Edge, 2 months and your thoughts.

Discussion in 'other anti-malware software' started by trjam, Jan 9, 2009.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We considered adding Prevx2 functionality into Edge, however we have since decided against it because we really want to emphasize the fact that Edge has been built for simplicity. We have some features planned which are similar to some functionality in Prevx2, however we are not going to be implementing the same type of "Expert" mode features.

    You can use Edge and Prevx2 on the same computer FWIW :)
     
  2. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Impressed by Edge just now...

    I've been at a customer's this afternoon cleaning some infections. I use a USB pen drive for this & as usual, I popped it in my pc to run a few scans to check it wasn't infected.

    Immediately I popped the pen drive in the slot, PrevxEdge popped up a red warning that it was stopping m.exe on the pen drive. Nod32 at this point was doing nothing. I opened the root folder on the pen drive but did not see the file (Nod32 did nothing) & then changed the view options to view hidden files & folders. I then saw the m.exe file & immediately Nod32 popped-up & deleted the file.

    Time: 14/01/2009 17:42:42 pm
    Module: AMON
    Object: file
    Name: H:\m.exe
    Threat: a variant of Win32/Agent.OKD trojan
    Action: quarantined - deleted
    User: DOMAIN\Username
    Information: Event occurred on a file modified by the application: C:\Windows\Explorer.EXE. The file was moved to quarantine. You may close this window.


    I was very impressed that PrevxEdge saw this threat WAY before Nod32.
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Good work Biscuit. I am not surprised. More are going to see in time, just how good this jewel is.;)
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks for letting us know :) We're also planning on adding further protection for USB infections into Edge - USB has really jumped up as a much more popular infection vector recently (not coming in this next update, but soon after :D)
     
  5. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Just for information. It's not PrevX's fault, but Ashampoo Firewall free apparently has a conflict. It doesn't pop up an alert to allow outbound. It even blocks the connection even if you manually add a rule for PrevX. I have seen this behaviour before with an old KAV version. Ashampoo can't "see" the connection attempt. I have no idea why. I installed PrevX over Shadow Defender, but I don't think this was the problem.

    PrevX was popping a message that can't connect, check proxy settings, etc. Ashampoo hasn't updated the firewall for ages, so I don't think this will be solved.
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    So much for their "Anti-Stealth" - and this isn't even a root-kit! :D You mean NOD didn't see it, even if it wasn't even hidden!? If I understand correctly, you just changed the folder options to show hidden files & folders? Sounds ridiculous. :rolleyes: (No, I don't mean anything against NOD in particular, even if it sounds like it - I only find the situation weird. ;))
     
  7. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Cool. Any thoughts on when that might happen?
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We're looking to release it within the next 1-2 weeks - it will be a fully functional version of CSI/Edge for x64 as well as Windows 7.

    The full list of OS's which are now going to be supported in CSI will include:
    Windows NT4, 98, ME, 2000, XP, 2003, Vista, 2008, 7

    Edge will support:
    2000, XP, 2003, Vista, 2008, 7
     
  9. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Good to hear. Also please add edition note on your webpage.
    Currently it only lists Windows versions and users have to find out the hard way that for now the program doesn't even work under x64. But that's not mentioned on the webpage itself. WinXP and Vista are both 64bit and based on the webpage I'd expect PrevX Edge to work on both. Devs usually don't mention editions when both 32 and 64bit are supported. And this isn't a problem just on your webpage, it's a global problem. Like it's so hard to type those 10 extra characters and inform the users in advance.
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Well, the System Requirements page lists a "32bit Pentium4 processor or higher" and the download pages for both CSI and Edge mention that it is not 64 bit compatible (i.e. http://info.prevx.com/downloadedge.asp)

    Where are you referring to having it stated?
     
  11. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    http://www.prevx.com/prevxedge.asp

    System Requirements tab... saying 32bit processor doesn't make much sense even though you can't run x64 software on it.
    Because my C2D is 32bit and 64bit...

    I don't know why it is so hard for everyone to write requirements like this:

    Windows 2000 SP4, XP SP2/3 (32bit only), 2003 (32bit only), or Vista (32bit only).
     
  12. Mosqu

    Mosqu Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    69
    Location:
    Germany
    Well... Just to be fair... NOD could have detected it as well, if Prevx Edge wouldn't have jumped in and blocked it earlier. And then maybe NOD did not find it, because it did not seek. I wouldn't want a security app to scan each usb-drive automatically after being plugged in. Eventually NOD found the file, when explorer accessed it the first time to show it. That could have been the first real contact that NOD had to it. Maybe...?

    Was that somehow understandable o_O ?!?
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yes, I see what you mean. ;) The thing is, he mentioned NOD was doing nothing till he changed the folder options. Who knows, maybe it was inactive and viewing it made it... active... o_O :p
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    USB drives do "load" programs when they're first inserted and it looks like in this case Edge caught it as it was first being accessed by the system. I'm assuming NOD has an on-access engine as well but there could be any number of reasons why it wasn't found and then subsequently found.

    Anyway, the result is that the computer is still clean so I'm happy :D
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fair enough ;)

    However, if you were to try and download CSI or Edge, the download page itself does have the note which says it is not compatible with 64bit so we do reinforce the point there.

    Anyway, the problem will fix itself shortly :D :D
     
  16. PrevxWebDesigner

    PrevxWebDesigner Former Prevx Moderator

    Joined:
    Nov 13, 2008
    Posts:
    89
    Amended :thumb:
     
  17. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Good to know.

    The drive is a Sandisk U3 for your info & was being protected (cough) by Avast.

    Could really do with a Prevx version for U3? :cool:
     
  18. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Nod saw the infection once I had browsed to the pen drive & changed the view settings to view hidden files & folders. Edge found it immediately I inserted the pen drive in the USB slot.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We have a U3 version planned down the road a bit :D We just have to work on a few things for a quick install/uninstall without actually persisting data on the user's computer, but we will definitely have this in the future :)
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    In this case, my guess is that because Windows Explorer didn't try and access the file when browsing, NOD didn't bother scanning it as it wasn't accessed.

    However, because Edge actually scanned it that means that something did access the file in the Windows subsystem...

    (Edge does not just blindly scan entire USB keys on insertion - it will only find files which could pose a threat to the system).
     
  21. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Excellent - looking forward to testing it! ;)
     
  22. GreenWhite

    GreenWhite Registered Member

    Joined:
    Nov 23, 2004
    Posts:
    110
    The most important thing is you'll be fine with either of them on the system. The fact that no pop up from NOD earlier means that the malware had not done its rounds yet or something else.

    To prevent any future autorun.inf from infecting the thumbdrive again so as to create a conflict to prevent it from copying itself, just create an empty folder with the same name.

    It has to be said, there are some clever malwares that can remove it and then copy its own, in that case;

    1. Click Start->Run… and type CMD.
    2. At the command prompt type, E: then hit Enter
    3. Type MD AUTORUN.INF, hit Enter (skip this step if you already have an autorun.inf folder)
    4. Type CD AUTORUN.INF, hit Enter
    5. Type MD .\CON\, hit Enter.
     
    Last edited: Jan 15, 2009
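Added example, not part of any post in this thread: a small Python audit of a removable drive's root that reports whether autorun.inf is absent, a blocking folder as in the steps above, or a live file, and lists the programs that file asks Windows to launch. The sample autorun.inf text and the function names are constructed for illustration.

```python
import os
import stat
import sys

# Constructed sample of the kind of autorun.inf a USB worm drops (not from the thread).
SAMPLE = "[AutoRun]\n; constructed example\nopen=m.exe\nshell\\open\\command=m.exe -x\nicon=folder.ico\n"

def parse_autorun(text):
    """Return the commands an [autorun] section asks Windows to launch."""
    commands, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            key = key.lower()
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if value and launches:
                commands.append(value)
    return commands

def is_hidden(path):
    """True if the Windows hidden attribute is set; always False on other systems."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))

def audit_drive(root):
    """Report whether autorun.inf is absent, a blocking folder, or a live file."""
    name = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if name is None:
        return {"state": "absent", "targets": []}
    path = os.path.join(root, name)
    if os.path.isdir(path):
        return {"state": "folder", "targets": []}
    with open(path, "r", errors="replace") as fh:
        commands = parse_autorun(fh.read())
    targets = []
    for cmd in commands:
        # Simplification: the program is taken to be the first space-separated token.
        exe = os.path.join(root, cmd.split()[0])
        present = os.path.isfile(exe)
        targets.append({"command": cmd, "present": present,
                        "hidden": present and is_hidden(exe)})
    return {"state": "file", "targets": targets}

if __name__ == "__main__":
    print(audit_drive(sys.argv[1]) if len(sys.argv) > 1 else parse_autorun(SAMPLE))
```

Run it with the drive root as the argument (for example `E:\`); a state of "file" with a hidden target matches the m.exe case described earlier in the thread.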
  23. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    426
    Location:
    None
  24. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Thanks, but did you miss what Prevxhelp talked about?

    Re the autorun, U3 drives don't really work like that. They have a partition which acts like a CD drive.
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA