Edge, 2 months and your thoughts.

Discussion in 'other anti-malware software' started by trjam, Jan 9, 2009.

Thread Status:
Not open for further replies.
  1. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    I like the way y'all name stuff, so pls don't change it to something that's already in use by others.
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Don't worry :) I agree and like our naming system as well - rather than saying that this file is Adware.Win32.ScaryName.32768.a... we'll say something like "Adware" :D :D

    Saves a lot of hassle and confusion for users :)
     
  3. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    speaking of Prevx,

    I keep hearing of inexperienced people testing Prevx by doing a scan on a little 'malware collection' and working out a detection rate based on the files remaining. This is a really bad way to test, especially to test Prevx.

    i.e. In my own private testing, I think I already posted that, based on Prevx's scanner alone, the detection rate is roughly around the 50% mark, and some people think this is their detection rate; I've seen some people label the software as junk purely based on this.

    Please note, this is the scanner-alone detection rate of Prevx, and there are other technologies within Prevx to detect the other files.

    In my own testing, I found Prevx to detect around 95% once bad/corrupted samples had been removed, including all the technologies such as analyzing the behaviour of the samples the scanner did not detect.

    People should not be judging Prevx on scanner-based detections, it's wrong.

    carry on ;)
     
  4. GreenWhite

    GreenWhite Registered Member

    Joined:
    Nov 23, 2004
    Posts:
    110
    Has anyone experienced Edge detecting malware that your other apps missed, particularly your AV?

    According to the statistics at Prevx, and with the thousands of customers that they have, one should have already heard quite a formidable number of testimonials in the forums, shouldn't one?

    Prevx claims to see more and their charts show that. But I want to hear more real users talking about it.

    For instance, MBAM (known as one of the PC tech's malware-removal kit) has users (incl. technicians) talking about its detection and removal abilities where others missed. I have rarely seen anyone talk as enthusiastically about Prevx and say that it should be included in their arsenal against the bad guys.

    Thanks.
     
    Last edited: Jan 11, 2009
  5. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Well, I'm very careful with what I do.

    But I could test it, and Prevx will find threats, both by signature and by its behaviour, that my antivirus does not detect.

    However, in real-time and my general use... Dr.Web has always got it all. :)
     
  6. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Ok, I've stopped worrying :thumb: HeHe, and I agree, it is much clearer to just simply name stuff like Adware or Trojan, Virus, Malware, Rootkit, Spyware, etc. and LOL @ Win32ScaryName :D
     
  7. GreenWhite

    GreenWhite Registered Member

    Joined:
    Nov 23, 2004
    Posts:
    110

    It's okay. Just let us know when you encounter a real infection detected by Prevx that slipped through the others. That would carry more weight than charts, signature database size, and so on.
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    If you saw our inbox, you would hear stories from thousands of satisfied customers :) However, our products are commercial so we will never have anywhere near as many people saying how we saved their lives from infections compared to the free products.
     
  9. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    I was working on a seriously infected laptop last Friday. I used MBAM to do the main clean, and after the cleanup and general tidy I installed paid versions of Nod32 v3 and then PrevxEdge (Nod32 needs to be installed first, otherwise it zaps Prevx, grrr). PrevxEdge found 1 remaining rootkit that had been missed by MBAM and Nod32.
     
  10. GreenWhite

    GreenWhite Registered Member

    Joined:
    Nov 23, 2004
    Posts:
    110

    Do you remember which rootkit that was?
     
  11. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Am I wrong in my conclusion that Prevx Edge was developed in part to serve as a zero-day, in fact a zero-hour, anti-malware tool?

    If so, then I am doubly confounded by the explanation I received as to why Edge missed a malicious sample (not scanned; Edge was disabled during malware installation, and then, when the infection had taken hold, Edge was enabled), which, if memory serves me, was Gromozon. The explanation I received for the miss was that I was literally the only one in the entire community that had seen that code, and there simply was not enough information on it. Then I must wonder aloud: how can Edge protect against zero-day/hour code when, as I interpret that comment, Edge must have a prior library of data on malcode to detect it?

    That said, I still use Edge, and to a degree rely on it to monitor code behavior; I just now prop it up with an AV and Sandboxie (which I had hoped I would not feel the necessity to add). Will I purchase Edge after my complimentary license expires? Absolutely. It works far more often than it doesn't. Development is ongoing. And Prevx has demonstrated it is committed to staying the course in its engagement with the end-user. Kudos to PrevxHelp and Eraser.

    My wish list:

    1) Expanded comms with the user base. For example, when Castlecops closed, I feel there should have been an announcement on how Prevx will fill that hole near term and long term.

