Introducing, The New Prevx Edge.
PrevxHelp
November 15th, 2008, 08:00 PM
{QUOTE-> Is 0 bytes the same as "null" bytes? Cause that's a technique that Neil at PCMag is using to create a "modified" sample of malware to see if it passes security software without any fuzz when testing them. <-QUOTE}
No, that is different. These files actually have no content whatsoever (i.e. - open notepad, don't type anything, and click Save As ;D)
PrevxHelp
November 15th, 2008, 08:00 PM
{QUOTE-> sure, do it. :thumb:
just hope its not wasting your time with junk, maybe prevx got 100% :) <-QUOTE}
Not a waste of time at all :) We definitely did miss some of these, just looking as to why and improving our rules to find them in the future :)
C.S.J
November 15th, 2008, 08:03 PM
Sure, I'd love to know.
But you don't need to convince me with your product :)
For those that know, my setup used to be DrWeb + Prevx, but Vista arrived and beta was all there was, but Edge arrives, and I can 'finally' continue to use my subscriptions :)
Anyway, when you're done with this, I wouldn't mind a private word with you, for some support :D
...so let me know :)
{QUOTE-> Not a waste of time at all :) We definitely did miss some of these, just looking as to why and improving our rules to find them in the future :) <-QUOTE}
good, so it can improve the product further hopefully :)
I've not had my laptop back long, as it's been away for repair, and I've already got back into sending samples away. *tut tut*
also, been a seriously bad week for me.
1. crap week at work (more than usual)
2. victim of credit card fraud
3. dog ripped up my trainers, had to buy a new pair
4. lost my bank card TODAY, had to cancel it before anyone used it.
5. .... 5 days for a new card to arrive. *sigh*
next week had better be a better one. :)
interact
November 15th, 2008, 08:04 PM
After seeing all the comments I've just tested PrevX Edge using the virus samples from my AntiVirus showdown videos.
In the test 8 out of 10 threats were detected when running each virus, which was a good result. I noticed that some of the warning pop-ups displayed the virus name, which I assume is coming from PrevX's online database. Normally I try and test all security products without internet or malware database. This tests the real core of a security product because it demonstrates how good the zero-day (new virus) protection a program can offer is.
I disabled network connections as this scenario could easily be replicated by:
a, Loss of network connection e.g. wireless.
b, A virus blocking network connection.
I then re-ran my samples and not one threat was detected. I have performed this same test with other popular products e.g. Threatfire, Drivesentry, Rising and Twister which still protect the system. I even put up PrevX Edge Heuristics settings to maximum with the same results!
After doing some research the driver is from CSI and hooks a number of kernel APIs and also calls into the filter manager. I assume this is a client version of CSI which is a basic scanner hence why it's 800kb. I can see no evidence of any heuristic / behavioral engine (e.g. Threatfire ) or any pro-active protection. In summary it offers no security if you're not online or malware has blocked network access and you would be crazy to run it standalone.
I will upload the latest video for PrevX Edge to my YouTube channel in the next few days.
~interact
PrevxHelp
November 15th, 2008, 08:08 PM
{QUOTE-> After seeing all the comments I've just tested PrevX Edge using the virus samples from my AntiVirus showdown videos.
In the test 8 out of 10 threats were detected when running each virus, which was a good result. I noticed that some of the warning pop-ups displayed the virus name, which I assume is coming from PrevX's online database. Normally I try and test all security products without internet or malware database. This tests the real core of a security product because it demonstrates how good the zero-day (new virus) protection a program can offer is.
I disabled network connections as this scenario could easily be replicated by:
a, Loss of network connection e.g. wireless.
b, A virus blocking network connection.
I then re-ran my samples and not one threat was detected. I have performed this same test with other popular products e.g. Threatfire, Drivesentry, Rising and Twister which still protect the system. I even put up PrevX Edge Heuristics settings to maximum with the same results!
After doing some research the driver is from CSI and hooks a number of kernel APIs and also calls into the filter manager. I assume this is a client version of CSI which is a basic scanner hence why it's 800kb. I can see no evidence of any heuristic / behavioral engine (e.g. Threatfire ) or any pro-active protection. In summary it offers no security if you're not online or malware has blocked network access and you would be crazy to run it standalone.
I will upload the latest video for PrevX Edge to my YouTube channel in the next few days.
~interact <-QUOTE}
Hello,
Your test is fundamentally incorrect with how infections can enter. First, you would have to be connected to the internet to contract the infection in the first place, so, before the infection would run, Edge would scan it (using the internet connection you just had open to download the infection).
Therefore, if the internet is actually active for the infection to come through, Edge would be able to scan. All of our scanning takes place within our community database, which is hosted completely online, so, it does require an internet connection.
Also, you don't need to hook SSDT entries to monitor behaviors or protect the system :) We use the minifilter framework which is the Microsoft-specified approved way to hook into system behavior.
Please let me know if you need any clarification.
raven211
November 15th, 2008, 08:09 PM
{QUOTE-> No, that is different. These files actually have no content whatsoever (i.e. - open notepad, don't type anything, and click Save As ;D) <-QUOTE}
I obviously suppose you still changed the extension to *.bat or something and checked through "edit" on those files, regardless of what it was originally?
Tarnak
November 15th, 2008, 08:11 PM
Out of curiosity I entered an unused key that I won from Castlecops 5th Birthday prize giveaway in 2007, and guess what!....I now have a Prevx Edge key,.....How cool!
However, what does this mean ?......"Register for your My Prevx Web Console Now"
PrevxHelp
November 15th, 2008, 08:12 PM
{QUOTE-> I obviously suppose you still changed the extension to *.bat or something and checked through "edit" on those files, regardless of what it was originally? <-QUOTE}
We have internal tools to analyze the files :) I was giving an example of what kind of 0 byte file I saw in the archive of samples.
EraserHW
November 15th, 2008, 08:14 PM
{QUOTE-> Is 0 bytes the same as "null" bytes? Cause that's a technique that Neil at PCMag is using to create a "modified" sample of malware to see if it passes security software without any fuzz when testing them. <-QUOTE}
As already said by PrevxHelp, that's different.
I don't know exactly the technique used by Neil, but I think he's just adding/changing some unused bytes of the malware to null bytes. By doing so, he checks if the signatures used by some antimalware solutions are just based on a full-body checksum (like MD5). If so, the antimalware software would no longer find the malware, because it's a "new variant" (different checksum).
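The two points made above (that a 0-byte file is simply empty, and that flipping unused bytes to nulls defeats a signature based on a whole-file checksum) can be shown side by side. The following is an added example and not code from the thread or from Prevx; the "sample" is a constructed byte string standing in for an executable, and the pattern signature is an illustrative YARA-style byte match, not any vendor's real signature format. It contrasts a full-body MD5 signature, which stops matching as soon as one padding byte changes, with a pattern signature taken from the functional part of the file, which survives the change.

```python
import hashlib
import re

# Constructed stand-in for a malware sample: a fake executable header, a run of
# NOP-style padding, a marker standing in for the functional code, and trailing
# zero bytes. Synthetic data only; not a real file.
ORIGINAL_SAMPLE = b"MZ" + b"\x90" * 6 + b"EVIL_PAYLOAD_MARKER" + b"\x00" * 16

# Pattern-based signature (assumed, illustrative): a byte sequence taken from the
# functional part of the file rather than a hash over every byte of it.
PATTERN_SIGNATURE = re.compile(rb"EVIL_PAYLOAD_MARKER")


def md5_hex(data: bytes) -> str:
    """Full-body checksum of the file, the kind of signature the post describes."""
    return hashlib.md5(data).hexdigest()


def whole_file_signature_matches(data: bytes, known_md5: str) -> bool:
    """A checksum signature matches only a byte-for-byte identical copy."""
    return md5_hex(data) == known_md5


def pattern_signature_matches(data: bytes) -> bool:
    """A pattern signature matches any file that still carries the functional bytes."""
    return PATTERN_SIGNATURE.search(data) is not None


def nullify_unused_bytes(data: bytes, start: int, length: int) -> bytes:
    """Overwrite a region the sample does not execute (here the 0x90 padding) with nulls.
    This models the 'modified sample' technique discussed in the thread."""
    return data[:start] + b"\x00" * length + data[start + length:]


def run_comparison() -> dict:
    """Detect the original and the null-padded variant with both signature types."""
    known_md5 = md5_hex(ORIGINAL_SAMPLE)
    variant = nullify_unused_bytes(ORIGINAL_SAMPLE, start=2, length=6)
    return {
        "original_md5_detect": whole_file_signature_matches(ORIGINAL_SAMPLE, known_md5),
        "variant_md5_detect": whole_file_signature_matches(variant, known_md5),
        "original_pattern_detect": pattern_signature_matches(ORIGINAL_SAMPLE),
        "variant_pattern_detect": pattern_signature_matches(variant),
        # A 0-byte file has no content at all, so every empty file shares this MD5.
        "empty_file_md5": md5_hex(b""),
    }


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key}: {value}")
```

The checksum signature is the weaker one: the variant differs in six padding bytes the sample never uses, yet the MD5 match is lost, while the pattern signature still fires. A scanner that relies only on full-file hashes therefore measures exact-copy prevalence rather than detection of the malicious code itself.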
trjam
November 15th, 2008, 08:15 PM
PH, there is a little bug involving tray icons. When rebooting from one snapshot to another, it killed my FD-ISR tray icon. And we can't have that.;)
PrevxHelp
November 15th, 2008, 08:17 PM
{QUOTE-> PH, there is a little bug involving tray icons. When rebooting from one snapshot to another, it killed my FD-ISR tray icon. And we can't have that.;) <-QUOTE}
That's odd... it actually killed the FD-ISR tray icon without killing the program? ???
I'll take a look at it ;D
PrevxHelp
November 15th, 2008, 08:18 PM
{QUOTE-> Out of curiosity I entered an unused key that I won from Castlecops 5th Birthday prize giveaway in 2007, and guess what!....I now have a Prevx Edge key,.....How cool!
However, what does this mean ?......"Register for your My Prevx Web Console Now" <-QUOTE}
The My Prevx Web Console is a way to centrally manage and view all of your computers registered to any of our products.
There are still a few more things to be completed in it, but it is an easy way to overview a number of computers at once :)
Tarnak
November 15th, 2008, 08:24 PM
{QUOTE-> The My Prevx Web Console is a way to centrally manage and view all of your computers registered to any of our products.
There are still a few more things to be completed in it, but it is an easy way to overview a number of computers at once :) <-QUOTE}
Well, that then does not apply to me, since I only have one computer.....poor me! ;D
P.S. Can you provide me with the link to download the program, thanks!.....save me going looking for it.:)
PrevxHelp
November 15th, 2008, 08:25 PM
{QUOTE-> Well, that then does not apply to me, since I only have one computer.....poor me! ;D
P.S. Can you provide me with the link to download the program, thanks!.....save me going looking for it.:) <-QUOTE}
Here you go: http://info.prevx.com/downloadedge.asp :)
Tarnak
November 15th, 2008, 08:27 PM
{QUOTE-> Here you go: http://info.prevx.com/downloadedge.asp :) <-QUOTE}
Ta!:thumb:
EraserHW
November 15th, 2008, 08:53 PM
{QUOTE-> Normally I try and test all security products without internet or malware database. This tests the real core of a security product because it demonstrates how good zero-day (new virus) protection a program can offer.
<-QUOTE}
That could be a wrong idea. Most security companies and antivirus developers are moving to community database technologies (F-Secure DeepGuard 2.0, Norton Community Watch, Panda's Collective Intelligence, McAfee Artemis and so on) in what is called "in-the-cloud" technology.
There's a reason why they are moving to these new technologies: because this "new" technology can really improve your detection rate and it can help you in catching zero-day threats and new malware.
By cutting off the internet connection, you're cutting off a large number of detections, because almost all security suites are now starting to use these community technologies.
Threedog
November 15th, 2008, 09:01 PM
Hmmmmm they are "Starting" to use these new technologies. Correct me if I am wrong, but isn't there a program called Prevx that has been using this technology for several years now. ;D
EraserHW
November 15th, 2008, 09:07 PM
{QUOTE-> Hmmmmm they are "Starting" to use these new technologies. Correct me if I am wrong, but isn't there a program called Prevx that has been using this technology for several years now. ;D <-QUOTE}
It looks so ;D :)
PrevxHelp
November 15th, 2008, 09:07 PM
{QUOTE-> Hmmmmm they are "Starting" to use these new technologies. Correct me if I am wrong, but isn't there a program called Prevx that has been using this technology for several years now. ;D <-QUOTE}
Never heard of it.
EDIT: Ohhh right! Yes :) We have :) Ironically, I think other AVs finally realizing that the community approach is completely necessary for protecting users will end up helping us more. We were a bit "ahead of our time" when we first came out with it and received a lot of backlash with users thinking our approach was impossible... In a couple years, everyone will have to download 20gb of definition updates if they stay with the same model :) This way we host it all online ;)
Victek123
November 15th, 2008, 09:09 PM
{QUOTE-> That could be a wrong idea. Most security companies and antivirus developers are moving to community database technologies (F-Secure DeepGuard 2.0, Norton Community Watch, Panda's Collective Intelligence, McAfee Artemis and so on) in what is called "in-the-cloud" technology.
There's a reason why they are moving to these new technologies: because this "new" technology can really improve your detection rate and it can help you in catching zero-day threats and new malware.
By cutting off the internet connection, you're cutting off a large number of detections, because almost all security suites are now starting to use these community technologies. <-QUOTE}
The point of cutting the internet connection was to simulate a real-world situation, i.e. where you get infected and the infection either kills the connection or you have to use "SAFE mode without networking" to gain control of the system. The use of an online database is part of a prevention strategy, not a disinfection strategy.
EraserHW
November 15th, 2008, 09:11 PM
{QUOTE-> The point of cutting the internet connection was to simulate a real-world situation, i.e. where you get infected and the infection either kills the connection or you have to use "SAFE mode without networking" to gain control of the system. The use of an online database is part of a prevention strategy, not a disinfection strategy. <-QUOTE}
Then you can't talk about testing detection capabilities of an antivirus software :) You're talking about disinfection capabilities. If so, you can't either talk about testing detection of 0day threats :)
trjam
November 15th, 2008, 09:14 PM
Your situation would be correct as long as your AV had that piece of malware in its sig base and was updated, or you would be hosed that way too, because you have no way of updating it to clean the infection.
PrevxHelp
November 15th, 2008, 09:20 PM
{QUOTE-> The point of cutting the internet connection was to simulate a real-world situation, i.e. where you get infected and the infection either kills the connection or you have to use "SAFE mode without networking" to gain control of the system. The use of an online database is part of a prevention strategy, not a disinfection strategy. <-QUOTE}
In what way can an infection "kill" the connection?
When running Edge or CSI, it immediately checks the HOSTS file, LSP chain, and a number of other areas to identify if it can correctly reach the internet, and it will prompt the user with a guide on how to repair it automatically if it can't.
I don't see why the user would be unable to use safe mode with networking. It loads the same limited environment with just a couple of extra drivers for the network support.
IMO, online databases for malware protection (like Prevx for instance ;D) are really the only feasible way of blocking new threats. Sure, you can block behaviors, but with that, you aren't blocking a threat - you are just blocking the side effect. You can also block things using definitions, however, that is ineffective for mutating infections. An online, community-facing database will give the AV company the means of monitoring threats on a global scale and applying definitions en masse without the need for the delay of an update.
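The post above mentions checking the HOSTS file as one of the places a client looks to work out whether it can reach its online database. The following is an added example written for this thread, not Prevx's code: it parses a constructed HOSTS file and flags entries that redirect or blackhole domains the client depends on. The domain names and addresses are invented for illustration, and the simple severity scheme is an assumption of the example, not a description of how any product classifies such entries.

```python
import ipaddress

# Constructed HOSTS file content (not copied from any real system). The two
# entries pointing vendor domains at 203.0.113.45 model the kind of tampering
# a connectivity check should surface.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       my-local-dev.test
0.0.0.0         ads.example-tracker.test
198.51.100.7    intranet.example.test
203.0.113.45    update.example-av.test   # constructed: redirected to a remote host
203.0.113.45    www.example-av.test
"""

# Domains the client must resolve correctly to reach its database (assumed names).
CRITICAL_DOMAINS = {"update.example-av.test", "www.example-av.test"}


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, skipping comments and blank lines.
    One HOSTS line may list several hostnames for one address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def classify_entry(ip: str, name: str):
    """Return (severity, message) for a mapping, or None when it is benign.
    Raises ValueError if the address field is not a valid IP literal."""
    addr = ipaddress.ip_address(ip)
    if name == "localhost" and addr.is_loopback:
        return None  # the standard loopback entries
    if addr.is_loopback or addr.is_unspecified:
        if name in CRITICAL_DOMAINS:
            # A critical domain sent to 127.0.0.1 or 0.0.0.0 is silently unreachable.
            return ("HIGH", f"{name} blackholed to {ip}")
        return None  # sinkholing ad or tracker domains locally is common and benign
    if name in CRITICAL_DOMAINS:
        # A critical domain sent to a remote address is redirected, not just blocked.
        return ("HIGH", f"{name} redirected to {ip}")
    return ("INFO", f"{name} statically mapped to {ip}")


def audit_hosts(text: str) -> list:
    """Run classify_entry over every mapping and collect the findings."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            finding = classify_entry(ip, name)
        except ValueError:
            finding = ("HIGH", f"unparseable address {ip!r} for {name}")
        if finding is not None:
            findings.append(finding)
    return findings


def can_reach_database(text: str) -> bool:
    """True only when no critical domain is redirected or blackholed."""
    return not any(sev == "HIGH" for sev, _ in audit_hosts(text))


if __name__ == "__main__":
    for severity, message in audit_hosts(SAMPLE_HOSTS):
        print(f"[{severity}] {message}")
    print("database reachable via HOSTS:", can_reach_database(SAMPLE_HOSTS))
```

The check deliberately treats loopback and 0.0.0.0 sinkholes of non-critical names as benign, since ad-blocking HOSTS lists produce thousands of them; only entries that change where the client's own domains resolve are raised as high severity, which is what a repair guide like the one described above would need to act on.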
PrevxHelp
November 15th, 2008, 09:25 PM
{QUOTE-> your situation would be correct as long as your AV had that piece of malware in its sig base and was updated, or you would be hosed that way to.Because you have no way of updating it to clean the infection. <-QUOTE}
Exactly :) We can update signatures in one second and have them apply to every computer using Edge. A normal AV has to write, upload, build, and send the definition, then every user has to download it (requiring an internet connection) and rescan their system.
With the necessary increased frequency of definitions and the growing popularity of broadband internet connections, it will shortly become impossible for an AV to function WITHOUT having the definitions hosted centrally.
Saraceno
November 15th, 2008, 09:28 PM
But if your internet connection was disconnected, in that rare instance, a user could always have the infection removed once he/she is online again.
For example, many users are content (no complaints) to use several leading 'on-demand scans' to remove an infection after it has already bypassed the resident AV and been on the system.
PrevxHelp
November 15th, 2008, 09:32 PM
{QUOTE-> But if your internet connection was disconnected, in that rare instance, a user could always have the infection removed once he/she is online again. <-QUOTE}
Yes, and, Edge will automatically recheck and clean any files which were missed as soon as the internet does reappear. If, for some reason, it can't connect to the internet to scan a file, it tracks the file so that it can clean up all traces of malware associated with it, should it happen to come back as bad.
And, if the internet is down, the file can't do anything malicious like steal identity, so, there is little to worry about :)
Tarnak
November 15th, 2008, 09:36 PM
Something seems to have gone haywire during the install of Prevx Edge. My computer froze during the install process, I tried to kill the prevx.exe. Still my system was frozen, then I killed windows explorer.exe and that regained use of the system.
However, I have two instances of prevx.exe showing, see screenshot. Not sure whether the program is installed or running properly. There was no indication by an install wizard to show that the install was successful....It did not ask for a reboot?
PrevxHelp
November 15th, 2008, 09:43 PM
{QUOTE-> Something seems to have gone haywire during the install of Prevx Edge. My computer froze during the install process, I tried to kill the prevx.exe. Still my system was frozen, then I killed windows explorer.exe and that regained use of the system.
However, I have two instances of prevx.exe showing, see screenshot. Not sure whether the program is installed or running properly. There was no indication by an install wizard to show that the install was successful....It did not ask for a reboot? <-QUOTE}
After installing, it should automatically start a system scan in a window in the bottom right corner. Two Prevx.exe instances are correct - it "should" start the scan, but could you try opening it from the shortcut in the Start > Programs > Prevx Edge folder?
Do you happen to have any security software installed which monitors behavior or could block drivers from loading? That could explain some of the odd behavior solved by killing Explorer, but, I'm not quite sure.
Let me know what you find with the shortcut :)
Tarnak
November 15th, 2008, 09:46 PM
Incidentally, I got this when querying the WinPatrol database, after it threw up a warning during the install process > see screenshot.
Saraceno
November 15th, 2008, 09:47 PM
Tarnak, I think it could be any number of your other applications which prevented or interfered with the install. That's a lot of layers!
You seem to have:
Rising AV
System Safety Monitor (another user reported this could be a problem?)
DefenseWall
Mamutu
SuperAntiSpyware
WinPatrol (as you just listed, this might have blocked installation)
and others...
PrevxHelp
November 15th, 2008, 09:48 PM
{QUOTE-> Incidentally, I got this when querying the WinPatrol database, after it threw up a warning during the install process > see screenshot. <-QUOTE}
Ah ouch. This is definitely a false positive. I'll get in contact with WinPatrol and Sophos to see if we can get them to fix this. I'd bet that they're blocking it after it starts installing, and that could explain some of the strange behavior some of the users have been seeing.
Thank you for your report!
interact
November 15th, 2008, 09:48 PM
{QUOTE-> Hello,
Your test is fundamentally incorrect with how infections can enter. First, you would have to be connected to the internet to contract the infection in the first place, so, before the infection would run, Edge would scan it (using the internet connection you just had open to download the infection).
Therefore, if the internet is actually active for the infection to come through, Edge would be able to scan. All of our scanning takes place within our community database, which is hosted completely online, so, it does require an internet connection.
Also, you don't need to hook SSDT entries to monitor behaviors or protect the system :) We use the minifilter framework which is the Microsoft-specified approved way to hook into system behavior.
Please let me know if you need any clarification. <-QUOTE}
1, If you believe that threats can only cause damage while online then there is a serious hole in PrevX technology. PrevX Edge will not protect against malware spread across a closed internal network or via removable drives. If other security products can pass my "fundamentally incorrect" (as you say) test then why cannot PrevX Edge?? I have tested saving viruses with PrevX connected to the net and it didn't detect the file I/O. This would then leave the user vulnerable if they executed the program later without a network connection. For a user on the move using wireless internet this is a serious hole which other security tools protect against.
2, In regard to the driver, I looked more closely at pxark.sys and discovered that it can be changed very easily, which then prevents the GUI detecting any threats regardless of a network connection. The driver does hook a number of SDT entries which once unhooked leave PrevX Edge as blind as a bat. After unhooking the SDT entries it's also simple to kill the GUI using terminate process even when self protection is enabled.
PrevX Edge appears to be a process monitor as seen in PrevX V2 with a bit of on-demand (not real-time) scanner from CSI. I have found no evidence of any advanced behavior monitor technology or anti-rootkit protection within PrevX Edge.
~interact
Threedog
November 15th, 2008, 09:56 PM
Tarnak...did you accidentally install it as "Untrusted" with DefenseWall? I accidentally did this during testing and things wouldn't run.
Tarnak
November 15th, 2008, 09:56 PM
{QUOTE-> After installing, it should automatically start a system scan in a window in the bottom right corner. Two Prevx.exe instances are correct - it "should" start the scan, but could you try opening it from the shortcut in the Start > Programs > Prevx Edge folder? <-QUOTE}
I did go there, and tried opening the shortcut.....that is the reason (so I thought) that I ended up with 2 copies of Prevx.exe running.
{QUOTE-> Do you happen to have any security software installed which monitors behavior or could block drivers from loading? That could explain some of the odd behavior solved by killing Explorer, but, I'm not quite sure.
Let me know what you find with the shortcut :) <-QUOTE}
I have Mamutu and Anvir Task Manager which both threw up warnings, but I gave them permission. I have screenshots of these if you wish to see them.
trjam
November 15th, 2008, 09:56 PM
oh brother, bet the next post is a long one.::) ;D
PrevxHelp
November 15th, 2008, 09:57 PM
{QUOTE-> I did go there, and tried opening the shortcut.....that is the reason (so I thought) that I ended up with 2 copies of Prevx.exe running.
I have Mamutu and Anvir Task Manager which both threw up warnings, but I gave them permission. I have screenshots of these if you wish to see them. <-QUOTE}
It's possible that it hit a race condition while installing, causing it to not install properly. Could you try uninstalling completely and then reinstalling? This may solve it. If you can't uninstall, terminate both prevx.exe processes and then try again.
Still not sure what's wrong, but I think we're getting somewhere in finding it out :)
Tarnak
November 15th, 2008, 09:59 PM
{QUOTE-> Tarnak...did you accidentally install it as "Untrusted" with DefenseWall? I accidentally did this during testing and things wouldn't run. <-QUOTE}
I think I gave it permission to run as trusted from the right click Context menu....but I will check!;D
PrevxHelp
November 15th, 2008, 10:01 PM
{QUOTE-> 1, If you believe that threats can only cause damage while online then there is a serious hole in PrevX technology. PrevX Edge will not protect against malware spread across a closed internal network or via removable drives. If other security products can pass my "fundamentally incorrect" (as you say) test then why cannot PrevX Edge?? I have tested saving viruses with PrevX connected to the net and it didn't detect the file I/O. This would then leave the user vulnerable if they executed the program later without a network connection. For a user on the move using wireless internet this is a serious hole which other security tools protect against.
2, In regard to the driver, I looked more closely at pxark.sys and discovered that it can be changed very easily, which then prevents the GUI detecting any threats regardless of a network connection. The driver does hook a number of SDT entries which once unhooked leave PrevX Edge as blind as a bat. After unhooking the SDT entries it's also simple to kill the GUI using terminate process even when self protection is enabled.
PrevX Edge appears to be a process monitor as seen in PrevX V2 with a bit of on-demand (not real-time) scanner from CSI. I have found no evidence of any advanced behavior monitor technology or anti-rootkit protection within PrevX Edge.
~interact <-QUOTE}
I'm sorry to say it, but, with all due respect, you are wrong. You are looking in the wrong place when trying to find how Edge monitors the system and I'm not going to divulge where you should be looking as that is proprietary information.
The driver hooks SSDT entries only for self protection, and there is currently a bug in self protection which interferes with the realtime monitoring, so, we highly recommend not using that feature. The rest of the monitoring takes place within the engine and within the other features of our driver.
Edge analyzes the hard disk, registry, and memory on a raw level to detect rootkits - I'm not sure why your tools are not seeing this within Edge, but they are mistaken - our rootkit detection is able to find and prevent literally thousands of different rootkits.
As for copying files across a network and then immediately disconnecting from the network - sure, this might be a bit of a vulnerable area if you are not immediately connected to the internet, however, as soon as you reconnect, Edge will find the threats and prompt to remove them. It is exactly the same as if an AV didn't have a definition for a threat and then downloaded a new update and rescanned. I don't see the real-world flaw here.
Coolio10
November 15th, 2008, 10:05 PM
Is it possible to use prevx and only prevx?
I don't want to use AVs anymore and it's an added bonus it has heuristics.
PrevxHelp
November 15th, 2008, 10:07 PM
{QUOTE-> Is it possible to use prevx and only prevx?
I don't want to use AVs anymore and it's an added bonus it has heuristics. <-QUOTE}
Yes, while you can always use another AV on top of it if you want, Edge will protect you against everything a normal AV will and more thanks to its community database :)
However, of course, no AV is perfect and neither is Edge but for a vast majority of users, Edge will be more than adequate for protecting them against today's threats.
Threedog
November 15th, 2008, 10:09 PM
That's all I am using now Coolio. I do have Returnil installed but only really use that for testing stuff. Given that my usual surfing is pretty tame, I feel well protected. And even if I do go "hunting", I am sure Edge will be able to handle it.
trjam
November 15th, 2008, 10:14 PM
{QUOTE-> That's all I am using now Coolio. I do have Returnil installed but only really use that for testing stuff. Given that my usual surfing is pretty tame, I feel well protected. And even if I do go "hunting", I am sure Edge will be able to handle it. <-QUOTE}
same here, Edge is good enough for me.
Coolio10
November 15th, 2008, 10:14 PM
{QUOTE-> Yes, while you can always use another AV on top of it if you want, Edge will protect you against everything a normal AV will and more thanks to its community database :)
However, of course, no AV is perfect and neither is Edge but for a vast majority of users, Edge will be more than adequate for protecting them against today's threats. <-QUOTE}
Thanks, also good job keeping up with all the answers. Even ones you shouldn't have to answer you do :).
Never seen a thread go to 12 pages in 2 days.
Except mybb's last post competition for money. They are up to 459 pages and still counting. A good way to see how many pages their forum script can handle :).
EraserHW
November 15th, 2008, 10:16 PM
{QUOTE-> The driver does hook a number of SDT entries which once unhooked leave PrevX Edge as blind as a bat. After unhooking the SDT entries it's also simple to kill the GUI using terminate process even when self protection is enabled. <-QUOTE}
This sentence leaves me a bit astonished.
APIs hooked inside the SSDT are hooked just for self-defence protection, and if you investigate a bit, you'll find that *a lot* of security software is using similar self-protection techniques.
Is it totally secure? No, it isn't. If you know a bit about kernel development, you'll find some ways to bypass it. But that's not a problem of ours, it's a common problem. Is it enough? Yes, it is. It'll prevent most known process-terminating attacks.
Every security vendor knows that their security solutions could be bypassed in some way by someone, but that would mean 1 person out of 1.000.000.
Are there other ways to protect our processes? Yes, there are. But they would mean tampering with the Windows kernel at a really low level, and that could result in system instability.
This way, we're preventing the most common attacks and we assure you system stability. Can our hooks be unhooked? Yes, sure...then what's the goal? When you're in kernel mode, and you're able to touch the SSDT, why just unhook our hooks? You've the power in your hands. If you're in kernel mode, you basically own the system.
PrevxHelp
November 15th, 2008, 10:38 PM
{QUOTE-> This way, we're preventing the most common attacks and we assure you system stability. Can our hooks be unhooked? Yes, sure...then what's the goal? When you're in kernel mode, and you're able to touch the SSDT, why just unhook our hooks? You've the power in your hands. If you're in kernel mode, you basically own the system. <-QUOTE}
Just because there have been too few analogies used thus far:
Malware loading into kernel mode and then only unhooking an AV's SSDT entry is like using a steamroller to squash an ant. At that point, it would have free rein over the entire system, so, why even bother terminating the AV :)
Threedog
November 15th, 2008, 10:45 PM
Hmmm....I have used a 14 cu yd loader bucket to terminate an ant.
But really, I don't think the internet is teeming with malware that can do this....if any even exists.
interact
November 15th, 2008, 11:00 PM
{QUOTE-> I'm sorry to say it, but, with all due respect, you are wrong. You are looking in the wrong place when trying to find how Edge monitors the system and I'm not going to divulge where you should be looking as that is proprietary information.
The driver hooks SSDT entries only for self protection, and there is currently a bug in self protection which interferes with the realtime monitoring, so, we highly recommend not using that feature. The rest of the monitoring takes place within the engine and within the other features of our driver.
Edge analyzes the harddisk, registry, and memory on a raw level to detect rootkits - I'm not sure why your tools are not seeing this within Edge, but they are mistaken - our rootkit detection is able to find and prevent literally thousands of different rootkits.
As for copying files across a network and then immediately disconnecting from the network - sure, this might be a bit of a vulnerable area if you are not immediately connected to the internet, however, as soon as you reconnect, Edge will find the threats and prompt to remove them. It is exactly the same as if an AV didn't have a definition for a threat and then downloaded a new update and rescanned. I don't see the real-world flaw here. <-QUOTE}
::) OK I've coded a program to do the following:
Inject code into a running process, map a system file in memory then inject code, and finally write code directly to a system file on disk. This emulates a new threat which is not in your signature database. The three tests were not detected in real-time or via a scan. The target files were damaged and the files were not repaired; these tests were undertaken with and without an Internet connection.
~interact
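As an added illustration that is not part of interact's post, nor Prevx's code: the on-disk half of the test described above (bytes written straight into a system file, neither detected nor repaired) is exactly what a file-integrity baseline catches without needing a signature for the threat. The Python below hashes a directory, then verifies it after an in-place patch that deliberately keeps the file size unchanged, so size checks alone would miss it. The directory, file names and contents are constructed stand-ins created in a temporary folder; no real system files are touched.

```python
import hashlib
import json
import os
import tempfile

# Constructed stand-ins for "system files" (not the thread's real targets).
# They are written to a temp directory so the example runs anywhere.
SAMPLE_FILES = {
    "kernel32.dll": b"MZ\x90\x00constructed-sample-image-1",
    "user32.dll":   b"MZ\x90\x00constructed-sample-image-2",
    "hosts":        b"127.0.0.1 localhost\n",
}


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {size, sha256} for every regular file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return baseline


def verify(root, baseline):
    """Compare the tree under root against a stored baseline.

    Returns {'modified': [...], 'missing': [...], 'added': [...]}; a file whose
    size is unchanged but whose hash differs still lands in 'modified'.
    """
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Build a baseline, tamper with one file in place, drop a new one, re-verify."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)

    baseline = build_baseline(root)
    # In practice the baseline is stored off-host or signed; here it just
    # round-trips through JSON to show it survives serialisation.
    baseline_json = json.dumps(baseline)

    # Simulate the on-disk part of the test: overwrite bytes inside a "system
    # file" without changing its length, so only the hash reveals the change.
    target = os.path.join(root, "user32.dll")
    with open(target, "r+b") as f:
        f.seek(4)
        f.write(b"PATCHED")
    # ...and drop an unknown binary alongside the known files.
    with open(os.path.join(root, "dropper.exe"), "wb") as f:
        f.write(b"MZconstructed-dropper")

    return verify(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would attach to this: the baseline only tells you that something changed, not whether the change was malicious, and the check is only as trustworthy as the file reads it relies on. A kernel-resident rootkit of the kind discussed earlier in the thread can lie to user-mode readers, which is why the reliable form of this check runs from outside the possibly-compromised OS (a boot disk or offline image), with the baseline kept off the host.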
PrevxHelp
November 15th, 2008, 11:14 PM
{QUOTE-> ::) OK, I've coded a program to do the following:
Inject code into a running process, map a system file in memory then inject code, and finally write code directly to a system file on disk. This emulates a new threat which is not in your signature database. The three tests were not detected in real-time or via a scan. The target files were damaged and the files were not repaired. These tests were undertaken with and without an Internet connection.
~interact <-QUOTE}
Sure, no program is perfect - not making any claim that Edge is perfect at all. (Also, do you have heuristics enabled? I'd bet that Edge would have blocked it with heuristics on ;))
Ironically, I just came across a piece of malware which modifies dozens of system components and patches them with its own code, loads a rootkit and hides its service, then proceeds to collect personal information from the user and send it out.
I then proceeded to test it against identical system images of 20 odd AVs, all up to date, all with maximum heuristics enabled. None of them found it on demand, and none found it on access during the infection.
I then ran it against Edge (after making sure it was not already marked in our database to have it be a fair test) which blocked it before it installed, so, for good measure and out of curiosity, I allowed it to install, despite Edge's recommendation, and then Edge subsequently blocked the driver as it was attempting to load - citing first a 'Cloaked Malware' infection, followed by an "Age/Spread" violation (one of our heuristics) on the driver.
We can go back and forth all day, but, Edge provides real protection to users against real threats. It may not be 100%, but if you do happen to find a program which blocks 100% of threats with no false positives, I will happily buy hundreds of licenses and use it on all of my computers and pass it out to everyone I know so that we can finally, once and for all, rid the world of malware!! :)
simmikie
November 15th, 2008, 11:23 PM
{QUOTE-> By cutting off internet connection, you're cutting off a a large number of detections, because almost all security suites are now starting to use these community technologies. <-QUOTE}
But isn't that what the guy is saying? Malware will seek to neuter the protection by severing its supply line (the network connection)?
Mike
jmonge
November 15th, 2008, 11:27 PM
{QUOTE-> But isn't that what the guy is saying? Malware will seek to neuter the protection by severing its supply line (the network connection)?
Mike <-QUOTE}That's where a HIPS program comes to save you in real time by protecting your hosts file :thumb:
PrevxHelp
November 15th, 2008, 11:31 PM
{QUOTE-> But isn't that what the guy is saying? Malware will seek to neuter the protection by severing its supply line (the network connection) <-QUOTE}
Yes, that's true, and malware may start doing that, but at the same time, if the malware got through a normal AV and then severed off the internet, the AV would be unable to update to download the newest definitions.
Therefore, I don't think this is an Edge-only issue. There are actually a great deal of pieces of malware which add AV update URLs to the HOSTS file to block them from updating with varying success.
Also, if you have malware which is blocking you from connecting to the internet, you'll notice pretty quickly and start wondering what's going on. Users would generally then contact their AV company and, at least in our case, we will then work to manually fix their computer to remove the threat blocking us from "updating" our knowledge of the local PC.
PrevxHelp
November 15th, 2008, 11:32 PM
{QUOTE-> That's where a HIPS program comes to save you in real time by protecting your hosts file :thumb: <-QUOTE}
Edge also does fix the HOSTS file if it detects malicious changes to it that could block Edge or other popular AVs from scanning :)
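PrevxHelp's two posts above (malware adding AV update URLs to the HOSTS file, and Edge repairing malicious HOSTS changes) describe a detect-and-repair step that is simple enough to show in code. The Python below is an added example, not Prevx's code or anything posted in the thread: it parses a constructed HOSTS file, flags any mapping for a protected update hostname, distinguishes black-holing (loopback or 0.0.0.0) from redirection to a routable address, and returns a cleaned copy. The hostnames in PROTECTED_HOSTS and the sample file contents are placeholders invented for the example.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file (not taken from the thread): two
# legitimate entries, then mappings that would cut a security product off from
# its update/cloud servers. Inline comments mark the constructed lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.com      # constructed: black-hole
0.0.0.0         liveupdate.example-av.com  # constructed: black-hole
10.0.0.5        www.example-cloud-av.com   # constructed: redirect to attacker box
192.168.1.20    intranet.example.local
"""

# Hypothetical watch-list of update/cloud hostnames a product would protect.
# A real product ships its own list; these names are placeholders.
PROTECTED_HOSTS = {
    "update.example-av.com",
    "liveupdate.example-av.com",
    "www.example-cloud-av.com",
}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS-file text.

    Comments (after '#') and blank lines are ignored; a line whose first token
    is not an IP address is not a mapping and is skipped rather than rejected.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host.lower(), line_no


def find_tampering(text, protected):
    """Return every HOSTS mapping that pins a protected hostname.

    Any such mapping is suspicious, since legitimate HOSTS files do not pin
    update servers. Loopback/unspecified targets are classified 'blackhole'
    (updates silently fail); a routable target is 'redirect' (the client may be
    talking to an attacker-controlled server instead), which is the worse case.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host not in protected:
            continue
        kind = "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append({"line": line_no, "host": host, "ip": str(ip), "kind": kind})
    return findings


def clean_hosts(text, protected):
    """Return HOSTS text with every line that maps a protected hostname removed.

    Whole lines are dropped (not just the offending token) so the result is
    exactly what a repair routine would write back to disk.
    """
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and any(h.lower() in protected for h in parts[1:]):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in find_tampering(SAMPLE_HOSTS, PROTECTED_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On Windows the file this would be run against is %SystemRoot%\System32\drivers\etc\hosts. Note what the check does and does not cover: it inspects only HOSTS, so blocking done through firewall rules, routes or a tampered DNS setting is out of its scope, and, as with any self-protection logic, it has to run from a component the malware cannot simply terminate or patch first.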
jmonge
November 15th, 2008, 11:33 PM
{QUOTE-> Edge also does fix the HOSTS file if it detects malicious changes to it that could block Edge or other popular AVs from scanning :) <-QUOTE}
sounds good:thumb:
trjam
November 15th, 2008, 11:34 PM
go to sleep. are you paid hourly?;)
PrevxHelp
November 15th, 2008, 11:35 PM
{QUOTE-> go to sleep. are you paid hourly?;) <-QUOTE}
Haha I'm not :) And this doesn't even count as overtime :) This is just me caring about our products < /sentimental>
Threedog
November 15th, 2008, 11:39 PM
I will have to go to the UK and get you a raise. I can be pretty persuasive. :D
simmikie
November 15th, 2008, 11:42 PM
{QUOTE-> Thats all I am using now Coolio. I do have Returnil installed but only really use that for testing stuff. Given that my usual surfing is pretty tame, I feel well protected. And even if I do go "hunting", I am sure Edge will be able to handle it. <-QUOTE}
Well, I am almost there. I can't do without DefenseWall's protection from attack vectors, and a firewall. :thumb:
Mike
Threedog
November 15th, 2008, 11:51 PM
I might put defensewall back on when Ilya gets the new skinning engine but as far as firewalls just Winders and the Router is all I need. My thoughts are that if it can't execute it can't infect and if it can't infect it can't call home.
simmikie
November 16th, 2008, 12:02 AM
{QUOTE-> Yes, that's true, and malware may start doing that, but at the same time, if the malware got through a normal AV and then severed off the internet, the AV would be unable to update to download the newest definitions.
Therefore, I don't think this is an Edge-only issue. There are actually a great deal of pieces of malware which add AV update URLs to the HOSTS file to block them from updating with varying success.
Also, if you have malware which is blocking you from connecting to the internet, you'll notice pretty quickly and start wondering what's going on. Users would generally then contact their AV company and, at least in our case, we will then work to manually fix their computer to remove the threat blocking us from "updating" our knowledge of the local PC. <-QUOTE}
Or I would simply restore that snapshot from an archive or, failing that for some reason, nuke the whole set from a fresh image I take 2 times a day.
Nothing is perfect. I recall the days when, unless you were skilled at manually removing infections, your only option was to reformat. Malware has evolved and so have anti-malware tools. Edge is an outside-the-box paradigm produced by forward-thinking software engineers and coders, backed by phenomenal resources and infrastructure. There is no other company like Prevx, there is no other product like Prevx Edge, so some folk just need to get over themselves.
Edge. Have you slobberknocked your malware today? ;D
Mike
Cretemonster
November 16th, 2008, 12:07 AM
{QUOTE-> OK, I've coded a program to do the following:
Inject code into a running process, map a system file in memory then inject code, and finally write code directly to a system file on disk. This emulates a new threat which is not in your signature database. The three tests were not detected in real-time or via a scan. The target files were damaged and the files were not repaired. These tests were undertaken with and without an Internet connection.
~interact <-QUOTE}
That's cute, but what's the point?
I'd say it's fair that little test can be used to make almost anything look silly.
Anyone who would tune a heuristic to that level will spend the next 24 hrs..sorry...24 yrs...repairing False Positives.
Yes, the internet is vital, but it also affects each and every known antivirus when it pertains to new threats.
Speaking of new threats, if anyone has ever had a conversation with a real heuristic engineer in any AV company, they will tell you all, stringing server-side crypted malware with a preset determination is close to impossible and is totally impossible to treat globally; again, all day repairing slews of False Positives.
Basically speaking, the best you'll ever see is 90% detection rates, and this speaks nothing for onboard real-time protection because it does not implement any preset rules that were already intact.
Detection Rates and AV Testing in general is conceptually misleading at best; it does not ever reflect the true capacity of any defense system or resident antivirus product.
maddawgz
November 16th, 2008, 01:43 AM
{QUOTE-> Ta!:thumb: <-QUOTE}
don't be so lazy lol..:isay:
webbit
November 16th, 2008, 04:16 AM
So can Prevx Edge be used standalone or with other antiviruses? Every time I used to run Prevx alongside BitDefender and I had a problem, BitDefender support always blamed Prevx; they told me only to use 1 security product.
webbit
November 16th, 2008, 04:23 AM
I have a licence for Prevx CSI, yet when I try to download Prevx Edge and run it, only CSI runs. Strange??
webbit
November 16th, 2008, 04:54 AM
{QUOTE-> So can Prevx Edge be used standalone or with other antiviruses? Every time I used to run Prevx alongside BitDefender and I had a problem, BitDefender support always blamed Prevx; they told me only to use 1 security product. <-QUOTE}
Oops, sorry, just read some more on this so now I know its answer, and also I uninstalled CSI and put Edge on and Edge worked. Will my CSI licence work for Edge?
vijayind
November 16th, 2008, 05:01 AM
{QUOTE-> I'm afraid your doubts may be fundamental problems.
1) It does require internet access, however, you can use CSI Enterprise which centralizes the scanning on one computer in your network. I believe that would be a better approach for you. We are working on "Edge Enterprise" but it is going to take a bit to get everything fully implemented.
2) We have not tested on WINE, but CSI may work better than Edge under WINE as Edge runs primarily from a system driver, which WINE won't emulate properly.
Please let me know if you do have problems with CSI on WINE (if you try it) as we may be able to work around them by using less of the Windows API. <-QUOTE}
I would prefer real-time protection of Edge over on-demand CSI. And the novice friendly approach is ideal, since its not me monitoring the machine on a daily basis. I don't want a central scanning option, would like it better if the clients themselves could scan themselves. Since you are working on Edge Enterprise, may I recommend adding an option for offline db or making server(s) act as proxy repository, just like Enterprise AV software.
I thought CSI and Edge would be the same :-[ Guess CSI would be better on Wine, will check it out on any old Linux machine I find around on Monday.
Thanks again :thumb:
C.S.J
November 16th, 2008, 05:03 AM
{QUOTE-> 160 detected on scan
157 remaining
42 files remaining after behaviour-based checks.
so, is that around 87% detection?
which, for malware from the past couple of months, isnt too bad, even better if some of the files remaining turn out to be clean.
even though my test is not professional in any way, i do like to check certain things on my machine myself, so no need to hear "this test is ****, or this test is BS", i did this for myself, and just thought id share it on here.
i'll PM the prevx guys and see what they can do, they may just turn out to be false alarms.
----
id also like to hear their opinion on best possible settings for the heuristics, ive noticed quite a few False Alarms with the settings set to 'high' or 'maximum'
----
chris. <-QUOTE}
OK, back from sleep.
I left the 42 undetected samples on my machine, by this I mean the ones that Prevx could not detect by both the scanner, or behaviour-based detection.
So, while Joe has to check the 157 the scanner missed, I'm still curious to know about the completely undetected samples.
So, when I arrived back to my laptop this morning, I ran a scan with EDGE and it found some more infections and cleaned those, quite a few malware downloaders, but mainly malicious stuff.
So, from the 42 completely undetected samples, currently remains 24, of which 5 are zero-byte.
Does he have more to check? ... I have no idea.
But it should be said, no software is perfect, however.. support is lightning quick and samples are being added very quickly indeed.
Feels really good to get back to my DrWeb and Prevx setup that I'm sooo used to.
webbit
November 16th, 2008, 05:21 AM
I have run Edge on my system and it found this, surely a false positive.
C.S.J
November 16th, 2008, 05:24 AM
Yeah, most likely.
Right-click it and report as FP.
s4u
November 16th, 2008, 05:54 AM
Are you guys running it just with or without an AV or also with a firewall?
C.S.J
November 16th, 2008, 06:02 AM
{QUOTE-> Are you guys running it just with or without an AV or also with a firewall? <-QUOTE}
My setup is purely what my signature says, with only a hardware firewall in the router.
But, I'd have no problem whatsoever using Prevx EDGE on its own.
ruinebabine
November 16th, 2008, 06:15 AM
{QUOTE-> {QUOTE-> PH, there is a little bug involving tray icons. When rebooting from one snapshot to another, it killed my FD-ISR tray icon. And we can't have that.;) <-QUOTE}That's odd... it actually killed the FD-ISR tray icon without killing the program? ??? <-QUOTE}I did not have a single problem when using FD-ISR and Px Edge together here (the only bother is that I cannot exclude the possibly huge FD-ISR cache directory ["C:\$ISR"] from Edge's automatic system scanning, but Prevx support told me that this exclusion feature is now on their TO DO list).
BTW, the FD-ISR icon is simply there to give the user optional easy access to the GUI, so not having this icon present in the system tray won't impair FD-ISR functionality in any way ;) , I personally prefer to simply use a PowerPro hotkey to quickly start the GUI when needed.
trjam
November 16th, 2008, 06:49 AM
{QUOTE-> Are you guys running it just with or without an AV or also with a firewall? <-QUOTE}
running without firewall. One nice combo I found is Edge and Sandboxie. Working very well together.
Cretemonster
November 16th, 2008, 07:07 AM
@webbit
{QUOTE-> I have run Edge on my system and it found this, surely a false positive. <-QUOTE}
Please rescan and let me know the outcome.
Nunes
November 16th, 2008, 07:29 AM
{QUOTE-> This is odd, as we have had no reports of slow scans/interference from other users. Would you be willing to have one of our engineers (or myself) analyze your system remotely? The only case we've seen this happen in is when the system is infected with a rootkit at a low level - might be worth checking it out.
Please PM me if you're interested :) <-QUOTE}
Just PM about this.
I must say that a complete scan usually takes a long time, and even when I abort the scanning it takes ~1 minute to stop.
The only scan that doesn't take too long is the quick scan with optimizing.
I have thousands of files in my PC so can this be the reason?
I have rootkit analyzers but never found one.
EraserHW
November 16th, 2008, 07:42 AM
{QUOTE-> OK, back from sleep.
I left the 42 undetected samples on my machine, by this I mean the ones that Prevx could not detect by both the scanner, or behaviour-based detection.
So, while Joe has to check the 157 the scanner missed, I'm still curious to know about the completely undetected samples.
So, when I arrived back to my laptop this morning, I ran a scan with EDGE and it found some more infections and cleaned those, quite a few malware downloaders, but mainly malicious stuff.
So, from the 42 completely undetected samples, currently remains 24, of which 5 are zero-byte.
Does he have more to check? ... I have no idea.
But it should be said, no software is perfect, however.. support is lightning quick and samples are being added very quickly indeed.
Feels really good to get back to my DrWeb and Prevx setup that I'm sooo used to. <-QUOTE}
Hi there,
have you already sent us all the samples? (Even the 19 undetected ones?) :)
raven211
November 16th, 2008, 07:47 AM
A little curious why those are included in samples if they're actually not containing anything. ;D
EraserHW
November 16th, 2008, 07:50 AM
{QUOTE-> I have a licence for Prevx CSI, yet when I try to download Prevx Edge and run it, only CSI runs. Strange?? <-QUOTE}
If I've understood your problem, your license allows you to just use CSI and not Edge features.
If I haven't understood, sorry :) If you could better explain your problem, then it would be really useful :) Thank you :)
EraserHW
November 16th, 2008, 07:51 AM
{QUOTE-> A little curious why those are included in samples if they're actually not containing anything. ;D <-QUOTE}
That's why I've written 19 samples instead of 24 ;D If 5 are zero-byte files, they shouldn't be considered
C.S.J
November 16th, 2008, 07:52 AM
I have an unregistered CSI licence too, and no idea what to do with it due to the fact I use EDGE. :-\
And wasn't CSI the same price as Prevx 2.0? ... Surely, they (I) should be allowed to swap to an EDGE licence.
raven211
November 16th, 2008, 07:53 AM
{QUOTE-> I have run Edge on my system and it found this, surely a false positive. <-QUOTE}
What does the report at its page (at Prevx) say about its behaviour?
If it's a downloaded game it could as well have malware included to at the same time infect systems where it's present.
NIS is not alerting you about it, right?
Nunes
November 16th, 2008, 07:53 AM
I just did a deep scan with optimizing letting it go until the end.
It took 2 minutes and didn't find anything. The system was responsive without problems.
It seems that using optimizing scanning makes some difference.
raven211
November 16th, 2008, 07:54 AM
{QUOTE-> That's why I've written 19 samples instead of 24 ;D If 5 are zero-byte files, they shouldn't be considered <-QUOTE}
No, no - I meant in the first place. :D I saw your message and understood why you wrote as you did. ;)
C.S.J
November 16th, 2008, 08:00 AM
{QUOTE-> Hi there,
have you already sent us all the samples? (Even the 19 undetected ones?) :) <-QUOTE}
Of course, and a few more too that I found today.
And the 19 remaining are the samples that are undetected completely (scanner+behaviour), I haven't checked the amount of undetected from the scanner.
I've noticed quite a few have already been fixed.
EraserHW
November 16th, 2008, 08:24 AM
{QUOTE-> Of course, and a few more too that I found today.
And the 19 remaining are the samples that are undetected completely (scanner+behaviour), I haven't checked the amount of undetected from the scanner.
I've noticed quite a few have already been fixed. <-QUOTE}
Ok, perfect :)
Thank you :)
C.S.J
November 16th, 2008, 08:27 AM
{QUOTE-> I have an unregistered CSI licence too, and no idea what to do with it due to the fact I use EDGE. :-\
And wasn't CSI the same price as Prevx 2.0? ... Surely, they (I) should be allowed to swap to an EDGE licence. <-QUOTE}
Also, I have an old Prevx 2.0 licence that the 'licence validator' correctly recognises as an unregistered Prevx 2.0 licence, however... I can't swap this for an EDGE licence, which is weird.
Any answer? :)
{QUOTE-> Ok, perfect :)
Thank you :) <-QUOTE}
no problem :)
webbit
November 16th, 2008, 08:32 AM
{QUOTE-> If I've understood your problem, your license allows you to just use CSI and not Edge features.
If I haven't understood, sorry :) If you could better explain your problem, then it would be really useful :) Thank you :) <-QUOTE}
Hi
Thanks for your valued support on here by the way, do you work 7 days a week??
I have CSI installed and a working licence, yet I have tried to download and install Edge, but when I click on the install icon for Edge all that starts up is CSI.
webbit
November 16th, 2008, 08:34 AM
{QUOTE-> What does the report at its page (at Prevx) say about its behaviour?
If it's a downloaded game it could as well have malware included to at the same time infect systems where it's present.
NIS is not alerting you about it, right? <-QUOTE}
Was a game I got from a friend; now did a full scan of the file with Norton and it did not detect anything.
EraserHW
November 16th, 2008, 08:35 AM
{QUOTE-> Also, I have an old Prevx 2.0 licence that the 'licence validator' correctly recognises as an unregistered Prevx 2.0 licence, however... I can't swap this for an EDGE licence, which is weird.
Any answer? :)
<-QUOTE}
You should be able to swap Prevx 2.0 license to Edge. If you got any errors, please send me your key by PM or open a ticket on Prevx Support and I'll check it :)
horseman
November 16th, 2008, 09:00 AM
{QUOTE-> You should be able to swap Prevx 2.0 license to Edge. If you got any errors, please send me your key by PM or open a ticket on Prevx Support and I'll check it :) <-QUOTE}
Not quite sure if this includes Family/Bis licenses? Are you allowing mix and match for P2 and Edge or is it as I suspect all one or the other?
NB: FAO Joe-Ref the offline assist - many thanks and quick update: the legit h/w loads and works blazing fast on Intel P4 3GHz 1Gb RAM (14s for 7k+ files) as we'd all expect, but the Mac Core2Duo is still somewhat problematic (from 2.5min to 25min!! for 7k+ files); I'm beginning to suspect this is down to virtualised hardware/VMWare Fusion and constrained memory (740MB). McAfee is VirusScan+ but the license is keyed to VMFusion so I can't (legally) port to the other Intel test platform. (I'll look at installing some Demos instead).
I assume delta between 165 & 172 Edge builds was just the Windows Explorer context?. More specific details later (offline) in week - Thks again.
EraserHW
November 16th, 2008, 09:01 AM
{QUOTE-> Hi
Thanks for your valued support on here by the way, do you work 7 days a week??
I have CSI installed and a working licence, yet I have tried to download and install Edge, but when I click on the install icon for Edge all that starts up is CSI. <-QUOTE}
Please, can you uninstall your CSI, download Edge setup and then install it? After this, apply your CSI license.
You should have Edge installed in trial mode and CSI cleanup enabled.
Try this :)
Yep, most of the time we work even on Sunday ;D Tonight I went to sleep at 5am ;D (PrevxHelp knows this ;D)
Biscuit
November 16th, 2008, 09:03 AM
{QUOTE-> I left it for ~15 minutes, trying to gain control of the mouse and open the task manager (which I couldn't open). The whole system was jerky and unresponsive so I had to reset. <-QUOTE}
This morning, the same happened to me.
C.S.J
November 16th, 2008, 09:04 AM
{QUOTE-> You should be able to swap Prevx 2.0 license to Edge. If you got any errors, please send me your key by PM or open a ticket on Prevx Support and I'll check it :) <-QUOTE}
OK, last night the licence validator said Prevx 2.0 unregistered, but unrecognised for an EDGE swap, and now it says it doesn't recognise the key at all.
Also, one that last night said unregistered Edge licence now says expires Jul 2009.
Not a happy chappy.
doktornotor
November 16th, 2008, 09:43 AM
Norton Removal Tool (http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039) is not a rootkit... ;D
Cretemonster
November 16th, 2008, 09:54 AM
{QUOTE-> Norton Removal Tool is not a rootkit <-QUOTE}
Heh!
I'll have a peek, can you report it please.
Curious as to why that file would appear as hidden??
Cretemonster
November 16th, 2008, 09:57 AM
{QUOTE-> Yep, most of the time we work even on Sunday Tonight I went to sleep at 5am (PrevxHelp knows this ) <-QUOTE}
What is sleep?
Please explain! :P
doktornotor
November 16th, 2008, 10:08 AM
{QUOTE->
Curious as to why that file would appear as hidden?? <-QUOTE}
No idea, it's not hidden by any means, it's just sitting in a folder together with lots of other apps, has +A attribute, nothing else.
D:\Install\Security\Norton Removal Tool>attrib Norton_Removal_Tool.exe
A D:\Install\Security\Norton Removal Tool\Norton_Removal_Tool.exe
D:\Install\Security\Norton Removal Tool>
BTW - report where? </lazy> :)
ruinebabine
November 16th, 2008, 10:29 AM
{QUOTE-> BTW - report where? </lazy> :) <-QUOTE}Right-click on the entry line ;)
doktornotor
November 16th, 2008, 10:33 AM
{QUOTE-> Right-click on the entry line ;) <-QUOTE}
Well LOL, too late... seems already fixed. ;D 8)
webbit
November 16th, 2008, 10:39 AM
{QUOTE-> Please, can you uninstall your CSI, download Edge setup and then install it? After this, apply your CSI license.
You should have Edge installed in trial mode and CSI cleanup enabled.
Try this :)
Yep, most of the time we work even on Sunday ;D Tonight I went to sleep at 5am ;D (PrevxHelp knows this ;D) <-QUOTE}
Yes, done that and all is fine, thanks. Is Prevx Edge recognised by Vista Security Centre as an antivirus?
simmikie
November 16th, 2008, 10:46 AM
{QUOTE-> Norton Removal Tool (http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039) is not a rootkit... ;D <-QUOTE}
and the heuristics were set where?
ruinebabine
November 16th, 2008, 10:47 AM
When given those Alert boxes, what can we do to NOT clean them (test files) up?
I don't see any other choice than to push this "Cleanup Now" button. It seems to me that this box should also give us at least an alternative...
doktornotor
November 16th, 2008, 10:51 AM
{QUOTE-> and the heuristics were set where? <-QUOTE}
Shrug... Default install with settings untouched... In fact, this was detected on the initial configuration scan, so no chance whatsoever to change the settings. :D
PrevxWebDesigner
November 16th, 2008, 10:51 AM
{QUOTE-> When given those Alert boxes, what can we do to NOT clean them (test files) up?
I don't see any other choice than to push this "Cleanup Now" button. It seems to me that this box should also give us at least an alternative... <-QUOTE}
In the small window - click the "X" in the top right. Then in the main window you should be able to click "Back to Status Screen" if you don't want to cleanup :)
simmikie
November 16th, 2008, 10:54 AM
Are there check boxes? I don't recall off-hand, and I myself am experiencing a disappearing GUI.
PrevxHelp
November 16th, 2008, 10:55 AM
{QUOTE-> Shrug... Default install with settings untouched... In fact, this was detected on the initial configuration scan, so no chance whatsoever to change the settings. :D <-QUOTE}
By any chance, were you in the process of downloading the Norton Removal Tool when the scan was running? This is Edge's rootkit scanner generating a false positive, definitely something worth looking into.
EDIT: Disregard the rest of this message - I sorted it :) It won't happen again - thanks for the submission!
simmikie
November 16th, 2008, 10:56 AM
{QUOTE-> Shrug... Default install with settings untouched... In fact, this was detected on the initial configuration scan, so no chance whatsoever to change the settings. :D <-QUOTE}
for that obvious of an FP, i would have guessed maxed out heuristics. sorry.
PrevxHelp
November 16th, 2008, 10:57 AM
{QUOTE-> Are there check boxes? I don't recall off-hand, and I myself am experiencing a disappearing GUI. <-QUOTE}
I got your email and I'm not really sure what would have caused that to be honest ;D If you try rebooting and can get it again, that would be excellent.
There are a couple different malware alert screens, and if it doesn't have checkboxes on the screen, then clicking Cleanup Now will not immediately clean it up. (You are always given the option to deselect files)
PrevxHelp
November 16th, 2008, 10:57 AM
{QUOTE-> Yes, done that and all is fine, thanks. Is Prevx Edge recognised by Vista Security Centre as an antivirus? <-QUOTE}
We are in the process of adding this feature and will have it implemented in the next release :)
PrevxHelp
November 16th, 2008, 10:58 AM
{QUOTE-> OK, last night the licence validator said Prevx 2.0 unregistered, but unrecognised for an EDGE swap, and now it says it doesn't recognise the key at all.
Also, one that last night said unregistered Edge licence now says expires Jul 2009.
Not a happy chappy. <-QUOTE}
I'll contact you by PM to get this sorted :)
doktornotor
November 16th, 2008, 10:59 AM
{QUOTE-> By any chance, were you in the process of downloading the Norton Removal Tool when the scan was running? This is Edge's rootkit scanner generating a false positive, definitely something worth looking into. If you want, could you save a scan log (even though it isn't found anymore) and I'll check it out to prevent it in the future :) <-QUOTE}
No, not downloading at all... the file has been sitting there for a couple of days already. Anyway, the only relevant line in the log is:
[R<R00000098>] C:\Install\Security\Norton Removal Tool\Norton_Removal_Tool.exe [PX5: 2A7925670038A6621085252C4F0F5C007832CB35] Malware Group: Caution.HiddenFile
Also, note that the location is incorrect in the log for whatever reason. It's D:\Install\... in fact, not C:\
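The scan-log line doktornotor pasted above is the record a false-positive report is built from, and PrevxHelp asks for exactly such logs elsewhere in the thread. As an added example (not Prevx's code, and no part of the thread), the Python below parses lines in that format into records, tallies hits per malware group, and lists the identifiers of the lower-confidence hits you would hand to support for review. It embeds the one real line from the post plus constructed records whose PX5 values are placeholders; treating a "Caution." group prefix as lower-confidence is this example's assumption, not a documented Prevx rule.

```python
import re
from collections import Counter

# One real scan-log line from the thread (doktornotor's false positive), then
# constructed lines so the parser has several records and one non-record line
# to skip. The constructed PX5 values are placeholders, not real file hashes.
SAMPLE_LOG = "\n".join([
    r"[R<R00000098>] C:\Install\Security\Norton Removal Tool\Norton_Removal_Tool.exe [PX5: 2A7925670038A6621085252C4F0F5C007832CB35] Malware Group: Caution.HiddenFile",
    r"[R<R00000099>] C:\Users\test\Downloads\setup.exe [PX5: " + "A" * 40 + "] Malware Group: Constructed.Downloader",
    r"[R<R0000009A>] C:\Windows\System32\drivers\demo.sys [PX5: " + "B" * 40 + "] Malware Group: Constructed.Rootkit",
    "scan finished in 1m 12s (constructed non-record line; the parser must skip it)",
])

# Field layout as seen in the posted line:
#   [<record id>] <path, may contain spaces> [PX5: <40 hex digits>] Malware Group: <group>
LINE_RE = re.compile(
    r"^\[(?P<record>[^\]]+)\]\s+"
    r"(?P<path>.+?)\s+"
    r"\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]\s+"
    r"Malware Group:\s*(?P<group>\S+)\s*$"
)

# Assumption of this example: groups logged under a 'Caution.' prefix (as the
# thread's false positive was) are lower-confidence than named malware families.
LOW_CONFIDENCE_PREFIXES = ("Caution.",)


def parse_scan_log(text):
    """Return one dict per detection record; lines that are not records are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["px5"] = rec["px5"].upper()  # normalise so identical files compare equal
        rec["low_confidence"] = rec["group"].startswith(LOW_CONFIDENCE_PREFIXES)
        records.append(rec)
    return records


def summarize(records):
    """Count detections per malware group."""
    return dict(Counter(r["group"] for r in records))


def hashes_for_review(records):
    """PX5 identifiers of low-confidence hits, sorted and de-duplicated: the list
    you would hand to support when asking for a false-positive review."""
    return sorted({r["px5"] for r in records if r["low_confidence"]})


if __name__ == "__main__":
    recs = parse_scan_log(SAMPLE_LOG)
    print(summarize(recs))
    print(hashes_for_review(recs))
```

One thing the parser cannot check for you is the point doktornotor raised about the logged drive letter: a path in a log is only a claim about where the file was, so when you triage a hit, confirm the path on the actual machine rather than trusting the record.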
PrevxHelp
November 16th, 2008, 10:59 AM
{QUOTE-> Of course, and a few more too that I found today.
And the 19 remaining are the samples that are undetected completely (scanner+behaviour), I haven't checked the amount of undetected from the scanner.
I've noticed quite a few have already been fixed. <-QUOTE}
I'm going to be analyzing your remaining samples shortly, just to check that they are malicious, and then I'll add them into the DB :)
PrevxHelp
November 16th, 2008, 11:01 AM
{QUOTE-> I have run Edge on my system and it found this, surely a false positive. <-QUOTE}
This definitely looks like a false positive - right clicking on Report FP will send it to the research team, but if you want it fixed immediately, click Tools and Settings > Save Scan Results and then send me a scan log - I'll get it corrected right away :)
ruinebabine
November 16th, 2008, 11:02 AM
{QUOTE-> In the small window - click the "X" in the top right. Then in the main window you should be able to click "Back to Status Screen" if you don't want to cleanup :) <-QUOTE}
Thanks for your reply, but I already know this way of doing it. :) I was just suggesting that it might be a good idea to add an alternative choice for the user, other than by closing/ignoring those alert boxes.
PrevxHelp
November 16th, 2008, 11:03 AM
{QUOTE-> Just PM about this.
I must say that a complete scan usually takes a long time, and even when I abort the scanning it takes ~1 minute to stop.
The only scan that doesn't take too long is the quick scan with optimizing.
I have thousands of files in my PC so can this be the reason?
I have rootkit analyzers but never found one. <-QUOTE}
The full scan is generally an unnecessary feature to use when realtime protection is enabled. We highly recommend just using the Deep Scan as it is nearly as thorough and takes far less time to complete.
PrevxHelp
November 16th, 2008, 11:07 AM
{QUOTE-> Oops, sorry, just read some more on this so now I know its answer, and also I uninstalled CSI and put Edge on and Edge worked. Will my CSI licence work for Edge? <-QUOTE}
A CSI cleanup license will currently not work for Edge, as it is a cleanup-only license. I don't believe we have an upgrade from CSI Cleanup > Edge yet, and if you do want to install Edge, you have to first uninstall CSI or put an Edge license into CSI (it will convert it then as well).
PrevxHelp
November 16th, 2008, 11:07 AM
{QUOTE-> Thanks for your reply, but I already know this way of doing it. :) I was just suggesting that it might be a good idea to add an alternative choice for the user, other than by closing/ignoring those alert boxes. <-QUOTE}
Yes, that's true. A "cancel" button on there would be useful :) I'll add it to the infamous ToDo List ;D
simmikie
November 16th, 2008, 11:18 AM
hey Joe,
A reboot brought the GUI back. Strange, but stuff happens. Back to running keygens :argh:
Mike
C.S.J
November 16th, 2008, 11:52 AM
{QUOTE->
I'll contact you by PM to get this sorted :) <-QUOTE}
good ;)
I think Marco might be dealing with it though.
{QUOTE-> I'm going to be analyzing your remaining samples shortly, just to check that they are malicious, and then I'll add them into the DB :) <-QUOTE}
again, good :)
I've noticed here and there that during new scans, my Prevx picks up on a couple more infected files every few hours when I re-check it. :thumb:
CogitoErgoSum
November 16th, 2008, 11:52 AM
For those who are interested,
I purchased Prevx Edge (PE) 3.0 yesterday and tested it against the same 77 malware samples that I tested against Primary Response SafeConnect (PRSC) 3.5 beta. FYI, this 77-sample test set consists of a good variety of new and old malware (keyloggers, rootkits, trojans, viruses and worms); (ex. - stealth/obfuscated, ransomware, exploit, password-stealers/banking, botnet, SSDT kernel unhookers, MBR/low-level disk, system-modifying, security program disabling, rogue anti-virus/malware, file infector, autorun, downloader, etc...)
Under Vista 32 SP1 with UAC disabled and hardware DEP (OptOut) enabled, PE with default heuristic settings detected 62 out of 77 samples for a detection rate of over 80.5%. In contrast, PRSC 3.5 beta detected only 25 out of 77 samples for a detection rate of over 32.4%.
In conclusion, despite the impressive results of PE, it is my opinion that one still needs to run it alongside a sandbox and/or limited-user account (LUA) + Software Restriction Policy (SRP) for comprehensive protection.
Peace & Gratitude,
CogitoErgoSum
EraserHW
November 16th, 2008, 11:56 AM
Hello :)
Thank you for your test. Could you test even higher heuristic settings? And, moreover, would you be able to share undetected samples with us so that we can better tune our heuristic engine?
Thank you :)
CogitoErgoSum
November 16th, 2008, 11:57 AM
Hello Prevx,
Does Prevx Edge (PE) protect against buffer overflows as Prevx 2.0 does? Does PE have outbound network control as Prevx 2.0 has? Until proven otherwise, I assume that it does not have the latter. Thanks in advance.
Peace & Gratitude,
CogitoErgoSum
PrevxHelp
November 16th, 2008, 11:58 AM
{QUOTE->
ive noticed here and there, that during new scans, my Prevx picks up on a couple more infected files every few hours when i re-check it. :thumb: <-QUOTE}
That is automated research for you ;) I think Marco will be adding the rest in shortly if they don't all get automatically blocked by behavior in the meantime ;D
PrevxHelp
November 16th, 2008, 12:00 PM
{QUOTE-> Hello Prevx,
Does Prevx Edge (PE) protect against buffer overflows as Prevx 2.0 does? Does PE have outbound network control as Prevx 2.0 has? Until proven otherwise, I assume that it does not have the latter. Thanks in advance. <-QUOTE}
We detect threats employing buffer overflow exploits, but we do not have any network control. Network control duplicates functionality seen in free firewalls which we are compatible with, so we recommend that if the user wants to monitor/control outbound network access, they use one of those 3rd-party firewalls.
Thank you for your test as well :) If you get a chance, send those samples over to Marco or myself and we'll get rules added into the database to block them :)
Threedog
November 16th, 2008, 12:00 PM
That's not too shabby for default settings though. Try it again at Max/Med/Med on the sliders and see what happens if you have the time, Cogito. Those are the settings I have been using all along.
CogitoErgoSum
November 16th, 2008, 12:04 PM
{QUOTE-> Hello :)
Thank you for your test. Could you test even higher heuristic settings? And, moreover, would you be able to share undetected samples with us so that we can better tune our heuristic engine?
Thank you :) <-QUOTE}
Hello EraserHW,
Yes, I will retest the missed samples with higher heuristic settings and would be more than willing to share the missed samples with Prevx. Where specifically do I need to send these samples? Thanks in advance.
Peace & Gratitude,
CogitoErgoSum
EraserHW
November 16th, 2008, 12:05 PM
Just sent you a private message with e-mail address :)
Cretemonster
November 16th, 2008, 12:10 PM
{QUOTE-> Where specifically do I need to send these samples? <-QUOTE}
This will be sorted in the next 2-3 weeks hopefully, with a file submission site and support forum as well.
ako
November 16th, 2008, 12:10 PM
{QUOTE-> Another special thanks goes to everyone who has trusted and supported Prevx and our work always during these years ;) <-QUOTE}
Thanks! :)
Unfortunately :) I couldn't contribute in beta-testing, as Prevx Edge ran flawlessly for me! :thumb:
Coolio10
November 16th, 2008, 12:15 PM
{QUOTE-> This will be sorted in the next 2-3 weeks hopefully, with a file submission site and support forum as well. <-QUOTE}
Do you work for Prevx? If so, you should request an orange name because it's confusing now :).
Threedog
November 16th, 2008, 12:17 PM
I only had a few minor blips and PH was all over them like slime on a pond in no time. Edge was one of the most stable betas I ever tested.
C.S.J
November 16th, 2008, 12:34 PM
{QUOTE-> I'm going to be analyzing your remaining samples shortly, just to check that they are malicious, and then I'll add them into the DB :) <-QUOTE}
I have some I received today if you want them; to be honest, I'll probably just pass them on to you anyway, as well as to my DrWeb, which I usually do for samples I find.
PrevxHelp
November 16th, 2008, 12:42 PM
{QUOTE-> I have some I received today if you want them; to be honest, I'll probably just pass them on to you anyway, as well as to my DrWeb, which I usually do for samples I find. <-QUOTE}
We're always interested in new samples :) Marco would probably be more interested than myself, but if he is sleeping, send them to me and I'll take care of them ASAP.
C.S.J
November 16th, 2008, 12:51 PM
{QUOTE-> We're always interested in new samples :) Marco would probably be more interested than myself, but if he is sleeping, send them to me and I'll take care of them ASAP. <-QUOTE}
OK, I shall try and send them through email; just let me know if you get them.
Email is always dodgy; sometimes the file is too big to send and those dreaded mailer-daemon messages arrive. lol
PrevxHelp
November 16th, 2008, 01:07 PM
{QUOTE-> OK, I shall try and send them through email; just let me know if you get them.
Email is always dodgy; sometimes the file is too big to send and those dreaded mailer-daemon messages arrive. lol <-QUOTE}
Great :)
Also, I rescanned your files and everything that was actually malicious is found now.
(FWIW - Some of the remaining samples are garbage, so you might want to remove them: malware 103, 107, 108, 166, 169, 248.)
PrevxHelp
November 16th, 2008, 01:08 PM
{QUOTE-> Do you work for prevx? If so you should request an orange name because its confusing now :). <-QUOTE}
Yes he does, and another one of us should be coming here shortly as well :)
C.S.J
November 16th, 2008, 01:16 PM
{QUOTE-> Great :)
Also, I rescanned your files and everything that was actually malicious is found now.
(FWIW - Some of the remaining samples are garbage, so you might want to remove them: malware 103, 107, 108, 166, 169, 248.) <-QUOTE}
Yep, I will remove those 6 garbage files.
Just sent you another 30 or so from today (I forget the figure) :)
Edit: and 5 from the Bifrost set that I sent you were just detected now also.
Awesome!
Also, about the recent PM, it works fantastically, thanks.
ParaNodes
November 16th, 2008, 02:03 PM
Prevx folks,
Bug report:
1: Crashed last night when a Threatfire network rule triggered. Event Viewer logged:
"Faulting application prevx.exe, version 3.0.0.172, faulting module prevx.exe, version 3.0.0.172, fault address 0x00094e6b."
2: Crashed during boot this morning; no Threatfire sys. tray icon, but yes, TF services still running. Event Viewer logged:
"Faulting application prevx.exe, version 3.0.0.172, faulting module kernel32.dll, version 5.1.2600.5512, fault address 0x00009826."
Appears to have a conflict with TF.
Sys. Specs:
Intel P3600, 768 MB RAM
XP Pro SP3, fully patched
Threatfire 4.0.0.8
Avira Personal
PCtools FW+ 5.0.0.19
Iarsn TaskInfo
HTH
P
Edit: OK, seems to be the custom rules in TF, either the hosts or network rules; trying to pin it down.
PrevxHelp
November 16th, 2008, 02:06 PM
{QUOTE-> Prevx folks,
Bug report:
1: Crashed last night when a Threatfire network rule triggered. Event Viewer logged:
"Faulting application prevx.exe, version 3.0.0.172, faulting module prevx.exe, version 3.0.0.172, fault address 0x00094e6b."
2: Crashed during boot this morning; no Threatfire sys. tray icon, but yes, TF services still running. Event Viewer logged:
"Faulting application prevx.exe, version 3.0.0.172, faulting module kernel32.dll, version 5.1.2600.5512, fault address 0x00009826."
Appears to have a conflict with TF.
Sys. Specs:
Intel P3600, 768 MB RAM
XP Pro SP3, fully patched
Threatfire 4.0.0.8
Avira Personal
PCtools FW+ 5.0.0.19
HTH
P <-QUOTE}
Hello,
We are investigating this now and will report back shortly. Thank you for your information!
EDIT: I'm reproducing your setup as we speak to try and see if I can reproduce the crashes over here.
PrevxMalwareHelp
November 16th, 2008, 03:09 PM
Hi All,
If you have any new samples that are undetected, or any FPs that you find, message them to me via PM and I'll get them sorted ASAP.
C.S.J
November 16th, 2008, 03:11 PM
{QUOTE-> Hi All,
If you have any new samples that are undetected, or any FPs that you find, message them to me via PM and I'll get them sorted ASAP. <-QUOTE}
So, who's the one who now wants the samples?
All of you?
Would be nice if there was an email.
EraserHW
November 16th, 2008, 03:18 PM
{QUOTE-> Hello EraserHW,
Yes, I will retest the missed samples with higher heuristic settings and would be more than willing to share the missed samples with Prevx. Where specifically do I need to send these samples? Thanks in advance.
Peace & Gratitude,
CogitoErgoSum <-QUOTE}
Hello,
Thank you for the samples you sent me. I've had a look and I've added detections.
The file you sent me inside the unknown3.zip package is a clean one. It's the Windows 2000-KB823980-x86-ENU.exe, the Microsoft patch that addresses the MS03-026 vulnerability (the one used by MSBlast).
Thank you :)
PrevxMalwareHelp
November 16th, 2008, 03:28 PM
{QUOTE-> So, who's the one who now wants the samples?
All of you?
Would be nice if there was an email. <-QUOTE}
You can send them to jacques [_at_] prevx.com for now, we are working on a proper submission system in the next week or two.
These will come straight to me and I can add them straight away.
I'll send them to Joe/Marco if they want them.
Threedog
November 16th, 2008, 03:30 PM
We will soon have the whole Prevx family here!!!! That's good.
EraserHW
November 16th, 2008, 03:43 PM
{QUOTE-> We will soon have the whole Prevx family here!!!! That's good. <-QUOTE}
You see, some time ago someone was claiming we at Prevx didn't care about our users ;D
CogitoErgoSum
November 16th, 2008, 03:55 PM
Hello EraserHW,
I retested PE against the 15 missed samples with advanced heuristics set to "high" and "maximum". Unfortunately, none of the 15 were detected. On the other hand, when I set advanced heuristics back to "medium" and set age/popularity heuristics both to "medium", PE was able to detect 10 out of the 15 samples. Looking back at post #391, I am not sure if the 10 of 15 detection improvement was due to your signatures or the change in age/popularity heuristic settings.
Peace & Gratitude,
CogitoErgoSum
webbit
November 16th, 2008, 04:00 PM
So now we have Prevx Edge, which integrates CSI, and we also have Prevx 2, so if you put both on your computer you would have awesome protection!!?? Am I correct?
PrevxHelp
November 16th, 2008, 04:03 PM
{QUOTE-> So now we have Prevx Edge, which integrates CSI, and we also have Prevx 2, so if you put both on your computer you would have awesome protection!!?? Am I correct? <-QUOTE}
Well, you can use Edge and Prevx2 on the same computer, but there is a lot of overlap between the two. However, if you do use the more advanced features of Prevx2, they are an excellent complement to Edge's user-friendly protection :)
PrevxHelp
November 16th, 2008, 04:09 PM
{QUOTE-> Hello EraserHW,
I retested PE against the 15 missed samples with advanced heuristics set to "high" and "maximum". Unfortunately, none of the 15 were detected. On the other hand, when I set advanced heuristics back to "medium" and set age/popularity heuristics both to "medium", PE was able to detect 10 out of the 15 samples. Looking back at post #391, I am not sure if the 10 of 15 detection improvement was due to your signatures or the change in age/popularity heuristic settings.
Peace & Gratitude,
CogitoErgoSum <-QUOTE}
Advanced Heuristics are best applied during a real infection on an infected user's computer. Age/Popularity will work at any time and I'd believe they are what accounted for the increase in detection :)
C.S.J
November 16th, 2008, 04:10 PM
{QUOTE-> You can send them to jacques [_at_] prevx.com for now, we are working on a proper submission system in the next week or two.
These will come straight to me and I can add them straight away.
I'll send them to Joe/Marco if they want them. <-QUOTE}
OK, just sent in some more.
Been a boring day. :P
webbit
November 16th, 2008, 04:11 PM
I have them both running on XP at the moment, although only on a CSI licence for Edge, and they seem to be running OK. What sort of overlap do they have, and could they conflict with each other?
PrevxHelp
November 16th, 2008, 04:14 PM
{QUOTE-> I have them both running on XP at the moment, although only on a CSI licence for Edge, and they seem to be running OK. What sort of overlap do they have, and could they conflict with each other? <-QUOTE}
They overlap in some of the more simplistic definitions in the database, however, the new behavior protection in Edge will be additional on top of P2. In some cases, P2 may block malware before Edge or Edge may block it before P2 - it is a bit of a hit and miss as to which one will get to the file first, but in the end, the system will remain stable regardless of who gets to the file first :)
I'd think that the only conflict they would run into would be with self protection, however, currently Edge conflicts with itself in self protection so I'd recommend not using that just yet :)
webbit
November 16th, 2008, 04:26 PM
XP is my trial software OS, Vista is my main one. So is Edge ready to use yet? It seems not, by your last post.
PrevxHelp
November 16th, 2008, 04:30 PM
{QUOTE-> XP is my trial software OS, Vista is my main one. So is Edge ready to use yet? It seems not, by your last post. <-QUOTE}
It is ready to use on both XP and Vista - there are just some minor bugs (as there are in every software :) hence the need for an updater! :))
ambient_88
November 16th, 2008, 04:50 PM
Sorry if this has been addressed in the thread. Does Prevx Edge support Vista x64? Will it run under WOW64?
Thanks!
PrevxHelp
November 16th, 2008, 05:01 PM
{QUOTE-> Sorry if this has been addressed in the thread. Does Prevx Edge support Vista x64? Will it run under WOW64?
Thanks! <-QUOTE}
Edge does not currently support Vista x64 or XP x64 and it won't work correctly under WOW64. We are adding this, but it is a slow and grueling process.
webbit
November 16th, 2008, 05:18 PM
{QUOTE-> It is ready to use on both XP and Vista - there are just some minor bugs (as there are in every software :) hence the need for an updater! :)) <-QUOTE}
Will continue to use both on my XP partition; to move them onto my Vista partition to test them will require a new licence.
djohn
November 16th, 2008, 05:22 PM
NOD32 AntiVirus just killed prevx.exe as a Trojan Gen-something. I had to restore it from quarantine, add it to exclusions and submit the FP to ESET.
PrevxHelp
November 16th, 2008, 05:23 PM
{QUOTE-> NOD32 AntiVirus just killed prevx.exe as a Trojan Gen-something. I had to restore it from quarantine, add it to exclusions and submit the FP to ESET. <-QUOTE}
Thanks for letting us know. We'll get in contact with ESET to correct it.
djohn
November 16th, 2008, 05:34 PM
You're very welcome.
maddawgz
November 16th, 2008, 06:15 PM
Found this on Vista so went and manually removed it; hope it wasn't an FP.
http://www.prevx.com/filenames/X1629387885946727714-0/RAPIDUI2EEXE.html
C.S.J
November 16th, 2008, 06:21 PM
Hey Prevx Guys,
After having fun this weekend with the detection of EDGE, tonight I've really put its removal to the test with my infecting.
EDGE removed 'most' after a few reboots:
scan > remove > reboot > scan > remove > reboot, which, as you know, happens automatically.
However, there is one file that keeps popping up; I reboot as requested and it pops up once again. (I ain't sure which of the viruses has done this, but if you have managed to add detections for the samples I've sent this weekend, it's one of those, so I would like better removal if possible.)
Also, my IE is still plagued by a few redirections on certain well-known websites.
And here is what is left in IE, with its redirections.
Overall, removal isn't too bad, but needs to be improved in my opinion, or maybe it's just that one file it can't remove and detections need improving.
I shall see how it progresses.
Thanks for reading.
trjam
November 16th, 2008, 07:00 PM
Forgive me for my stupidity here, but I have to ask. Been offline most of the day and have just gone through all of today's posts. It seems that all I see are where people are sending in samples of malware to Prevx, to be what, added?
This is a zero-day threat product so I am kind of confused as to why all this back and forth sending of malware samples. Maybe I don't understand the premise of what zero-day protection means, and if so, PrevxHelp, I apologize.
But this reminds me of an AV swap meet. Just my 2 cents.:)
PrevxHelp
November 16th, 2008, 07:07 PM
{QUOTE-> Forgive me for my stupidity here, but I have to ask. Been offline most of the day and have just gone through all of today's posts. It seems that all I see are where people are sending in samples of malware to Prevx, to be what, added?
This is a zero-day threat product so I am kind of confused as to why all this back and forth sending of malware samples. Maybe I don't understand the premise of what zero-day protection means, and if so, PrevxHelp, I apologize.
But this reminds me of an AV swap meet. Just my 2 cents.:) <-QUOTE}
The samples that we're getting from CSJ are actually quite old (1+ year) and have been seen by virtually no users in the entire Prevx community. Also, as they are not real infections (they are just samples in a folder), they are out of context, which makes their behaviors/relationships different.
Hope that explains it :)
PrevxHelp
November 16th, 2008, 07:08 PM
{QUOTE-> Found this on Vista so went and manually removed it; hope it wasn't an FP.
http://www.prevx.com/filenames/X1629387885946727714-0/RAPIDUI2EEXE.html <-QUOTE}
That isn't a positive detection or a negative detection - it says it is currently being reviewed so we don't have a definitive answer on it just yet. You can send me the file if you want and I'll take a look at it :)
PrevxHelp
November 16th, 2008, 07:12 PM
{QUOTE-> Hey Prevx Guys,
After having fun this weekend with the detection of EDGE, tonight I've really put its removal to the test with my infecting.
EDGE removed 'most' after a few reboots:
scan > remove > reboot > scan > remove > reboot, which, as you know, happens automatically.
However, there is one file that keeps popping up; I reboot as requested and it pops up once again. (I ain't sure which of the viruses has done this, but if you have managed to add detections for the samples I've sent this weekend, it's one of those, so I would like better removal if possible.)
Also, my IE is still plagued by a few redirections on certain well-known websites. <-QUOTE}
Thank you for your analysis! If you could, can you send me a scan log from the infected machine so I can see if we are missing something? Sometimes an infection may slip through, and that could be what is re-dropping the malware you see in each removal attempt. That file could then be reinfecting other files, and then you get into the loop you see here.
If you were to have gone through the process a couple more times, Edge will generally detect that something isn't working right and then pop up a screen saying "Cleanup Failed - Please contact Prevx Support" where one of our researchers will analyze the infection manually and see why it isn't being cleaned properly.
We also don't "clean" IE currently, but we are developing an additional tool which will give users the ability to fix these kinds of settings.
trjam
November 16th, 2008, 07:59 PM
{QUOTE-> The samples that we're getting from CSJ are actually quite old (1+ year) and have been seen by virtually no users in the entire Prevx community. Also, as they are not real infections (they are just samples in a folder), they are out of context, which makes their behaviors/relationships different.
Hope that explains it :) <-QUOTE}
thanks PH.:)
EraserHW
November 16th, 2008, 08:22 PM
{QUOTE-> Hello EraserHW,
I retested PE against the 15 missed samples with advanced heuristics set to "high" and "maximum". Unfortunately, none of the 15 were detected. On the other hand, when I set advanced heuristics back to "medium" and set age/popularity heuristics both to "medium", PE was able to detect 10 out of the 15 samples. Looking back at post #391, I am not sure if the 10 of 15 detection improvement was due to your signatures or the change in age/popularity heuristic settings.
Peace & Gratitude,
CogitoErgoSum <-QUOTE}
OK, I totally forgot about replying :) Sorry :)
You can see if they have been detected by signature or heuristic when Edge advises you that a new threat has been blocked. If it says the name of the malware, then it has been detected by signature. If it says something like "Age/Spread Criteria..." then it has been detected by one of the heuristic engines.
n8chavez
November 16th, 2008, 08:31 PM
Although there is a lot to like about Edge, one thing I did not like is that it takes a very long time to launch any application because it is being scanned and sent to Prevx. I do not like that at all. It took nearly a minute and a half to launch Opera since I installed Edge. :(
PrevxHelp
November 16th, 2008, 08:33 PM
{QUOTE-> Although there is a lot to like about Edge, one thing I did not like is that it takes a very long time to launch any application because it is being scanned and sent to Prevx. I do not like that at all. It took nearly a minute and a half to launch Opera since I installed Edge. :( <-QUOTE}
The files aren't being sent to us - but they have to go through an initial authenticating process. If you open Opera again, does it open faster? (It should open substantially faster after the first time).
Please let me know what you experience :)
mvdu
November 16th, 2008, 09:07 PM
Hi,
I just bought Prevx Edge and I'm a little worried. I increased heuristics to high and get no alerts on the tests here:
http://www.wilderssecurity.com/showthread.php?t=218451
http://personalfirewall.comodo.com/cltinfo.html
Is it because these tests are trusted?
PrevxHelp
November 16th, 2008, 09:09 PM
{QUOTE-> Hi,
I just bought Prevx Edge and I'm a little worried. I increased heuristics to high and get no alerts on the tests here:
http://www.wilderssecurity.com/showthread.php?t=218451
http://personalfirewall.comodo.com/cltinfo.html
Is it because these tests are trusted? <-QUOTE}
Like other AV companies, we don't work to detect leaktests, rather, we detect real malicious software employing techniques like the ones in leaktests.
Leaktests have fundamentally different behavior from normal malware, so, while they are a valid test for a firewall or behavior blocker, they are not a valid test for most antivirus programs (unless the company explicitly creates a definition to block them).
We would personally much rather focus on blocking real threats ;D
mvdu
November 16th, 2008, 09:15 PM
Yes, but it would be nice if I could see it working on one of these tests. It would build confidence. I don't want to test with real malware. Now I'm debating if the purchase was worth it.
Threedog
November 16th, 2008, 09:21 PM
Hmmmm....you are wondering about your purchase because it won't pass a test for firewalls. Try the eicar test. It will make Edge throw up an alert if you want to see Edge at work without using real malware.
PrevxHelp
November 16th, 2008, 09:22 PM
{QUOTE-> Yes, but it would be nice if I could see it working on one of these tests. It would build confidence. I don't want to test with real malware. Now I'm debating if the purchase was worth it. <-QUOTE}
You can use the EICAR test virus, which is the only standardized antivirus test virus.
Also, I just downloaded the Zemana keyboard test and we do block/detect it as "Test Virus". Please let me know your results :)
Threedog
November 16th, 2008, 09:24 PM
This one will also make it throw up an alert.
http://www.grc.com/lt/leaktest.htm
mvdu
November 16th, 2008, 09:24 PM
I can start the Zemana test without an alert. What settings are you using?
Threedog
November 16th, 2008, 09:24 PM
Beat ya by a full minute there PH. Yer not keeping up the pace.
PrevxHelp
November 16th, 2008, 09:27 PM
{QUOTE-> I can start the Zemana test without an alert. What settings are you using? <-QUOTE}
It's found by the default settings - it is found by blacklisting, not by heuristics. Can you try running a scan and see if it is found? Also, does the main screen of Edge show "Status: Secure"?
PrevxHelp
November 16th, 2008, 09:27 PM
{QUOTE-> Beat ya by a full minute there PH. Yer not keeping up the pace. <-QUOTE}
Tsk tsk ;D I had to download the leaktest and run it!! ;D Fine, you win this battle...
Threedog
November 16th, 2008, 09:28 PM
The Zemana test is blocked here on default settings.
mvdu
November 16th, 2008, 09:35 PM
I got an alert when I downloaded Zemana from the site, but not when I ran the program that was already on my system.
Sportscubs1272
November 16th, 2008, 09:55 PM
Just installed the trial version and it flagged Vistumbler and JetAudio as rogue software. So no known conflicts with Outpost Security Suite and Threatfire?
PrevxHelp
November 16th, 2008, 10:09 PM
{QUOTE-> Just installed the trial version and it flagged Vistumbler and JetAudio as rogue software. So no known conflicts with Outpost Security Suite and Threatfire? <-QUOTE}
There "may" be a conflict with Threatfire, but we're still investigating it. It seems to be more related to PC Tools Firewall.
Could you save a scan log (Tools and Settings > Save Scan Results) and send me the entries for the two files so I can correct the FPs? :)
PrevxHelp
November 16th, 2008, 10:10 PM
{QUOTE-> I got an alert when I downloaded Zemana from the site, but not when I ran the program that was already on my system. <-QUOTE}
Is there any chance you clicked Trust Always on the file? Clicking this will cause it to not be detected at all. Also, which program exactly was on your system? It may be a different version than the one which we have added to the blacklist.
mvdu
November 16th, 2008, 10:17 PM
It ran a scan of my system programs at startup, but I didn't place it as trusted. If that had been an actual keylogger, would Prevx have detected the activity when it is started? I guess I can put back on PC Tools Firewall Plus for leak tests.
djohn
November 16th, 2008, 10:18 PM
{QUOTE-> Although there is a lot to like about Edge, one thing I did not like is that it takes a very long time to launch any application because it is being scanned and sent to Prevx. I do not like that at all. It took nearly a minute and a half to launch Opera since I installed Edge. :( <-QUOTE}
That may not sound like a long time, but when you're watching, waiting for the browser to open, it seems like eternity. What about IE, do you experience the same?
PrevxHelp
November 16th, 2008, 10:23 PM
{QUOTE-> It ran a scan of my system programs at startup, but I didn't place it as trusted. If that had been an actual keylogger, would Prevx have detected the activity when it is started? I guess I can put back on PC Tools Firewall Plus for leak tests. <-QUOTE}
Yes, if it was an actual keylogger it would have blocked it, but it is possible that there is an incompatibility on your system, causing Edge to not function properly. On Zemana.com, can you click Security Test, and then download the KeyLogger Test Program and try running that? If that runs, then it means there is something wrong with your configuration. If you want, I can remotely diagnose your computer to see what's wrong and correct any problem. Please drop me a PM with your results/decision :)
mvdu
November 16th, 2008, 10:24 PM
Oh I just remembered - the test I'm referring to is a modified one with the digital signature removed for testing with Kaspersky. So it is not the same, but still should be detected?
PrevxHelp
November 16th, 2008, 10:25 PM
{QUOTE-> That may not sound like a long time, but when you're watching, waiting for the browser to open, it seems like eternity. What about IE, do you experience the same? <-QUOTE}
I just tried side-by-side with Opera and a first Edge installation and it added 3 seconds onto the start time. I have a relatively fast internet connection, but that is a very significant difference from your test. Could you give me some details on your security configuration so I can help diagnose it better?
PrevxHelp
November 16th, 2008, 10:26 PM
{QUOTE-> Oh I just remembered - the test I'm referring to is a modified one with the digital signature removed for testing with Kaspersky. So it is not the same, but still should be detected? <-QUOTE}
Ah :) Well, the signatures we have on these leaktests are plain signatures. Doing something like removing the digital signature critically changes the characteristics of the file and is most likely the cause for the dropped detection.
Just for sanity's sake, can you try downloading the original file to see if we still block that (just to make sure your setup is configured properly).
mvdu
November 16th, 2008, 10:27 PM
Yep, everything works fine with the actual test, so Prevx did its job there. :thumb:
djohn
November 16th, 2008, 10:31 PM
{QUOTE-> I just tried side-by-side with Opera and a first Edge installation and it added 3 seconds onto the start time. I have a relatively fast internet connection, but that is a very significant difference from your test. Could you give me some details on your security configuration so I can help diagnose it better? <-QUOTE}
No no, that was not my results, I was responding to Chavez. I however am only on trial, which does not scan real time, am I correct?
PrevxHelp
November 16th, 2008, 10:33 PM
{QUOTE-> No no, that was not my results, I was responding to Chavez. I however am only on trial, which does not scan real time, am I correct? <-QUOTE}
Oops :) Misquoted there :)
The trial has precisely the same system load and realtime scanning as the full version. If you want, I can get you a full trial license key which will enable the last bit of the features (malware blocking) but it is an identical load/impact as the trial version.
PrevxHelp
November 16th, 2008, 10:33 PM
{QUOTE-> Yep, everything works fine with the actual test, so Prevx did its job there. :thumb: <-QUOTE}
Ok, perfect :) Thanks for letting me know!
PrevxHelp
November 16th, 2008, 10:34 PM
{QUOTE-> Just installed the trial version and it flagged Vistumbler and JetAudio as rogue software. So no known conflicts with Outpost Security Suite and Threatfire? <-QUOTE}
We've corrected the false positives :) Please try rescanning and it will no longer detect those programs. (Like most of the false positives reported here, these were found under heuristics which were just a bit too touchy.)
djohn
November 16th, 2008, 10:36 PM
{QUOTE-> Oops :) Misquoted there :)
The trial has precisely the same system load and realtime scanning as the full version. If you want, I can get you a full trial license key which will enable the last bit of the features (malware blocking) but it is an identical load/impact as the trial version. <-QUOTE}
Yes please thank you kindly.
djohn
November 16th, 2008, 10:56 PM
Got the license, thank you. Just a few notations here: I rebooted and there is no system tray; however, in Processes prevx.exe is running. I did another scan and came up with this, which is part of FirstDefense PC Rescue.
PrevxHelp
November 16th, 2008, 10:58 PM
{QUOTE-> Got the license, thank you. Just a few notations here: I rebooted and there is no system tray; however, in Processes prevx.exe is running. I did another scan and came up with this, which is part of FirstDefense PC Rescue. <-QUOTE}
This could be FD-ISR hiding part of itself from Edge. We can prevent this from happening if you click Tools and Settings > Save Scan Results, I can mark it as a trusted program globally.
Also, can you see if there are two prevx.exe processes running? There should be one under SYSTEM and one under your user account. If not, please let me know :)
djohn
November 16th, 2008, 11:08 PM
{QUOTE-> This could be FD-ISR hiding part of itself from Edge. We can prevent this from happening if you click Tools and Settings > Save Scan Results, I can mark it as a trusted program globally.
Also, can you see if there are two prevx.exe processes running? There should be one under SYSTEM and one under your user account. If not, please let me know :) <-QUOTE}
Ok, all I see is under Applications; running under Processes, 1 exe and nothing in Services. Err...???
PrevxHelp
November 16th, 2008, 11:13 PM
{QUOTE-> Ok, all I see is under Applications; running under Processes, exe and nothing in Services. Err...??? <-QUOTE}
Ok, this is definitely indicative of some incompatibility. I think NOD32 does have a false positive on us, but I'm not sure. Are you using any other security software than what you currently have in your signature? We've seen similar problems from other users, but so far there has been no readily reproducible reason as to why it's happening.
Please let us know if you have any ideas or if you'd be willing to have one of our engineers analyze your system to help solve the potential incompatibility.
Thank you for your patience :)
djohn
November 16th, 2008, 11:22 PM
Ok, I just realized the monitoring was disabled. I do not believe I stopped it, but I will keep an eye on it; if it stops again, then I will try it without NOD32 and see what happens.
PrevxHelp
November 16th, 2008, 11:24 PM
{QUOTE-> Ok, I just realized the monitoring was disabled. I do not believe I stopped it, but I will keep an eye on it; if it stops again, then I will try it without NOD32 and see what happens. <-QUOTE}
Ok, please let me know what you find or any other information which could lead us to be able to reproduce it internally in the morning.
djohn
November 16th, 2008, 11:34 PM
{QUOTE-> Ok, please let me know what you find or any other information which could lead us to be able to reproduce it internally in the morning. <-QUOTE}
Thanks again and will do.
cp4eva
November 16th, 2008, 11:39 PM
{QUOTE-> Just installed the trial version and it flagged Vistumbler and JetAudio as rogue software. So no known conflicts with Outpost Security Suite and Threatfire? <-QUOTE}
I've been running it alongside Threatfire 4.0.0.8 with no troubles.
djohn
November 16th, 2008, 11:54 PM
{QUOTE-> Ok, this is definitely indicative of some incompatibility. I think NOD32 does have a false positive on us, but I'm not sure. Are you using any other security software than what you currently have in your signature? We've seen similar problems from other users, but so far there has been no readily reproducible reason as to why it's happening.
Please let us know if you have any ideas or if you'd be willing to have one of our engineers analyze your system to help solve the potential incompatibility.
Thank you for your patience :) <-QUOTE}
No, just what is in my signature is the only security that is on. Sorry for the late response.
PrevxHelp
November 17th, 2008, 12:00 AM
{QUOTE-> No, just what is in my signature is the only security that is on. Sorry for the late response. <-QUOTE}
Could you possibly try rebooting your system? (or, have you rebooted since installation?)
So far, two users have had this problem completely resolved by simply rebooting. It might not be something this simplistic, but it is possible. Please let me know :)
djohn
November 17th, 2008, 12:11 AM
It's ok at this time; I will post any further findings tomorrow. Get some sleep, sir, you must be tired from me alone. Have a good night.
C.S.J
November 17th, 2008, 01:12 AM
{QUOTE-> The sample that we're getting from CSJ are actually quite old (1+ year) and have been seen by virtually no users in the entire Prevx community. Also, as they are not real infections (they are just samples in a folder), they are out of context which makes their behaviors/relationships different.
Hope that explains it :) <-QUOTE}
While they may seem old to you, these are active infections that I've got in the past few months, ones that Prevx misses.
Not real infections? ... Double click a few and see for yourself the havoc on your machine.
It's really not my job to make sure it's in context for you.
PrevxHelp
November 17th, 2008, 01:14 AM
{QUOTE-> While they may seem old to you, these are active infections that I've got in the past few months, ones that Prevx misses.
Not real infections? ... Double click a few and see for yourself the havoc on your machine.
It's really not my job to make sure it's in context for you. <-QUOTE}
Yes, I know that you were actually affected by them, but the fact remains that they are quite old (our database may have just seen them before you ran into them) but of course we do know that they are real infections (and we are now detecting them as such :))
mvdu
November 17th, 2008, 01:41 AM
Saw a false positive on the online updater for the known desktop weather program WeatherPulse. I'll try heuristics on medium and see if I can get the same FP. Are medium heuristics recommended?
And Prevx should get along with the Avira AntiVir Suite (without the firewall) and PC Tools Firewall Plus, right?
mvdu
November 17th, 2008, 01:44 AM
It appears there is no false positive with heuristics on medium.
PrevxHelp
November 17th, 2008, 01:45 AM
{QUOTE-> Saw a false positive on the online updater for the known desktop weather program WeatherPulse. I'll try heuristics on medium and see if I can get the same FP. Are medium heuristics recommended?
And Prevx should get along with the Avira AntiVir Suite (without the firewall) and PC Tools Firewall Plus, right? <-QUOTE}
Some of those weather programs are "grayware" (like WeatherBug). It might be worth sending me over a scan log or download link as to where to get it (via PM so we don't accidentally spam potentially unwanted URLs on Wilders :))
(Medium heuristics are recommended)
Edge should get along fine with Avira, but we did recently see a couple users having some problems with PC Tools Firewall and Edge, however, nothing is definitive enough to say unequivocally that it was PC Tools FW + Edge that were interacting badly. Just for the sake of getting more information on the issue, it might be worth having you test it against PC Tools FW as well - we are going to be setting up test environments using a large number of combinations of PC Tools FW + Edge + other security products to hopefully narrow down where the issue lies.
PrevxHelp
November 17th, 2008, 01:46 AM
{QUOTE-> It appears there is no false positive with heuristics on medium. <-QUOTE}
Ah ok, good to know. I would still be interested in the scan log to help tune the heuristics rules to prevent it in the future if you have it on hand :) (please send either the single entry or the entire log via PM)
mvdu
November 17th, 2008, 02:05 AM
I sent you a PM. So far working well here with the PC Tools firewall.
doktornotor
November 17th, 2008, 03:17 AM
{QUOTE->
Edge should get along fine with Avira, but we did recently see a couple users having some problems with PC Tools Firewall and Edge, however, nothing is definitive enough to say unequivocally that it was PC Tools FW + Edge that were interacting badly. <-QUOTE}
Well, I got a basically frozen system a couple of minutes after I installed PC Tools Firewall 5.0.0.19 beta and rebooted. Disabling Enhanced Security Verification under the Filtering tab in PCT FW solved this completely. No problem w/ Avira Free/Premium.
EDIT: I'll test again with 5.0.0.25 just released (http://www.pctools.com/forum/showthread.php?p=195512#post195512).
{QUOTE->
New ESV (Enhanced Security Verification) driver - more secure and more stable. Solves the following problems:
- 100% CPU caused by GDI kernel hooks
- System hangs caused by previous driver
- Faster game mode (frame rate is almost the same with and without the ESV engine)
<-QUOTE}
EDIT2: Forget this, lot worse, had to uninstall PCT FW in safe mode, otherwise logging in resulted in a frozen system. Happened with PrevX Edge uninstalled as well... so, to conclude, this ESV feature in PCT FW is plain broken and should be disabled by default.
EDIT3: Scratch the above. Nice waste of time with reinstalling the old .19 version - because providing installers with a filename reflecting the version is apparently too difficult for some vendors, so you end up downloading outdated stuff from outdated mirrors... :thumbd: >:( :wacko:
CogitoErgoSum
November 17th, 2008, 09:33 AM
{QUOTE->
And, moreover, would you be able to share undetected samples with us so that we can better tune our heuristic engine?
<-QUOTE}
Hello EraserHW,
In regards to your above quote, does Prevx convert undetected samples into traditional antivirus-like blacklist signatures, or are they really used to physically fine-tune their heuristics engines? The reason that I am asking is because the main reason that I purchased Prevx Edge (PE) is because of its advanced behavioral heuristics, application of whitelisting and community detection network, and ability to detect and block zero-day threats (exploit-targeted malware or malware that bypasses most, if not all, of the thirty-five or so antivirus scanners) with little or no help from traditional blacklist signatures.
In other words, I am under the impression that "most" of PE's ability to detect and block malware is derived from heuristics and the community detection network and not from signatures. I am not at all interested in installing and purchasing another blacklist scanner.
Lastly, approximately what percentage of heuristics, whitelisting, blacklisting and community can be typically attributed to PE's ability to detect and block malware?
Peace & Gratitude,
CogitoErgoSum
PrevxHelp
November 17th, 2008, 09:38 AM
{QUOTE-> Hello EraserHW,
In regards to your above quote, does Prevx convert undetected samples into traditional antivirus-like blacklist signatures, or are they really used to physically fine-tune their heuristics engines? The reason that I am asking is because the main reason that I purchased Prevx Edge (PE) is because of its advanced behavioral heuristics, application of whitelisting and community detection network, and ability to detect and block zero-day threats (exploit-targeted malware or malware that bypasses most, if not all, of the thirty-five or so antivirus scanners) with little or no help from traditional blacklist signatures.
In other words, I am under the impression that "most" of PE's ability to detect and block malware is derived from heuristics and the community detection network and not from signatures. I am not at all interested in installing and purchasing another blacklist scanner.
Lastly, approximately what percentage of heuristics, whitelisting, blacklisting and community can be typically attributed to PE's ability to detect and block malware? <-QUOTE}
(I'll answer for Marco :))
Besides some one-off samples which appear periodically, we almost always add heuristic rules to catch malware as it is simply not economical to only detect one file when there are most likely similar variants floating around.
Very few of our signatures are derived from plain blacklisting. We have some signatures which catch millions of samples with one heuristic signature - definitely not useful if we were to add each one manually ;D
I don't have a specific percentage, but literally everything is community based (not user decision - automated heuristics community based) and it is a bit of a rarity that we actually mark a single file bad.
CogitoErgoSum
November 17th, 2008, 09:45 AM
{QUOTE-> (I'll answer for Marco :))
Besides some one-off samples which appear periodically, we almost always add heuristic rules to catch malware as it is simply not economical to only detect one file when there are most likely similar variants floating around.
Very few of our signatures are derived from plain blacklisting. We have some signatures which catch millions of samples with one heuristic signature - definitely not useful if we were to add each one manually ;D
I don't have a specific percentage, but literally everything is community based (not user decision - automated heuristics community based) and it is a bit of a rarity that we actually mark a single file bad. <-QUOTE}
Hello PH,
The clarification was very much appreciated and reassuring.
Peace & Gratitude,
CogitoErgoSum
Kees1958
November 17th, 2008, 09:52 AM
{QUOTE->
Very few of our signatures are derived from plain blacklisting. We have some signatures which catch millions of samples with one heuristic signature - definitely not useful if we were to add each one manually ;D
<-QUOTE}
"Very few" is still plain old fashioned blacklisting, CogitoErgoSum just stopped living dangerously (now with a blacklist) :P
CogitoErgoSum
November 17th, 2008, 09:57 AM
{QUOTE-> Ok, I totally forgot about replying :) Sorry :)
You can see if they have been detected by signature or heuristic when Edge advises you that a new threat has been blocked. If it says the name of the malware, then it has been detected by signature. If it says something like "Age/Spread Criteria..." then it has been detected by one of the heuristic engines. <-QUOTE}
Hello EraserHW,
Thank you for the explanation.
Peace & Gratitude,
CogitoErgoSum
PrevxHelp
November 17th, 2008, 09:58 AM
{QUOTE-> Hello EraserHW,
Thank you for the explanation. <-QUOTE}
Also, to clarify his response as well - that means it has been found by ONE of the heuristic engines, one of the unique ones to Edge which measures Age/Popularity (the bottom two sliders in the Heuristics Settings page).
The other heuristics are applied silently behind the detections :)
CogitoErgoSum
November 17th, 2008, 10:09 AM
{QUOTE-> "Very few" is still plain old fashioned blacklisting, CogitoErgoSum just stopped living dangerously (now with a blacklist) :P <-QUOTE}
Hello Kees,
Can't win 'em all. Well, at least PE is not an antivirus in the traditional sense.:D
Peace & Gratitude,
CogitoErgoSum
Kees1958
November 17th, 2008, 10:38 AM
Just teasing, my friend.
I have to admit I am surprised by both Prevx and A2 Malware with their improved applications.
djohn
November 17th, 2008, 12:45 PM
Just curious on the heuristics of program age and program popularity: what settings would be best, or should I say most likely set by users here? Example: I have mine set to the following: advanced heuristics at max, program age medium and popularity low.
rollers
November 17th, 2008, 12:51 PM
I had Prevx Edge on for one day yesterday, the paid version, as I could not do a full trial without paying. I must admit the idea of one program protects all sounded great, so that's what I tried. The first day of using it I ran into a problem. I got hit with a DNS-changing rootkit trojan; Prevx found it and said it had deleted it. Then my searches got redirected. A scan with antimalwarebytes found 6 more files all related to this trojan. So I am afraid the one security app to protect all does not work for me and I have gone back to the full Norton IS 2009. I have taken it off my machine with a full restore with Acronis. I have requested a refund but am still to hear back.
Rollers
jmonge
November 17th, 2008, 12:58 PM
{QUOTE-> I had Prevx Edge on for one day yesterday, the paid version, as I could not do a full trial without paying. I must admit the idea of one program protects all sounded great, so that's what I tried. The first day of using it I ran into a problem. I got hit with a DNS-changing rootkit trojan; Prevx found it and said it had deleted it. Then my searches got redirected. A scan with antimalwarebytes found 6 more files all related to this trojan. So I am afraid the one security app to protect all does not work for me and I have gone back to the full Norton IS 2009. I have taken it off my machine with a full restore with Acronis. I have requested a refund but am still to hear back.
Rollers <-QUOTE}
It happens to me too. The first week it was just perfect :thumb:, that was the trial, but after it started to give me so many problems with other programs I decided to delete it. I wanted to love it, but I guess I am still in love with DefenseWall and Malware Defender :thumb:
GES/POR
November 17th, 2008, 01:02 PM
{QUOTE-> I had Prevx Edge on for one day yesterday, the paid version, as I could not do a full trial without paying. I must admit the idea of one program protects all sounded great, so that's what I tried. The first day of using it I ran into a problem. I got hit with a DNS-changing rootkit trojan; Prevx found it and said it had deleted it. Then my searches got redirected. A scan with antimalwarebytes found 6 more files all related to this trojan. So I am afraid the one security app to protect all does not work for me and I have gone back to the full Norton IS 2009. I have taken it off my machine with a full restore with Acronis. I have requested a refund but am still to hear back.
Rollers <-QUOTE}
NIS isn't exactly Superman either.
jmonge
November 17th, 2008, 01:04 PM
{QUOTE-> NIS isn't exactly Superman either. <-QUOTE}
None of them are, but the advice is stay with the one you like ;D
webbit
November 17th, 2008, 01:15 PM
We have just registered our licence with Prevx and I am a bit concerned at the information that is stored within "my account"; stored is the infected file and various other things. Can you please explain why you need this information?
djohn
November 17th, 2008, 01:23 PM
{QUOTE-> I had Prevx Edge on for one day yesterday, the paid version, as I could not do a full trial without paying. I must admit the idea of one program protects all sounded great, so that's what I tried. The first day of using it I ran into a problem. I got hit with a DNS-changing rootkit trojan; Prevx found it and said it had deleted it. Then my searches got redirected. A scan with antimalwarebytes found 6 more files all related to this trojan. So I am afraid the one security app to protect all does not work for me and I have gone back to the full Norton IS 2009. I have taken it off my machine with a full restore with Acronis. I have requested a refund but am still to hear back.
Rollers <-QUOTE}
It sounds like it detected it after the fact, when you were already infected. So often this happens with many apps; it can happen with Norton as well. But IMO what a product detects it should stop at the gate, so to speak, or what it detects later it should be able to clean. This is the problem with so many security apps: they detect what's already there, too little too late, or they stop it but cannot clean it, or they completely miss it, and sometimes we get lucky and they do it all. So IMO there is no such thing as a perfect all-in-one security, and IMO a layered approach is still needed regardless of claims by any vendor.
Rivalen
November 17th, 2008, 01:28 PM
I installed it, but everything is slower than before. I'll let it run for a while and see what happens.
Is this community based so that PrEd reports home?
I uninstalled Outpost a while back so I don't know what's happening outbound with only WinFW.
Threatfire allows you to disable community contact - can I do the same with PrEd?
Best Regards
PrevxHelp
November 17th, 2008, 02:23 PM
{QUOTE-> I installed it, but everything is slower than before. I'll let it run for a while and see what happens.
Is this community based so that PrEd reports home?
I uninstalled Outpost a while back so I don't know what's happening outbound with only WinFW.
Threatfire allows you to disable community contact - can I do the same with PrEd?
Best Regards <-QUOTE}
Edge depends on the community database for scanning, but everything is anonymous of course and we don't collect any personal information (we only collect signatures of program behavior - no documents, no other information, etc.)
There may be a marginal slowdown, but it should not affect performance much. Please let us know what you find after using it for a bit longer.
PrevxHelp
November 17th, 2008, 02:27 PM
{QUOTE-> I had Prevx Edge on for one day yesterday, the paid version, as I could not do a full trial without paying. I must admit the idea of one program protects all sounded great, so that's what I tried. The first day of using it I ran into a problem. I got hit with a DNS-changing rootkit trojan; Prevx found it and said it had deleted it. Then my searches got redirected. A scan with antimalwarebytes found 6 more files all related to this trojan. So I am afraid the one security app to protect all does not work for me and I have gone back to the full Norton IS 2009. I have taken it off my machine with a full restore with Acronis. I have requested a refund but am still to hear back.
Rollers <-QUOTE}
The issue here is that we just didn't correct the DNS settings, which we can help you with manually if you come into our inbox.
No antivirus product is perfect, and no one claims they are. Of course we will miss things - MalwareBytes tends to find dormant, non-threatening components. Was it able to correct your DNS settings, or was the restore the only way?
Generally, we request that if you have a problem with our products that you let us know and we will definitely work with you to correct it.
PrevxHelp
November 17th, 2008, 02:29 PM
{QUOTE-> We have just registered our licence with Prevx and I am a bit concerned at the information that is stored within "my account"; stored is the infected file and various other things. Can you please explain why you need this information? <-QUOTE}
This information is stored for your personal use only, to help manage multiple PCs being monitored for infections. It is beneficial to users that have many computers or want historical data, but, if you don't want this information, you can just not use/delete the account and the information will be inaccessible.
PrevxHelp
November 17th, 2008, 02:31 PM
{QUOTE-> It happens to me too. The first week it was just perfect :thumb:, that was the trial, but after it started to give me so many problems with other programs I decided to delete it. I wanted to love it, but I guess I am still in love with DefenseWall and Malware Defender :thumb: <-QUOTE}
We still have not had any definitive reports of problems, so, it is very hard to see what's going wrong. If you could shed some light as to what you think the incompatibility may be, this would be very helpful.
Many Wilders users have dozens of security applications installed, bound to cause SOME incompatibility. It's just difficult to get it to work with everything and to find what is breaking the compatibility.
The best thing to do would be to let us know what isn't working so we can work on resolving the problem :)
emperordarius
November 17th, 2008, 02:32 PM
A couple of questions:
-How come Prevx is compatible with other AVs while it's an AV itself?
-Can I use the HIPS with Comodo's D+ or should I disable one of them?
PrevxHelp
November 17th, 2008, 02:34 PM
{QUOTE-> A couple of questions:
-How come Prevx is compatible with other AVs while it's an AV itself?
-Can I use the HIPS with Comodo's D+ or should I disable one of them? <-QUOTE}
Edge is compatible with other AVs because when it detects malware, it doesn't interfere with other software's attempts to detect the malware as well (but does prevent it from loading or accessing the system in any way). This way, multiple AVs can find the same file at once without breaking anything or crashing the system.
You can use Edge alongside Comodo's Defense+, we have not experienced any problems with both of them :thumb:
PrevxHelp
November 17th, 2008, 02:35 PM
{QUOTE-> Just curious on the heuristics of program age and program popularity: what settings would be best, or should I say most likely set by users here? Example: I have mine set to the following: advanced heuristics at max, program age medium and popularity low. <-QUOTE}
These settings should be fine. We have worked on tuning the heuristics to perform best (tightest balance of false positives versus detection) at the default settings, however, if you don't experience any problems, it should be fine to move the protection up higher :)
emperordarius
November 17th, 2008, 02:37 PM
{QUOTE-> Edge is compatible with other AVs because when it detects malware, it doesn't interfere with other software's attempts to detect the malware as well (but does prevent it from loading or accessing the system in any way). This way, multiple AVs can find the same file at once without breaking anything or crashing the system.
You can use Edge alongside Comodo's Defense+, we have not experienced any problems with both of them :thumb: <-QUOTE}
Looks nice, a kind of SAS of the antivirus category ;D
Might give it a ride, if it's not too resource intensive.
PrevxHelp
November 17th, 2008, 02:41 PM
{QUOTE-> Looks nice, a kind of SAS of the antivirus category ;D
Might give it a ride, if it's not too resource intensive. <-QUOTE}
Resource usage should be very light and the only real slowdown you may see is directly after loading a new, rarely used program.
Please let me know what you think :)
C.S.J
November 17th, 2008, 02:43 PM
{QUOTE-> Resource usage should be very light and the only real slowdown you may see is directly after loading a new, rarely used program.
Please let me know what you think :) <-QUOTE}
Yep, it's light.
The only slight delay I see is loading the actual GUI itself; it takes a few seconds for me.
rollers
November 17th, 2008, 02:52 PM
{QUOTE-> It sounds like it detected it after the fact, when you were already infected. So often this happens with many apps; it can happen with Norton as well. But IMO what a product detects it should stop at the gate, so to speak, or what it detects later it should be able to clean. This is the problem with so many security apps: they detect what's already there, too little too late, or they stop it but cannot clean it, or they completely miss it, and sometimes we get lucky and they do it all. So IMO there is no such thing as a perfect all-in-one security, and IMO a layered approach is still needed regardless of claims by any vendor. <-QUOTE}
Hi, thanks for your response. The infection was not on before I used Prevx. It happened whilst I was using it, and it did not prevent it from installing enough components to function. Unfortunately I do not trust a system that has had a rootkit on it, so Acronis was the only answer for me. If it's a stealth rootkit, you never know which bits are still on there and working. I am not knocking the new Prevx, but it does not hold enough confidence for me to run as an only program. I have been running NIS for some time and never had a problem (confirmed by other scans such as MBAM). I have Prevx on for one day, get hosed. I guess it is good to run alongside other programs, but not what I was looking for.
PrevxHelp
November 17th, 2008, 02:56 PM
{QUOTE-> Hi, thanks for your response. The infection was not on before I used Prevx. It happened whilst I was using it, and it did not prevent it from installing enough components to function. Unfortunately I do not trust a system that has had a rootkit on it, so Acronis was the only answer for me. If it's a stealth rootkit, you never know which bits are still on there and working. I am not knocking the new Prevx, but it does not hold enough confidence for me to run as an only program. I have been running NIS for some time and never had a problem (confirmed by other scans such as MBAM). I have Prevx on for one day, get hosed. I guess it is good to run alongside other programs, but not what I was looking for. <-QUOTE}
I bet this is just luck of the draw. The one day you decided to try out the new product you get infected. It's very possible that NIS would have missed it as well, MBAM could have actually been missing it also.
It's always useful to use multiple security programs, but for many users, Edge is enough - it really just depends what you run into on a day to day basis. Some infections will always get through no matter what you have installed (hence why many users here have 20+ security apps installed ;D)
CogitoErgoSum
November 17th, 2008, 03:05 PM
{QUOTE-> Just curious on the heuristics of program age and program popularity: what settings would be best, or should I say most likely set by users here? Example: I have mine set to the following: advanced heuristics at max, program age medium and popularity low. <-QUOTE}
Hello djohn,
Based upon recent tests against over 77 malware samples, I have come to the conclusion that setting advanced heuristics to "medium(default)", program age to "medium" and popularity to "medium" provides a good compromise between minimum false positives and effective detection performance. FYI, these are the settings that I personally use.
Hope this helps.
Peace & Gratitude,
CogitoErgoSum
djohn
November 17th, 2008, 03:26 PM
{QUOTE-> Hello djohn,
Based upon recent tests against over 77 malware samples, I have come to the conclusion that setting advanced heuristics to "medium(default)", program age to "medium" and popularity to "medium" provides a good compromise between minimum false positives and effective detection performance. FYI, these are the settings that I personally use.
Hope this helps.
Peace & Gratitude,
CogitoErgoSum <-QUOTE}
Thanks for your response. Sounds like a good balance of detection without excessive FPs :thumb:
CogitoErgoSum
November 17th, 2008, 03:29 PM
{QUOTE-> Thanks for your response. Sounds like a good balance of detection without excessive FPs :thumb: <-QUOTE}
Hello djohn,
You are very welcome.
Peace & Gratitude,
CogitoErgoSum
Nunes
November 17th, 2008, 03:31 PM
Since yesterday, on my PC Edge gets disabled after a few minutes of running. Perhaps reinstalling could help?
PrevxHelp
November 17th, 2008, 03:33 PM
{QUOTE-> Since yesterday, on my PC Edge gets disabled after a few minutes of running. Perhaps reinstalling could help? <-QUOTE}
Hello,
We will have a new test version out later today which would be very helpful if you wouldn't mind trying out :) Or, one of our researchers can connect to your comp now and help you solve it immediately.
webbit
November 17th, 2008, 03:44 PM
{QUOTE-> I bet this is just luck of the draw. The one day you decided to try out the new product you get infected. It's very possible that NIS would have missed it as well, MBAM could have actually been missing it also.
It's always useful to use multiple security programs, but for many users, Edge is enough - it really just depends what you run into on a day to day basis. Some infections will always get through no matter what you have installed (hence why many users here have 20+ security apps installed ;D) <-QUOTE}
Hi,
whenever I use multiple security products... I have used BitDefender for 3 years now, and their support will always blame any other security software for my problems; they always tell me to uninstall all other security software.
Franklin
November 17th, 2008, 03:45 PM
Seems Edge and CSI may be the same app with less features turned on in CSI.
If CSI is installed first then the CSI gui comes up at installing Edge?
Copyright ©2002 - 2010, Wilders Security Forums