Prevx 3.0: delayed detection

In testing Prevx 3.0 trial, came across a weird detection delay:
- downloaded Antivirus 2008 rogue scanner from <safetyscanguide . com / index.php>
- manually scanned Install.exe with Prevx, no malicious files found
- scanned it with Symantec SEP locally, and in 6 miutes it took SEP to scan it, Prevx all of a sudden identified it as Medium Risk Malware.
I am curious as to what caused the initial failure to detect something this trivial, and delayed detection thereafter. I send an email to Prevx as well, but figured I'd ask the wise and expereienced here.
Thanks!

 

I suspect we automatically added detection for it during the time you waited to run the scan. If you'd like, feel free to send me a scan log (I'll PM you my email address ) and I'll see exactly when we found the file.

 

PM sent. I guess my question is this: did Prevx detect it later because I initially scanned the file (and therefore submitted its signature to Prevx), and definition was released and issued in the time it took SEP to scan it quarantine it?
In other words, did Prevx detect it only because I manually scanned it, or did I just get "lucky" and tested a file two minutes before detection was available for it?

 

Hello,
Thank you for the scan log. The file was indeed automatically determined at 10:33 today and has only been seen by one user still. I suspect it wasn't found initially because you just right clicked on the file to scan - this doesn't get a full picture of the file as it is only an on-demand scan. A normal "deep" scan will pick up more than right clicking on a file and trying to execute the file is the real best measure of our protection.

Had you executed the file in your first test, we would have most definitely caught and blocked it, even though it was the first time it was seen. I suspect the variant you're testing with is a server-side polymorphic threat as we have a signature in our database which is currently covering around 30,000 similar XP Antivirus files.

 

Thank you for prompt reponse.
Can you elaborate on the differences between "on-access" scan and manual "right-click" on-demand file scan? I would expect behavior to be opposite to what you described above; i.e. on-access scan not having a full picture/deep inspection of the file in order to accelerate scan (not something I'd like to see, but from a theoretical point of view, at least understandable) and not slow down a starting process, versus manual on-demand have full control of the file and really dig in deep.

 

Conventional AVs use the approach you describe, however, we look at it differently - when a program is actually starting to execute/load into memory, THAT is the point when the program has the propensity to affect your system, not when it is sitting dormant. Therefore, we consider the point of entry as being the execution, not the creation of the file on disk (unless the file is created into a boot-loading location which is an entirely different story )

Our on-demand scans are looking at the files out of context within the system (i.e. if a program tries to enter the system from a possible browser exploit, we apply entirely different heuristics on it) and we tend to limit the amount of analysis actually done for files which are scanned purely on-demand (ones which have never loaded/are not referenced in the system) to save resources on both the client PCs and the centralized analysis.

This approach admittedly gives us some worse scores if an antivirus tester is performing a purely on-demand test, but if an antivirus test is performed with real world infections attempting to enter the system (or on a computer which is already infected which would also provide an equivalent environment).

However, it allows us to streamline on-demand scans as well as on-execution scans by limiting the overhead of the analysis and data transmission without sacrificing any security

 

I see now. SEP has similar theory behind their techniques, however their real-time detection of executing processes is beyond poor, and their behavior analysis of those processes that don't fall under the signature is close to non-existant.
So with Prevx testing, you suggest just go for it and execute bad things to get a feel of its detection capabilities? How good is behavior-based detection of unknown (not signature-based) threats with Prevx?
Thanks, and sorry for potentially trivial Prevx questions..

 

I think this would be a good start for an explanation. I am not as savy as most, but have been foolish enough to buy all and test in a newbie arena, and I still say that right now, there isnt a better method for staying safe while allowing you to actually use your PC.

 

We monitor all forms of loading code (not just "double clicking" on a file to execute it) so we should catch any means possible of actually entering into the system. I do suggest executing the threats, but to get a feel of our protection and a nice overview of what we provide, you may be interested in reading the PC Magazine review of Prevx 3.0 (http://www.pcmag.com/article2/0,2817,2346861,00.asp).

Our entire model is based around behavioral analysis and we only have conventional white/black listing as a supplement to the centralized behavioral analysis technology so while our protection isn't perfect, it does provide a solid layer on top of conventional AVs (and works alongside them if so desired )

 

Thank you for your response. I am going to buy a 30-day license to test the Edge protection and hammer away at my test VM. I will post my findings as things progress further.
Again, thanks for your prompt response.

