View Full Version : Prevx 3.0: delayed detection


dlimanov
June 10th, 2009, 04:48 PM
In testing Prevx 3.0 trial, came across a weird detection delay:
- downloaded Antivirus 2008 rogue scanner from <safetyscanguide . com / index.php>
- manually scanned Install.exe with Prevx, no malicious files found
- scanned it with Symantec SEP locally, and in the 6 minutes it took SEP to scan it, Prevx all of a sudden identified it as Medium Risk Malware.
I am curious as to what caused the initial failure to detect something this trivial, and the delayed detection thereafter. I sent an email to Prevx as well, but figured I'd ask the wise and experienced here.
Thanks!

PrevxHelp
June 10th, 2009, 04:55 PM
{QUOTE-> In testing Prevx 3.0 trial, came across a weird detection delay:
- downloaded Antivirus 2008 rogue scanner from <safetyscanguide . com / index.php>
- manually scanned Install.exe with Prevx, no malicious files found
- scanned it with Symantec SEP locally, and in the 6 minutes it took SEP to scan it, Prevx all of a sudden identified it as Medium Risk Malware.
I am curious as to what caused the initial failure to detect something this trivial, and the delayed detection thereafter. I sent an email to Prevx as well, but figured I'd ask the wise and experienced here.
Thanks! <-QUOTE}

I suspect we automatically added detection for it during the time you waited to run the scan. If you'd like, feel free to send me a scan log (I'll PM you my email address :)) and I'll see exactly when we found the file.

dlimanov
June 10th, 2009, 05:00 PM
{QUOTE-> I suspect we automatically added detection for it during the time you waited to run the scan. If you'd like, feel free to send me a scan log (I'll PM you my email address :)) and I'll see exactly when we found the file. <-QUOTE}

PM sent. I guess my question is this: did Prevx detect it later because I initially scanned the file (and therefore submitted its signature to Prevx), and a definition was released and issued in the time it took SEP to scan it and quarantine it?
In other words, did Prevx detect it only because I manually scanned it, or did I just get "lucky" and tested a file two minutes before detection was available for it?

PrevxHelp
June 10th, 2009, 05:05 PM
Hello,
Thank you for the scan log. The file was indeed automatically determined at 10:33 today and has only been seen by one user still. I suspect it wasn't found initially because you just right-clicked on the file to scan - this doesn't get a full picture of the file as it is only an on-demand scan. A normal "deep" scan will pick up more than right-clicking on a file, and trying to execute the file is the real best measure of our protection.

Had you executed the file in your first test, we would have most definitely caught and blocked it, even though it was the first time it was seen. I suspect the variant you're testing with is a server-side polymorphic threat as we have a signature in our database which is currently covering around 30,000 similar XP Antivirus files.

dlimanov
June 10th, 2009, 05:22 PM
{QUOTE-> Hello,
Thank you for the scan log. The file was indeed automatically determined at 10:33 today and has only been seen by one user still. I suspect it wasn't found initially because you just right-clicked on the file to scan - this doesn't get a full picture of the file as it is only an on-demand scan. A normal "deep" scan will pick up more than right-clicking on a file, and trying to execute the file is the real best measure of our protection.

Had you executed the file in your first test, we would have most definitely caught and blocked it, even though it was the first time it was seen. I suspect the variant you're testing with is a server-side polymorphic threat as we have a signature in our database which is currently covering around 30,000 similar XP Antivirus files. <-QUOTE}

Thank you for the prompt response.
Can you elaborate on the differences between "on-access" scan and manual "right-click" on-demand file scan? I would expect behavior to be the opposite of what you described above; i.e. the on-access scan not having a full picture/deep inspection of the file in order to accelerate the scan (not something I'd like to see, but from a theoretical point of view, at least understandable) and not slow down a starting process, versus a manual on-demand scan having full control of the file and really digging in deep.

PrevxHelp
June 10th, 2009, 05:44 PM
{QUOTE-> Thank you for the prompt response.
Can you elaborate on the differences between "on-access" scan and manual "right-click" on-demand file scan? I would expect behavior to be the opposite of what you described above; i.e. the on-access scan not having a full picture/deep inspection of the file in order to accelerate the scan (not something I'd like to see, but from a theoretical point of view, at least understandable) and not slow down a starting process, versus a manual on-demand scan having full control of the file and really digging in deep. <-QUOTE}

Conventional AVs use the approach you describe; however, we look at it differently - when a program is actually starting to execute/load into memory, THAT is the point when the program has the propensity to affect your system, not when it is sitting dormant. Therefore, we consider the point of entry as being the execution, not the creation of the file on disk (unless the file is created into a boot-loading location which is an entirely different story :))

Our on-demand scans are looking at the files out of context within the system (i.e. if a program tries to enter the system from a possible browser exploit, we apply entirely different heuristics on it) and we tend to limit the amount of analysis actually done for files which are scanned purely on-demand (ones which have never loaded/are not referenced in the system) to save resources on both the client PCs and the centralized analysis.

This approach admittedly gives us some worse scores if an antivirus tester is performing a purely on-demand test, but if an antivirus test is performed with real world infections attempting to enter the system (or on a computer which is already infected which would also provide an equivalent environment).

However, it allows us to streamline on-demand scans as well as on-execution scans by limiting the overhead of the analysis and data transmission without sacrificing any security :)

dlimanov
June 10th, 2009, 05:48 PM
{QUOTE-> Conventional AVs use the approach you describe; however, we look at it differently - when a program is actually starting to execute/load into memory, THAT is the point when the program has the propensity to affect your system, not when it is sitting dormant. Therefore, we consider the point of entry as being the execution, not the creation of the file on disk (unless the file is created into a boot-loading location which is an entirely different story :))

Our on-demand scans are looking at the files out of context within the system (i.e. if a program tries to enter the system from a possible browser exploit, we apply entirely different heuristics on it) and we tend to limit the amount of analysis actually done for files which are scanned purely on-demand (ones which have never loaded/are not referenced in the system) to save resources on both the client PCs and the centralized analysis.

This approach admittedly gives us some worse scores if an antivirus tester is performing a purely on-demand test, but if an antivirus test is performed with real world infections attempting to enter the system (or on a computer which is already infected which would also provide an equivalent environment).

However, it allows us to streamline on-demand scans as well as on-execution scans by limiting the overhead of the analysis and data transmission without sacrificing any security :) <-QUOTE}

I see now. SEP has a similar theory behind their techniques, however their real-time detection of executing processes is beyond poor, and their behavior analysis of those processes that don't fall under the signature is close to non-existent.
So with Prevx testing, you suggest just go for it and execute bad things to get a feel of its detection capabilities? How good is behavior-based detection of unknown (not signature-based) threats with Prevx?
Thanks, and sorry for potentially trivial Prevx questions..

trjam
June 10th, 2009, 05:57 PM
I think this (http://pxnow.prevx.com/zeroL/PCMag_Review.pdf) would be a good start for an explanation. I am not as savvy as most, but have been foolish enough to buy all and test in a newbie arena, and I still say that right now, there isn't a better method for staying safe while allowing you to actually use your PC.

PrevxHelp
June 10th, 2009, 05:59 PM
{QUOTE-> I see now. SEP has a similar theory behind their techniques, however their real-time detection of executing processes is beyond poor, and their behavior analysis of those processes that don't fall under the signature is close to non-existent.
So with Prevx testing, you suggest just go for it and execute bad things to get a feel of its detection capabilities? How good is behavior-based detection of unknown (not signature-based) threats with Prevx?
Thanks, and sorry for potentially trivial Prevx questions.. <-QUOTE}

We monitor all forms of loading code (not just "double clicking" on a file to execute it) so we should catch any means possible of actually entering into the system. I do suggest executing the threats, but to get a feel of our protection and a nice overview of what we provide, you may be interested in reading the PC Magazine review of Prevx 3.0 (http://www.pcmag.com/article2/0,2817,2346861,00.asp).

Our entire model is based around behavioral analysis and we only have conventional white/black listing as a supplement to the centralized behavioral analysis technology so while our protection isn't perfect, it does provide a solid layer on top of conventional AVs (and works alongside them if so desired :))

dlimanov
June 10th, 2009, 06:03 PM
{QUOTE-> We monitor all forms of loading code (not just "double clicking" on a file to execute it) so we should catch any means possible of actually entering into the system. I do suggest executing the threats, but to get a feel of our protection and a nice overview of what we provide, you may be interested in reading the PC Magazine review of Prevx 3.0 (http://www.pcmag.com/article2/0,2817,2346861,00.asp).

Our entire model is based around behavioral analysis and we only have conventional white/black listing as a supplement to the centralized behavioral analysis technology so while our protection isn't perfect, it does provide a solid layer on top of conventional AVs (and works alongside them if so desired :)) <-QUOTE}

Thank you for your response. I am going to buy a 30-day license to test the Edge protection and hammer away at my test VM. I will post my findings as things progress further.
Again, thanks for your prompt response.

PrevxHelp
June 10th, 2009, 06:06 PM
{QUOTE-> Thank you for your response. I am going to buy a 30-day license to test the Edge protection and hammer away at my test VM. I will post my findings as things progress further.
Again, thanks for your prompt response. <-QUOTE}

Without trying to dissuade a purchase, if you are only going to be testing on a VM, I wouldn't mind giving you a 30 day test license (especially in this economy :))

trjam
June 10th, 2009, 06:16 PM
Oooh, you are good Joe, really good.:)

I have some swamp land in Nevada, think you can help with that.;)

Triple Helix
June 10th, 2009, 06:36 PM
{QUOTE-> Oooh, you are good Joe, really good.:)

I have some swamp land in Nevada, think you can help with that.;) <-QUOTE}

We can see that you have swamp land on how many times you change your pants ;D

Page42
June 10th, 2009, 07:12 PM
{QUOTE-> I am going to buy a 30-day license to test the Edge protection and hammer away at my test VM. I will post my findings as things progress further. <-QUOTE}
I can assure you that there are a great many of us here who look forward to viewing your findings. :)

Saraceno
June 10th, 2009, 08:02 PM
To the original poster, if you are going to download a host of malicious files, I'd download a trial of Shadow Defender (http://www.shadowdefender.com/) (30 days) or Returnil (free version) (http://www.returnilvirtualsystem.com/) to use alongside prevx to test any threats.

I'm not saying prevx isn't up to the task of detecting the programs you test it against, because something it misses might actually be in fact harmless and a simple uninstall might do the trick. 'Hey it got past prevx, and it's a rogue, but hang on, uninstall removes the whole program!'. :)

I just think there is a difference between downloading something which is from your regular google searches, and downloading something intentionally (from certain sites) which is 'designed' to corrupt your system, but isn't going to affect the average user.

Anyway, what I'm saying, if you're messing around with installations, a simple reboot with Shadow Defender or even Returnil will remove all files, that is all installation download files and so on.

I know some are skeptical at whether prevx performs as it describes. I too have thought the same. The issue about how a product is being marketed aside, this new version of prevx, as far as I can tell, seems to perform exactly as described (analysing all executions - preventing damage).

And if it doesn't (perform how expected), as long as the support prevxhelp (Joe) is working at the company, I think he'll do all he can to make sure something is fixed. So I believe in a program's support and their ability to listen to feedback, and use that feedback, more than anything else.

dlimanov
June 10th, 2009, 11:03 PM
Joe,
Thank you for your generous offer, I will respond privately in a PM and explain what we're trying to achieve with PrevX.
In the meantime, I just came across another rogue antivirus that Prevx didn't catch on execution, but the moment I re-enabled A2 AntiMalware, it picked it right up, both as bad Website and as a rogue antispyware program.
This is the download link for the program, it's called Adware Pro2009 and is hosted on a known RBN network:
< adwareprofessional . com / ?hop=adwpro&mode=d >
and it appears to be along the lines of the original post. This time I did both scan it with PrevX by right-clicking on the file and actually executing it. In both cases, PrevX allowed the file to run.
Any thoughts?

Triple Helix
June 10th, 2009, 11:09 PM
I sent a copy of that to EraserHW a couple of days ago! I really do think that Prevx should be adding more Rogues to their list as it is out of control. >:(

TH

dlimanov
June 10th, 2009, 11:47 PM
{QUOTE-> I sent a copy of that to EraserHW a couple of days ago! I really do think that Prevx should be adding more Rogues to their list as it is out of control. >:(

TH <-QUOTE}

This is what worries me. We are looking for a behavior-based product that is intelligent enough to not rely solely on signatures and is able to detect unknown risks strictly on its malware and virus-like behaviors.
I thought PrevX was exactly that and still hope it's the case and that these are isolated cases. A lot of people here swear by it and it comes highly recommended through other channels, so, again, I'm hoping this is an exception to the rule and not the norm.

PrevxHelp
June 11th, 2009, 12:13 AM
{QUOTE-> This is what worries me. We are looking for a behavior-based product that is intelligent enough to not rely solely on signatures and is able to detect unknown risks strictly on its malware and virus-like behaviors.
I thought PrevX was exactly that and still hope it's the case and that these are isolated cases. A lot of people here swear by it and it comes highly recommended through other channels, so, again, I'm hoping this is an exception to the rule and not the norm. <-QUOTE}

I'll see why the sample wasn't added by EraserHW :-\

However, the problem with rogue antimalware programs is that they generally do not exhibit malicious behavior, which is how most of the newer ones are getting past conventional AVs. From the surface level down, they look like completely legitimate applications but they're able to generate revenue for the malware authors merely with social engineering, which is extremely difficult to detect with behavior alone.

Rogue antimalware is indeed an exponentially-growing threat and we're working on technology to help combat them better but it is a non-trivial task, and all other AVs are struggling as well (seen by many rogues resulting in a 0/40 detection on VT).

Saraceno
June 11th, 2009, 12:32 AM
dlimanov, take a look at this thread:
http://www.wilderssecurity.com/showthread.php?t=232388

Others on the forum and I tested many rogue programs to see if scanners such as Dr Web, prevx etc picked up these as rogue.

You'll notice for every program say Norton, prevx, a-squared find, they also miss another rogue say Dr Web finds, and vice versa.

In summary, basically it's hit and miss. Prevx does do quite well, i'd say better than most.

The problem with these rogue or fake programs is that there are new ones being created every day, every minute.

Some of them install adware/viruses on your system, some of them function just like any other legitimate program to obviously avoid being labelled as malicious (and continue to serve its purpose of extracting money from users).

All depends on what they do. Most can be easily uninstalled through add/remove programs.

Here's a quote from Joe in the earlier thread: {QUOTE-> "These rogue AVs are always generally difficult to detect as some of the newer ones don't actually have malicious code in them - just annoying code/GUIs that force you to buy software because you are "infected". <-QUOTE}

dlimanov
June 11th, 2009, 01:07 AM
Joe/Saraceno:
I can totally understand the argument that most rogue spyware scanners are close to impossible to detect, and I'm content with the fact that if the program emulates legitimate application behavior and the only malice that comes from it is wasted memory and CPU cycles and pay-per-click banners in the app itself, then it's not an issue for me. This particular bad boy is not as harmless as you think, though. I didn't get deep inside, but it does install its own BHO to do search hijacking, as well tries to download and install other "payware" stuff.
I ran some tests using Spycar (http://www.spycar.org/Spycar.html) with A2 disabled, as it intercepted every test. PrevX failed almost every "Autostart" test and blocked about 20% of the tests in total. Now, this is worrisome to me, as Spycar uses vanilla spyware techniques to test your protection -- this is bread and butter for PrevX and similar behavior-based apps! There's no obfuscation or hiding, just straight registry Autorun injection and browser hijacking. Again, maybe my PrevX is not configured right (it's at default config), but it caught about 20% of the attacks on the Spycar site.
Can anyone else try it and see if yours behaves differently?

PrevxHelp
June 11th, 2009, 01:15 AM
{QUOTE->
I ran some tests using Spycar (http://www.spycar.org/Spycar.html) with A2 disabled, as it intercepted every test. PrevX failed almost every "Autostart" test and blocked about 20% of the tests in total. Now, this is worrisome to me, as Spycar uses vanilla spyware techniques to test your protection -- this is bread and butter for PrevX and similar behavior-based apps! There's no obfuscation or hiding, just straight registry Autorun injection and browser hijacking. Again, maybe my PrevX is not configured right (it's at default config), but it caught about 20% of the attacks on the Spycar site.
Can anyone else try it and see if yours behaves differently? <-QUOTE}

Adding protection for the Spycar tests is trivial, but unnecessary. We focus on real threats rather than components of threats tested via leaktests. We most likely shouldn't even find 20% of the threats as they aren't malicious by themselves. Detection of a real threat may contain elements or flags referring to the fact that it modifies a registry entry or privacy settings, but those changes alone are not enough to condemn a program without suffering massive false positives.

The difference between Prevx and a behavior blocker is that a behavior blocker doesn't look at the overall intent of the program and just sets itself out to block specific actions (i.e. creating a bootup entry). While many pieces of malware do create bootup entries, many MANY legitimate programs do as well so the added protection is a result of a large number of additional prompts and user queries. Without trying to slight other vendors, writing a behavior blocker is trivial at best - it is a subset of the technology built into Prevx and many other advanced solutions and like us, most of the other AV vendors do not spend resources to detect tests like Spycar which do not correctly represent a real threat in the real world.

dlimanov
June 11th, 2009, 01:23 AM
Joe,
Do you have an example of behavioral detection that PrevX would do in real world? While I understand what you're saying about potentially creating false positives since many legitimate programs are modifying Registry settings upon installations, I am not comfortable with the idea that an end-user can download something from the Internet that will auto-register itself to start in every way imaginable, and my spy/malware protection doesn't as much as warn him/me about it.
If I understand what you're saying correctly, PrevX would step in and block the application if it exhibited trojan or other malicious behavior while already installed? In other words, it would let the program auto-register and load, but once it started capturing keystrokes (for example), PrevX would immediately step in and shut it down?

PrevxHelp
June 11th, 2009, 01:42 AM
{QUOTE-> Joe,
Do you have an example of behavioral detection that PrevX would do in real world? <-QUOTE}

I have more than 20,000 new examples every day :)

{QUOTE-> While I understand what you're saying about potentially creating false positives since many legitimate programs are modifying Registry settings upon installations, I am not comfortable with the idea that an end-user can download something from the Internet that will auto-register itself to start in every way imaginable, and my spy/malware protection doesn't as much as warn him/me about it. <-QUOTE}

No, it's a combination of events which causes it to be triggered - virtually always far before it installs. Downloaded from the internet + registering on bootup is not enough to condemn a program (installers do it all the time) so that isn't a viable option to consider. A program as a whole contains many attributes - not just the boot registering aspects - which can condemn it.

We don't detect leaktests because the leaktests only perform one function of the infection, rather than a real infection which may have many components performing different actions with varying levels of suspicious behavior in each.

{QUOTE-> If I understand what you're saying correctly, PrevX would step in and block the application if it exhibited trojan or other malicious behavior while already installed? In other words, it would let the program auto-register and load, but once it started capturing keystrokes (for example), PrevX would immediately step in and shut it down? <-QUOTE}

What you're describing is still in the "behavior blocker" category, but a marginally more advanced version which contains some local logic. Our centralized analysis takes and processes the behaviors of "loads on bootup" and "captures keystrokes" and then decides if the program should be blocked or not by factoring aspects like the popularity of the program, the age of the program, various physical characteristics and the relationship to other files or families/groups of files.

Simply blocking a program because it logs keystrokes and registers itself on bootup will still cause false positives - which is the basic flaw in behavior blocking. A good example is a program which we saw we were causing a false positive against a few years ago: it was an encrypted, GUI-less application which loaded on bootup, recursively iterated through files on disk searching for email addresses and then proceeded to send out mass mails to each of the contacts it finds.... and yet it was a completely legitimate application :-\

Behavior blocking looks great from the surface level. We've been there before and tried it in Prevx Home (~2004) but it was not an effective means of actually securing the every day user's PC. The level of complexity and the learning curve required to understand what prompts mean lies far outside of the scope of what users should be expected to do. In Prevx 3.0, we've eliminated a majority of the user decision process so that we can automate as much as possible while producing as few false warnings as possible.

So while you may not get a warning that the new Windows-bootup-loading screenshot utility you just installed is going to take screenshots of the system, the piece of malware which one of your customers just accidentally ran into via an exploit which covertly takes screenshots after loading on bootup will be swiftly blocked before it has a chance to do either of those nefarious actions :)
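The two PrevxHelp posts above (the one answering the Spycar results and this one) draw a line between a "behavior blocker" that reacts to one action in isolation and an analysis that weighs a program's full set of behaviors together with context such as popularity and age. The following is an added illustration written for this thread, not Prevx code and not how Prevx actually scores files: the behaviors, weights, thresholds and the four sample programs are all constructed for the example. It runs both styles of decision over the samples, including the legitimate bootup-loading mass-mailer described above and a rogue antimalware program that performs no malicious action at all, so that both the false-positive problem of single-action blocking and the blind spot of behavior-only analysis are visible side by side.

```python
from dataclasses import dataclass

# Hypothetical behavior weights (constructed for this example, not a vendor's real model).
# "shows_scare_ui" scores zero on purpose: a nag screen is not malicious by itself,
# which is exactly why rogue AVs slip past behavior-only analysis.
BEHAVIOR_WEIGHTS = {
    "autostart_registry": 1,
    "enumerates_user_files": 1,
    "sends_bulk_mail": 2,
    "captures_keystrokes": 3,
    "takes_screenshots": 2,
    "installs_bho": 1,
    "shows_scare_ui": 0,
}

BLOCK_THRESHOLD = 5  # constructed cut-off for the combined score


@dataclass(frozen=True)
class Sample:
    name: str
    behaviors: frozenset   # runtime actions observed after execution
    prevalence: int        # how many systems have reported this file (constructed)
    age_days: int          # days since the file was first seen (constructed)
    origin: str            # "download", "update" or "exploit" (constructed)


def behavior_blocker(sample: Sample) -> str:
    """Classic single-action rule: prompt the user whenever an autostart entry is created."""
    return "prompt" if "autostart_registry" in sample.behaviors else "allow"


def risk_score(sample: Sample) -> int:
    """Combine all observed behaviors with context about the file, then return one number."""
    score = sum(BEHAVIOR_WEIGHTS.get(b, 0) for b in sample.behaviors)
    # Popularity: a file seen on many systems is far less likely to be malware.
    if sample.prevalence >= 1000:
        score -= 3
    elif sample.prevalence <= 5:
        score += 2
    # Age: a file that has been around for a long time has had time to be vetted.
    if sample.age_days >= 365:
        score -= 1
    elif sample.age_days <= 1:
        score += 1
    # Point of entry: code that arrived through an exploit is treated far more harshly.
    if sample.origin == "exploit":
        score += 3
    return score


def combined_verdict(sample: Sample) -> str:
    """Block only when the weighted combination crosses the threshold."""
    return "block" if risk_score(sample) >= BLOCK_THRESHOLD else "allow"


# Constructed samples, modelled on the cases discussed in the thread.
SAMPLES = [
    Sample("setup_installer", frozenset({"autostart_registry"}), 50000, 400, "download"),
    Sample("legacy_mailer", frozenset({"autostart_registry", "enumerates_user_files",
                                       "sends_bulk_mail"}), 2000, 900, "download"),
    Sample("dropped_spy", frozenset({"autostart_registry", "captures_keystrokes",
                                     "takes_screenshots"}), 1, 0, "exploit"),
    Sample("rogue_av", frozenset({"autostart_registry", "shows_scare_ui",
                                  "installs_bho"}), 3, 2, "download"),
]


def evaluate_all(samples=SAMPLES) -> dict:
    """Return {name: (behavior-blocker verdict, combined-analysis verdict)} for every sample."""
    return {s.name: (behavior_blocker(s), combined_verdict(s)) for s in samples}


if __name__ == "__main__":
    for name, (blocker, combined) in evaluate_all().items():
        print(f"{name:16s} blocker={blocker:6s} combined={combined}")
```

Running it shows the single-action rule prompting on all four programs, three of which are harmless, while the combined scorer blocks only the exploit-delivered keylogger. It also shows the rogue AV passing both checks, which is the point made later in the thread: a program whose only "malicious" act is a scary GUI has to be caught by a signature, not by behavior.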

EraserHW
June 11th, 2009, 04:41 AM
{QUOTE-> I sent a copy of that to EraserHW a couple of days ago! I really do think that Prevx should be adding more Rogues to their list as it is out of control. >:(

TH <-QUOTE}

Sorry about that, I checked again and your email has been marked as spam so I didn't see it. Now I added a rule for these e-mails

I apologize for the delay :)

ako
June 11th, 2009, 05:46 AM
{QUOTE-> Joe,
Thank you for your generous offer, I will respond privately in a PM and explain what we're trying to achieve with PrevX.
In the meantime, I just came across another rogue antivirus that Prevx didn't catch on execution, but the moment I re-enabled A2 AntiMalware, it picked it right up, both as bad Website and as a rogue antispyware program.
This is the download link for the program, it's called Adware Pro2009 and is hosted on a known RBN network:
hxxp://www.adwareprofessional.com/?hop=adwpro&mode=d
and it appears to be along the lines of the original post. This time I did both scan it with PrevX by right-clicking on the file and actually executing it. In both cases, PrevX allowed the file to run.
Any thoughts? <-QUOTE}

Antivir, among others, did not detect it either ...

But Geswall and Defencewall blocked it easily, of course.

PrevxHelp
June 11th, 2009, 09:32 AM
{QUOTE-> Antivir, among others, did not detect it either ...

But Geswall and Defencewall blocked it easily, of course. <-QUOTE}

Out of curiosity - did Geswall/Defensewall use signatures to block them or do they have some other technology in place?

dlimanov
June 11th, 2009, 10:52 AM
Joe,
Thank you for your detailed and thorough response. This topic is extremely interesting and important to us, because your answer mirrors what the Symantec response was when we presented them with our concerns. As I mentioned privately, we're using SEP as an endpoint protection and Symantec's stance on the topic is very close to yours: do not scan the file until it executes and minimize potential false positives as much as possible. While on paper it looks acceptable, in real life it plain doesn't work.
Now, I'm not saying PrevX doesn't work, but I would prefer my anti-virus/spyware program to alert me of a suspicious site, and scan file as it was being downloaded and then upon execution. I would also want it to alert me (at the minimum) if the file I just downloaded and executed has some characteristics of being a malware, like registry AutoRun access, service installation and startup, Explorer/shell integration, etc.
Maybe I'm old-fashioned, but I will take a false positive ANY DAY over an infection that bypassed signature and behavior-based detection. Am I alone in this?

P.S. My scope and requirements are for the enterprise, obviously for the home user different rules apply.

lodore
June 11th, 2009, 11:09 AM
so surely symantec should have a webscanner to prevent the file ever getting on your HD?
as long as the file doesn't do any damage what's the harm?

PrevxHelp
June 11th, 2009, 11:12 AM
{QUOTE->
Now, I'm not saying PrevX doesn't work, but I would prefer my anti-virus/spyware program to alert me of a suspicious site, and scan file as it was being downloaded and then upon execution. I would also want it to alert me (at the minimum) if the file I just downloaded and executed has some characteristics of being a malware, like registry AutoRun access, service installation and startup, Explorer/shell integration, etc.
Maybe I'm old-fashioned, but I will take a false positive ANY DAY over an infection that bypassed signature and behavior-based detection. Am I alone in this?

P.S. My scope and requirements are for the enterprise, obviously for the home user different rules apply. <-QUOTE}

We have a large number of Enterprise customers and they all, without an exception, have a completely different opinion than what you have been describing. Rather than trying to guess the behavior of a program before it executes (which in many cases is not technically feasible without massive amounts of overhead), Enterprises tend to block the installation of untrusted programs entirely.

If an Enterprise wants to be secure, they really should not allow their users to install arbitrary programs within the network and it should be made very obvious to their users what restrictions are in place, rather than using a solution which is going to show a warning popup on every bootup entry which is created that will not only confuse users but also massively increase support costs.

I suspect if you were to roll out a "conventional" behavior blocker which warns when system modifications are made, your job may be at risk :) We had this happen a while back in one of our previous products - an enterprise rolled out our product with the most advanced settings enabled (which is essentially what you are describing: show a warning if it creates a boot entry, modifies a system component, etc.) and he called us frantically because of the massive implications it had on the usability of the employee's systems and the fear it generated across the network when a simple software update was distributed.

From what I've seen, it is generally not a good idea to impede on the work being done in a large enterprise and security should be as silent and transparent as possible. While no security product is impenetrable, you need to weigh out the potential support nightmare with strong security.

Therefore, for an enterprise, I think that focusing on whitelisting/"Draconian" application control as well as an intelligent antimalware application is a more viable technology than trying to only block specific behaviors.

Just my $0.02 :)

Triple Helix
June 11th, 2009, 11:42 AM
{QUOTE-> Sorry about that, I checked again and your email has been marked as spam so I didn't see it. Now I added a rule for these e-mails

I apologize for the delay :) <-QUOTE}

That is great! But I just checked and it is still not detected.

TH

EDIT: I did a deep scan and is now detected! :thumb:

dlimanov
June 11th, 2009, 12:09 PM
{QUOTE-> Therefore, for an enterprise, I think that focusing on whitelisting/"Draconian" application control as well as an intelligent antimalware application is a more viable technology than trying to only block specific behaviors. <-QUOTE}
Joe,
Your approach is understandable and I agree with what you're saying, to some point. However, from my point of view, it's difficult to explain to an end-user (and my management) that despite having two anti-virus/spyware programs installed, a blatantly rogue program got installed and active, and the only reason either product didn't detect it was because they didn't want to cause a potentially false-positive alarm, or while the program in question is definitely unwanted, it is not malicious enough to be blocked upon execution.
What I'm saying is that there's another side of the coin, it's not as clear cut as it seems.

PrevxHelp
June 11th, 2009, 12:31 PM
{QUOTE-> Joe,
Your approach is understandable and I agree with what you're saying, to some extent. However, from my point of view, it's difficult to explain to an end-user (and my management) that despite having two anti-virus/spyware programs installed, a blatantly rogue program got installed and active, and the only reason either product didn't detect it was because they didn't want to cause a potential false-positive alarm, or because, while the program in question is definitely unwanted, it is not malicious enough to be blocked upon execution.
What I'm saying is that there's another side of the coin, it's not as clear cut as it seems. <-QUOTE}

I suspect they didn't miss the file because they didn't want to cause a false positive - they probably missed it because it didn't really do anything malicious. Could you let me know what the "blatantly rogue program" was trying to do on the system?

Although a lot of malware does register itself to start on bootup, that is not a panacea either. Determining if a non-malicious program is unwanted after the user has installed it is not a trivial task and really the only way to accomplish it is to write signatures to block the malicious programs (and we have thousands of such signatures in place).

Therein lies the problem of what defines malicious. As you described, a program installing a shell extension/toolbar, loading on bootup, and detecting files as threats is really not enough physical evidence to block the program - there simply isn't a way to do it automatically. In this case, we would block any AV which packages a toolbar component :-\

The line which separates some of the new rogue antimalware products from legitimate software is just the number of false positives produced. Other than that, everything else looks legitimate (and in many cases, the GUIs of the programs look better than some legitimate software ;D)

It may be worth assessing exactly how your users are coming across these rogue products and blocking them at that level. Rogue products are only a subset of all of the threats and do need to be handled differently from the rest of malware (and virtually always require manual, human interaction to decide the determination).

dlimanov
June 11th, 2009, 12:40 PM
Joe,
I totally agree and understand, and we are blocking malware on different levels, such as proxy, Web filtering, domain blacklisting and NIPS and firewall. But at the same time, our user base is extremely dynamic and a lot of people travel and work from home, where the endpoint itself is the only point we have control over.
Now, we're blocking a lot of stuff with SEP's application control, the really nasty stuff like hacking tools, password crackers, etc., using both filename and checksum options. However, our help desk is struggling with a lot of tickets about poor machine performance, where the machine is riddled with these "borderline" malicious rogue products. Now, from your (anti-virus/malware maker) point of view, they're not malicious enough to justify detection, let alone alert and quarantine/removal. From my point of view, they exhibit all the characteristics of malware (registry, BHO, local rogue proxy install, HOSTS file modification, etc.) and I need to be able to detect and remove them before they get on the machine.
I understand the delicate balance between breaking end-user workflow with endless alerts and false-positives, but feel there's a protection drawback with all this.
I wonder, does PrevX have the ability to control the intensity/paranoia of the scan? A2 has a "paranoid" mode that seems to be blocking (or at least alerting me to) almost everything I can throw at it. Does PrevX have something similar that can be customized? I messed around with the heuristics settings, but it didn't seem to make any difference.
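The footprint dlimanov describes (autorun entries, a BHO, a local proxy, HOSTS edits) is something a help desk can check for directly, independent of any vendor's verdict. The following is an added example, not Prevx or Symantec code: it parses a registry export (as produced by `reg export` / regedit) and a HOSTS file and flags those four indicators. The `.reg` fragment, HOSTS lines, CLSID and paths are constructed for the demo; the list of vendor domains is an assumption you would replace with your own.

```python
"""Added example (not Prevx or Symantec code): check a Windows registry export
and a HOSTS file for the rogue-AV footprint listed above (autorun entries that
point into the user profile, a BHO, a local proxy, HOSTS hijacks of security
vendors). The .reg and HOSTS text are constructed for the demo."""
import re
from dataclasses import dataclass

# Constructed .reg export fragment (not from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SvcHost Loader"="C:\\Users\\bob\\AppData\\Local\\Temp\\fakeav.exe"
"IntelGfx"="C:\\Program Files\\Intel\\igfxtray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001]
"1"="C:\\Users\\bob\\AppData\\Roaming\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Toolbar Helper"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"
"""

# Constructed HOSTS file: one legitimate line, two hijacks of vendor sites.
SAMPLE_HOSTS = """127.0.0.1 localhost
10.9.8.7 www.symantec.com
10.9.8.7 update.prevx.com
"""

AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce",
                "\\CurrentVersion\\RunOnceEx", "\\CurrentVersion\\RunServices")
# Paths a non-admin user can write to (Vista/7 and XP profile layouts).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|documents and settings)\\[^\\]+\\"
                           r"(appdata|local settings|application data)", re.I)
VENDOR_DOMAINS = ("symantec.com", "prevx.com", "kaspersky.com", "microsoft.com")


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: value}} from regedit export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and line[0] in '"@':
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if raw.startswith('"'):          # REG_SZ: undo the export escaping
                value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif raw.startswith("dword:"):   # REG_DWORD as hex
                value = int(raw[6:], 16)
            else:
                value = raw
            keys[current][name] = value
    return keys


@dataclass
class Finding:
    kind: str
    detail: str


def find_indicators(reg: dict, hosts_text: str) -> list:
    findings = []
    for key, values in reg.items():
        if any(k.lower() in key.lower() for k in AUTORUN_KEYS):
            for name, target in values.items():
                if isinstance(target, str) and USER_WRITABLE.search(target):
                    findings.append(Finding("autorun-from-profile", f"{name} -> {target}"))
        if "\\Browser Helper Objects\\{" in key:
            findings.append(Finding("bho", key.rsplit("\\", 1)[1]))
        if key.endswith("\\Internet Settings") and values.get("ProxyEnable") == 1:
            server = str(values.get("ProxyServer", ""))
            if server.startswith(("127.", "localhost")):
                findings.append(Finding("local-proxy", server))
    for line in hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        ip, host = parts[0], parts[1].lower()
        if any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS):
            findings.append(Finding("hosts-hijack", f"{host} -> {ip}"))
    return findings


if __name__ == "__main__":
    for f in find_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_HOSTS):
        print(f"{f.kind:22} {f.detail}")
```

Note that the Run-key entry for a legitimate vendor in Program Files is not flagged; only entries pointing into a user-writable profile directory are, which is the same distinction the thread keeps coming back to (an autorun by itself is not evidence, an autorun from %TEMP% plus a HOSTS hijack is).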

ako
June 11th, 2009, 12:53 PM
{QUOTE-> Out of curiosity - did Geswall/Defensewall use signatures to block them or do they have some other technology in place? <-QUOTE}
They are both policy-based sandboxes - ideal complements for any AM.

PrevxHelp
June 11th, 2009, 12:55 PM
{QUOTE->
I wonder, does PrevX have the ability to control the intensity/paranoia of the scan? A2 has a "paranoid" mode that seems to be blocking (or at least alerting me to) almost everything I can throw at it. Does PrevX have something similar that can be customized? I messed around with the heuristics settings, but it didn't seem to make any difference. <-QUOTE}

The heuristic settings apply primarily to programs as they try to execute (but before any code is actually executed).

If you have specific samples which you think we should be detecting, feel free to email them to me at the address I PM'd you and I'll see why we're missing them.

dlimanov
June 11th, 2009, 01:04 PM
{QUOTE-> The heuristic settings apply primarily to programs as they try to execute (but before any code is actually executed).

If you have specific samples which you think we should be detecting, feel free to email them to me at the address I PM'd you and I'll see why we're missing them. <-QUOTE}

It's not that I think PrevX is not detecting particular file or application, it's the behavior detection that is not working to the level I thought it would be.
Spycar is a good example in my book: something so blatantly and obviously malicious should be warned about, at the minimum, or blocked, if the application is set to the highest protection level. For the record, Symantec SEP -- which I hate with a passion and will knock at every chance I get -- detected every single one of Spycar's attempts. Now, they've done it with signatures and not behavior, and I understand your point about Spycar earlier in this thread, but I personally think that this behavior should be logged and/or blocked by ANY anti-virus/malware program on the market today.
Again, this my personal opinion.

Rmus
June 11th, 2009, 01:58 PM
{QUOTE-> However, our help desk is struggling with a lot of tickets about poor machine performance, where it's riddled with these "borderline" malicious rogue products. <-QUOTE}
{QUOTE-> Therefore, for an enterprise, I think that focusing on whitelisting/"Draconian" application control as well as an intelligent antimalware application is a more viable technology than trying to only block specific behaviors. <-QUOTE}A good example is what one System Administrator implemented:

http://isc.sans.org/diary.html?storyid=6529
{QUOTE-> At the time, we were using an enterprise anti-virus product that allowed abitrary behavior-blocking rules to be created and enforced. I created a set of behavior-blocking rules that arbitrarily prevented creation or execution of any .EXE files (as well as other dangerous types) within the user's C: Documents and Settings their-user-profile directory, which is where such a scareware file would have to be executed from when the user is a Restricted User. <-QUOTE}A more draconian approach, where the entire systems are completely locked down:

http://www.faronics.com/whitepapers/CaseStudy_LAPD.pdf
{QUOTE-> "We currently have a policy that prohibits unauthorized installation of non-Department sanctioned/owned software on any Department computer," said Mr. Riley. <-QUOTE}There are various methods/software available to keep systems clean. It's just a matter of commitment on the part of company CEOs to instruct their support personnel to do it.

----
rich

dlimanov
June 11th, 2009, 03:16 PM
Unfortunately, restricting user account is a lost battle with us. All users are local admins.
I know, I know..

Rmus
June 11th, 2009, 03:19 PM
Are these local admins regular employees or company officers?

----
rich

dlimanov
June 11th, 2009, 03:20 PM
{QUOTE-> Are these local admins regular employees or company officers?

----
rich <-QUOTE}

Regular company users.

Rmus
June 11th, 2009, 03:26 PM
You wrote earlier,

{QUOTE-> However, from my point of view, it's difficult to explain to an end-user (and my management) that despite having two anti-virus/spyware programs installed, blatantly rogue program got installed and active, <-QUOTE}Actually, it's not difficult to explain to management, that as long as employees are able to install anything not specifically related to work, not authorized by Management, there will continue to be problems.

As I said above, until Management decides "enough is enough" you are fighting a losing battle, as you just wrote.

----
rich

Mosqu
June 11th, 2009, 03:42 PM
{QUOTE-> I would also want it to alert me (at the minimum) if the file I just downloaded and executed has some characteristics of being a malware, like registry AutoRun access, service installation and startup, Explorer/shell integration, etc. <-QUOTE}
This sounds to me more like you want a HIPS or restriction policies. Would an average user make the right decisions? I feel hopelessly lost with HIPS-like alerts (even if I understand them). Is this particular action now legitimate or not? How should I know? And even experienced users may have difficulties recognizing rogue software just by these alerts.

The decisions of Prevx 3.0 are made by an automated analysis - and it does it *much* better than I (or maybe your customers) ever could. I feel much safer with Prevx than with a HIPS - and I appreciate its silence.

Rmus
June 11th, 2009, 03:50 PM
On a company-owned computer, there should be no user decisions to make.

- All installed software should be job-related
- Any additional software a user requires should be submitted to Management for checking and approval, to be installed by Support personnel.

Under these conditions no unwanted programs or malware can intrude.

----
rich

dlimanov
June 11th, 2009, 04:03 PM
You guys must be living in a perfect world! Unfortunately, it is what it is, and we have to deal with it.
My original post wasn't as much about standard security practices in the enterprise; instead I asked about behavioral detection with PrevX and why it didn't catch certain actions. I am curious how many of current PrevX users deployed it in the enterprise and what are the results?

Longboard
June 11th, 2009, 04:41 PM
{QUOTE-> We have a large number of Enterprise customers and they all, without an exception, have a completely different opinion than what you have been describing. Rather than trying to guess the behavior of a program before it executes (which in many cases is not technically feasible without massive amounts of overhead), Enterprises tend to block the installation of untrusted programs entirely. <-QUOTE}
{QUOTE-> However, the problem with rogue antimalware programs is that they generally do not exhibit malicious behavior, which is how most of the newer ones are getting past conventional AVs. From the surface level down, they look like completely legitimate applications <-QUOTE}
{QUOTE-> The heuristic settings apply primarily to programs as they try to execute (but before any code is actually executed) <-QUOTE}
@Joe
My Prevx V2 set-up does this (blocks installs) as per the rules I have used.
Isn't this the 'lost' function of V3??
Depending on heuristics has its limits, as noted??
Isn't this also a 'hole' for the zero day?

Of course there are other options as noted.

{QUOTE-> I suspect if you were to roll out a "conventional" behavior blocker which warns when system modifications are made, your job may be at risk We had this happen a while back in one of our previous products - an enterprise rolled out our product with the most advanced settings enabled (which is essentially what you are describing: show a warning if it creates a boot entry, modifies a system component, etc.) and he called us frantically because of the massive implications it had on the usability of the employee's systems and the fear it generated across the network when a simple software update was distributed.
<-QUOTE}That actually sounds like admin failure in the roll out process ??

dlimanov
June 11th, 2009, 04:47 PM
What's version 2? Is it different than v3?

raven211
June 11th, 2009, 05:27 PM
{QUOTE-> What's version 2? Is it different then v3? <-QUOTE}

Seriously, I don't have time to go through all that stuff, but that question would almost be considered an insult for some people I believe. ;D I'm sure Joe will be more than happy to explain the hundred points - maybe he even has a book stored on his system somewhere that he can copy from. ;D

GES/POR
June 11th, 2009, 06:10 PM
{QUOTE-> What's version 2? Is it different then v3? <-QUOTE}

V2 is not for sale anymore, V2 = Behaviour Blocker + In the Cloud Tech, V3 = Heuristics + Clouds :o

PrevxHelp
June 11th, 2009, 06:30 PM
{QUOTE-> @Joe
My Prevx V2 set-up does this (blocks installs) as per the rules I have used.
Isn't this the 'lost' function of V3??
Depending on heuristics has its limits, as noted??
Isn't this also a 'hole' for the zero day? <-QUOTE}

This is the functionality which we've automated in v3 - the number of user complaints and volume of confusion far outweighed the benefits. We've since offered free upgrades to existing Prevx 2 users and have had nearly 100% convert up to it, with only a handful of people still using it just for the behavior blocker aspects.

There really is no way to explain behavior blocking to the average user who doesn't/shouldn't care about security. Rolling out a behavior blocker in an enterprise is going to cause users a flood of complaints and confusion. The reason why we don't catch certain actions is that certain actions aren't malicious by themselves. For instance, we don't flag Windows Explorer because it has the ability to delete files and format drives and we don't flag your email client because it sends out emails :) Detection of malware is the result of a complex harmony of rules and logic rather than detecting a single action as a threat.

{QUOTE-> That actually sounds like admin failure in the roll out process ?? <-QUOTE}

It wasn't, he just deployed it in "Expert" mode which intentionally creates quite a lot of interaction with the user as it functions as a standard behavior blocker.

{QUOTE-> I am curious how many of current PrevX users deployed it in the enterprise and what are the results? <-QUOTE}

I'm not sure of the exact count but we've been focusing on enterprises with ~500-2000 employees and we're now going to be moving to larger enterprises with our new agreement with Unisys: http://www.scmagazineuk.com/Prevx-signs-software-and-services-agreement-with-IT-solutions-company/article/138350/

dlimanov
June 11th, 2009, 10:30 PM
Joe,
I have been playing with PrevX some more on my home machine. Downloaded Adware 2009 (hxxp://www.adware-2009.com/) from a known RBN site and scanned it manually -- nothing found. Installed it on a VM with PrevX, again, no complaints.
Tonight, I boot up my machine and PrevX immediately finds the installation file I downloaded yesterday and reports it as High Risk Fraudulent Program and cleans it. Same story on the VM with Adware 2009 installed, PrevX stops it from running.
Am I wrong in assuming that yesterday, my machine was used as a honeypot to some degree? I.e., PrevX uploaded file characteristics to your server when I manually scanned and installed it, and even though it thought it was clean initially, subsequent examination on your side determined that it was indeed malicious and definitions were created. I got them today, and the file(s) are detected. Here's a signature from my log:
[B] (ACTIVE) c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\adwareprofessional.exe [PX5: 14A6205A984CA6059E65247FD347C7009A04F0FF] Malware Group: High Risk Fraudulent Security Program

Moreover, I mentioned how Spycar was not being detected yesterday. Lo and behold, today everything is being blocked using the signatures below:
[B] (ACTIVE) c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\adwareprofessional (1).exe [PX5: 14A6205A984CA6059E65247FD347C7009A04F0FF] Malware Group: High Risk Fraudulent Security Program
[B] c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\hklm_runonce.exe [PX5: 5C861AF2007D90102E7900F4E80B7B00E3245D88] Malware Group: Medium Risk Malware Dropper
[B] c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\hklm_runonceex.exe [PX5: B7FCD6D2000B4BB92EA400B88E221600BC1B7996] Malware Group: Medium Risk Malware
[B] c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\ie-sethomepage.exe [PX5: 43C8BBDC00FB34FC289700AAF65B6700A7496D7C] Malware Group: Medium Risk Malware Dropper
[B] c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\alterhostsfile.exe [PX5: 0486270400A304BC286E00AE0C51F00065FEF74C] Malware Group: Medium Risk Malware Dropper
[B] c:\users\dlimanov\appdata\local\opera\opera\profile\cache4\temporary_download\towtruck.exe [PX5: 3D14AB6300219B583EF50029A4E1BC001B71E1FB] Malware Group: Medium Risk Malware Dropper

My question is this: why didn't PrevX detect both instances of unwanted programs using its behavior analysis, but as soon as the files were analyzed on your server, signatures were issued for them? The whole appeal of the product is that it's moving away from signature-based detection and uses advanced behavior detection instead; here it looks like behavior detection failed to determine that the files were malicious and the program fell back on signature-based detection instead. Is this expected?

PrevxHelp
June 11th, 2009, 10:45 PM
{QUOTE->
My question is this: why didn't PrevX detect both instances of unwanted programs using its behavior analysis, but as soon as the files were analyzed on your server, signatures were issued for them? The whole appeal of the product is that it's moving away from signature-based detection and uses advanced behavior detection instead; here it looks like behavior detection failed to determine that the files were malicious and the program fell back on signature-based detection instead. Is this expected? <-QUOTE}

I've looked at the files you pasted and all of them were determined automatically - the behavior detection didn't fail to determine the files, it just failed to determine them the first time they were seen. I suspect that we just needed more data to cross reference about the programs before they were able to be found immediately. We automatically detect thousands of new threats every day the first time they're seen, but we find many more after they've been seen by another user (we usually lock down on the threat after its been seen by the second user).

The "PX5" entries which you see are not signatures, they are just identifiers to allow us to look at the exact files. The actual detections behind the files which you have are far more complex and all held server side, but it does sometimes take data from multiple points to really determine the intent of the program.

dlimanov
June 11th, 2009, 10:51 PM
{QUOTE-> I've looked at the files you pasted and all of them were determined automatically - the behavior detection didn't fail to determine the files, it just failed to determine them the first time they were seen. <-QUOTE}

Joe,
Can you please elaborate on this? I'm not sure I understand what you're saying.
When PrevX scans a file and applies behavior detection analysis to it, does it then need to confirm with the "cloud" that this file/behavior was reported elsewhere already, and only then can it be blocked? Does it mean that otherwise (like in my case), if there's no cross-reference and even though the behavior detection engine recognized these files as malicious, they will not be acted upon?

PrevxHelp
June 11th, 2009, 10:58 PM
We don't check if the behavior was reported elsewhere, but it helps to cross reference reports. Programs, especially malware, do not behave the same on every computer and it helps our confidence levels to see a semi-suspicious file from multiple perspectives (especially in the case of a rogue antispyware application).

The behavior engine locally does not make any determinations - it sends up all of the details which are then analyzed centrally to return determinations based on the newest sets of data.

dlimanov
June 11th, 2009, 11:09 PM
Now I get it. If it's not a secret, what are the determinations based on when something like this is processed on the server? When you say it helps to look at the file from multiple perspectives, does it mean that you're analyzing reports from other reported sources to cross-reference if the behavior is the same?
What I'm getting to is this: let's say, I have a file that's malicious and PrevX detection knows about it, but there are no other reports to "back it up", so to speak. Would PrevX block the file based on its own behavior engine alone, or does it need to cross-reference it within the cloud with other, similar instances, and only then the "kill" is approved?

PrevxHelp
June 11th, 2009, 11:19 PM
{QUOTE-> Now I get it. If it's not a secret, what are the determinations based on when something like this is processed on the server? When you say it helps to look at the file from multiple perspectives, does it mean that you're analyzing reports from other reported sources to cross-reference if the behavior is the same? <-QUOTE}

It is a bit of a trade secret :) We collect 7 distinct signatures from the physical file itself, as well as contextual data like how the program entered the system/where the program exists on the system, information on any registry entries pointing to the file, etc. as well as the behaviors that the program performs in realtime. Multiple perspectives are useful especially for rogue antimalware products which tend to behave very differently on different systems. For instance, one installation (starting from the same initial dropper) may create its files in C:\Program Files\FakeAV2009\ and use an HKLM\...\Run registry entry named "SvcHost Loader" while the exact same dropper on another system may create an HKLM\...\RunServices entry named "Microsoft Updater" pointing to its file in C:\Program Files\DifferentName2009\

Polymorphism doesn't necessarily only happen on the file level - it also frequently happens within the behavior of a program itself and our engines lock onto these characteristics to identify suspicious looking programs.

{QUOTE-> What I'm getting to is this: let's say, I have a file that's malicious and PrevX detection knows about it, but there are no other reports to "back it up", so to speak. Would PrevX block the file based on its own behavior engine alone, or does it need to cross-reference it within the cloud with other, similar instances, and only then the "kill" is approved? <-QUOTE}

On a daily basis, we automatically identify upwards of 20,000 new programs as malicious on the first time they're seen. We would immediately block it before execution in this case, but the detection rates aren't perfect just from this layer alone. The benefit of our centralized database is that even if we can't immediately identify a file as malicious, it is likely that another file which we see in the future will be similar to it which can allow us to automatically add detection to the first file, either by seeing a new similar file or by getting additional reports from the individual file itself.

Our spread detection heuristics (in the Settings > Heuristics Settings page) work completely separately from the rest of our architecture and look at the age/popularity of programs in question. For example, if a new program has only been seen by a single user across the entire Prevx community, it is very likely that the program has polymorphic characteristics which means it is most likely server-side modified malware. This allows us to conceptually block a vast majority of 0-day threats and new polymorphic threats (i.e. the Storm worm) without having to add additional signatures.
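Joe's two mechanisms above (a server-side verdict that gets stronger as the same file is reported from more hosts, and a separate age/spread heuristic that distrusts a brand-new file seen by a single user) can be sketched in a few lines. The block below is an added example and not Prevx's engine or data: the sightings, the PX5-style identifiers, the behaviour kinds, the weights and the thresholds are all constructed for the demo. It deliberately ignores the literal Run-key names and install paths (the "SvcHost Loader" vs "Microsoft Updater" variation Joe describes) and keys only on the kind of behaviour, so the two installs of the same dropper add up.

```python
"""Added example, not Prevx code: a toy of (1) a server-side verdict built from
behaviour reports of the same file seen on several hosts, where install paths
and Run-key names differ per host but the behaviour kinds are the same, and
(2) an age/spread heuristic that blocks a brand-new file seen by one user.
Sightings, identifiers, weights and thresholds are constructed for the demo."""
from datetime import datetime, timedelta

# Constructed sightings: (file_id, host, first_seen, [(behaviour_kind, literal)])
SIGHTINGS = [
    ("PX5:AAAA", "host-1", "2009-06-10T16:00", [
        ("autorun", r"HKLM\...\Run\SvcHost Loader"),
        ("drop", r"C:\Program Files\FakeAV2009\fakeav.exe"),
        ("fake-scan", "reported 37 infections on a clean VM"),
    ]),
    ("PX5:AAAA", "host-2", "2009-06-11T09:00", [
        ("autorun", r"HKLM\...\RunServices\Microsoft Updater"),
        ("drop", r"C:\Program Files\DifferentName2009\svc.exe"),
        ("fake-scan", "reported 41 infections on a clean VM"),
        ("hosts-modify", "security vendor domains redirected"),
    ]),
    # A legitimate but rare in-house tool, seen once: the spread heuristic's FP case.
    ("PX5:BBBB", "host-3", "2009-06-11T22:00", [
        ("drop", r"C:\Program Files\Vendor\tool.exe"),
    ]),
    # An old, widespread driver helper with a Run entry: autorun alone is not evidence.
    ("PX5:CCCC", "host-1", "2009-05-01T08:00", [("autorun", r"HKLM\...\Run\igfx")]),
    ("PX5:CCCC", "host-2", "2009-05-02T08:00", [("autorun", r"HKLM\...\Run\igfx")]),
    ("PX5:CCCC", "host-3", "2009-05-03T08:00", [("autorun", r"HKLM\...\Run\igfx")]),
]

# Weights per behaviour kind (assumed). No single kind reaches BLOCK_SCORE.
WEIGHTS = {"autorun": 1, "drop": 1, "fake-scan": 2, "hosts-modify": 2, "proxy-set": 2}
BLOCK_SCORE = 5


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def reports_until(file_id: str, now: datetime) -> list:
    """Every sighting of file_id that the server had received by `now`."""
    return [s for s in SIGHTINGS if s[0] == file_id and parse_ts(s[2]) <= now]


def behaviour_score(file_id: str, now: datetime):
    """Union of behaviour kinds across all reporting hosts; literals are ignored,
    so per-host polymorphism in names and paths does not split the evidence."""
    kinds = set()
    for _, _, _, behaviours in reports_until(file_id, now):
        kinds.update(kind for kind, _ in behaviours)
    return sum(WEIGHTS.get(k, 0) for k in kinds), kinds


def spread_block(file_id: str, now: datetime, max_hosts: int = 1,
                 max_age: timedelta = timedelta(days=7)) -> bool:
    """Age/spread heuristic: new and seen by very few users -> treat as
    server-side polymorphic. Thresholds are assumptions."""
    reps = reports_until(file_id, now)
    if not reps:
        return False
    hosts = {host for _, host, _, _ in reps}
    age = now - min(parse_ts(ts) for _, _, ts, _ in reps)
    return len(hosts) <= max_hosts and age <= max_age


def verdict(file_id: str, now: datetime, spread_heuristic: bool = False) -> str:
    score, _ = behaviour_score(file_id, now)
    if score >= BLOCK_SCORE:
        return "block"
    if spread_heuristic and spread_block(file_id, now):
        return "block"
    return "monitor" if reports_until(file_id, now) else "unknown"


if __name__ == "__main__":
    for when in ("2009-06-10T18:00", "2009-06-11T12:00"):
        now = parse_ts(when)
        print(when, {f: verdict(f, now) for f in ("PX5:AAAA", "PX5:BBBB", "PX5:CCCC")})
    print("with spread heuristic:",
          {f: verdict(f, parse_ts("2009-06-12T00:00"), True) for f in ("PX5:BBBB", "PX5:CCCC")})
```

Run as written, `PX5:AAAA` is only "monitor" after the first host reports it and becomes "block" once the second host adds the HOSTS modification, which is the "locked down after the second user" behaviour in Joe's reply; with the spread heuristic switched on, the same file is blocked at first sight, but so is the once-seen legitimate tool `PX5:BBBB`, which is the false-positive trade-off raven211 raises later in the thread.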

dlimanov
June 11th, 2009, 11:30 PM
Joe, thank you very much, this is exactly what I was looking for!
In my case with Adware 2009 and Spycar, the reason they were not blocked initially (even though the behavior detection engine probably identified them as possibly malicious) was because it took some time to cross-reference them on the server and positively identify them as indeed malicious. Is this correct?

PrevxHelp
June 11th, 2009, 11:32 PM
{QUOTE-> Joe, thank you very much, this is exactly what I was looking for!
In my case with Adware 2009 and Spycar, the reason they were not blocked initially (even though the behavior detection engine probably identified them as possibly malicious) was because it took some time to cross-reference them on the server and positively identify them as indeed malicious. Is this correct? <-QUOTE}

Yes :)

dlimanov
June 11th, 2009, 11:48 PM
Good stuff, I think I'm getting a handle on this, at least understanding the behind the scenes magic.
So, it looks like the behavior-based engine on the client is not truly independent, it still needs to check with the cloud and cross-reference behavior with known, similar variants. If there's no known cross-reference, the application in question will be allowed but its actions will be further analyzed and a cross-reference "signature" will be created so it can be blocked on next execution.
Is it possible to customize this behavior on the client to not rely on the cloud's cross-reference all the time, but act on threats automatically? Is there any level of customization of detection available on the client, other than heuristics?

PrevxHelp
June 11th, 2009, 11:53 PM
{QUOTE-> Good stuff, I think I'm getting a handle on this, at least understanding the behind the scenes magic.
So, it looks like the behavior-based engine on the client is not truly independent, it still needs to check with the cloud and cross-reference behavior with known, similar variants. If there's no known cross-reference, the application in question will be allowed but its actions will be further analyzed and a cross-reference "signature" will be created so it can be blocked on next execution. <-QUOTE}

Correct :)

{QUOTE-> Is it possible to customize this behavior on the client to not rely on the cloud's cross-reference all the time, but act on threats automatically? Is there any level of customization of detection available on the client, other than heuristics? <-QUOTE}

We currently do not have this functionality but we are considering adding some more granular controls like this into a future version further down the roadmap.

dlimanov
June 11th, 2009, 11:56 PM
{QUOTE-> Correct :)



We currently do not have this functionality but we are considering adding some more granular controls like this into a future version further down the roadmap. <-QUOTE}

Excellent, this is something I'd definitely want to see in the client. On a separate note, please check your PMs when you have a chance, I have an Enterprise licensing question.

Longboard
June 12th, 2009, 04:15 AM
@Joe
{QUOTE-> I'm not sure of the exact count but we've been focusing on enterprises with ~500-2000 employees and we're now going to be moving to larger enterprises with our new agreement with Unisys: http://www.scmagazineuk.com/Prevx-si...rticle/138350/ <-QUOTE}

HOLY COW !!
That is fantastic: what a score.
Congratulations to PrevX. I really hope this goes well and maybe some benefits will flow downstream too. ?
:thumb:
:thumb:

With respect to this massive opportunity and workload, I am sure "we" here appreciate even more the effort the PrevX support mob: WebDesigner, MG and you Joe put in for us. I know I do.
Respect.

Heh: as to:
{QUOTE-> This is the functionality which we've automated in v3 - the number of user complaints and volume of confusion far outweighed the benefits. We've since offered free upgrades to existing Prevx 2 users and have had nearly 100% convert up to it with only a handful of people still use it just for the behavior blocker aspects. <-QUOTE}

LOL: truly, ....I got the message...:o ...., penetrating slowly...just a bit slow on the uptake down here.
Coriolis effects dontcha know..
Thanks. :)

Dark Star 72
June 12th, 2009, 06:22 AM
Joe,
A question on Prevx 2.0 - I have a P2 license that runs out end of August and keep the P2 installer stored on a USB stick, will I be able to renew this P2 license or would it be an automatic upgrade to P3. ie. will P2 eventually be discontinued by not renewing licenses as they expire until they have all expired?

Dark Star 72
June 12th, 2009, 06:32 AM
Another question :what:
When the next version of P3 surfaces with the secure browsing etc included will there be any restrictions for unlicensed users other than the present 'detection only' one.
ie: will potential paid users/customers be able to trial/use the secure browsing etc or will they be restricted in some way - the full works only available to license holders?

raven211
June 12th, 2009, 07:14 AM
{QUOTE-> Correct :)



We currently do not have this functionality but we are considering adding some more granular controls like this into a future version further down the roadmap. <-QUOTE}

Now, what if what's not blocked at first is suddenly deemed malicious and still running - is it suddenly just blocked in real-time? (Ofc I suppose this ;D) For some reason, nah, obviously I'm concerned that the analysis needs to be done elsewhere, which means it can do its thing. :-\

Is this completely true if I, say, turn off Age/Spread heuristics? If that would *sometimes* block the new malware, it means it's sometimes useful, but greatly increases the risk of FPs and maybe prompts for the user.

raven211
June 12th, 2009, 07:15 AM
{QUOTE-> @Joe


HOLY COW !!
That is fantastic: what a score.
Congratulations to PrevX. I really hope this goes well and maybe some benefits will flow downstream too. ?
:thumb:
:thumb:

With respect to this massive opportunity and workload, I am sure "we" here appreciate even more the effort the PrevX support mob: WebDesigner, MG and you Joe put in for us. I know I do.
Respect.
<-QUOTE}

Indeed we do. :) On another note, I get an error when I go to that page - says it doesn't exist. ;D Would you mind posting the results that Prevx got?

Longboard
June 12th, 2009, 07:29 AM
Some problem with the 'quote'
here is the link from joe's post.
http://www.scmagazineuk.com/Prevx-signs-software-and-services-agreement-with-IT-solutions-company/article/138350/

search 'prevx unisys' for lots of references.

dlimanov
June 12th, 2009, 02:42 PM
Joe,
Should PrevX be able to detect PDF exploits? If yes, where do I submit a file it didn't detect?

PrevxHelp
June 12th, 2009, 02:44 PM
{QUOTE-> Another question :what:
When the next version of P3 surfaces with the secure browsing etc included will there be any restrictions for unlicensed users other than the present 'detection only' one.
ie: will potential paid users/customers be able to trial/use the secure browsing etc or will they be restricted in some way - the full works only available to license holders? <-QUOTE}

We're still deciding exactly how all of the functionality will be given to users - we will let everyone know exactly what comes of the discussions :)

PrevxHelp
June 12th, 2009, 02:45 PM
{QUOTE-> Joe,
Should PrevX be able to detect PDF exploits? If yes, where do I submit a file it didn't detect? <-QUOTE}

I've sent you a PM with an address of one of our researchers - EraserHW :)

PrevxHelp
June 12th, 2009, 02:47 PM
{QUOTE-> Joe,
A question on Prevx 2.0 - I have a P2 license that runs out end of August and keep the P2 installer stored on a USB stick, will I be able to renew this P2 license or would it be an automatic upgrade to P3. ie. will P2 eventually be discontinued by not renewing licenses as they expire until they have all expired? <-QUOTE}

It is still possible to renew a P2 license to P2 (and we will continue to support it), but you can renew P2 > P3 or just upgrade to P3 for free from P2 by using our license swap utility: http://info.prevx.com/licenseswap.asp

TonyW
June 13th, 2009, 02:01 PM
{QUOTE-> Downloaded Adware 2009 (hxxp://www.adware-2009.com/) from a known RBN site and scanned it manually -- nothing found. Installed it on VM with PrevX, again, no complaints.
Tonight, I boot up my machine and PrevX immediately finds the installation file I downloaded yesterday and reports it as High Risk Fraudulent Program and cleans it. Same story on the VM with Adware 2009 installed, PrevX stops it from running. <-QUOTE}

I find this interesting as I scanned the executable with KL and it reported nothing. Even accessing the website with the web AV on didn't prompt any alerts. I sent the file for analysis to KL while I did some more testing.

Virustotal displayed only 4/39 vendors detecting this file, including PrevX. Virscan only showed 2/38, and these two were in the other group, namely Comodo and DrWeb.

A KL Virus Analyst replied saying there's no malicious code in the file. I don't wish to dispute the accuracy of these guys as they are renowned the world over for their expertise, but I'm curious as to whether the program is really that malicious given so few vendors recognise it.

adware-2009.com is on a number of malware domain blocklists.

A similar program to this - errorclean.exe - from errorclean.com is detected by KL, and I assume by PrevX as well.

All this just got me wondering why, given the similarity between such programs and the fact they're listed by a number of other places, certain vendors don't recognise it.

dlimanov
June 13th, 2009, 02:39 PM
{QUOTE-> I find this interesting as I scanned the executable with KL and it reported nothing. Even accessing the website with the web AV on didn't prompt any alerts. I sent the file for analysis to KL while I did some more testing.

Virustotal displayed only 4/39 vendors detecting this file, including PrevX. Virscan only showed 2/38, and these two were in the other group, namely Comodo and DrWeb.

A KL Virus Analyst replied saying there's no malicious code in the file. I don't wish to dispute the accuracy of these guys as they are renowned the world over for their expertise, but I'm curious as to whether the program is really that malicious given so few vendors recognise it.

adware-2009.com is on a number of malware domain blocklists.

A similar program to this - errorclean.exe - from errorclean.com is detected by KL, and I assume by PrevX as well.

All this just got me wondering why, given the similarity between such programs and the fact they're listed by a number of other places, certain vendors don't recognise it. <-QUOTE}

Here's my dumbed down understanding of how PrevX works:
- you execute a program and its fingerprint is created on the fly and checked against the "cloud"
- if a matching fingerprint is found, the application is blocked using signature engine detection
- if matching fingerprint is NOT found, then behavioral engine kicks in
- if malicious behavior is identified, it is cross-referenced against other, similar behaviors in the cloud
- if cross-reference match is found, application is blocked via behavior engine detection
- if cross-reference match is NOT found (or not sufficient), process is allowed and you are infected
- process behavior is then sent in for further analysis (manual or automatic, I don't know), and if found malicious, fingerprints are released. This is how one program is not detected (and infected you) today, but caught and removed tomorrow.

I have a BIG problem with the second-to-last item, to be honest. I feel that the behavior-based detection option should be customizable; i.e., I should be able to specify how sensitive the detection is, and decide whether I want to allow the process whose behavior appears to be malicious, but for which there's no signature/behavior cross-reference available, or I want to quarantine or block/delete it altogether. I am really hoping PrevX will incorporate this option in a future release.

PrevxHelp
June 13th, 2009, 03:04 PM
{QUOTE->
I have a BIG problem with second to last item, to be honest. I feel that behavior-based detection option should be customizable <-QUOTE}

The reason why we don't have this currently is that it is a <very> techie-oriented feature. 99+% of users would never touch it or have any idea what it does. We did have this functionality in previous products but have since removed it and haven't looked back because, through our telemetry over previous products, we saw a far less than 1% adoption of the more technical features which allowed granular configuration of what behaviors to block.

{QUOTE-> i.e. I should be able to specify how sensitive the detection is, and decide whether I want to allow the process whose behavior appears to be malicious, but for which there's no signature/behavior cross-reference available, or I want to quarantine or block/delete it altogether. I am really hoping PrevX will incorporate this option in the future release. <-QUOTE}

What exactly would you define as an apparent malicious behavior? Regarding "no signature/behavior cross-reference" - we see more than 250,000 new programs every day, many of which are completely new products with no ties to previous programs.

What you are describing is, in my opinion, much more a whitelist approach (which we offer) than a behavioral approach - only allow in what you trust and block everything else.

In the case of adware-2009, it is clearly evident that the program doesn't contain any malicious behavior at all - as supported by the response from Kaspersky's analyst - but the program is indeed malicious. I don't see how any company could possibly identify this heuristically if it isn't doing anything bad and is a brand new program :-\

PrevxHelp
June 13th, 2009, 03:10 PM
{QUOTE->
- if malicious behavior is identified, it is cross-referenced against other, similar behaviors in the cloud
<-QUOTE}

Just a clarification on this step - we send up <any> behavior, malicious or not. We filter them down locally so as to not report every pixel drawn to the screen, but the local agent does not have a concept of malicious behavior (as individual behaviors are not malicious, entire programs are).

dlimanov
June 13th, 2009, 05:11 PM
Joe,
I guess we disagree on the usefulness of the ability to configure the sensitivity of the behavior-based analysis. I would like to see this feature from an enterprise point of view, as well as built-in detection criteria for potentially malicious programs that may fall outside of the scope of the signature-based detection: rogue antivirus programs, unwanted proxy applications, P2P clients, etc. In this case, programs like Ultrasurf or Tor (or Antivirus 2009 we discussed in this thread) can be blocked, even though they may not fall under the standard malicious detection categories.
By apparent malicious behavior, I still consider items like BHO installation, browser modification (adding sites to "trusted", for example, or modifying IE's security zone settings), modifications of Windows shell and Explorer integration, and certain Registry keys and system areas (HOSTS file, for example). Would this increase the amount of FPs and prevent certain legitimate programs from operating (Windows Updates, SMS, etc.) if turned on at full force? Absolutely! But I, as an admin, should be able to specify these settings according to the security policy we have in place, versus the vendor limiting my ability in order to "protect me from myself". Again, I'm talking about the enterprise model; for the home user you're 150% correct and they are perfectly happy with the hands-off approach PrevX provides.
Just my thoughts..
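
The decision flow dlimanov sketches above (fingerprint lookup, allow-if-unknown, fingerprint released later) together with the policy knob he asks for in this post, as an added Python model of a cloud-lookup agent. This is not Prevx's code; the behavior labels, the back-end rule, the policy names and the sample "programs" are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Behaviors a strict enterprise policy treats as suspicious in an UNKNOWN program
# (labels constructed for this model, not Prevx's own behavior names).
SUSPICIOUS = {"loads_on_bootup", "captures_keystrokes", "installs_bho", "modifies_hosts"}

@dataclass
class Cloud:
    verdicts: dict = field(default_factory=dict)  # fingerprint -> "bad" / "good"
    reported: dict = field(default_factory=dict)  # fingerprint -> behaviors seen by agents

    def lookup(self, fp):
        return self.verdicts.get(fp)  # None: never analysed yet

    def report(self, fp, behaviors):
        self.reported.setdefault(fp, set()).update(behaviors)

    def analyze(self):
        # Hypothetical back-end rule: the whole program is judged, never one behavior alone.
        for fp, beh in self.reported.items():
            self.verdicts[fp] = "bad" if {"loads_on_bootup", "captures_keystrokes"} <= beh else "good"
        self.reported.clear()

@dataclass
class Agent:
    cloud: Cloud
    policy: str = "allow_unknown"  # alternatives: "quarantine_suspicious", "block_unknown"
    def scan(self, program: bytes, behaviors: set) -> str:
        fp = hashlib.sha256(program).hexdigest()
        self.cloud.report(fp, behaviors)  # every behavior goes up, malicious or not
        verdict = self.cloud.lookup(fp)
        if verdict == "bad":
            return "blocked"  # fingerprint hit
        if verdict is None and self.policy == "block_unknown":
            return "blocked"  # whitelist approach: only programs the cloud already knows run
        if verdict is None and self.policy == "quarantine_suspicious" and behaviors & SUSPICIOUS:
            return "quarantined"  # admin stops unknown programs showing these behaviors
        return "allowed"  # unknown program runs; the back end decides later

def timeline(policy: str = "allow_unknown") -> dict:
    cloud = Cloud()
    agent = Agent(cloud, policy)
    rogue, updater = b"constructed rogue installer", b"constructed benign updater"
    rogue_beh = {"loads_on_bootup", "captures_keystrokes", "draws_window"}
    updater_beh = {"loads_on_bootup", "draws_window"}  # legitimate, but trips the strict policy
    day1 = (agent.scan(rogue, rogue_beh), agent.scan(updater, updater_beh))
    cloud.analyze()  # back end processes the reported behaviors "overnight"
    day2 = (agent.scan(rogue, rogue_beh), agent.scan(updater, updater_beh))
    return {"day1": day1, "day2": day2}
```

Under the default policy the rogue is allowed on day 1 and blocked on day 2, which is the delayed detection the thread started with; under the strict policy the benign updater is quarantined on day 1, the false-positive trade-off dlimanov accepts.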

Habakuck
June 14th, 2009, 04:19 AM
{QUOTE-> Our centralized analysis takes and processes the behaviors of "loads on bootup" and "captures keystrokes" <-QUOTE} How does PrevX do that?
I have the information that PrevX installs a file system filter, a Process Creation Notification callback and a handful of hooks to prevent process manipulation. So in my opinion PrevX is completely blind to most malicious behavior.
It is a very powerful cloud-based AntiVirus product, but I can't see any protection against a Targeted Attack.

PrevxHelp
June 14th, 2009, 12:10 PM
{QUOTE-> How does PrevX do that?
I have the information that PrevX installs a file system filter, a Process Creation Notification callback and a handful of hooks to prevent process manipulation. So in my opinion PrevX is completely blind to most malicious behavior.
It is a very powerful cloud-based AntiVirus product, but I can't see any protection against a Targeted Attack. <-QUOTE}

Responded in the "Future Changes to Prevx" thread ;)

Habakuck
June 14th, 2009, 12:29 PM
{QUOTE-> Responded in the "Future Changes to Prevx" thread ;) <-QUOTE}

Jop... :)