Introducing, The New Prevx Edge.

-= Huh..? New website..?

 

-= Eh..? What is this "others" in the graph..? Specifically what antiviruses..?

-= And by the way, please input the exact date instead of the word yesterday since Global Time differentials is a big factor for considering the updated status of the graph..

-= Moreover, the graph stated that Symantec did not detect Image.exe a.k.a. fxinstaller [Reference] though it was actually detected since 2003..?

 

Others is all of the others that aren't categorized under a unique vendor name. We have other vendors in the graph as well like Norman, Sophos, and a handful of others but they aren't popular enough to be shown alongside the others in the main graph and "Others" doesn't include these vendors.

We update them at least once per day but it varies so there isn't an exact answer. Generally, they are updated around midnight London time (UTC).

If you have an exact file of Image.exe which you are referencing I can analyze it for you, but I suspect this is a newer version using the same filename akin to the hundreds of svchost.exe infections and other popular infection names. Filenames are easy for users to understand at the surface level but are difficult to differentiate between when looking for specific data.

 

lol .....hidethetruth=y

 

PrevxHelp, I appreiate the point. To allow interested members of this forum community to reach their own conclusions in a transparent manner, I am requesting a simple dataset containing the “threats missed by other security vendors” for a single day to better understand the threat landscape. Specifically, would Prevx be willing to publically post a file (e.g., in CSV format) containing records with the following variables:

• File Name (e.g., “PP10.EXE”)
• Vendor (e.g., “Symantec”)
• Vendor’s Security Product (e.g., “Norton Internet Security”)
• Vendor’s Security Product Version (e.g., “16.5.0.134”)
• Threat Level (e.g., low/medium/high, as classified on that day)
• Malware Group (e.g., “worm,” “virus,” “adware,” etc.)
• Times Seen (i.e., the count of the number of PCs scanned containing the malicious file name seen on that day, for the specified vendor’s security product)
• Times Not Seen (i.e., the count of the number of PCs scanned on which the malicious file name was absent on that day, for the specified vendor’s security product)

Vendors should be limited to Avast, AVG, Avira, Eset, F-Secure, Kaspersky, McAfee, Microsoft, Panda, Symantec, and Trend (i.e., exclude “Other”).

Thank you for this consideration.

P.S.: Nice job on the “new website” (http://www.prevx.com/default.asp?hidethetruth=y)!

 

Hello,
While we appreciate the interest, it is unfeasible to fulfill every request for detailed information. We offer the data you have requested (and more) to partner antivirus companies many of whom are on the list on the homepage but we do not have a feed which is available for public display and we aren't considering dedicating the resources to create a feed like this. We have a lot to do to make our products as powerful as possible and it seems like a much better use of everyone's time if we focus on this (and I personally don't see the reason why this database would be helpful).

 

PrevxHelp, the one day dataset could be used to probe many questions that have arisen on this forum, including:

• Do security suites (e.g., Kaspersky Internet Security) miss fewer threats than component solutions (e.g., Kaspersky Anti-Virus)?
• Are there differences among anti-virus vendors in the number of “high risk” threats missed?
• To what extent are the same threats missed by multiple anti-virus vendors?
• How many users with “missed threats” are running an out-of-date version of an anti-virus vendor's product (i.e., not the most recent version)?
• How do anti-virus vendors differ with respect to the mean number of threats missed (i.e., total threats missed divided by total PCs scanned)?

Wouldn’t making this data available contribute to your mission of promoting the fact that no one security solution provides “total protection”? If you’re already selecting and organizing the “missed threats” data to share with other anti-virus companies, then isn’t this request simply a subset of what is already being done? Note that a continuous daily feed isn’t being requested – just data for a single day.

Alternatively, if Prevx isn’t willing to provide the data, are you willing to accept requests for specific, well-formulated analyses of the data and then post the results of those queries?

 

I believe we have already proven this and that it is common knowledge amongst users who would understand the analyzed snapshot of data so we'd be "preaching to the choir" rather than providing any tangible benefit to general user knowledge.

This would logically be true, assuming each component is designed to protect against different threats than other components so I'm not sure what additional knowledge would be gained by splitting the numbers. We don't detect hack attempts which a firewall would block and we don't look for spam which an antispam product would have found. We are looking directly at the anti-malware components of the suites which should be identical to the separate antivirus/antimalware components. The only time when this would be different would be, for example, in the case of an antispam component of a security suite blocking an infection from entering via an email but had that infection entered from other means, it would have never been interrogated by the antispam engine so differentiating between security suites and individual products focuses more on individual infection vector rather than the threat itself. If there was a crucial piece of technology to prevent malware in the suite, the company would logically put it in the antimalware offering - firewalls, antispam, antiphishing, parental controls, data backup, etc. are all additional features for different means.