 

Without trying to dissuade a purchase, if you are only going to be testing on a VM, I wouldn't mind giving you a 30 day test license (especially in this economy )

 

Oooh, you are good Joe, really good.

I have some swamp land in Nevada, think you can help with that.

 

We can see that you have swamp land on how many times you change your pants

 

I can assure you that there are a great many of us here who look forward to viewing your findings.

 

To the original poster, if you are going to download a host of malicious files, I'd download a trial of Shadow Defender (30 days) or Returnil (free version)to use alongside prevx to test any threats.

I'm not saying prevx isn't up to the task of detecting the programs you test it against, because something it misses might actually be in fact harmless and a simple uninstall might do the trick. 'Hey it got past prevx, and it's a rogue, but hang on, uninstall removes the whole program!'.

I just think there is a difference between downloading something which is from your regular google searches, and downloading something intentionally (from certain sites) which is 'designed' to corrupt your system, but isn't going to affect the average user.

Anyway, what I'm saying, if you're messing around with installations, a simple reboot with Shadow Defender or even Returnil will remove all files, that is all installation download files and so on.

I know some are skeptical at whether prevx performs as it describes. I too have thought the same. The issue about how a product is being marketed aside, this new version of prevx, as far as I can tell, seems to perform exactly as described (analysing all executions - preventing damage).

And if it doesn't (perform how expected), as long as the support prevxhelp (Joe) is working at the company, I think he'll do all he can to make sure something is fixed. So I believe in a program's support and their ability to listen to feedback, and use that feedback, more than anything else.

 

Joe,
Thank you for your generous offer, I will respond privately in a PM and explain what we're trying to achieve with PrevX.
In the meantime, I just came across another rogue antivirus that Prevx didn't catch on execution, but the moment I re-enabled A2 AntiMalware, it picked it right up, both as bad Website and as a rogue antispyware program.
This is the download link for the program, it's called Adware Pro2009 and is hosted on a known RBN network:
< adwareprofessional . com / ?hop=adwpro&mode=d >
and it appears to be along the lines of the original post. This time I did both scan it with PrevX by right-clicking on the file and actually executing it. In both cases, PrevX allowed the file to run.
Any thoughts?

 

I sent a copy of that to EraserHW a couple of days ago! I really do think that Prevx should be adding more Rogues to there list as it is out of control.

TH

 

This is what worries me. We are looking for a behavior-based product that is intelligent enough to not rely solely on signatures and is able to detect unknown risks stirclty on its malware and virus-like behaviors.
I though PrevX was excatly that and still hope it's the case and that these are isolated cases. A lot of people here swear by it and it comes highly recommended through other channels, so, again, I'm hoping this is an exception to the rule and not the norm.

 

I'll see why the sample wasn't added by EraserHW

However, the problem with rogue antimalware programs is that they generally do not exhibit malicious behavior, which is how most of the newer ones are getting past conventional AVs. From the surface level down, they look like completely legitimate applications but they're able to generate revenue for the malware authors merely with social engineering, which is extremely difficult to detect with behavior alone.

Rogue antimalware is indeed an exponentially-growing threat and we're working on technology to help combat them better but it is a non-trivial task, and all other AVs are struggling as well (seen by many rogues resulting in a 0/40 detection on VT).

 

dlimanov, take a look at this thread:
https://www.wilderssecurity.com/showthread.php?t=232388

Others on the forum and I tested many rogue programs to see if scanners such as Dr Web, prevx etc picked up these as rogue.

You'll notice for every program say Norton, prevx, a-squared find, they also miss another rogue say Dr Web finds, and vice versa.

In summary, basically it's hit and miss. Prevx does do quite well, i'd say better than most.

The problem with these rogue or fake programs is that there are new ones being created every day, every minute.

Some of them install adware/viruses on your system, some of them function just like any other legitimate program to obviously avoid being labelled as malicious (and continue to serve its purpose of extracting money from users).

All depends on what they do. Most can be easily uninstalled through add/remove programs.

