PrevX Missing Detection


dlimanov
June 16th, 2009, 12:57 PM
We are testing an Enterprise version of PrevX and have been busy putting it to the test. Results, sadly, are disappointing. Out of 5 test machines, two were successfully infected and remained infected until a remote session from PrevX support was established and the infections were removed manually.
The failure remains the inability (or unwillingness) of the PrevX behavior detection engine to identify malicious behavior, and this has been discussed in other threads by myself and others. PrevX is marketed as an advanced behavioral detection engine, but so far it has failed to detect the most trivial malicious behavior we observed in our tests.
Consider the following (REAL) scenario:
- file downloaded and executed; it's a true 0-day, PrevX has no signature for it and lets it run.
- file registers itself in all Autorun locations
- file integrates into the Windows shell
- file installs a BHO in IE and makes a host of other changes, like modifying IE security settings, changing the search page and installing its own rogue proxy
- file installs its own versions in System Restore and other Windows locations to prevent easy removal and detection
- its dependencies execute on each boot and download existing and new versions from hosts in China
None of the above is detected by the PrevX behavior-based detection engine. PrevX detects that some of the files being pulled from Chinese web servers are malware and blocks them, and it caught the initial install EXE after it was submitted to PrevX, but upon every reboot the system gets infected again and again. PrevX scans and bluescreens it on every startup as it can't clean all infections in real time, but the behavioral engine -- the core component that should've prevented this in the first place! -- is silently allowing the system to get reinfected on every consecutive boot.
I was very excited about PrevX at first, especially after 175+ pages of nothing but praise here on WS. We were looking for an enterprise solution that had an intelligent behavioral detection engine, and it looked like PrevX would fit the bill, despite minor bugs and the overall "beta-like" feel of the enterprise console. However, our tests showed that unless there's a way to tune the behavior detection engine settings to suit our needs, PrevX is nothing but a lightweight cloud-based antivirus.
I'm really hoping PrevX would reconsider their "fits all" approach and give its customers the ability to decide what's best for them, versus "protecting them from themselves", because as it stands right now I see no use for PrevX in our enterprise.

dlimanov
June 16th, 2009, 02:34 PM
Here's a screen of bad things executing on a VM in question:
http://i41.tinypic.com/2illzs0.png

Here's a post-execution scan with MBAM and PrevX:
http://i42.tinypic.com/2j0cz82.png

PrevxHelp
June 16th, 2009, 02:39 PM
Hello,
As I've said before, there is no perfect solution and behavior monitoring is really not the solution you're looking for. It is very trivial to block "point" behaviors, such as all changes to the HOSTS file, etc. which you have described, but that doesn't actually add any security which can be used by the average user. It would honestly be a matter of a few easy days of work to get it implemented, but we have had virtually no demand for it and we do not want to go back down the route of making our software overly complex.

An Enterprise should lock down all software installations regardless of the behavior of the program. In an Enterprise, you really should either be using limited user accounts or whitelisting or ideally - both. We offer this functionality and our Enterprise customers use the whitelisting-based approaches rather than trying to lock down specific behaviors. Regardless of the "techie" level of the Enterprise IT manager, they will not let users install arbitrary programs into their network - it simply is a bad idea for any corporation and opens everything wide up for problems.

{QUOTE-> We are testing an Enterprise version of PrevX and have been busy putting it to the test. Results, sadly, are disappointing. Out of 5 test machines, two were successfully infected and remained infected until a remote session from PrevX support was established and the infections were removed manually. <-QUOTE}

We don't claim to be 100% effective and I suspect you could take any AV and perform the same tests and see identical results. Behavior blocking may have improved the protection marginally, but at what cost? Users would be prompted with dozens of prompts every day for legitimate software - it is a much better idea to just block any software from installing in this case.

{QUOTE-> PrevX scans and bluescreens it on every startup as it can't clean all infections in real time <-QUOTE}

None of our users have reported similar issues, but if you could please let us know the details of the BSODs and minidumps if available, we could help diagnose the problem. However, I suspect that the crashes are due to the malware on the system and not Prevx itself.

dlimanov
June 16th, 2009, 03:06 PM
Joe,
You make valid points and I agree with what you're saying; however, in my test I have five machines that I tested PrevX against, and three of them are infected to some degree. As you can see from the screenshot, PrevX is not detecting everything using the signature-based method (MBAM seems to be doing a better job there) and behavior-based detection is not catching it either pre- or post-execution. This is not a good score in my book for a product that claims to protect against 0-day and behavior-based attacks.
I also agree on having users log in as underprivileged users, but this is not an option in my case. If PrevX can only provide adequate protection when operating in conjunction with that, I am definitely wasting my time, as I'm not in a position to change the way this enterprise operates.
I am honestly not clear why you are so against making adjustments to behavior-based detection available (at least in the Enterprise version), the way it seems to have been in v2. If there are no plans to make it a viable option in the future, please let me know as soon as possible and I will stop wasting everyone's time. I'm not here to bash PrevX or stir up unnecessary emotions.

PrevxHelp
June 16th, 2009, 03:23 PM
{QUOTE-> As you can see from the screenshot, PrevX is not detecting everything using signature-based method (MBAM seems to be doing a better job there) and behavior-based detection is not catching it either pre or post-execution. <-QUOTE}

This is just because nothing is perfect. Can you send a scan log from the infected machines to report@prevxresearch.com so that we can add protection for this new rogue?

Anyone can take any AV and find thousands of threats which bypass it in a matter of hours, so I'm not sure your test proves anything new except the fact that nothing is perfect.

{QUOTE->
I am honestly not clear why you are so against making adjustments to behavior-based detection available (at least in the Enterprise version), the way it seems to have been in v2. If there are no plans to make it a viable option in the future, please let me know as soon as possible and I will stop wasting everyone's time. I'm not here to bash PrevX or stir up unnecessary emotions. <-QUOTE}

It's not that we are against making the changes; it's just that there is virtually zero demand for it. We offered a free upgrade to users from Prevx 2.0 to 3.0 and nearly everyone had converted over within the first two weeks, including our Enterprise users. The average user does not understand behavior blocking and we are developing software for the 99+% of the population rather than the < 1%.

The additional "techie" controls which we will be adding in a future version will include the ability to see a report of the behavior of a file but I do not see us opening up the controls to the point where a user can block a specific action like "modifying x file/x registry entry" as this defeats the purpose of using a security application for most users - you may as well open up a debugger and set a breakpoint on various system calls like RegSetValueExW and WriteFile to get the highest level of control :)

dlimanov
June 16th, 2009, 04:07 PM
Understood. Thanks for your help, Joe, I must say that PrevX support has been nothing but amazing so far! :thumb:
Unfortunately, I don't see us being able to use the product in its current form in our enterprise. I will definitely keep a close eye on it in case situation on either end changes.

Retadpuss
June 16th, 2009, 04:34 PM
I have found Prevx sometimes misses rogues and often lets them install and run without detection. Sometimes Prevx will detect the active rogue if a system scan is run.

To cover this weakness, I have found Zemana Antilogger to be good. Zemana has picked up on everything Prevx has missed - and yet it is not as annoying / noisy as most HIPS in that it only ever seems to alert on REAL malware or risky behaviour.

I realise running Zemana with Prevx probably won't be the solution you are after - but it may well be of value to home users.

Puss

LagerX
June 16th, 2009, 04:37 PM
I'm just thinking of which malware you used? I mean, in an enterprise, who will browse to those sites anyway? There is a small chance that someone will. I mean, if Prevx fails on these rogues (and some other malware), is it a total failure? I think not. But to be honest, I prefer Prevx to detect them ;)
Sometimes there is a small lag between the user and Prevx's server. You may wait 10 minutes and rescan; maybe some new malware will be detected.
I think you may be more worried about email viruses or so.
I'm not defending Prevx, but I am just thinking about your test :P

Retadpuss
June 16th, 2009, 05:14 PM
{QUOTE-> I'm just thinking of which malware you used? I mean, in an enterprise, who will browse to those sites anyway? There is a small chance that someone will. I mean, if Prevx fails on these rogues (and some other malware), is it a total failure? I think not. But to be honest, I prefer Prevx to detect them ;)
Sometimes there is a small lag between the user and Prevx's server. You may wait 10 minutes and rescan; maybe some new malware will be detected.
I think you may be more worried about email viruses or so.
I'm not defending Prevx, but I am just thinking about your test :P <-QUOTE}

I just went to a well known site which lists the domains of these malware and rogues etc and managed to find three which Prevx misses (it found two of the five) - I just downloaded them in date order.

It's easy to read more than you should into Prevx missing things (well, possibly!) as Prevx is probably going to catch most of what is in circulation - by which I mean what has been seen in the Prevx community (5 million I believe) - so any significant threats out there will be countered. This said, however, I think Prevx should be able to catch these rogues etc (even if not seen in the community) as everyone knows where to find them and it wouldn't take much to employ some bored teenager and get them to gather all the new rogues from these well known sites.

Don't get me wrong - I have tested Prevx several times and it is one of the best three in detecting new malware - but as I say, it should be able to detect some of the stuff it misses - even if it has not been seen by the community - as there is always a first time - and as the thread starter has shown, the behavioural analysis can't be counted on to catch all the rogues.

Puss

dlimanov
June 16th, 2009, 05:39 PM
Gentlemen,
My concern was not that PrevX misses detection per se; Joe is absolutely correct in saying that no one detects 100% of everything. For some reason I was under the assumption that PrevX's behavior-based detection was superior to those already on the market, and this is where I concentrated in my tests. Unfortunately, I was not happy with the results and am currently researching other options for what we're trying to achieve.
I don't want this thread to become PrevX bashing central; this was not my initial purpose nor my current intent. PrevX is a good product for its own niche; it just doesn't fit ours.

Retadpuss
June 16th, 2009, 05:59 PM
{QUOTE-> Gentlemen,
My concern was not that PrevX misses detection per se; Joe is absolutely correct in saying that no one detects 100% of everything. For some reason I was under the assumption that PrevX's behavior-based detection was superior to those already on the market, and this is where I concentrated in my tests. Unfortunately, I was not happy with the results and am currently researching other options for what we're trying to achieve.
I don't want this thread to become PrevX bashing central; this was not my initial purpose nor my current intent. PrevX is a good product for its own niche; it just doesn't fit ours. <-QUOTE}

Trust me, I'm not bashing Prevx, I think it's top notch and I understand nothing catches 100%

Cudni
June 16th, 2009, 07:05 PM
{QUOTE-> I just went to a well known site which lists the domains of these malware and rogues etc and managed to find three which Prevx misses (it found two of the five) - I just downloaded them in date order.
<-QUOTE}
and those 3 that were missed were detected, under what name, and removed using what software?

Retadpuss
June 16th, 2009, 07:44 PM
{QUOTE-> and those 3 that were missed were detected, under what name, and removed using what software? <-QUOTE}

They were detected and removed using A2.

One of them was detected and removed by hitman

All were detected and removed by Avira

All were detected and removed by F-Secure

Cudni
June 16th, 2009, 07:48 PM
thanks, and the malware name(s)?

Retadpuss
June 16th, 2009, 07:56 PM
{QUOTE-> thanks, and the malware name(s)? <-QUOTE}
Rather than waste my time, have a look here and see for yourself:

~Link removed. No links to malware in the forums.~

Puss

Cudni
June 16th, 2009, 08:05 PM
{QUOTE-> Rather than waste my time, have a look here and see for yourself:
<-QUOTE}
i wouldn't want you to waste time. i was curious what malware was missed by Prevx but detected by others as in the name the others gave to the malware.

dlimanov
June 16th, 2009, 10:46 PM
I've got a few PMs with questions and suggestions. It looks like what we need is something along the lines of ThreatFire and Mamutu. Unfortunately, neither product is available as an enterprise solution, which is too bad, because I had excellent results with A2 at home. So the search continues..

Habakuck
June 17th, 2009, 12:37 AM
Thx for the test dlimanov.

Did you run the test out of the box?

What about the highest heuristic settings? I am very interested in how PrevX is preventing against unknown malware if the settings are at maximum...

TonyW
June 17th, 2009, 10:24 AM
{QUOTE-> My concern was not that PrevX misses detection per se, Joe is absolutely correct in saying that no one detects 100% of everything. For some reason I was under assumption that PrevX'es behavior-based detection was superior to those already currently on the market <-QUOTE}It can work the other way too. One program PrevX detects that you highlighted in a previous post - adwareprofessional.exe - is still not recognised by a number of AVs. Strangely enough though, this program isn't picked up by Hitman Pro, which also uses PrevX so I'm a bit confused as to why that is.

PrevxHelp
June 17th, 2009, 10:50 AM
{QUOTE-> It can work the other way too. One program PrevX detects that you highlighted in a previous post - adwareprofessional.exe - is still not recognised by a number of AVs. Strangely enough though, this program isn't picked up by Hitman Pro, which also uses PrevX so I'm a bit confused as to why that is. <-QUOTE}

Hitman Pro uses a very old version of our engine and scans files in a different manner which most likely explains why they miss it.

TonyW
June 17th, 2009, 10:54 AM
{QUOTE-> Hitman Pro uses a very old version of our engine and scans files in a different manner which most likely explains why they miss it. <-QUOTE}Thanks for the explanation. :)

G1111
June 17th, 2009, 04:44 PM
{QUOTE-> I've got few PMs with questions and suggestions. It looks like what we need is something along the lines of ThreatFire and Mamutu. Unfortunately, neither product is available as an enterpise solution, which is too bad, because I had excellent results with A2 at home. So the search continues.. <-QUOTE}

Have you considered a HIPS type program like Malware Defender or DefenseWall along with Prevx?

333halfevil
June 17th, 2009, 07:39 PM
I think it was mentioned before, but what were the heuristics set to? There is a big leap from default to high ;)

Also, of course no program detects it all and that is why you need layers to protect your enterprise. You could have Prevx all alone in a working environment with an enforced strict policy + url filtering. Prevx would catch the stuff that gets through, which is what it is there for.

I am not being biased towards your test, rather pointing out how in a business environment Prevx is very well suited. Not to mention a home environment...but with that said I wouldn't use Prevx alone. Prevx is well worth the purchase if you want that added protection or even standalone protection if you aren't a risky surfer ;)

SystemJunkie
June 17th, 2009, 07:41 PM
{QUOTE->
We are testing an Enterprise version of PrevX and have been busy putting it to test. Results, sadly, are disappointing. Out of 5 test machines, two were succesfully infected and continued to remain infected <-QUOTE}
You set your time or money on the wrong horse. ;D ;D ;D I am sure.

It isn't worth a penny, sorry for my harshness, but that's my opinion.
The hard truth about it is that approx 30-50% of its alarms are FPs; the true dangers
remain undetected by this unimportant tool.

ronjor
June 17th, 2009, 08:49 PM
As stated in the introduction (http://www.wilderssecurity.com/showpost.php?p=1484330&postcount=1) of Prevx to the Forums:{QUOTE-> Prevx is a top notch and light weight behavior based anti-malware product that is a great complement to most any security setup. Prevx can be added along side an existing anti-virus product to provide a great layered approach to computing security. <-QUOTE}In this context, it is a very useful program.

Triple Helix
June 17th, 2009, 08:58 PM
{QUOTE-> As stated in the introduction (http://www.wilderssecurity.com/showpost.php?p=1484330&postcount=1) of Prevx to the Forums:In this context, it is a very useful program. <-QUOTE}

Thanks Ron, I couldn't have said it better myself!

Cheers,

TH

dlimanov
June 17th, 2009, 10:59 PM
@G1111: I am researching other products right now, and will definitely include Malware Defender in my tests.

@333halfevil: With the enterprise version of Prevx, heuristics settings are set automatically for you and cannot be changed, or so I was told by support. Without a little registry hack, you don't even see the regular Prevx GUI when agents are deployed. We were considering using Prevx alongside Symantec SEP for behavior-based detection of unknown and 0-day threats; SEP does a fairly good job at signature-based detection.

Currently, I am testing the newest A-squared Anti-Malware and F-secure Client Security. The first product is not a true enterprise solution, but I just wanted to get a feel for it as it combines signature-based detection as well as a cloud/community option and behavior-blocking via Mamutu. F-secure I haven't touched yet, but they claim to have the fastest cloud-based detection and a powerful behavior-based engine with DeepGuard 2.0. Unfortunately, even if F-secure is as good as they say they are, it's overkill for us as we have a traditional virus scanner in place already.
Stay tuned, I will keep this thread updated, if Joe and other moderators don't mind, of course.

PrevxHelp
June 17th, 2009, 11:10 PM
{QUOTE-> Stay tuned, I will keep this thread updated, if Joe and other moderators don't mind, of course. <-QUOTE}

Not a problem at all :)

huangker
June 18th, 2009, 03:37 AM
{QUOTE-> @G1111: I am researching other products right now, and will definitely include Malware Defender in my tests.
<-QUOTE}

You can try all the classical behavior blockers that look at point behaviors (as in single behaviors like adding entries to startup), but you will have to either give users control as to what to block or have a predefined policy. If you have a predefined policy, unless you really finely tune your rules, things are bound to screw up and your support staff are going to have a hell of a time. If you let users decide, you may just as well not have it (because users are lazy, generally don't give a damn and will click allow). These products DO NOT work in a corporate environment.

{QUOTE-> Currently, I am testing newest A-squared Anti-Malware and F-secure Client Security. First product is not a true enterprise solution but I just wanted to get a feel for it as it combines signature-based detection as well as cloud/community option and behavior-blocking via Mamutu. F-secure I haven't touched yet, but they claim to have the fastest cloud-based detection and a powerful behavior-based engine with DeepGuard 2.0. Unfortunately, even if F-secure is as good as they say they are, it's an overkill for us as we have a traditional virus scanner in place already.
Stay tuned, I will keep this thread updated, if Joe and other moderators don't mind, of course. <-QUOTE}

And the results are going to be almost exactly the same as any other blacklist scanner with Prevx. Or if they are different, I suggest it will be because of you not having a statistically large enough sample rather than either of the two solutions being inherently better than the other.

The Prevx moderators here may be too polite to tell you this (or they are quietly confident that you will find this out in due time), but putting it bluntly, your quest with behavior blockers will be in vain. Classic behavior blockers just don't work in a corporate environment. Smart behavior blockers will be more or less the same.

If you are looking for that close to 100% assurance in a corporate environment, I'd suggest to you that you 1) Have a robust patching cycle such that you have NO vulnerable software on computers (or at least minimize the window for when they are vulnerable). Secunia has a program called NSI which can be extremely useful for this. 2) Whitelist exes using Anti-Executable or a similar program. 3) Blacklist websites using either your inbuilt capability at the gateway level or through a service like OpenDNS. Kill social networking sites, common free email providers (gmail, live mail, yahoo mail), porn and warez sites etc. Seems draconian but that's the only way you can really get that level of assurance you seem to expect. Otherwise, lower your expectations with blacklisting + behavior blocking + 'cloud technology' and what not.

EDIT: Also have strict policies in place such that work computers can only be used for work, and educate users not to do stupid things like opening attachments from people they don't know, clicking on "you may have a virus" banners etc.

dlimanov
June 18th, 2009, 11:49 AM
@huangker: Thank you for your input. With the exception of restricting user logon to an unprivileged user, we have all of the items you mentioned, plus some. I disagree that behavioral detection doesn't work in the enterprise, however. Is it time-consuming to implement and fine-tune? Absolutely! But we are using Cisco Security Agent, a true behavior-based HIPS, on all mission-critical servers, and it works like a champ, protecting systems that are in the DMZ against unknown attacks and doing a fine job at that, I might add.
To give you a good idea of what I'm trying to achieve, here's a scenario:
- User clicks on a link or visits a malicious website; the address is checked against known malicious hosts in the cloud (or local or central server) and an alert is generated/presented to the user, asking if he wants to continue;
- User decides to continue, downloads the malicious file and executes it. The file is checked against signatures in the cloud (or local or central server, doesn't matter at this point) and if a signature is available, the file is blocked/quarantined and the user is notified of the action.
- If a signature is not available and this is a true 0-day or a modified existing threat (like the millions of Conficker variants), this is where it gets interesting. The behavior engine kicks in and analyzes the ENTIRE scope of the process execution that has occurred thus far: i.e., download from a potentially malicious site, lack of signature and some general file header or other specific file information, like how it was packed, formed, etc. The file is then "sandboxed" and allowed to execute, so its actions can be monitored and analyzed further, with emphasis on virus-like behavior. The resulting combination of the pre- and post-sandbox behavior is checked against the cloud OR a centrally-defined policy and appropriate action is taken and/or the user is notified and given an option to execute or block/quarantine the file.

Now many would argue that this could break legitimate processes that fall under some of the categories of actions that we'll be looking for, and this argument is 100% correct. For this, an initial scan for infections is performed immediately after installation to make sure the machine is clean, and then a learning period takes place, where the program learns the "normal" behavior of the machine and builds appropriate rules automatically. Additionally, certain "allow" rules should be pre-built, for WindowsUpdate or SMS, for example, to make the admin's life easier.

Scenario above is the "perfect world" example of what should happen, IMO. Various vendors have various levels and pieces of what I described above. FWIW, this is merely food for thought scenario to better illustrate my point and keep discussion going.
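The staged pipeline sketched in the post above, written out as an added example that is not part of the original thread and is not code from Prevx or any other product named here. A local host block list and a SHA-256 set stand in for the cloud lookups, the sandbox trace is a constructed list of the point behaviours listed at the top of the thread (autorun registration, shell integration, BHO install, IE settings, proxy, System Restore tampering, outbound downloads), pre-built allow rules and a baseline learned during a clean period remove expected behaviour, and the combined score maps to block / prompt / allow. Every host name, hash, image name, weight, threshold and trace is an assumption made up for the example.

```python
"""Staged verdict pipeline for a downloaded executable (added example, not Prevx code).

Stage 1: host reputation (a local block list stands in for the cloud lookup).
Stage 2: SHA-256 signature lookup (a local set stands in for the cloud file database).
Stage 3: behaviour scoring over a sandbox event trace, after subtracting
         pre-built allow rules and a baseline learned during a clean period.
Every host, hash, weight, threshold and trace below is constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field

BLOCKED_HOSTS = {"bad.example.net"}                                      # constructed feed
KNOWN_BAD_SHA256 = {hashlib.sha256(b"known-rogue-sample").hexdigest()}  # constructed

# Point behaviours from the thread, weighted. No single hit decides anything;
# the policy scores the combination.
BEHAVIOUR_WEIGHTS = {
    "autorun_registered": 2,
    "shell_integration": 2,
    "bho_installed": 3,
    "ie_security_lowered": 3,
    "proxy_changed": 3,
    "system_restore_tampered": 4,
    "outbound_download": 1,
    "file_written": 0,
}
# Pre-built allow rules keyed by image name (assumed names for the Windows Update / SMS agents).
ALLOW_RULES = {
    "wuauclt.exe": {"outbound_download", "file_written", "autorun_registered"},
    "ccmexec.exe": {"outbound_download", "file_written"},
}
FLAGGED_HOST_CONTEXT = 2   # pre-execution context: the download came from a flagged host
BLOCK_THRESHOLD = 6        # a score at or above this is blocked without asking


@dataclass
class Sample:
    image: str          # process image name
    content: bytes      # file bytes (hashed for stage 2)
    source_host: str    # host the file was downloaded from
    events: list        # behaviour names observed in the sandbox


@dataclass
class Verdict:
    action: str         # "block", "prompt" or "allow"
    stage: str          # which stage produced the verdict
    score: int = 0
    reasons: list = field(default_factory=list)


def learned_baseline(traces):
    """Learning period: behaviours an image showed on the clean machine become allowed for it."""
    baseline = {}
    for image, events in traces:
        baseline.setdefault(image, set()).update(events)
    return baseline


def evaluate(sample, baseline):
    reasons, context = [], 0
    # Stage 1: host reputation. The user may choose to continue, so this only adds context.
    if sample.source_host in BLOCKED_HOSTS:
        context += FLAGGED_HOST_CONTEXT
        reasons.append(f"downloaded from flagged host {sample.source_host}")
    # Stage 2: signature lookup. A match is terminal.
    digest = hashlib.sha256(sample.content).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return Verdict("block", "signature", reasons=reasons + [f"sha256 {digest[:12]} is known bad"])
    # Stage 3: sandbox trace scored after removing behaviour expected for this image.
    allowed = ALLOW_RULES.get(sample.image, set()) | baseline.get(sample.image, set())
    hits = [e for e in sample.events if e not in allowed]
    score = context + sum(BEHAVIOUR_WEIGHTS.get(e, 1) for e in hits)
    reasons += [f"unexpected behaviour: {e}" for e in hits]
    if score >= BLOCK_THRESHOLD:
        return Verdict("block", "behaviour", score, reasons)
    if score > 0:
        # No signature and only weak evidence: surface it and let the user/admin policy decide.
        return Verdict("prompt", "behaviour", score, reasons)
    return Verdict("allow", "behaviour", 0, reasons)


# Constructed baseline traces from the learning period and four constructed samples.
BASELINE_TRACES = [
    ("wuauclt.exe", ["outbound_download", "file_written"]),
    ("explorer.exe", ["shell_integration"]),
]
BASELINE = learned_baseline(BASELINE_TRACES)

ROGUE = Sample("setup.exe", b"zero-day-sample", "bad.example.net", [
    "autorun_registered", "shell_integration", "bho_installed", "ie_security_lowered",
    "proxy_changed", "system_restore_tampered", "outbound_download",
])
KNOWN = Sample("installer.exe", b"known-rogue-sample", "files.example.com", ["autorun_registered"])
UPDATER = Sample("wuauclt.exe", b"update-payload", "download.example.com",
                 ["outbound_download", "file_written", "autorun_registered"])
GREY = Sample("tool.exe", b"unknown-tool", "files.example.com", ["file_written", "autorun_registered"])

if __name__ == "__main__":
    for s in (ROGUE, KNOWN, UPDATER, GREY):
        v = evaluate(s, BASELINE)
        print(f"{s.image:14} {v.action:6} stage={v.stage:9} score={v.score:2}  {'; '.join(v.reasons)}")
```

The design choice worth noting is that a single point behaviour never produces a verdict on its own: the updater sample performs an autorun registration and an outbound download and is allowed because those are expected for its image, while the unknown tool that does the same thing is surfaced as a prompt rather than blocked, and only the full combination seen in the first post (plus the flagged download host as pre-execution context) crosses the block threshold. Moving the threshold, the weights or the allow rules is exactly the centrally-defined policy the post asks for.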

Habakuck
June 18th, 2009, 12:07 PM
@dlimanov:

I think Kaspersky running interactive will fulfil all your needs...

And it will provide another layer of security to the internet user: The sandbox!

PrevxHelp
June 18th, 2009, 12:16 PM
{QUOTE->
- If a signature is not available and this is a true 0-day or a modified existing threat (like the millions of Conficker variants), this is where it gets interesting. The behavior engine kicks in and analyzes the ENTIRE scope of the process execution that has occurred thus far: i.e., download from a potentially malicious site, lack of signature and some general file header or other specific file information, like how it was packed, formed, etc. The file is then "sandboxed" and allowed to execute, so its actions can be monitored and analyzed further, with emphasis on virus-like behavior. The resulting combination of the pre- and post-sandbox behavior is checked against the cloud OR a centrally-defined policy and appropriate action is taken and/or the user is notified and given an option to execute or block/quarantine the file. <-QUOTE}

Besides the ability to support a "centrally defined policy", this is exactly what we do and I'm unaware of any enterprise vendor which does offer the ability for an admin to make a complex policy like this.

dlimanov
June 18th, 2009, 12:41 PM
{QUOTE-> Besides the ability to support a "centrally defined policy", this is exactly what we do and I'm unaware of any enterprise vendor which does offer the ability for an admin to make a complex policy like this. <-QUOTE}

Joe,
I really wish you did have this option, I truly do. :thumb:
I think F-secure's Client Security has something like this, I've yet to install the demo, however, so don't hold me responsible just yet.

dlimanov
June 18th, 2009, 12:54 PM
{QUOTE-> Besides the ability to support a "centrally defined policy", this is exactly what we do and I'm unaware of any enterprise vendor which does offer the ability for an admin to make a complex policy like this. <-QUOTE}

P.P.S.:

Joe,
I think if Prevx would give an end-user an option (versus making a decision for them), it would be very helpful in my particular case. In other words, since central policy is not available, I'd like to be able to at least give user an option when potentially malicious behavior is detected but no signature/cross-reference is available in the cloud. A2 does this with "paranoid" mode, maybe Prevx can have this setting available in the future? Not sure if this belongs here or in "Future Requirements" thread.

PrevxHelp
June 18th, 2009, 02:00 PM
We're still in early stages of designing a lot of the Prevx 4.0 functionality but it looks as though this will be present as we will be having a significant amount of the server-side analysis available to the enterprise customers as configuration options (including the ability to view full reports on what individual programs change on the system and the ability to block classes of programs by behavior).

However, the version of Prevx 4.0 for Enterprise will be ready later than the consumer version and this level of granular control will be one of the final features to be added in the roadmap (I'm not sure on exact timings at this point).

Habakuck
June 18th, 2009, 02:47 PM
{QUOTE-> it looks as though this will be present as we will be having a significant amount of the server-side analysis available to the enterprise customers as configuration options (including the ability to view full reports on what individual programs change on the system and the ability to block classes of programs by behavior). <-QUOTE} That sounds fantastic! :thumb:

By the way: I have to correct myself. A friend of mine wrote a test sample (of course completely unknown in the cloud) and tested it against PrevX.
PrevX did its job very well and detected it as low risk malware! :thumb:
After that he tested another program written by himself which is not malicious.
PrevX did again a good job by not classifying it as malicious.

Accordingly PrevX definitely has behavior analysis implemented. And I can understand the PrevX Team not telling us all the tricks they do for analysing the files...

So PrevX works perfectly for me and I think the next upgrades will be even better!

best regards

dlimanov
June 18th, 2009, 03:33 PM
{QUOTE-> We're still in early stages of designing a lot of the Prevx 4.0 functionality but it looks as though this will be present as we will be having a significant amount of the server-side analysis available to the enterprise customers as configuration options (including the ability to view full reports on what individual programs change on the system and the ability to block classes of programs by behavior).

However, the version of Prevx 4.0 for Enterprise will be ready later than the consumer version and this level of granular control will be one of the final features to be added in the roadmap (I'm not sure on exact timings at this point). <-QUOTE}

This is the best news I've heard all week, thanks Joe! When beta time for the enterprise comes, please put me on the list of beta-testers, if such thing exists.

PrevxHelp
June 18th, 2009, 03:51 PM
{QUOTE-> This is the best news I've heard all week, thanks Joe! When beta time for the enterprise comes, please put me on the list of beta-testers, if such thing exists. <-QUOTE}

Will do! :)

PrevxHelp
June 18th, 2009, 03:54 PM
{QUOTE-> That sounds fantastic! :thumb:

By the way: I have to correct myself. A friend of mine wrote a test sample (of course completely unknown in the cloud) and tested it against PrevX.
PrevX did its job very well and detected it as low risk malware! :thumb:
After that he tested another program written by himself which is not malicious.
PrevX did again a good job by not classifying it as malicious.

Accordingly PrevX definitely has behavior analysis implemented. And I can understand the PrevX Team not telling us all the tricks they do for analysing the files...

So PrevX works perfectly for me and I think the next upgrades will be even better!
<-QUOTE}

Glad to hear :)

Indeed the next upgrades to v3 and to development of v4 will mark another major step-change for Prevx - we're moving forward on a number of pieces of functionality simultaneously but as soon as everything is ready we will be passing around Betas to everyone interested.

Habakuck
June 18th, 2009, 04:27 PM
{QUOTE-> as soon as everything is ready we will be passing around Betas to everyone interested. <-QUOTE} Here's one... ;)

mvdu
June 18th, 2009, 04:44 PM
Prevx has been the only constant in my setup of late; improved behavioral detection would be great as I currently have no HIPS. Version 4 will be better in this regard?

PrevxHelp
June 18th, 2009, 05:18 PM
{QUOTE-> Prevx has been the only constant in my setup of late; improved behavioral detection would be great as I currently have no HIPS. Version 4 will be better in this regard? <-QUOTE}

We will indeed have significantly improved behavioral detection, however, for consumers, we are staying away from a full blown classical HIPS/behavior blocker to stay with the same mentality of very few popups/near-silent security.

mvdu
June 18th, 2009, 07:39 PM
{QUOTE-> We will indeed have significantly improved behavioral detection, however, for consumers, we are staying away from a full blown classical HIPS/behavior blocker to stay with the same mentality of very few popups/near-silent security. <-QUOTE}

I like the silent philosophy. I am glad it's possible to improve behavioral detection while keeping it that way. :)

Habakuck
June 19th, 2009, 02:19 AM
{QUOTE-> I like the silent philosophy. I am glad it's possible to improve behavioral detection while keeping it that way. :) <-QUOTE}

Me too!

I changed from Kaspersky to PrevX because I didn't like the vast array of PopUps.

huangker
June 19th, 2009, 05:43 AM
{QUOTE->
- If a signature is not available and this is a true 0-day or a modified existing threat (like the millions of Conficker variants), this is where it gets interesting. The behavior engine kicks in and analyzes the ENTIRE scope of the process execution that has occurred thus far: i.e., download from a potentially malicious site, lack of signature and some general file header or other specific file information, like how it was packed, formed, etc. The file is then "sandboxed" and allowed to execute, so its actions can be monitored and analyzed further, with emphasis on virus-like behavior. The resulting combination of the pre- and post-sandbox behavior is checked against the cloud OR a centrally-defined policy and appropriate action is taken and/or the user is notified and given an option to execute or block/quarantine the file.
<-QUOTE}

This is hard to do. Prevx is supposed to be one of the better behavior blockers. This leg of the transaction won't give you anywhere near the level of assurance you are looking for.