    2) When Edge detects, I would like it to indicate what the code was attempting when the detection occurred, and what technology caught it: heuristics, sigs, behavior, sandbox.

    3) Helpfile. I seem to recall that early in Edge's release, Joe indicated he was working on helpfiles, and in fact in one post he said he would be finished in a day or two. Where is that? Yes, Edge is mostly load and forget, and not a lot of moving parts, but it still does things that there is no explanation for. For instance, sometimes it will throw out a detection dialog box in mid screen, and other times in the lower right hand corner... why? Detection override is still a mystery to me; I know it was brought up previously, I am just not going to wade through the huge thread to find the explanation... that is what helpfiles are for.

    Summary: I still have high hopes for this product, and will continue to until it becomes obvious that it can never live up to its promise, and even then I would use it. Edge at 60-75% is more useful and powerful to me than most other security apps. Besides, who can bail on Joe?


    Mike
     
  12. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Ah, how interesting! A first case! Well, I suppose it's normal for community based protection. The 1st to come into contact with a malware that isn't in the database has to pay the price (aka be the victim), so that the other users after him will be protected. You were one unlucky guy, but you saved many others!

    If I were you, in order to avoid similar future misfortunes, I would add a classical HIPS and/or Threatfire (which is quite capable of detecting malicious behaviour even without consulting the online database). This duo (PrevX Edge + one of the others) would make it hardly possible for you to get infected.
     
    Last edited: Jan 11, 2009
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello simmikie/others :)

    The Gromozon sample which you sent was almost 2 years old - not exactly 0 day :) This antiquated sample was only ever seen by you in the entire community, and in many cases we would block it immediately anyway. However, it is impossible to block 100% of infections when the first user encounters them. Zero-day/Zero-hour infections try to spread as fast as possible, and you were the only user to ever see it (I just double checked - you are STILL the only user to have ever seen the infection :D).

    But, you may have actually gotten bitten by a bug which we had in the community analysis. We technically SHOULD have blocked that sample, and we identified an issue which could prevent that sample and some samples like it from being blocked (this was a month or so ago when you first reported it). I think that, looking forward, you would be blocked from a similar infection if it were to occur again.

    Castlecops closing was a big shock to us and the entire community. We were completely unaware that this would happen so we weren't able to start putting the measures in place to move somewhere else. We still do have a forum planned but we are currently dedicating time to other support-related projects (like significantly improving our own internal customer support inbox). As soon as the other customer service changes are completed, we will start exploring exactly how to handle a new forum and how to make it work as best as possible for the users and for us. There are a number of benefits to having users come directly into the inbox but I do agree that there are benefits to a support forum (user interaction being the main one).

    We don't show the granularity of the detection algorithm used in all cases, however, in some cases you will see heuristic detections labeled as: "Age/Spread Detection", "Edge Heuristic", "Community.Heuristic", or "Community.OuterEdge". They give a bit more granularity on which engine is used to find the files, but besides those, we dilute the names down to names like "Malicious Software", "Adware", etc.

    The help file is a work in progress :) We're hoping to get at least a preliminary version of it out within the next week or so, but we have been a bit slow in finishing it.

    Thanks for your support and questions. The helpfile will be elaborating more on detection overrides and the block windows but if it takes too long to release the helpfile, I'll make a post explaining them better.

    Please let me know if you have any other questions!
     
  14. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Wow, talk about bad luck! Simmikie, I don't see you winning the lottery any time soon! :D

    Anyway, cheer up mate!

    http://img523.imageshack.us/img523/2393/51381471os7.jpg

    http://img523.imageshack.us/img523/5308/89052697ks5.jpg

    :D
     
  15. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Unless I've missed something, when it pops up with infected - block, allow once, allow always, how can I find out why it was triggered as infected?

    ... I could do that with Prevx2, think I've missed it on Edge, surely it has to be there, maybe?
     
  16. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It will show the infection name, but we don't give any more detailed information as to what it was doing; 99.999% of users in the world do not benefit from the more technical information and just want something straightforward which they can answer Block to. We may add in more technical information in the future, but it is currently low on the priority list.
     
  18. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Ohhh, I don't want to be an average user though, Joe,


    get it done. *lol* :D
     
  19. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
     
  20. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Well, if that were the alpha and omega of Edge's technologies, I would agree, but it does have sandboxing, which has been significantly strengthened over PX2 according to Joe; it has heuristics, again supposedly much more advanced than PX2; and, more importantly to me, HIPS-like behavior monitoring. So the first infected should not necessarily have to "fall on the sword" to save the rest of the community. I count on this being true for Edge to live up to my expectations (which may be too high... I dunno).