Here's a quote from Joe in the earlier thread:

 

Joe/Saraceno:
I can totally understand the argument that most rogue spyware scanners are close to impossible to detect, and I'm content with the fact that if the program emulates legitimate application behavior and the only malice that comes from it is wasted memory and CPU cycles and pay-per-click banners in the app itself, then it's not an issue for me. This particular bad boy is not as harmless as you think, though. I didn't get deep inside, but it does install its own BHO to do search hijacking, as well tries to download and install other "payware" stuff.
I ran some tests using Spycar (http://www.spycar.org/Spycar.html) with A2 disabled, as it intercepted every test. PrevX failed almost every "Autostart" test and blocked about 20% of the test in total. Now, this is worriesome to me, as Spycar uses vanilla spyware techniques to test your protection -- this is bread and butter for PrevX and similar behavior-based apps! There's no obfuscation or hiding, just straight registry Autorun injection and browser hijacking. Again, maybe my PrevX is not configured right (it's at default config), but it caught about 20% of the attacks on Spycar site.
Anyone else can try it and see if yours behaves differently?

 

Adding protection for the Spycar tests is trivial, but unnecessary. We focus on real threats rather than components of threats tested via leaktests. We most likely shouldn't even find 20% of the threats as they aren't malicious by themselves. Detection of a real threat may contain elements or flags referring to the fact that it modifies a registry entry or privacy settings, but those changes alone are not enough to condemn a program without suffering massive false positives.

The difference between Prevx and a behavior blocker is that a behavior blocker doesn't look at the overall intent of the program and just sets itself out to block specific actions (i.e. creating a bootup entry). While many pieces of malware do create bootup entries, many MANY legitimate programs do as well so the added protection is a result of a large number of additional prompts and user queries. Without trying to slight other vendors, writing a behavior blocker is trivial at best - it is a subset of the technology built into Prevx and many other advanced solutions and like us, most of the other AV vendors do not spend resources to detect tests like Spycar which do not correctly represent a real threat in the real world.

 

Joe,
Do you have an example of behavioral detection that PrevX would do in real world? While I understand what you're saying about potentially creating false positives since many legitimate programs are modifying Registry settings upon installations, I am not comfortable with the idea that an end-user can download something from the Internet that will auto-register itself to start in every way imaginable, and my spy/malware protection doesn't as much as warn him/me about it.
If I understand what you're saying correctly, PrevX would step in and block the application if it exhibited trojan or other malicious behavior while already installed? In other words, it would let the program auto-register and load, but once it started capturing keystrokes (for example), PrevX would immediately step in and shut it down?

 

I have more than 20,000 new examples every day

No, it's a combination of events which causes it to be triggered - virtually always far before it installs. Downloaded from the internet + registering on bootup is not enough to condemn a program (installers do it all the time) so that isn't a viable option to consider. A program as a whole contains many attributes - not just the boot registering aspects - which can condemn it.

We don't detect leaktests because the leaktests only perform one function of the infection, rather than a real infection which may have many components performing different actions with varying levels of suspicious behavior in each.

What you're describing is still in the "behavior blocker" category, but a marginally more advanced version which contains some local logic. Our centralized analysis takes and processes the behaviors of "loads on bootup" and "captures keystrokes" and then decides if the program should be blocked or not by factoring aspects like the popularity of the program, the age of the program, various physical characteristics and the relationship to other files or families/groups of files.

Simply blocking a program because it logs keystrokes and registers itself on bootup will still cause false positives - which is the basic flaw in behavior blocking. A good example is a program which we saw we were causing a false positive against a few years ago: it was an encrypted, GUI-less application which loaded on bootup, recursively iterated through files on disk searching for email addresses and then proceeded to send out mass mails to each of the contacts it finds.... and yet it was a completely legitimate application

Behavior blocking looks great from the surface level. We've been there before and tried it in Prevx Home (~2004) but it was not an effective means of actually securing the every day user's PC. The level of complexity and the learning curve required to understand what prompts mean lies far outside of the scope of what users should be expected to do. In Prevx 3.0, we've eliminated a majority of the user decision process so that we can automate as much as possible while producing as few false warnings as possible.

So while you may not get a warning that the new Windows-bootup-loading screenshot utility you just installed is going to take screenshots of the system, the piece of malware which one of your customers just accidentally ran into via an exploit which covertly takes screenshots after loading on bootup will be swiftly blocked before it has a chance to do either of those nefarious actions

 

Sorry about that, I checked again and your email has been marked as spam so I didn't see it. Now I added a rule for these e-mails

I apologize for the delay