Prevx age/population heuristics - disappointment

Discussion in 'Prevx Releases' started by ako, Jul 27, 2009.

Thread Status:
Not open for further replies.
  1. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
  2. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    I do not see anything heuristic about Prevx.
    The only heuristics I observe is the Prevx algorithm contacting the Prevx Server to determine the statistical age of a file according to the Prevx community, then jurying the file.
    That is not heuristics, true heuristics does not care about the age of a file, true heuristics juries a file by what action the file is performing right now in real time.


    HKEY1952
     
  3. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Totally agree.
     
  4. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    I'm not interested in nomenclature. I want to know if a given protection method works or not.
     
  5. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Well.....you just Posted your disappointment.....now you know.....


    HKEY1952
     
  6. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
  7. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    ako, I don't know the 'technical' ins and outs of Prevx, but I've learned from these forums, some of the best security programs don't get every problem file.

    For example, WinPatrol might detect these, but misses others.

    What problems do these files create, if run?
     
  8. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    The point is: they are new files, but one gets no warning even with age/pop. heuristics set to maximum.
     
  9. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    When Joe gets online, he's sleeping I'm betting, send them through to him and wait for his follow-up. :)
     
  10. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    I've already done it...
     
  11. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Good stuff. :thumb: Just out of interest, what sort of site did these files come from, gaming, adult etc?
     
  12. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    He's doing an excellent job, definitely deserving his rest. ;)
     
  13. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    I heard the man doesn't sleep, survives off mouthfuls of air. That true? ;)
     
  14. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Infected random sites, no special title.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ako,

    Have you set DefenseWall to protect additional folders? Or did you select the option to be informed when protected resources are accessed?

    You know there is a nice trick with DefenseWall Resource Protection to add extra security (on files/registry). Simply add those items as resources of the "System" process.

    Ilya has added a lot of my extra file and registry protection by default. I am interested to know whether you have defined extras yourself.

    Regards Kees
     
  16. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    I haven't done any 'tweaking' so far; unless proven otherwise, I hope I can trust the default settings of DW.

    Please tell, what's your ruleset?
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hi ako,
    I'm unsure what the source of the issue is but could you get me some details about your system including what version of DefenseWall and what browser you're using/service pack level? There may be an incompatibility causing the detection to not work properly (it definitely works as it bugs me every time we make a new build :D).

    And @HKEY1952: only one portion of our centralized database uses age/popularity to detect the file, the rest is entirely based on heuristics/heuristics from behavior (we don't have 1-1 signatures).
     
  18. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    XP sp2 (no updates), IE7, DW 2.56, Adobe 7.08
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you try a similar test with DW/WinPatrol not installed? I'm interested to see if it is related to them in particular as I just tried a similar setup (SP3 VM) and no malware got through (EDIT - said the inverse of what happened... coffee needed...)

    Also, does that VM image have a full Prevx license in it? That can make a difference with age/popularity protection.
     
  20. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    I have been following your Posts and you always have a definite positive answer, fix, workaround, and soon to be updated fix for every single negative Post about Prevx.
    Prevx always works for you and it is always the client's configuration causing Prevx not working properly. No Program is that dynamically perfect and no human is that dynamically intelligent.....although your performance here on Wilders Security Forums is very convincing to the average person.


    HKEY1952
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :doubt: I'm sorry if I'm being too truthful... when something isn't working properly we issue a fix for it, and a fixed version is soon to be updated so I'm not sure where the problem is o_O I'm not blaming the client's configuration, I'm just working to be able to reproduce it so that we can correct the problem.
     
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Forgetting Prevx for a moment, when I look around at these and other forums, I see a mixture of users with product X; those who have problems and those who don't despite the fact it's the same product and version being used. There has to be a reason why one user has an issue, but another doesn't. The trick is finding out why, but often that's not an easy task to accomplish, which is why some users give up and move on to something else.

    I came to the conclusion a long while ago that the developers cannot know the myriad configurations that exist out there, and that being the case some anomalies may occur. They can do their best to cover most scenarios, but not all. Each and every one of us has a different configuration, and, unfortunately, some software may cause conflicts.

    Those that say they have no issues are lucky; the software they have installed works nicely within their configuration. Other factors to bear in mind are the fact that some of these people don't have as many programs installed, and some, like me, don't run too many things at once.

    Having said all that, when the support division of a vendor tries their best to work with the customer to resolve any issues, that is to their credit. Sadly, that doesn't always happen; in this instance Prevx has to be applauded for at least going some way to try and fix things as quickly and as humanly possible.
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    But of course you're not convinced because you are not average, isn't that what you're saying? You are one of the very special people who show up now and then here at Wilders to enlighten the general population. I am so glad that I am alive during your time. :thumb:
     
  24. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    HKEY1952's post was rather cryptic. Not sure if he was praising Prevxhelp for finding fixes & workarounds or just working hard, seemed like he was praising all three. What a butt-kisser. JK :p

    I think it would be legit to crucify someone for not trying.
     
  25. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Full licence.

    I uninstalled DW, and closed WinPatrol. This time the malware was stopped (due to being recognized as malware, who knows why. Perhaps it is in the database already?)

    I just wonder: During my tests I have never seen age/pop heur. in action. Why?

    Could you do a favour: download DW trial, WinPatrol free and test that combo yourself?
     