Prevx age/population heuristics - disappointment
ako
July 27th, 2009, 05:44 AM
Three examples:
Prevx age/population heuristics "high", pdf-exploit
http://img204.imageshack.us/i/pdfexploit.jpg/
Prevx age/population heuristics "maximum", pdf-exploit. Browser inside Defencewall
http://img40.imageshack.us/i/pdfexploit2.jpg/
Prevx age/population heuristics "maximum", zapchast-malware. Rising Pc doctor stops it, I ignore.
http://img40.imageshack.us/i/zapchast.jpg/
Scotty (WinPatrol) barks loudly!
HKEY1952
July 27th, 2009, 06:36 AM
I do not see anything heuristic about Prevx.
The only heuristics I observe is the Prevx algorithm contacting the Prevx Server to determine the statistical age of a file according to the Prevx community, then jurying the file.
That is not heuristics; true heuristics does not care about the age of a file, true heuristics juries a file by what action the file is performing right now in real time.
HKEY1952
raven211
July 27th, 2009, 06:45 AM
-{ Quote: "I do not see anything heuristic about Prevx.
The only heuristics I observe is the Prevx algorithm contacting the Prevx Server to determine the statistical age of a file according to the Prevx community, then jurying the file.
That is not heuristics; true heuristics does not care about the age of a file, true heuristics juries a file by what action the file is performing right now in real time.
HKEY1952" }-
Totally agree.
ako
July 27th, 2009, 06:57 AM
I'm not interested in nomenclature. I want to know if a given protection method works or not.
HKEY1952
July 27th, 2009, 07:06 AM
Well.....you just Posted your disappointment.....now you know.....
HKEY1952
ako
July 27th, 2009, 07:10 AM
-{ Quote: "Well.....you just Posted your disappointment.....now you know.....
HKEY1952" }-
Matters are not (or should not be) so simple. See
http://www.wilderssecurity.com/showthread.php?t=240214
Saraceno
July 27th, 2009, 07:12 AM
ako, I don't know the 'technical' ins and outs of prevx, but I've learned from these forums, some of the best security programs don't get every problem file.
For example, winpatrol might detect these, but misses others.
What problems do these files create, if run?
ako
July 27th, 2009, 07:13 AM
-{ Quote: "ako, I don't know the 'technical' ins and outs of prevx, but I've learned from these forums, some of the best security programs don't get every problem file.
For example, winpatrol might detect these, but misses others.
What problems do these files create, if run?" }-
The point is: they are new files, but one gets no warning even with age/pop. heuristics set to maximum.
Saraceno
July 27th, 2009, 07:18 AM
When Joe gets online, he's sleeping I'm betting, send them through to him and wait for his follow-up. :)
ako
July 27th, 2009, 07:20 AM
I've already done it...
Saraceno
July 27th, 2009, 07:23 AM
Good stuff. :thumb: Just out of interest, what sort of site did these files come from, gaming, adult etc?
raven211
July 27th, 2009, 07:23 AM
-{ Quote: "I've already done it..." }-
He's doing an excellent job, definitely deserving his rest. ;)
Saraceno
July 27th, 2009, 07:30 AM
I heard the man doesn't sleep, survives off mouthfuls of air. That true? ;)
ako
July 27th, 2009, 07:32 AM
-{ Quote: "Good stuff. :thumb: Just out of interest, what sort of site did these files come from, gaming, adult etc?" }-
Infected random sites, no special title.
Kees1958
July 27th, 2009, 09:04 AM
Ako,
Have you set DefenseWall to protect additional folders? Or did you select the option to be informed when protected resources are accessed?
You know there is a nice trick with DefenseWall Resource Protection to add extra security (on files/registry). Simply add those items as resources of the "System" process.
Ilya has added a lot of my extra file and registry protection by default. I am interested to know whether you have defined extras yourself.
Regards Kees
ako
July 27th, 2009, 10:09 AM
I haven't done any 'tweaking' so far; unless proven otherwise, I hope I can trust the default settings of DW.
Please tell me, what's your ruleset?
PrevxHelp
July 27th, 2009, 10:14 AM
Hi ako,
I'm unsure what the source of the issue is but could you get me some details about your system including what version of DefenseWall and what browser you're using/service pack level? There may be an incompatibility causing the detection to not work properly (it definitely works as it bugs me every time we make a new build ;D).
And @HKEY1952: only one portion of our centralized database uses age/popularity to detect the file, the rest is entirely based on heuristics/heuristics from behavior (we don't have 1-1 signatures).
ako
July 27th, 2009, 10:31 AM
XP sp2 (no updates), IE7, DW 2.56, Adobe 7.08
PrevxHelp
July 27th, 2009, 11:09 AM
Could you try a similar test with DW/WinPatrol not installed? I'm interested to see if it is related to them in particular as I just tried a similar setup (SP3 VM) and no malware got through (EDIT - said the inverse of what happened... coffee needed...)
Also, does that VM image have a full Prevx license in it? That can make a difference with age/popularity protection.
HKEY1952
July 27th, 2009, 11:15 AM
-{ Quote: "Hi ako,
I'm unsure what the source of the issue is but could you get me some details about your system including what version of DefenseWall and what browser you're using/service pack level? There may be an incompatibility causing the detection to not work properly (it definitely works as it bugs me every time we make a new build ;D).
And @HKEY1952: only one portion of our centralized database uses age/popularity to detect the file, the rest is entirely based on heuristics/heuristics from behavior (we don't have 1-1 signatures)." }-
I have been following your Posts and you always have a definite positive answer, fix, workaround, and soon to be updated fix for every single negative Post about Prevx.
Prevx always works for you and it is always the client's configuration causing Prevx not working properly. No Program is that dynamically perfect and no human is that dynamically intelligent.....although your performance here on Wilders Security Forums is very convincing to the average person.
HKEY1952
PrevxHelp
July 27th, 2009, 11:18 AM
-{ Quote: "I have been following your Posts and you always have a definite positive answer, fix, workaround, and soon to be updated fix for every single negative Post about Prevx.
Prevx always works for you and it is always the client's configuration causing Prevx not working properly. No Program is that dynamically perfect and no human is that dynamically intelligent.....although your performance here on Wilders Security Forums is very convincing to the average person." }-
:-\ I'm sorry if I'm being too truthful... when something isn't working properly we issue a fix for it, and a fixed version is soon to be updated so I'm not sure where the problem is ??? I'm not blaming the client's configuration, I'm just working to be able to reproduce it so that we can correct the problem.
TonyW
July 27th, 2009, 12:08 PM
-{ Quote: "Prevx always works for you and it is always the client's configuration causing Prevx not working properly. No Program is that dynamically perfect and no human is that dynamically intelligent" }-
Forgetting Prevx for a moment, when I look around at these and other forums, I see a mixture of users with product X; those who have problems and those who don't despite the fact it's the same product and version being used. There has to be a reason why one user has an issue, but another doesn't. The trick is finding out why, but often that's not an easy task to accomplish, which is why some users give up and move on to something else.
I came to the conclusion a long while ago that the developers cannot know the myriad configurations that exist out there, and that being the case some anomalies may occur. They can do their best to cover most scenarios, but not all. Each and every one of us has a different configuration, and, unfortunately, some software may cause conflicts.
Those that say they have no issues are lucky; the software they have installed works nicely within their configuration. Other factors to bear in mind are the fact that some of these people don't have as many programs installed, and some, like me, don't run too many things at once.
Having said all that, when the support division of a vendor tries their best to work with the customer to resolve any issues, that is to their credit. Sadly, that doesn't always happen; in this instance Prevx has to be applauded for at least going some way to try and fix things as quickly and as humanly possible.
Page42
July 27th, 2009, 01:23 PM
-{ Quote: "I have been following your Posts and you always have a definite positive answer, fix, workaround, and soon to be updated fix for every single negative Post about Prevx.
Prevx always works for you and it is always the client's configuration causing Prevx not working properly. No Program is that dynamically perfect and no human is that dynamically intelligent.....although your performance here on Wilders Security Forums is very convincing to the average person." }-
But of course you're not convinced because you are not average, isn't that what you're saying? You are one of the very special people who show up now and then here at Wilders to enlighten the general population. I am so glad that I am alive during your time. :thumb:
Keyboard_Commando
July 27th, 2009, 02:23 PM
HKEY1952's post was rather cryptic. Not sure if he was praising Prevxhelp for finding fixes & workarounds or just working hard, seemed like he was praising all three. What a butt-kisser. JK :P
I think it would be legit to crucify someone for not trying.
ako
July 27th, 2009, 03:07 PM
-{ Quote: "Could you try a similar test with DW/WinPatrol not installed? I'm interested to see if it is related to them in particular as I just tried a similar setup (SP3 VM) and no malware got through (EDIT - said the inverse of what happened... coffee needed...)
Also, does that VM image have a full Prevx license in it? That can make a difference with age/popularity protection." }-
Full licence.
I uninstalled DW, and closed WinPatrol. This time the malware was stopped (due to being recognized as malware, who knows why. Perhaps it is in the database already?)
I just wonder: During my tests I have never seen age/pop heur. in action. Why?
Could you do a favour: download DW trial, Winpatrol free and test yourself that combo.
PrevxHelp
July 27th, 2009, 03:28 PM
I've found the issue! The age/popularity protection is limited to certain areas to prevent false positives, and to define which area we will apply the age/popularity protection to, we use a specific type of signature. However, this isn't working properly for some builds of Reader and apparently for the Foxit PDF reader as well.
We will need to issue a software update to correct this but this will definitely correct the problem and is the reason why you aren't getting the age/popularity detections.
Thank you for your patience with this and your testing :) We are moving slowly towards the next release but in the meantime I will send you over a new test version within the next couple days which will correct this issue so you can double check that everything is then working properly.
ako
July 27th, 2009, 03:36 PM
-{ Quote: "I've found the issue! The age/popularity protection is limited to certain areas to prevent false positives, and to define which area we will apply the age/popularity protection to, we use a specific type of signature. However, this isn't working properly for some builds of Reader and apparently for the Foxit PDF reader as well.
We will need to issue a software update to correct this but this will definitely correct the problem and is the reason why you aren't getting the age/popularity detections.
Thank you for your patience with this and your testing :) We are moving slowly towards the next release but in the meantime I will send you over a new test version within the next couple days which will correct this issue so you can double check that everything is then working properly." }-
Hi!
Glad to hear that the issue has been found! I'm happy I could help and I'm looking forward to seeing the next version.
ako
July 27th, 2009, 04:37 PM
One more comment: is my case 3 (see post #1) explained by the same thing?
It is not pdf-exploit. (PM sent)
PrevxHelp
July 27th, 2009, 04:43 PM
-{ Quote: "One more comment: is my case 3 (see post #1) explained by the same thing?
It is not pdf-exploit. (PM sent)" }-
Could you give me some details on exactly how you tested the infection? It's hard to tell from the mini-Process Explorer window :)
ako
July 27th, 2009, 04:46 PM
-{ Quote: "Could you give me some details on exactly how you tested the infection? It's hard to tell from the mini-Process Explorer window :)" }-
Just executed from the explorer address bar. (I tried other executables: same results)
PrevxHelp
July 27th, 2009, 04:49 PM
-{ Quote: "Just executed from explorer address bar. (I tried other executables: same results )" }-
Hmm... could you send me one of these files? There are other factors involved with the age/spread detection but they should be flagged from that :-\
ako
July 27th, 2009, 04:50 PM
-{ Quote: "Hmm... could you send me one of these files? There are other factors involved with the age/spread detection but they should be flagged from that :-\" }-
See PM
PrevxHelp
July 27th, 2009, 04:55 PM
-{ Quote: "See PM" }-
??? ??? ???
We've had this file as a known bad since December 2008. Age/Popularity shouldn't even have to come into play - it has been blocked in realtime on 916 PCs since then :-\ .
Executing it here, it is blocked immediately as "High Risk Cloaked Malware".
This may be a realtime protection incompatibility in the VM you have if the on-demand scan is picking these up. Would you be willing to have me remotely check in the VM to see what might be wrong? (See PM :))
overangry
July 27th, 2009, 05:23 PM
-{ Quote: "But of course you're not convinced because you are not average, isn't that what you're saying? You are one of the very special people who show up now and then here at Wilders to enlighten the general population. I am so glad that I am alive during your time. :thumb:" }-
You took the words, right out of my mouth... hallelujah:isay:
Saraceno
July 27th, 2009, 10:12 PM
Great post Page42. One of the funniest I've read. :)
HKEY, I understand there are forums where a developer/sponsor is always on the scene to mop up any spill. Some people can feel that is was their fault to begin with and not the product's.
But I have to agree that we're fortunate developers such as prevxhelp (Ilya, Stefan etc) spend their time (most likely free time) stopping by and helping users out. The alternative is users asking many questions without an answer and going around in circles.
Yes prevxhelp doesn't always have the answer and there will be faults with the program prevx from time to time (just like any program). But you have to give the company and support staff credit for all the effort they're putting in to resolve a problem and answer our questions.
HKEY1952
July 28th, 2009, 02:54 AM
When Microsoft releases Microsoft Windows 7 third party security vendors will start to be phased out so none of this really matters anyway.
Security vendors have been warned to find another source of income with the release of the scaled back Microsoft Windows Vista.
When the 64 bit computing architecture is fully implemented there will no longer exist third party security vendors as we know them today.
HKEY1952
Retadpuss
July 28th, 2009, 04:26 AM
-{ Quote: "When Microsoft releases Microsoft Windows 7 third party security vendors will start to be phased out so none of this really matters anyway.
Security vendors have been warned to find another source of income with the release of the scaled back Microsoft Windows Vista.
When the 64 bit computing architecture is fully implemented there will no longer exist third party security vendors as we know them today.
HKEY1952" }-
Wow, really? I didn't know that.
I will tell some of the CEOs I know later today. They need to know this ASAP.
Puss
HKEY1952
July 28th, 2009, 05:01 AM
-{ Quote: "Wow, really? I didn't know that.
I will tell some of the CEOs I know later today. They need to know this ASAP.
Puss" }-
Yes! Really!
Microsoft has the right to protect their own Operating System and are going to do just that starting with the release of Microsoft Windows 7.
Just look at the shock wave Microsoft Security Essentials sent out. Some of the major security vendors are still crying.
So, having the following, what more does one need for security, or what third party security software is really needed?
01)- Firewall Router
02)- Microsoft Windows 7 with improved Limited User Account
03)- Microsoft Windows 7 with improved two way Firewall
04)- Microsoft Security Essentials free Antivirus and Antispyware
05)- Microsoft Internet Explorer 8 with improved security, Ad Blocking, Phishing Filter, and In Private Browsing
06)- Optional Open DNS Account
Answer = None
HKEY1952
Retadpuss
July 28th, 2009, 05:43 AM
-{ Quote: "Yes! Really!
Microsoft has the right to protect their own Operating System and are going to do just that starting with the release of Microsoft Windows 7.
Just look at the shock wave Microsoft Security Essentials sent out. Some of the major security vendors are still crying.
So, having the following, what more does one need for security, or what third party security software is really needed?
01)- Firewall Router
02)- Microsoft Windows 7 with improved Limited User Account
03)- Microsoft Windows 7 with improved two way Firewall
04)- Microsoft Security Essentials free Antivirus and Antispyware
05)- Microsoft Internet Explorer 8 with improved security, Ad Blocking, Phishing Filter, and In Private Browsing
06)- Optional Open DNS Account
Answer = None
HKEY1952" }-
I agree with you for the most part. I made a post here a few weeks back about MSE. The pathetic comments from some vendors about it being no good etc. were an indication that they were worried. I have tested MSE and it is good and is all the average user needs. I would imagine the consumer AM market will be hit as a result of MSE and the other features of Win 7. A minority will use specialised stuff (Wilders members etc.), but there will still be the enterprise / business market.
I test malware daily and can say that in my extensive testing, Prevx is the best at catching new threats and overall is only matched by A2 in terms of overall detection. I think Vendors are going to have to look to new technology like Prevx to have an edge over MSE (because right now, none of them have anything to better it)
There are many environments, markets, situations, where MSE / traditional AMs are not well suited. There will always be a market for innovative 3rd party AMs and security apps.
I think MSE is good in that it will wipe out most of the also ran type AM / security products - as well as most of the snake oil AS/AT apps and leave the truly innovative products.
Time will tell.
Puss
trjam
July 28th, 2009, 05:59 AM
true Puss, but the market will get smaller. Just the 2 in my sig, err, MSE and Sandboxie, are basically freebies and in reality provide you with plenty of security. There are others for different purposes to supplement them but the reality is, the day of the $50.00 + suite, will soon be history.
funkydude
July 28th, 2009, 09:05 AM
No offense trjam, but we all know you use different AV's so you should probably mention what the "two in your sig" are in your posts since soon they will be different. ;D
trjam
July 28th, 2009, 09:14 AM
thanks dude, as AppGuard is starting to look good after the write up Kees did. 8)
TonyW
July 28th, 2009, 06:01 PM
-{ Quote: "When Microsoft releases Microsoft Windows 7 third party security vendors will start to be phased out so none of this really matters any way." }-
That seems a bit unlikely seeing as many vendors have created or are creating versions that work with Windows 7.
trjam
July 28th, 2009, 06:02 PM
I do think as time goes by, it will be harder to market a product due to Microsoft feeling like they need to fill the gap. It is just the way it is.
PrevxHelp
July 28th, 2009, 06:05 PM
-{ Quote: "I do think as time goes by, it will be harder to market a product due to Microsoft feeling like they need to fill the gap. It is just the way it is." }-
Microsoft isn't new to the AV field and I think they are only beneficial - especially with their malware removal tool distributed via Windows Update.
Will they single-handedly kill off the entire AV/security software industry: not at all, unless they prevent users from installing software or viewing/modifying/deleting files (granted, they could do that very swiftly with a bugged update patch :))
trjam
July 28th, 2009, 06:07 PM
I didn't say the whole market, but a good free AV will take its hits on some. The question is, no one knows, including Mr. Gates, the new ways malware will evolve. Thus a gap will always need to be filled.
PrevxHelp
July 28th, 2009, 06:13 PM
-{ Quote: "I didn't say the whole market, but a good free AV will take its hits on some. The question is, no one knows, including Mr. Gates, the new ways malware will evolve. Thus a gap will always need to be filled." }-
I agree (and the whole market inference wasn't directed towards you - rather, a certain other post in this thread :))
HKEY1952
July 28th, 2009, 07:42 PM
-{ Quote: "Microsoft isn't new to the AV field and I think they are only beneficial - especially with their malware removal tool distributed via Windows Update.
Will they single-handedly kill off the entire AV/security software industry: not at all, unless they prevent users from installing software or viewing/modifying/deleting files (granted, they could do that very swiftly with a bugged update patch :))" }-
I agree, Microsoft will not single-handedly kill off the entire Antivirus/Security Software industry, however,
when the tide rolls back only the most innovative security companies will remain, and that is good news for some home consumers, no more snake oil and BS security programs.
Only the security programs that are truly innovative and actually secure systems against Internet threats will remain, sort of like survival of the fittest.
Sadly, the surviving security companies and their tools will not be needed by the home consumer. Security companies will profit more from the enterprise sector.
There will still be some profit from the home consumer market because not everyone is going to go all Microsoft with their security setup.
Now, the only problem that remains is the security issue of the Cloud Technology, not the vendor, not the program, but the Cloud Technology itself.
There must be a more secure way to transmit client data over the World Wide Web other than the way it is currently implemented. Perhaps over a Separate Network.
Each vendor can have their own private encryption and globally share a Special Network that is segregated from the World Wide Web mainstream.
HKEY1952
trjam
July 28th, 2009, 07:44 PM
Well, you know the old saying, only time will tell.
PrevxHelp
July 28th, 2009, 07:47 PM
-{ Quote: "Now, the only problem that remains is the security issue of the Cloud Technology, not the vendor, not the program, but the Cloud Technology itself.
There must be a more secure way to transmit client data over the World Wide Web other than the way it is currently implemented. Perhaps over a Separate Network.
Each vendor can have their own private encryption and globally share a Special Network that is segregated from the World Wide Web mainstream" }-
Just a clarification - are you referring to the security of data used by in-the-cloud applications like Amazon's EC2 and Google Docs/etc. or in-the-cloud security vendors? From what I've seen, all of the independent security vendors using the cloud for security purposes all use proprietary encryption on top of standard encryption measures.
However, if you're referring to corporations storing documents online with Google Docs or similar services, I agree - I honestly hope corporations do not move to storing data in the cloud... they can't secure user data when housed within their own networks, let alone by a third party :-\
HKEY1952
July 28th, 2009, 08:50 PM
-{ Quote: "Just a clarification - are you referring to the security of data used by in-the-cloud applications like Amazon's EC2 and Google Docs/etc. or in-the-cloud security vendors? From what I've seen, all of the independent security vendors using the cloud for security purposes all use proprietary encryption on top of standard encryption measures.
However, if you're referring to corporations storing documents online with Google Docs or similar services, I agree - I honestly hope corporations do not move to storing data in the cloud... they can't secure user data when housed within their own networks, let alone by a third party :-\" }-
Does Prevx implement proprietary encryption on top of standard encryption measures?
If the answer is Yes, please elaborate, when you have the time.
If the answer is No, please elaborate, when you have the time.
HKEY1952
PrevxHelp
July 28th, 2009, 08:52 PM
-{ Quote: "Does Prevx implement proprietary encryption on top of standard encryption measures?
If the answer is Yes, please elaborate, when you have the time.
If the answer is No, please elaborate, when you have the time.
HKEY1952" }-
Yes :) I can't elaborate much, of course, for privacy and internal reasons.
HKEY1952
July 28th, 2009, 09:10 PM
-{ Quote: "Yes :) I can't elaborate much, of course, for privacy and internal reasons." }-
Okay, sort of my fault, I should have been more clear.
What I meant to ask was:
If Prevx uploads say an Excel Spreadsheet to scan in-the-cloud, is this communication encrypted?
Also, what reassurance does the client have that Prevx will not store the file/s?
HKEY1952
PrevxHelp
July 28th, 2009, 09:27 PM
-{ Quote: "Okay, sort of my fault, I should have been more clear.
What I meant to ask was:
If Prevx uploads say an Excel Spreadsheet to scan in-the-cloud, is this communication encrypted?
Also, what reassurance does the client have that Prevx will not store the file/s?
" }-
Prevx doesn't upload information about documents/images/non-executable files at all - the cloud protection focuses entirely on executables. You may see files being scanned locally in the scan dialog but that is just because we need to read the files to determine if they should be scanned/perform any local checks.
HKEY1952
July 28th, 2009, 09:41 PM
-{ Quote: "Prevx doesn't upload information about documents/images/non-executable files at all - the cloud protection focuses entirely on executables. You may see files being scanned locally in the scan dialog but that is just because we need to read the files to determine if they should be scanned/perform any local checks." }-
Okay, if a spreadsheet contains a Macro Virus, please explain step by step how Prevx will handle this.
I know this is a challenging question, but now is the time to convince me, and perhaps others.
I am not asking you to reveal trade secrets, or reveal inner workings, just explain on the surface the overall procedure.
HKEY1952
PrevxHelp
July 28th, 2009, 09:44 PM
-{ Quote: "Okay, if a spreadsheet contains a Macro Virus, please explain step by step how Prevx will handle this.
I know this is a challenging question, but now is the time to convince me, and perhaps others.
I am not asking you to reveal trade secrets, or reveal inner workings, just explain on the surface the overall procedure." }-
We don't focus on detecting macro viruses (being that Microsoft's measures to prevent them within Office have killed them) or other dead malware (i.e. DOS viruses) but we use local logic to detect them when needed that doesn't require a trip back to the cloud to scan.
HKEY1952
July 28th, 2009, 09:48 PM
-{ Quote: "We don't focus on detecting macro viruses (being that Microsoft's measures to prevent them within Office have killed them) or other dead malware (i.e. DOS viruses) but we use local logic to detect them when needed that doesn't require a trip back to the cloud to scan." }-
The highlighted part does not make sense, please elaborate!
HKEY1952
PrevxHelp
July 28th, 2009, 09:53 PM
Just because we are cloud AV doesn't mean we can't have local signatures/intelligence ;) We scan for certain threats without using the cloud by using local logic (logic meaning signatures/checks/heuristics/etc.)
HKEY1952
July 28th, 2009, 10:01 PM
-{ Quote: "Just because we are cloud AV doesn't mean we can't have local signatures/intelligence ;) We scan for certain threats without using the cloud by using local logic (logic meaning signatures/checks/heuristics/etc.)" }-
I see, so executables will be uploaded for scans and non-executables, images, and documents will be scanned with local logic. The uploaded executables will be encrypted during transit. Is all of this correct?
HKEY1952
PrevxHelp
July 28th, 2009, 10:07 PM
-{ Quote: "I see, so executables will be uploaded for scans and non-executables, images, and documents will be scanned with local logic. The uploaded executables will be encrypted during transit. Is all of this correct?" }-
Yes that is correct, except that very rarely do we actually upload the entire executable - uploading that much data is a big waste of bandwidth/resources so we resort to much more heuristic means via behavioral analysis locally (and then sending up those behaviors) or using our specialized signatures to identify files and the intent of files without needing the contents themselves.
HKEY1952
July 28th, 2009, 10:20 PM
-{ Quote: "Yes that is correct, except that very rarely do we actually upload the entire executable - uploading that much data is a big waste of bandwidth/resources so we resort to much more heuristic means via behavioral analysis locally (and then sending up those behaviors) or using our specialized signatures to identify files and the intent of files without needing the contents themselves." }-
Very interesting, my overall idea of the concept of Cloud Technology was wrong. For example, I always believed the entire executable was uploaded.
So most of the work is done locally and the Cloud only kicks in when needed or necessary, correct?
I am almost through hammering you ;D
HKEY1952
PrevxHelp
July 28th, 2009, 10:24 PM
-{ Quote: "Very interesting, my overall idea of the concept of Cloud Technology was wrong. For example, I always believed the entire executable was uploaded.
So most of the work is done locally and the Cloud only kicks in when needed or necessary, correct?" }-
Yes, a sizable amount of the work is done locally, but the real time-consuming work is done in the cloud. Comparing against hundreds of millions of database entries locally is not a great way to spend the user's CPU time :) The other benefits of the cloud are that it is always up to date (no need to download signature updates), and that the intelligence gathered from the behaviors of other programs helps feed and improve the detection of new programs.
-{ Quote: "I am almost through hammering you ;D" }-
Keep 'em coming ;)
HKEY1952
July 28th, 2009, 10:29 PM
-{ Quote: "Yes, a sizable amount of the work is done locally, but the real time-consuming work is done in the cloud. Comparing against hundreds of millions of database entries locally is not a great way to spend the user's CPU time :) The other benefits of the cloud are that it is always up to date (no need to download signature updates), and that the intelligence gathered from the behaviors of other programs helps feed and improve the detection of new programs.
Keep 'em coming ;)" }-
But are the local signatures updated at all?
HKEY1952
PrevxHelp
July 28th, 2009, 10:33 PM
-{ Quote: "But are the local signatures updated at all?" }-
Yes, but they are much, much less prevalent so updates are only required periodically (and come alongside the other cloud communications so the process is seamless). Most threats exist for less than 24 hours and that is where our benefits show as we're able to block new threats immediately as they start spreading rather than requiring the user to update and rescan.
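PrevxHelp's description of the mechanism across the posts above (age/popularity checks scoped to particular origins such as PDF readers, a known-bad verdict that takes precedence, and only a hash rather than the file itself going to the cloud) as an added toy model. This is illustrative code written for this page, not Prevx's own; the thresholds, the origin table and the sample database entries are all constructed assumptions, and the case where the parent process is not recognised shows how a scoping failure like the one diagnosed in the thread silently disables the age/popularity rule.

```python
"""Toy age/popularity reputation check, written for this page (not Prevx code)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed "current time", chosen to match the date of the thread.
NOW = datetime(2009, 7, 27, 12, 0)


@dataclass
class Reputation:
    first_seen: datetime      # when the community first reported this hash
    population: int           # number of PCs that have reported it
    known_bad: bool = False   # verdict already held in the central database


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample file contents; these are placeholders, not real samples.
KNOWN_BAD = b"constructed-sample-known-since-dec-2008"
BRAND_NEW = b"constructed-sample-dropped-today"
OLD_POPULAR = b"constructed-sample-widely-used-tool"

# Constructed cloud database keyed by content hash. The 916-PC figure mirrors the
# number PrevxHelp quoted for the known-bad file; the rest is invented.
CLOUD_DB = {
    sha256(KNOWN_BAD): Reputation(datetime(2008, 12, 1), 916, known_bad=True),
    sha256(BRAND_NEW): Reputation(NOW - timedelta(hours=2), 1),
    sha256(OLD_POPULAR): Reputation(NOW - timedelta(days=400), 250_000),
}

# Sensitivity levels: "high" and "maximum" are the names used in the thread;
# the age and population thresholds are assumptions.
LEVELS = {
    "high": {"max_age": timedelta(days=7), "max_pop": 10},
    "maximum": {"max_age": timedelta(days=30), "max_pop": 100},
}

# Origins the age/popularity rule is scoped to, to limit false positives.
PROTECTED_ORIGINS = {"browser", "pdf_reader", "email_client"}


def classify_origin(parent_process: str) -> Optional[str]:
    """Map the process that wrote/launched the file onto a protected area.

    Returns None when the parent is not recognised. That silently takes the
    file out of scope, which is the failure mode diagnosed in the thread:
    some Reader/Foxit builds were not matched, so the rule never fired.
    """
    table = {
        "iexplore.exe": "browser", "firefox.exe": "browser",
        "acrord32.exe": "pdf_reader", "foxit reader.exe": "pdf_reader",
        "outlook.exe": "email_client",
    }
    return table.get(parent_process.lower())


def lookup(data: bytes) -> Optional[Reputation]:
    """Only the hash crosses the wire; the file contents stay local."""
    return CLOUD_DB.get(sha256(data))


def verdict(data: bytes, parent_process: str, level: str, now: datetime = NOW) -> str:
    """Decide what to do with a file about to execute."""
    rep = lookup(data)
    # A known-bad entry is blocked regardless of origin or sensitivity;
    # age/popularity never needs to come into play for it.
    if rep is not None and rep.known_bad:
        return "block:known-bad"
    if classify_origin(parent_process) not in PROTECTED_ORIGINS:
        return "allow:out-of-scope"
    cfg = LEVELS[level]
    if rep is None:
        return "warn:never-seen"
    # Warn only when the file is both young AND rare; an old niche tool passes.
    if now - rep.first_seen <= cfg["max_age"] and rep.population <= cfg["max_pop"]:
        return "warn:new-and-rare"
    return "allow:established"


if __name__ == "__main__":
    for name, data, parent in [("known bad", KNOWN_BAD, "explorer.exe"),
                               ("new file via Reader", BRAND_NEW, "AcroRd32.exe"),
                               ("new file via unknown reader", BRAND_NEW, "OtherReader.exe"),
                               ("old popular tool", OLD_POPULAR, "iexplore.exe")]:
        print(f"{name:28} maximum -> {verdict(data, parent, 'maximum')}")
```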
HKEY1952
July 28th, 2009, 10:45 PM
-{ Quote: "Yes, but they are much, much less prevalent so updates are only required periodically (and come alongside the other cloud communications so the process is seamless). Most threats exist for less than 24 hours and that is where our benefits show as we're able to block new threats immediately as they start spreading rather than requiring the user to update and rescan." }-
Okay Sir, thank you for your time and patience, I commend you on your dedicated work here on the Wilders Security Forums.
I really learned quite a bit from our conversation, you almost have me convinced. :)
I believe I underestimated you. :-[
I have to go and think now! >:(
I look forward to having another conversation with you..... :thumb:
HKEY1952
PrevxHelp
July 28th, 2009, 10:47 PM
-{ Quote: "Okay Sir, thank you for your time and patience, I commend you on your dedicated work here on the Wilders Security Forums.
I really learned quite a bit from our conversation, you almost have me convinced. :)
I believe I underestimated you. :-[
I have to go and think now! >:(
I look forward to having another conversation with you..... :thumb: " }-
You're very welcome and thank you :)
funkydude
July 28th, 2009, 10:47 PM
Guess we can sleep now.