The risk level is highly subjective so we are unsure of the breakdown with these statistics and I doubt it would be useful anyway. Is a mass mailing worm which does nothing else more of a risk than an identity stealing application? Threat severity is a difficult area to measure and we're constantly changing the logic behind it so I wouldn't consider this a key aspect of the detection.

This argument is non-relevant in that each new version of software should not invalidate previous versions. Just because a company releases a new product does not mean that users using the previous version of the product should be unprotected against today's threats. Regardless of the software version being used, the user is relying on their security solution to protect them and the presence of an infection proves that it has failed. If the model of the antivirus company prevents users from updating frequently enough to detect new threats then it is the antivirus company who is conceptually at fault, not the product version.

This figure is also meaningless because we aren't trying to sell our software to users who are perfectly protected already. If a user is coming to the Prevx website, they are not looking to remove their current security if it is working properly and hasn't failed them - they're either looking to add some additional layer of protection or to fix a threat which got past. Therefore, the number of clean PCs versus infected PCs is skewed because of the intent of the users coming to our website - a far-higher-than-normal percentage of users trying our products are indeed infected so the statistics would be unfairly skewed when compared to the normal population of users. We had these statistics on the charts ages ago and had a number of complaints because people thought we were fabricating them

Currently we are only providing the samples to other vendors and are not interested in expending any further resources for this analysis being that the point of the charts is to show the individual infections, not to interrogate individual product versions or pollute their purpose with unnecessary additional data. We offer the charts and underlying data as-is and users should be able to take that and draw their own conclusions. As the title suggests: "Threats missed by other security vendors" is indeed what the charts show and we aren't trying to make any grander assumptions from that data.

 

Is it already possible to use Prevx in combination with McAfee again.

 

Exactly Regarding Comodo - we only look at the product registered in the "antivirus" category in the security center so if they aren't registering themselves there, we wouldn't see them (and if they do, they might just not have enough users to be added into the main lists).

We have given a number of other AV vendors access to the data/samples and they use our lists of missed samples on a daily basis to add the new detections as quickly as possible

 

We have been unable to reproduce the problems in-house and now we have had a large drop-off in the number of complaints so they may have solved it on their end. If you have a few CPU cycles and a bit of free time, it may be worth trying it again to see if they corrected it behind the scenes

 

New Prevx Edge user here. Really nice software, btw. And very "quiet" on my machines, even with heuristics set at maximum.

If I could submit one small suggestion for the GUI... when right-clicking the Prevx icon in the systray, it would be nice if one of the resulting menu selections was the System Status page. That's where I like to start from. As it is now, I select Configure Protection and then Status.

Told you it wasn't a big deal!

 

Just double click on the icon!

HTH,

TH

 

Absolutely that helps! Thanks for the heads up. Boy do I feel dumb.

 

Hey that's OK, good thing I didn't say double left clicking LOL

TH

 

-= How is it possible that you could actually fit 2 or more antiviruses in one entry..? It could be possible ONLY if all those antiviruses in the category of OTHERS have the same database of threats..

-= As far as what I am seeing now, the graph seems to be inaccurate and the flaw gives me a doubt towards the rest of the categories..

-= And I would like Prevx to consider Pleonasm's recommendation to give a more ACCURATE explanation of the graph by filling in the information about each AV..

-= Previous versions lack features than the most recent have.. This could certainly affect the result.. So, in that case, you may say that since previous versions aren't a factor, your graph may actually display a comparison of Avast 3, Avira 7 Kaspersky 2008 and PrevX 3..? Every product should be considered fairly.. The most recent one will have more percent of advantage compared to the out-of-date ones & will surely make an INACCURATE database..

 

I'm not sure I understand what you're saying - we can't possibly have a list of 4,500+ programs/versions on the homepage so we have to group the less-popular vendors together

I still do not see how it is inaccurate or flawed - can you please elaborate?

This is beyond the scope and intention of the graph and I've explained it quite a few times in previous responses to Pleonasm.

