False positives / Missing detections thread



PrevxHelp
August 17th, 2009, 03:56 PM
-{ Quote: "
So why is that not detected? The malicious behavior is so obvious! And I run PrevX with the highest settings..." }-

This malware appears to use a new form of obfuscation - it is only found by one vendor on VirusTotal, but we've added protection now for it.

Habakuck
August 17th, 2009, 03:58 PM
-{ Quote: "We don't focus on detecting files like this (a batch script). We may consider adding more detection for files like this in the future but today, these are not threats to normal users (and nearly always only exist in malware collection)." }-
This was on my friend's PC. He wanted to crack CS.
So this is not a threat to me cause I would not execute the file, but he is a "normal" user and now he has problems.

PrevxHelp
August 17th, 2009, 04:02 PM
-{ Quote: "This was on my friend's PC. He wanted to crack CS.
So this is not a threat to me cause I would not execute the file, but he is a "normal" user and now he has problems." }-

The file doesn't actually do anything bad - the only functional piece of it is that it will try and spread on IRC so your friend shouldn't have any problems.

Habakuck
August 17th, 2009, 04:10 PM
-{ Quote: "This malware appears to use a new form of obfuscation - it is only found by one vendor on VirusTotal, but we've added protection now for it." }-
The following vendors catch the sample by behavior analysis:
Bitdefender
G-Data
Kaspersky
Norton (Sonar)

The following vendors catch the sample by heuristics:
Kaspersky

And those are only the AV progs I tested.

So where is prevx's behavior analysis?

PrevxHelp
August 17th, 2009, 04:13 PM
-{ Quote: "So where is prevx's behavior analysis?" }-

At no point do we claim our protection is perfect - we simply missed this sample. The products you mentioned miss many samples every day as well.

Habakuck
August 17th, 2009, 05:05 PM
I never said that you claim your product as perfect. I absolutely know that no AV product is perfect.

But I thought that this file should easily be caught by behavior analysis. And I have the slight feeling that there is nearly no behavior analysis done by prevx. That's all I think about, cause I want to know what a product I use and pay for is capable of.

PrevxHelp
August 17th, 2009, 05:09 PM
-{ Quote: "But I thought that this file should easily be caught by behavior analysis. And I have the slight feeling that there is nearly no behavior analysis done by prevx." }-

This is incorrect - I'm not sure how I can convince you without divulging company secrets but Prevx is entirely based on behavior, just using unique identifiers/signatures ("PX5s" as you'll see in the log) so that we can track back to individual files if they're reported as incorrect.

Habakuck
August 17th, 2009, 05:23 PM
-{ Quote: "This is incorrect - I'm not sure how I can convince you without divulging company secrets but Prevx is entirely based on behavior, just using unique identifiers/signatures ("PX5s" as you'll see in the log) so that we can track back to individual files if they're reported as incorrect." }-
Hm, ok. Let me ask some questions and you try to answer without divulging company secrets.

1. How can your server do behavior analysis on a completely unknown file by only transmitting information to your server?
Normally a behavior analysis should be based on special rule packets. For example a file should be marked as bad if: it runs without a visible window, creates an autostart entry and sends e-mails.

But if this is the case I think a program which writes to the autorun, opens MySpace and sends itself via instant messenger should easily be caught.

2. I have the strong feeling that prevX is missing absolutely new files very often. If the file is seen by the cloud it reacts very, very fast! But if the threat is completely unknown I can't see protection.
So is there an "unknown threat protection" or not?

3. Can you give an example of what an unknown malicious file has to do to be caught by prevx?

Thank you very much.

PrevxHelp
August 17th, 2009, 05:35 PM
-{ Quote: "
1. How can your server do behavior analysis on a completely unknown file by only transmitting information to your server?
Normally a behavior analysis should be based on special rule packets. For example a file should be marked as bad if: it runs without a visible window, creates an autostart entry and sends e-mails." }-

This is similar to the information which we send up - instead of trying to decide on a file locally, we make the decision centrally.

-{ Quote: "But if this is the case I think a program which writes to the autorun, opens MySpace and sends itself via instant messenger should easily be caught." }-

Sometimes yes, sometimes no. This particular sample uses a different technique to interface with Messenger than most worms which is probably why it got past. We'll be updating our engines accordingly, but there isn't a function in Windows named "SpamToMSNContacts()" so malware authors try various odd techniques to do so :)

-{ Quote: "2. I have the strong feeling that prevX is missing absolutely new files very often. If the file is seen by the cloud it reacts very, very fast! But if the threat is completely unknown I can hardly see protection.
So is there an "unknown threat protection" or not?" }-

I'd be interested in seeing what is causing you to make this assumption. It is likely that a file may not be found if it has literally never been seen before, but in that case, it would usually be caught by the Age/Popularity protection.

-{ Quote: "3. Can you give an example of what an unknown malicious file has to do to be caught by prevx?" }-

I can't, as the system is extremely dynamic. A file may be caught because it shares structure with another malicious file or family of files, or it could be caught because of similarities in behavior (or by a number of other factors).

I can't say exactly why your file wasn't caught, but I do know that we aren't seeing the MSN traffic properly for this sample and we will be updating our engines to better handle this type of behavior. Your file is also extremely new - seen by only a couple of users and seen for the absolute first time at 17:45 today (I determined it as malicious at 19:57, about 8 minutes after your report).

It is starting to spread wider now (up to some dozen users in the span of < 3 hours) but everyone past the second user has been protected from it.

Habakuck
August 17th, 2009, 05:49 PM
-{ Quote: "This is similar to the information which we send up - instead of trying to decide on a file locally, we make the decision centrally.
" }- I understand that.

-{ Quote: "..., but there isn't a function in Windows named "SpamToMSNContacts()" so malware authors try various odd techniques to do so :)" }- :D Ok. I got that.


-{ Quote: "
I'd be interested in seeing what is causing you to make this assumption. It is likely that a file may not be found if it has literally never been seen before, but in that case, it would usually be caught by the Age/Popularity protection.
" }- It is just a feeling, as I said.
And I am a user who always wants to know more or less exactly what is going on on his machine. At least I have to understand what is going on. Otherwise I am not satisfied.

-{ Quote: "
I can't, as the system is extremely dynamic. A file may be caught because it shares structure with another malicious file or family of files, or it could be caught because of similarities in behavior (or by a number of other factors).
" }- Ok, so it is more about similarity than about behavior?

-{ Quote: "
I can't say exactly why your file wasn't caught, but I do know that we aren't seeing the MSN traffic properly for this sample and we will be updating our engines to better handle this type of behavior.
" }- You always do and you do your job quite well! No question about that.
-{ Quote: "
Your file is also extremely new - seen by only a couple of users and seen for the absolute first time at 17:45 today (I determined it as malicious at 19:57, about 8 minutes after your report)." }- YES! :D And I am very happy about that cause it is very difficult to catch real zero-hour threats to test some antivirus programs and other defensive techniques.

-{ Quote: "
It is starting to spread wider now (up to some dozen users in the span of < 3 hours) but everyone past the second user has been protected from it." }- Yes, cause I threw it up here, or would it have been caught without my intervention?

And why did my PrevX (with highest settings) not stop it by age protection?


PS: Do I have to change to Apply after Age/Popularity detection?

What is safer?

PrevxHelp
August 17th, 2009, 05:56 PM
-{ Quote: " Ok, so it is more about similarity than about behavior?" }-

It's about similarity, behavior, and similarity of behavior :) Generally, most threats are variants of existing threats so it's easy to tie them back. If something is absolutely brand new, it takes a bit more work to correlate - possibly requiring additional data.

-{ Quote: "You always do and you do your job quite well! No question about that." }-

Thank you :)

-{ Quote: "Yes, cause I threw it up here, or would it have been caught without my intervention?" }-

I suspect it would have been automatically caught very soon after I marked it based on the speed at which it is spreading (and the additional data we now have on the file).

-{ Quote: "And why did my PrevX (with highest settings) not stop it by age protection?" }-

That is indeed a very good question... and one I'm not sure I can answer currently. Could you let me know how you originally got/tested the file? (i.e. did you run it from a browser or double clicking in Windows Explorer?) Age/Popularity protection doesn't apply to a right-click scan so that could be one reason, but it would be good to know how the file came in so that I can investigate it closer :)

PrevxHelp
August 17th, 2009, 05:57 PM
-{ Quote: "
PS: Do I have to change to Apply after Age/Popularity detection?

What is safer?" }-

Apply before is safer - it says that the advanced heuristics (different than the rest of our heuristics) are considered regardless of the age of the file.

Habakuck
August 17th, 2009, 06:11 PM
-{ Quote: "Apply before is safer - it says that the advanced heuristics (different than the rest of our heuristics) are considered regardless of the age of the file." }- O.k. This is what I thought.

-{ Quote: "I suspect it would have been automatically caught very soon after I marked it based on the speed at which it is spreading (and the additional data we now have on the file)." }- I did not get that yet.
Please explain the procedure again. In case I hadn't thrown it up here (hope that is grammatically correct!? ^^)...

-{ Quote: "That is indeed a very good question... and one I'm not sure I can answer currently. Could you let me know how you originally got/tested the file? (i.e. did you run it from a browser or double clicking in Windows Explorer?) Age/Popularity protection doesn't apply to a right-click scan so that could be one reason, but it would be good to know how the file came in so that I can investigate it closer" }- I opened the link with sandboxed Firefox.
Firefox asked me if I wanted to download this .jpg.exe file and I did so.
After that I executed the file in the sandboxed Explorer by double-clicking it.
The reptile.exe was created but wasn't able to connect to the internet because of my sandbox settings.
That's it.
System is a Vista HP SP2 laptop.

PrevxHelp
August 17th, 2009, 06:15 PM
-{ Quote: "Please explain the procedure again. In case I hadn't thrown it up here (is that grammatically correct? ^^)..." }-

Our database automatically determines files in realtime and analyzes them constantly as new data is found. We automatically find ~20-30,000 new files every day as malicious - we manually determine only a few :)

-{ Quote: "I opened the link with sandboxed Firefox.
Firefox asked me if I wanted to download this .jpg.exe file and I did so.
After that I executed the file in the sandboxed Explorer by double-clicking it.
The reptile.exe was created but wasn't able to connect to the internet because of my sandbox settings.
That's it.
System is a Vista HP SP2 laptop." }-

That's the reason - executing it sandboxed will completely change the behavior and may cause us to not detect a file we would have normally detected.

Habakuck
August 17th, 2009, 06:23 PM
-{ Quote: "Our database automatically determines files in realtime and analyzes them constantly as new data is found. We automatically find ~20-30,000 new files every day as malicious - we manually determine only a few" }- So it would have been analysed automatically and marked as bad without user intervention?!

-{ Quote: "That's the reason - executing it sandboxed will completely change the behavior and may cause us to not detect a file we would have normally detected." }- Hm, behavior, OK. But I thought the age protection would work like "only allow programs which have been seen by a very large percentage of the PrevX Community". So, sandboxed or not: the file is brand new and wasn't seen by any percentage of the PrevX Community.

Can you reproduce whether Prevx would have caught the file outside the sandbox?

PrevxHelp
August 17th, 2009, 06:31 PM
-{ Quote: "So it would have been analysed automatically and marked as bad without user intervention?!" }-

Yes, except in some stray cases, all of our research is done automatically which allows us to have a microscopic research team in comparison to most AV companies with hundreds/thousands of researchers :)

-{ Quote: "Hm, behavior, OK. But I thought the age protection would work like "only allow programs which have been seen by a very large percentage of the PrevX Community". So, sandboxed or not: the file is brand new and wasn't seen by any percentage of the PrevX Community.

Can you reproduce whether Prevx would have caught the file outside the sandbox?" }-

I will need to take a closer look at this. There may be an issue in the fact that the sandbox would prevent any behaviors from happening, so we wouldn't see the file doing anything within the system which would lead to the "missed" detection.

There is an ongoing thread at the moment with other users that have problems under a sandbox and I suspect the same issues are what you're encountering. We're nearing the end of massive changes for Prevx 3.5 which is why we haven't tested the sandbox issue yet (as we will be waiting until 3.5 to release any fix).

I will let you know as soon as I have an answer :)
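The exchange above keeps circling two mechanisms: rule-based behaviour detection of the kind Habakuck describes (a file that hides its window, creates an autostart entry and sends mail or instant messages), and the age/popularity protection PrevxHelp describes, which fires on files the community has barely seen, is skipped for a right-click scan, and is complemented by heuristics that run either "before" or "after" the age check; meanwhile a sandbox hides the very behaviours the rules would need. The Python model below is an added illustration for this page, not Prevx's code, and puts those pieces together so the sandboxed and live outcomes can be compared side by side. The rule contents, the 24-hour/50-user thresholds, and the reading of "Apply after" as "behaviour heuristics are consulted only for files that are still new and rare" are my assumptions.

```python
"""Toy model of the two detection layers debated in the thread.

Added illustration only: not Prevx's engine. Rule contents, thresholds
and the reading of the "Apply before/after" setting are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileTelemetry:
    ident: str                          # constructed label, not a real PX5
    first_seen_hours_ago: float         # how long the community has known the file
    seen_by_users: int                  # how many endpoints have reported it
    behaviors: frozenset = frozenset()  # behaviours actually observed on the host


# Constructed rule sets modelled on the example in the thread: every behaviour
# in a rule must have been observed for the rule to fire.
BEHAVIOR_RULES = (
    frozenset({"hidden_window", "autostart", "sends_email"}),
    frozenset({"autostart", "opens_social_site", "sends_im"}),
)

NEW_FILE_HOURS = 24   # assumed: younger than this counts as "new"
MIN_POPULARITY = 50   # assumed: fewer reporters than this counts as "rare"


def matched_behavior_rule(observed):
    """Return the first rule fully contained in the observed behaviours, else None."""
    for rule in BEHAVIOR_RULES:
        if rule <= observed:
            return rule
    return None


def is_new_and_rare(t):
    return t.first_seen_hours_ago < NEW_FILE_HOURS and t.seen_by_users < MIN_POPULARITY


def classify(t, scan_context="realtime", heuristics_before_age=True):
    """Return (verdict, reason) for one file.

    scan_context: "realtime" or "right_click_scan". The thread states that
    age/popularity protection does not apply to a right-click scan.
    heuristics_before_age: True models "Apply before" (behaviour heuristics
    considered regardless of file age). False models "Apply after", read here
    as: behaviour heuristics are only consulted for files that are new and rare.
    """
    new_and_rare = is_new_and_rare(t)
    if heuristics_before_age or new_and_rare:
        rule = matched_behavior_rule(t.behaviors)
        if rule is not None:
            return "malicious", "behaviour rule matched: " + ", ".join(sorted(rule))
    if scan_context == "realtime" and new_and_rare:
        return "suspicious", ("age/spread criteria violation: first seen %.1f h ago, %d users"
                              % (t.first_seen_hours_ago, t.seen_by_users))
    return "clean", "no rule matched"


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: the same brand-new file run
    # inside a sandbox that blocked the network (nothing observed) and live.
    sandboxed = FileTelemetry("sample-A", 0.2, 2)
    live = FileTelemetry("sample-A", 0.2, 2,
                         frozenset({"autostart", "opens_social_site", "sends_im"}))
    for label, t, ctx in [("sandboxed, realtime", sandboxed, "realtime"),
                          ("sandboxed, right-click scan", sandboxed, "right_click_scan"),
                          ("live run, realtime", live, "realtime")]:
        print(label, "->", classify(t, scan_context=ctx))
```

The sandboxed run produces no behaviours, so only the age/popularity layer can catch it, and that layer is skipped entirely for a right-click scan; an old, widely seen file with bad behaviours is caught under "Apply before" but not under the "Apply after" reading, which is the sense in which the thread calls "before" the safer setting.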

Habakuck
August 17th, 2009, 06:44 PM
Very good.

Thanks for your open ears and longanimous answers Joe. :thumb:

TonyW
August 17th, 2009, 08:07 PM
-{ Quote: "
I opened the link with sandboxed Firefox.
Firefox asked me if I wanted to download this .jpg.exe file and I did so.
After that I executed the file in the sandboxed Explorer by double-clicking it.
The reptile.exe was created but wasn't able to connect to the internet because of my sandbox settings." }- This sounds a lot like the issues discussed in this thread (http://www.wilderssecurity.com/showthread.php?t=250434); PrevxHelp said they're investigating the Sandboxie problem.

funkydude
August 18th, 2009, 01:02 AM
-{ Quote: "This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of
its recipients. The following addresses failed:

<report@prevxresearch.com>

SMTP error from remote server after transfer of mail text:
host aspmx.l.google.com[209.85.220.12]:
552-5.7.0 Our system detected an illegal attachment on your message. Please
552-5.7.0 visit http://mail.google.com/support/bin/answer.py?answer=6590 to
552 5.7.0 review our attachment guidelines. 12si9198202fxm.53" }-

I guess password protected zip files are no longer good enough for prevx? I'm not sure what google has to do with this, no I'm not using a google account.

PrevxHelp
August 18th, 2009, 01:09 AM
-{ Quote: "I guess password protected zip files are no longer good enough for prevx? I'm not sure what google has to do with this, no I'm not using a google account." }-

I think we're using Google for part of the email hosting of the report@prevxresearch.com domain. Could you try sending the file in a rar/7z/other archive type to see if it gets through?

I'm not sure why Google blocks password protected zips but it is quite annoying :-\

Habakuck
August 18th, 2009, 06:19 AM
QIP and some of its registry entries are detected as malicious.
I am a bit confused cause VirusTotal shows a problem with that file, but I think it is safe.
~snip~VirusTotal URL removed as per policy
-{ Quote: "[B] c:\program files\qip\qip.exe [PX5: D3BC942C00CE6F7D12B032281418C4007D4D7751] Malware Group: Medium Risk Malware" }-

And I have the slight feeling that something is terribly wrong here. Several other legitimate apps are marked as -{ Quote: "Malware Group: Community.OuterEdge" }- in the log. But they don't show up in the scan results. (Thank God they are clean.)

I will PM Joe my log.

PrevxHelp
August 18th, 2009, 09:41 AM
-{ Quote: "QIP and some of its registry entries are detected as malicious.
I am a bit confused cause VirusTotal shows a problem with that file, but I think it is safe.
~snip~VirusTotal URL removed as per policy" }-

-{ Quote: "And I have the slight feeling that something is terribly wrong here. Several other legitimate apps are marked as "Malware Group: Community.OuterEdge" in the log. But they don't show up in the scan results. (Thank God they are clean.)

I will PM Joe my log." }-

The seemingly terrifying number of "detections" are not detections - it's just a flag we use that will be changed to a much more friendly designation than saying it is malware in the next version :)

There is quite a bit of consistency in the VirusTotal link so I tend to think the detection is correct. However, could you send me the file so that I can analyze it to see if it is really a FP?

Habakuck
August 18th, 2009, 11:16 AM
Of course i will send you the file.

~snip~Possible malicious URL removed

Password is

infected

Hopefully not! :o I run qip on my production PC here....

Habakuck
August 18th, 2009, 11:40 AM
OMG! I think i really got hit.

A^2 says W32/Induct.

And I read about this threat today! :o http://www.viruslist.com/en/weblog?weblogid=208187826 On heise.de there is an article about that virus too: http://www.heise.de/security/Virus-infiziert-Entwicklungsumgebung-Update--/news/meldung/143679

I can't believe that! Several other programs seem to be infected too, like AnyTV and TidyFavorites on the Chip.de CD!

markusg
August 18th, 2009, 01:32 PM
Win32.induc.a
~snip~Possible malicious URL removed

Habakuck
August 18th, 2009, 01:41 PM
There are an awful lot of infected installers in the wild at the moment!

I am waiting desperately for Joe's answer cause I am not sure what to do.

PrevxHelp
August 18th, 2009, 01:43 PM
A note to all: If you could please send possible malware directly to report@prevxresearch.com using the instructions in http://www.wilderssecurity.com/showthread.php?t=245129 it would be greatly appreciated :) We don't want any users to unsuspectingly click on a link and end up infected :-\

PrevxHelp
August 18th, 2009, 01:44 PM
-{ Quote: "There are an awful lot of infected installers in the wild at the moment!

I am waiting desperately for Joe's answer cause I am not sure what to do." }-

This does look like a new file infector - we're in the process of investigating/analyzing it to see what can be done.

Habakuck
August 18th, 2009, 01:51 PM
Thanks so far.
Further Information: http://www.f-secure.com/weblog/archives/00001752.html
http://www.viruslist.com/en/weblog?weblogid=208187826

TonyW
August 18th, 2009, 02:26 PM
-{ Quote: "A note to all: If you could please send possible malware directly to report@prevxresearch.com using the instructions in http://www.wilderssecurity.com/showthread.php?t=245129 it would be greatly appreciated :)" }- Agreed, but sometimes no response is given even if a decision is taken not to add the application(s) to the database.

A good example of this is the Perfect Uninstaller program I mentioned earlier in this thread at post #246; I had emailed about it 3 days previously (admittedly without the PX5 identifiers - will try to add those in future), but no response was received so I gave it time in case you were analysing it still. The program was/is still not being detected, perhaps rightly so, but I posted here to draw attention to it.

I hope you do get the emails as 2 weeks ago there was an issue because someone was on holiday so you missed it. -{ Quote: "I found your submission - there was a management issue in report@prevxresearch... it was assigned to Marco (EraserHW) but he's on vacation currently" }-

PrevxHelp
August 18th, 2009, 02:38 PM
-{ Quote: "Agreed, but sometimes no response is given even if a decision is taken not to add the application(s) to the database.

A good example of this is the Perfect Uninstaller program I mentioned earlier in this thread at post #246; I had emailed about it 3 days previously (admittedly without the PX5 identifiers - will try to add those in future), but no response was received so I gave it time in case you were analysing it still. The program was/is still not being detected, perhaps rightly so, but I posted here to draw attention to it.

I hope you do get the emails as 2 weeks ago there was an issue because someone was on holiday so you missed it." }-

Hmm.... I found your email about Perfect Uninstaller and you're correct that the email was deleted and not responded to. This is against our policy (we should respond to every message, albeit probably later than when we originally add the detection) and I'll be looking into why this was dismissed in this manner.

However, regarding Perfect Uninstaller - I personally wouldn't consider this to be rogue. It's true that they do require you to pay to uninstall programs but they do appear to provide additional functionality on top of the default uninstall routines (and they do provide the user with the relevant information on the areas that would be removed).

Again, sorry for the complete lack of a response - that definitely isn't helpful to anyone! :-[

EraserHW
August 18th, 2009, 04:02 PM
-{ Quote: "Agreed, but sometimes no response is given even if a decision is taken not to add the application(s) to the database.

A good example of this is the Perfect Uninstaller program I mentioned earlier in this thread at post #246; I had emailed about it 3 days previously (admittedly without the PX5 identifiers - will try to add those in future), but no response was received so I gave it time in case you were analysing it still. The program was/is still not being detected, perhaps rightly so, but I posted here to draw attention to it." }-

That's my fault. I apologize about it. I handled a number of reports present in our report e-mail account and I was sure I replied to yours too. Instead, the e-mail was still here on my e-mail client and wasn't successfully sent.

I still apologize about it, anyway we always reply to all e-mails we receive. If for any reason you don't get a response it's because there has been an error for sure.

Thank you for your patience.

trjam
August 18th, 2009, 04:05 PM
what a man, taking the fall for Joe.:blink:

Habakuck
August 18th, 2009, 04:09 PM
Good Team... ;) As it should be. :thumb:

TonyW
August 18th, 2009, 07:04 PM
-{ Quote: "However, regarding Perfect Uninstaller - I personally wouldn't consider this to be rogue.

Again, sorry for the complete lack of a response - that definitely isn't helpful to anyone! :-[" }- Thanks for your response re: Perfect Uninstaller and apology for lack of response. That goes for EraserHW too. :) I appreciate both of you being upfront about it.

Now I can remove PU from my sandbox. ;D

Page42
August 19th, 2009, 09:31 PM
aswmon2.sys & aswmon.sys

These are avast! file system filter drivers, I believe. The Prevx alert, as you can see, popped up while running a Hitman Pro scan...

Page42
August 19th, 2009, 09:47 PM
As a quick follow up to the above fp's...

FYI, initially I got the same behavior that I alluded to here (http://www.wilderssecurity.com/showpost.php?p=1524153&postcount=4425), wherein clicking "View Threats" produced a scan instead. The scan came up clean.

I then removed the Detection Overrides I had put in place for these two files and re-scanned and all was good.

Hugger
August 20th, 2009, 12:04 AM
I don't understand one thing. Actually, there's a lot in life I don't understand yet but this is a good place to start.
If Hitman is using the latest from Prevx, why does Prevx pop up with a 'false positive' while Hitman says that nothing was found?
Hugger

PrevxHelp
August 20th, 2009, 01:01 AM
Those FPs are caused by the age/popularity heuristics - could you let me know what your heuristic settings are? Higher settings could sometimes produce more FPs for these detections.

Hitman Pro uses part of our engine but not the whole thing - Prevx contains additional rootkit scanning and heuristics in realtime which will detect additional malware on top of the threats we find with the default scanning.

Page42
August 20th, 2009, 01:15 AM
Heuristics are maximum, Joe. I am not in any way distraught about such findings... it's easy enough to investigate the files in question, after trusting one time. I know I can adjust the heuristics downward, but I don't mind the occasional fp if it means enhanced protection.

Is it correct that after Prevx alerted on those two avast! files (and on two machines, also) that the cloud then recognized them and no longer ID'd them as risks? ... because subsequent scans, within minutes, came up clean.

PrevxHelp
August 20th, 2009, 01:16 AM
-{ Quote: "Heuristics are maximum, Joe. I am not in any way distraught about such findings... it's easy enough to investigate the files in question, after trusting one time. I know I can adjust the heuristics downward, but I don't mind the occasional fp if it means enhanced protection.

Is it correct that after Prevx alerted on those two avast! files (and on two machines, also) that the cloud then recognized them and no longer ID'd them as risks? ... because subsequent scans, within minutes, came up clean." }-

Yes, that's correct - we tend to learn about files quite quickly so the FPs generally fix themselves (and I get to sit back and not do anything :))

Page42
August 20th, 2009, 01:21 AM
-{ Quote: "(and I get to sit back and not do anything :))" }-
I'm sure that's not exactly the way it goes, Joe. ;)

funkydude
August 20th, 2009, 02:52 AM
I dumped a log from an XP gaming machine that still has Prevx on it; here's a bunch of FP's that may or may not be fixed.

-{ Quote: "[DN] (ACTIVE) c:\***\mozilla\firefox\profiles\lyocze1p.default\extensions\keyscrambler@qfx.software.corporation\components\keyscramblerie.dll [PX5: 17F30311F048B2907E5B0C9FE1F5DB00359C347E] Malware Group: Community.OuterEdge
[DN] (ACTIVE) c:\***\mozilla\firefox\profiles\3qbfg8az.default\extensions\keyscrambler@qfx.software.corporation\components\keyscramblerie.dll [PX5: 17F30311F048B2907E5B0C9FE1F5DB00359C347E] Malware Group: Community.OuterEdge
[DN] (ACTIVE) c:\***\mozilla\firefox\profiles\lyocze1p.default\extensions\keyscrambler@qfx.software.corporation\components\keyscramblerie.dll [PX5: 17F30311F048B2907E5B0C9FE1F5DB00359C347E] Malware Group: Community.OuterEdge
[D] (ACTIVE) c:\***\team fortress 2\bin\inputsystem.dll [PX5: 660CAE62F8442EC9C4D40144420DE90094CCD42D] Malware Group: Community.OuterEdge
[D] (ACTIVE) c:\***\team fortress 2\bin\haptics.dll [PX5: 194A7093F8019A03A400031F279438007203B3CB] Malware Group: Community.OuterEdge
[D] (ACTIVE) c:\***\team fortress 2\bin\adminserver.dll [PX5: 3BDA79AAF88A9CB8E4460B272AA18F0084D66CFA] Malware Group: Community.OuterEdge
[D] c:\***\team fortress 2\bin\inputsystem.dll [PX5: 660CAE62F8442EC9C4D40144420DE90094CCD42D] Malware Group: Community.OuterEdge
[D] c:\***\team fortress 2\bin\haptics.dll [PX5: 194A7093F8019A03A400031F279438007203B3CB] Malware Group: Community.OuterEdge

[DPN] (ACTIVE) c:\***\apps\2.0\lnatxyx0.4jy\1ojcgdj9.yae\curs..tion_eee711038731a406_0004.0000_782676a957ae6288\curseclient.exe [PX5: 44E4148C00EDB0D8823309FA0D16E1005AC8BDB2] Malware Group: Community.OuterEdge
[DPN] c:\***\apps\2.0\lnatxyx0.4jy\1ojcgdj9.yae\curs..ient_3cbc29eb0a26dbf9_0004.0000_none_0c5254890c13bfbf\curseclient.exe [PX5: 44E4148C00EDB0D8823309FA0D16E1005AC8BDB2] Malware Group: Community.OuterEdge" }-

PrevxHelp
August 20th, 2009, 05:08 AM
Did you actually see these FPs in realtime? We log "Malware Group: Community.OuterEdge" into the log just as a flag without actually warning in many cases (so some users could end up with hundreds of them, not meaning we would have detected all of those files if they were run :))

Regardless, I've fixed these files anyway and they are now trusted in the database.
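The log excerpt above, together with PrevxHelp's explanation that "Malware Group: Community.OuterEdge" is written to the log as a flag rather than a warning, is enough to build a small triage parser. The Python below is an added example, not a Prevx tool: it parses lines of that shape, collapses repeated entries by PX5 identifier, and separates entries a user should actually look at from informational flags. The regular expression is inferred only from the lines visible in this thread, the flag letters ([DN], [D], [DPN], [B]) are captured but not interpreted since the thread does not explain them, and the sample log consists of the thread's own lines (paths already redacted with ***) plus the QIP line quoted earlier.

```python
"""Triage parser for Prevx 3 scan-log lines of the shape posted in the thread.

Added example, not a Prevx tool. The line format is inferred from the posted
lines; the set of informational groups is an assumption based on PrevxHelp's
remark that Community.OuterEdge is "just a flag".
"""
import re
from collections import Counter

# One log line: [FLAGS] (STATE)? path [PX5: 40 hex chars] Malware Group: label
LOG_LINE = re.compile(
    r"^\[(?P<flags>[A-Z]+)\]\s+"                 # flag letters such as [DN]; not decoded here
    r"(?:\((?P<state>[A-Z]+)\)\s+)?"             # optional state, e.g. (ACTIVE)
    r"(?P<path>.+?)\s+"                          # file path, may contain spaces (lazy, stops at PX5)
    r"\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]\s+"   # Prevx's PX5 file identifier
    r"Malware Group:\s*(?P<group>.+?)\s*$"       # group label, may contain spaces
)

# Assumption: only the group PrevxHelp explicitly called a flag is informational.
INFORMATIONAL_GROUPS = {"Community.OuterEdge"}


def parse_line(line):
    """Return a dict for one log line, or None if the line is not a detection record."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["active"] = entry.pop("state") == "ACTIVE"
    entry["informational"] = entry["group"] in INFORMATIONAL_GROUPS
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Collapse repeats by PX5 and report what actually needs a human to look at it."""
    by_px5 = {}
    for e in entries:
        by_px5.setdefault(e["px5"].upper(), e)   # first occurrence wins
    unique = list(by_px5.values())
    return {
        "lines": len(entries),
        "unique_files": len(unique),
        "active": sum(e["active"] for e in entries),
        "actionable": [e["path"] for e in unique if not e["informational"]],
        "groups": Counter(e["group"] for e in unique),
    }


# Sample input: the lines posted in this thread (paths redacted by the poster),
# plus the QIP line quoted earlier in the thread.
SAMPLE_LOG = r"""
[DN] (ACTIVE) c:\***\mozilla\firefox\profiles\lyocze1p.default\extensions\keyscrambler@qfx.software.corporation\components\keyscramblerie.dll [PX5: 17F30311F048B2907E5B0C9FE1F5DB00359C347E] Malware Group: Community.OuterEdge
[DN] (ACTIVE) c:\***\mozilla\firefox\profiles\3qbfg8az.default\extensions\keyscrambler@qfx.software.corporation\components\keyscramblerie.dll [PX5: 17F30311F048B2907E5B0C9FE1F5DB00359C347E] Malware Group: Community.OuterEdge
[DN] (ACTIVE) c:\***\mozilla\firefox\profiles\lyocze1p.default\extensions\keyscrambler@qfx.software.corporation\components\keyscramblerie.dll [PX5: 17F30311F048B2907E5B0C9FE1F5DB00359C347E] Malware Group: Community.OuterEdge
[D] (ACTIVE) c:\***\team fortress 2\bin\inputsystem.dll [PX5: 660CAE62F8442EC9C4D40144420DE90094CCD42D] Malware Group: Community.OuterEdge
[D] (ACTIVE) c:\***\team fortress 2\bin\haptics.dll [PX5: 194A7093F8019A03A400031F279438007203B3CB] Malware Group: Community.OuterEdge
[D] (ACTIVE) c:\***\team fortress 2\bin\adminserver.dll [PX5: 3BDA79AAF88A9CB8E4460B272AA18F0084D66CFA] Malware Group: Community.OuterEdge
[D] c:\***\team fortress 2\bin\inputsystem.dll [PX5: 660CAE62F8442EC9C4D40144420DE90094CCD42D] Malware Group: Community.OuterEdge
[D] c:\***\team fortress 2\bin\haptics.dll [PX5: 194A7093F8019A03A400031F279438007203B3CB] Malware Group: Community.OuterEdge

[DPN] (ACTIVE) c:\***\apps\2.0\lnatxyx0.4jy\1ojcgdj9.yae\curs..tion_eee711038731a406_0004.0000_782676a957ae6288\curseclient.exe [PX5: 44E4148C00EDB0D8823309FA0D16E1005AC8BDB2] Malware Group: Community.OuterEdge
[DPN] c:\***\apps\2.0\lnatxyx0.4jy\1ojcgdj9.yae\curs..ient_3cbc29eb0a26dbf9_0004.0000_none_0c5254890c13bfbf\curseclient.exe [PX5: 44E4148C00EDB0D8823309FA0D16E1005AC8BDB2] Malware Group: Community.OuterEdge
[B] c:\program files\qip\qip.exe [PX5: D3BC942C00CE6F7D12B032281418C4007D4D7751] Malware Group: Medium Risk Malware
"""

if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(key, "->", value)
```

Run against the eleven sample lines it reports six distinct files, seven entries marked (ACTIVE), and a single actionable path (the QIP executable); the ten Community.OuterEdge lines collapse to five files and are set aside as informational, which is exactly the distinction PrevxHelp draws between the flag and a real detection.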

Hugger
August 20th, 2009, 11:24 AM
-{ Quote: "Those FPs are caused by the age/popularity heuristics - could you let me know what your heuristic settings are? Higher settings could sometimes produce more FPs for these detections.

Hitman Pro uses part of our engine but not the whole thing - Prevx contains additional rootkit scanning and heuristics in realtime which will detect additional malware on top of the threats we find with the default scanning." }-

Heuristics are set to max, medium and medium respectively.
Now that I understand what is happening I'm not concerned about it.
Thanks for your help.
Hugger

Page42
August 20th, 2009, 07:55 PM
What I am seeing is that Prevx finds the same fp files repeatedly when I run Hitman Pro.

These fp's were noted here (http://www.wilderssecurity.com/showpost.php?p=1527736&postcount=286) yesterday. I thought that those two files were finally recognized by Prevx as fp's, but they are back again, with numerous other Alwil drivers flagged by Prevx. Yes, heuristics are on maximum, but my understanding was that the cloud would soon recognize these Alwil files and stop flagging them... in fact I thought that was the case yesterday, but evidently not.

FWIW, in addition to the two files yesterday (aswmon.sys & aswmon2.sys), Prevx is now identifying...

aswRdr.sys
aswFsBlk.sys
aswSP.sys
aavmker4.sys

as threats that should be removed.

Now here's the confusing part. After removing these files from the Prevx Detection Override, I right-click scan my system32\driver folder and Prevx says all files are clean. But if I run Hitman Pro again, Prevx jumps up and alerts on all of them as threats! It also ID's some in the Alwil program file.

Maybe this behavior makes sense to you, Joe. It's strange to me. Is it all due to maximum settings for heuristics? Does that explain clean Prevx scans (even of the specific driver folder), and subsequent Prevx alerts during Hitman Pro scans?

Also, as a suggestion, I'd like to recommend that Prevx Detection Override feature have a "Select All" option for removal, so that I don't have to take each fp out of there individually. Maybe that option already exists and I didn't look around enough.

PrevxHelp
August 21st, 2009, 02:24 AM
This doesn't really make sense to me ;D It sounds like an issue - but could you mail over a scan log so I can see exactly what's happening? I'm thinking Avast may be randomizing its drivers when it scans (possibly to evade malware blocking different components) but we have been making some large changes to the behavior for users on maximum protection so these FPs could be the result of those.

A scan log will definitely help to either let us tune the rules better or at least to fix these individual FPs :)

(Also, detection overrides doesn't have a select all feature.)

TonyW
August 21st, 2009, 07:33 AM
-{ Quote: "
(Also, detection overrides doesn't have a select all feature.)" }- It doesn't currently, but he's suggesting it should.

Page42
August 21st, 2009, 03:50 PM
-{ Quote: "This doesn't really make sense to me ;D It sounds like an issue - but could you mail over a scan log so I can see exactly what's happening? I'm thinking Avast may be randomizing its drivers when it scans (possibly to evade malware blocking different components) but we have been making some large changes to the behavior for users on maximum protection so these FPs could be the result of those.

A scan log will definitely help to either let us tune the rules better or at least to fix these individual FPs :)

(Also, detection overrides doesn't have a select all feature.)" }-
Okay, I will send a scan log. FYI, on reboot just now I received an Age/Spread Criteria Violation Detection on aswRdr.sys... max heuristics, I know, but it's the same file I've been getting for a couple of days.

nintendoman
August 21st, 2009, 05:53 PM
Hi!

I've recently scanned my computer using Prevx 3 and it finds pixetell.exe as a Low Risk Adware. I can say for sure it's not malware. It's kinda like a multimedia communication tool for e-mail.
You can check it out here: http://www.ontier.com/

PrevxHelp
August 22nd, 2009, 01:19 AM
-{ Quote: "Hi!

I've recently scanned my computer using Prevx 3 and it finds pixetell.exe as a Low Risk Adware. I can say for sure it's not malware. It's kinda like a multimedia communication tool for e-mail.
You can check it out here: http://www.ontier.com/" }-

I believe I've fixed the false positive - if you try running another scan, it should be fixed :)

Page42
August 22nd, 2009, 01:47 PM
-{ Quote: "A scan log will definitely help to either let us tune the rules better or at least to fix these individual FPs" }-
My last Hitman Pro scan did not produce any avast! FPs from Prevx.
-{ Quote: "Also, as a suggestion, I'd like to recommend that Prevx Detection Override feature have a "Select All" option for removal, so that I don't have to take each fp out of there individually." }-
Can this be added?

PrevxHelp
August 22nd, 2009, 01:49 PM
-{ Quote: "
Can this be added?" }-

We will consider it but currently there isn't much of a demand for it - users rarely see FPs and adding an extra checkbox in the interface could overcomplicate the decision process for the average user.

Page42
August 22nd, 2009, 01:56 PM
-{ Quote: "We will consider it but currently there isn't much of a demand for it - users rarely see FPs and adding an extra checkbox in the interface could overcomplicate the decision process for the average user." }-
By not much of a demand, do you mean no one else has suggested it? As for overcomplicating the decision process, I think you could slip one little "Select all" into this dialog without confusing the masses. ;)

PrevxHelp
August 23rd, 2009, 01:27 AM
-{ Quote: "By not much of a demand, do you mean no one else has suggested it? As for overcomplicating the decision process, I think you could slip one little "Select all" into this dialog without confusing the masses. ;)" }-

Indeed we haven't had any other suggestions of it but it would be a worthy addition :)

rolarocka
August 23rd, 2009, 08:38 AM
FP with gmer:
[BP] c:\program files\gmer\gmer.exe [PX5: ABD49BF200C56E4C6803046DAE13BE00583EB383] Malware Group: High Risk Cloaked Malware

http://majorgeeks.com/GMER_d5198.html

PrevxHelp
August 23rd, 2009, 12:13 PM
-{ Quote: "FP with gmer:
[BP] c:\program files\gmer\gmer.exe [PX5: ABD49BF200C56E4C6803046DAE13BE00583EB383] Malware Group: High Risk Cloaked Malware

http://majorgeeks.com/GMER_d5198.html" }-

Fixed - I knew this would happen sooner or later ;D GMER's random file name downloads look increasingly suspicious :)

Dave53
August 23rd, 2009, 06:30 PM
GesWall 2.9 is being flagged as a High Risk Worm on a new installation on a new netbook. VirusTotal shows it detected by Prevx, Sophos, and McAfee Artemis. I had this problem on another machine when I was getting a FP with AntiVir.

Prevx is not flagging this file on my other machines (older installations).

File can be found here:

http://gentlesecurity.com/download.htm

Thanks,

Dave

PrevxHelp
August 23rd, 2009, 11:57 PM
-{ Quote: "GesWall 2.9 is being flagged as a High Risk Worm on a new installation on a new netbook. VirusTotal shows it detected by Prevx, Sophos, and McAfee Artemis. I had this problem on another machine when I was getting a FP with AntiVir." }-

I believe I've corrected the false positive - could you try running another scan?

Dave53
August 24th, 2009, 09:00 AM
-{ Quote: "I believe I've corrected the false positive - could you try running another scan?" }-

I deleted my override and ran 2 scans, and it appears to be fixed.

Thanks!

Dave

StevieO
August 24th, 2009, 12:00 PM
Hi,

flushflash.exe


The other one listed, not shown, I know about; that one I tested.

Which I discovered through here - http://www.broadbandreports.com/forum/r22909209-Free-Flush-Flash-eradicate-those-nasty-flash-cookies

Scanned online at various places, all clean except,


Comodo - Heur.Packed.Unknown

CP Secure - BackDoor.W32.GrayBird.aj


So FP or ?

PrevxHelp
August 24th, 2009, 01:04 PM
This does look like a FP - I've corrected it but it's hard to say if I got the exact file which you're referring to. Can you try running another scan to see if it is fixed?

Thanks! :)

StevieO
August 24th, 2009, 01:14 PM
All GREEN now


Thanx

webster
August 24th, 2009, 09:10 PM
This one http://info.prevx.com/aboutprogramtext.asp?PX5=BA98697400F6BA678015005A4250B7009CE08CC8

I believe MAXA Cookie Manager is legitimate ;)

PrevxHelp
August 24th, 2009, 09:16 PM
-{ Quote: "
I believe MAXA Cookie Manager is legitimate ;)" }-

It is :) Thanks for the report!

Dark Star 72
August 25th, 2009, 11:03 AM
Joe,
A FP with Shadow Defender when trying to commit a downloaded PDF file. This version has been around some while and I have been committing files without any problems for ages - no idea why it should suddenly start now. Also tried committing several downloads I know are clean - same result on all of them.

PrevxHelp
August 25th, 2009, 11:06 AM
-{ Quote: "Joe,
A FP with Shadow Defender when trying to commit a downloaded PDF file. This version has been around some while and I have been committing files without any problems for ages - no idea why it should suddenly start now. Also tried committing several downloads I know are clean - same result on all of them." }-

That's strange indeed - could you try once again now to see if I've fixed the right file?

Dark Star 72
August 25th, 2009, 01:58 PM
-{ Quote: "That's strange indeed - could you try once again now to see if I've fixed the right file?" }-

:thumb: Working OK now without any problems.

Page42
August 25th, 2009, 02:39 PM
I have received two emails from Prevx saying my system is infected, each the result of a scan. The Prevx icon in the systray is green and when I search for the offending file, it is nowhere to be found. The filename is MEL-69047DAA0D94FF11128201E40FA144001643EE50.EXE

PrevxHelp
August 25th, 2009, 03:05 PM
-{ Quote: "I have received two emails from Prevx saying my system is infected, each the result of a scan. The Prevx icon in the systray is green and when I search for the offending file, it is nowhere to be found. The filename is MEL-69047DAA0D94FF11128201E40FA144001643EE50.EXE" }-

That's the Prevx test virus (which I believe you've been testing with in a different thread). It says it is currently in your recycle bin which is probably why you can't find it - it might be worth just emptying your recycle bin to see if that clears it up :)

Pain of Salvation
August 25th, 2009, 03:05 PM
ogacheckcontrol.dll is a malware or a FP?

Log file is attached

PrevxHelp
August 25th, 2009, 03:07 PM
-{ Quote: "ogacheckcontrol.dll is a malware or a FP?" }-

It was the latter, now it's neither :) Thanks for the report!

Page42
August 25th, 2009, 03:21 PM
-{ Quote: "That's the Prevx test virus (which I believe you've been testing with in a different thread). It says it is currently in your recycle bin which is probably why you can't find it - it might be worth just emptying your recycle bin to see if that clears it up :)" }-
Question is, how did it get into the recycle bin?

PrevxHelp
August 25th, 2009, 03:25 PM
-{ Quote: "Question is, how did it get into the recycle bin?" }-

Not sure :-\ Prevx doesn't move anything to the recycle bin on cleanup (or any other time).

Page42
August 25th, 2009, 03:43 PM
I tried adding Recycler folder to Detection Overrides and then scanning. The scan, again, came up clean green, but an email arrived within seconds saying I am infected (I posted the MyPrevx screen shot). Then I emptied the recycle bin using CCleaner and re-scanned with Prevx. Scan came back clean green and another email arrived from MyPrevx saying I am infected.

I will try the configuration change you suggested in the other thread (unticking both of the last items) and will report back.

Edit in: Reported back on specific thread (http://www.wilderssecurity.com/showthread.php?p=1530709#post1530709), if that's okay.

Tarnak
August 26th, 2009, 12:29 AM
During the scan by MBAM, I got the popup - "Threat Identified in File" > C:\WINDOWS\system32\drivers\SBREDrv.sys

Looks like a FP.;)

See attached screenshots:

See also, recent excerpt from scan log.

Prevx Scan Log - Version v3.0.1.65
Log Generated: 26/8/2009 14:05, Type: 1,8192
Windows XP Professional Service Pack 2 (Build 2600) 32bit|1033
Some non-malicious files are not included in this log.
Heuristics Settings: Age: 2, Pop: 2, Heu: 4 (Dir: 1)
Last Scan: Wed 2009-08-26 11:05:41 E. Australia Standard Time. Number of Scans: 532. Last Scan Duration: 14 minutes 58 seconds.
[D] c:\windows\system32\drivers\sbredrv.sys [PX5: B1E9E654B0C128C66E8201E7CAA9E600094909BC] Malware Group: Community.OuterEdge
[D] c:\$isr\1\windows\system32\drivers\sbredrv.sys [PX5: B1E9E654B0C128C66E8201E7CAA9E600094909BC] Malware Group: Community.OuterEdge
[D] c:\windows\system32\drivers\sbredrv.sys [PX5: B1E9E654B0C128C66E8201E7CAA9E600094909BC] Malware Group: Community.OuterEdge
[D] c:\windows\system32\sbbd.exe [PX5: C04760EA28AF6F49A18800A99DBCAC0062880C1B] Malware Group: Community.OuterEdge
[DN] (ACTIVE) c:\recycler\s-1-5-21-1417001333-2049760794-725345543-1003\dc757.exe [PX5: 5BF3813B30EDD274CBC904213272CD008582EBEC] Malware Group: Community.OuterEdge

EraserHW
August 26th, 2009, 04:03 AM
Thank you for the notification, it should be now fixed :)

microbial
August 26th, 2009, 06:51 PM
Happily browsing when a pop up from Prevx informed that mswsock.dll had been injected into my registry and asked if I wanted to allow it once, always, block etc so I hit block.

It then requested I reboot my PC. Only then did I google mswsock.dll to find it is "a module providing extensions for Winsock. Services provided by this file are not part of Winsock." [according to Uniblue anyway]

I'm guessing this is an FP but perhaps someone with greater savvy than me could confirm?

PrevxHelp
August 26th, 2009, 06:56 PM
-{ Quote: "Happily browsing when a pop up from Prevx informed that mswsock.dll had been injected into my registry and asked if I wanted to allow it once, always, block etc so I hit block.

It then requested I reboot my PC. Only then did I google mswsock.dll to find it is "a module providing extensions for Winsock. Services provided by this file are not part of Winsock." [according to Uniblue anyway]

I'm guessing this is an FP but perhaps someone with greater savvy than me could confirm?" }-

Hello,
Could you let us know what version of Prevx you're using? Prevx 3.0 does not have any warnings like this as it automates this decision process - you may want to upgrade to Prevx 3.0 if you are using Prevx 2.0 and do not find any benefit in the additional warnings.

microbial
August 26th, 2009, 07:04 PM
Thanks for the lightning fast response :o

What is strange is that I am running Prevx 3.0. I purchased a license last Sunday?!

PrevxHelp
August 26th, 2009, 07:11 PM
-{ Quote: "Thanks for the lightning fast response :o

What is strange is that I am running Prevx 3.0. I purchased a license last Sunday?!" }-

If I did manage to respond as fast as light I'd be scared! :) I'm unsure what warning you would have received, but it would be worth investigating it further if you could click Tools > Save Scan Results and then save the .log file to disk and email it to report@prevxresearch.com

We'll analyze it from there to see what would have caused the prompt. Let me know if you have any other questions!

microbial
August 26th, 2009, 07:29 PM
Thanks. Is there a setting whereby logs are saved automatically? Unfortunately I have no current saved logs. Would a pop up generate a log entry? It was a light silver box with the warning message. I do have all the heuristics settings at max which may be (a) overkill and (b) potentially disruptive...

If any further incidents occur I will grab a screen shot.

PrevxHelp
August 26th, 2009, 07:44 PM
-{ Quote: "Thanks. Is there a setting whereby logs are saved automatically? Unfortunately I have no current saved logs. Would a pop up generate a log entry? It was a light silver box with the warning message. I do have all the heuristics settings at max which may be (a) overkill and (b) potentially disruptive...

If any further incidents occur I will grab a screen shot." }-

The warning dialog from Prevx 3.0 should look like the one in this post: http://www.wilderssecurity.com/showpost.php?p=1530574&postcount=316

You should be able to create a log on demand by clicking Tools along the left side of the Prevx interface and then clicking Save Scan Results which will contain information on the newest scan you've run and most of the previously seen files as well. If this doesn't save them for you, let me know and I'll walk you through getting the other scan logs which are saved to disk automatically :)

Cherub
August 26th, 2009, 08:18 PM
I uninstalled KIS 2010 and reinstalled KIS 2009 and now Prevx is saying I'm infected.

The threat says,

klif.sys in c:\program files (x86)\kaspersky lab\kaspersky internet security 2009\klifx64

The weird thing is that I had both running just two days ago and no problems.

I did go to the Kaspersky website to download a new KIS 2009 file and it seems that is where the problem is.

I'm not sure what I should do. Is this a false positive?

PrevxHelp
August 26th, 2009, 08:22 PM
-{ Quote: "
I'm not sure what I should do. Is this a false positive?" }-

I'm almost positive it is - we have had some historic FPs against Kaspersky's klif.sys driver. There are a lot of infections which are using the klif.sys name as well so it's not possible to track down exactly which file you're seeing - could you send a scan log from Tools > Save Scan Results to report@prevxresearch.com so that I can correct the FP?

Thanks! :)

Cherub
August 26th, 2009, 08:27 PM
-{ Quote: "I'm almost positive it is - we have had some historic FPs against Kaspersky's klif.sys driver. There are a lot of infections which are using the klif.sys name as well so it's not possible to track down exactly which file you're seeing - could you send a scan log from Tools > Save Scan Results to report@prevxresearch.com so that I can correct the FP?

Thanks! :)" }-


Sure thing. Should I right click on the threat line where it says to report also?

I got a file, so I will send it by email right away. Just confused on what to do in Prevx now. Just leave it or what?

Sorry about being dumb about it, but since I don't want to clean it, I'm not sure how to get the threat detection off.

PrevxHelp
August 26th, 2009, 09:00 PM
-{ Quote: "Sure thing. Should I right click on the threat line where it says to report also?

I got a file, so I will send it email right away. Just confused on what to do on Prevx now. Just leave it or what?

Sorry about being dumb about it, but since I don't want to clean it, I'm not sure how to get the threat detection off." }-

I've fixed the FP - we do prefer having FPs reported manually by sending a scan log in just to ensure that a human looks at it. This particular FP is caused by a more subtle rule which I've now identified. I've only corrected this particular file for now but I've forwarded the information to the research team so that they can get it fully corrected in the AM :)

Thanks for the report!

Cherub
August 26th, 2009, 11:41 PM
-{ Quote: "I've fixed the FP - we do prefer having FPs reported manually by sending a scan log in just to ensure that a human looks at it. This particular FP is caused by a more subtle rule which I've now identified. I've only corrected this particular file for now but I've forwarded the information to the research team so that they can get it fully corrected in the AM :)

Thanks for the report!" }-


No Problem. Thanks for the quick response. Glad to know it was OK.

acr1965
August 28th, 2009, 02:04 AM
I got this reported as malware-

http://www.fileinspect.com/task-manager/

It's from auslogics. Listed on their blog here-

http://www.auslogics.com/en/blog/2009/08/auslogics-task-manager-to-help-you-control-your-pc/

PrevxHelp
August 28th, 2009, 02:08 AM
-{ Quote: "I got this reported as malware-

http://www.fileinspect.com/task-manager/

It's from auslogics. Listed on their blog here-

http://www.auslogics.com/en/blog/2009/08/auslogics-task-manager-to-help-you-control-your-pc/" }-

I didn't receive a FP when testing it here - could you save a scan log by clicking Tools > Save Scan Results and send it to report@prevxresearch.com so I can ensure I'm looking at the exact file you have?

Thanks :)

acr1965
August 28th, 2009, 02:15 AM
-{ Quote: "I didn't receive a FP when testing it here - could you save a scan log by clicking Tools > Save Scan Results and send it to report@prevxresearch.com so I can ensure I'm looking at the exact file you have?

Thanks :)" }-

Not sure if this makes a difference, but when I scanned with Prevx I got the false positive and reported it as such. Then I just scanned with Hitman Pro and got the malware alert again. It does not show as a false positive anymore when I just use Prevx. But I thought that was because once I reported it as a false positive I got a message saying I wouldn't be warned about it anymore.

The MD5 hash of the Auslogics Task Manager program is 77601BB504C619C13614BEE4993628F0. And the SHA1 hash is F571DB0272E72B29ECB9C94210A813B718BCAE0D.

SvS
August 28th, 2009, 07:26 AM
The following file is identified as "Rootkit" (:doubt:):

[28/8/2009 13:18] The file [c:\program files\calibre\uninstall.exe] contains a threat of type [] - Identity: 823A04CA9D73EA731FC5163F7865390017546B86

The following related (more or less) entries are detected as well, the last two detections are kind of strange since these shortcuts do not point to any "uninstall.exe" at all. (I seriously hope I never have to clean my system using PrevX... :blink:)

[28/8/2009 13:18] The file [\??\C:\Users\[....]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\calibre\Uninstall calibre.lnk] contains a threat of type [Infected Entry: [uninstall.exe]] - Identity: 823A04CA9D73EA731FC5163F7865390017546B86
[28/8/2009 13:18] The file [\??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre\Uninstall calibre.lnk] contains a threat of type [Infected Entry: [uninstall.exe]] - Identity: 823A04CA9D73EA731FC5163F7865390017546B86
[28/8/2009 13:18] The file [\??\C:\Users\Public\Desktop\Call of Duty(R) 2 - Einzelspieler.lnk] contains a threat of type [Infected Entry: [uninstall.exe]] - Identity: 823A04CA9D73EA731FC5163F7865390017546B86
[28/8/2009 13:18] The file [\??\C:\Users\Public\Desktop\Call of Duty(R) 2 - Mehrspieler.lnk] contains a threat of type [Infected Entry: [uninstall.exe]] - Identity: 823A04CA9D73EA731FC5163F7865390017546B86

PrevxHelp
August 28th, 2009, 10:43 AM
I've fixed the FP; that could be caused by recent changes to the hard disk - had you just installed the "Calibre" program or made any significant changes to your disk layout?

PrevxHelp
August 28th, 2009, 10:44 AM
-{ Quote: "Not sure if this makes a difference, but when I scanned with Prevx I got the false positive and reported it as such. Then I just scanned with Hitman Pro and got the malware alert again. It does not show as a false positive anymore when I just use Prevx. But I thought that was because once I reported it as a false positive I got a message saying I wouldn't be warned about it anymore." }-

It will locally not show as a false positive within Prevx but it is not automatically changed across the community. I've corrected it now, however, so if you run another scan you should be clean :)

SvS
August 28th, 2009, 11:30 AM
-{ Quote: "I've fixed the FP; that could be caused by recent changes to the hard disk - had you just installed the "Calibre" program or made any significant changes to your disk layout?" }-
Calibre was updated immediately before or during a bootup scan (since it takes nearly 20 minutes to complete the scan it's hard to tell). Calibre is updated at least once a week and this is the first time PrevX detected it.
However Calibre is using InstallJammer which apparently builds or modifies the uninstall.exe at runtime, so this may have caught PrevX's attention.

acr1965
August 28th, 2009, 01:16 PM
-{ Quote: "It will locally not show as a false positive within Prevx but it is not automatically changed across the community. I've corrected it now, however, so if you run another scan you should be clean :)" }-

thanks

ace11
August 30th, 2009, 04:23 AM
I just got a message from Prevx saying kbda1.dll is to be cleaned - is that a FP?

PrevxHelp
August 30th, 2009, 10:40 AM
-{ Quote: "I just got a message from Prevx saying kbda1.dll is to be cleaned - is that a FP?" }-

Yes, I believe I've fixed it - can you try once more? :)

ace11
August 30th, 2009, 12:06 PM
It's OK now

thank you

enchant
August 30th, 2009, 05:05 PM
Earlier today, Prevx alerted me to an attack. After it attempted to clean out the infected files, it asked for a reboot. After the reboot, my system wouldn't come back up, and after quite a bit of debugging, I ultimately had to do a repair install of WinXP.

Once it came back up, Prevx insisted on rescanning my system. It found infections in these files in the directory C:\windows\system32\drivers\

ipfltdrv.sys
nwinkfwd.sys

It sent me through the regular routine of disconnecting from the net, etc. But each time it cleaned up, rebooted and rescanned, it found the same infected files. I did this four or five times.

Finally, I booted on a cleanly installed winxp drive. I copied those files to a thumb drive and then came back to my regular drive. Prevx was still complaining about those two files.

I ran a checksum on the "infected" files and the ones from the clean install, and they were identical.

Prevx seems to be in this infinite loop, and I don't know if there is an actual threat, or if it's a false positive.

And I can't find any way to stop Prevx.

PrevxHelp
August 30th, 2009, 05:27 PM
-{ Quote: "Earlier today, Prevx alerted me to an attack. After it attempted to clean out the infected files, it asked for a reboot. After the reboot, my system wouldn't come back up, and after quite a bit of debugging, I ultimately had to do a repair install of WinXP.

Once it came back up, Prevx insisted on rescanning my system. It found infections in these files in the directory C:\windows\system32\drivers\

ipfltdrv.sys
nwinkfwd.sys

It sent me through the regular routine of disconnecting from the net, etc. But each time it cleaned up, rebooted and rescanned, it found the same infected files. I did this four or five times.

Finally, I booted on a cleanly installed winxp drive. I copied those files to a thumb drive and then came back to my regular drive. Prevx was still complaining about those two files.

I ran a checksum on the "infected" files and the ones from the clean install, and they were identical.

Prevx seems to be in this infinite loop, and I don't know if there is an actual threat, or if it's a false positive.

And I can't find any way to stop Prevx." }-

Hello,
I'm very sorry for the confusion and issues here. Can you please save a scan log by clicking Tools - Save scan results and send this to us by emailing it to report@prevxresearch.com? Some rootkits can hide their data in such a way that checksumming/comparing the files will make them appear clean although they are not.

A scan log will allow us to diagnose the problem accurately, whether it is a cleanup issue or a false positive.

enchant
August 30th, 2009, 06:42 PM
Things have gone from bad to worse. I'm reinstalling Windows for the second time. I'm almost convinced that something might have infected Prevx. Once I get a stable system up again, I'll try to run Prevx and save the log you requested.

Thanks for replying!

Habakuck
August 31st, 2009, 02:47 AM
enchant, try to clean your MBR before reinstalling! Use the recovery console with /fixmbr to do so.

Directly after that you have to reinstall.

enchant
August 31st, 2009, 06:05 AM
-{ Quote: "enchant, try to clean your MBR before reinstalling! Use the recovery console with /fixmbr to do so.

Directly after that you have to reinstall." }-
Sorry, I'm afraid I don't understand any of that.

Ok, since my post at 5:05pm yesterday, here is the sequence of events:

While Prevx was complaining about those two files, I re-installed WinXP Service Pack 3. Once that was done, I hit "next" on Prevx and let it reboot and try to fix those two files.

When my system came back up, Prevx started scanning again. This time, it found 96 infections! At this point, I probably should have killed the prevx process from the task manager, or just hit the reset button or something, but I figured I'd continue with prevx one more time.

When my system tried to reboot, it wouldn't come up. It sat at the blue "Welcome" screen for about 15 minutes. Wouldn't even come up in safe mode.

I realized I'd have to reinstall windows again, but at this point, I was thinking that Prevx wasn't really my friend anymore. So I booted on another clean disk with my main disk mounted. I renamed c:\program files\prevx, then went through the process of reinstalling windows and SP3.

My machine seems to be stable now. I did a full scan using SuperAntiSpyware and it found nothing. I understand that sometimes Prevx find things that others miss. I'm just sayin'...

I'd be willing to re-enable Prevx, but I'd like to do it in such a way that when it finds all of the "infected" files, I have the option to tell it not to do anything. Then I could submit a log.

Is this possible?

Thanks again for the help.

PrevxHelp
August 31st, 2009, 06:27 AM
Hello,
I'm still concerned that your system is infected, possibly by a rootkit - it is not normal for this many detections to exist and all of them be completely incorrect :-\

Could you send a scan log by clicking Tools > Save Scan Results and email it to report@prevxresearch.com? We will analyze it there to see what the reason is for these detections.

I suspect Habakuck is correct in thinking it is an MBR rootkit - that can survive past operating system reinstallations and could be causing the infections you are seeing. Also, please ensure you're downloading Prevx from http://info.prevx.com/downloadcsi.asp. There have been some illegitimate copies of Prevx created in the past by malware authors looking to deface the Prevx name (and Trend Micro's name for that matter) by packaging malware with a look-alike Prevx.

enchant
August 31st, 2009, 06:32 AM
-{ Quote: "Hello,
I'm still concerned that your system is infected" }-
I share your concern.

-{ Quote: "Could you send a scan log by clicking Tools > Save Scan Results and email it to report@prevxresearch.com? We will analyze it there to see what the reason is for these detections." }-

I'd definitely like to do that. But is there a way for me to run Prevx with the option of not having it do anything? Re-installing Windows and the SP is kind of time consuming, and I'd prefer not to have to do it if I can avoid it.

-{ Quote: "Also, please ensure you're downloading Prevx from http://info.prevx.com/downloadcsi.asp. There have been some illegitimate copies of Prevx created in the past by malware authors looking to deface the Prevx name (and Trend Micro's name for that matter) by packaging malware with a look-alike Prevx." }-
That's definitely where I got it initially, and it's a registered copy. It pulled me out of a problem that other packages couldn't fix about a month ago. I just tried to PM you my license info, but it says that PMs are currently unavailable.

rolarocka
August 31st, 2009, 09:17 AM
FP with SARDU Multi Boot AV Rescue CD/USB (http://forum.nexthardware.com/sistemi-operativi-windows-e-software-generale/58889-shardana-antivirus-rescue-disk-utility-multiboot.html)

sardu.exe
[PX5: 4095E928E768CBBBAD8A063C5B425B00FF1729D5] Malware Group: Medium Risk Virus

I know it's a rare utility but very useful.

enchant
August 31st, 2009, 09:57 AM
Since no one is replying, should I assume that there is no way to run Prevx without it forcing you to comply with its cleaning suggestions?

PrevxHelp
August 31st, 2009, 10:53 AM
-{ Quote: "Since no one is replying, should I assume that there is no way to run Prevx without it forcing you to comply with its cleaning suggestions?" }-

Just do not click "Cleanup Now" - after the scan finishes, it will show you the list of files and then you can click "Status" again, then "Tools" and "Save Scan Results".

Let me know if you have any questions with this and I'll write a more detailed set of instructions for it.

PrevxHelp
August 31st, 2009, 10:59 AM
-{ Quote: "FP with SARDU Multi Boot AV Rescue CD/USB" }-

Fixed, thanks :) Indeed that is a very useful utility!

enchant
August 31st, 2009, 11:44 AM
-{ Quote: "Just do not click "Cleanup Now" - after the scan finishes, it will show you the list of files and then you can click "Status" again, then "Tools" and "Save Scan Results".

Let me know if you have any questions with this and I'll write a more detailed set of instructions for it." }-
Thanks. When I fired up Prevx, it had the previous set of found infections listed, so I saved those in a log. I then scanned again and saved THAT in another log and mailed the two of them to report@prevxresearch.com.

Thanks again for the help.

Edit: For what it's worth, I ran Malwarebytes and it found nothing.

PrevxHelp
August 31st, 2009, 11:48 AM
-{ Quote: "Thanks. When I fired up Prevx, it had the previous set of found infections listed, so I saved those in a log. I then scanned again and saved THAT in another log and mailed the two of them to report@prevxresearch.com.

Thanks again for the help.

Edit: For what it's worth, I ran Malwarebytes and it found nothing." }-

Hello,
Thank you for the log - it is quite odd as you probably expected. Prevx did remove a number of actual threats from your system but the log is full of Manually Added files - files which were added to cleanup by the user. Did you use the Tools > Manual File Cleanup function at all? I can't see any way that this would happen outside of manually using the Manual File Cleanup feature.

If you uninstall and reinstall Prevx 3.0 from the Add/Remove Programs control panel applet, you should return to a normal "Secure" status as all of the detections are marked as good in the database.

Please let me know if you somehow still get the detections and we'll investigate further. Quite a bizarre case, however :-\

-{ Quote: "[MM] c:\windows\system32\drivers\ip6fw.sys [PX5: 93047826004370A18F5A0004B987DC008A8F55C7] Malware Group: Manually Added
[MM] c:\windows\system32\drivers\drmkaud.sys [PX5: E77F06BC803B27C80BA600EB22B53D00B79BCD14] Malware Group: Manually Added
[MM] (ACTIVE) c:\windows\system32\drivers\aec.sys [PX5: E884BE24008C5EEB2D92028B46462900B520927C] Malware Group: Manually Added
[MM] c:\windows\system32\drivers\dmusic.sys [PX5: 64B493018066E6FACEE6008D21636D0042F7754A] Malware Group: Manually Added
[MM] c:\windows\system32\drivers\atmarpc.sys [PX5: C41A09F600246E0AEA81009B2DE4BF0010DB722C] Malware Group: Manually Added
[MM] c:\windows\system32\drivers\asyncmac.sys [PX5: 8BD45D2B002F3B40389D007E91CC5900FB93CEA1] Malware Group: Manually Added
[MM] c:\windows\system32\drivers\ipfltdrv.sys [PX5: E130718C809C039180F700DA0AC8EE00F2B31814] Malware Group: Manually Added
[MM] c:\windows\system32\drivers\mspclock.sys [PX5: E3D3244C00A7CE72157A001337247B008F8E8497] Malware Group: Manually Added
[MM] c:\windows\system32\drivers\mspqm.sys [PX5: E79874108063B1F513260078C414AC00D0AB678F] Malware Group: Manually Added
[MM] c:\windows\system32\drivers\swmidi.sys [PX5: 2892580B00DCE1F2DD42008A125D7D002F2F9BB3] Malware Group: Manually Added
[MM] c:\windows\system32\drivers\irenum.sys [PX5: EFF123FF009559F82C9800EF91504100B6FCDE09] Malware Group: Manually Added
[MM] c:\windows\system32\drivers\splitter.sys [PX5: 249A00638095166C184E008C6AC358001B15C957] Malware Group: Manually Added
[MM] c:\windows\system32\drivers\mskssrv.sys [PX5: 1206502B8070367E1DC0005B0E279D003A9EE63B] Malware Group: Manually Added
[MM] c:\windows\system32\drivers\nwlnkfwd.sys [PX5: B9B73139006979BB7FBC0031EA7E320032D237D0] Malware Group: Manually Added
..." }-

enchant
August 31st, 2009, 11:53 AM
-{ Quote: "Hello,
Thank you for the log - it is quite odd as you probably expected. Prevx did remove a number of actual threats from your system but the log is full of Manually Added files - files which were added to cleanup by the user. Did you use the Tools > Manual File Cleanup function at all? I can't see any way that this would happen outside of manually using the Manual File Cleanup feature." }-
I really believe that I didn't, but if nothing else explains it, I can't say that I've never ever clicked the wrong button in an application.

I'll uninstall/reinstall and report back. Thanks.

enchant
August 31st, 2009, 11:59 AM
I uninstalled/reinstalled, and as you predicted, the scans are now clean.

Thanks again for the help with this.

Page42
August 31st, 2009, 02:32 PM
-{ Quote: "Since no one is replying, should I assume that there is no way to run Prevx without it forcing you to comply with its cleaning suggestions?" }-
-{ Quote: "Just do not click "Cleanup Now" - after the scan finishes, it will show you the list of files and then you can click "Status" again, then "Tools" and "Save Scan Results"." }-
When reading the above exchange (my boldings), I realized that there may be confusion with some users as to whether the instruction (Cleanup Now) is directed at the user or at the program. In other words, is the program telling the user to clean up, or is the user being given the option to tell the program to clean up? Despite what the developer believes the instruction is doing, in actual use, it depends on the user's point of view, and there appears to be room for misinterpretation, which can lead to lots of trouble.

As I understand it, the "Cleanup Now" instruction in Prevx is not instructing the user to clean up now. It is not a "suggestion". It is a choice that the user may select which, if chosen, instructs the program what to do. However, an unknowing user might see "Cleanup Now" and think to himself, "I guess I'd better do what Prevx wants me to do".

Likewise, I think that the wording used in Prevx detection dialogs ("It is strongly recommended that you Remove these threats") could be softened. If I followed those instructions every time Prevx produced a false positive, I don't know what kind of a mess I would find myself in. :)

enchant
August 31st, 2009, 02:39 PM
In my case, it seemed similar to installing a piece of software. When doing a software installation, you get a series of dialog boxes, each with a few choices (e.g., back, next, cancel). Once you make your selection, you get the next dialog box in the sequence.

At the time, there appeared to be only two options - clean up, or scan again. Scan again simply brought me back to the box.

Somehow, it didn't occur to me that I could simply minimize Prevx and go about my business. It truly seemed that Prevx was in the middle of doing something, and it was waiting for final confirmation.

PrevxHelp
August 31st, 2009, 04:43 PM
-{ Quote: "When reading the above exchange (my boldings), I realized that there may be confusion with some users as to whether the instruction (Cleanup Now) is directed at the user or at the program. In other words, is the program telling the user to clean up, or is the user being given the option to tell the program to clean up? Despite what the developer believes the instruction is doing, in actual use, it depends on the user's point of view, and there appears to be room for misinterpretation, which can lead to lots of trouble." }-

I agree - this does indeed open up some confusion. "Cleanup Now" is a recommendation to the user, not a mandate (otherwise we would just automatically clean the files).

-{ Quote: "Likewise, I think that the wording used in Prevx detection dialogs ("It is strongly recommended that you Remove these threats") could be softened. If I followed those instructions every time Prevx produced a false positive, I don't know what kind of a mess I would find myself in. :)" }-

Most of the FPs you've personally encountered have been heightened-heuristic-induced false positives and we agree that we should lighten up this text when the detection is the result of a high level of heuristics.

Page42
August 31st, 2009, 06:04 PM
-{ Quote: "Most of the FPs you've personally encountered have been heightened-heuristic-induced false positives" }-
Without a doubt (and I should have stressed this)... nearly all FPs I've had were due to maxed-out heuristics. :)

trjam
August 31st, 2009, 08:05 PM
-{ Quote: "Without a doubt (and I should have stressed this)... nearly all FPs I've had were due to maxed-out heuristics. :)" }-

Page, with all the level-headedness you demonstrated through this thread, you get my vote for a license for a year. :)

Threedog
August 31st, 2009, 08:50 PM
-{ Quote: "Without a doubt (and I should have stressed this)... nearly all FPs I've had were due to maxed-out heuristics. :)" }-

I am guilty of the same offence, Page.

mhob
September 1st, 2009, 04:13 PM
CMDRTR64.DLL

This file is being reported as cloaked malware. As far as I know, it is part of my sound card driver package install from Creative for my X-Fi sound card. I just did an update and rebooted, and this file is now reported. In the file properties, it says it is copyright Creative Technology.

trjam
September 1st, 2009, 04:21 PM
-{ Quote: "CMDRTR64.DLL

This file is being reported as cloaked malware. As far as I know, it is part of my sound card driver package install from Creative for my X-Fi sound card. I just did an update and rebooted, and this file is now reported. In the file properties, it says it is copyright Creative Technology." }-
I am really biting my lip on this, but how does it happen? I know vendors have explained, but their approach is not working.

trjam
September 1st, 2009, 04:37 PM
Sorry, I am finished dealing with products like this. I just ran a full scan on a totally clean shot and this is what I get:


Heuristics Settings: Age: 2, Pop: 2, Heu: 3 (Dir: 1)
Last Scan: Tue 2009-09-01 16:27:07 Eastern Daylight Time. Number of Scans: 4. Last Scan Duration: 33 minutes 41 seconds.

Previously Detected Files:
[B] c:\windows\winsxs\amd64_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.20777_none_867317cf39b013d2\iebrshim.dll [64] [PX5: DAF1ECB500CCAA3C380802F5FA77E200095EE9A8] Malware Group: Medium Risk Malware


Prevx 3.0 v3.0.1.65 Cleanup Log for 1/9/2009 16:31
(0) Remove File: \DosDevices\c:\windows\winsxs\amd64_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.20777_none_867317cf39b013d2\iebrshim.dll

Cleanup Complete

This is an FP, and I have had it with FPs, especially with this product. iebrshim.dll is part of Vista and safe, and deleting it can do big damage. But it won't, because I am finished listening to how FPs are not a real threat with Prevx. They are, you know it, and I wish you well. You are a good person, but your constant denial of this issue will be brought out in time.

microbial
September 1st, 2009, 05:12 PM
I have to agree with trjam. The very fact that there is a thread specifically devoted to Prevx users self-reporting FPs indicates a problem...

trjam
September 1st, 2009, 05:15 PM
Well, Joe is here and I am sure typing, and this is not to say that Prevx does not have a long-range plan for it that may very well work. But quit telling me there isn't a frigging issue when there is. Just be honest. There is nothing wrong with cranking the heuristics up. I remember those specific words from Stefan when commenting on Avira's FPs. He was honest about it. It doesn't matter, I am just one user, Prevx will do well and life goes on.

trjam
September 1st, 2009, 05:18 PM
One last thought: how can something that says they use cloud scanning have such an issue? If anything you would think it would be the other way around. Prevx is an AV, plain and simple.

PrevxHelp
September 1st, 2009, 05:21 PM
The iebrshim.dll FP was caused by one of our researchers manually determining it as bad - the file hooks the browser which is probably what caused our researcher to think it was malicious.

-{ Quote: "One last thought: how can something that says they use cloud scanning have such an issue? If anything you would think it would be the other way around. Prevx is an AV, plain and simple." }-

Cloud AVs are just like normal AVs - newly created rules/signatures affect every other file. I would like you to look at any other AV which also produces FPs (so any AV). Just because a file is not detected one day does not mean it will not be detected the next day - look at every AV product: they, at one point, all say that a file is clean, then after updating signatures you will see that the file is detected - the same works in the inverse for false positives. Every changed detection affects every other detection in Prevx and in every other AV.

trjam
September 1st, 2009, 05:25 PM
I disagree, with respect. Look here (http://virusinfo.info/index.php?page=testseng) and forget about the validity of the tests, but look at the yellow for suspicious; that is how, to me, cloud scanning works. On their site it says: "c) detection of suspicious file (detecting yet unknown malware by the method of informing the user about suspicious characteristics of a sample under analysis. Examples: "Suspicious file"; "VIPRE: Suspicious")

That is real cloud scanning and who is using it, not red.

trjam
September 1st, 2009, 05:29 PM
From the Vipre site, seems to match those calculations, or how they are calculated.

NEW - MX-Virtualization™ analyzes malware in real-time, in a secured memory "lock box" that emulates Windows. MX-V fools the malware into thinking it has taken over your PC. MX-V allows VIPRE to observe how the malware behaves and kill it before it can harm your PC. MX-V technology is the safest way to protect against zero-day threats.
IMPROVED - VIPRE's Genscan™ and Cobra™ heuristics use super efficient dynamic pattern assessment to determine if something is malware.

And we already know how Artemis works. Prevx just pops it, plain and simple.

trjam
September 1st, 2009, 05:31 PM
And boy, I may just owe IC a very big apology. :blink:

PrevxHelp
September 1st, 2009, 05:35 PM
-{ Quote: "That is real cloud scanning and who is using it, not red." }-

::) If you could please check the signature database size of Prevx and note that it is 0, you'll be able to see that we are a cloud AV :) Our VirusTotal scanner has none of the behavioral analysis pieces, file infector detection, exploit detection, or any of the more in-depth analysis components, which is why we don't have yellow bars and why those tests are completely and unequivocally irrelevant.

PrevxHelp
September 1st, 2009, 05:36 PM
-{ Quote: "From the Vipre site, seems to match those calculations, or how they are calculated.

NEW - MX-Virtualization™ analyzes malware in real-time, in a secured memory "lock box" that emulates Windows. MX-V fools the malware into thinking it has taken over your PC. MX-V allows VIPRE to observe how the malware behaves and kill it before it can harm your PC. MX-V technology is the safest way to protect against zero-day threats.
IMPROVED - VIPRE's Genscan™ and Cobra™ heuristics use super efficient dynamic pattern assessment to determine if something is malware." }-

Vipre is actually the complete opposite of cloud analysis - all of the analysis takes place on the user's PC.

-{ Quote: "And we already know how Artemis works." }-

Yes, by sending simple 1-to-1 checksums to the cloud, something we moved away from years ago as it is ineffective (to say the least).

trjam
September 1st, 2009, 05:40 PM
Well, we both have better things to do, so I guess this boils down to "Time will tell."

PrevxHelp
September 1st, 2009, 05:48 PM
Hello all,
We've done some reassessing of the usefulness of this thread and have determined that it really does not bring any benefit to our users. Virtually all of the FPs reported here just result in one of us requesting a scan log, making the post here just an unnecessary hurdle.

We have an email address set up for false positive/missed detections which will be much easier to manage and report to: report@prevxresearch.com. If you could follow the instructions in this post: http://www.wilderssecurity.com/showthread.php?t=245129 that will allow us to get at your log file as quickly as possible.

Alternatively, you can write into our customer support inbox to report a misdetection directly, or you can right click on the file in the product and select "Report as a false positive". The latter approach will not result in a human response but it will allow you to immediately remove detection on your local system.

You can also send one of us a PM but that isn't as optimal as sending an email as it is then limited to only the Wilders support staff to analyze it, while an email submission can be viewed by any of our researchers.

For now, I'm going to close this thread. Feel free to continue any discussions outside in another thread within our forum, or contact us by PM/email/inbox and we will be happy to discuss anything further.