#553, November 19th, 2008, 08:44 AM
PrevxHelp
Prevx Moderator
 
Join Date: Sep 2008
Location: USA/UK
Posts: 4,650
Re: Introducing, The New Prevx Edge.

Quote:
Originally Posted by Kees1958
Edge has become a clearer application for me now:
When I would be the first one to encounter a threat (intrusion), Edge would mark it as suspicious and silently watch its behaviour with a higher level of alert. In the meantime it would be sent to the central (CSI-like) automated analysis centre. There the decision would be made to qualify it good or bad (after automated/professional analysis and not by empty-headed community voting).

Question: does Edge watch marked suspicious items with a higher alert level (until an answer is received from the community analysis process)? How does it bridge the time between zero day and threat identification? Does it place these 'researched threats' in a temporary locker/vault/quarantine?

You hit the nail on the head! That is precisely how it works - except we don't only watch samples when you are the first person to encounter a threat; we watch them and build information on the file across thousands of users, as many threats appear differently to different users (different configurations, different IP addresses, etc.), and we do not use community voting at all, like some of the other vendors do.

Until a program is completely determined as "good", Edge monitors and learns about hundreds of unique program behaviors to attempt to build the clearest picture of a threat possible. If a file is really "borderline", it may be submitted into our server-side sandboxing system where we can tear it apart piece by piece. If it still can't be decided upon quickly, one of our researchers will get notified and will analyze it manually and write heuristic rules to teach the DB how to block similar threats in the future (however, in most cases, malware is blocked before it even needs to get through any of these processes).

Threat identification is generally immediate; however, sometimes it may take a few minutes, and during that time Edge will continue to monitor and track what the program is doing, so, if it does turn out to be bad, Edge will be able to remove any malicious registry entries associated with the file and close down any other pieces of malware associated with it.

Hope that helps!