Infected big time with Prevx

Okay, just today I bought myself a brand new licence of Prevx. Enthusiastic as I was, I wanted to test its abilities to the max. I set all settings at maximum heuristic and I set Prevx to autoblock and autodelete on detection of malware.

Then I ran ***.com/***/****/***/fid.exe (~ Virus Total Results Removed per Policy ~) and sweet, Prevx prevented my computer from being infected and autoblocked the attempt. It did however not delete the fid.exe file. I ran fid.exe again and BAM, without Prevx even notifying me this time, I got infected by a rouge AV. Without rebooting, I ran a deep scan with Prevx, which couldn't find any installed malware. My solution was to revert back to an old restore point, which finally made the malware go away.

My questions are now:
1) Why did Prevx not delete the file which I specifically told it to upon detection?
2) Why didn't Prevx do anything the second time I executed the same file? The installation mwent right through without even a propt from Prevx.
3) How come Prevx, which detected the malware at first, did not find anything during deep scan when the malware was installed on my computer?

Regards,

Gabe

 

can you please post the link
like this:
hxxp//thelink.com/therest
next, make a new scan, klick right the prevx symbol in the tray, select tools, safe log.
send it to:
report@prevxresearch.com
write in the mail your problem and the topic link.
next: say us the prevx version you are using.

last: its no good idea to infect your pc i think you using it, next time use an vm or other pc.

 

I saved the log but on on-demand scan won't detect the malware. I am not sure how I should proceed with this matter. It bugs me that when executed, the file is detected as malware... but the fid.exe is not removed and after the detection, when I run it manually again, it infects me. I've tested it three times, and all of them ended up with the malware compromising my system.

I am using Prevx 3.0.5.130 with all modules active on Windows 7 x64. The log file does indeed contain: [DN] c:\users\SSSSS\desktop\fid.exe PX5: 26402D6D00EFBC38688F0363A2731B005F1595D5]. But Prevx won't stop it from infecting me when I install the second time.

 

@shadek

I downloaded fid.exe and scanned it with Prevx



So i'm not sure why there is a discrepancy between your scan and mine ? However i did NOT run it

But according to VT when i uploaded it, it IS a Trojan FakeAV as confirmed by 5 vendors.

Let's see what Prevx says but at least you were able to restore

 

Yeah, on-demand scan won't detect the malware, but the heuristic detects it when launched... and blocks it... but the second time it compromises your system (at least it did for me). I'm not sure why Prevx doesn't stop the second attempt as well... And yeah, I am super glad I got rid of it. First time ever I've actually had use of restore points Windows made.

 

yer, send the prevx log to the prevx mail adress i posted, perhaps it helps to find the problem.

 

I sent it to Prevx report e-mail, following the guidelines presented in this forum. Furthermore, even Avira set on high heuristic combined with Prevx set on max heuristic will help against this malware sample. It sure is a sneaky sample.

 

No one solution will guarantee 100% detection and that's Prevx also! No AV will detect everything so if you play with malware you are going to get infected! What would you do if your system restore was not working as some malware will delete all restore points If you are going to play with malware you should use a VM and run Shadow Defender with it just in case!

Regards,

TH

 

I do realize I was lucky. But it was detected first time, but not second time. That's what bugs me.

 

Sometimes it takes and hour or more because it's a "community database" so not many other Prevx users have seen this malware on there machines! I downloaded it and NOD32 stop it as a new variant of Win32/Kryptik.DXV trojan! Did you send it to them via this post? https://www.wilderssecurity.com/showthread.php?t=245129


TH

 

It bugs me too. I hope Joe can provide an answer here. Dubious PrevX behaviour...

 

You play with fire you are going to get burnt!

TH

 

Wait a minute , is it behaviour blocker which detects something only based on what "community database" have said ?
In either case, detecting this malware first time and then not detecting it second time is no good

 

Maybe it's in Detection Overrides?

TH

 

I thought of that, but he said that the settings was to autoblock and autodelete

Maybe the question for him would be has he cheked detection overrides after not detecting it second time

 

Quote Triple Helix

Not just malware that does that, as i and a number of others have found out to our cost

https://www.wilderssecurity.com/showthread.php?t=270069

Yeah, sometimes Good point though

Quote pabrate

Yes, very strange, be interesting to hear what Prevx makes of it all

 

It's odd indeed. Hopefully Prevx can replicate the scenario and we'll see an even better antimalware product.

 

Hello,
We're investigating this infection further, but it looks like it may not directly exhibit malicious behaviors which would explain why it may not have been automatically found. Many of these fake AV threats sneak under the radar of antimalware software because of their reliance on social engineering rather than malicious actions, but we try to keep on our toes with regard to the newest rogue AVs. Our research team will be analyzing this sample closer and will report back with what we find.

Thanks again for the help and please let me know if you find anything else!

EDIT: We've confirmed protection for this sample but could you let you know what you initially responded to when the sample was blocked? If you hit the X on the warning dialog instead of clicking "Block" it could potentially respond differently in the future.

Let me know what you find!

 

I am pretty sure that I clicked 'X' when the pop-up windows said the malware had been blocked. This because Prevx informed the threat had been blocked and I saw no other way to get rid of the pop-up. I'll be installing a virtual environment today to test a few new rouge AVs.

 

That is the best thing, I hate when ones get infected because they want to test malware with no virtual environment and they have no way of correcting but to do a format and reinstall the OS! I remember a few years ago helping a friend because he was so infected we formatted and reinstalled the OS and then we installed NOD32 2.5 at the time and it found 4 malware running in memory still but we finely got it cleaned up! Also download the trial of Shadow Defender 1.1.0.325 for the extra protection in Shadow mode!

TH

 

I tried it and it is malicious. Killed my internet connection in IE8.

 

Yes But I know you do it in a safe environment

TH

 

If you don't want to use a virtual machine, at least take an image of your drive before experimenting with malware. ( I bet TH does both)

I am not sure if the Prevx guaranteed malware removal (with remote support, if necessary) applies if someone infects their machine on purpose .

 

I'd never ask for remote help. I was about to reinstall my entire system. I was well aware of the risks when I tried to infect my computer. Glad the problem was sorted out and Prevx got a little better at the same time.