    I purposely did away with a classical HIPS. While I have installed and used everything from Coreforce to OA, I realised that, although I rarely became infected, it was pure luck. I generally had no real idea of what these HIPS pop-ups were asking, and do not possess enough of a working knowledge to intelligently answer them, not consistently anyway. That is the promise of Edge: to intelligently recognize malicious behavior from benign behavior, and make those decisions for me from the clouds. My ego does not demand that I make those calls, so Edge is my perfect fit... when it works.


    Mike
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hi Mike,
    The Gromozon which you saw was significantly different compared to the Gromozon which we wrote the removal tool for; it just happens to have the same name :)

    I know we missed the sample before, but I'm going to stand behind the fact that we had a known issue which caused the detection to be missed. If Gromozon did make that many system changes, I'd believe that if the bug was not present, we would have enough data from your system alone to determine it as bad and block it.

    The problem with reporting an event like "file x is accessing memory" is that this event is not malicious. No behavior by itself is malicious - there are thousands of legitimate reasons for accessing memory remotely, or installing a service, or terminating a process, etc. This is the conceptual difference between Edge and behavior blockers/some HIPS programs. Rather than just looking at individual behaviors, it looks at the program as a whole so the actual analytical information may not be from your system at all but from some system miles away and the client program is not aware of all of this (it just reports the end information which the database tells it).
     
  22. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I see. Some day I should install PrevX Edge over SD and run it a bit. The problem is, how good is the behaviour blocker. I haven't tried Edge yet and I am prejudiced against community programs. I also remember Drive Sentry, which without internet was dumb as a rock (at least when I tried an early version when Katie first appeared in the forum) despite the supposed behaviour blocking ability.

    Do you know if the behaviour analysis is supposed to be done locally on your PC or online, in the PrevX center?


    I understand and I see your point. I don't always know what to expect from an application with classical HIPS either. I thought I had somewhat of an experience after years of HIPS, but recently I installed a tiny screenshot program that was asking for a wide variety of things. I only allowed it because I was trusting it. But other than that, it was asking for so many and unusual requests that I had no idea what it was doing. I was actually surprised that it wanted so many access rights. So I went with virtualization. :ninja: Of course sooner or later I will go back to D+ or something (once I get over the shock).
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Our analysis is done in the Prevx database online and not locally on the computer. While we aren't quite as dumb as a rock without the internet, you definitely do want to stay online if you want to detect new threats. (However, with the large number of broadband users now, almost everyone is online all the time anyway - and, when offline, your risk for getting infected is dramatically lower also).

    Normal users don't understand behavior blockers, which is why we use data from all of the behaviors across the community, using the context of the other programs, to determine the intention of programs and then automatically make the decision with no human interaction required (in virtually all cases). We do not have a behavior blocker in Edge - Edge monitors and analyzes behaviors but does not have any functionality which would allow a user to, say, "block all registry access to hklm\software\...\run".

    I ask you to go to a large city and ask people on the street what the Windows Registry or a behavior blocker is :D You may be surprised :D
     
  24. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I see. Thank you for the explanation. You try a fully automatic approach for the average user (which is a logical thing to do). Don't worry, you won't hear an argument from me about whether people know what a behaviour blocker is. :D For the target audience you have set, your approach is undoubtedly the best.
     
  25. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    @ Fuzzfas:

    It's all done in the clouds with Edge. PX2 had what was referred to as a local agent, which communicated with a Community Watch doo-hicky, which in turn (I believe) communicated with the Mothership. The local agent had some autonomy to perform tasks on its own and was not completely out of the game without an internet connection.

    One Prevx guy likened it to the Borg and the Collective, from the Captain Kirk, Spock series whose name escapes me. At the time I thought it a great analogy as to how PX2 worked. Maybe I should go back to PX2, since it can leverage some of Edge's advances.

    Well, keep in mind that PX2's and Edge's community databases are completely different from A2's, Threatfire's, and DriveSentry's execution of community. They seek to take the pulse of the user part of the community. Prevx's utilization of the community cares little about what the user does; its focus is on what users' files on their computers are up to, and it examines file behavior across the entire community, with the express intent of making determinations of malicious or benign. It is truly an outside the box, novel approach to the community paradigm, and really, at the risk of offending, the only one that makes sense to me. I have a small glimmer of understanding of why (not how) Edge works or should, and zero understanding of why it sometimes fails. Go figure :doubt:


    Mike
     