Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    yep, took it off for 3 days, mainly to try a new HIPS. Did not take me long to realize how much I missed it and how well it worked. I may never fully understand HIPS products, but I do understand Edge.;) :thumb:
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Over the last few months we have made significant improvements to CSI but have not changed the shortcuts during an update because that tends to annoy users (restoring, changing possibly deleted shortcuts). You don't have to do anything with CSI (it automatically scans, etc.) but you can now do things with CSI if you want as we've added a number of new features.

    I've PM'd you a link to an update for Edge. If you could install this, I believe it will correct your problems. We will be releasing it as an update shortly.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    You hit the nail on the head :) That is precisely how it works - except we don't only watch samples when you are the first person to encounter a threat, we watch them and build information on the file across thousands of users as many threats appear differently to different users (different configurations, different IP addresses, etc.) and we do not use community voting at all like some of the other vendors do.

    Until a program is completely determined as "good", Edge monitors and learns about hundreds of unique program behaviors to attempt to build the clearest picture of a threat possible. If a file is really "borderline", it may be submitted into our server-side sandboxing system where we can tear it apart piece by piece. If it still can't be decided upon quickly, one of our researchers will get notified and will analyze it manually and write heuristic rules to teach the DB how to block similar threats in the future (however, in most cases, malware is blocked before it even needs to get through any of these processes).

    Threat identification is generally immediate, however, sometimes it may take a few minutes and during that time, Edge will continue to monitor and track what the program is doing, so, if it does turn out to be bad, Edge will be able to remove any malicious registry entries associated with the file and close down any other pieces of malware associated with it.

    Hope that helps! :)
     
  4. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Just an update, running extremely well alongside Avast!, sandboxie and Shadow Defender (on demand).

    The first few days or so, many applications were being 'analysed' for a few seconds before startup, but now it seems everything (all applications and web browsing) loads and responds as if the program wasn't even loaded in the first place.

    :)
     
  5. Hunter42

    Hunter42 Registered Member

    Joined:
    Nov 19, 2008
    Posts:
    7
    My two cents:

    Running KIS 2009, PrevX Edge and Malware Defender 1.2.1 (Overkill ?! :rolleyes: ).

    Works fine here...


    H
     
  6. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,355
    Location:
    Location Unknown

    Um, yeah. That's a bit much.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Great thx, just an additional question (and I hope you say nay, otherwise Edge really has too much of an edge over the top of breed competition)

    Does Edge do registry key and file tracking (like ThreatFire) or does it also keep track of the changes (like Spyberus)? In the last case a value change from say 10 to 20 could be revoked to 10 again.

    Nice to see that behavior blocking indeed is using virtualisation to gain time for analysis of patterns (as predicted :) )
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I will have to say nay (for now) to this :) Our implementation is not quite this advanced.... yet.... but we are developing this extended system currently. The only reason why it is not completely in the current version is that it does require some additional overhead to store backup copies of every value, when most values that are changed will not turn out to be malicious, but, we are working on an optimal solution which will be pushed out to all clients as an update in a few weeks when it has been thoroughly tested and proven :)

    As well as this extended feature, we have a number of other exciting improvements, so, stay tuned :D Prevx is not sitting idle at all :D
     
  9. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi,

    A couple of questions?

    1) If I run an exe file via Sandboxie, if it exhibits malware characteristics will EDGE flag it even though it's been run within a sandbox?

    2) There is the option to manually detect a file that you know is malware and prevx does not detect. As soon as you do this PREVX recognises it as malware on your computer. If you double click on the detection you can then see the file on Prevx database and it generally gets listed as 'These files have yet to be determined.......'

    If another user clicks on the same exe file, will it get listed as malware on their Prevx Edge as well, or will the file be allowed to run until it's determined as malware on the database (or of course if it trips your central heuristics it will do this automatically)?

    Sorry for the lengthy question!

    Best wishes

    Jlo
     
  10. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Does Prevx have regular signature updates like AVs? I'm using it right now as my AV.
     
  11. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Not too much for me, if it works. KIS won't install, though, if Prevx is already on the machine.
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    (Lengthy questions are always preferred :) My responses tend to be just as lengthy so I deserve some retaliation!! :D)

    1) We haven't tried running malware from within a sandbox and seeing what Edge can see, but I'd imagine that if the sandbox was working properly, Edge would not be able to see the behavior as the sandbox would isolate it from reaching the system at all. I also don't know how the internals of Sandboxie work.

