Wilders Security Forums  

#1  January 10th, 2008, 09:50 AM
Kees1958 (Massive Poster; joined Jul 2006; 5,857 posts)
PrevX CSI: how does it work?

Darren,

Asked me in the 'Cluster of the future' post what I thought of PrevX CSI.

I told him that I could not understand the magic behind PrevX.

The PrevX CSI only scans for KNOWN malware (probably missed by the top 5 leading vendors). How is PrevX collecting this malware?

Does anyone know how they find malware in the first place? It can not be CSI (as mentioned in the pic) because CSI scans with footprints (and you already have to know the malware), eSAC is a pre bank checking the environment of the client side (same as CSI I suppose), this leaves only the existing PrevX2 users for the advanced detection. The web site does not mention the PrevX2 installed base, but the users scanning with CSI. What good is CSI for adding new malware when it is only scanning for KNOWN malware? HELP I DO NOT UNDERSTAND
Attached Images
 

#2  January 10th, 2008, 12:01 PM
ghiser1 (Developer; Gloucester, UK; joined Jul 2004; 132 posts)

Hi Kees,

Prevx CSI is not a simple "scan with footprints" tool. Prevx CSI actually employs "behavioural characteristics" analysis like Prevx 2.0. Unlike Prevx 2.0, which is a real-time behavioural monitor, Prevx CSI performs a static analysis of files and registry entries and builds a partial behavioural picture from it. The reporting to Prevx from CSI and Prevx 2.0 is almost identical in this respect.

Prevx CSI also employs all of the family identification signatures that Prevx 2.0 does.

So, Prevx CSI is often reporting data about programs never seen before (by Prevx) to the Prevx database. The family identification signatures and behavioural characteristics can trigger the same automated malware determination rules in the Prevx CWC as the reports from Prevx 2.0 do. This means that Prevx CSI can identify a threat that is completely new to Prevx but related in some way to another threat in the same way that Prevx 2.0 can.

All the intelligence is in the center - Prevx 2.0 and CSI are in effect the eyes and ears that feed file, signature and behavioural data into the Prevx brain. Any file determined as Bad (by signatures or behavioural characteristics) where we don't yet have a sample of it from other sources is automatically requested from Prevx 2.0 and Prevx CSI. These new samples are then tested against 5 commonly deployed vendors and the results fed into the daily stats that you see on our web-site.

Hope this helps,

Darren
#3  January 10th, 2008, 12:14 PM
solcroft (Very Frequent Poster; joined Jun 2006; 1,639 posts)

Quote:
Originally Posted by ghiser1
All the intelligence is in the center - Prevx 2.0 and CSI are in effect the eyes and ears that feed file, signature and behavioural data into the Prevx brain. Any file determined as Bad (by signatures or behavioural characteristics) where we don't yet have a sample of it from other sources is automatically requested from Prevx 2.0 and Prevx CSI. These new samples are then tested against 5 commonly deployed vendors and the results fed into the daily stats that you see on our web-site.
In other words, the samples you feed into the graph haven't been verified by a human analyst?
#4  January 10th, 2008, 12:33 PM
ghiser1 (Developer; Gloucester, UK; joined Jul 2004; 132 posts)

Quote:
Originally Posted by solcroft
In other words, the samples you feed into the graph haven't been verified by a human analyst?

Verify them all manually? Hell no - we've got better things to do with our time! Then again, we don't need to. Take today. Of 2579 new samples, 2061 were confirmed as Bad by Microsoft - that's 79.9%. 1792 were confirmed by Symantec - that's 69.4%. There's some overlap in those two groups of course, but many picked up by MS weren't picked up by Symantec and vice versa. Across the five shown we normally have 90-95% confirmation by one or more of them on day one.

We do have a closer look at any that don't get picked up by any of the other vendors, and we also keep testing retrospectively. Within a couple of weeks one or more of them will be picking up all the samples.
#5  January 10th, 2008, 12:42 PM
solcroft (Very Frequent Poster; joined Jun 2006; 1,639 posts)

Quote:
Originally Posted by ghiser1
Verify them all manually? Hell no - we've got better things to do with our time! Then again, we don't need to.
Darren,

I suggest you reconsider. Investing some manpower in this might mean that Prevx won't report Firefox, Thunderbird, Sandboxie, Returnil, and IrfanView (among others) as malware.

It's interesting to see a security vendor claim that manual verification isn't required for new samples. Your company must place a lot of trust in your product's abilities - or do you wait for Microsoft, Symantec, Trend Micro, CA and McAfee to do the work for you?
#6  January 10th, 2008, 12:50 PM
Kees1958 (Massive Poster; joined Jul 2006; 5,857 posts)

Quote:
Originally Posted by ghiser1
Hi Kees,
1
Prevx CSI performs a static analysis of files and registry entries and builds a partial behavioural picture from it. The reporting to Prevx from CSI and Prevx 2.0 are almost identical in this respect.
2
Prevx CSI also employs all of the family identification signatures that Prevx 2.0 does. This means that Prevx CSI can identify a threat that is completely new to Prevx but related in some way to another threat in the same way that Prevx 2.0 can.
3
All the intelligence is in the center - Prevx 2.0 and CSI are in effect the eyes and ears that feed file, signature and behavioural data into the Prevx brain. Any file determined as Bad (by signatures or behavioural characteristics) where we don't yet have a sample of it from other sources is automatically requested from Prevx 2.0 and Prevx CSI. These new samples are then tested against 5 commonly deployed vendors and the results fed into the daily stats that you see on our web-site.

Hope this helps,

Darren

Darren, first of all, thanks for the explanation. Your answer led to more questions (one fool can generate more questions than a campus full of professors can answer); hope you have the time to elaborate.

Ad 1
Static file and registry entry. This would mean that files mentioned in the registry (like for instance runscanner finds an unsigned file reference in the registry with an MD5 hash which is not registered in its database yet). Okay, I do understand that with some Crime Scene Investigation algorithms you can pinpoint suspicious files with a static scan. This is part of the magic which is based on a unique skill: static behavior analysis.
Like in CSI: you were in the neighbourhood of the crime scene at the time of the crime.

Ad 2
How do you do that "new but related"? Antivirus uses heuristics and sometimes looks at snippets of code. When doing so the PrevX CSI should offer suspicious files found in 1 to the central snippets of fingerprint database.
Could you tell me more about this mechanism? I did not see a lot of communication going from my PC to the Web site when CSI was scanning (but then I had a clean PC).
Like in CSI: as in 1, plus you were carrying something that looks like a knife, gun, baseball bat, strangling rope, etc.

Ad 3
This is where it really becomes mystifying. CSI reports suspicious files (being the ears and eyes), but the intelligence is located centrally. How is it possible to determine ON THE FLY that it is a real baddy or malware? My guess is that you use the 5 AVs for the positive indication, but in the mail to Solcroft you mention a 90 to 95% positive confirmation. What do you do with the remaining 10 to 5 percent? How do you find out that these are really BAD (please explain)?

This is what I can not figure out. Because the next question is even more intriguing. How do you provide a cure on the FLY?

It is do-able, because you offer infected PC users an option to pay for CSI+ to cure the infection. Since I believe that PrevX is a trustworthy organisation, there has to be an explanation of two things:
a) How can PrevX be sure it is a real bad guy?
b) How can PrevX provide a cure so fast?

Could you please explain the cursive questions

Thanks

#7  January 10th, 2008, 01:04 PM
C.S.J (Massive Poster; joined Oct 2006; 5,029 posts)

Quote:
Originally Posted by solcroft
In other words, the samples you feed into the graph haven't been verified by a human analyst?
do you think AVC and AV-TEST verify via a human analyst?

nope.
#8  January 10th, 2008, 01:07 PM
ghiser1 (Developer; Gloucester, UK; joined Jul 2004; 132 posts)

Quote:
Originally Posted by solcroft
Darren,

I suggest you reconsider. Investing some manpower in this might mean that Prevx won't report Firefox, Thunderbird, Sandboxie, Returnil, and IrfanView (among others) as malware.

If we were marking all those applications as Malware I think our support inbox would be humming with people complaining - but it isn't. I suggest you contact support about the specific samples you have.

Quote:
Originally Posted by solcroft
It's interesting to see a security vendor claim that manual verification isn't required for new samples. Your company must place a lot of trust in your product's abilities - or do you wait for Microsoft, Symantec, Trend Micro, CA and McAfee to do the work for you?

Do we wait for them? That's the best laugh I've had all day

It's very simple. Throwing people at malware analysis is a very expensive and never ending game. As the number of samples is increasing exponentially, the analysts simply cannot keep up and it isn't cost productive to keep adding analysts. Our small group of analysts focus on writing central heuristics and analyzing samples that were not picked up automatically first time to see why. All the AV vendors employ some level of automation these days.

Compare the size of those companies and the resources that they can throw at the analysis problem to what we are achieving purely with automation. We have the advantage. The higher the number of samples, the better our automation works.

Darren
#9  January 10th, 2008, 01:08 PM
solcroft (Very Frequent Poster; joined Jun 2006; 1,639 posts)

Quote:
Originally Posted by C.S.J
do you think AVC and AV-TEST verify via a human analyst?

nope.
Perhaps, perhaps not, but last I checked neither of them were a software vendor producing a security app for sale.
#10  January 10th, 2008, 01:09 PM
Kees1958 (Massive Poster; joined Jul 2006; 5,857 posts)

Please guys (CSJ/Solcroft) let Darren answer the questions. I am not into bashing statements which just lead us away from the questions posed.

I do not give a damn whether it is automated or not: I want to understand HOW?

Let's keep OT or start your own thread
#11  January 10th, 2008, 01:09 PM
solcroft (Very Frequent Poster; joined Jun 2006; 1,639 posts)

Darren,

I see. Thanks for the explanation.
#12  January 10th, 2008, 02:00 PM
starfish_001 (Very Frequent Poster; joined Jan 2005; 1,015 posts)

Quote:
Originally Posted by solcroft
Darren,

I suggest you reconsider. Investing some manpower in this might mean that Prevx won't report Firefox, Thunderbird, Sandboxie, Returnil, and IrfanView (among others) as malware.

It's interesting to see a security vendor claim that manual verification isn't required for new samples. Your company must place a lot of trust in your product's abilities - or do you wait for Microsoft, Symantec, Trend Micro, CA and McAfee to do the work for you?


I have used Prevx for a long time .... it has never marked these as malware. Sometimes as unknown amber ....never red
#13  January 10th, 2008, 02:37 PM
C.S.J (Massive Poster; joined Oct 2006; 5,029 posts)

Quote:
Originally Posted by starfish_001
I have used Prevx for a long time .... it has never marked these as malware. Sometimes as unknown amber ....never red
+1
#14  January 10th, 2008, 02:39 PM
C.S.J (Massive Poster; joined Oct 2006; 5,029 posts)

Quote:
Originally Posted by Kees1958
Please guys (CSJ/Solcroft) let Darren answer the questions. I am not into bashing statements which just lead us away from the questions posed?

I do not give a damn whether it is automated or not: I want to understand HOW?

Let's keep OT or start your own thread
Not sure about CSI, but Prevx 2.0 does the following, I think.

sample

checked via signatures:

if known - block/allow
if unknown - sandbox technology/query event.

still nothing detected for the unknown sample:
behavior based technology kicks in

known bad sample/malware: blocked.
#15  January 10th, 2008, 03:20 PM
ghiser1 (Developer; Gloucester, UK; joined Jul 2004; 132 posts)

Quote:
Originally Posted by Kees1958
Darren, first of all, thanks for the explanation. Your answer lead to more questions (one fool can generate more questions than a campus full of professors can answer), hope you have the time to elaborate.

Ad 1
Static file and registry entry. This would mean that files mentioned in the registry (like for instance runscanner finds an unsigned file reference in the registry with an MD5 hash which is not registered in its database yet). Okay, I do understand that with some Crime Scene Investigation algorithms you can pinpoint suspicious files with a static scan. This is part of the magic which is based on a unique skill: static behavior analysis.
Like in CSI: you were in the neighbourhood of the crime scene at the time of the crime.

CSI reports data about all the files it comes across; it makes no decision as to whether anything is suspicious or not. The central database responds to the data for each file to indicate whether it is considered Good, Bad or Undecided. The data passed in includes things like: the filename(s) and path name(s), the version data, file size, whether it was found running, where it was referenced in the registry etc. This information is merged with the global view held for that unique file that has been built up from all CSI and Prevx 2.0 agents that have "seen" that file. Whenever the data is updated, the central database passes the data through the central heuristics and updates whether it's considered Good, Bad or Undecided accordingly. We aim to send as little data as possible - which is why it's fast.
Quote:
Originally Posted by Kees1958

Ad 2
How do you do that "new but related"? Antivirus uses heuristics and sometimes looks at snippets of code. When doing so the PrevX CSI should offer suspicious files found in 1 to the central snippets of fingerprint database.
Could you tell me more about this mechanism? I did not see a lot of communication going from my PC to the Web site when CSI was scanning (but then I had a clean PC).
Like in CSI: as in 1, plus you were carrying something that looks like a knife, gun, baseball bat, strangling rope, etc.

There isn't much I can say about the "how" of this in public. What I can say is that we employ a number of identification signature techniques. These allow us to build a signature profile for a sample file. Some of these identification signatures are based on certain parts of the file (code section, PE headers etc) but some are obtained by dynamically removing packers to see the "real contents". Others are well known, like MD5 and SHA-1. Some of the signatures are "family" signatures. Samples that appear completely different at first glance can have the same "family" signature. If we know the "family" is Bad, the new family member is automatically considered Bad too.
Quote:
Originally Posted by Kees1958

Ad 3
This is where it really becomes mystifying. CSI reports suspicious files (being the ears and eyes), but the intelligence is located centrally. How is it possible to determine ON THE FLY that it is a real baddy or malware? My guess is that you use the 5 AVs for the positive indication, but in the mail to Solcroft you mention a 90 to 95% positive confirmation. What do you do with the remaining 10 to 5 percent? How do you find out that these are really BAD (please explain)?

No. We don't rely on any other product to determine Bad. We only compare against other products to see how they perform so we can publish the stats. The identification signatures and behavioural data are often enough to mark something as Bad on first sight.
Quote:
Originally Posted by Kees1958

This is what I can not figure out. Because the next question is even more intriguing. How do you provide a cure on the FLY?

It is do-able, because you offer infected PC users an option to pay for CSI+ to cure the infection. Since I believe that PrevX is a trustworthy organisation, there has to be an explanation of two things:
a) How can PrevX be sure it is a real bad guy?
b) How can PrevX provide a cure so fast?

Could you please explain the cursive questions

Thanks

We can provide a cure on the fly very simply. We do not attempt to "fix" the file - we delete it (and any registry reference to it). That is, the "CURE" is the same for all infections.

How can we be sure it's a real Bad guy? We've been developing the algorithms over several years to keep false positives to a minimum. For example, before any new heuristic is employed to automatically determine files as Bad, that rule is run over our entire database. If a single known-Good file triggers that new heuristic it is rejected as a live rule. It's passed back to the originating analyst to modify it to dial out the false positive. Can we be sure that we never have a false positive? No, of course not. But we believe we have very few and they are getting less frequent.

It's worth saying that the heuristics and family signatures are also employed to automatically determine the Good files as well as the Bad.
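The flow Darren describes in posts #2 and #15 (agents report file facts and identification signatures, the centre merges them into a global view per file, runs the central heuristics and family signatures, answers Good/Bad/Undecided, requests a sample for any new Bad file, gates a new rule on the whole known-Good corpus, and "cures" by deleting the file and its registry references), written out as an added Python example. This is not Prevx's code and not code from any poster; the family signature (a hash over the file's printable strings), both heuristic rules, and the three sample files are assumptions constructed for illustration.

```python
# Added example, not Prevx code: a toy model of the CSI / central-database flow
# described in this thread. The family signature and both heuristic rules are
# assumptions chosen for illustration; Prevx did not disclose its own.
import hashlib
import re
from collections import namedtuple

# One agent's report about one file (constructed data, not a real CSI record).
Observation = namedtuple("Observation", "path version running registry_refs content")

def identification_signatures(content: bytes) -> dict:
    """Exact hashes plus a toy family id: a hash of the printable strings (6+ chars)
    only, so variants that differ in padding or packer-stub bytes still share it."""
    strings = sorted(set(re.findall(rb"[ -~]{6,}", content)))
    return {"md5": hashlib.md5(content).hexdigest(), "sha1": hashlib.sha1(content).hexdigest(),
            "family": hashlib.sha256(b"\n".join(strings)).hexdigest()[:16]}

class Central:
    """The 'brain': merged global view per file, live rules, verdicts, sample requests."""
    def __init__(self):
        self.records = {}                                  # sha1 -> merged view
        self.known_good, self.known_bad = set(), set()     # confirmed hashes
        self.good_families, self.bad_families = set(), set()
        self.live_rules, self.samples_on_hand, self.sample_requests = [], set(), set()

    def report(self, obs):
        """Merge an agent report into the global view and answer with a verdict."""
        sigs = identification_signatures(obs.content)
        rec = self.records.setdefault(sigs["sha1"], {"family": sigs["family"], "paths": set(),
                                                     "versions": set(), "seen_running": False,
                                                     "registry_refs": set()})
        rec["paths"].add(obs.path.lower())
        rec["versions"].add(obs.version)
        rec["seen_running"] |= obs.running
        rec["registry_refs"].update(obs.registry_refs)
        verdict = self.verdict(sigs["sha1"])
        if verdict == "Bad" and sigs["sha1"] not in self.samples_on_hand:
            self.sample_requests.add(sigs["sha1"])         # ask the agent for the file
        return sigs["sha1"], verdict

    def verdict(self, sha1):
        rec = self.records[sha1]
        if sha1 in self.known_bad or rec["family"] in self.bad_families:
            return "Bad"
        if sha1 in self.known_good or rec["family"] in self.good_families:
            return "Good"
        return "Bad" if any(rule(rec) for rule in self.live_rules) else "Undecided"

    def confirm(self, sha1, label):
        """A confirmed hash verdict is inherited by every member of its family."""
        (self.known_bad if label == "Bad" else self.known_good).add(sha1)
        fam = self.records[sha1]["family"]
        (self.bad_families if label == "Bad" else self.good_families).add(fam)

    def propose_rule(self, rule):
        """Gate from the thread: a rule goes live only if no known-Good record trips it."""
        if any(rule(self.records[s]) for s in self.known_good if s in self.records):
            return False                                    # back to the analyst
        self.live_rules.append(rule)
        return True

def rule_temp_autostart(rec):
    """Illustrative rule: unversioned, seen running from a Temp dir, with a Run-key reference."""
    return (rec["seen_running"] and "" in rec["versions"]
            and any("\\temp\\" in p for p in rec["paths"])
            and any("\\run\\" in r.lower() for r in rec["registry_refs"]))

def rule_any_autostart(rec):
    """Illustrative over-broad rule: any Run-key reference at all. Must fail the gate."""
    return any("\\run\\" in r.lower() for r in rec["registry_refs"])

def cure_plan(rec):
    """The cure is the same for every infection: delete the file and its registry references."""
    return ([("delete_file", p) for p in sorted(rec["paths"])]
            + [("delete_registry_value", r) for r in sorted(rec["registry_refs"])])

def demo():
    """Run a known-good program and two never-seen dropper variants through the centre."""
    run = r"\Software\Microsoft\Windows\CurrentVersion\Run"
    good = Observation(r"C:\Program Files\Good\good.exe", "2.1.0.0", True,
                       ["HKLM" + run + r"\Good"], b"MZ" + b"\x00" * 30 + b"GoodUpdater")
    drop_a = Observation(r"C:\Windows\Temp\svchost32.exe", "", True,
                         ["HKCU" + run + r"\svc"], b"MZ" + b"\x90" * 16 + b"GetProcAddress\x01")
    drop_b = Observation(r"C:\Users\bob\AppData\Local\Temp\x.exe", "", False,
                         ["HKCU" + run + r"\x"], b"MZ" + b"\xcc" * 20 + b"GetProcAddress\xff")
    c = Central()
    sha_good, _ = c.report(good)
    c.confirm(sha_good, "Good")
    sha_a, first_a = c.report(drop_a)                   # nothing known yet: Undecided
    broad_ok = c.propose_rule(rule_any_autostart)       # rejected: good.exe trips it
    narrow_ok = c.propose_rule(rule_temp_autostart)     # accepted
    _, second_a = c.report(drop_a)                      # now Bad by heuristic
    c.confirm(sha_a, "Bad")                             # its family becomes Bad
    sha_b, verdict_b = c.report(drop_b)                 # never seen: Bad by family
    return {"good": c.verdict(sha_good), "broad_rule_accepted": broad_ok,
            "narrow_rule_accepted": narrow_ok, "drop_a_first": first_a,
            "drop_a_second": second_a, "drop_b": verdict_b,
            "same_family": c.records[sha_a]["family"] == c.records[sha_b]["family"],
            "sample_requests": len(c.sample_requests), "cure_b": cure_plan(c.records[sha_b])}
```

Calling demo() walks the whole loop. The part worth copying is the gate in propose_rule: the over-broad rule is refused because a confirmed-Good program also starts from a Run key, while the narrower rule goes live and marks the dropper Bad on its next report, which in turn triggers a sample request because the centre does not yet hold the file. The second variant has never been reported before, shares no exact hash with the first, and is still answered Bad purely through the family id, which is the "new but related" case Kees asked about; its cure is nothing more than the file path and the registry value that referenced it.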
#16  January 11th, 2008, 02:49 AM
Kees1958 (Massive Poster; joined Jul 2006; 5,857 posts)

Thx,

I think you really ought to explain the magic of CSI. As mentioned in the post, these are questions which should guide you in making up the marketing material and website. A big bummer in your website is that you talk of being protected, when in fact you offer a cure (post infection); this element is also very weak in your website.

1. Are the benefits clear, or is the threat clear against which it protects?
2. Can these usage advantages be communicated in an elevator ride (in 10 to 20 seconds)?
3. Is it simple to use/install (complexity of use, needed knowledge involved)?
4. Is there a new consumption/usage behavior involved (yes means a big usage threshold)?
5. What are the try-out consequences/risks in terms of money and social acceptance (a low try-out risk is a medicine against the fears of a new consumption pattern/behavior when the other questions are answered clearly)?


You know you do not have to explain the technology as long as you give it a trademarked name (with XYZ our new gasoline drives cleaner).
#17  January 12th, 2008, 01:18 PM
lucas1985 (Global Moderator; France, May 1968; joined Nov 2006; 4,047 posts)

Quote:
Originally Posted by ghiser1
CSI reports data about all the files it comes across; it makes no decision as to whether anything is suspicious or not. The central database responds to the data for each file to indicate whether it is considered Good, Bad or Undecided. The data passed in includes things like: the filename(s) and path name(s), the version data, file size, whether it was found running, where it was referenced in the registry etc. This information is merged with the global view held for that unique file that has been built up from all CSI and Prevx 2.0 agents that have "seen" that file. Whenever the data is updated, the central database passes the data through the central heuristics and updates whether it's considered Good, Bad or Undecided accordingly. We aim to send as little data as possible - which is why it's fast.
There isn't much I can say about the "how" of this in public. What I can say is that we employ a number of identification signature techniques. These allow us to build a signature profile for a sample file. Some of these identification signatures are based on certain parts of the file (code section, PE headers etc) but some are obtained by dynamically removing packers to see the "real contents". Others are well known, like MD5 and SHA-1. Some of the signatures are "family" signatures. Samples that appear completely different at first glance can have the same "family" signature. If we know the "family" is Bad, the new family member is automatically considered Bad too.
No. We don't rely on any other product to determine Bad. We only compare against other products to see how they perform so we can publish the stats. The identification signatures and behavioural data are often enough to mark something as Bad on first sight.
Great, thanks
Prevx CSI seems like the right tool for those of us running without real-time anti-malware applications.
__________________
"Pouvoir à l'Imagination. Power to the imagination. La imaginación al poder".

"Perfect is the enemy of good enough". Voltaire.
#18  January 13th, 2008, 01:26 AM
simmikie (Frequent Poster; joined Nov 2006; 321 posts)

Quote:
Originally Posted by solcroft
Darren,

I suggest you reconsider. Investing some manpower in this might mean that Prevx won't report Firefox, Thunderbird, Sandboxie, Returnil, and IrfanView (among others) as malware.

It's interesting to see a security vendor claim that manual verification isn't required for new samples. Your company must place a lot of trust in your product's abilities - or do you wait for Microsoft, Symantec, Trend Micro, CA and McAfee to do the work for you?

Well, you have now made me curious. Does ThreatFire use human analysts to determine if a file is malicious, or is it automated?


Mike
#19  January 13th, 2008, 09:05 AM
solcroft (Very Frequent Poster; joined Jun 2006; 1,639 posts)

Quote:
Originally Posted by simmikie
Well, you have now made me curious. Does ThreatFire use human analysts to determine if a file is malicious, or is it automated?


Mike
There's a difference between a product identifying a file as suspicious, and a security vendor confirming its product's automated analysis and adding the file to a blacklisting database.
#20  January 13th, 2008, 01:31 PM
SMPRICESOLUTIONS (Infrequent Poster; joined Jan 2007; 34 posts)

Quote:
Originally Posted by simmikie
Well, you have now made me curious. Does ThreatFire use human analysts to determine if a file is malicious, or is it automated?


Mike
I would assume that if Threatfire came across an unknown file that it would get uploaded to their advanced patented automated threat analysis system.
#21  January 14th, 2008, 12:26 PM
simmikie (Frequent Poster; joined Nov 2006; 321 posts)

Quote:
Originally Posted by solcroft
There's a difference between a product identifying a file as suspicious, and a security vendor confirming its product's automated analysis and adding the file to a blacklisting database.

No need, solcroft, to fly defensive bfm... it is a real question. ThreatFire does indeed identify suspicious files and allow the end-user a choice to allow or quarantine. Other times ThreatFire auto-quarantines known bad files. How is the known bad determined, by analyst or through an automated process?


Mike
#22  January 14th, 2008, 01:17 PM
simmikie (Frequent Poster; joined Nov 2006; 321 posts)

Quote:
Originally Posted by SMPRICESOLUTIONS
I would assume that if Threatfire came across an unknown file that it would get uploaded to their advanced patented automated threat analysis system.

Yes, that is what appears to happen when an unknown is encountered. My question more closely relates to what the process is for moving a file from unknown to a known bad determination. Is it all automated? Or are there a number of hamster cage folk in an endless loop of making manual determinations?


Mike
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums