All heuristical settings set to Max - no prompt on new malware?

I'm testing new malware on MDL with no luck whatsoever to get a single prompt from Prevx, all heuristical features set to Max. I even tested to make the heuristical analysis AFTER Age and Pop. Nada

 

Please send the files to Prevx as stated in this post: https://www.wilderssecurity.com/showthread.php?t=245129

Thanks,

TH

 

Doesn't matter what I test, different kind of malware. There's no prompt.

 

Upload some to VT and give us the results only like how many out of 0/41 but Please send them to Prevx as I stated in my first post! Or send me a PM with some of the links and I will test them in my VM!

TH

 

I've previously checked many rogues with the same result - brand new, no prompt, validated to be fake AVs. See PM for a trojan link. I ran it inside SBIE before with no luck (no prompt).

 

I have a prompt when I execute with the link you sent me:

And this is my settings:

And VT results: 7/41 And it could be SBIE conflict?

TH

 

Running samples inside SBIE would likely cause them to either not show any behaviors to the underlying operating system or would cause them to not be scanned by Prevx unless they tried to execute outside of the sandbox.

Could you try running some of the samples on a virtual machine without Sandboxie limiting the execution?

 

I'm frequently testing new fake AVs over time OUTSIDE any sort of virtualization/box and have always got the same result, or I wouldn't be reporting this in the first place (if it was just run in SBIE/similar all the time).

Something is screwed with my current installation I think since COMODO causes serious and weird problems. SafeOnline will do fine for now, will test more once I've reformatted unless you've other suggestions.

 

I took a look at the sample you sent and indeed it doesn't do a whole lot on the system. (TH forwarded it to me ) I suspect that Prevx wouldn't capture enough behavior from it to condemn it as malicious just because it only created a batch script which then deleted the file and made a few innocuous changes to the system.

Let me know what else you run into - I haven't heard of anything specifically producing incompatibilities between us and Comodo but if you are in a scenario where Prevx isn't blocking known threats (the Trojan Simulator sample is probably the most reliable one to test with), I can definitely try to reproduce it here on one of our internal testing PCs so that we can correct the issue.

Thanks for the help!

 

Just wanted to report that the newest beta (159) seems to fix the Age and Pop. protection bug. At least it prompted on the new Opera beta when I started it after a reboot (didn't before restart?). Opera doesn't start at boot, so once I started it shortly after, it prompted me in other words - not the previous session.

Hope that gives any clues.


Can't find any new pieces of malware to test safely. A trojan which I believe was some hours old got blocked by Norton DNS.

 

Did you end up doing a OS reinstall?

TH

 

Personally, I've experienced a very bad detection against rouge AVs. But any other threat, Prevx will stop (literally speaking). I heard Prevx 4 will get improved detection against rouge AVs, which will greatly increase the overall protection IMO.

 

Not yet - too busy chatting with my gf.

@shadek: Good to know, but as long as it's not bugging EVERYTHING new will be prevented in the first place.

 

yer the rogue protection must be better in the future!

 

Prevx (and I'm sure they'll correct me if this is wrong) relies mostly on behavioural detection, and the problem with rogues is they don't exhibit much in the way of malicious behaviour - all rogues are after are you to, of your own accord, enter your credit card details and send it to them - again of your own accord.

Seriously, if you stuck to reputable companies, or bothered doing some research before buying, or simply used some common sense, you'd never need an AV to tell you 'don't give your credit card details to a box that pops up on your screen without your permission asking for your credit card details.

 

Some of us have said time & again, fake AVs et al (not counting the ones that may include trojans) don't generally contain malicious code per se so it is more difficult to add detection routines for this class of unwanted program. Anti-malware programs are getting better at detecting these rogues, but there's so many and new ones keep popping up that don't get detected. :/

 

Exactly true (Vikorr's comments as well ) Rogues are non-trivial to find in the wild and sometimes not even malicious to begin with. We had a long dialog with a company who's product was considered to be rogue by most security products and we convinced them to make some key changes to their messaging which have now allowed them to be considered legitimate by us and other vendors. It is a difficult balance and unfortunately these products generally are not doing anything malicious which is where the problems occur.

Imagine trying to find a rogue text editor where the only rogue aspect is that its spell check finds too many words as incorrectly spelled when they are correctly spelled... that is exactly the same scenario with rogue antimalware products but rest assured that we do have at least a partial solution in the works for Prevx 4.0

 

Well then I guess MS Word is screwed since long then.

 

Readers of this thread may be interested in the Symantec Report on Rogue Security Software (October, 2009).