So what you're saying is that if x antivirus company releases a new version, all other versions are ineffective? If I'm a paying user and have paid for a year of upgrades, I will have to then also buy the new software, every time they release a new version? In that case, AV companies should release a new version every week and require everyone to buy it fresh as the older versions are useless.

Also, if I'm the average home user, I'm clearly going to have to join a forum and spend hours a day keeping up with what antivirus company releases what new products/features...

Security software should be silent and I'm surprised this mentality of "only the newest is valid to compare" is around at all. If an AV requires a new feature to improve protection, the antivirus company should release it as an update to existing customers unless it is literally a completely different product but in that case, they should offer a free upgrade if it is a critical update to continue protecting against new threats. We've done this with Prevx2 and Prevx1 - if you are using either of them you can get a completely free upgrade to Prevx3. Why? Because you purchased our software to secure your computer and we weren't able to back-port all of the new protection so rather than try and squeeze in the protection into the previous version, we give you the new one for free (and we have shown a message to all existing Prevx2 users to upgrade to Prevx3).

When a user purchases an AV, they don't purchase protection against yesterday's threats up to the day that they bought the AV - they are purchasing a subscription for updates and it is the frequency of updates and conceptually flawed design which requires the clients to download updates which is causing AVs to fail to detect new threats, not that there is a new version out which can also fold your laundry and reprogram your DVD player while making lunch and driving your kids to soccer practice.

 

-= You just said: "but they aren't popular enough to be shown alongside the others in the main graph" therefore do what you say, exclude them.. In fact, it is better to do it that than make false statistics about the "Other" AVs for since, grouping them together simply put down the other AVs who do not actually missed the particular threat..

-= You are again, playing with word games, by exaggerating such information.. There aren't any AV that develop newer versions every week.. That's why they are named as X Antivirus 2009, Y Security Suite 2009.. They are released yearly..

-= Playing another word game to exaggerate the thought.. I stressed about the lack of features [mainly engine updates] meaning, less feature, less percentage of detection.. I did not say "NO DETECTION" for you to say that they were ineffective..

-= They do, that's why they have update servers and that's why most AVs have a need to reboot after a certain update since those updates are not just mere detection signatures but for AV system updates.. For example updating from 3.09 to 3.1

-= Still, if you analyze the thought, you are no different from those paid subscription AVs who release AVs annually.. Why..? You also have a Yearly subscription license, the only difference is that the new editions aren't just released in a fixed "every new year".. Henceforth, if a year-long PrevX license expires, you have to buy a new one, same to buying a new annually released AV.. Therefore, no difference between your free AV upgrade and the annual licensed-released AVs..
http://www.prevx.com/buyoptions.asp

 

i'm not here to bash PrevX or theirs stats but i think the values in stats are extremely 'wrong' due to huge number of false positives ...

just let's look on analysis of some example system scanned today with PrevX 3.0.1.65

- all sandbox scanners reports clean, all online scanner AV services same, all online malware services same, all threat monitors same


false positives classified as High Risk:
fsum.exe
- from Slavasoft, http://www.slavasoft.com/fsum/
CRC32: 7634C61E
MD5: 8E685166C1EBA689E35967EE1E430F93
SHA-1: 7C414FDC9F3AFD80ED3C56AA250E1758A9142F8B

false positives classified as Medium Risk:
archpr.exe
CRC32: 52993105
MD5: 24E7161BA890C85371475A16ABD9A985
SHA-1: B5440074B8F17265F134C2D0039CC9672A56DF73

- from Elcomsoft, http://www.elcomsoft.com/products.html
- archive password recovery installed via valid install
- system contains valid uninstall keys and startmenu/icons which are unmasked thus 99% chance installed by owner
- there is even Infected Entry for normal shortcut
advance archive password recovery.LNK

vfind.exe
CRC32: 6BD964E1
MD5: 0E64A620DF8B48A9388EEB7114D9368D
SHA-1: BE09D612E941997DDBCC1D988DECB93987D0E6EC
- file associated with Combofix! , http://www.combofix.org/
just example of threat listing of this file

everest_icons.dll
CRC32: C1ABB74C
MD5: 930D3E9A79B82856D187F5631CC7F1F2
SHA-1: 7EA22BB608616F11BDE42E50D406EB87544038D2

everest_xpicons.dll
CRC32: BA505F92
MD5: E90918AC4447B27E3AB7C3A3194CFAF0
SHA-1: B5D4D4A90C5D979C8AA663D7964F0ACE3A6095D5

