywhere near prove that the threats were 'missed' by the stated security products. There are lots of reasons why you can't prove it, such as other products not actually catching purported threats until the executable parts of them actually try to run, or whether indeed the threats you talk about are indeed 'threats': other vendors (and users) may feel what you are classifying as a threat is wrong. Witness users here, even, criticising your detection of many of the NirSoft utilities. Also, just because your product sees the threat before another product does not necessarily mean the other product missed it: it may just be as simple as your product scanning the file(s) first. Indeed, situations where your product was installed after another on a particular system may well just about guarantee that, completely undermining your statistics. I could go on.

{QUOTE-> Yes it is - and we clearly state this in our EULA and privacy terms. <-QUOTE}
Hiding behind an EULA is hardly a professional defence, and in no way makes it right. I hope you are confident that you are complying with laws and respecting users' privacy, because it is you that will suffer if you're not.

{QUOTE-> The existence of a threat on a PC secured by that AV is proof that it is infected. <-QUOTE}
And it could also be written as "The existence of a threat on a PC secured by PrevX is proof that it is infected". My statement is as true as yours.

{QUOTE-> I'm surprised at the sudden "outrage" against these statistics... <-QUOTE}
... and that is the most worrying thing of all. A vendor who sees its own marketing as 'the truth' and is shocked at people's responses is a vendor about to lose credibility and trust.

All in all, this feigned altruism of yours is really nothing more than a marketing attempt to rubbish the competition. If you consider your tactics while you've got the chance, you might make decisions that prevent you marching into very deep, hot water when one or more of your competitors hits back hard, especially when those competitors have a lot more resources than you do. Would it not be better to focus on how good you believe your product to be (and I do happen to think you have a good product) rather than how bad your competition is?

Retadpuss
May 21st, 2009, 03:14 PM
{QUOTE-> :argh:

OK, I admit, I work for all the companies on the chart!!! Do me a favor...

I already explained, and very well, what the issue is, and I also gave constructive feedback on it.
I know my English isn't the best, but you can make a small effort and read it again... ;) <-QUOTE}
I'm sorry, I really don't see your point or understand the issue you have. I see some basic and true information clearly explained on a website and that's it.

Probably best to leave it at that.

PrevxHelp
May 21st, 2009, 03:40 PM
{QUOTE-> You are just playing word games. The same rubbishing of your own words is no more difficult for others to achieve, you know. <-QUOTE}

We try as best as we can to convey a humble tone when talking about our products - could you please let me know what words you are referring to so that we can modify them?

{QUOTE-> And so are many other statistics (based on real world data, that is). That doesn't make them right, and they are often - when they are used for marketing purposes, like yours, they are in fact nearly always - misleading. Intentionally so. It is how statistics are presented which gives them credibility and/or relevance, or conversely makes them as misleading as yours are. <-QUOTE}

This is a fair point, and we have spent considerable effort deciding how to portray our statistics. What do you suggest we do to improve the legitimacy of our statistics? To raise a point made earlier in the thread - showing the statistics alongside the size of the userbases is not an effective means of improving the legitimacy; rather, it obscures the data more. Currently we are showing raw data - literally the raw numbers of infections seen. If we were to take userbase size into consideration, it would obscure and pollute the statistics. For instance, let's say fictional company X has 4 users and two of them have infections which we detect on their machine. It would look like company X is terrible as 50% of their users are infected. Alternatively, our logic of showing the number of infections would show 2 infected PCs, which is far less fear inducing and more logical to interpret. Again, we aren't trying to put product A against product B, we're trying to put products A and B against the threats.

{QUOTE-> Witness users here, even, criticising your detection of many of the NirSoft utilities. <-QUOTE}

Very good point to bring up - on VirusTotal, most of the NirSoft utilities are found by more than 20 vendors. However, today, we have taken the most recent versions of the NirSoft utilities and are now not detecting them anymore, even though most AVs are, as they aren't malicious by themselves.

{QUOTE-> Also, just because your product sees the threat before another product does not necessarily mean the other product missed it: it may just be as simple as your product scanning the file(s) first. <-QUOTE}

I don't think this is the case. A majority of our users come to our website by searching for a filename which they found on their system where they suspect it is infected. They then download our scanner to detect the file - if the file was indeed blocked/cleaned by another AV, this would not be the case. Also, and most importantly, we focus on real threats, not dormant files on the disk. Therefore, for us to find a file, it either needs to be hidden by a rootkit, have the ability to load on the next bootup, or be active in the system currently. The reported results online come only from the on-demand scanner and do not include realtime results so in the event that Prevx 3.0 identifies a file before the user's other AV and that AV would still have blocked it, it would not be counted down.

{QUOTE-> I could go on. <-QUOTE}
If you could please elaborate on other potential problems, I would like to see if we have solutions for them in place already or if we can do anything to implement them.

{QUOTE->
Hiding behind an EULA is hardly a professional defence, and in no way makes it right. I hope you are confident that you are complying with laws and respecting users' privacy, because it is you that will suffer if you're not. <-QUOTE}

We have contracts with many large corporations where privacy is a top priority. All of our code and storage is in line with the latest data protection acts and we are fully compliant throughout.

{QUOTE->
And it could also be written as "The existence of a threat on a PC secured by PrevX is proof that it is infected". My statement is as true as yours. <-QUOTE}

Indeed that is true, assuming the threat is actually infecting the system as it would be in order for us to detect it. Scanning a malware collection of x thousand files does not count against the scores unless those samples were actually active in the system.

{QUOTE-> ... and that is the most worrying thing of all. A vendor who sees its own marketing as 'the truth' and is shocked at people's responses is a vendor about to lose credibility and trust. <-QUOTE}

The problem is that the data is true. We aren't obscuring it in any way and we are reporting exactly what we are seeing.

{QUOTE-> All in all, this feigned altruism of yours is really nothing more than a marketing attempt to rubbish the competition. If you consider your tactics while you've got the chance, you might make decisions that prevent you marching into very deep, hot water when one or more of your competitors hits back hard, especially when those competitors have a lot more resources than you do. Would it not be better to focus on how good you believe your product to be (and I do happen to think you have a good product) rather than how bad your competition is. <-QUOTE}

Thank you for the compliment, and I do not feel that we are trying to "rubbish the competition". Frankly, it is a great way to see what product works best alongside Prevx. We've always made a strong point that incremental protection is the best idea for security - we <recommend> using other vendors alongside us and we've explicitly developed our products to work alongside them. If we were trying to bash the competition, we would offer competitive upgrades and show a ranking of how terrible every AV is, rather, we're showing that AVs are missing threats which we would have blocked. You can keep using your AV, but why not put us alongside, knowing there is a tangible benefit in doing so?

funkydude
May 21st, 2009, 04:05 PM
Although I agree with you, and I'm on your side, this statement:

{QUOTE-> Frankly, it is a great way to see what product works best alongside Prevx. <-QUOTE}

...is flawed, as indicated by the fact the results are dependent on the number of users using antivirus X or Y.

Your statement is like saying, use whatever missed the least alongside Prevx, even though in all likelihood, the only indicator here is that a low number of people use antivirus X or Y alongside Prevx.

So to summarize, the statistics on the Home page are in no way an indicator of what works best with Prevx.

PrevxHelp
May 21st, 2009, 04:12 PM
{QUOTE-> Your statement is like saying, use whatever missed the least alongside Prevx, even though in all likelihood, the only indicator here is that a low number of people use antivirus X or Y alongside Prevx. <-QUOTE}

Actually I look at it in the opposite way - the products missing more threats would be better paired with Prevx as we cover more of the gap to hopefully reach as close as possible to 100%. Granted, the counts are affected by userbase but that is just because we see more data from more PCs using both products - the count is of the number of actual infections, not infected users.

bellgamin
May 21st, 2009, 04:34 PM
{QUOTE-> I can't see what the problem is. The chart makes perfect sense to me and is not misleading in any way. <-QUOTE}
I agree 100%. The chart is easy to understand, & certainly wouldn't mislead anyone who (a) finished at least 3rd grade & (b) doesn't have an ax to grind.

Security programs that claim to offer "Total Protection" are engaging in puffery. There is (as yet) NO "total" protection.

InfinityAz
May 21st, 2009, 04:43 PM
{QUOTE-> Yes, very true. We've reassessed the Nirsoft programs and are going to be reclassifying them as Good. In the end, anything in an operating system can be used maliciously and Nirsoft's aren't all THAT bad, comparatively speaking :) <-QUOTE}

Thanks, if you had not done this I would have understood but I appreciate that you were open-minded enough to reconsider how Prevx views Nirsoft utilities.

rdsu
May 21st, 2009, 04:55 PM
{QUOTE-> I agree 100%. The chart is easy to understand, & certainly wouldn't mislead anyone who (a) finished at least 3rd grade & (b) doesn't have an ax to grind.

Security programs that claim to offer "Total Protection" are engaging in puffery. There is (as yet) NO "total" protection. <-QUOTE}
It seems you have some problem understanding what others say, because of something that you already mentioned... ;)

PrevxHelp understands what I said, but didn't agree because he/she has a different opinion and/or works for Prevx, and I just have to accept that, except for his/her nonsense justification about what the others do or not...

simmikie
May 21st, 2009, 05:17 PM
sheesh. all of this back and forth. kinda makes me glad i'm not bright enough to perform this very thorough marketing analysis and articulating. i bought and use P3 because it works, and works better with less bother than any other AM, AV i have used. not because of its marketing prose/charts. silly me.


Mike

Pleonasm
May 21st, 2009, 05:38 PM
{QUOTE-> No protection is 100%, not us, not anyone and until we hear other vendors going around admitting that, we will have to continue to show the raw data about the threats to prove it is true. <-QUOTE}
PrevxHelp, I believe this is a classic “red herring.” No major security vendor of which I am aware claims that they offer “100% protection” against all threats. Therefore, the rationale for showing the raw data about “threats missed” is absent.

Contrary to your assertion, "McAfee Total Protection 2009" and "BitDefender Total Security 2009" do not claim to provide complete protection against all threats. The use of the word “total” in this context is obviously intended to mean “comprehensive” (i.e., including anti-virus, firewall, parental controls and backup capabilities). If you have evidence to the contrary, please do cite it.

No one other than an extremely naïve user would believe that any security product provides complete protection, whether or not the product overtly makes that claim. I really don’t think that Prevx needs to fight this fictitious battle.

{QUOTE-> What do you suggest we do to improve the legitimacy of our statistics? <-QUOTE}
PrevxHelp, I am glad you asked.

Add to the “Explain this chart” statements that (1) the “missed threats” statistics do not allow a reader to make an informed performance comparison between anti-virus vendors; that (2) Prevx also misses threats that the competition does not, to an extent that may be less, the same or more than others; (3) that the “missed threats” statistics are really “missed malicious files” and, as a consequence of the fact that a single malware infestation most likely encompasses multiple files, the malware risk is overstated; and (4) that no inferences may be made from these statistics, because they are not based on a random sample of the users of any of the companies.
Present the “missed threat” statistics by product (e.g., “Kaspersky Internet Security” or “Kaspersky Anti-Virus”) rather than by vendor (“Kaspersky”), since consumers use products and not “vendors.”
Report "missed threats" by the threat level (low, medium, high).
For each “missed threats” statistic reported, display the associated count of the number of PCs scanned.

I also recommend the display of a bit more humility. For example, edit the statement on your home webpage "Every day, popular security products are missing thousands of infections" to "Every day, popular security products -- including Prevx -- are missing thousands of infections."

Hopefully, you will find these recommendations to be beneficial.

{QUOTE-> The existence of a threat on a PC secured by that AV is proof that it is infected. <-QUOTE}
PrevxHelp, if a PC is protected by both Kaspersky Anti-Virus and ZoneAlarm firewall (for example) and Prevx detects a threat, then Prevx claims that Kaspersky has failed, even though the “fault” may reside with the firewall (i.e., with the intrusion prevention capability). Therefore, your logic appears suspect, unless the user is running an integrated security suite (e.g., “Kaspersky Internet Security”). Spm in post #4007 also notes other difficulties with your argument, too.

{QUOTE-> Hiding behind an EULA is hardly a professional defense <-QUOTE}
For more information about privacy considerations with Prevx, please see this thread (http://www.wilderssecurity.com/showthread.php?t=240084).

* * * * * * * * * * * * * * * * * * * *

PrevxHelp, if Prevx has absolutely no intention of modifying its perspective on the issue of the “missed threats” statistics on the company’s home webpage, please let us all know. We can "agree to disagree" and move on. Thank you.

trjam
May 21st, 2009, 05:44 PM
{QUOTE-> sheesh. all of this back and forth. kinda makes me glad i'm not bright enough to perform this very thorough marketing analysis and articulating. i bought and use P3 because it works, and works better with less bother than any other AM, AV i have used. not because of its marketing prose/charts. silly me.


Mike <-QUOTE}
And that my friend is really, all, that, matters.;)

m00nbl00d
May 21st, 2009, 05:52 PM
I do love this sort of situation... :D How so? Because, then, there I come in and reveal the true stage:

Quote from http://www.bitdefender.com/PRODUCT-2214-en--BitDefender-Total-Security-2009.html

{QUOTE-> BitDefender Total Security 2009 provides comprehensive proactive protection against all Internet security threats, along with system maintenance and backup, without slowing down your PCs. <-QUOTE}

For me "all" is the whole and not just the part.

The McAfee and CA products mentioned here do not state they protect against all threats. http://uk.mcafee.com/root/offer/default.asp?id=125035&affid=0&cid=0&lpname=offer%5F12503%2Easp&qty=1&pfid=&bburl=&rd_cd=

:D

Regards

trjam
May 21st, 2009, 05:53 PM
Lol, actually I think we covered this on page 12, or was it 23, or was it 36.:doubt:

Retadpuss
May 21st, 2009, 05:59 PM
Opinion is divided and I don't think there is any realistic chance of everyone being happy or us all finding common ground.

This has always been a constructive thread so let's just agree to disagree and move on.

Puss

PrevxHelp
May 21st, 2009, 06:29 PM
{QUOTE->
Contrary to your assertion, "McAfee Total Protection 2009" and "BitDefender Total Security 2009" do not claim to provide complete protection against all threats. The use of the word “total” in this context is obviously intended to mean “comprehensive” (i.e., including anti-virus, firewall, parental controls and backup capabilities). If you have evidence to the contrary, please do cite it.
<-QUOTE}

I disagree - if interpreted that way, it would be more accurate to have their product named "McAfee Multi-Component 2009". Kaspersky and other vendors take the much smarter and more legitimate approach by naming their product "Internet Security". If you walk up to a number of random, non-security oriented, people on the street and ask them if they want "Internet Security" or "Total Protection" and ask why, I suspect they are going to choose "Total Protection" far more often because they think it will provide... total protection, and to the average user, that means it is going to protect against everything. McAfee has the tagline:

"Easy-to-use, all-you-need, auto-updating PC and Internet security!" (http://home.mcafee.com/AdviceCenter/Default.aspx?id=ad_cybercrime_OnlineThreat2009)

Note: "all-you-need", so apparently the 3,717 infections they missed today which we found don't matter :-\. Clearly this line is furthering the deception of "Total Protection", and then ironically right next to it they have a virus removal service for-pay... shouldn't "Total Protection" have prevented any threats from entering? :-\

{QUOTE-> No one other than an extremely naïve user would believe that any security product provides complete protection, whether or not the product overtly makes that claim. I really don’t think that Prevx needs to fight this fictitious battle. <-QUOTE}

You would be surprised and you clearly haven't spent time in an antivirus customer support inbox ;) The volume of users coming in on a daily basis in shock as to why their existing security product let a threat in which we found is staggering. Users tend to not pay for ineffective solutions, which is why we sell a guaranteed cleanup service - something with tangible, immediate benefit. Most of our users buy that and then add on realtime protection to get all of the benefits. The average user doesn't go shopping around online and picking random new AVs just to try out unless they have a reason - which is most likely the suspicion of something going wrong with their computer. Additionally, we recommend that if they want added protection, they should layer their security with another product as well because no solution is perfect. I've personally written these messages dozens of times to customers and you'd be surprised how many people had no idea their antivirus software was fallible until it was "too late".

As for the opposite case where a user of Prevx would go to another vendor for help - they wouldn't and don't. We do get users coming in periodically complaining that we didn't fully remove an infection or that something got past. We then fix their computer by adding signatures, improving the engine, or assisting them remotely and if for some reason none of these succeed, we will issue a refund. I don't think we have ever been unsuccessful in cleaning a PC - the only time I'm aware of when this won't work is when it is taking far too long to clean the PC (usually 4+ hours is the cutoff). Contrast this with other vendors that charge per-incident and you can see why users get aggravated.

{QUOTE-> Add to the “Explain this chart” statements that (1) the “missed threats” statistics do not allow a reader to make an informed performance comparison between anti-virus vendors <-QUOTE}

We aren't trying to make a comparison and nowhere do we state that we are... should we also add a disclaimer that the statistics don't predict lottery numbers or cure infectious diseases?

{QUOTE-> that (2) Prevx also misses threats that the competition does not, to an extent that may be less, the same or more than others; <-QUOTE}

This can be inferred from "Current security products are failing..." We are failing as well, assuming that everyone's goal is to protect against 100% of threats and we are a current security product.

{QUOTE-> (3) that the “missed threats” statistics are really “missed malicious files” and, as a consequence of the fact that a single malware infestation most likely encompasses multiple files, the malware risk is overstated; <-QUOTE}

It is generally not - each component is almost always individually malicious, otherwise there would be no reason to detect it. We don't detect side-effect files like shortcuts/dropped data files as individually malicious so this is avoided. In most cases, you can take a component of an infection and place it on another system without the rest of the infection and it will work quite well by itself, so each component should be counted individually. Additionally, if we were to adjust the count to reflect this, then unless an infection's components - a combination of malicious files - were all completely removed, we would have to count it as missing the entire threat, so a single file trace would cause an entire threat to be counted as missed.

{QUOTE-> (4) that no inferences may be made from these statistics, because they are not based on a random sample of the users of any of the companies. <-QUOTE}

This can also be inferred: "found yesterday by Prevx products" - obviously Prevx products aren't installed on every PC in the world (yet ;)) so it would be illogical to expect this to be a perfect random sampling from a vendor.

{QUOTE->
Present the “missed threat” statistics by product (e.g., “Kaspersky Internet Security” or “Kaspersky Anti-Virus”) rather than by vendor (“Kaspersky”), since consumers use products and not “vendors.”
<-QUOTE}

There are more than 4,500 different antivirus vendor + product + version entries in our database which we "dilute" down to this list. At some point we have to cut it off and we can only display so much information at once. If the user is using a product by X AV company, they are expecting it to protect their system regardless of whether they are using the fanciest, most feature-full version. Therefore, if a threat exists on a system where a product from that company exists, we log it against the company because in the end, the company created that product to secure the user's PC and it didn't.

{QUOTE->
Report "missed threats" by the threat level (low, medium, high).
<-QUOTE}

The levels are dynamic and change depending on the number of users seeing an individual threat. We may be able to do this, but I suspect the overhead would be too great to re-query the current status of every threat found every time someone loaded the page.

{QUOTE->
For each “missed threats” statistic reported, display the associated count of the number of PCs scanned.
<-QUOTE}

This is falling outside the scope of the intent of the chart - the chart is made to show the number of threats found and is not made to interpret the data any further, otherwise we risk obscuring/polluting the data.

{QUOTE->
I also recommend the display of a bit more humility. For example, edit the statement on your home webpage "Every day, popular security products are missing thousands of infections" to "Every day, popular security products -- including Prevx -- are missing thousands of infections."
<-QUOTE}

We would do that, but it is redundant ;) "Every day, popular security products -- including a popular security product -- are missing thousands of infections." We don't exclude ourselves from the classification, otherwise we would be saying: "Every day, all other security products are missing thousands of infections".

{QUOTE->
PrevxHelp, if a PC is protected by both Kaspersky Anti-Virus and ZoneAlarm firewall (for example) and Prevx detects a threat, then Prevx claims that Kaspersky has failed, even though the “fault” may reside with the firewall (i.e., with the intrusion prevention capability). Therefore, your logic appears suspect, unless the user is running an integrated security suite (e.g., “Kaspersky Internet Security”). Spm in post #4007 also notes other difficulties with your argument, too.
<-QUOTE}

If the threat got past the firewall and past Kaspersky, then indeed it was Kaspersky which failed. If I lock my doors and a convict escapes from prison and breaks into my house, both the prison gates and my locked doors failed. If every user of X antivirus also uses Y firewall and Y firewall provides a tangible benefit to security, we would logically expect X antivirus' scores alone to be lower, so by not differentiating within the chart when X antivirus is the ONLY line of defense, we are improving the scores of X antivirus if the user is using other security products which caught threats that X antivirus missed.

{QUOTE->
PrevxHelp, if Prevx has absolutely no intention of modifying its perspective on the issue of the “missed threats” statistics on the company’s home webpage, please let us all know. We can "agree to disagree" and move on. Thank you. <-QUOTE}

We honestly consider every suggestion made, but we have yet to see an actual point in need of changing.

PatG
May 21st, 2009, 09:04 PM
{QUOTE-> yada-yada-yada
"yawn" <-QUOTE}

and double ditto....

MaxEntropy
May 21st, 2009, 10:45 PM
I very much appreciate the extra layer of protection that Prevx 3 provides on top of my conventional security suite. It's a first-rate security product that well deserves its recent accolade from PC Mag. So, I wouldn't align myself with Pleonasm et al, whose criticisms you've answered very patiently.

It is, however, fair to say that the current Prevx home page emphasizes negative points about other products. Three headings that stand out are "Current security products are failing", "Threats missed by other security vendors" and "Latest threats bypassed by other security vendors". In crude terms, it does look like you're trying to sell your product by slagging off your competitors.

The PC Mag award should encourage you to promote Prevx in a more positive way. You're not just filling holes in other firms' AV protection: your cloud-based protection may well be the only way to deal with the exponential growth of malware that is likely to overwhelm conventional signature-based AV protection within a few years. Prevx won't just protect your users today but for many years in the future.

Perhaps, then, it's not the individual companies that you should single out in your bar chart but the outdated technology that (I'm guessing) is common to all of them.

denis
May 22nd, 2009, 03:13 AM
False one, have a look, thanks
Prevx Scan Log - Version v3.0.1.65
Log Generated: 22/5/2009 08:57, Type: 1,8192
Windows XP Home Service Pack 3 (Build 2600) 32bit|1043
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 1, Pop: 1, Heu: 2 (Dir: 1)
Last Scan: Fri 2009-05-22 08:57:24 Romance (zomertijd). Number of Scans: 117. Last Scan Duration: 1 minute 55 seconds.
[B] c:\documents and settings\hoofdaccount\bureaublad\setupanydvd6553.exe [PX5: 9A5CBDD360AE1FEB107A48669C68BE008242765F] Malware Group: Medium Risk Malware

benton4
May 22nd, 2009, 03:15 AM
{QUOTE-> Lol, actually I think we covered this on page 12, or was it 23, or was it 36.:doubt: <-QUOTE}
Covered, uncovered, covered, uncovered.....it's that 'beating a dead horse' thing.
I wonder if those who wish to argue about silly things are the ones who are using the AVs that allow Prevx to shine?:shifty:
I use it, love it, and will promote it!!;D ;D ;D

PrevxHelp
May 22nd, 2009, 03:45 AM
{QUOTE-> false one, have look, thanks <-QUOTE}

Fixed :) Thanks!

PrevxHelp
May 22nd, 2009, 04:37 AM
{QUOTE-> Perhaps, then, it's not the individual companies that you should single out in your barchart but the outdated technology that (I'm guessing) is common to all of them. <-QUOTE}

I agree, although it is hard to convey a point to users if we don't describe it in non-technical terms and with the way we have it structured now, we are able to break down the actual data to support our claims.

Also, if anyone is bothered by the vendor graphs, feel free to visit this alternate version of our website:

http://www.prevx.com/default.asp?hidethetruth=y ;D

chronoboi001
May 22nd, 2009, 11:05 AM
{QUOTE-> http://www.prevx.com/default.asp?hidethetruth=y <-QUOTE}

-= Huh..? New website..?

chronoboi001
May 22nd, 2009, 11:06 AM
-= Eh..? What is this "others" in the graph..? Specifically what antiviruses..?

-= And by the way, please input the exact date instead of the word yesterday since global time differentials are a big factor for considering the updated status of the graph..

-= Moreover, the graph stated that Symantec did not detect Image.exe a.k.a. fxinstaller [Reference (http://www.threatexpert.com/files/fxstaller.exe.html)] though it was actually detected since 2003..?

PrevxHelp
May 22nd, 2009, 11:15 AM
{QUOTE-> -= Eh..? What is this "others" in the graph..? Specifically what antiviruses..? <-QUOTE}

Others is all of the others that aren't categorized under a unique vendor name. We have other vendors in the graph as well like Norman, Sophos, and a handful of others but they aren't popular enough to be shown alongside the others in the main graph and "Others" doesn't include these vendors.

{QUOTE-> -= And by the way, please input the exact date instead of the word yesterday since Global Time differentials is a big factor for considering the updated status of the graph.. <-QUOTE}

We update them at least once per day but it varies so there isn't an exact answer. Generally, they are updated around midnight London time (UTC).

{QUOTE-> -= Moreover, the graph stated that Symantec did not detect Image.exe a.k.a. fxinstaller [Reference (http://www.threatexpert.com/files/fxstaller.exe.html)] though it was actually detected since 2003..? <-QUOTE}

If you have an exact file of Image.exe which you are referencing I can analyze it for you, but I suspect this is a newer version using the same filename akin to the hundreds of svchost.exe infections and other popular infection names. Filenames are easy for users to understand at the surface level but are difficult to differentiate between when looking for specific data.

rolarocka
May 22nd, 2009, 11:53 AM
lol .....hidethetruth=y

Pleonasm
May 22nd, 2009, 11:59 AM
{QUOTE-> There are more than 4,500 different antivirus vendor + product + version entries in our database which we "dilute" down to this list. At some point we have to cut it off and we can only display so much information at once. <-QUOTE}
PrevxHelp, I appreciate the point. To allow interested members of this forum community to reach their own conclusions in a transparent manner, I am requesting a simple dataset containing the “threats missed by other security vendors” for a single day to better understand the threat landscape. Specifically, would Prevx be willing to publicly post a file (e.g., in CSV format) containing records with the following variables:


File Name (e.g., “PP10.EXE”)
Vendor (e.g., “Symantec”)
Vendor’s Security Product (e.g., “Norton Internet Security”)
Vendor’s Security Product Version (e.g., “16.5.0.134”)
Threat Level (e.g., low/medium/high, as classified on that day)
Malware Group (e.g., “worm,” “virus,” “adware,” etc.)
Times Seen (i.e., the count of the number of PCs scanned containing the malicious file name seen on that day, for the specified vendor’s security product)
Times Not Seen (i.e., the count of the number of PCs scanned on which the malicious file name was absent on that day, for the specified vendor’s security product)

Vendors should be limited to Avast, AVG, Avira, Eset, F-Secure, Kaspersky, McAfee, Microsoft, Panda, Symantec, and Trend (i.e., exclude “Other”).

Thank you for this consideration.

P.S.: Nice job on the “new website” (http://www.prevx.com/default.asp?hidethetruth=y)! :)

PrevxHelp
May 22nd, 2009, 12:29 PM
Hello,
While we appreciate the interest, it is unfeasible to fulfill every request for detailed information. We offer the data you have requested (and more) to partner antivirus companies, many of whom are on the list on the homepage, but we do not have a feed which is available for public display and we aren't considering dedicating the resources to create a feed like this. We have a lot to do to make our products as powerful as possible and it seems like a much better use of everyone's time if we focus on this (and I personally don't see the reason why this database would be helpful).

Pleonasm
May 22nd, 2009, 02:50 PM
{QUOTE-> I personally don't see the reason why this database would be helpful <-QUOTE}
PrevxHelp, the one day dataset could be used to probe many questions that have arisen on this forum, including:


Do security suites (e.g., Kaspersky Internet Security) miss fewer threats than component solutions (e.g., Kaspersky Anti-Virus)?
Are there differences among anti-virus vendors in the number of “high risk” threats missed?
To what extent are the same threats missed by multiple anti-virus vendors?
How many users with “missed threats” are running an out-of-date version of an anti-virus vendor's product (i.e., not the most recent version)?
How do anti-virus vendors differ with respect to the mean number of threats missed (i.e., total threats missed divided by total PCs scanned)?

Wouldn’t making this data available contribute to your mission of promoting the fact that no one security solution provides “total protection”? If you’re already selecting and organizing the “missed threats” data to share with other anti-virus companies, then isn’t this request simply a subset of what is already being done? Note that a continuous daily feed isn’t being requested – just data for a single day.

Alternatively, if Prevx isn’t willing to provide the data, are you willing to accept requests for specific, well-formulated analyses of the data and then post the results of those queries?

PrevxHelp
May 22nd, 2009, 03:30 PM
{QUOTE->
Wouldn’t making this data available contribute to your mission of promoting the fact that no one security solution provides “total protection”? <-QUOTE}

I believe we have already proven this and that it is common knowledge amongst users who would understand the analyzed snapshot of data so we'd be "preaching to the choir" rather than providing any tangible benefit to general user knowledge.

{QUOTE-> Do security suites (e.g., Kaspersky Internet Security) miss fewer threats than component solutions (e.g., Kaspersky Anti-Virus)? <-QUOTE}

This would logically be true, assuming each component is designed to protect against different threats than other components so I'm not sure what additional knowledge would be gained by splitting the numbers. We don't detect hack attempts which a firewall would block and we don't look for spam which an antispam product would have found. We are looking directly at the anti-malware components of the suites which should be identical to the separate antivirus/antimalware components. The only time when this would be different would be, for example, in the case of an antispam component of a security suite blocking an infection from entering via an email but had that infection entered from other means, it would have never been interrogated by the antispam engine so differentiating between security suites and individual products focuses more on individual infection vector rather than the threat itself. If there was a crucial piece of technology to prevent malware in the suite, the company would logically put it in the antimalware offering - firewalls, antispam, antiphishing, parental controls, data backup, etc. are all additional features for different means.

{QUOTE-> Are there differences among anti-virus vendors in the number of “high risk” threats missed? <-QUOTE}

The risk level is highly subjective so we are unsure of the breakdown with these statistics and I doubt it would be useful anyway. Is a mass mailing worm which does nothing else more of a risk than an identity stealing application? Threat severity is a difficult area to measure and we're constantly changing the logic behind it so I wouldn't consider this a key aspect of the detection.

{QUOTE-> How many users with “missed threats” are running an out-of-date version of an anti-virus vendor's product (i.e., not the most recent version)? <-QUOTE}

This argument is non-relevant in that each new version of software should not invalidate previous versions. Just because a company releases a new product does not mean that users using the previous version of the product should be unprotected against today's threats. Regardless of the software version being used, the user is relying on their security solution to protect them and the presence of an infection proves that it has failed. If the model of the antivirus company prevents users from updating frequently enough to detect new threats then it is the antivirus company who is conceptually at fault, not the product version.

{QUOTE-> How do anti-virus vendors differ with respect to the mean number of threats missed (i.e., total threats missed divided by total PCs scanned)? <-QUOTE}

This figure is also meaningless because we aren't trying to sell our software to users who are perfectly protected already. If a user is coming to the Prevx website, they are not looking to remove their current security if it is working properly and hasn't failed them - they're either looking to add some additional layer of protection or to fix a threat which got past. Therefore, the number of clean PCs versus infected PCs is skewed because of the intent of the users coming to our website - a far-higher-than-normal percentage of users trying our products are indeed infected so the statistics would be unfairly skewed when compared to the normal population of users. We had these statistics on the charts ages ago and had a number of complaints because people thought we were fabricating them :-\

{QUOTE-> Alternatively, if Prevx isn’t willing to provide the data, are you willing to accept requests for specific, well-formulated analyses of the data and then post the results of those queries? <-QUOTE}

Currently we are only providing the samples to other vendors and are not interested in expending any further resources for this analysis being that the point of the charts is to show the individual infections, not to interrogate individual product versions or pollute their purpose with unnecessary additional data. We offer the charts and underlying data as-is and users should be able to take that and draw their own conclusions. As the title suggests: "Threats missed by other security vendors" is indeed what the charts show and we aren't trying to make any grander assumptions from that data.

dclkdm
May 22nd, 2009, 05:17 PM
Is it already possible to use Prevx in combination with McAfee again?

PrevxHelp
May 22nd, 2009, 08:02 PM
{QUOTE-> My interpretation of "Threats missed by other security vendors" on the Prevx home-page is that you simply cannot rely on black-listing technology alone.

Prevx will not be able to detect thousands of threats that Comodo AV etc detects and vice versa. By the way, interesting that Comodo isn't in that list. I suppose CIS has a classical HIPS, and anyone using that will just about never get infected haha!

That is actually really useful of Prevx to show malware that other vendors have missed. I wonder if those vendors can make use of it and add the undetected malware into their database faster? <-QUOTE}

Exactly :) Regarding Comodo - we only look at the product registered in the "antivirus" category in the security center so if they aren't registering themselves there, we wouldn't see them (and if they do, they might just not have enough users to be added into the main lists).

We have given a number of other AV vendors access to the data/samples and they use our lists of missed samples on a daily basis to add the new detections as quickly as possible :)

PrevxHelp
May 22nd, 2009, 08:03 PM
{QUOTE-> Is it already possible to use Prevx in combination with McAfee again. <-QUOTE}

We have been unable to reproduce the problems in-house and now we have had a large drop-off in the number of complaints so they may have solved it on their end. If you have a few CPU cycles and a bit of free time, it may be worth trying it again to see if they corrected it behind the scenes :)

Page42
May 22nd, 2009, 08:15 PM
New Prevx Edge user here. :) Really nice software, btw. And very "quiet" on my machines, even with heuristics set at maximum.

If I could submit one small suggestion for the GUI... when right-clicking the Prevx icon in the systray, it would be nice if one of the resulting menu selections was the System Status page. That's where I like to start from. As it is now, I select Configure Protection and then Status.

Told you it wasn't a big deal! :)

Triple Helix
May 22nd, 2009, 08:18 PM
{QUOTE-> New Prevx Edge user here. :) Really nice software, btw. And very "quiet" on my machines, even with heuristics set at maximum.

If I could submit one small suggestion for the GUI... when right-clicking the Prevx icon in the systray, it would be nice if one of the resulting menu selections was the System Status page. That's where I like to start from. As it is now, I select Configure Protection and then Status.

Told you it wasn't a big deal! :) <-QUOTE}

Just double click on the icon!

HTH,

TH

Page42
May 22nd, 2009, 08:32 PM
{QUOTE-> Just double click on the icon!
HTH <-QUOTE}
Absolutely that helps! Thanks for the heads up. Boy do I feel dumb. ;)

Triple Helix
May 22nd, 2009, 08:51 PM
{QUOTE-> Absolutely that helps! Thanks for the heads up. Boy do I feel dumb. ;) <-QUOTE}

Hey that's OK, good thing I didn't say double left clicking LOL:argh:

TH

chronoboi001
May 23rd, 2009, 03:02 AM
{QUOTE-> Others is all of the others that aren't categorized under a unique vendor name. We have other vendors in the graph as well like Norman, Sophos, and a handful of others but they aren't popular enough to be shown alongside the others in the main graph and "Others" doesn't include these vendors. <-QUOTE}

-= How is it possible that you could actually fit 2 or more antiviruses in one entry..???? It could be possible ONLY if all those antiviruses in the category of OTHERS have the same database of threats..

-= As far as what I am seeing now, the graph seems to be inaccurate and the flaw gives me a doubt towards the rest of the categories..

-= And I would like Prevx to consider Pleonasm's recommendation to give a more ACCURATE explanation of the graph by filling in the information about each AV..

{QUOTE-> This argument is non-relevant in that each new version of software should not invalidate previous versions. Just because a company releases a new product does not mean that users using the previous version of the product should be unprotected against today's threats. Regardless of the software version being used, the user is relying on their security solution to protect them and the presence of an infection proves that it has failed. If the model of the antivirus company prevents users from updating frequently enough to detect new threats then it is the antivirus company who is conceptually at fault, not the product version. <-QUOTE}

-= Previous versions lack features that the most recent have.. This could certainly affect the result.. So, in that case, you may say that since previous versions aren't a factor, your graph may actually display a comparison of Avast 3, Avira 7, Kaspersky 2008 and PrevX 3..? Every product should be considered fairly.. The most recent one will have a higher percentage of advantage compared to the out-of-date ones & will surely make an INACCURATE database..:thumbd:

PrevxHelp
May 23rd, 2009, 05:09 AM
{QUOTE-> -= How is it possible that you could actually fit 2 or more antiviruses in one entry..???? It could be possible ONLY if all those antiviruses in the category of OTHERS have the same database of threats.. <-QUOTE}

I'm not sure I understand what you're saying - we can't possibly have a list of 4,500+ programs/versions on the homepage so we have to group the less-popular vendors together :)

{QUOTE->
-= As far as what I am seeing now, the graph seems to be inaccurate and the flaw gives me a doubt towards the rest of the categories.. <-QUOTE}

I still do not see how it is inaccurate or flawed - can you please elaborate?

{QUOTE->
-= And I would like Prevx to consider Pleonasm's recommendation to give a more ACCURATE explanation of the graph by filling in the information about each AV.. <-QUOTE}

This is beyond the scope and intention of the graph and I've explained it quite a few times in previous responses to Pleonasm.

{QUOTE->
-= Previous versions lack features than the most recent have.. This could certainly affect the result.. So, in that case, you may say that since previous versions aren't a factor, your graph may actually display a comparison of Avast 3, Avira 7 Kaspersky 2008 and PrevX 3..? Every product should be considered fairly.. The most recent one will have more percent of advantage compared to the out-of-date ones & will surely make an INACCURATE database..:thumbd: <-QUOTE}

So what you're saying is that if x antivirus company releases a new version, all other versions are ineffective? If I'm a paying user and have paid for a year of upgrades, I will have to then also buy the new software, every time they release a new version? In that case, AV companies should release a new version every week and require everyone to buy it fresh as the older versions are useless.

Also, if I'm the average home user, I'm clearly going to have to join a forum and spend hours a day keeping up with what antivirus company releases what new products/features... ???

Security software should be silent and I'm surprised this mentality of "only the newest is valid to compare" is around at all. If an AV requires a new feature to improve protection, the antivirus company should release it as an update to existing customers unless it is literally a completely different product but in that case, they should offer a free upgrade if it is a critical update to continue protecting against new threats. We've done this with Prevx2 and Prevx1 - if you are using either of them you can get a completely free upgrade to Prevx3. Why? Because you purchased our software to secure your computer and we weren't able to back-port all of the new protection so rather than try and squeeze in the protection into the previous version, we give you the new one for free (and we have shown a message to all existing Prevx2 users to upgrade to Prevx3).

When a user purchases an AV, they don't purchase protection against yesterday's threats up to the day that they bought the AV - they are purchasing a subscription for updates and it is the frequency of updates and conceptually flawed design which requires the clients to download updates which is causing AVs to fail to detect new threats, not that there is a new version out which can also fold your laundry and reprogram your DVD player while making lunch and driving your kids to soccer practice.

chronoboi001
May 23rd, 2009, 07:42 AM
{QUOTE-> I'm not sure I understand what you're saying - we can't possibly have a list of 4,500+ programs/versions on the homepage so we have to group the less-popular vendors together <-QUOTE}

-= You just said: "but they aren't popular enough to be shown alongside the others in the main graph", therefore do what you say, exclude them.. In fact, it is better to do that than to make false statistics about the "Other" AVs, since grouping them together simply puts down the other AVs who did not actually miss the particular threat..

{QUOTE-> In that case, AV companies should release a new version every week and require everyone to buy it fresh as the older versions are useless. <-QUOTE}

-= You are again playing word games by exaggerating such information.. There aren't any AVs that develop newer versions every week.. That's why they are named as X Antivirus 2009, Y Security Suite 2009.. They are released yearly..

{QUOTE-> So what you're saying is that if x antivirus company releases a new version, all other versions are ineffective? <-QUOTE}

-= Playing another word game to exaggerate the thought.. I stressed about the lack of features [mainly engine updates] meaning, less feature, less percentage of detection.. I did not say "NO DETECTION" for you to say that they were ineffective..

{QUOTE-> Security software should be silent and I'm surprised this mentality of "only the newest is valid to compare" is around at all. If an AV requires a new feature to improve protection, the antivirus company should release it as an update to existing customers <-QUOTE}

-= They do, that's why they have update servers and that's why most AVs have a need to reboot after a certain update since those updates are not just mere detection signatures but for AV system updates.. For example updating from 3.09 to 3.1

{QUOTE-> If an AV requires a new feature to improve protection, the antivirus company should release it as an update to existing customers unless it is literally a completely different product but in that case, they should offer a free upgrade if it is a critical update to continue protecting against new threats. We've done this with Prevx2 and Prevx1 - if you are using either of them you can get a completely free upgrade to Prevx3 <-QUOTE}

-= Still, if you analyze the thought, you are no different from those paid subscription AVs who release AVs annually.. Why..? You also have a Yearly subscription license, the only difference is that the new editions aren't just released in a fixed "every new year".. Henceforth, if a year-long PrevX license expires, you have to buy a new one, same to buying a new annually released AV.. Therefore, no difference between your free AV upgrade and the annual licensed-released AVs..
http://www.prevx.com/buyoptions.asp

Dwarden
May 23rd, 2009, 10:14 AM
I'm not here to bash PrevX or their stats but I think the values in the stats are extremely 'wrong' due to the huge number of false positives ...

let's just look at the analysis of an example system scanned today with PrevX 3.0.1.65

- all sandbox scanners report clean, all online scanner AV services the same, all online malware services the same, all threat monitors the same


false positives classified as High Risk:
fsum.exe
- from Slavasoft, http://www.slavasoft.com/fsum/
CRC32: 7634C61E
MD5: 8E685166C1EBA689E35967EE1E430F93
SHA-1: 7C414FDC9F3AFD80ED3C56AA250E1758A9142F8B

false positives classified as Medium Risk:
archpr.exe
CRC32: 52993105
MD5: 24E7161BA890C85371475A16ABD9A985
SHA-1: B5440074B8F17265F134C2D0039CC9672A56DF73

- from Elcomsoft, http://www.elcomsoft.com/products.html
- archive password recovery installed via valid install
- system contains valid uninstall keys and startmenu/icons which are unmasked thus 99% chance installed by owner
- there is even Infected Entry for normal shortcut
advance archive password recovery.LNK

vfind.exe
CRC32: 6BD964E1
MD5: 0E64A620DF8B48A9388EEB7114D9368D
SHA-1: BE09D612E941997DDBCC1D988DECB93987D0E6EC
- file associated with Combofix! , http://www.combofix.org/
just an example of the threat listing for this file
{QUOTE->
Total number of reports analysed 492,381
Number of cases that involved the file "vfind.exe" 18
Number of incidents when this file was found to be a threat 0
Statistical volume of cases when "vfind.exe" was a threat 0%
<-QUOTE}

everest_icons.dll
CRC32: C1ABB74C
MD5: 930D3E9A79B82856D187F5631CC7F1F2
SHA-1: 7EA22BB608616F11BDE42E50D406EB87544038D2

everest_xpicons.dll
CRC32: BA505F92
MD5: E90918AC4447B27E3AB7C3A3194CFAF0
SHA-1: B5D4D4A90C5D979C8AA663D7964F0ACE3A6095D5

- files from beta of Everest Ultimate , http://www.lavalys.com/products.php?ps=UE&lang=en&page=9

r_server.exe
CRC32: 631588FC
MD5: 6A413E4D338FB13E58916E3B8051DBBD
SHA-1: E351AF195E910C1E49A5BFA9A39B88F40F5C1582
- from Remote Administrator 2.1, archaic program btw.
- system contains valid uninstall keys and startmenu/icons which are unmasked thus 99% chance installed by owner
- there is even Infected Entry for normal shortcuts
Settings for Remote Administrator server.LNK
start remote administrator server.lnk
stop remote administrator server.lnk


uninstsw.exe
CRC32: 95057A82
MD5: 731727B1357CE4E527391CB2AC4BEDDE
SHA-1: BD74BC585302BB08875A15855EBD1B7717EA9DF5
some uninstaller from a very old program


from my quick look on the PrevX detection it seems that most or all false positives are based on the filename / path or who knows what detection method ...

also the worst example is
several of these files (maybe all) I reported in v2 (maybe v1) several times
and at some i was informed by PrevX staff that the false positive will be removed ...

so much for statistics and results ...
it's all relative and need to be taken with grain of salt

so when you apply this example, from my point of view, to these stats
then according to PrevX these samples now missed by my other security products are 100% bogus and false positives thus the stats are 100% bogus and false :)
of course that's not true and this is just extreme situation but i believe the FP rate on PrevX (after seeing hundreds of various computer results) is very high (not 1% like claimed by some staff around)

but this is just my personal experience and this may vary ...

so ...
anyone from PrevX wanna shine some light on why so many FPs happen at all?

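The report above identifies each flagged file by its CRC32, MD5 and SHA-1 rather than by name, which is the right way to settle a false-positive question: a detection keyed on a filename says nothing about the bytes, and the same name can carry different content in two locations. The following Python helper is an added example (it is not code from the forum, from Prevx or from any vendor named here) that computes the same three digests a publisher typically documents and checks them against a reference table. The file paths, file contents and the reference table are constructed for the example; the reference entry uses the well-known test-vector digests of the three bytes "abc".

```python
import hashlib
import io
import ntpath
import zlib

# Reference digests as a publisher would document them for a known-good build.
# CONSTRUCTED for this example: the entry describes the bytes b"abc", whose
# MD5 and SHA-1 are standard test vectors. A real table would hold the
# publisher's own published hashes.
PUBLISHED_HASHES = {
    "tool_ok.exe": {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    },
}

# Sample files "found" on a scanned system, constructed inline so this runs offline.
# Two files share a name but not content; the third has no reference at all.
SAMPLE_FILES = [
    ("C:\\Tools\\tool_ok.exe", b"abc"),        # genuine copy of the documented build
    ("C:\\Temp\\tool_ok.exe", b"abd"),         # same name, different bytes
    ("C:\\Old\\uninstaller.exe", b"legacy"),   # nothing published to compare against
]


def digests(data: bytes) -> dict:
    """Return CRC32 (8 upper-case hex digits, the usual display form), MD5 and SHA-1."""
    return {
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def digests_from_stream(stream, chunk_size: int = 65536) -> dict:
    """Same result as digests(), but computed in chunks so large binaries need not be read whole."""
    crc = 0
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        crc = zlib.crc32(chunk, crc)   # running CRC: feed the previous value back in
        md5.update(chunk)
        sha1.update(chunk)
    return {
        "crc32": "%08X" % (crc & 0xFFFFFFFF),
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
    }


def classify(path: str, data: bytes, reference=PUBLISHED_HASHES) -> str:
    """Compare a file's digests with the published ones for its filename.

    "hash-match"    - every published digest agrees: this is the documented build
    "hash-mismatch" - a reference exists for the name but the bytes differ:
                      the name alone proves nothing, treat as an unknown file
    "no-reference"  - nothing to compare against; hashes must be checked another way
    """
    name = ntpath.basename(path).lower()   # Windows-style path handling, independent of host OS
    ref = reference.get(name)
    if ref is None:
        return "no-reference"
    actual = digests(data)
    if all(actual[alg] == value.lower() for alg, value in ref.items()):
        return "hash-match"
    return "hash-mismatch"


def triage(files, reference=PUBLISHED_HASHES) -> dict:
    """Classify every (path, bytes) pair; returns {path: verdict}."""
    return {path: classify(path, data, reference) for path, data in files}


if __name__ == "__main__":
    for path, data in SAMPLE_FILES:
        d = digests(data)
        print(f"{path}: {classify(path, data)}  CRC32={d['crc32']} MD5={d['md5']} SHA-1={d['sha1']}")
```

The verdicts are deliberately conservative: a mismatch is not a detection, only evidence that the file is not the one the publisher documented, which is exactly the distinction a vendor's dispute process needs before a report can be confirmed or dismissed as a false positive.
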
Thorz
May 23rd, 2009, 11:21 AM
{QUOTE-> Can I just clarify regarding Prevx. If you have no internet connection (say your ISP goes down for a few hours etc), is it true that Prevx has no way of obtaining its black-listing database? <-QUOTE}

I would also like to see an answer to this. Especially for on-the-road laptop users who are not always online.

Thank you.

Pleonasm
May 23rd, 2009, 01:05 PM
{QUOTE-> Q: Do security suites (e.g., Kaspersky Internet Security) miss fewer threats than component solutions (e.g., Kaspersky Anti-Virus)?

A: This would logically be true, assuming each component is designed to protect against different threats than other components so I'm not sure what additional knowledge would be gained by splitting the numbers. <-QUOTE}
PrevxHelp, in that case, it is misleading to display the “missed threats” statistics by vendor rather than by vendors’ products, since the risk that Prevx is supposedly protecting against would be less (or negligible) for users of security suites. Shouldn't users have that information available so that they can make their own independent and informed decisions about the degree of incremental protection (if any) afforded by the adoption of Prevx? I believe that Prevx is afraid of disclosing the information that I have requested, for fear that it would reduce the perceived need for its product.

There are not many products per vendor, and so the argument that it would make the charts “too confusing” does not have merit, in my opinion.

{QUOTE-> Q: How many users with “missed threats” are running an out-of-date version of an anti-virus vendor's product (i.e., not the most recent version)?

A: This argument is non-relevant in that each new version of software should not invalidate previous versions. <-QUOTE}
PrevxHelp, the issue is not that a new version “invalidates” a previous version of a security product. If the “missed threats” statistics showed, for example, that users with out-of-date versions of Kaspersky Anti-Virus were at considerably more risk than those with the up-to-date version, then the obvious conclusion would be to update the Kaspersky tool rather than to buy Prevx. I believe this is why Prevx is afraid of disclosing the information that I have requested.

While there are many versions for each vendor’s product, the simple way to display the data would be to classify the “missed threats” in a binary manner (i.e., “up-to-date version” and “not up-to-date version”). Thus, the argument that it would make the charts “too confusing” does not have merit, in my opinion.

{QUOTE-> As the title suggests: "Threats missed by other security vendors" is indeed what the charts show and we aren't trying to make any grander assumptions from that data. <-QUOTE}
PrevxHelp, your statement is technically true: you are not making errors of commission. As has been suggested in this forum by myself and by other individuals, however, you may be making errors of omission.

Prevx has plainly demonstrated that it has no interest in reducing the possible misinterpretation of the “missed threats” statistics through the addition of simple, clarifying statements to the “Explain this chart” section on its home webpage. As a consequence, Prevx is complacent in perpetuating confusion, in my opinion. This is especially unfortunate, since the product could be effectively marketed through a professional description of its technological features and benefits, as is done by other security vendors. I wonder why Prevx is so hesitant to increase the likelihood that its "missed threats" statistics are properly interpreted.

PrevxHelp
May 23rd, 2009, 06:29 PM
{QUOTE-> i'm not here to bash PrevX or theirs stats but i think the values in stats are extremely 'wrong' due to huge number of false positives ...
false positives classified as High Risk: <-QUOTE}

Hello,
I've corrected each of the false positives and in total, all of them combined have only been seen by about 200 users so over the course of the last months that they have been falsely determined, they have only accounted for 200 detections and the vendor charts on the homepage are on a per-day basis so they accounted for less than 1/1000th of the detections today.

{QUOTE-> from my quick look on the PrevX detection it seems that most or all false positives are based on the filename / path or who knows what detection method ... <-QUOTE}

They aren't - the false positives are because many of these files exhibit semi-questionable behavior, and some of them contain similar structure to known threats. Regarding r_server.exe, that file is very commonly used by malware to remotely access the system and is found by 22/40 vendors on VirusTotal but we are reassessing it and for now we have marked it Safe.


{QUOTE-> also the worst example is
several of these files (maybe all) i reported in v2 (maybe v1) several times
and at some i was informed by PrevX staff that the false positive will be removed ... <-QUOTE}

I'm not sure why these weren't fixed before, but they are all quite low volume in comparison to other threats. For example, one of the false positives was triggered by a detection for Vundo which has caught 26,831 Vundo infections on 59,223 computers and has caught this file on accident. I checked through the other detections and indeed this appears to be the only false positive... not a bad trade off when you look at the whole picture.


{QUOTE->
of course that's not true and this is just extreme situation but i believe the FP rate on PrevX (after seeing hundreds of various computer results) is very high (not 1% like claimed by some staff around) <-QUOTE}

I strongly disagree, otherwise we would be completely out of business. If you put your reported FPs into perspective of our entire userbase, they represent 6 (or 7) files out of literally billions of files seen by millions of users, out of tens of millions of legitimate malicious detections. If we actually had a 1% false positive rate, we would have to produce thousands of false positives per day and the files you submitted have produced a little under 200 false positives in two years.

{QUOTE-> anyone from PrevX wanna shine some light on this why so many FPs happens at all ? <-QUOTE}

Indeed we try and avoid false positives at all possible measures, but when a file has only been seen on a few PCs and contains suspicious behavior, we tend to scrutinize it harshly. FPs are inherent in any heuristic-based system but I think we are well within the acceptable range.

PrevxHelp
May 23rd, 2009, 06:31 PM
{QUOTE-> Can I just clarify regarding Prevx. If you have no internet connection (say your ISP goes down for a few hours etc), is it true that Prevx has no way of obtaining its black-listing database? <-QUOTE}

This is correct (except that the database isn't blacklisting ;) Blacklisting is only a very small portion of the database :))

However, when offline, it is impossible for any other AV to update as well so you would be vulnerable using a standard signature model if a new threat was just released - but - it would be extremely difficult for that threat to actually affect you if you are indeed offline: you would have to actually get a brand new threat via USB key which someone would physically give you. You can either circumvent this by disabling autorun or wait a few weeks and we will have new technology implemented for localized USB malware protection when offline :)

PrevxHelp
May 23rd, 2009, 06:38 PM
{QUOTE-> -= You just said: "but they aren't popular enough to be shown alongside the others in the main graph" therefore do what you say, exclude them.. In fact, it is better to do it that than make false statistics about the "Other" AVs for since, grouping them together simply put down the other AVs who do not actually missed the particular threat.. <-QUOTE}

This is standard practice in graphs - when there isn't enough data for each item, they are grouped together, although I do understand what you mean, I think removing the "Other" category will cause a number of people to say: "why isn't X av included"? We avoid these questions by showing the other category as an encapsulation for the other products.

{QUOTE->
-= You are again, playing with word games, by exaggerating such information.. There aren't any AV that develop newer versions every week.. That's why they are named as X Antivirus 2009, Y Security Suite 2009.. They are released yearly.. <-QUOTE}

I was being hypothetical :) Yearly or weekly doesn't make a difference to the average home user, who would much rather completely forget about the product. If I purchase X Antivirus 2009 the day before X Antivirus 2010 comes out, did I just waste my money?

{QUOTE->
-= Playing another word game to exaggerate the thought.. I stressed about the lack of features [mainly engine updates] meaning, less feature, less percentage of detection.. I did not say "NO DETECTION" for you to say that they were ineffective.. <-QUOTE}

I see no reason why an antivirus company would not want to back-port their engine updates. It is in their best interest to protect their customers, otherwise if a threat gets through, there would be absolutely no way that the customer would ever upgrade. Therefore, if the customer is using the 2009 version and the AV company releases the 2010 product with some new protection module that blocks an additional 1% of threats, they will logically release it into the 2009 version as well to protect their existing customers to get the upgrade payment.

{QUOTE->
-= Still, if you analyze the thought, you are no different from those paid subscription AVs who release AVs annually.. Why..? You also have a Yearly subscription license, the only difference is that the new editions aren't just released in a fixed "every new year".. Henceforth, if a year-long PrevX license expires, you have to buy a new one, same to buying a new annually released AV.. Therefore, no difference between your free AV upgrade and the annual licensed-released AVs..
http://www.prevx.com/buyoptions.asp <-QUOTE}

We have the same subscription model as other AVs, but we provide the software updates which improve protection to previous users as well without charging. Users renewing their subscription don't have to re-purchase the entire fee, they are given a discount (and you can purchase multi-year licenses at a further discount as well).

PrevxHelp
May 23rd, 2009, 06:58 PM
{QUOTE-> PrevxHelp, in that case, it is misleading to display the “missed threats” statistics by vendor rather than by vendors’ products, since the risk that Prevx is supposedly protecting against would be less (or negligible) for users of security suites. Shouldn't users have that information available so that they can make their own independent and informed decisions about the degree of incremental protection (if any) afforded by the adoption of Prevx? I believe that Prevx is afraid of disclosing the information that I have requested, for fear that it would reduce the perceived need for its product.

There are not many products per vendor, and so the argument that it would make the charts “too confusing” does not have merit, in my opinion. <-QUOTE}

I believe you misunderstood my point - the use of an internet security suite doesn't provide any additional protection if the threat comes by a different means that the security suite doesn't protect against. If a threat comes in via a spam email, the suite may block it but if that same threat comes in via a USB key, the antimalware module would have to be used to block it.

If a user doesn't want the additional antispam/parental controls/backup/etc. features there should be no need to purchase an internet security suite as it wouldn't provide any additional protection against malware, which is what we are testing.

{QUOTE-> PrevxHelp, the issue is not that a new version “invalidates” a previous version of a security product. If the “missed threats” statistics showed, for example, that users with out-of-date versions of Kaspersky Anti-Virus were at considerably more risk than those with the up-to-date version, then the obvious conclusion would be to update the Kaspersky tool rather than to buy Prevx. I believe this is why Prevx is afraid of disclosing the information that I have requested. <-QUOTE}

The fact is that the instant that a user of a conventional AV downloads an update, their protection is out of date. There is simply no way to determine that an AV is "up to date" because the signature model is completely reactive. If the user is indeed out of date relative to the other users of that product, then the question remains as: WHY?! An antivirus program should be self managing and self updating automatically. The user shouldn't have to click "Update" every 10 minutes to get a new update, it should happen in the background. If for some reason masses of users are not updating to the newest signatures, I believe the antivirus companies should be extremely worried as it would outline a critical flaw in their updating which would make their model 100% ineffective, rather than just mostly ineffective. If it is malware doing the job behind the scenes preventing the AVs from updating, then I believe we have uncovered an even worse problem ;)

We are not afraid of disclosing this information, but I think the other vendors might be afraid of it :)

{QUOTE-> While there are many versions for each vendor’s product, the simply way to display the data would be to classify the “missed threats” in a binary manner (i.e., “up-to-date version” and “not up-to-date version”). Thus, the argument that it would make the charts “too confusion” does not have merit, in my opinion. <-QUOTE}

See my previous comment about the concept of being up to date.

{QUOTE->
Prevx has plainly demonstrated that it has no interest in reducing the possible misinterpretation of the “missed threats” statistics through the addition of simple, clarifying statements to the “Explain this chart” section on its home webpage. As a consequence, Prevx is complacent in perpetuating confusion, in my opinion. This is especially unfortunate, since the product could be effectively marketed through a professional description of its technological features and benefits, as is done by other security vendors. I wonder why Prevx is so hesitant to increase the likelihood that its "missed threats" statistics are properly interpreted. <-QUOTE}

Frankly, your posts and a very small number of other members of this forum are the only ones who have ever criticized the statistics. We have had no complaints into our customer service inbox and everyone we describe the charts to immediately understands our intentions. Even at the RSA conference, we showed the statistics to hundreds of people, many of whom were IT professionals looking to secure their corporate networks, and they understood exactly what we meant, many of them congratulating us on debunking the myth that AV protection is effective, as they experience its flaws first hand on a day-to-day basis. The most common question was: "Can I see what threats were missed by these vendors?" And the answer to that is - "Yes, click the bar in the chart and it elaborates on the information by listing a summary of the threats found and the breakdown of each type."

Other vendors, many of whom are listed on the chart itself, are receiving the samples every day and adding the detections in their own products. We look to close the gap between the time the threat is released and the time conventional AVs find the threat so we have absolutely no problem giving this data to our competitors as we know our solutions are effective and that distributing the samples can only help reduce the volume of garbage which the malware authors create.

PrevxHelp
May 23rd, 2009, 07:36 PM
{QUOTE-> So what does the majority of the database consist of if it's not based on the black-listing concept?

For example, I consider heuristics to be a type of black-listing too. Even behaviour blockers employ the black-listing concept. That's why they can never practically be 100% in the real world (or even come close to it). Am I missing something here or have I interpreted something wrongly here? Thanks for clarifying. <-QUOTE}

Our approach is essentially the opposite of a blacklist in most cases. While we do have blacklisting and whitelisting components for one-off threats, most of our database is based around statistical models of program popularity and program behaviors. We correlate program behaviors collected from all users who have seen a program and centrally analyze them to find the intent of the program in question. We then also aggregate contextual information about the programs like what registry entries pointed to them and what files they have modified/created and from all of this information, our systems can automatically identify malicious behavior as a derivative of previous threats or identify brand new threats on the first sighting based on a dynamic profiling of the community. In addition to this centralized behavioral analysis, we use correlative algorithms which dissect a program's static structure and format to find similar programs in function at a binary level which allows us to find families of malware with single signatures rather than developing separate detection for each variant.

{QUOTE-> Also if my internet dies for a few hours (which occasionally happens to me...darn ISP!) and I've just downloaded some new files etc (that have hidden malware in them), Prevx would not be able to protect me when I execute them right? <-QUOTE}

:doubt: In a real world example, I don't really see this happening too often :) However our next release will be including on-the-fly analysis of the browser to automatically detect any malicious downloaded content which hasn't tried to load yet but the chances of a user downloading a program and not using it until their ISP is down is quite low :)

Additionally, in the event that it is down, we queue up the data to be checked so as soon as the connection is resumed, we will analyze the programs and then perform any removal as necessary if they are indeed found to be malicious.

PrevxHelp
May 23rd, 2009, 08:01 PM
{QUOTE-> Thanks for the description. In my opinion, it still sounds like a glorified black-listing concept. Don't get me wrong, Prevx sounds very powerful indeed and has developed the black-listing concept to new heights. The reason I say it is black-listing is because you still rely on gathering data and thus rely on signatures in order to detect a threat. For example, a brand new threat (with completely different behaviour or masked behaviour compared to anything before) that was released 2 seconds ago might be attacking me now. Luckily I don't rely solely on black-listing (in fact, I probably don't rely on it at all...I just like trying new programs out haha). Would that be fair enough to say? <-QUOTE}

Although we rely on gathering data, it isn't gathered to generate signatures in the conventional sense. A brand new threat with completely new behavior can be stopped immediately - case in point: the Storm worm. We found the first variants immediately as they were released and the first user seeing the first infection was immediately protected. Granted, we can't stop ALL threats immediately just because we don't have enough data on them. However, our Age/Spread protection (in Settings > Heuristic Settings) is completely different from a blacklist or any other aspect of our protection. It looks at the age of a program and the popularity of a program. If a program is suspicious in any way and is brand new and only seen by a small handful of users, this protection will block the program. This conceptually defeats polymorphic threats as they try to become unique on every PC.

In addition to this, our "heuristics" look at what actually happens on the PC as a program runs so although we might not catch new malware on the first instance, we're going to catch it soon after once we determine it isn't doing anything legitimate on the PC :)

All of our behavior monitoring and heuristics are highly dynamic so FPs are automatically corrected as programs are seen by a larger number of users and trusted by age. Also, nearly all of our signatures and heuristics are generated completely automatically - our research team merely tunes the underlying rules and algorithms as they see fit but rarely do any of our researchers mark individual threats as malicious; it simply is ineffective for new threats to detect a single sample as they constantly change.
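Added example, written for this thread and not Prevx's code: a toy model of the age/spread heuristic as the two replies above describe it. Community sightings (host, time, observed behaviours) are aggregated per program; a program that is both newer than the level's age limit and seen on fewer hosts than its spread limit is blocked if most hosts saw suspicious behaviour, and at the "maximum" level even a silent unknown program is blocked (the paranoid mode discussed later in the thread). The threshold numbers, behaviour names, host ids and hashes are all made up for illustration. The first demo also shows the self-correction described above: the same program is allowed once it has aged and spread.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Behaviours the community analysis treats as suspicious. Illustrative set,
# not the product's real behaviour catalogue.
SUSPICIOUS = {"adds_run_key", "injects_into_process", "hides_own_file", "disables_updates"}

# Hypothetical thresholds for the three slider positions: (maximum age in
# days, minimum number of distinct hosts). Below both limits a program is
# still "too new and too rare" to be trusted on age/spread alone.
LEVELS = {
    "low": (2, 5),
    "medium": (7, 25),
    "maximum": (30, 200),
}


@dataclass(frozen=True)
class Sighting:
    host_id: str
    seen_at: datetime
    behaviours: frozenset


@dataclass
class ProgramRecord:
    sha1: str
    sightings: list = field(default_factory=list)

    def add_sighting(self, host_id, seen_at, behaviours=()):
        self.sightings.append(Sighting(host_id, seen_at, frozenset(behaviours)))

    def first_seen(self):
        return min(s.seen_at for s in self.sightings)

    def spread(self):
        # Distinct hosts, not raw sightings: one user running it 50 times
        # is not popularity.
        return len({s.host_id for s in self.sightings})

    def age_days(self, now):
        return (now - self.first_seen()).days

    def suspicious_ratio(self):
        """Fraction of hosts on which at least one suspicious behaviour was seen."""
        hosts = {s.host_id for s in self.sightings}
        flagged = {s.host_id for s in self.sightings if s.behaviours & SUSPICIOUS}
        return len(flagged) / len(hosts)


def classify(rec, now, level="medium", flag_threshold=0.5):
    max_age, min_spread = LEVELS[level]
    young_and_rare = rec.age_days(now) < max_age and rec.spread() < min_spread
    if not young_and_rare:
        # Trusted by age or by spread; an earlier block self-corrects here.
        # Other layers (behaviour, structural similarity) would still apply.
        return "ALLOW"
    if rec.suspicious_ratio() >= flag_threshold:
        return "BLOCK_AGE_SPREAD"      # the "D" determination mentioned in the thread
    if level == "maximum":
        return "BLOCK_UNKNOWN"         # paranoid mode: unknown + young + rare is enough
    return "ALLOW"


def demo_false_positive_self_correcting(now=datetime(2009, 5, 23)):
    """Constructed telemetry: an installer first seen two days ago on three
    machines, each of which saw it add a Run key."""
    rec = ProgramRecord("constructed-sha1-0001")
    for i in range(3):
        rec.add_sighting(f"host-{i}", now - timedelta(days=2), {"adds_run_key"})
    first_verdict = classify(rec, now, "medium")
    # A month later 300 more users have run it and none reported anything odd.
    later = now + timedelta(days=30)
    for i in range(3, 303):
        rec.add_sighting(f"host-{i}", later)
    return first_verdict, classify(rec, later, "medium")


def demo_paranoid_mode(now=datetime(2009, 5, 23)):
    """Constructed: a brand-new program on one host with no suspicious behaviour."""
    rec = ProgramRecord("constructed-sha1-0002")
    rec.add_sighting("host-0", now)
    return classify(rec, now, "medium"), classify(rec, now, "maximum")
```

The design choice worth noticing is that the block decision never consults a signature: it is a function of how long the program has existed, how many machines have it, and what the community saw it do. That is also why the FP rate of such a scheme is highest for exactly the files in the earlier complaint (old, rarely used utilities with only a handful of installs), and why those verdicts flip on their own once enough users run the file without incident.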

Tarnak
May 23rd, 2009, 08:41 PM
How good is Prevx? Pretty good in my opinion, but I don't just rely on it. Even Prevx says you should have a layered approach. (I think he said that in one of his posts... too many to look back and check.)

Case in point, yesterday SSM came up with this and I blocked it. End of story! Was it malicious or potentially so, I do not know. All I know is I had never seen that particular popup before. See screenshot attached.

a320ca
May 23rd, 2009, 08:45 PM
{QUOTE-> How good is Prevx? Pretty good in my opinion, but I don't just rely on it. Even Prevx says you should have a layered approach. (I think he said that in one of his posts... too many to look back and check.)

Case in point, yesterday SSM came up with this and I blocked it. End of story! Was it malicious or potentially so, I do not know. All I know is I had never seen that particular popup before. See screenshot attached. <-QUOTE}

Wow, would you look at that task bar! :o:o:o

Tarnak
May 23rd, 2009, 08:50 PM
{QUOTE-> Wow, would you look at that task bar! :o <-QUOTE}

A shocker! ;) I know, but I can't help myself. ;D

a320ca
May 23rd, 2009, 08:56 PM
{QUOTE-> A shocker! ;) I know, but I can't help myself. ;D <-QUOTE}

I know what you mean. :)

a320ca
May 23rd, 2009, 09:10 PM
{QUOTE-> http://img505.imageshack.us/img505/5579/24626929.png

Just ran Prevx and oh dear...can this be fixed please? Good to know my system is otherwise clean though haha!

By the way, Prevx runs successfully in Sandbox DefaultBox. Excellent way of testing this application! <-QUOTE}

Ditto, same result here too.

demoneye
May 24th, 2009, 05:35 AM
Seems they fixed it, for now no more of this weird FP hehe

Criss
May 24th, 2009, 05:54 AM
Hi,

I have encountered some false positives with Prevx.

I have attached the scan log to this post. Please fix it soon. :)

demoneye
May 24th, 2009, 06:31 AM
btw

how do i set prevx starting minimize after pc reboot?

PrevxHelp
May 24th, 2009, 06:52 AM
{QUOTE-> How good is Prevx? Pretty good in my opinion, but I don't just rely on it. Even Prevx says you should have a layered approach. (I think he said that in one of his posts... too many to look back and check.)

Case in point, yesterday SSM came up with this and I blocked it. End of story! Was it malicious or potentially so, I do not know. All I know is I had never seen that particular popup before. See screenshot attached. <-QUOTE}

That is not a malicious action and is an FP by SSM - sethc.exe is a legitimate program from Microsoft which changes the system contrast for usability reasons. You should be able to start it on-demand by hitting ALT+Left Shift+PrintScreen.

We don't block this because it isn't malicious :)

PrevxHelp
May 24th, 2009, 06:54 AM
{QUOTE-> http://img505.imageshack.us/img505/5579/24626929.png

Just ran Prevx and oh dear...can this be fixed please? Good to know my system is otherwise clean though haha!

By the way, Prevx runs successfully in Sandbox DefaultBox. Excellent way of testing this application! <-QUOTE}

I suspect this is caused because of the sandbox preventing Prevx from reaching the outside disk properly, which is why the FP is a rootkit detection FP. If you can send me a scan log I can get it corrected ASAP :)

PrevxHelp
May 24th, 2009, 07:06 AM
{QUOTE-> Hi,

I have encountered some false positives with Prevx.

I have attached the scan log to this post. Please fix it soon. :) <-QUOTE}

Hello,
I checked each of these files and they are not false positives - iedfix.c.exe is found by 15 vendors on VT and gaemon.des is definitely suspicious (and found by 6 vendors on VT).

PrevxHelp
May 24th, 2009, 07:07 AM
{QUOTE-> btw

how do i set prevx starting minimize after pc reboot? <-QUOTE}

Prevx should automatically be minimized on bootup as long as the system is clean. If your status is infected after the sandboxie detection, you may want to run another scan to see if that clears it up :) Let me know!

demoneye
May 24th, 2009, 07:50 AM
10x prevx for fast help

I just wanna ask this: if I set in "Settings" all 3 bars to "medium",

1) does it mean I get more FPs?
2) does it mean it will pop up more than the recommended tag?
3) do you recommend increasing it to more than the default?
10x

another FP goes for eaz fix :-[

Criss
May 24th, 2009, 07:58 AM
{QUOTE-> Hello,
I checked each of these files and they are not false positives - iedfix.c.exe is found by 15 vendors on VT and gaemon.des is definitely suspicious (and found by 6 vendors on VT). <-QUOTE}

Hi PrevxHelp,

I have sent all the samples detected by prevx to avira and all come back clean.

{QUOTE-> Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00310434.

A listing of files alongside their results can be found below:
File ID Filename Size (Byte) Result
25348611 IEDFix.C.exe 81 KB CLEAN <-QUOTE}

{QUOTE-> Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00310437.

A listing of files alongside their results can be found below:
File ID Filename Size (Byte) Result
25277099 GameMon.des 2.66 MB CLEAN <-QUOTE}

So who is correct now? ??? I am confused. :wacko:

dclkdm
May 24th, 2009, 08:07 AM
{QUOTE-> We have been unable to reproduce the problems in-house and now we have had a large drop-off in the number of complaints so they may have solved it on their end. If you have a few CPU cycles and a bit of free time, it may be worth trying it again to see if they corrected it behind the scenes :) <-QUOTE}
It seems to be solved :) thank you.

Habakuck
May 24th, 2009, 08:59 AM
Hi PrevxHelp. Great that you answer all questions coming up! :thumb:


I would like to test Prevx full, but i can't find a real trial version anywhere.
I currently use the free version. However, I would like to test all functions before I buy licenses for me and my family.

By the way: When will the Q3-update appear?
I hope it will increase the offline detection on a base level...

PS: What is the difference between a [B] and a [BP] tag in the logfile?

Would be great if you can explain the logfile completely...

PrevxHelp
May 24th, 2009, 09:30 AM
{QUOTE-> Hi PrevxHelp,
I have sent all the samples detected by prevx to avira and all come back clean <-QUOTE}

I'm not sure :-\ This sample looks like a hoax/fake AV, as detected by a-squared, Antiy-AVL, Avast, Comodo, eSafe, eTrust, GData, K7, McAfee, panda, Sophos, Sunbelt, Trend, and ViRobot (and us :))

I tend to err on the side of all of these companies not being wrong ;D

PrevxHelp
May 24th, 2009, 09:33 AM
{QUOTE-> 10x prevx for fast help

I just wanna ask this: if I set in "Settings" all 3 bars to "medium",

1) does it mean I get more FPs?
2) does it mean it will pop up more than the recommended tag?
3) do you recommend increasing it to more than the default?
10x <-QUOTE}

Setting them to medium will only make a marginal impact on FPs - if you set them all to Maximum that is essentially a "paranoid" mode which will trigger on quite a few additional files (it basically provides intelligent whitelisting in that case). Setting them to medium, however, should improve detection as well so you may want to try that - if you do experience any FPs with it, let me know :)

{QUOTE->
another FP goes for eaz fix <-QUOTE}

A couple of other users have reported this as well - we're working on solving it but I'm surprised it's happening in the first place as the data seems to be trusted already in the database :blink: Can you PM/email me a log with the details on the file? :)

PrevxHelp
May 24th, 2009, 09:34 AM
{QUOTE-> It seems to be solved :) thank you. <-QUOTE}

Fantastic! Thanks for letting us know :)

Criss
May 24th, 2009, 09:38 AM
{QUOTE-> I'm not sure :-\ This sample looks like a hoax/fake AV, as detected by a-squared, Antiy-AVL, Avast, Comodo, eSafe, eTrust, GData, K7, McAfee, panda, Sophos, Sunbelt, Trend, and ViRobot (and us :))

I tend to err on the side of all of these companies not being wrong ;D <-QUOTE}

Then I think I will report those samples as false positives to the companies that detect them and see what their reply is. :) Then I will get back to you here.

PrevxHelp
May 24th, 2009, 09:41 AM
{QUOTE-> Hi PrevxHelp. Great that you answer all questions coming up! :thumb: <-QUOTE}

Any time :)

{QUOTE->
I would like to test Prevx full, but i can't find a real trial version anywhere.
I currently use the free version. However, I would like to test all functions before I buy licenses for me and my family. <-QUOTE}

Sure :) I've PM'd you a 7 day test license to try out all of the functionality. We have the default trial as just a free product with no realtime protection or cleanup which lets people try out all of the other functionality for free for as long as they want, rather than like a standard AV which completely prevents you from using it further after ~30 days.

{QUOTE->
By the way: When will the Q3-update appear?
I hope it will increase the offline detection on a base level... <-QUOTE}

We don't have a precise timeline yet as we are still deep in the middle of developing the additional functionality and we don't want to let anything out until it is really ready to be seen publicly. Offline detection is indeed an important area which we are adding in the next release, as well as secured web browsing, significantly enhanced behavior monitoring, and a faster communication to the centralized database for less overhead (as well as a number of other features behind the scenes :))

{QUOTE->
PS: What is the difference between a [B] and a [BP] tag in the logfile?

Would be great if you can explain the logfile completely... <-QUOTE}

The log file contains a number of flags which we use at customer support to help find threats easier. The B denotes a "Bad" file, and the P means "Packed". You'll see other determinations like U (unknown/currently being reviewed), and G (good + trusted) as well as some others like D (an age/spread heuristic detection) and H (a conventional pure heuristic detection).

The log contains the determination, filename, and "PX5" in each entry - the PX5 is a unique identifier which we use to locate a single file in our database.

Hope that helps! Let me know if you need anything else :)
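Added example, not Prevx code and using a log layout that is assumed rather than shown anywhere in this thread: the reply above says each entry carries a determination flag set, a filename and a PX5 identifier, so the parser below assumes a line of the form `[FLAGS] path PX5: hex` and maps the flag letters to the meanings given in that reply. SAMPLE_LOG, including its paths and PX5 values, is constructed for the example.

```python
import re

# Flag letters and their meanings as given in the reply above.
FLAG_MEANINGS = {
    "B": "bad",
    "P": "packed",
    "U": "unknown, currently under review",
    "G": "good, trusted",
    "D": "age/spread heuristic detection",
    "H": "conventional heuristic detection",
}
DETECTION_FLAGS = {"B", "D", "H"}

# Assumed line layout for this example only. The thread does not show the
# real formatting, so both this regex and SAMPLE_LOG are constructed.
ENTRY_RE = re.compile(
    r"^\[(?P<flags>[A-Z]+)\]\s+(?P<path>.+?)\s+PX5:\s*(?P<px5>[0-9A-Fa-f]{8,})\s*$"
)

SAMPLE_LOG = """\
[G]  C:\\Windows\\System32\\sethc.exe  PX5: 00112233445566778899AABBCCDDEEFF
[BP] C:\\Users\\demo\\Downloads\\IEDFix.C.exe  PX5: FFEEDDCCBBAA99887766554433221100
[U]  C:\\Program Files\\Example\\GameMon.des  PX5: 0123456789ABCDEF0123456789ABCDEF
[DP] C:\\Temp\\setup_tmp.exe  PX5: 89ABCDEF0123456789ABCDEF01234567
this line does not follow the assumed layout
"""


def parse_entry(line):
    """Return a dict for one log entry, or None if the line does not match
    the assumed layout. Flags the reply did not explain are kept but marked."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    flags = list(m.group("flags"))
    return {
        "flags": flags,
        "meanings": [FLAG_MEANINGS.get(f, "undocumented flag") for f in flags],
        "path": m.group("path"),
        "px5": m.group("px5").upper(),
        "is_detection": any(f in DETECTION_FLAGS for f in flags),
        "packed": "P" in flags,
    }


def summarize(log_text):
    """Counts a support person would want first: what was detected, how much
    of that is packed (harder to analyse), and what is still pending review."""
    entries = [e for e in (parse_entry(l) for l in log_text.splitlines()) if e]
    detections = [e for e in entries if e["is_detection"]]
    return {
        "parsed": len(entries),
        "detections": len(detections),
        "packed_detections": sum(e["packed"] for e in detections),
        "under_review": sum("U" in e["flags"] for e in entries),
        "detected_px5": [e["px5"] for e in detections],
    }
```

Usage: `summarize(open("prevx_scan.log").read())` gives the counts, and `detected_px5` is the list to quote back to support, since the PX5 identifier, not the filename, is what locates a single file in the vendor's database.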

demoneye
May 24th, 2009, 11:20 AM
Must admit I never saw such well done support!!! So kind and so professional!!
Really amazing that such companies exist in these mad days :)

way to go prevx team!!

Criss
May 24th, 2009, 11:38 AM
Hi PrevxHelp,

I googled IEDFix.c.exe and found out that it is indeed a false positive. :) You can learn more about it here. (http://forums.majorgeeks.com/showpost.php?p=1220540&postcount=2)

So maybe you can ask your virus analysts to re-analyse the sample again. ;D

PrevxHelp
May 24th, 2009, 11:45 AM
{QUOTE-> Hi PrevxHelp,

I googled IEDFix.c.exe and found out that it is indeed a false positive. :) You can learn more about it here. (http://forums.majorgeeks.com/showpost.php?p=1220540&postcount=2)

So maybe you can ask your virus analysts to re-analyse the sample again. ;D <-QUOTE}

I'm not convinced :-\ Trying to determine the intent of a file by filename is not reliable, but: http://www.threatexpert.com/files/iedfix.c.exe.html

If you could send me the file itself I can analyze it :)

Habakuck
May 24th, 2009, 12:16 PM
{QUOTE-> Any time :)



Sure :) I've PM'd you a 7 day test license to try out all of the functionality. We have the default trial as just a free product with no realtime protection or cleanup which lets people try out all of the other functionality for free for as long as they want, rather than like a standard AV which completely prevents you from using it further after ~30 days.



We don't have a precise timeline yet as we are still deep in the middle of developing the additional functionality and we don't want to let anything out until it is really ready to be seen publicly. Offline detection is indeed an important area which we are adding in the next release, as well as secured web browsing, significantly enhanced behavior monitoring, and a faster communication to the centralized database for less overhead (as well as a number of other features behind the scenes :))



The log file contains a number of flags which we use at customer support to help find threats easier. The B denotes a "Bad" file, and the P means "Packed". You'll see other determinations like U (unknown/currently being reviewed), and G (good + trusted) as well as some others like D (an age/spread heuristic detection) and H (a conventional pure heuristic detection).

The log contains the determination, filename, and "PX5" in each entry - the PX5 is a unique identifier which we use to locate a single file in our database.

Hope that helps! Let me know if you need anything else :) <-QUOTE}

Thanks very much!

I will try the full program out and will give feedback later this week.

Thank you for explaining the log file. That helps me a lot to understand how your product works.

I'm really looking forward to the Q3 release! :)

Very well done so far Prevx! Good product (after the Q3 hopefully my first choice) and very good support. My thumbs up!

PrevxHelp
May 24th, 2009, 12:33 PM
{QUOTE-> Hi PrevxHelp,

I googled IEDFix.c.exe on google and found out that it is indeed a false positive. :) You can learn more about it here. (http://forums.majorgeeks.com/showpost.php?p=1220540&postcount=2)

So maybe you can call your virus analysts to re-analyse the sample again. ;D <-QUOTE}

I've analyzed the file and it is indeed legitimate, however, I don't blame our engine or any of the dozen other engines for flagging it as this ;D It does quite a lot of suspicious system modification actions so I think this is one of the one-off cases where the file looks like a duck, sounds like a duck... and isn't a duck ;D

FP fixed! Thanks! :)

PrevxHelp
May 24th, 2009, 12:34 PM
{QUOTE->
Very well done so far Prevx! Good product (after the Q3 hopefully my first choice) and very good support. My thumbs up! <-QUOTE}

Thanks! :) We appreciate all of the upward facing thumbs and the downward ones as well as it helps keep us on our toes to turn those thumbs around :)

Pleonasm
May 24th, 2009, 12:36 PM
{QUOTE-> FPs are inherent in any heuristic-based system but I think we are well within the acceptable range….

If you put your reported FPs into perspective of our entire userbase, they represent 6 (or 7) files out of literally billions of files seen by millions of users, out of tens of millions of legitimate malicious detections. If we actually had a 1% false positive rate, we would have to produce thousands of false positives per day.
<-QUOTE}
PrevxHelp, what exactly is the false positive rate for Prevx – and, what is the methodology for computing that rate?

I don’t agree that the false positive rate should be measured as the number of (a) files initially and incorrectly classified as malicious divided by (b) the total number of files on all users’ PC examined by Prevx, each measured over the same historical time period. This method of computation obviously minimizes the false positive rate.

In the case of a cloud-based tool such as Prevx, I believe the false positive rate should be quantified as the ratio of (c) the number of files initially and incorrectly classified as malicious to (d) the total number of new files classified as malicious, each measured over the same historical time period. This method of computation is more closely aligned with the “user experience.”

Criss
May 24th, 2009, 12:41 PM
{QUOTE-> I've analyzed the file and it is indeed legitimate, however, I don't blame our engine or any of the dozen other engines for flagging it as this ;D It does quite a lot of suspicious system modification actions so I think this is one of the one-off cases where the file looks like a duck, sounds like a duck... and isn't a duck ;D

FP fixed! Thanks! :) <-QUOTE}

Wow, you analyzed it pretty fast. :thumb:

Thanks for confirming that it is indeed a false positive. ;D

PrevxHelp
May 24th, 2009, 12:53 PM
{QUOTE-> In the case of a cloud-based tool such as Prevx, I believe the false positive rate should be quantified as the ratio of (c) the number of files initially and incorrectly classified as malicious to (d) the total number of new files classified as malicious, each measured over the same historical time period. This method of computation is more closely aligned with the “user experience.” <-QUOTE}

On a daily basis, we find around 20,000-30,000 new malicious programs (these are new infections, not just infected files from a file infector as we drop those before they reach the central database to reduce the pollution in the database with unnecessary data). As for the number of actual detections we perform every day, I'm not sure but it is quite high - the 20-30k is new detections of new threats. Across our entire community, we fix on average between 5 and 10 incorrectly identified files every day, as reported to our customer support inbox/Wilders/other AV vendors/ISVs.

It is a holiday in the US and the UK this weekend so the volume is a bit lower in the support inbox than normal, but so far this weekend (since Friday) we have had three FPs reported to the inbox and then the unusually-large handful reported by a few users here at Wilders (and one to me by email :)).

Note that in the past (> 2 years ago or so) we had a much higher volume of FPs every day, well over 10x what we have now but we have significant measures in place to prevent them today and have done a great deal of optimizing on our engines for accuracy.

mvdu
May 24th, 2009, 01:11 PM
Hi,

My Prevx Edge is still detecting Kaspersky version 9 on installation. I just sent the scan log.

micrei
May 24th, 2009, 01:17 PM
Did anyone test Prevx 3's real-time protection against the malware discussed in the thread "some test" (htaaa.exe, stop2.exe etc.)? Did it block all the malware?

PrevxHelp
May 24th, 2009, 01:35 PM
{QUOTE-> Hi,

My Prevx Edge is still detecting Kaspersky version 9 on installation. I just sent the scan log. <-QUOTE}

Fixed :)

Triple Helix
May 24th, 2009, 01:39 PM
{QUOTE-> Must admit I never saw such well-done support!! So kind and so professional!!
Really amazing such companies exist in those mad days :)

way to go prevx team!! <-QUOTE}

Yes, Joe is fantastic in support here, so why do you keep the FP picture link in your siggy line?

TH

Dwarden
May 24th, 2009, 02:48 PM
{QUOTE-> Hello,
I've corrected each of the false positives and in total, all of them combined have only been seen by about 200 users so over the course of the last months that they have been falsely determined, they have only accounted for 200 detections and the vendor charts on the homepage are on a per-day basis so they accounted for less than 1/1000th of the detections today.
<-QUOTE}

all but one :)

everest_icons.dll
CRC32: C1ABB74C
MD5: 930D3E9A79B82856D187F5631CC7F1F2
SHA-1: 7EA22BB608616F11BDE42E50D406EB87544038D2

still reported as medium threat

PrevxHelp
May 24th, 2009, 02:53 PM
{QUOTE-> all but one :) <-QUOTE}

Sorry about that! Fixed now :) Thanks ;D

demoneye
May 24th, 2009, 03:47 PM
Got a question. Prevx wrote this on their site:

"Here's a list of recent viruses, spyware, rootkits and other forms of malware Prevx 3.0 found on PCs that other products completely missed"

Does that mean all the vendors named in the chart missed the malware after a full deep scan and Prevx picked it up and cleaned it?

10x

PrevxHelp
May 24th, 2009, 04:04 PM
{QUOTE->
Does that mean all the vendors named in the chart missed the malware after a full deep scan and Prevx picked it up and cleaned it? <-QUOTE}

Yes - the infections listed were found on computers protected by other security products and the presence of those infections found by our scanner (which focuses on malware which is active or can become active via a registered boot entry or is obfuscated by a rootkit) shows that the infections were in the system and not just idle on disk :)

Habakuck
May 24th, 2009, 04:13 PM
{QUOTE-> as reported to our customer support inbox/Wilders/other AV vendors/ISVs. <-QUOTE} What about the right-click menu: "report as a false positive"? Is that reported to your lab?

PrevxHelp
May 24th, 2009, 04:15 PM
{QUOTE-> What about the right-click menu: "report as a false positive"? Is that reported to your lab? <-QUOTE}

Yes, this will send a report to us but you may want to send me a PM or contact us through our customer service inbox if you experience a FP as the "report as a false positive" feature is abused in massive volume by malware authors trying to get their creations automatically allowed.

demoneye
May 24th, 2009, 04:53 PM
{QUOTE-> Yes - the infections listed were found on computers protected by other security products and the presence of those infections found by our scanner (which focuses on malware which is active or can become active via a registered boot entry or is obfuscated by a rootkit) shows that the infections were in the system and not just idle on disk :) <-QUOTE}

So that means I can use ONLY Prevx instead of my antivirus?

PrevxHelp
May 24th, 2009, 05:12 PM
{QUOTE-> So that means I can use ONLY Prevx instead of my antivirus? <-QUOTE}

You can, but we always recommend using a layered approach. Prevx doesn't protect against 100% of threats so we've engineered it to work alongside all major security products so that you can layer up your defenses to give you the best chance possible to achieving as close to 100% as you can :)

funkydude
May 24th, 2009, 05:43 PM
Question, you state that Prevx checks the security center for presence of an anti-virus. Do you also use this information to make sure it's up-to-date? I realize this information cannot be obtained about the build/version of the anti-virus, but I'm sure it's obtainable about whether the signatures are < a month old (if I remember right).

PrevxHelp
May 24th, 2009, 05:48 PM
{QUOTE-> Question, you state that Prevx checks the security center for presence of an anti-virus. Do you also use this information to make sure it's up-to-date? I realize this information cannot be obtained about the build/version of the anti-virus, but I'm sure it's obtainable about whether the signatures are < a month old (if I remember right). <-QUOTE}

Our logic is based around the fact that it is the job of the antivirus program itself to keep up to date and not necessarily update the security center with every new version/update. There really isn't a valid reason for an AV to not be up to date and in the end it is the fault of the AV model of having to download every new signature update to detect new threats (so users are immediately out of date after updating).

If a user is using an AV with signatures that are more than a month old... they aren't using that AV anymore ;D Threats today tend to live for less than 48 hours - an AV which doesn't update on a less than an hourly basis is virtually useless against new threats.

funkydude
May 24th, 2009, 05:53 PM
{QUOTE-> Our logic is based around the fact that it is the job of the antivirus program itself to keep up to date and not necessarily update the security center with every new version/update. There really isn't a valid reason for an AV to not be up to date and in the end it is the fault of the AV model of having to download every new signature update to detect new threats (so users are immediately out of date after updating).

If a user is using an AV with signatures that are more than a month old... they aren't using that AV anymore ;D Threats today tend to live for less than 48 hours - an AV which doesn't update on a less than an hourly basis is virtually useless against new threats. <-QUOTE}

That doesn't sound very logical to me, you state you already have code in place for querying what anti-virus is there yet you don't query whether it's updated and just go on an assumption? Do you realize the massive amount of people that buy computers with 30 day trials of security, or just buy a year and forget about the fact it expires?

PrevxHelp
May 24th, 2009, 06:01 PM
{QUOTE-> That doesn't sound very logical to me, you state you already have code in place for querying what anti-virus is there yet you don't query whether it's updated and just go on an assumption? Do you realize the massive amount of people that buy computers with 30 day trials of security, or just buy a year and forget about the fact it expires? <-QUOTE}

Yes, but this is the root of the problem - the people think they are secured and they aren't. We aren't assuming it is updated, but we don't factor in the state because the program should always be updated and protecting if the user is under the impression that it is. In the case of people starting with trials or subscriptions and letting them lapse, it is a fault of user education on the part of the AV vendor which is just as bad as letting a piece of malware through.

Users can't be expected to read up on the newest technology and click "Check for updates" on an hourly basis to ensure they are using the latest protection - that's what they are paying the security company to do for them.

(Also, from what I've seen, vendors do not put their entries in the Security Center until the user has configured the AV when purchasing a computer with the AV installed from the OEM.)

Habakuck
May 24th, 2009, 06:58 PM
So, the full program is working great on Vista. But I expected less RAM usage. It's 7,100K for me.

Full scan of all drives tested for the first time. Thanks for the fully working trial! ;)


Some possible false positives: (Advanced Heuristics is Max, Age Heur is High and Popularity is High)

WinRar default.sfx: http://www.virustotal.com/analisis/5687078d38cf33f1a6ed9761fff16f516678f3ee6ba0f342b71370470ecde77e-1243205049

WinBuilder Tool drv_index.exe: http://www.virustotal.com/analisis/99c8251e379539666eb3cac37f796084c859e233d0cb743b902a02f39fefd4c1-1243205274


Winbuilder VistaPE Core ftpserver.exe: http://www.virustotal.com/analisis/65f2d8510bddcd2b47cd1ed28113718ca24aebe56a4c1a93d43e0b55719b2969-1243205526


False Positives:

gmer's MBRfix: http://www.virustotal.com/analisis/e3154798bee30d09a6b190106d0ac7e430d85f2f5e79179b46bae6f978cb1513-1241494251



PS: It would be great if it would be possible to see the whole filename in the "Scan Result" section even if it is very long... ;)

PrevxHelp
May 24th, 2009, 07:09 PM
{QUOTE-> So, the full program is working great on Vista. But I expected less RAM usage. It's 7,100K for me.
<-QUOTE}

RAM usage varies and we do hold a lot of data in memory to improve performance, so in the end it's a trade-off of CPU cycles versus RAM usage, and CPU cycles are what really matter to performance.

I've sent you a PM about the FPs - most likely due to heuristics being maximum but I'll get them sorted ASAP :)

{QUOTE-> PS: It would be great if it would be possible to see the whole filename in the "Scan Result" section even if it is very long... ;) <-QUOTE}

I agree :) Currently the GUI isn't very friendly for trying to display long filenames but if you want the full filename, you may want to just save a scan log to get all of it :)

demoneye
May 25th, 2009, 06:36 AM
I am with you on this, sj100. Weird that there are no direct comparisons between Prevx and other antivirus products.

Maybe PrevxHelp will direct us to such a place.

cheers

PrevxHelp
May 25th, 2009, 07:27 AM
{QUOTE->
Wow! Harsh words haha. How can you assume that it's the AV vendor's fault? I think it's 100% the user's fault. I also think it's Prevx's fault (or the government's or God's) for not educating AV vendors to educate the user properly...haha joking joking. I hope you can see my point though. <-QUOTE}

Take this analogy: if you go to the doctor's office, they tell you what vaccines to get to keep "updated" against the newest viruses, they don't expect the patients to read up on what new strains are going around, they just tell you to come back every year and schedule an appointment for you to do so. You pay the doctor (or your insurance company does) and then everything is taken care of - no further "user education" needed.

However, the point which I'm criticizing with AV vendors is that funkydude was saying that many users received an AV with their computer from the OEM and his point was that many of them continue just using the 30-90 day trial alone without purchasing it, thinking they are protected. In this case, the error is in the hands of the AV vendor, leading the user into a false sense of security when they are using nothing more than a trial. An AV needs to be updated multiple times per hour to have any chance of keeping up with the newest threats. An AV which warns when its signatures are one month outdated is completely useless, unless you go around inserting boot sector infecting floppy disks ;D

{QUOTE-> Erm, I am not paying Avira a cent haha! Their free version is excellent and exactly suits my needs. Regardless, I don't think the user is "paying the security company to do this and that for them". Instead, the user is generally paying the company to use a particular product which works well for him/her. <-QUOTE}

Free AVs are out of the scope of my complaints ;D However, you are looking at this from a techie perspective :) The average home user doesn't have any idea what a particular security product should do to work well for them - they just want to go to a store, pick up a box, open it, put the CD in their computer, and be done with it. Security is not interesting to a vast majority of home users and they want it to be a transparent process, as it should be.

{QUOTE-> I personally think that in theory, other "black-listing and/or behaviour blocker" vendors could do the same thing and put up thousands of malware present on systems missed by Prevx. <-QUOTE}

While this is in theory possible because we don't prevent all threats, we have a policy of guaranteeing cleanup on all systems, otherwise we issue a refund immediately if one of our engineers can't correct it. Other AVs usually charge significant amounts of money for these services, but we do this because we know we're going to catch a vast majority of what is infecting the computer and therefore we're going to be effective in cleanup so that we rarely have to use the manual cleanup. Therefore, based on real world examples of threats seen by real users, I think we are extremely effective.

{QUOTE-> Until I see direct comparisons between Prevx (for example detection rates of a sample of 500,000 malware) and all the major AV vendors, I will find it hard to be convinced that Prevx is better or even as good as others. <-QUOTE}

I don't see us entering in a comparison like this simply because these tests are categorically and fundamentally flawed. Old malware does not affect users - threats today last only a few hours/days at the most, and these tests with hundreds of thousands of samples are completely illogical. Sure it is technologically possible for an old threat to maybe show a popup on the screen or delete a file, but would you rather be protected against an ancient virus from 1993 or Conficker or XP Antivirus 2009 spreading to 10+ million PCs today? The fact that a number of companies can score 99+% in these tests essentially proves how useless they are because it is completely false that those AVs are finding 99+% of threats actually affecting users. If this were the case, we would not have anywhere near the volume of malware problems we have today and there probably wouldn't even be a purpose for Prevx as you could just use the other vendors and be nearly perfectly protected.

There are many samples which we simply do not bother detecting (old DOS samples, ancient samples which won't run on today's computers, garbage/corrupted files, non-malicious joke programs, etc.) which are almost always included in these massive comparison tests, resulting in unfairly poor scores to some companies.

Frankly, detecting a large volume of samples is not hard at all. If we were given a collection of 500,000 samples to add detection for (and in most of these comparison tests, the missed samples are given after you take the test), our automated analysis and server-side sandboxing could analyze each of the samples and add intelligent signatures for all of them in about 36 hours but I suspect it would not improve our products 1%.

For instance, we've taken some samples from these tests before when considering whether it would be an accurate assessment of our products and we checked our database to see how many users had actually seen these samples in the real world (which is the unique view that Prevx has which other companies do not). Unsurprisingly, a high percentage of the samples were seen by a staggering... 2 users - one being the initial test, the other being our researcher when scanning the file to check with the database.

Until "conventional" AV testing organizations design tests which can properly assess today's infections, we are going to have to rely on organizations like PCMag.com (http://www.pcmag.com/article2/0,2817,2346861,00.asp) and mirzos from remove-malware.com (http://www.youtube.com/watch?v=AAx6Y2MW_uA&feature=fvst) to perform accurate tests as they should be performed - with today's malware, using new infections in the correct context on an infected system.

Sorry for the rant :) I've made some of these points before, but it's a holiday in the US/UK today so I'm assuming more people may be reading this thread so I might as well give them something to read for a little while :)

Let me know your thoughts on this!

Ni3K
May 25th, 2009, 08:00 AM
PrevxHelp, could you update me regarding a support ticket I put in on the 23rd of May via your support centre?

Or would it be better to do it on here?

Many thanks.

;)

PrevxHelp
May 25th, 2009, 08:06 AM
{QUOTE-> PrevxHelp, could you update me regarding a support ticket I put in on the 23rd of May via your support centre?

Or would it be better to do it on here? <-QUOTE}

Can you PM me your email address? It will be a miracle if I can hunt and peck to find the right one without an email address ;D

Ni3K
May 25th, 2009, 08:12 AM
Thanks, done. :)

G1111
May 25th, 2009, 02:01 PM
False positive:

Filename: efhgjjfg.sys
File size: 241152 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: b9d3d8e976855e2a5d0173c1d2d20a5d
SHA1: cc0cef0a408fb15cf72806dd99aafafcbd178dae

Scan at Jotti was negative. I believe this is part of Malware Defender.

PrevxHelp
May 25th, 2009, 02:05 PM
{QUOTE->
Scan at Jotti was negative. I believe this is part of Malware Defender. <-QUOTE}

Can you PM me the entry from the scan log? It is most likely a FP and was flagged because of it being a suspicious, system-accessing driver with random filenames.

Pleonasm
May 25th, 2009, 02:08 PM
{QUOTE-> If a user doesn't want the additional antispam/parental controls/backup/etc. features there should be no need to purchase an internet security suite as it wouldn't provide any additional protection against malware, which is what we are testing. <-QUOTE}
PrevxHelp, it is an empirical question whether a security suite minimizes the number of "missed threats" detected by Prevx - and, it is a question that could be answered if Prevx was willing to provide a simple copy of its “missed threats” data to the forum community for independent examination. I still don't really understand the reason why Prevx is unwilling to be transparent and forthcoming with this information.

{QUOTE-> Q: PrevxHelp, the issue is not that a new version “invalidates” a previous version of a security product. If the “missed threats” statistics showed, for example, that users with out-of-date versions of Kaspersky Anti-Virus were at considerably more risk than those with the up-to-date version, then the obvious conclusion would be to update the Kaspersky tool rather than to buy Prevx. I believe this is why Prevx is afraid of disclosing the information that I have requested.

A: The fact is that the instant that a user of a conventional AV downloads an update, their protection is out of date. <-QUOTE}
PrevxHelp, I believe I may not have clearly communicated what I meant by “up-to-date.” I was not referring to whether the most recent anti-virus signatures have been installed, but whether the user has the most recent version of the application installed (e.g., version “16.5” of Norton Internet Security rather than the prior “16.0” version).

With this clarification in mind, does the Prevx “missed threats” data support the hypothesis that users with an out-of-date version of a security product were at considerably more risk than those with the up-to-date version?

{QUOTE-> Even at the RSA conference, we showed the {“missed threats”} statistics to hundreds of people… <-QUOTE}
PrevxHelp, can you kindly post a copy of the Prevx presentation from the RSA conference? I am interested in learning more. In advance, thank you for sharing.

{QUOTE-> On a daily basis, we find around 20,000-30,000 new malicious programs <-QUOTE}
PrevxHelp, is this number (a) the count of unique malicious files found or (b) the count of the number of instances of all malicious files found on all PCs that have been scanned on that day? If the latter, then what is the former?

{QUOTE-> Until "conventional" AV testing organizations design tests which can properly assess today's infections, we are going to have to rely on organizations like PCMag.com … to perform accurate tests as they should be performed <-QUOTE}
PrevxHelp, what makes the PC Magazine anti-virus methodology “valid,” but the methodologies used by organizations such as AV Comparatives “invalid”?

For the “infected system” case, PC Magazine installed the product “on a dozen test systems infested with a wide variety of malware samples including viruses, Trojans, worms, adware, spyware, and scareware (rogue security software)” and measured detection/removal rates. For the “clean system” case, PC Magazine exposed an uninfected PC to various classes of malware and measured detection/prevention rates.

{QUOTE-> We aren't assuming it is updated, but we don't factor in the state because the program should always be updated and protecting if the user is under the impression that it is. <-QUOTE}
PrevxHelp, I find it disappointing that in every case in which there is latitude in how the “missed threats” statistics are compiled, Prevx always chooses the option that will make its product look superior to the competition. In my opinion, this is not “fair & balanced” coverage of the (obvious) issue that all security products (including Prevx) fail to be 100% effective.

I clearly understand that companies will always do their best to highlight their own products' strengths. However, when you are doing so and simultaneously "disparaging" the competition, I think Prevx has the ethical responsibility to go out of its way to ensure a "fair & balanced" treatment of the information that minimizes all potential misinterpretation.

mvdu
May 25th, 2009, 02:11 PM
This is confusing. I have never had a problem after Prevx took a look at the false positive. But KIS's klif.sys is still detected by my Prevx - I have to tell it to ignore. Is there something wrong with my Prevx? I have heuristics to high and apply after age/popularity detection. :-\

PrevxHelp
May 25th, 2009, 02:14 PM
{QUOTE-> This is confusing. I have never had a problem after Prevx took a look at the false positive. But KIS's klif.sys is still detected by my Prevx - I have to tell it to ignore. Is there something wrong with my Prevx? I have heuristics to high and apply after age/popularity detection. :-\ <-QUOTE}

Hmm... it's possible that Kaspersky is mutating their driver every time they write it to disk. If you could please send me an updated scan log, I'll ensure it is taken care of with a more intelligent signature to prevent the FP :)

G1111
May 25th, 2009, 02:34 PM
{QUOTE-> Can you PM me the entry from the scan log? It is most likely a FP and was flagged because of it being a suspicious, system-accessing driver with random filenames. <-QUOTE}

PM with single file scan sent.

Blackcat
May 25th, 2009, 02:39 PM
Same FPs with KIS 2010; my first with Prevx.

PrevxHelp
May 25th, 2009, 02:49 PM
{QUOTE-> PrevxHelp, it is an empirical question whether a security suite minimizes the number of "missed threats" detected by Prevx - and, it is a question that could be answered if Prevx was willing to provide a simple copy of its “missed threats” data to the forum community for independent examination. I still don't really understand the reason why Prevx is unwilling to be transparent and forthcoming with this information. <-QUOTE}

It can be assumed that it would be marginally less, assuming the security suite protects against the types of threats we look for. Using the same example I've said before - if a threat is trying to enter from a spam email and the antispam component blocks the email containing a sample which the AV engine would not have blocked had the sample run, then the suite would provide additional protection. However, if the threat came in from other means which would not have gone through the spam filter (i.e. USB) then the detection would be the same. This case of spam blocking is likely one of the only cases where the suite would show a benefit.

Looking at it economically, it would take far too much effort with essentially no return to produce the data for public inspection and we have far too many other important things to be working on. Although we take all suggestions into consideration, we are a small company with a massive number of users so we prefer to put the rest of the user's best interest above the requests of a single non-user.

{QUOTE-> PrevxHelp, I believe I may not have clearly communicated what I meant by “up-to-date.” I was not referring to whether the most recent anti-virus signatures have been installed, but whether the user has the most recent version of the application installed (e.g., version “16.5” of Norton Internet Security rather than the prior “16.0” version).

With this clarification in mind, does the Prevx “missed threats” data support the hypothesis that users with an out-of-date version of a security product were at considerably more risk than those with the up-to-date version? <-QUOTE}

My answer still stands - the only logical choice for an antivirus company to make when releasing new protection is to release it to existing users using older versions as well, otherwise the chance of the user's protection failing is clearly higher and if it were to fail against a new threat, the user would surely not come back to that company for protection in the future. AV companies make the most money from renewals, not one-time purchases (which is why any company with a "lifetime" license is bound to fail as soon as they saturate the market) so it is in their best interest to protect their users as best as possible.

{QUOTE-> PrevxHelp, can you kindly post a copy of the Prevx presentation from the RSA conference? I am interested in learning more. In advance, thank you for sharing. <-QUOTE}

I don't have a copy of the presentations used but we just had the website open with the filename information displayed for part of it (if that is what you are referring to).

{QUOTE->
PrevxHelp, is this number (a) the count of unique malicious files found or (b) the count of the number of instances of all malicious files found on all PCs that have been scanned on that day? If the latter, then what is the former? <-QUOTE}

It is the former - the latter is far higher.

{QUOTE->
PrevxHelp, what makes the PC Magazine anti-virus methodology “valid,” but the methodologies used by organizations such as AV Comparatives “invalid”?

For the “infected system” case, PC Magazine installed the product “on a dozen test systems infested with a wide variety of malware samples including viruses, Trojans, worms, adware, spyware, and scareware (rogue security software)” and measured detection/removal rates. For the “clean system” case, PC Magazine exposed an uninfected PC to various classes of malware and measured detection/prevention rates.
<-QUOTE}

The samples used and the means of testing the protection/detection are what make the PC Magazine review representative of today's threats, rather than the on-demand tests of AV Comparatives. Running an on-demand scan of a few hundred thousand files does not show how well a product protects against new threats. I responded with more verbosity in this post: http://www.wilderssecurity.com/showpost.php?p=1473523&postcount=4111

{QUOTE->
PrevxHelp, I find it disappointing that in every case in which there is latitude in how the “missed threats” statistics are compiled, Prevx always chooses the option that will make its product look superior to the competition. In my opinion, this is not “fair & balanced” coverage of the (obvious) issue that all security products (including Prevx) fail to be 100% effective.
<-QUOTE}

At every point, I don't see where we incorrectly say that we are better than the competition. We say that we protect where the others fail... because we do. We've made it very clear as to how we gather the data and why it is logically correct.

{QUOTE-> I clearly understand that companies will always do their best to highlight their own products' strengths. However, when you are doing so and simultaneously "disparaging" the competition, I think Prevx has the ethical responsibility to go out of its way to ensure a "fair & balanced" treatment of the information that minimizes all potential misinterpretation. <-QUOTE}

I don't see it as disparaging the competition - I see it as highlighting a flaw in the other products which they aren't admitting to. Sure, they mention that their protection isn't 100% in their EULAs, but in every place where a user would actually see it, they tout their products as the best, and they lead their users to a false sense of security and prevent them from actually improving their security by breaking compatibility with other security products.

I've spent hours of my time responding to these inquiries which I could have been using to improve our products further and we are just continuing to go in a circle. To summarize the discussion:

> Our vendor charts show threats which the other vendors miss. That is all they are meant to do and that is all that they do. There is no need to interpret them further and we won't interpret them further behind the scenes because that obscures the meaning.

> We detect threats that other vendors miss

> We are logically included in the statement "Every day, popular security products are missing thousands of infections"

> Prevx scans for active infections, not for infections in archives or dormant in subfolders on the disk so logically if we detect an infection and another AV is active on the system, it allowed that threat through

> Out of 20,000+ unique detections per day, far less than 1% are false positives so the statistics are not terribly skewed because of them

> Older/outdated antivirus software is not a problem for AV companies and makes no difference on the charts, being that they must logically try as hard as possible to keep backward compatibility with new technology to protect their users better to reduce complaints and fuel renewals

> Internet security suites have functions which can block a fraction more samples, but in the end they ARE still letting thousands of threats through, just as their anti-malware counterparts are

> On-demand, massive collection AV testing is flawed by concept and most new products today cannot be adequately assessed in this manner (and obviously AVs aren't catching 99% of threats in the true wild)

Please let me know if I've missed any or if there are any other points which need to be settled :)

PrevxHelp
May 25th, 2009, 02:51 PM
{QUOTE-> PM with single file scan sent. <-QUOTE}

Fixed - the FP was indeed caused because of heightened heuristics and is corrected now :)

PrevxHelp
May 25th, 2009, 02:53 PM
{QUOTE-> Same FPs with KIS 2010; my first with Prevx. <-QUOTE}

Could you send me the log entry referencing the file by clicking Tools > Save Scan Results? I suspect they've updated their driver which is causing us to complain about it as kilf.sys (and most other AV drivers) perform virus-like behavior on the system so unless we whitelist them, we tend to FP on new builds (and vice versa with them on us ;D)

G1111
May 25th, 2009, 02:54 PM
{QUOTE-> Fixed - the FP was indeed caused because of heightened heuristics and is corrected now :) <-QUOTE}

Thanks Joe, as always to your prompt followup.

Blackcat
May 25th, 2009, 02:56 PM
Just did a scan with Prevx and no threats detected this time; now that was a fast fix 8)

Threats were picked up previously by Prevx after a full scan by KAV.

PrevxHelp
May 25th, 2009, 03:04 PM
{QUOTE-> Just did a scan with Prevx and no threats detected this time; now that was a fast fix 8)

Threats were picked up previously by Prevx after a full scan by KAV. <-QUOTE}

Although I enjoy taking credit for things I actually do, I can't take credit for this one ;D Can you still send me a scan log just so I can double check that everything is fixed? It is possible that Kaspersky is dropping/deleting their driver every time they scan, which could cause an intermittent FP.

Blackcat
May 25th, 2009, 03:13 PM
{QUOTE-> Although I enjoy taking credit for things I actually do, I can't take credit for this one ;D Can you still send me a scan log just so I can double check that everything is fixed? It is possible that Kaspersky is dropping/deleting their driver every time they scan, which could cause an intermittent FP. <-QUOTE}
The last CLEAN log or do you want me to scan with KAV again and then send that log?

PrevxHelp
May 25th, 2009, 03:15 PM
{QUOTE-> The last CLEAN log or do you want me to scan with KAV again and then send that log? <-QUOTE}

Yes, the last clean log should probably have some information which can at least lead me down the right path to find out what happened :)

Blackcat
May 25th, 2009, 03:20 PM
Log sent. Thanks.

Page42
May 25th, 2009, 03:24 PM
{QUOTE-> Although we take all suggestions into consideration, we are a small company with a massive number of users so we prefer to put the rest of the user's best interest above the requests of a single non-user. <-QUOTE}

{QUOTE-> I've spent hours of my time responding to these inquiries which I could have been using to improve our products further and we are just continuing to go in a circle. <-QUOTE}

Amen and amen! :)

Blackcat
May 25th, 2009, 03:24 PM
After a reboot and a KAV update, same 2 "threats" picked up as before.

I will send new log to you.

Dark Star 72
May 25th, 2009, 03:28 PM
{QUOTE-> Amen and amen! :) <-QUOTE}

+1 :thumb: :thumb:

Blackcat
May 25th, 2009, 03:28 PM
{QUOTE-> Amen and amen! :) <-QUOTE}
:thumb: :thumb::thumb:

PrevxHelp
May 25th, 2009, 03:46 PM
{QUOTE-> After a reboot and a KAV update, same 2 "threats" picked up as before.

I will send new log to you. <-QUOTE}

Fixed now :) Thanks for the report - they just released a new driver version, v8.3.0.253, which modifies the system suspiciously as AVs tend to do (us included ;D) which is why we flagged it. It should all be sorted now. Thanks!

Blackcat
May 25th, 2009, 03:56 PM
Thanks, Joe. Yes I scanned 3 times in the last 5 minutes and all is well here now.

Great, fast help as usual.

Support here, by pm and from the main website has been superb and overall the best I have received from any security vendor over many years.

Let's hope that some members here will allow you to devote more time to real problems rather than explaining Company policy.

snowdrift
May 25th, 2009, 03:57 PM
I have never used Prevx before but just did so on my Vista x64 machine. After installing and running its check, Prevx 3.0.1.65 is saying WERFAULT.EXE in c:\windows\system32 is "high-risk cloaked malware."

I know this .EXE is part of Microsoft's error-reporting service, so I am disinclined to think much of Prevx's determination. Is the problem that Microsoft is using WERFAULT in a malware-like fashion, or that my version is in fact some other file masking as a Microsoft .EXE? I cannot tell from the error...

Pleonasm
May 25th, 2009, 04:00 PM
{QUOTE-> I don't have a copy of the {RSA} presentations used but we just had the website open with the filename information displayed for part of it (if that is what you are referring to). <-QUOTE}
PrevxHelp, I’m not sure I understand your reply. To clarify, I was requesting a URL to download the slides used at your RSA presentation(s) -- or, a link to a YouTube video of the presentation(s), if available. Can you kindly share the content? If you don't have it handy, can you kindly pass along this request to one of your colleagues?

Thank you.

bellgamin
May 25th, 2009, 04:45 PM
{QUOTE-> Amen and amen! :) <-QUOTE}:thumb: :thumb: :thumb: :thumb:

As Blackcat noted, the support given by Prevx is fast, friendly, & effective. I sent them an email question. Moments later, my computer signaled a reply. I figured it was the usual automated answer such as: "We got your support request & we're working on it." I was amazed to see that the message from Prevx was, instead, a complete and well-supported reply to my inquiry. 5-star service IMO!

PrevxHelp
May 25th, 2009, 04:49 PM
{QUOTE-> PrevxHelp, I’m not sure I understand your reply. To clarify, I was requesting a URL to download the slides used at your RSA presentation(s) -- or, a link to a YouTube video of the presentation(s), if available. Can you kindly share the content? If you don't have it handy, can you kindly pass along this request to one of your colleagues?

Thank you. <-QUOTE}

I don't have them and we don't have them on our website because they are made in a format which requires explanation alongside each slide so they wouldn't be useful alone (we had presentations at set times throughout the week).

PrevxHelp
May 25th, 2009, 04:56 PM
{QUOTE->
I know this .EXE is part of Microsoft's error-reporting service, so I am disinclined to think much of Prevx's determination. Is the problem that Microsoft is using WERFAULT in a malware-like fashion, or that my version is in fact some other file masking as a Microsoft .EXE? I cannot tell from the error... <-QUOTE}

I've sent you a PM with some instructions which will help me determine the intent of the file :) WERFAULT.exe is indeed most often legitimate but there could be a number of reasons why it isn't - system file patching, file infector, malware using legitimate-looking filenames to get past the watchful eye, etc.

Pleonasm
May 25th, 2009, 06:22 PM
{QUOTE-> I've spent hours of my time responding to these inquiries which I could have been using to improve our products further and we are just continuing to go in a circle. <-QUOTE}
PrevxHelp, I do concur. While it is apparent that we have an “irreconcilable difference of opinion,” I do wish to publicly praise your continued engagement in the debate. Support personnel from other anti-virus vendors might have dismissed the issues long ago, and so you do deserve kudos for documenting and sharing your point of view.

PrevxHelp
May 25th, 2009, 07:00 PM
{QUOTE-> PrevxHelp, I do concur. While it is apparent that we have an “irreconcilable difference of opinion,” I do wish to publicly praise your continued engagement in the debate. Support personnel from other anti-virus vendors might have dismissed the issues long ago, and so you do deserve kudos for documenting and sharing your point of view. <-QUOTE}

Thank you :)

PrevxHelp
May 25th, 2009, 07:10 PM
{QUOTE->
I know this .EXE is part of Microsoft's error-reporting service, so I am disinclined to think much of Prevx's determination. <-QUOTE}

I've corrected the FP - we had a couple of issues with Vista SP2 x64, which is where these files originated from. They're now corrected :) Thanks for the report!

mvdu
May 25th, 2009, 09:01 PM
New scan log with the Kaspersky FP sent. :)

PrevxHelp
May 26th, 2009, 07:42 AM
To everyone with Kaspersky FPs: We've found the root cause of it and have now corrected it :) Prevx and Kaspersky should now return to playing nicely together.

softtouch
May 26th, 2009, 10:15 AM
Getting FPs again with PX 3 (but NOT at VT with PX 3 ?????).
Check http://www.delphifreeware.com/downloads/hfs.exe
Nothing wrong with that file; flagged at VT by eSafe and CAT-QuickHeal as a suspicious file, nothing else.
How come my local PX 3 ALWAYS flags it when I start it and VT does not???

EraserHW
May 26th, 2009, 10:32 AM
Try again please. FP should have been fixed.

This is because VirusTotal implements a basic version of Prevx with only a basic heuristic check, while Prevx 3.0 implements the full heuristic engine.

alley
May 26th, 2009, 06:03 PM
@PrevxHelp,

2 false positives:
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\rpcss.dll

Windows Vista x64 with Service Pack 2

PrevxHelp
May 26th, 2009, 06:09 PM
{QUOTE->
Windows Vista x64 with Service Pack 2 <-QUOTE}

Thanks :) We're in the process of whitelisting Vista x64 SP2 which is the root of the recent complaints. These FPs will be fixed shortly along with the others from x64 SP2 :)

mvdu
May 26th, 2009, 08:54 PM
Just wanted to say that the Kaspersky FP has been fixed. Thanks!

Searching_ _ _
May 26th, 2009, 10:52 PM
Edge detects Combofix as "High Risk Spyware".
How should I proceed?

P.S.

Edge installed fine on another system. Must be a hardware problem.

PrevxHelp
May 27th, 2009, 04:21 AM
{QUOTE->
Edge installed fine on another system. Must be a hardware problem. <-QUOTE}

Good to hear :) We haven't had any other complaints still so I'm not sure what would be going wrong :-\

I've sent you a PM with further instructions as well :)

Foxfired
May 27th, 2009, 10:09 PM
Is Prevx considered a firewall? Or should I run this program along with a firewall?

G1111
May 27th, 2009, 10:18 PM
{QUOTE-> Is Prevx considered a firewall? Or should I run this program along with a firewall? <-QUOTE}

I consider it an anti-malware/behavior blocker (heuristics). I use it as a supplement to my anti-virus. I don't consider it as a firewall and run a separate firewall program.

Foxfired
May 27th, 2009, 10:24 PM
OK so it offers real time protection but it is good to still use a firewall.

G1111
May 27th, 2009, 11:09 PM
{QUOTE-> OK so it offers real time protection but it is good to still use a firewall. <-QUOTE}

I think so, but that is only my opinion. If Prevx caught everything you might not need one. I don't think Prevx will though. No application is 100%. You could use the built in Windows firewall. Prevx +firewall +something like Sandboxie, DefenseWall or Malware Defender might be all you need. Each person's security needs/expertise is different.

PrevxHelp
May 28th, 2009, 04:07 AM
{QUOTE-> I think so, but that is only my opinion. If Prevx caught everything you might not need one. I don't think Prevx will though. No application is 100%. You could use the built in Windows firewall. Prevx +firewall +something like Sandboxie, DefenseWall or Malware Defender might be all you need. Each person's security needs/expertise is different. <-QUOTE}

:thumb: :thumb: Exactly :)

Boost
May 28th, 2009, 04:24 AM
In general, hardware firewalls (routers), typically provided by NAT routers, keep malicious traffic from ever reaching your computer, whereas software firewalls, such as the Windows firewall, discard malicious traffic after it has actually arrived at your computer.

But you don't need both.

If you have a router with NAT enabled, then there's no need to enable the Windows firewall. In fact, you can tell the new Windows Security Center that you'll manage your firewall yourself.

PrevxHelp
May 28th, 2009, 04:25 AM
{QUOTE-> Router + Windows Firewall is fine. <-QUOTE}

Especially in Windows 7 which has quite a nice firewall IMO :)

Eagle Creek
May 28th, 2009, 04:41 AM
You think it's better than the one in Vista? Because, as far as I know, there isn't that much difference between those two. You can block both incoming and outgoing traffic and you can make several exceptions and custom settings.

However, I'm not all up to date on this subject so I might have missed something :).

Eagle Creek
May 28th, 2009, 05:11 AM
{QUOTE-> If you have a router with NAT enabled, then there's no need to enable the Windows firewall. <-QUOTE}
Except if you have more advanced configurations. Let's say you make a VPN with Hamachi (not uncommon these days), or let family or neighbours use your connection. In that case you still might want to add an extra layer of security to your PC. Otherwise everything that gets behind the router gets unlimited access.

PrevxHelp
May 28th, 2009, 05:49 AM
{QUOTE-> You think it's better than the one in Vista? Because, as far as I know, there isn't that much difference between those two. You can block both incoming and outgoing traffic and you can make several exceptions and custom settings.

However, I'm not all up to date on this subject so I might have missed something :). <-QUOTE}

I haven't played with the Vista firewall much, but in Windows 7 it does have quite a lot of configuration available, most of it via an MMC snap-in. I'd be surprised if Vista has functionality this granular, but it may indeed - it is nearly exactly the same as the configuration in Windows 2008 at the advanced levels, and gets progressively more advanced if you want to dig deeper:

http://ibuymobile.co.uk/reviews/wp-content/uploads/2009/02/win7_firewall.jpg

http://www.intelliadmin.com/images/Windows%207%20Firewall%20Settings.jpg

http://www.windows7update.com/images/Windows7-Windows-Firewall-with-Advanced-Security.jpg

http://www.dedoimedo.com/images/computers/2008/windows-7-firewall.jpg

http://img14.imageshack.us/img14/3907/firewallp.png

rolarocka
May 28th, 2009, 08:39 AM
The firewall in Win7 is nice yes but on my pc the gui is very slow and sluggish. Too bad...

Eagle Creek
May 28th, 2009, 09:22 AM
Looks interesting!

I'm certainly going to look into that. Thanks.

(too many things, too little time ;D)

cruchot
May 28th, 2009, 01:25 PM
http://www.prevx.com/freescan.asp

Where can I find some more detailed information about

Realtime and zero-day / zero-hour protection
and
Blocks known and unknown infections with advanced heuristics

What is the realtime protection?

Regarding "advanced heuristics", the free version also offers heuristics
settings, so what is the difference to the paid version here?

PrevxHelp
May 28th, 2009, 01:51 PM
{QUOTE-> http://www.prevx.com/freescan.asp

Where can I find some more detailed information about

Realtime and zero-day / zero-hour protection
and
Blocks known and unknown infections with advanced heuristics

What is the realtime protection?

Regarding "advanced heuristics", the free version also offers heuristics
settings, so what is the difference to the paid version here? <-QUOTE}

Hello,
You can find out more information about what the heuristic settings mean and how to configure stronger zero-day protection by visiting: http://info.prevx.com/edgehelp.asp and clicking Settings > Heuristics Settings

The heuristics in the free/paid version are the same except that the free version doesn't clean/block threats - it will only identify them when they are present.

Let me know if you have any other questions! :)

philby
May 28th, 2009, 02:09 PM
Just got this Joe:


Just so you know...

(Heuristics maxed and default Age + Popularity)

philby

PrevxHelp
May 28th, 2009, 02:19 PM
{QUOTE->
(Heuristics maxed and default Age + Popularity) <-QUOTE}

I suspect it will fix itself, but I've sent you a PM on where to send a scan log if wanted :)

philby
May 28th, 2009, 02:40 PM
Sent - thanks.

philby

Page42
May 28th, 2009, 03:05 PM
{QUOTE-> Just got this Joe:


Just so you know...

(Heuristics maxed and default Age + Popularity)

philby <-QUOTE}
I got a similar alert yesterday identifying geswall.sys as a threat. Same heuristics settings. I added it to Detection Override, but I guess I should mention it.
--> Edit in: I looked into the matter closer and see that the GeSWall driver in question was one sent to me by the developer to fix an install issue I was having. If it worked (it did) the plan was to include it into the next release. So it is a driver that was used between official version releases. That would explain the Prevx detection, I think.

{QUOTE-> I suspect it will fix itself <-QUOTE}
How does that work? Thanks. :)

Retadpuss
May 28th, 2009, 04:10 PM
I just remembered something about Prevx that I think needs changing...

The "System is Secure" notification in the system tray mouseover and in the main programme window should really say "no threats found" or something similar. Prevx does not really know that the system is secure as it does not detect everything and so can't say it is secure - if you follow....

Puss

trjam
May 28th, 2009, 04:33 PM
{QUOTE-> I just remembered something about Prevx that I think needs changing...

The "System is Secure" notification in the system tray mouseover and in the main programme window should really say "no threats found" or something similar. Prevx does not really know that the system is secure as it does not detect everything and so can't say it is secure - if you follow....

Puss <-QUOTE}
Not so, if no threats are found then as far as Prevx is concerned, System is secure. I mean if you use "no threats found", well it can't say that either as there is always one threat. THE USER ;D

Retadpuss
May 28th, 2009, 04:56 PM
{QUOTE-> Not so, if no threats are found then as far as Prevx is concerned, System is secure. I mean if you use "no threats found", well it can't say that either as there is always one threat. THE USER ;D <-QUOTE}

Sorry, trjam, I'm correct. Your statement sums it up "....as far as Prevx is concerned, System is secure" - indeed, this is 100% true - but the message does not say "as far as Prevx is concerned, System is secure", it says "system is secure". If a system is infected with something that Prevx does not detect, the system will by definition not be secure, but Prevx will still say "system is secure" and in so doing, will be wrong. If on the other hand Prevx says "no threats found", this is 100% true in the case when the system really has no malware AND in the case when the system is infected with malware that Prevx does not detect (since the statement is still true that there have been no threats found).

Puss

trjam
May 28th, 2009, 05:00 PM
{QUOTE-> Sorry, trjam, I'm correct. Your statement sums it up "....as far as Prevx is concerned, System is secure" - indeed, this is 100% true - but the message does not say "as far as Prevx is concerned, System is secure", it says "system is secure". If a system is infected with something that Prevx does not detect, the system will by definition not be secure, but Prevx will still say "system is secure" and in so doing, will be wrong. If on the other hand Prevx says "no threats found", this is 100% true in the case when the system really has no malware AND in the case when the system is infected with malware that Prevx does not detect (since the statement is still true that there have been no threats found).

Puss <-QUOTE}
Apples to Oranges my friend. Apples to Oranges. ;)

Pleonasm
May 28th, 2009, 05:03 PM
/Humor=ON
It is so very ironic, indeed. The Prevx utility reports that the “system is secure,” which is equivalent to saying that it has provided “total protection.”

Oh, dear. Someone at Prevx hasn't looked at the "missed threats" statistics on the Prevx home webpage, to learn that no security tool provides "total protection." :)

/Humor=OFF

P.S.: Norton Internet Security, in contrast, reports that “no viruses, spyware or other risks were found” as a summary status message following a successful scan.

PrevxHelp
May 28th, 2009, 05:06 PM
{QUOTE-> It is so very ironic, indeed. The Prevx utility reports that the “system is secure,” which is equivalent to saying that it has provided “total protection.” <-QUOTE}

I agree - We had overlooked this point and we will change the text in the next version.

Thanks for the watchful eyes!

Retadpuss
May 28th, 2009, 05:08 PM
{QUOTE-> Apples to Oranges my friend. Apples to Oranges. ;) <-QUOTE}

My observation is not open to debate nor can it be a matter of opinion - it is an indisputable statement of fact and logic. It must be a case of you missing the point / failing to understand properly, else you would not make the comments you have.

Puss.

PrevxHelp
May 28th, 2009, 05:08 PM
{QUOTE-> I looked into the matter closer and see that the GeSWall driver in question was one sent to me by the developer to fix an install issue I was having. If it worked (it did) the plan was to include it into the next release. So it is a driver that was used between official version releases. That would explain the Prevx detection, I think.
<-QUOTE}

Yes, this would indeed cause the warning :) A brand new suspicious driver which modifies the system generally results in a warning from Prevx :)

{QUOTE-> How does that work? Thanks. :) <-QUOTE}

Our database automatically classifies programs and being that you were one of the first users to see this driver, it most likely did not have a full picture of what the file actually did so it would automatically correct the detection after filling in the missing pieces.

trjam
May 28th, 2009, 05:10 PM
{QUOTE-> /Humor=ON
It is so very ironic, indeed. The Prevx utility reports that the “system is secure,” which is equivalent to saying that it has provided “total protection.”

Oh, dear. Someone at Prevx hasn't looked at the "missed threats" statistics on the Prevx home webpage, to learn that no security tool provides "total protection." :)

/Humor=OFF

P.S.: Norton Internet Security, in contrast, reports that “no viruses, spyware or other risks were found” as a summary status message following a successful scan. <-QUOTE}

I respectfully disagree. Only the individual who wrote it for Prevx knows what the true interpretation means. :dry: You can't just assume anything, Pleonasm. If a person tells me a color is blue, does that mean it is true blue, or one of many shades of blue that were left out in his statement? It is all left up to interpretation.

trjam
May 28th, 2009, 05:11 PM
{QUOTE-> My observation is not open to debate nor can it be a matter of opinion - it is an indisputable statement of fact and logic. It must be a case of you missing the point / failing to understand properly, else you would not make the comments you have.

Puss. <-QUOTE}
I am over 50, I can miss any fact I choose to.8)

PrevxHelp
May 28th, 2009, 05:14 PM
I'm not involved with marketing at all (thankfully! :)) but would anyone have any objections to "System is Protected"? or "Protection is Active"

trjam
May 28th, 2009, 05:15 PM
{QUOTE-> I'm not involved with marketing at all (thankfully! :)) but would anyone have any objections to "System is Protected"? <-QUOTE}
As long as the word blue is left out.

It sounds good Joe. As always, you are listening to your fan base.

Triple Helix
May 28th, 2009, 05:19 PM
{QUOTE-> I'm not involved with marketing at all (thankfully! :)) but would anyone have any objections to "System is Protected"? or "Protection is Active" <-QUOTE}

"Protection is Active"

philby
May 28th, 2009, 05:25 PM
"Protection is active"

Otherwise, those inclined to do so will question whether Prevx can really claim that the "system is protected".

philby

Retadpuss
May 28th, 2009, 05:30 PM
{QUOTE-> I'm not involved with marketing at all (thankfully! :)) but would anyone have any objections to "System is Protected"? or "Protection is Active" <-QUOTE}

Either would be okay - but I would think something like "no threats detected" would be more logical / make a better statement. "System is protected" is possibly a bit meaningless in the true sense of the statement - do you mean protected in absolute terms (Impossible!) or to the best of the system's ability to determine / provide protection?

"Protection is Active" also seems to be a bit vague? I would prefer a statement along the lines that Prevx has not found anything - or perhaps "system is protected by Prevx"

Anyway, I'm off to have a couple of bottles of Leffe and watch an old black and white horror or sci-fi film!

Night all.

Puss

PrevxHelp
May 28th, 2009, 05:30 PM
{QUOTE-> "Protection is active"

Otherwise, those inclined to do so will question whether Prevx can really claim that the "system is protected".

philby <-QUOTE}

However, the system is indeed protected - we aren't saying that we're protecting against everything, we're just saying that we are protecting it (from the threats which we protect against).

trjam
May 28th, 2009, 05:34 PM
{QUOTE->
Anyway, I'm off to have a couple of bottles of Leffe and watch an old black and white horror or sci-fi film!

Night all.

Puss <-QUOTE}
What the hell is a Leffe? :doubt: Boy, you need to get yourself a good ole Nascar Budweiser. Lol :thumb:

PrevxHelp
May 28th, 2009, 05:34 PM
{QUOTE-> Either would be okay - but I would think something like "no threats detected" would be more logical / make a better statement. "System is protected" is possibly a bit meaningless in the true sense of the statement - do you mean protected in absolute terms (Impossible!) or to the best of the system's ability to determine / provide protection? <-QUOTE}

The only problem with "No Threats Detected" is that people wouldn't think there is any actual protection enabled - just detection.

{QUOTE->
"Protection is Active" also seems to be a bit vague? I would prefer a statement along the lines that Prevx has not found anything - or perhaps "system is protected by Prevx" <-QUOTE}

IMO "System is Protected by Prevx" is a bit redundant being that the GUI says Prevx all over it. I personally think that "System is Protected" is the best balance between stating that we are protecting the system (which we are indeed doing) and saying that we are protecting against everything (which we are indeed NOT doing :))

{QUOTE->
Anyway, I'm off to have a couple of bottles of Leffe and watch an old black and white horror or sci-fi film! <-QUOTE}

Enjoy! Thanks again for the suggestions :)

Pleonasm
May 28th, 2009, 05:35 PM
{QUOTE-> My observation is not open to debate nor can it be a matter of opinion - it is an indisputable statement of fact and logic. <-QUOTE}
Retadpuss, truer words were never written. The statement “system is secure” leaves little to the imagination, and is exceedingly straightforward. (Not a case of “shades of blue,” in my opinion.)

{QUOTE-> I'm not involved with marketing at all (thankfully! ) but would anyone have any objections to "System is Protected"? or "Protection is Active" <-QUOTE}
PrevxHelp, "Protection is Active" would be fair statement.

Triple Helix
May 28th, 2009, 05:40 PM
{QUOTE-> What the hell is a Leffe? :doubt: Boy, you need to get yourself a good ole Nascar Budweiser. Lol :thumb: <-QUOTE}

Leffe, Stella and so on.

http://thebrewclub.com/2008/11/30/beer-review-leffe

Page42
May 28th, 2009, 05:44 PM
{QUOTE-> I'm not involved with marketing at all (thankfully! :)) but would anyone have any objections to "System is Protected"? or "Protection is Active" <-QUOTE}
"Prevx Protection is Active" works well, if you feel you must alter what is there now.

I actually think "System is Secure" is fine, inasmuch as it pertains to Prevx software, and everyone viewing those words knows it pertains only to Prevx. It is a given. That is, how could "Prevx v3.0.1.65 - System is Secure" pertain to anything else?

For example, most Wilders members use more than one security application, right? Any one of these apps might think the system is infected, or not secure. And they are of course free to make that claim. But in doing so, we don't see an AV program going into any disclaimer-type detail when it finds what it thinks is an infection.... "as far as Kaspersky is concerned, System is infected". That's ridiculous. As ridiculous as it is to suggest that Prevx stating the system is secure should be accompanied by a qualifier.

"System is Secure" is fine and 99.9% of the folks reading that understand it for what it is saying.

crofttk
May 28th, 2009, 08:27 PM
{QUOTE-> ...Anyway, I'm off to have a couple of bottles of Leffe ... <-QUOTE}
Mmmmm, delicious!
And for me, a Duvel too! :P

Sorry, folks, just the odd American spoiled by a Flemish wife and Belgian beer.:lurking:

softtouch
May 28th, 2009, 09:59 PM
You know what is confusing for me?
When it detects something, it shows the screen attached (they are FP, but anyway).

The red button "View Threats" does not show the detected threats, it will just rescan again! I had NO way to see WHAT it had detected...

PrevxHelp
May 29th, 2009, 04:00 AM
{QUOTE->
The red button "View Threats" does not show the detected threats, it will just rescan again! I had NO way to see WHAT it had detected... <-QUOTE}

That indeed sounds like a bug - we'll look into what is causing this shortly :)

raven211
May 29th, 2009, 04:03 AM
{QUOTE-> You know what is confusing for me?
When it detects something, it shows the screen attached (they are FP, but anyway).

The red button "View Threats" does not show the detected threats, it will just rescan again! I had NO way to see WHAT it had detected... <-QUOTE}

Sadly I think "Rescan for threats" is a little too long to be written out on that tiny space, cause that's exactly what it does - check if the threat(s) is/are still present. ;)


Funny thing is, it's being stated a number of times that only a few users here are going to see these FPs - yet the reports only continue rapidly. :o ::)

Now, in the new version, except for a bunch of new features being integrated, can we (or more like I...) expect less FPs and a faster process when it comes to new files or data? Oh wait... my mistake... (okay, lol, not really to be fair ;D) it's also when it just scans in real-time when there's a threat. I experienced this when testing around with some malware in evaluation mode. (God, I wish it would have that same seemingly automatic operation by default with that kind of small window reporting. ::))

It's definitely not a micro- or millisecond for that part, and I still don't believe that it would be my connection. My location? Now THAT would be pretty lame. It does indeed have to be program- or server-wise in some way... :ouch:

trjam
May 29th, 2009, 04:20 AM
{QUOTE-> Sadly I think "Rescan for threats" is a little too long to be written out on that tiny space, cause that's exactly what it does - check if the threat(s) is/are still present. ;)


Funny thing is, it's being stated a number of times that only a few users here are going to see these FPs - yet the reports only continue rapidly. :o ::)

Now, in the new version, except for a bunch of new features being integrated, can we (or more like I...) expect less FPs and a faster process when it comes to new files or data? Oh wait... my mistake... (okay, lol, not really to be fair ;D) it's also when it just scans in real-time when there's a threat. I experienced this when testing around with some malware in evaluation mode. (God, I wish it would have that same seemingly automatic operation by default with that kind of small window reporting. ::))



It's definitely not a micro- or millisecond for that part, and I still don't believe that it would be my connection. My location? Now THAT would be pretty lame. It does indeed have to be program- or server-wise in some way... :ouch: <-QUOTE}
Your whole post is gibberish.:dry:

PrevxHelp
May 29th, 2009, 04:31 AM
{QUOTE->
Funny thing is, it's being stated a number of times that only a few users here are going to see these FPs - yet the reports only continue rapidly <-QUOTE}

All of the recent reports have been either from a beta operating system or from other security software which we inherently will detect if they release a new version (and they do the same against us).

{QUOTE-> Now, in the new version, except for a bunch of new features being integrated, can we (or more like I...) expect less FPs and a faster process when it comes to new files or data? Oh wait... my mistake... (okay, lol, not really to be fair ;D) it's also when it just scans in real-time when there's a threat. I experienced this when testing around with some malware in evaluation mode. (God, I wish it would have that same seemingly automatic operation by default with that kind of small window reporting. ::)) <-QUOTE}

A majority of the features which we are adding are behind the scenes rather than actual new features for the user. You will definitely experience fewer FPs and more detections as we are now collecting significantly more behaviors and data while optimizing the actual structures in which we send them up.

The protection is being re-engineered from the ground up - massive changes starting in the drivers all the way through to the communication with the database.

Although the product will look the same, the feel will be significantly different - much for the better :) The reason for all of these changes is that about a month ago we had a breakthrough in behavior monitoring which has made everything much easier to work with, while actually improving system performance even though we're doing more behind the scenes.

As well as these changes, we're adding offline support and more granular control over local protection. The secure browser should also be in this next release as well which includes keylogger, screengrabber, clipboard stealer, etc. protection around the browser as well as seamless malware protection from the browser into the rest of the OS (built upon our new behavior monitoring). Also, when monitoring behaviors, we will also be saving the state of the system as an untrusted program runs so we can quickly undo any change which a program makes if we do find that it is malicious.

On top of these there are some dozens more behind-the-scenes improvements, all of which will be shipped out to existing users as soon as they're done and tested :)

All around it is quite a large volume of changes which is why they're taking a while to complete ;D

raven211
May 29th, 2009, 04:53 AM
{QUOTE-> Your whole post is gibberish.:dry: <-QUOTE}

... and again it's only personal experience. You can't decide when it comes to that, even if you wanted to. :what:

EraserHW
May 29th, 2009, 04:55 AM
{QUOTE->
All around it is quite a large volume of changes which is why they're taking a while to complete ;D <-QUOTE}

Our hamsters who are developing Prevx went on strike because they want better food and nicer cages :-\

raven211
May 29th, 2009, 05:00 AM
{QUOTE-> All of the recent reports have been either from a beta operating system or from other security software which we inherently will detect if they release a new version (and they do the same against us).



A majority of the features which we are adding are behind the scenes rather than actual new features for the user. You will definitely experience fewer FPs and more detections as we are now collecting significantly more behaviors and data while optimizing the actual structures in which we send them up.

The protection is being re-engineered from the ground up - massive changes starting in the drivers all the way through to the communication with the database.

Although the product will look the same, the feel will be significantly different - much for the better :) The reason for all of these changes is that about a month ago we had a breakthrough in behavior monitoring which has made everything much easier to work with, while actually improving system performance even though we're doing more behind the scenes.

As well as these changes, we're adding offline support and more granular control over local protection. The secure browser should also be in this next release as well which includes keylogger, screengrabber, clipboard stealer, etc. protection around the browser as well as seamless malware protection from the browser into the rest of the OS (built upon our new behavior monitoring). Also, when monitoring behaviors, we will also be saving the state of the system as an untrusted program runs so we can quickly undo any change which a program makes if we do find that it is malicious.

On top of these there are some dozens more behind-the-scenes improvements, all of which will be shipped out to existing users as soon as they're done and tested :)

All around it is quite a large volume of changes which is why they're taking a while to complete ;D <-QUOTE}

I really appreciate your post, Joe - it's most informative. ;) I can see why the FPs occurred now as I can only imagine what a pain in the butt all the released Win7 builds must be. ;D I definitely believe that this will be improved. :)

It will still be different compared to a sandbox, right? That is, you would be able to seamlessly install new software, even if malware is restricted from having any kind of access to your system?

I SO hope that it'll be browser independent or that you will still support Opera, cause we users of the web-browser sure miss out on a lot. ;D

Overall the improvements sound most impressive, and I really hope that I'll have the opportunity to have a trial key and a beta to participate in. :)


Best of luck!

raven211
May 29th, 2009, 05:01 AM
{QUOTE-> Our hamsters who are developing Prevx went on strike because they want better food and nicer cages :-\ <-QUOTE}

HAHA ;D - that sure made me LOL. :D

PrevxHelp
May 29th, 2009, 05:10 AM
{QUOTE-> I really appreciate your post, Joe - it's most informative. ;) I can see why the FPs occurred now as I can only imagine what a pain in the butt all the released Win7 builds must be. ;D I definitely believe that this will be improved. :) <-QUOTE}

Indeed :) Between Win7 and Vista SP2 we've had around 50k new Microsoft files come into the database, all having been seen by a small number of users, so it's a nightmare for FPs because a file existing in a system folder which is parading as a legitimate system file tends to be quite suspicious :-\

{QUOTE-> It will still be different compared to a sandbox, right? That is, you would be able to seamlessly install new software, even if malware is restricted from having any kind of access to your system? <-QUOTE}

Correct :)

{QUOTE-> I SO hope that it'll be browser independent or that you will still support Opera, cause we users of the web-browser sure miss out on a lot. ;D <-QUOTE}

Yes :) The protection is actually application independent but for now we're focusing on browsers (you could apply it to Microsoft Word if you wanted to prevent any program from reading the keystrokes typed into your document :))

{QUOTE-> Overall the improvements sound most impressive, and I really hope that I'll have the opportunity to have a trial key and a beta to participate in. :) <-QUOTE}

Of course!

raven211
May 29th, 2009, 05:39 AM
{QUOTE->
Yes :) The protection is actually application independent but for now we're focusing on browsers (you could apply it to Microsoft Word if you wanted to prevent any program from reading the keystrokes typed into your document :))
<-QUOTE}

About that... does the user have to make those settings, or is it handled by the software on its own? Maybe I just got confused by your message. ;D

PrevxHelp
May 29th, 2009, 05:44 AM
{QUOTE-> About that... does the user have to make those settings, or is it handled by the software on its own? Maybe I just got confused by your message. ;D <-QUOTE}

We're still deciding exactly how we'll roll out the protection - we don't want existing users to be confused by new dialogs/functions so we may end up automatically enabling the new features only for new users installing fresh (of course you can just tick the configuration boxes to enable it, but we want to make everything as seamless as possible).

softtouch
May 29th, 2009, 06:40 AM
Please add a proper detection for UPX or PECompact compressed exe files.
EVERY time I run a UPX or PECompact compressed file (I thought it's just my file, but ANY), it triggers an alarm and prevents me from running it, but ONLY once. When I start it again, it works.

This happens with ANY downloaded file which is UPX or PECompact compressed... and most shareware authors compact their exe today...

And in my situation, it is even more disturbing. Every time I compress my Delphi applications after compiling them, I cannot run them for the first time...

It looks to me like Prevx first just blocks it, and AFTER that analyses the file, which should be the other way around...

You can check 2 of my applications:
Alternate Data Streams Scan Engine - http://www.delphifreeware.com/downloads/ads.exe
Hidden File Scanner - http://www.delphifreeware.com/downloads/hfs.exe

It does not help to fix it for these 2 programs, because when I compile them again in a while, they will be detected again.

EraserHW
May 29th, 2009, 06:50 AM
Ok, please, can you compile the files again and send me a log file when Prevx detects them? :) I've sent you my email address by PM :)

PrevxHelp
May 29th, 2009, 06:51 AM
What detection are you receiving with these files and what are your heuristic/age/popularity protection settings?

We don't just block every PECompact/UPX exe as this would be a huge volume of programs. I suspect you are either using very unpopular software which is being caught conceptually by age/spread protection or you just have some other characteristic in your software which is causing us to catch it.

The solution to this would be, as I've said many times before, to digitally sign your software as virtually all legitimate software developers do today :-\

raven211
May 29th, 2009, 07:00 AM
{QUOTE-> We're still deciding exactly how we'll roll out the protection - we don't want existing users to be confused by new dialogs/functions so we may end up automatically enabling the new features only for new users installing fresh (of course you can just tick the configuration boxes to enable it, but we want to make everything as seamless as possible). <-QUOTE}

As well as secure ofc. :D I can see that the new FPs reported indeed seem to be some kind of security software. ;)

softtouch
May 29th, 2009, 07:33 AM
{QUOTE-> Ok, please, can you compile the files again and send me a log file when Prevx detects them? :) I've sent you my email address by PM :) <-QUOTE}

Sent email. Thanks.

softtouch
May 29th, 2009, 07:35 AM
{QUOTE-> What detection are you receiving with these files and what are your heuristic/age/popularity protection settings?

We don't just block every PECompact/UPX exe as this would be a huge volume of programs. I suspect you are either using very unpopular software which is being caught conceptually by age/spread protection or you just have some other characteristic in your software which is causing us to catch it.

The solution to this would be, as I've said many times before, to digitally sign your software as virtually all legitimate software developers do today :-\ <-QUOTE}

The settings are all on default, I never touched them...

The log shows this:
[29/5/2009 19:28] The file [D:\Own\d2007\ADS Scanengine\ads.exe] has been blocked because it contains a threat of type [Community.OuterEdge] - Identity: 5AA9ABA30058BB23AE5C063223C8740010F08754

They are plain Delphi 2007 programs, just compressed with UPX or PECompact2 to reduce their size.

And about the digital ID, it's far too expensive to get a digital ID. Consider that these are all freeware applications, I do not make any money with them...
And the requirements are just plain stupid to get a digital ID... I was already talking to comodo regarding this.

PrevxHelp
May 29th, 2009, 07:47 AM
{QUOTE-> The settings are all on default, I never touched them...

The log shows this:
[29/5/2009 19:28] The file [D:\Own\d2007\ADS Scanengine\ads.exe] has been blocked because it contains a threat of type [Community.OuterEdge] - Identity: 5AA9ABA30058BB23AE5C063223C8740010F08754

They are plain Delphi 2007 programs, just compressed with UPX or PECompact2 to reduce their size.

And about the digital ID, it's far too expensive to get a digital ID. Consider that these are all freeware applications, I do not make any money with them...
And the requirements are just plain stupid to get a digital ID... I was already talking to comodo regarding this. <-QUOTE}

The warning which we are showing is correct - the file should have a Community.OuterEdge detection in this case. Very very rarely would an average user actually encounter software only ever seen by themselves. The file which you have pasted above is flagged because it is packed/encrypted and absolutely brand new - you were the first user to ever see it (and the only user still). Therefore, because of the age/spread heuristics, the file is logically flagged before any further data is gathered from the file.

You can circumvent this warning by not packing your software or by sending us download links when you release a new version - this is a common practice by software developers when dealing with AVs (we have to do it with every new release or update).

softtouch
May 29th, 2009, 08:18 AM
{QUOTE-> The warning which we are showing is correct - the file should have a Community.OuterEdge detection in this case. Very very rarely would an average user actually encounter software only ever seen by themselves. The file which you have pasted above is flagged because it is packed/encrypted and absolutely brand new - you were the first user to ever see it (and the only user still). Therefore, because of the age/spread heuristics, the file is logically flagged before any further data is gathered from the file.

You can circumvent this warning by not packing your software or by sending us download links when you release a new version - this is a common practice by software developers when dealing with AVs (we have to do it with every new release or update). <-QUOTE}

Sure I am the first user who "see" it. I guess every programmer is the first user...

That it is packed does not mean it's malware. You cannot consider that a brand new packed program is malware, without analyzing / unpacking it, like other AV scanners do.

And sending download links... I update at least 2-3 times a day my programs... I would have to hire somebody just for keeping you updated about new releases...

Look at the VT report here: http://www.virustotal.com/analisis/d99fe3ce845b39bf9e9dc9fd97e4ec65d922cf2a387b9416565a02d324d530c7-1243599386

...

Dark Star 72
May 29th, 2009, 08:49 AM
Joe,
A question about the new Secure Browser/Sandbox feature.
If I am browsing with Firefox using the Secure Browser and I get a warning that I have malware etc. in the Sandbox - how is it cleaned up? Do I:
a) clean it up with Prevx as is done at the moment - or
b) just close the Secure Browser/Sandbox and it's gone, as it is with Sandboxie

hawki
May 29th, 2009, 10:18 AM
PrevxHelp

Outstanding Prevx Customer Service :-))


I had hesitated to buy a license for Prevx because of my concerns about activation issues after reinstalling my OS.

Well, turns out my concerns were totally unjustified.

I had to reinstall Windows this AM.

Sent a message to PrevxHelp requesting a new license.

My license was reactivated within an hour :-)

(I suspect that if my request had been made during normal business hours, the reactivation would have been done even sooner.)

Thanks


jmonge
May 29th, 2009, 10:48 AM
Will Prevx detect active hidden rootkits? Thanks

PrevxHelp
May 29th, 2009, 11:20 AM
{QUOTE->
That it is packed does not mean it's malware. You cannot consider that a brand new packed program is malware, without analyzing / unpacking it, like other AV scanners do. <-QUOTE}

We aren't saying it's malware, we're saying it is blocked by the Age/Spread detection, which is correct.

PrevxHelp
May 29th, 2009, 11:34 AM
{QUOTE-> Will Prevx detect active hidden rootkits? Thanks <-QUOTE}

Yes, that's one of our strong points :) You can read about one of our more recent conquests from: http://prevx.com/blog.asp

PrevxHelp
May 29th, 2009, 11:36 AM
{QUOTE->
My license was reactivated within an hour :-)

(I suspect that if my request had been made during normal business hours, the reactivation would have been done even sooner.) <-QUOTE}

I indeed would have gotten it sooner but I've been stuck in a hotel with poor internet service ;D You can always write into our customer service inbox if I'm not responding fast enough as well, or with a license key issue like you had, you can sign up for MyPrevx (http://my.prevx.com) and use that interface to deactivate your current computer, which should allow you to enter it in a new computer.

Let me know if you need anything else :)

jmonge
May 29th, 2009, 12:13 PM
{QUOTE-> Yes, that's one of our strong points :) You can read about one of our more recent conquests from: http://prevx.com/blog.asp <-QUOTE}
thanks:thumb: i am running malware defender with prevx in one of my pc's and it is fast

Pleonasm
May 29th, 2009, 12:19 PM
{QUOTE-> …we're adding offline support and more granular control over local protection. <-QUOTE}
PrevxHelp, as a consequence of this enhancement, Prevx will now be able to be compared to other “non-cloud” anti-virus vendors using methodologies such as those employed by AV Comparatives – correct?

Thank you.

PrevxHelp
May 29th, 2009, 12:25 PM
{QUOTE-> PrevxHelp, as a consequence of this enhancement, Prevx will now be able to be compared to other “non-cloud” anti-virus vendors using methodologies such as those employed by AV Comparatives – correct?

Thank you. <-QUOTE}

No, the offline support is only in as a backup in the event that the internet is unreachable (i.e. if an infection is blocking us from connecting). It does not have anywhere near the strength of the whole Prevx database and is just a list of simple signatures of known malicious programs.

MaxEntropy
May 29th, 2009, 12:29 PM
{QUOTE->

And in my situation, it is even more disturbing. Every time I compress my Delphi applications after compiling them, I cannot run them for the first time...

<-QUOTE}

Have you tried adding your Delphi app's folder to the excluded list in Prevx's Detection Overrides?

That works for me when running console-mode apps created with a C++ compiler.

PrevxHelp
May 29th, 2009, 12:33 PM
{QUOTE-> Joe,
A question about the new Secure Browser/Sandbox feature.
If I am browsing with Firefox using the Secure Browser and I get a warning that I have malware etc. in the Sandbox - how is it cleaned up? Do I:
a) clean it up with Prevx as is done at the moment - or
b) just close the Secure Browser/Sandbox and it's gone, as it is with Sandboxie <-QUOTE}

We've decided to centralize the sandboxing around cleanup rather than true sandboxing for usability reasons. This way the user won't be interrupted if they do want to keep the program and they will be able to remove it if wanted (so the answer is A ;D)

ypestis
May 29th, 2009, 01:13 PM
Is there any chance of a Prevx Forum here at Wilders?
When threads grow this long, it is near impossible
to see if one's question or comment has not already
been "done to death" twenty pages back.

thanks

phxcobra
May 29th, 2009, 01:29 PM
Ok, I have an issue that's bugging me. I'm signed up on MyPrevx and I get email updates if one of my systems is infected. Well, I keep getting a notice that one of my systems is infected. I look on the system and Prevx says clean and the status doesn't show any cleaned threats in the last 60 scans. I just did a deep scan and it came back clean, but then I get another email saying my system is infected. Ideas? I've tried looking at the log, but it's not entirely intuitive, as it looks like in a couple of places it detects malware, but it doesn't say it cleaned anything and in the main screen it doesn't list any detected threats. I've included the beginning of the log and the last line.


Some non-malicious files are not included in this log.
Heuristics Settings: Age: 2, Pop: 2, Heu: 4 (Dir: 1)
Last Scan: Fri 2009-05-29 10:10:44 US Mountain Standard Time. Number of Scans: 60. Last Scan Duration: 3 minutes 34 seconds.
[DN] (ACTIVE) c:\windows\system32\etdcoinst.dll [PX5: 8231E96B009B55F3069F03D7EEC2D700641EE0B9] Malware Group: Community.OuterEdge
[D] (ACTIVE) c:\windows\system32\btbigbmp.dll [PX5: CBAD643300FE9C7FE02F01413D1A7900694AD5A4] Malware Group: Community.OuterEdge

----------------------
Previously Detected Files:
[DN] (ACTIVE) c:\windows\softwaredistribution\download\593d5ddb620b1f1b4bef986c655fd062\sp2qfe\mswrd8.wpc [PX5: 7D4A2B01000D9F3144CD0444FAEE87007220EF06] Malware Group: Community.OuterEdge
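Log excerpts in this format are easier to reason about as structured records. The following is an added example, not Prevx's own code: it parses lines in the layout of the excerpt above (constructed sample lines with placeholder PX5 ids; the meaning of the [DN]/[D] codes is not stated in the thread) and separates the current section from the "Previously Detected Files" section, so it is clear which entries are both current and marked ACTIVE.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the quoted log excerpt. The PX5 ids are
# placeholders (the real ones on the page are 40-char hex strings), not real file ids.
SAMPLE_LOG = """Some non-malicious files are not included in this log.
Heuristics Settings: Age: 2, Pop: 2, Heu: 4 (Dir: 1)
Last Scan: Fri 2009-05-29 10:10:44 US Mountain Standard Time. Number of Scans: 60. Last Scan Duration: 3 minutes 34 seconds.
[DN] (ACTIVE) c:\\windows\\system32\\example1.dll [PX5: 0000000000000000000000000000000000000001] Malware Group: Community.OuterEdge
[D] (ACTIVE) c:\\windows\\system32\\example2.dll [PX5: 0000000000000000000000000000000000000002] Malware Group: Community.OuterEdge

----------------------
Previously Detected Files:
[DN] (ACTIVE) c:\\windows\\softwaredistribution\\download\\placeholder\\example3.wpc [PX5: 0000000000000000000000000000000000000003] Malware Group: Community.OuterEdge
"""

HEUR_RE = re.compile(r"^Heuristics Settings: Age: (\d+), Pop: (\d+), Heu: (\d+) \(Dir: (\d+)\)")
SCANS_RE = re.compile(r"Number of Scans: (\d+)\.")
ENTRY_RE = re.compile(
    r"^\[(?P<flags>[A-Z]+)\]\s+\((?P<state>[A-Z]+)\)\s+(?P<path>.+?)\s+"
    r"\[PX5:\s*(?P<px5>[0-9A-Fa-f]+)\]\s+Malware Group:\s*(?P<group>\S+)\s*$"
)


@dataclass
class Entry:
    section: str   # "current" (above the separator) or "previous" ("Previously Detected Files")
    flags: str     # bracketed code such as "DN" or "D"; its meaning is not documented in the thread
    state: str     # parenthesised state, e.g. "ACTIVE"
    path: str      # normalised to lower case for comparison
    px5: str       # Prevx file identity, normalised to upper case
    group: str     # e.g. "Community.OuterEdge"


@dataclass
class ScanLog:
    heuristics: Optional[Dict[str, int]]
    scan_count: Optional[int]
    entries: List[Entry]


def parse_log(text: str) -> ScanLog:
    """Parse a log excerpt in the format quoted above into a ScanLog."""
    heuristics = None
    scan_count = None
    entries: List[Entry] = []
    section = "current"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEUR_RE.match(line)
        if m:
            heuristics = dict(zip(("age", "pop", "heu", "dir"), map(int, m.groups())))
            continue
        m = SCANS_RE.search(line)
        if m:
            scan_count = int(m.group(1))
            continue
        if line.startswith("Previously Detected Files"):
            section = "previous"
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(section, m["flags"], m["state"],
                                 m["path"].lower(), m["px5"].upper(), m["group"]))
        # separator lines and other headers are ignored
    return ScanLog(heuristics, scan_count, entries)


def summarize(log: ScanLog) -> Dict[Tuple[str, str], int]:
    """Count entries per (section, malware group)."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in log.entries:
        key = (e.section, e.group)
        counts[key] = counts.get(key, 0) + 1
    return counts


def active_current(log: ScanLog) -> List[Entry]:
    """Entries in the current section whose state is ACTIVE: the ones worth
    comparing against the product UI when it reports the system as clean."""
    return [e for e in log.entries if e.section == "current" and e.state == "ACTIVE"]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("heuristics:", log.heuristics, "scans:", log.scan_count)
    for key, n in sorted(summarize(log).items()):
        print(key, n)
    for e in active_current(log):
        print(e.flags, e.path, e.group)
```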

PrevxHelp
May 29th, 2009, 01:32 PM
Hello phxcobra,
Those lines in the log don't necessarily mean it was detected as infected. Could you please PM me your license key so I can try to see what is causing the warning?

benton4
May 29th, 2009, 01:36 PM
{QUOTE-> Is there any chance of a Prevx Forum here at Wilders?
When threads grow this long, it is near impossible
to see if one's question or comment has not already
been "done to death" twenty pages back.

thanks <-QUOTE}
This is indeed a great point as well as a great idea!!

PrevxHelp
May 29th, 2009, 01:40 PM
{QUOTE-> This is indeed a great point as well as a great idea!! <-QUOTE}

What, you don't like scrolling through 170 pages of posts? ;D However, if anyone has any questions which they suspect have been hashed through already on the forum, feel free to PM me :)

G1111
May 29th, 2009, 02:25 PM
Joe - Hoping you keep the new version as lite and compatible as Prevx 3 is now. It works well with my other security, does not slow down my machine as very early versions of Prevx did (a few years ago). It is a simple, eloquent security product. Hoping it stays that way.

PrevxHelp
May 29th, 2009, 05:01 PM
{QUOTE-> Joe - Hoping you keep the new version as lite and compatible as Prevx 3 is now. It works well with my other security, does not slow down my machine as very early versions of Prevx did (a few years ago). It is a simple, eloquent security product. Hoping it stays that way. <-QUOTE}

Don't worry - if the new version was to hurt system performance or get larger than 1MB, I would be looking up at the guillotine being prepared to fall on my outstretched neck ;D

Mongol
May 29th, 2009, 06:01 PM
{QUOTE-> Is there any chance of a Prevx Forum here at Wilders?
When threads grow this long, it is near impossible
to see if one's question or comment has not already
been "done to death" twenty pages back.

thanks <-QUOTE}

I agree 100% with this idea. The longevity of this thread and obvious interest in Prevx here at Wilders makes this a great idea...:thumb: ;D

funkydude
May 29th, 2009, 06:19 PM
I think a Prevx support forum on Wilders is a good idea, and in my opinion, one the Prevx folks should consider.

PrevxHelp
May 29th, 2009, 06:27 PM
{QUOTE-> Yeah, that's a very good idea. This thread is even catching up to the "What is your security setup these days" haha. <-QUOTE}

Haha true ;D

"What is your security setup" was started Dec. 15, 2005 - 1261 days ago. This thread was started Nov. 13th, 2008 - 197 days ago. If measured from the start, the "What is your security setup" thread has an average of 3.85 posts per day (with 4855 posts as of now) and this thread has an average of 21.5 posts per day (with 4236 posts now).

Therefore, if the growth is completely constant from the start of each (which it obviously isn't but it would be too hard to snapshot the acceleration from a post-by-post basis ;D), we should catch up with the "What is your security setup" thread in 35.07 days ;D

Page42
May 29th, 2009, 06:46 PM
{QUOTE-> Is there any chance of a Prevx Forum here at Wilders?
When threads grow this long, it is near impossible
to see if one's question or comment has not already
been "done to death" twenty pages back. <-QUOTE}
I agree whole-heartedly that a Prevx Forum is much needed and would be awesome!
What has to be done in order for this to happen? :)

pegr
May 29th, 2009, 07:16 PM
Another vote here for a Prevx forum. :thumb:

rolarocka
May 29th, 2009, 07:36 PM
Lets break the record first :)

Nightwatch
May 29th, 2009, 07:47 PM
Hi :)
I've got two short suggestions.

1.) How about asking for a password before you're allowed to completely remove Prevx from your system (if the setting "password control" is enabled)? It would make sense to prevent unauthorised access.
2.) It's not possible to stop the realtime protection beyond the first reboot. It wasn't easy to install SP2 (Vista) without having troubles with FPs**. How about offering an option where you can completely disable rt-protection till you activate it again?

Apart from that I'm still very satisfied with this great software. There were some false positives after installing SP2 (Vista) with highest heuristics, but that's my own risk** :) .

Edit: Sure. Here's another vote for a Prevx forum 8) !!

Regards
Nightwatch

trjam
May 29th, 2009, 08:12 PM
I agree, another vote for Wilders Prevx forum.:thumb:

PrevxHelp
May 29th, 2009, 08:17 PM
{QUOTE->
1.) How about asking for a password before you're allowed to completely remove Prevx from your system (if the setting "password control" is enabled)? It would make sense to prevent unauthorised access. <-QUOTE}

We don't do this because of the customer service nightmare that ensues when the user can't uninstall because they've forgotten their password ;D It happens surprisingly often and there isn't a way to recover the password if forgotten so we have allowed the uninstall function past the password protection only if the user is an administrator. If the user is a limited user account and password protection is enabled, they will be unable to uninstall it.

{QUOTE->
How about offering an option where you can completely disable rt-protection till you activate it again? <-QUOTE}

We do have this option, albeit a bit non-visible. In the "Stop Protection" dialog where you have the options to suspend protection for 15 minutes, click the down-arrow and then scroll down to the bottom of the list and select the last entry named: "Remove Protection". This will completely remove realtime protection/monitoring and you can then reinstate it when wanted (it may need to perform a new learning scan, however).

{QUOTE->
Edit: Sure. Here's another vote for a Prevx forum 8) !! <-QUOTE}

Thanks all for the votes :)

Page42
May 29th, 2009, 08:21 PM
{QUOTE->
2.) It's not possible to stop the realtime protection beyond the first reboot. <-QUOTE}
Sure it is. :)

Tools\ Suspend Protection\ drop down menu to choose length of time to disable\Stop protection

Then simply select Enable Protection to start it back up.

Nightwatch
May 29th, 2009, 08:38 PM
{QUOTE-> It happens surprisingly often and there isn't a way to recover the password if forgotten so we have allowed the uninstall function past the password protection only if the user is an administrator. <-QUOTE}
Thanks :) . That's a comprehensible argument.

{QUOTE->
We do have this option, albeit a bit non-visible. <-QUOTE}
@PrevxHelp / Page42
Thanks for the screen and your description, but I still can't find it :( .

This is the last choice when scrolling down (-> Enable on reboot) :
http://www.abload.de/thumb/prevx49hy.jpg (http://www.abload.de/image.php?img=prevx49hy.jpg)

There's no option for continuing disabled protection after the first reboot. Or am I still missing it?

Regards,
Nightwatch

Page42
May 29th, 2009, 08:50 PM
{QUOTE-> There's no option for continuing disabled protection after the first reboot. Or am I still missing it? <-QUOTE}
I misunderstood your question. Now I understand. Good question. I wonder if "Remove Protection" does what you are looking for?

Edit In: I just noticed that PrevxHelp stated this above...
"scroll down to the bottom of the list and select the last entry named: "Remove Protection". This will completely remove realtime protection/monitoring and you can then reinstate it when wanted"

Nightwatch
May 29th, 2009, 08:56 PM
{QUOTE->
I wonder if "Remove Protection" does what you are looking for? <-QUOTE}
Hi :)
Jepp, that's what I'm looking for. But the last entry here is "Enable on reboot". I don't have this option "Remove Protection". I'm using Prevx 3.0 full version.

EDIT: Version 3.0.1.65


Regards,
Nightwatch

softtouch
May 29th, 2009, 09:46 PM
{QUOTE-> Have you tried adding your Delphi app's folder to the excluded list in Prevx's Detection Overrides?

That works for me when running console-mode apps created with a C++ compiler. <-QUOTE}

Sure I could, but what if the exe will get infected the moment I create it? I would not know about it and my clients will kill me when I send them an infected exe... why having an AV when I have to exclude so many folder (I am not talking about 1 folder, I have about 400+ application which I maintain).

Prevx should analyze the import table to figure out what API calls the program is doing. It would quickly figure out that no critical APIs are used, no hooking and no nt... functions.

Sorry, but I don't get why the programs are getting flagged just because they are compressed and seen only once by Prevx, even though there is no malware behavior, no critical APIs used, no hooks, no nt... API functions.

It's like somebody knocks on my door, new in town, first seen by me, and I just shoot him and get his identity after that... :)

softtouch
May 29th, 2009, 09:50 PM
{QUOTE-> We aren't saying it's malware, we're saying it is blocked by the Age/Spread detection, which is correct. <-QUOTE}

I don't think so, because when I do not compress it, it's still seen only once, and new, and it's not detected...
I believe whatever is packed (good or bad), and is new, is blocked. This is NOT right in my opinion.
And PX is the ONLY scanner which blocks it. Maybe the others do a little analyzing in the background and decide after that whether it's bad or not...?

overangry
May 29th, 2009, 10:46 PM
{QUOTE-> Please add a proper detection for UPX or PECompact compressed exe files.
EVERY time I run a UPX or PECompact compressed file (I thought it's just my file, but ANY), it triggers an alarm and prevents me from running it, but ONLY once. When I start it again, it works.

This happens with ANY downloaded file which is UPX or PECompact compressed... and most shareware authors compact their exe today...

And in my situation, it is even more disturbing. Every time I compress my Delphi applications after compiling them, I cannot run them for the first time...

It looks to me like Prevx first just blocks it, and AFTER that analyses the file, which should be the other way around...

You can check 2 of my applications:
Alternate Data Streams Scan Engine - http://www.delphifreeware.com/downloads/ads.exe
Hidden File Scanner - http://www.delphifreeware.com/downloads/hfs.exe

It does not help to fix it for these 2 programs, because when I compile them again in a while, they will be detected again. <-QUOTE}

Sorry, but here you will find more grief...

http://www.threatexpert.com/files/hfs.exe.html

softtouch
May 29th, 2009, 11:19 PM
{QUOTE-> Sorry, but here you will find more grief...

http://www.threatexpert.com/files/hfs.exe.html <-QUOTE}

That's not my file at all... if a malware is using the name hfs.exe that will sure not mean that I will rename my products...

overangry
May 29th, 2009, 11:47 PM
{QUOTE-> That's not my file at all... if a malware is using the name hfs.exe that will sure not mean that I will rename my products... <-QUOTE}

I realise that ;D

But I did a Google search of that exe found by Prevx and that is what I found.
What I'm trying to say is that another user downloading your product, having it scanned with Prevx, may come up with the same result, believing that your product is malware.
The problem is not all users would be aware of this thread ;)

Like I said more grief..

raven211
May 30th, 2009, 06:03 AM
... and you got another vote for a dedicated Prevx forum at Wilders here. ;) ;D

PrevxHelp
May 30th, 2009, 06:26 AM
{QUOTE-> Hi :)
Yep, that's what I'm looking for. But the last entry here is "Enable on reboot". I don't have this option "remove protection". I'm using Prevx 3.0 full version.

EDIT: Version 3.0.1.65


Regards,
Nightwatch <-QUOTE}

I had forgotten we added a check in here ;D If you are using maximum self protection, you can't remove the protection completely (so malware trying to click through the screens can't automatically remove the protection). Can you try setting self protection to medium and then clicking the list? :)

PrevxHelp
May 30th, 2009, 06:29 AM
{QUOTE->
Sorry, but I don't get why the programs are getting flagged just because they are compressed and seen only once by Prevx, even though there is no malware behavior, no critical APIs used, no hooks, no nt... API functions. <-QUOTE}

You aren't understanding the concept of Age/Spread detection. This check occurs before any other checks - if the program is less than x hours old and has been used by less than x users and we have even a hair of a suspicion about it (i.e. if it is packed), we will show an "Age/Spread Criteria Violation Detected" warning which is correct to show.

We were unable to have this protection in the past because our userbase wasn't large enough but now this is a very strong first line of defense on your system. Imagine a server-side polymorphic threat like Conficker or the Storm worm, changing itself so that it is different on every PC. AV companies have to manually create complex signatures to detect these files, however, we just invert the problem and say that users use software that other users use. The only time that this generates false positives in the real world is on security software, alpha/beta software, or software developers and for the "sake of the community" we aren't going to dilute the protection just because a small subclass of people run into FPs. Those people should know that if the program they are running is a test version, seen by a very small number of people, it has a high chance of being caught by something. With your freeware, once it is seen by "enough" people (this number is dynamic), it will be trusted past the Age/Spread detection automatically.

Nightwatch
May 30th, 2009, 06:54 AM
{QUOTE-> I had forgotten we added a check in here ;D If you are using maximum self protection, you can't remove the protection completely [...] <-QUOTE}
Hi!
No problem :) . Thanks! Setting self protection to "medium" works.

Regards,
Nightwatch

Biscuit
May 30th, 2009, 07:28 AM
{QUOTE-> ... and you got another vote for a dedicated Prevx forum at Wilders here. ;) ;D <-QUOTE}

Are we voting? 8)

softtouch
May 30th, 2009, 08:21 AM
{QUOTE-> You aren't understanding the concept of Age/Spread detection. This check occurs before any other checks - if the program is less than x hours old and has been used by less than x users and we have even a hair of a suspicion about it (i.e. if it is packed), we will show an "Age/Spread Criteria Violation Detected" warning which is correct to show.

We were unable to have this protection in the past because our userbase wasn't large enough but now this is a very strong first line of defense on your system. Imagine a server-side polymorphic threat like Conficker or the Storm worm, changing itself so that it is different on every PC. AV companies have to manually create complex signatures to detect these files, however, we just invert the problem and say that users use software that other users use. The only time that this generates false positives in the real world is on security software, alpha/beta software, or software developers and for the "sake of the community" we aren't going to dilute the protection just because a small subclass of people run into FPs. Those people should know that if the program they are running is a test version, seen by a very small number of people, it has a high chance of being caught by something. With your freeware, once it is seen by "enough" people (this number is dynamic), it will be trusted past the Age/Spread detection automatically. <-QUOTE}

I understand your point of view, but understand also mine.
Anyway, based on your suggestion I have ordered a code signing certificate, which is already validated, and I just have to wait for their call on their next business day (whenever that is). Once I have everything signed, how will PX behave when it again detects the packed but signed programs?

DavidCo
May 30th, 2009, 08:26 AM
How does PrevX Edge handle the 'Code Red' type of malware?
The ones that execute in memory rather than writing to disc (cache) first.

PrevxHelp
May 30th, 2009, 08:52 AM
{QUOTE-> I understand your point of view, but understand also mine.
Anyway, based on your suggestion I have ordered a code signing certificate, which is already validated, and I just have to wait for their call on their next business day (whenever that is). Once I have everything signed, how will PX behave when it again detects the packed but signed programs? <-QUOTE}

We can trust your software by the signature - just send me a signed program once you have it and our researchers will add an exception for the Age/Spread detection for your signature :)
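
The Age/Spread pre-check PrevxHelp describes earlier in this page (young file, few users, one suspicion marker such as packing, evaluated before any other check) and the per-signer exception mentioned in the last post can be modelled as below. This is an added illustration, not Prevx's code: the thresholds, field names, signer string and telemetry values are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

# Constructed model of an age/spread pre-check; nothing here is Prevx's real logic.
@dataclass
class FileObservation:
    sha256: str               # hash of the executable (placeholder values below)
    first_seen: datetime      # when community telemetry first saw this hash
    user_count: int           # distinct users who have run it so far
    packed: bool              # static pre-scan found a runtime packer (UPX/PECompact)
    signer: Optional[str]     # Authenticode subject if validly signed, else None

@dataclass
class Policy:
    max_age: timedelta = timedelta(hours=24)       # "less than x hours old" (assumed x)
    min_users: int = 50                            # "used by less than x users" (assumed x)
    trusted_signers: FrozenSet[str] = frozenset()  # researcher-added signer exceptions

BLOCKED = "Age/Spread Criteria Violation Detected"
ALLOWED = "allow"

def age_spread_verdict(obs: FileObservation, policy: Policy, now: datetime) -> str:
    """Runs before any signature or behaviour check: a young, rarely seen file
    with even one suspicion marker is blocked; everything else passes through."""
    if obs.signer is not None and obs.signer in policy.trusted_signers:
        return ALLOWED                      # vendor exception on file for this signer
    is_young = (now - obs.first_seen) < policy.max_age
    is_rare = obs.user_count < policy.min_users
    if is_young and is_rare and obs.packed:
        return BLOCKED
    return ALLOWED

NOW = datetime(2009, 5, 30, 9, 0, tzinfo=timezone.utc)
POLICY = Policy(trusted_signers=frozenset({"CN=Example Delphi Freeware"}))  # constructed
SAMPLES = {  # constructed telemetry; hashes are placeholders
    "fresh_packed":   FileObservation("sha256:aaaa", NOW - timedelta(hours=1), 1, True, None),
    "fresh_plain":    FileObservation("sha256:bbbb", NOW - timedelta(hours=1), 1, False, None),
    "old_packed":     FileObservation("sha256:cccc", NOW - timedelta(days=10), 3, True, None),
    "popular_packed": FileObservation("sha256:dddd", NOW - timedelta(hours=2), 5000, True, None),
    "fresh_signed":   FileObservation("sha256:eeee", NOW - timedelta(hours=1), 1, True,
                                      "CN=Example Delphi Freeware"),
}

def evaluate_all(samples=SAMPLES, policy=POLICY, now=NOW):
    """Map each sample name to its verdict under the given policy."""
    return {name: age_spread_verdict(obs, policy, now) for name, obs in samples.items()}

if __name__ == "__main__":
    print(evaluate_all())
```

Note that a freshly built, packed, signed file is still blocked under a policy whose trusted_signers set is empty: signing alone does not bypass the check until the signer exception is on file, which is why the thread ends with a request to send a signed sample.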