
I think that Prevx has too many FPs.


bonedriven
May 4th, 2009, 09:42 PM
Prevx detects viruses which no other vendors can. When I uploaded these "viruses" to VirusTotal, the result could often be 1/41.

Today I uploaded a "virus" detected by the updated Prevx CSI to VT, and the result was "0/41".

And on Prevx's website, they also provide detailed virus information, like what this virus does, etc. So has this virus already been analyzed by them?

I often heard that Avira has many FPs, but it has never given me an FP on my PC since version 8. Yet I seldom hear complaints about Prevx's FPs, which is really strange to me.

Now I'm the one who wants to complain that "Prevx has too many FPs." By the way, the GUI is not user friendly either.

I like Prevx. But I hope you make it better.

Dr33
May 4th, 2009, 10:44 PM
If they provide detailed information :blink:, to me it seems they have analyzed it.

All products have FPs.

If you never got an Avira FP, that's good, but keep in mind that many Prevx customers also never get any FPs.

The GUI is under development and many more features are going to be implemented soon.

bonedriven
May 5th, 2009, 03:25 AM
-{ Quote: "If they provide detailed information :blink:, to me it seems they have analyzed it.

All products have FPs.

If you never got an Avira FP, that's good, but keep in mind that many Prevx customers also never get any FPs.

" }-
Is this file under system32 a virus?
File Behavior

WLGPCLNT.DLL has been seen to perform the following behavior:

* The Process is polymorphic and can change its structure

WLGPCLNT.DLL has been the subject of the following behavior:

* Created as a process on disk

Country Of Origin

The filename WLGPCLNT.DLL was first seen on May 5 2008 in the following geographical regions of the Prevx community:

* The EUROPEAN UNION on May 5 2008
* SPAIN on May 5 2008
* CANADA on Nov 14 2008
* KOREA, REPUBLIC OF on May 1 2009
Vendor, Product and Version Information

Files with the name WLGPCLNT.DLL have been seen to have the following Vendor, Product and Version Information in the file header:

* Microsoft Corporation; 802.11 Group Policy Client; 6.0.6001.18000 (longhorn_rtm.080118-1840)
* Microsoft Corporation; 802.11 Group Policy Client; 6.0.6002.16497

File Type

The filename WLGPCLNT.DLL is used by multiple object types including objects, Dynamic Link Librarie

progress
May 5th, 2009, 03:53 AM
I used Prevx for about 2 weeks and I had 5 FPs, no problem for me so far. But ordinary Joe (my wife ;D ) would ask all the time: Is it malware? Is it a virus? What have I done?

I think a behavior blocker is the better choice for ordinary Joe :)

raven211
May 5th, 2009, 04:50 AM
-{ Quote: "I used Prevx for about 2 weeks and I had 5 FPs, no problem for me so far. But ordinary Joe (my wife ;D ) would ask all the time: Is it malware? Is it a virus? What have I done?

I think a behavior blocker is the better choice for ordinary Joe :)" }-

Wow... 5 in two weeks? That sounds like quite a lot... For the ordinary Joe I would rather install something that's completely automatic. If it wasn't for the FPs of Prevx, you could've set that to automatic operation in the settings.

raven211
May 5th, 2009, 04:51 AM
-{ Quote: "If they provide detailed information :blink:, to me it seems they have analyzed it.

All products have FPs.

If you never got an Avira FP, that's good, but keep in mind that many Prevx customers also never get any FPs.

The GUI is under development and many more features are going to be implemented soon." }-

If a product has serious FPs or interruptions, then I avoid that product. As simple as that. FPs are not something you can live with all the time if you want everything to go smoothly; they lead to interruption.

PrevxWebDesigner
May 5th, 2009, 04:59 AM
I'm sure PrevxHelp will be able to provide a much more detailed explanation, but you should be aware that VirusTotal is using a very much "stripped down" version of Prevx, with no behavioral analysis (probably Prevx's key strength), etc. Therefore VirusTotal results will be seen to create many more FPs compared to actually having Prevx 3.0 installed on your machine and coming across these same files.

Saraceno
May 5th, 2009, 05:14 AM
With any security program you install, you run a full scan, open up all your regular programs, fix/ignore any false positives, 20 minutes later, you're away to go.

I don't see it as a big inconvenience. Some programs on the other hand, can be so silent, all sorts of malware gets through.

The problem is the type of user. Us here, we're always testing out new, relatively unknown programs, so a small number of FPs are a given.

PrevxWebDesigner
May 5th, 2009, 06:03 AM
Oh also...

-{ Quote: "By the way, the GUI is not user friendly either.

I like Prevx. But I hope you make it better." }-

Feel free to send me a PM with any suggestions for improvements to the GUI, or reasons why you think it's not user-friendly, and I'll see what we can do :)

PrevxHelp
May 5th, 2009, 09:31 AM
Hello all,
The engine at VirusTotal is significantly different from the one that the consumer product contains and therefore tends to generate more FPs. The reason behind this is that at VirusTotal, we don't have the ability to analyze behavior so we have to make a "best guess" about what the file does, and that causes a lower number of real detections and a higher number of FPs, just because it isn't as accurate as actually sitting on a user's computer and analyzing files as they come through.

5 FPs in 2 weeks is extremely high - a vast majority of our users have never experienced a FP and I'd tend to expect they're all due to some underlying factor (maybe beta software or Windows 7?)

If anyone has any FPs which are still detected, please send them to me via PM and I'll get them fixed ASAP :) Regarding WLGPCLNT.DLL, there are pieces of malware named WLGPCLNT.DLL so searching for that filename itself doesn't necessarily mean you're looking at the one you're looking for (if that makes sense :)). In another example, there are many infections named svchost.exe so a search to a Prevx Filename page would show that it could be malware, while it is also a system component.

Hope that helps! As always, let me know if you have any other concerns, questions, etc.

bonedriven
May 5th, 2009, 10:02 AM
-{ Quote: "Hello all,
The engine at VirusTotal is significantly different from the one that the consumer product contains and therefore tends to generate more FPs. The reason behind this is that at VirusTotal, we don't have the ability to analyze behavior so we have to make a "best guess" about what the file does, and that causes a lower number of real detections and a higher number of FPs, just because it isn't as accurate as actually sitting on a user's computer and analyzing files as they come through.
" }-

No, the result is that my Prevx CSI detected a "virus" while the Prevx on VT says "negative".
-{ Quote: "
5 FPs in 2 weeks is extremely high - a vast majority of our users have never experienced a FP and I'd tend to expect they're all due to some underlying factor (maybe beta software or Windows 7?)
" }-
I tried Prevx on Vista before and now use it on Windows 7.
I usually get 2 or 3 FPs on my system from Prevx while Avira gives none. And Avira saved me several times from real viruses.
-{ Quote: "
Regarding WLGPCLNT.DLL, there are pieces of malware named WLGPCLNT.DLL so searching for that filename itself doesn't necessarily mean you're looking at the one you're looking for (if that makes sense :)). In another example, there are many infections named svchost.exe so a search to a Prevx Filename page would show that it could be malware, while it is also a system component.
" }-

I didn't search for the file on Prevx. Prevx told me that wlgpclnt.dll under my system32 archive is a virus. I clicked the link for more detailed information. And I see those descriptions for the file. I uploaded it to VT and the result was 0/41.

For the GUI:
1. Too many clicks in settings.
2. Too many steps when I want to quit Prevx from Real time monitor.

PrevxHelp
May 5th, 2009, 10:05 AM
-{ Quote: "No, the result is that my Prevx CSI detected a "virus" while the Prevx on VT says "negative".

I tried Prevx on Vista before and now use it on Windows 7.
I usually get 2 or 3 FPs on my system from Prevx while Avira gives none. And Avira saved me several times from real viruses.


I didn't search for the file on Prevx. Prevx told me that wlgpclnt.dll under my system32 archive is a virus. I clicked the link for more detailed information. And I see those descriptions for the file. I uploaded it to VT and the result was 0/41." }-

We have been generating a few FPs on Windows 7 builds just because there is so much new data coming in and a lot of Microsoft components do perform suspicious actions. If you could send me a scan log (by clicking Tools > Save Scan Results) of any FPs you've experienced, I'll be able to correct them immediately and tell you why they've happened :)

PrevxHelp
May 5th, 2009, 10:06 AM
-{ Quote: "For the GUI:
1. Too many clicks in settings.
2. Too many steps when I want to quit Prevx from Real time monitor." }-

We're considering making it easier to disable the realtime protection, but this is a one-time action which very few users ever use.

What steps are you finding too numerous in the settings? Short of making the status screen a list of checkboxes, I'm not sure we can minimize it much further ;D

PrevxWebDesigner
May 5th, 2009, 10:29 AM
-{ Quote: "
2. Too many steps when I want to quit Prevx from Real time monitor." }-
You can achieve this by right-clicking the system tray icon :)

Blackcat
May 5th, 2009, 10:33 AM
Early days yet, but I have yet to see one FP in nearly 2 months of use.

A lot will depend upon your software mix and the heuristic setting.

Brings back memories of complaints of high FPs against Dr Web, VBA32 and Avira. I see/saw very few FPs with any of these AVs in years of use.

webster
May 5th, 2009, 11:23 AM
I don't see many FPs in Prevx. In fact I think heuristics just do what they are supposed to do: "Hey, check this out, it could be dangerous". Those are not FPs in my opinion. Yes, you could remove many of these detections, but you would lose a lot of security.

PrevxHelp
May 5th, 2009, 12:01 PM
I've fixed the FP reported by bonedriven - it is a legitimate FP and it does indeed share many characteristics with a large group of infections, most likely because of the software protection they have on the program itself.

I've checked the heuristic rule to see if there are any other similar FPs and there were a few (granted, they had only been seen by a small number of users). One of the triggers which set off this detection was an identification of remote code injection (process hijacking), which looks to be accidental because of the software protection, but because of this and a handful of other factors, including registering itself to load on bootup, modifying IE's memory/registering a BHO, and making some obscure outbound internet connections, we flagged it.

This is one of the many cases where good software can really seem quite bad, and it's very difficult to differentiate between them in some cases, which is the main reason why AVs generate FPs.

Hope that helps clear up some of the confusion :)

trjam
May 5th, 2009, 01:23 PM
It has no more than others. ;)

mvdu
May 6th, 2009, 02:43 AM
-{ Quote: "Prevx detects viruses which no other vendors can. When I uploaded these "viruses" to VirusTotal, the result could often be 1/41.

Today I uploaded a "virus" detected by the updated Prevx CSI to VT, and the result was "0/41".

And on Prevx's website, they also provide detailed virus information, like what this virus does, etc. So has this virus already been analyzed by them?

I often heard that Avira has many FPs, but it has never given me an FP on my PC since version 8. Yet I seldom hear complaints about Prevx's FPs, which is really strange to me.

Now I'm the one who wants to complain that "Prevx has too many FPs." By the way, the GUI is not user friendly either.

I like Prevx. But I hope you make it better." }-

Yes, I think the FPs could be lower. I get more than any AV I have had. I think they will continue to work on this, though.

bonedriven
May 6th, 2009, 05:56 AM
Thanks for the quick response.

An anti-malware program that wants to detect what other AVs miss may certainly produce more FPs.

I just want to let you know that there are unsatisfied customers when most of the sound comes from applause.

Yoda1953
May 6th, 2009, 07:06 AM
I've a persistent FP on NirSoft's RegScanner. It has stayed that way for the last week. :thumbd:

Nunes
May 6th, 2009, 07:10 AM
I don't think the number of FP's is an issue with Prevx.

I think from my experience that it depends greatly on the frequency of new installations you do and what kind of software you install.

There is quite a lot of software nowadays that have behavior of malware.

My latest example is the NirSoft utilities. Quite a lot of them trigger Prevx's warnings, and I fully understand why.

Usually what I do is to exclude the files or folders involved.

mvdu
May 6th, 2009, 09:00 AM
-{ Quote: "I don't think the number of FP's is an issue with Prevx.

I think from my experience that it depends greatly on the frequency of new installations you do and what kind of software you install.

There is quite a lot of software nowadays that have behavior of malware.

My latest example is the NirSoft utilities. Quite a lot of them trigger Prevx's warnings, and I fully understand why.

Usually what I do is to exclude the files or folders involved." }-

It does depend on the software involved, but Prevx can still do a better job of differentiating - in my experience.

Yoda1953
May 6th, 2009, 09:27 AM
-{ Quote: "I don't think the number of FP's is an issue with Prevx.

I think from my experience that it depends greatly on the frequency of new installations you do and what kind of software you install.

There is quite a lot of software nowadays that have behavior of malware.

My latest example is the NirSoft utilities. Quite a lot of them trigger Prevx's warnings, and I fully understand why.

Usually what I do is to exclude the files or folders involved." }-

Thanks for your reply.

OK, did so (excluded the files).

Can I reduce the FPs with heuristics settings other than the default, then?

benton4
May 6th, 2009, 09:34 AM
-{ Quote: "Thanks for the quick response.

An anti-malware program that wants to detect what other AVs miss may certainly produce more FPs.

I just want to let you know that there are unsatisfied customers when most of the sound comes from applause." }-
The reality is that there will always be someone somewhere not happy with a product. :( I have yet to have a FP. Great product, great support.

Retadpuss
May 6th, 2009, 09:55 AM
FPs are sometimes the price you pay for high detection capability.

A2 is about the best signature based scanner available, but it has a few FPs.

In my experience, Prevx has fewer FPs than A2, but it's as good or sometimes better at catching new malware.

I would rather have a couple of FPs, than have someone fleece my bank account!

trjam
May 6th, 2009, 09:56 AM
You tell 'em, Puss. ;)

Nunes
May 6th, 2009, 12:12 PM
-{ Quote: "Thanks for your reply.

OK, did so (excluded the files).

Can I reduce the FPs with heuristics settings other than the default, then?" }-

I think you can reduce FPs by reducing the heuristics strength.

mvdu
May 6th, 2009, 12:23 PM
I've still gotten too many with heuristics on medium. Just because some don't get FPs doesn't mean that others don't get an annoying number.

PrevxHelp
May 6th, 2009, 12:26 PM
-{ Quote: "I've still gotten too many with heuristics on medium. Just because some don't get FPs doesn't mean that others don't get an annoying number." }-

It really is dependent on the software you use. If you have any outstanding FPs, please send them to me (and if you're receiving recurring FPs from certain programs, let me know and I'll get the research team to write a rule to prevent them in the future).

PrevxHelp
May 6th, 2009, 12:27 PM
-{ Quote: "I've a persistent FP on NirSoft's RegScanner. It has stayed that way for the last week. :thumbd:" }-

A lot of NirSoft's software is sadly used by malware very frequently - if you would like, send me an email with a scan log (to the address I've PM'd you) and I'll see if we can do anything to prevent it but their software is more popularly seen from infections than from normal downloads :-\

mvdu
May 6th, 2009, 12:29 PM
-{ Quote: "It really is dependent on the software you use. If you have any outstanding FPs, please send them to me (and if you're receiving recurring FPs from certain programs, let me know and I'll get the research team to write a rule to prevent them in the future)." }-

I think mine have been fixed up to now. Good job on that! But will future versions be more "intelligent"?

PrevxHelp
May 6th, 2009, 12:30 PM
-{ Quote: "Thanks for the quick response.

An anti-malware program that wants to detect what other AVs miss may certainly produce more FPs.

I just want to let you know that there are unsatisfied customers when most of the sound comes from applause." }-

Without trying to sound cliche, we do try and please everyone if possible. I know some users complain about FPs, but really the entire volume of FPs is extremely low compared to everything else.

If you have any other complaints, however, let me know and I'll see what I can do :)

PrevxHelp
May 6th, 2009, 12:31 PM
-{ Quote: "I think mine have been fixed up to now. Good job on that! But will future versions be more "intelligent"?" }-

Yes, we're working on new technology which runs alongside our behavior monitoring drivers that will allow us to differentiate much more clearly between good/bad software, reducing FPs and increasing detections.

We're still 2-3 weeks away from having this completed, but from what our preliminary testing has shown, it will have a significant impact in both directions.

mvdu
May 6th, 2009, 12:33 PM
-{ Quote: "Yes, we're working on new technology which runs alongside our behavior monitoring drivers that will allow us to differentiate much more clearly between good/bad software, reducing FPs and increasing detections.

We're still 2-3 weeks away from having this completed, but from what our preliminary testing has shown, it will have a significant impact in both directions." }-

Great! Thanks for the info.

Necropsie
May 6th, 2009, 01:50 PM
I have.. well let's see, 12 FPs in one week. I am a registered user and all of my settings are at recommended levels. So far, Prevx "caught":

- idmmbc.dll (Internet Download Manager's dll file, which is extremely dangerous according to Prevx's file info web page),
- lbtwiz.exe (actually Logitech's Bluetooth control panel; the funny thing is my keyboard and mouse were having weird problems for over a week, now I understand why),
- rhttpaa.dll (Microsoft's HTTP runtime),
- agcpanelspanish.dll (Nvidia PhysX string table),
- mscorjit.dll (Microsoft .NET compiler),
- msonsext.dll (SharePoint Portal Server),
- wmstream.dll (Windows Media Server)

etc. etc... All of these were identified as "serious threats" according to Prevx's file info web pages. (Not now, they seem to have been reviewed again.) So far, I am disappointed. I know real malware uses the same filenames too, but still, too many. I am getting "infections found" messages nearly every time I boot my computer.

P.S. Sorry for the bad English, I am trying :)

PrevxHelp
May 6th, 2009, 03:12 PM
-{ Quote: "I have.. well let's see, 12 FPs in one week. I am a registered user and all of my settings are at recommended levels. So far, Prevx "caught":

- idmmbc.dll (Internet Download Manager's dll file, which is extremely dangerous according to Prevx's file info web page),
- lbtwiz.exe (actually Logitech's Bluetooth control panel; the funny thing is my keyboard and mouse were having weird problems for over a week, now I understand why),
- rhttpaa.dll (Microsoft's HTTP runtime),
- agcpanelspanish.dll (Nvidia PhysX string table),
- mscorjit.dll (Microsoft .NET compiler),
- msonsext.dll (SharePoint Portal Server),
- wmstream.dll (Windows Media Server)

etc. etc... All of these were identified as "serious threats" according to Prevx's file info web pages. (Not now, they seem to have been reviewed again.) So far, I am disappointed. I know real malware uses the same filenames too, but still, too many. I am getting "infections found" messages nearly every time I boot my computer.

P.S. Sorry for the bad English, I am trying :)" }-

Hmm... that volume seems like there is a file infector involved. I've PM'd you my email address - if you could send me a scan log, I'll be able to see why they're being found.

Necropsie
May 6th, 2009, 03:22 PM
Scan log sent!
I would like to add that I am also using Norton Internet Security 2009 and this was a newly formatted computer. (Actually I installed Windows XP one week ago, installed Prevx/NIS2009 the same day, only trusted software and only one game (which happens to be WoW) installed, and I really am a paranoid net user :) )

PrevxHelp
May 6th, 2009, 03:27 PM
-{ Quote: "Scan log sent!
I would like to add that I am also using Norton Internet Security 2009 and this was a newly formatted computer. (Actually I installed Windows XP one week ago, installed Prevx/NIS2009 the same day, only trusted software and only one game (which happens to be WoW) installed, and I really am a paranoid net user :) )" }-

Hello,
I've checked your log and only one of the files is an actual detection in the database, and that looks to be a correct identification of malware (or at least riskware, as it's found by 4 other vendors) (filename of patch.exe). ???

I can't see any FPs now but your log shows that you have overrides in place. Could you try removing them and running another scan? Chances are that the FPs were fixed automatically as I don't see any actual human interaction involved in these entries, however, we'll see once you scan ;D

Also, if you do believe that the patch.exe file is non-malicious, feel free to send it to me and I'll manually analyze it - at this point I've left it as being detected as it does look suspicious (but only 5 vendors find it, so it's possible that it is actually clean).

trjam
May 6th, 2009, 03:56 PM
-{ Quote: "Prevx detects viruses which no other vendors can. When I uploaded these "viruses" to VirusTotal, the result could often be 1/41.

Today I uploaded a "virus" detected by the updated Prevx CSI to VT, and the result was "0/41".

And on Prevx's website, they also provide detailed virus information, like what this virus does, etc. So has this virus already been analyzed by them?

I often heard that Avira has many FPs, but it has never given me an FP on my PC since version 8. Yet I seldom hear complaints about Prevx's FPs, which is really strange to me.

Now I'm the one who wants to complain that "Prevx has too many FPs." By the way, the GUI is not user friendly either.

I like Prevx. But I hope you make it better." }-

FPs are common for any new product until it is finely tuned in. Show me any new AV that did not have this issue at the start. Some oldies still do. Prevx 3.0 is coming along fine and in a short time, some of you are going to be amazed at what it has added. I agree that FPs can be dangerous, but a product has to have the ability to detect first (some don't), and then you work on the FPs afterwards.

Necropsie
May 6th, 2009, 04:38 PM
-{ Quote: "Hello,
I've checked your log and only one of the files is an actual detection in the database, and that looks to be a correct identification of malware (or at least riskware, as it's found by 4 other vendors) (filename of patch.exe). ???

I can't see any FPs now but your log shows that you have overrides in place. Could you try removing them and running another scan? Chances are that the FPs were fixed automatically as I don't see any actual human interaction involved in these entries, however, we'll see once you scan ;D

Also, if you do believe that the patch.exe file is non-malicious, feel free to send it to me and I'll manually analyze it - at this point I've left it as being detected as it does look suspicious (but only 5 vendors find it, so it's possible that it is actually clean)." }-

Patch.exe is a no-CD patch for a game I legally own. Sure, will send it too.
I am not sure what you mean by "I can't see any FPs now, only overrides". I'll try to explain a little more. Prevx gives me a huge warning about infections and shows the files I listed in my post. I right-click on them and select "report this to Prevx if you don't etc. etc." Then the files are automatically ignored.

Will do a fresh scan after I remove them and inform you.

Thanks for the answer; actually it is a very nice and kind thing to see a developer post. That was the first reason I chose Prevx.

bonedriven
May 6th, 2009, 07:01 PM
Another problem is that Prevx's malware information is misleading when it comes to FPs. When it unfortunately detects an FP, it leads the user to the real malware information page. I think it is really, really confusing.

softtouch
May 7th, 2009, 03:22 AM
I am now getting too many FPs, too.
I am programming in Delphi (Delphi 2007 to be exact), and every time I compile an exe and run it, it's flagged again, and I cannot even test the exe.
This time, it gets flagged as Low Risk Adware...
This is annoying. I am thinking of just ditching it.

Saraceno
May 7th, 2009, 03:49 AM
softtouch, I noticed emsisoft a-squared picked up a few of the programs listed on that freeware site you post to.

I think it's best to report the Delphi programs as FPs to Prevx and Emsisoft, as ditching the software doesn't help other users of these security programs who might want to download your work.

softtouch
May 7th, 2009, 04:34 AM
-{ Quote: "softtouch, I noticed emsisoft a-squared picked up a few of the programs listed on that freeware site you post to.

I think it's best to report the Delphi programs as FPs to Prevx and Emsisoft, as ditching the software doesn't help other users of these security programs who might want to download your work." }-

I did report them to emsisoft... but they seem not to care.
The problem is, every line of code added to a Delphi program makes the exe look different again, and it is flagged again.

Every time I compile a Delphi program (and that is the whole day, I am programming in Delphi), I have to upload FPs to them. That takes more time than actually working on my projects. That's not a solution.

The scanner just cannot distinguish between normal functions and malware behavior, in my opinion.

If they see that you access the web, download something and display it, it is flagged.

Of course, some of my programs check for updates online and inform the user if there is an update... and for some scanners this is "Adware behavior"...

I think Prevx is going crazy now...
It's been 15 minutes on "downloading disinfection files... please wait" and nothing happens anymore...

Also, I have a program (Delphi), with the filename bachresize.exe, which resizes images. It is not flagged, it is clean. When I rename it to bir.exe (short for batch image resizer), it gets flagged immediately as "Low Risk Malware". When I rename it back, it works again...
Don't tell me Prevx flags files because of their filename and not because of what they are doing?????

softtouch
May 7th, 2009, 05:04 AM
It gets better...

I compiled an empty Delphi project (no code added) twice, one created under the name bir.exe, the 2nd under the name abc.exe.

I then compared them with a hex editor, and they are binary identical, bit by bit.

The bir.exe gets flagged as adware by Prevx, the abc.exe does not.

What is going on with prevx????

Saraceno
May 7th, 2009, 05:27 AM
Appreciate your reply. Joe will be reading this thread shortly.

I'll sign up and post your issue on the emsisoft forum (later on), as it's the scanner I'm using at the moment, and was interested in a few of those programs.

Keep up the good work with the programming. Wish I had more brain power to do that. :thumb:

softtouch
May 7th, 2009, 05:31 AM
-{ Quote: "Appreciate your reply. Joe will be reading this thread shortly.

I'll sign up and post your issue on the emsisoft forum (later on), as it's the scanner I'm using at the moment, and was interested in a few of those programs.

Keep up the good work with the programming. Wish I had more brain power to do that. :thumb:" }-

Thanks for your help with that.
I can guarantee the freeware on my website is malware free!

I don't know what the scanners have against Borland executables...

I just did the same test with delphi 2009, and C++ Builder 2009, and even the C++ program is flagged identical to the delphi program, as ADWARE.

PrevxHelp
May 7th, 2009, 09:04 AM
Hello softtouch,
I checked out the bir.exe file you sent - it is indeed encrypted/compressed and has suspicious attributes because of that. If you want AVs to stop detecting it, the best way would be to move away from using PECompact2 and molebox - two packers used primarily by malware, especially when combined.

We are more than willing to whitelist software as you release it, but the heuristics involved to block these programs are valid - when you are first testing the files, you are the only user to have ever seen them and they are packed/encrypted/obfuscated.

And note that we don't scan by filename but you're feeding the heuristics by showing that the program appears with different names/locations.

You should consider getting a digital certificate from Verisign and signing your software with that - we can whitelist by specific digital certificate but your software is too suspicious to be whitelisted by itself because of the way that you obfuscate it.

softtouch
May 7th, 2009, 09:36 AM
-{ Quote: "Hello softtouch,
I checked out the bir.exe file you sent - it is indeed encrypted/compressed and has suspicious attributes because of that. If you want AVs to stop detecting it, the best way would be to move away from using PECompact2 and molebox - two packers used primarily by malware, especially when combined.

We are more than willing to whitelist software as you release it, but the heuristics involved to block these programs are valid - when you are first testing the files, you are the only user to have ever seen them and they are packed/encrypted/obfuscated." }-

It happens also when not packed.
I only pack them to reduce the size.

PECompact2 and molebox are legitimate programs.
People who create malware also use winzip and winrar to pack their malware, does that mean that in future all packers will be blacklisted?
And upx/pecompact2 are widely used by many freeware author to reduce the filesize on disk.
But packing is not the point here; Delphi programs are getting flagged, packed or not, and that's my problem.

I am sure not going to purchase a digital certificate, which cost a lot of money, because of FP results.

PrevxHelp
May 7th, 2009, 09:37 AM
-{ Quote: "It happens also when not packed.
I can create 2 exe files, binary identical, with one exception: in one exe is the word ~bir, and the filename is bir.exe.
It gets flagged. This also happens when I use Borland C++, not just Delphi.
And this happens uncompressed." }-

Can you send me a link to these files?

softtouch
May 7th, 2009, 10:02 AM
-{ Quote: "Can you send me a link to these files?" }-

I just created again a new exe file, uncompressed, no code at all added, just an empty Delphi 2007 project, compiled as exe.

bir.exe - gets flagged as adware
abc.exe - binary identical, just another filename, not flagged.

abc.exe is bir.exe, just renamed...

http://www.delphifreeware.com/downloads/avtest.zip

PrevxHelp
May 7th, 2009, 10:30 AM
-{ Quote: "I just created again a new exe file, uncompressed, no code at all added, just an empty Delphi 2007 project, compiled as exe.

bir.exe - gets flagged as adware
abc.exe - binary identical, just another filename, not flagged.

abc.exe is bir.exe, just renamed...

http://www.delphifreeware.com/downloads/avtest.zip" }-

We've corrected this FP - could you try making another program and see if that is still detected?

softtouch
May 7th, 2009, 10:42 AM
-{ Quote: "We've corrected this FP - could you try making another program and see if that is still detected?" }-

I did create some more exes, and they are not detected anymore.
I also created some exes with Delphi 2009, also not detected.
I then moleboxed them, and that is also fine now.

What was the cause why it was always detected? I am quite interested to know from the programmer's perspective.

But now, Borland C++ 2009 exes are detected...

Here is an empty, compiled c++ project:

http://www.delphifreeware.com/downloads/testc.zip

PrevxHelp
May 7th, 2009, 11:25 AM
-{ Quote: "I did create some more exes, and they are not detected anymore.
I also created some exes with Delphi 2009, also not detected.
I then moleboxed them, and that is also fine now.

What was the cause why it was always detected? I am quite interested to know from the programmer's perspective.

But now, Borland C++ 2009 exes are detected...

Here is an empty, compiled c++ project:

http://www.delphifreeware.com/downloads/testc.zip" }-

We had a very old rule still in place from the Prevx1 days which was a bit too touchy :) The Borland issue should now be fixed as well :)

Necropsie
May 7th, 2009, 12:22 PM
A little update.
Seems like Prevx does not like Internet Download Manager. Seconds ago, its "threat detection" window opened and tagged ALL of the files inside the Internet Download Manager folder as medium risk malware.
I became paranoid and scanned my whole system with a2squared, SAS and MBAM. Fresh and updated installs. Nothing.
Really weird..

Also, sent the updated log file.

PrevxHelp
May 7th, 2009, 12:28 PM
-{ Quote: "A little update.
Seems like Prevx does not like Internet Download Manager. Seconds ago, its "threat detection" window opened and tagged ALL of the files inside the Internet Download Manager folder as medium risk malware.
I became paranoid and scanned my whole system with a2squared, SAS and MBAM. Fresh and updated installs. Nothing.
Really weird.." }-

??? It might be doing something strange with the files, could you send me another scan log with these files?

softtouch
May 7th, 2009, 12:47 PM
-{ Quote: "We had a very old rule still in place from the Prevx1 days which was a bit too touchy :) The Borland issue should now be fixed as well :)" }-

Great, thanks a lot. Will check tomorrow. It's almost 1am here.

PrevxHelp
May 7th, 2009, 12:52 PM
The issue with Internet Download Manager should be fixed now also :)

bonedriven
May 9th, 2009, 09:26 PM
Prevx says "combofix.exe" and "killbox.exe" in Hiren's bootable CD are malware.

Is she right?

webster
May 9th, 2009, 09:30 PM
-{ Quote: "Prevx says "combofix.exe" and "killbox.exe" in Hiren's bootable CD are malware.

Is she right?" }-

No, but Combofix is detected by many other applications, because it contains some malware related files.

PrevxHelp
May 9th, 2009, 10:24 PM
-{ Quote: "No, but Combofix is detected by many other applications, because it contains some malware related files." }-

Exactly - many apps like this are sadly abused by malware frequently. Can you send me a scan log? I'll see if I can get them whitelisted but it is a delicate situation to try and handle.

There are many applications like this which are legitimate but misused: mIRC, ServU, a number of programs by SysInternals, radmin, WindowHider, etc.; the list is extensive :-\

bonedriven
May 9th, 2009, 10:39 PM
It's just those two files in an original Hiren's bootable CD on my USB drive.

[BP] k:\hbcd\wintools\combofix.exe [PX5: 0ECE4AA2C82DA010C2BB2C456E748D00006C4640] Malware Group: Medium Risk Malware
[BP] k:\hbcd\wintools\killbox.exe [PX5: CACA42C0006886C56AC901BFA1672E005A17DA21] Malware Group: Medium Risk Malware

IMHO, for a user there are simply two sides: malicious or not. So I think you need to whitelist those two?
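
As an added example (not Prevx's code, and not from anyone in this thread), a small parser for detection lines of the shape quoted above, with a reviewer whitelist applied the way PrevxHelp describes marking a file good; the line layout is inferred from the two quoted lines only, and the whitelist contents are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Line shape inferred from the two lines quoted in the thread (an assumption,
# not a documented format): "[TAG] path [PX5: 40-hex-chars] Malware Group: name"
PREVX_LINE = re.compile(
    r"^\[(?P<tag>[A-Z]+)\]\s+(?P<path>.+?)\s+\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]"
    r"\s+Malware Group:\s*(?P<group>.+?)\s*$"
)

@dataclass
class ScanHit:
    tag: str
    path: str
    px5: str
    group: str

def parse_scan_log(text):
    """Return one ScanHit per line that matches the detection-line shape;
    lines that do not match (headers, blanks, noise) are skipped."""
    hits = []
    for line in text.splitlines():
        m = PREVX_LINE.match(line.strip())
        if m:
            fields = m.groupdict()
            fields["px5"] = fields["px5"].upper()  # normalise for lookups
            hits.append(ScanHit(**fields))
    return hits

def triage(hits, reviewed_good):
    """Map PX5 -> final verdict. A hash that a reviewer has marked good
    overrides the scanner's group; everything else keeps the scanner verdict."""
    verdicts = {}
    for h in hits:
        verdicts[h.px5] = "Whitelisted (reviewed)" if h.px5 in reviewed_good else h.group
    return verdicts

# Constructed sample: the two detection lines quoted in the thread.
SAMPLE_LOG = """\
[BP] k:\\hbcd\\wintools\\combofix.exe [PX5: 0ECE4AA2C82DA010C2BB2C456E748D00006C4640] Malware Group: Medium Risk Malware
[BP] k:\\hbcd\\wintools\\killbox.exe [PX5: CACA42C0006886C56AC901BFA1672E005A17DA21] Malware Group: Medium Risk Malware
"""
# Constructed whitelist: pretend only combofix.exe has been reviewed so far.
REVIEWED_GOOD = {"0ECE4AA2C82DA010C2BB2C456E748D00006C4640"}

if __name__ == "__main__":
    for px5, verdict in triage(parse_scan_log(SAMPLE_LOG), REVIEWED_GOOD).items():
        print(px5, "->", verdict)
```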

PrevxHelp
May 9th, 2009, 11:08 PM
I have marked them good, however, there isn't always a 100% "good or bad" for many programs but these are farther on the good side than the bad side :)

lordpake
May 10th, 2009, 03:18 AM
-{ Quote: "IMHO,for a user there are simply two sides. Malicious or Not. " }-
Not quite :) some companies use PUA or PUP (pot. unwanted app/program) designation for software in the grey area. This category would include for example mIRC, process killers, pw sniffers, port scanners etc. that can be used either for good or bad.

This is used to alert users to the presence of such apps. Good or bad would depend on whether the user actually downloaded/launched such an app himself.
Unfortunately IMHO this classification is needed. Fortunately those regular users rarely use stuff that'd trigger such alerts. We who use irc clients etc. should be able to understand the situation.

tipstir
May 10th, 2009, 03:34 AM
I ran the PrevX Business on a laptop. I had installed software that I know has two files in it. But I had thought PrevX would detect the files as it monitors the files on the system. I even ran the file and nothing from PrevX. I had to do a full scan with PrevX before it detected one as a medium Worm and the other as Cloaked-Malware. Both were easy to spot in the W\system32 folder. PrevX Business did clean them differently this time around. Removed the cloaked one first, then rebooted the system. The second one was gone also. I ran GMER and SmithFraudfix afterward to see if anything was still there. None!