- files from beta of Everest Ultimate , http://www.lavalys.com/products.php?ps=UE&lang=en&page=9

r_server.exe
CRC32: 631588FC
MD5: 6A413E4D338FB13E58916E3B8051DBBD
SHA-1: E351AF195E910C1E49A5BFA9A39B88F40F5C1582
- from Remote Administrator 2.1, archaic program btw.
- system contains valid uninstall keys and startmenu/icons which are unmasked thus 99% chance installed by owner
- there is even Infected Entry for normal shortcuts
Settings for Remote Administrator server.LNK
start remote administrator server.lnk
stop remote administrator server.lnk


uninstsw.exe
CRC32: 95057A82
MD5: 731727B1357CE4E527391CB2AC4BEDDE
SHA-1: BD74BC585302BB08875A15855EBD1B7717EA9DF5
some uninstall from very old program


from my quick look on the PrevX detection it seems that most or all false positives are based on the filename / path or who knows what detection method ...

also the worst example is
several of these files (maybe all) i reported in v2 (maybe v1) several times
and at some i was informed by PrevX staff that the false positive will be removed ...

so much for statistics and results ...
it's all relative and need to be taken with grain of salt

so when You apply this example from my point of view on these stats
then according to PrevX these samples now missed by my other security products are 100% bogus and false positives thus the stats are 100% bogus and false
of course that's not true and this is just extreme situation but i believe the FP rate on PrevX (after seeing hundreds of various computer results) is very high (not 1% like claimed by some staff around)

but this is just my personal experience and this may vary ...

so ...
anyone from PrevX wanna shine some light on this why so many FPs happens at all ?

 

I would also like to see an answer to this. Specially for on the road laptop users that are not always online.

Thank you.

 

PrevxHellp, in that case, it is misleading to display the “missed threats” statistics by vendor rather than by vendors’ products, since the risk that Prevx is supposedly protecting against would be less (or negligible) for users of security suites. Shouldn't users have that information available so that they can make their own independent and informed decisions about the degree of incremental protection (if any) afforded by the adoption of Prevx? I believe that Prevx is afraid of disclosing the information that I have requested, for fear that it would reduce the perceived need for its product.

There are not many products per vendor, and so the argument that it would make the charts “too confusion” does not have merit, in my opinion.

PrevxHelp, the issue is not that a new version “invalidates” a previous version of a security product. If the “missed threats” statistics showed, for example, that users with out-of-date versions of Kaspersky Anti-Virus were at considerably more risk than those with the up-to-date version, then the obvious conclusion would be to update the Kaspersky tool rather than to buy Prevx. I believe this is why Prevx is afraid of disclosing the information that I have requested.

While there are many versions for each vendor’s product, the simply way to display the data would be to classify the “missed threats” in a binary manner (i.e., “up-to-date version” and “not up-to-date version”). Thus, the argument that it would make the charts “too confusion” does not have merit, in my opinion.

PrevxHelp, your statement is technically true: you are not making errors of commission. As has been suggested in this forum by myself and by other individuals, however, you may be making errors of omission.

Prevx has plainly demonstrated that it has no interest in reducing the possible misinterpretation of the “missed threats” statistics through the addition of simple, clarifying statements to the “Explain this chart” section on its home webpage. As a consequence, Prevx is complacent in perpetuating confusion, in my opinion. This is especially unfortunate, since the product could be effectively marketed through a professional description of its technological features and benefits, as is done by other security vendors. I wonder why Prevx is so hesitant to increase the likelihood that its "missed threats" statistics are properly interpreted.

 

Hello,
I've corrected each of the false positives and in total, all of them combined have only been seen by about 200 users so over the course of the last months that they have been falsely determined, they have only accounted for 200 detections and the vendor charts on the homepage are on a per-day basis so they accounted for less than 1/1000th of the detections today.

They aren't - the false positives are because many of these files exhibit semi-questionable behavior, and some of them contain similar structure to known threats. Regarding r_server.exe, that file is very commonly used by malware to remotely access the system and is found by 22/40 vendors on VirusTotal but we are reassessing it and for now we have marked it Safe.

I'm not sure why these weren't fixed before, but they are all quite low volume in comparison to other threats. For example, one of the false positives was triggered by a detection for Vundo which has caught 26,831 Vundo infections on 59,223 computers and has caught this file on accident. I checked through the other detections and indeed this appears to be the only false positive... not a bad trade off when you look at the whole picture.

