Prevx CSI Scanner?

[ErikAlbert]

PrevX CSI detected 3 rootkits on my system partition :

1. C:\WINDOWS\system32\drivers\OADriver.sys (Hidden data)
2. C:\WINDOWS\system32\drivers\OAmon.sys (Hidden data)
3. C:\WINDOWS\system32\drivers\OAnet.sys (Hidden data)

When scanners detect something on my system partition, I always report it at Wilders, because these objects are supposed to be false positives in theory.

IMO these files are related to Online Armor Free Firewall, which I recently installed, but I would like to have an intelligent opinion, rather than a artificial intelligent opinion of a scanner.

Are these 3 object rootkits or false positives ? Yes or No.

[lucas1985]

Yup, they look like FPs

[ErikAlbert]

Quote:

Originally Posted by lucas1985

Yup, they look like FPs

Thanks man. Artificial Intelligence sucks.

Computers can't "think", they only "compare".

[lucas1985]

OA's drivers are digitally signed?
Also, you can compare checksums with other OA users.

[Huupi]

Quote:

Originally Posted by ErikAlbert

Thanks man. Artificial Intelligence sucks.

On occasion it sucks ,but how many are actually saved by it.

user intelligence sucks even more !

[sukarof]

Quote:

Originally Posted by ErikAlbert

Thanks man. Artificial Intelligence sucks.

Computers can't "think", they only "compare".

No they are not intelligent, they dont know how another HIPS works, if they did what would prevent malware to mimic a HIPS?
As I understand it HIPS like software do hook them selves to the same places as malware do, and sort of behaves like malware in a way.
So to me it is no big surprise, it is actually a good sign imo, that behavior based antimalware identifies them as suspicious. I would be more worried (if I ever were to use two HIPS like software at the same time, which I would never do) if it didnt detect another HIPS.
It is annoying, yes. But they just do their job.

[ErikAlbert]

I reported this to Prevx, to avoid scaring people for nothing in the future.

[EraserHW]

Thanks for your report.

It should be now fixed

[ErikAlbert]

Quote:

Originally Posted by sukarof

No they are not intelligent, they dont know how another HIPS works, if they did what would prevent malware to mimic a HIPS?
As I understand it HIPS like software do hook them selves to the same places as malware do, and sort of behaves like malware in a way.
So to me it is no big surprise, it is actually a good sign imo, that behavior based antimalware identifies them as suspicious. I would be more worried (if I ever were to use two HIPS like software at the same time, which I would never do) if it didnt detect another HIPS.
It is annoying, yes. But they just do their job.

I understand. The worst f/p, I've seen after running many scanners was "ShadowProtect". I don't remember which one, but it's somewhere posted at Wilders.
I hate it, when a scanner reports a Windows object as malware, but all f/p's of other softwares are acceptable for me.

[solcroft]

Quote:

Originally Posted by ErikAlbert

Thanks man. Artificial Intelligence sucks.

Computers can't "think", they only "compare".

Thinking computers?

Skynet, anyone?

[lucas1985]

Quote:

Originally Posted by ErikAlbert

The worst f/p, I've seen after running many scanners was "ShadowProtect".

IIRC, Prevx has some FPs with some SP's files.

[lodore]

Quote:

Originally Posted by solcroft

Thinking computers?

Skynet, anyone?

LMAO skynet is coming run!

[Tarq57]

Quote:

Originally Posted by ErikAlbert

I reported this to Prevx, to avoid scaring people for nothing in the future.

Erik, could you post a link to where these (FP or other unknown detections) can be sent please? I've posted a query on the Prevx forum at Castlecops, regarding a rootkit detection that seems false- I don't really know, but no reply yet.

[ErikAlbert]

Quote:

Originally Posted by Tarq57

Erik, could you post a link to where these (FP or other unknown detections) can be sent please? I've posted a query on the Prevx forum at Castlecops, regarding a rootkit detection that seems false- I don't really know, but no reply yet.

http://info.prevx.com/supportpagew2.asp

[Tarq57]

Thanks.

[ErikAlbert]

A smart scanner provides a function in the scanner to report false/positives and makes it as easy as possible and TIME-SAVING for the user to report false/positives.

[Tarq57]

Right. I'll need to re-install it before using the "support" button, which is only available when it's installed.
Unfortunately, I don't know for sure that what I have are FP's. Certainly the files referred to in the scan report can't be found. (Or, I can't find them.)

[ErikAlbert]

Quote:

Originally Posted by Tarq57

Right. I'll need to re-install it before using the "support" button, which is only available when it's installed.
Unfortunately, I don't know for sure that what I have are FP's. Certainly the files referred to in the scan report can't be found. (Or, I can't find them.)

I can't even find "Report False/Positives" on the Prevx website.
If a vendor does that to me, I take the first link I find on the website, even when that link is not the right one.
The vendor must be glad, I take the time to report these and I'm certainly not paid to do this.
I couldn't even copy/paste the f/p's to my email.

[LoneWolf]

Quote:

Originally Posted by ErikAlbert

A smart scanner provides a function in the scanner to report false/positives and makes it as easy as possible and TIME-SAVING for the user to report false/positives.

Absolutely, that's the smart thing to do.

[EraserHW]

Quote:

Originally Posted by ErikAlbert

A smart scanner provides a function in the scanner to report false/positives and makes it as easy as possible and TIME-SAVING for the user to report false/positives.

It's already in the Todo list

We're going to release a big update in about a week and this one will include the requested feature too.

[Threedog]

Will there be an update for the 2.0 version also?

[ErikAlbert]

Quote:

Originally Posted by EraserHW

It's already in the Todo list

We're going to release a big update in about a week and this one will include the requested feature too.

Very wise decision !!! You will be one of the first scanners, that has such a "report f/p" function. The easier this function is, the more f/p will be reported and that makes your scanner safer for average users, because the f/p's reported by knowledgeable users are gone.

[LoneWolf]

Quote:

Originally Posted by ErikAlbert

Very wise decision !!! You will be one of the first scanners, that has such a "report f/p" function.

MBAM has this also.

[ErikAlbert]

Quote:

Originally Posted by LoneWolf

MBAM has this also.

Show me a long list of scanners with such a report function, that would me make feel better. As far I know SUPERAnti-Spyware has also this function.
I'm telling this already for 2 year at Wilders.
Once it is marked as a f/p by the user, the scanner knows all the information of these objects, because it's on the harddisk and knows where to send that info.
Why do users have to collect all this manually ?
TrojanHunter is the worst I've seen, they make an art of it to report f/p's, including a complete guide, how to report f/p's. Crazy !!!

[Jadda]

Yes, SUPERAntiSpyware dows also have such a function. Very usefull indeed. I'm hoping more security softwares will have this function in the future - which I am sure they will.