    2) Our Community approach does not take the opinions of the users in the community, rather, it looks at the behavior of programs on the computers in the community. Therefore, even if 5,000 users mark a file as 'Good' in Edge, it will not automatically mark it as good in the database. This prevents Mr. Malware Author from getting a bunch of computers together and fooling us into thinking it is good.

    The same goes in the opposite direction - if 5,000 people mark a file as bad, it will not be automatically changed to bad (as there is the possibility that Mr. Malware Author just wants to discredit us by marking good files as bad).

    In both cases, samples with overridden determinations, either good or bad, are sent into manual analysis or deeper automated server-side analysis, so, there will be some delay from when you override to when we actually change the global determination.

    However, if you do have overrides on malware to block them, feel free to let any of the Prevx people here know and we can mark them as bad immediately. Going through the overrides every day does take time and logic to reason through and sort out the incorrect user overrides, so, it would be faster if you send the samples in question through to us directly (we will provide you with email addresses, etc. and we are in the process of developing a sample submission system to help out in automated analysis of manual overrides).

    I hope my verbosity makes you dismiss the message! :D Let me know if you have any further questions!
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    KIS appears to check for the registry key HKEY_LOCAL_MACHINE\Software\PCSI, which is our main registry key (just has a couple values in it).

    If you want to get Edge/CSI to work alongside KIS, you will want to first uninstall our products, make sure that the key is removed completely, and then install KIS and after that install Edge/CSI on top.

    This has worked for users that have come into our inbox with the question, but if not, please let us know and we'll try and find another workaround :)
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We have extremely regular signature updates, but they are nothing like normal AVs. We add literally thousands of new samples every hour to our definitions and heuristics, but everything takes place on the Community-side, so, you never need to download updates - the clients just check against the newest definitions on the server.
     
  15. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    well, I must say.

    I do love the new version, like a kid with a new toy. :rolleyes:

    so, have I misread something, or are more security features for the EDGE product on their way via updates?
     
  16. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    From my experiences using Edge and Sandboxie together, Edge will see and block malware if it starts to run in the sandbox. Pretty much the same as using an AV together with Sandboxie. Programs outside the sandbox can look in but programs in the sandbox can't look out.
     
  17. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Thank you for the excellent answers.

    Best wishes

    Jlo
     
  18. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I agree with you CSJ, Edge has permanently taken the place of an AV on my computer.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Oh yes :D While they won't be released for a few weeks, we have a number of security-related features that will be incrementally added into Edge, coming down to clients via automatic updates.

    (Note: We do have an update scheduled for later today in Edge as well which fixes a lot of the compatibility issues with other AVs)
     
  20. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Brilliant. That's just what I wanted to know.

    Jlo
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Good to know! Thanks for the clarification :)
     
  22. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    No problem!!! :)
     
  23. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    cool, can't wait.

    so, what kind of things? (in a few weeks)

    will they help detection, removal or what? :)


    ---

    also, I do wonder how EDGE would perform in one of the tests compared to the traditional antivirus solutions. Do you not think it should be included? :)
     
  24. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I'm trying KIS 2009 and Prevx together now. No major problems yet, but after Prevx finished scanning and went to real time, KIS popped up with a "Trojan.Generic" alert that I think might have been related to Prevx, since the only option was to allow. Maybe this can be checked out. Thanks for all your help!
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We have a number of new behavior modeling algorithms baking in the oven as well as removal improvements and a whole mess of other things :D

    I think comparing Edge against traditional antivirus products is a bit unfair for both ends. Firstly, standard AVs detect a great deal of things that Edge won't, for example, old DOS viruses from 20 years ago and corrupt virus samples that have remnants of old, inactive infections in them.

    On the other hand, Edge detects a great deal of things normal AVs don't detect, in the time that it takes them to release an update.

    If you look at it graphically, normal AVs have to cover all old samples, even ones that can't affect users, up until new samples. However, based on the conceptual problems in definition updates, it isn't possible to have extremely fast detection of new threats.

    However, if you look at Edge, which covers malware that actually affects users today rather than users of 20 years ago, all the way up to malware that will be affecting users next week, you see that there is some overlap but not a whole lot.

    With how fast infections are mutating, testing antivirus products is becoming increasingly difficult and time consuming. Rather than being able to just right click on a folder and select 'Scan', testers now have to take into account whether the file is detected in realtime, while loading, on demand, in memory, if under a rootkit, coming via an exploit, etc. etc.

    Honestly, in today's threat landscape, I would not want to be a tester :D

    To make a long story short (too late), Edge and conventional AVs shouldn't really be tested side by side as they both have very different intentions. I hope that helps, sorry for the essay! :D
     