I strongly disagree, otherwise we would be completely out of business. If you put your reported FPs into perspective of our entire userbase, they represent 6 (or 7) files out of literally billions of files seen by millions of users, out of tens of millions of legitimate malicious detections. If we actually had a 1% false positive rate, we would have to produce thousands of false positives per day and the files you submitted have produced a little under 200 false positives in two years.

Indeed we try and avoid false positives at all possible measures, but when a file has only been seen on a few PCs and contains suspicious behavior, we tend to scrutinize it harshly. FPs are inherent in any heuristic-based system but I think we are well within the acceptable range.

 

This is correct (except that the database isn't blacklisting Blacklisting is only a very small portion of the database )

However, when offline, it is impossible for any other AV to update as well so you would be vulnerable using a standard signature model if a new threat was just released - but - it would be extremely difficult for that threat to actually affect you if you are indeed offline: you would have to actually get a brand new threat via USB key which someone would physically give you. You can either circumvent this by disabling autorun or wait a few weeks and we will have new technology implemented for localized USB malware protection when offline

 

This is standard practice in graphs - when there isn't enough data for each item, they are grouped together, although I do understand what you mean, I think removing the "Other" category will cause a number of people to say: "why isn't X av included"? We avoid these questions by showing the other category as an encapsulation for the other products.

I was being hypothetical Yearly or weekly is doesn't make a difference to the average home user who would much rather completely forget about the product. If I purchase X Antivirus 2009 the day before X Antivirus 2010 comes out, did I just waste my money?

I see no reason why an antivirus company would not want to back-port their engine updates. It is in their best interest to protect their customers, otherwise if a threat gets through, there would be absolutely no way that the customer would ever upgrade. Therefore, if the customer is using the 2009 version and the AV company releases the 2010 product with some new protection module that blocks an additional 1% of threats, they will logically release it into the 2009 version as well to protect their existing customers to get the upgrade payment.

We have the same subscription model as other AVs, but we provide the software updates which improve protection to previous users as well without charging. Users renewing their subscription don't have to re-purchase the entire fee, they are given a discount (and you can purchase multi-year licenses at a further discount as well).

 

There are not many products per vendor, and so the argument that it would make the charts “too confusion” does not have merit, in my opinion.[/QUOTE]

I believe you misunderstood my point - the use of an internet security suite doesn't provide any additional protection if the threat comes by a different means that the security suite doesn't protect against. If a threat comes in via a spam email, the suite may block it but if that same threat comes in via a USB key, the antimalware module would have to be used to block it.

If a user doesn't want the additional antispam/parental controls/backup/etc. features there should be no need to purchase an internet security suite as it wouldn't provide any additional protection against malware, which is what we are testing.

The fact is that the instant that a user of a conventional AV downloads an update, their protection is out of date. There is simply no way to determine that an AV is "up to date" because the signature model is completely reactive. If the user is indeed out of date relative to the other users of that product, then the question remains as: WHY?! An antivirus program should be self managing and self updating automatically. The user shouldn't have to click "Update" every 10 minutes to get a new update, it should happen in the background. If for some reason masses of users are not updating to the newest signatures, I believe the antivirus companies should be extremely worried as it would outline a critical flaw in their updating which would make their model 100% ineffective, rather than just mostly ineffective. If it is malware doing the job behind the scenes preventing the AVs from updating, then I believe we have uncovered an even worse problem

We are not afraid of disclosing this information, but I think the other vendors might be afraid of it

See my previous comment about the concept of being up to date.

Frankly, your posts and a very small number of other members of this forum are the only ones who have ever criticized the statistics. We have had no complaints into our customer service inbox and everyone we describe the charts to immediately understand our intentions. Even at the RSA conference, we showed the statistics to hundreds of people, many who were IT professionals looking to secure their corporate networks, and they understood exactly what we meant, many of them congratulating us on debunking the myths that AV protection is effective as they experience its flaws first hand on a day-to-day basis. The most common question was: "Can I see what threats were missed by these vendors?" And the answer to that is - "Yes, click the bar in the chart and it elaborates on the information by listing a summary of the threats found and the breakdown of each type."

Other vendors, many of whom are listed on the chart itself, are receiving the samples every day and adding the detections in their own products. We look to close the gap between the time the threat is released and the time conventional AVs find the threat so we have absolutely no problem giving this data to our competitors as we know our solutions are effective and that distributing the samples can only help reduce the volume of garbage which the malware authors create.