What just happened?

Hugger · #1 July 19th, 2011, 07:27 PM

Look at the MRG test results and please tell me I'm hallucinating.
Prevx failed 3 of 4.

d0t · #2 July 19th, 2011, 08:36 PM

Pretty sad

PrevxHelp · #3 July 19th, 2011, 09:38 PM

The Flash tests are over single samples which don't reflect the tens of thousands of other samples we're blocking every day. There isn't an issue - no vendor finds 100% and it is easy to find files that would bypass every vendor listed every day if wanted - it is just the nature of today's malware.

Kirk Reynolds · #4 July 19th, 2011, 11:56 PM

Quote:

Originally Posted by PrevxHelp

The Flash tests are over single samples which don't reflect the tens of thousands of other samples we're blocking every day. There isn't an issue - no vendor finds 100% and it is easy to find files that would bypass every vendor listed every day if wanted - it is just the nature of today's malware.

You don't think that the MRG flash tests have any value? That is the essence of what you're saying, isn't it? I'm not saying that I do, I'm just trying to clarify, is all.

PrevxHelp · #5 July 20th, 2011, 12:06 AM

Quote:

Originally Posted by Kirk Reynolds

You don't think that the MRG flash tests have any value? That is the essence of what you're saying, isn't it?

No, they do have value. They are a point-in-time snapshot of single file threats and need to be understood as such. Just because we missed SpyEye today doesn't mean that we miss all SpyEye - it could very well just be that we missed that single sample. To put it in perspective - we have detection over several hundred thousand unique versions of SpyEye alone.

I don't have the MD5s/samples of the samples so I couldn't get further metrics on the scope of these files but most infections today are designed to only ever affect a very small number of users.

Kirk Reynolds · #6 July 20th, 2011, 12:21 AM

Ah ok, I gotcha.

TonyW · #7 July 20th, 2011, 05:33 PM

It should be pointed out that any missed samples are sent to the vendor before the test results are published - quote by Sveta of MRG:

Quote:

Missed samples are submitted to vendors, this is done before the tests are published.

So Prevx should actually have copies of those three undetected malware.

Triple Helix · #8 July 20th, 2011, 05:37 PM

Quote:

Originally Posted by TonyW

It should be pointed out that any missed samples are sent to the vendor before the test results are published - quote by Sveta of MRG:So Prevx should actually have copies of those three undetected malware.

Also Prevx would have them in there database when MRG scan them that's the good thing about full cloud based Anti-Malware we don't have to wait for a signature download to be protected!

TH

Zorak · #9 July 20th, 2011, 09:06 PM

MRG test with programs at default settings. If age/popularity based heuristics were increased, I would assume Prevx's detection rate would increase in these tests.

I have always run max program heuristics and high age/popularity and don't find false positives to be excessive, but am now considering an increase to max for both.

PrevxHelp (Joe) are you able to tell from your end what difference an increase in age/popularity based heuristics would have made in each of the missed samples from the MRG tests?

PrevxHelp · #10 July 20th, 2011, 09:11 PM

I'm not sure - I haven't been able to find who within Prevx is receiving the samples from MRG so I still don't have visibility into them. I'm still investigating and should hopefully have an answer by the morning.

d0t · #11 July 24th, 2011, 03:06 PM

Could you get ur hands on them? I'm curious eheh

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search