Prevx RC 183 Behaving Strangely (Badly?)

Discussion in 'Prevx Betas' started by simmikie, Sep 13, 2009.

Thread Status:
Not open for further replies.
  1. simmikie
    simmikie Registered Member

    hey Joe & others, I decided to test P3RC's web security further. Using the MDL Malware Domain List, I began just working my way down the list. On the first site P3RC alerted and closed the browser (highly annoying; is there any way, Joe, to simply close the offending tab instead of the browser?), and P3 stopped the malware from loading.

    The second domain on the list provided similar protection, but I was curious to see what was on the other side, so I clicked Ignore. Well, P3 killed my connection and would not allow me to connect to anything, so I ended up closing the browser and restarting it to regain my connection. wth!?! Why even bother having an Ignore if one must restart the browser to regain control of one's connection?

    The 3rd malicious domain on the list P3 did not alert on; it allowed me to download the file (toolbar_uninstall.exe) and execute the file. Thinking that it was not malicious, I uploaded it to VirusTotal and saw something I have never seen there before: a perfect 41 of 41! Including Prevx! I then attempted to right-click scan the file and could not. Instead of P3 starting a scan, the Run file dialog box would appear (several attempts were made). Thinking the dreaded P3 MIA issue was in play, I did a full system scan (which P3 did perform) and the file was found!

    A couple of maybe related notes:

    1) I used DFW (DefenseWall) file status to ensure the file was untrusted. It was/is.

    2) When I ran the file it was not in DFW's untrusted files list, or, thank goodness, in the trusted running processes list, and I did in fact go through the install routine. That is a little strange, unless due to DFW's policy restrictions the file could not in fact actually install. I dunno.

    All in all I am not very pleased with P3RC in this little experiment.

    Mike
  2. ako
    ako Registered Member

    I agree, closing the browser is annoying. But on the other hand, you meet such websites very rarely in real life. I did testing myself too. In the first test everything was blocked. Later I HAVE SEEN MALWARE coming through ALTHOUGH ALL HEURISTICS SETTINGS ARE MAXIMAL, even age/pop heuristics.
  3. PrevxHelp
    PrevxHelp Former Prevx Moderator

    The chances of a stray malicious website opening out of the blue are extremely rare in real life, which is why we have decided to close the entire browser. Chances are, the user either just clicked a link from another website or some website has opened a popup window which is causing the infected website to start. Therefore, in order to block any other attempts from websites we currently don't know as malicious, we deem the entire browsing session as malicious and block/close it immediately.

    This is a known issue with build .183 and will be fixed in the next update.

    The "run" dialog box is a known quirk which I've explained in more detail here: http://www.wilderssecurity.com/showthread.php?t=252760

    I'm not sure why the file wasn't found immediately but it is possible that detection was added in the time between you first seeing it and VT scanning it. The files on MDL tend to be very new by the nature of the website so they would have most likely been seen by a very small number of users right at the start of their life which could explain the initial missed detection.

    If you still have a copy of the file, could you please send it to me so that I can investigate it further?

    Thanks :)
  4. simmikie
    simmikie Registered Member

    Thanks Joe for the reply as usual, and Miss America is on her way to you. You two play nice together! :p

    Mike
  5. PrevxHelp
    PrevxHelp Former Prevx Moderator

    Thank you for the file. I've checked it with our database and it has been known bad since May 2007 o_O

    I know it is illogical, but when you get a chance, can you try right-click scanning again and click Run on the Open File warning (the one produced by the right-click scanner itself to trigger the scan process)?
  6. simmikie
    simmikie Registered Member

    Well, you were on a roll, so I did not want to mention that when I uploaded toolbox_uninstall.exe to VirusTotal, the file had already been analyzed with a full-house detection!

    Also, I already did another right-click on the file, received the Open File dialog, clicked Run, P3RC scanned, found the file and did away with her. Was there something in particular you needed me to observe? While P3 killed her, I still have the zip I sent you.

    Mike
  7. PrevxHelp
    PrevxHelp Former Prevx Moderator

    I'm curious as to whether it is a DW incompatibility causing Prevx to not block the execution of the file in realtime. The scans definitely seem to find it fine, so it might be worth trying to run the file to double check that Prevx will block it.

    If not, I suspect DW is changing something in the execution path of the program which would cause us to not see it properly.
  8. simmikie
    simmikie Registered Member

    Okay, here is what I did:

    1) Ran the file untrusted with DFW protection active. The file initiated its installation routine, I went through all available steps to install, no untrusted showing in DFW's list, but the file even closed and restarted Explorer o_O Prevx absolutely silent.

    2) I ran the file as Trusted and with DFW's protection running, just not securing this file. The exact same as #1: Prevx silent.

    3) I shut down DFW's protection, all Untrusted processes shut down. I ran the file, went through all of the available steps, Explorer shut down and restarted, not a peep from P3.

    I am presently scanning with P3, started via right-click on the taskbar P3 icon. P3 found the file, but I am wondering, did it find the infection? It is only showing 1 file.

    I am a little nervous because my system is, with the exception of Shadow Defender running, completely naked. So I am going to flush my system by restarting, revert to a 6pm image, and do some scans with MBAM & Comodo AV, which btw found this infection, I just excluded it. So ciao for now.

    Edit: As I was ready to close the browser, I noticed the websecure icon is now green. It's my Opera browser, which always shows the blue icon!?! I wonder if disabling DFW is the reason?? Well, anyway, I am focusing on ensuring my box is virus-free....CiAo

    Mike
  9. PrevxHelp
    PrevxHelp Former Prevx Moderator

    Hi simmikie,
    If you have some free time, I'm available for remote analysis to try and diagnose what is going wrong with this as it definitely sounds like something is incompatible here.

    Send me an email or a PM if you're interested - we'll definitely get to the bottom of it :)
  10. ako
    ako Registered Member

    Hi Joe, anything to say on my comment above:

    I did testing myself too. In the first test everything was blocked. Later I HAVE SEEN MALWARE coming through ALTHOUGH ALL HEURISTICS SETTINGS ARE MAXIMAL, even age/pop heuristics.

    Is this still expected?
  11. PrevxHelp
    PrevxHelp Former Prevx Moderator

    I'm not sure what would cause that - it could just be a missed detection or an incompatibility with other software.

    If you'd be willing to have me diagnose it remotely, let me know and we can schedule a time :)
  12. ako
    ako Registered Member

    Always willing. However, it is very difficult to test, as now Prevx at least usually seems to work OK in my VM.
  13. PrevxHelp
    PrevxHelp Former Prevx Moderator

    An update on the issues: the issue was caused by an incompatibility with Comodo. We will have this fully corrected in the next version (not .191, which is being released now, but .192 or higher).

    If you are having issues and are not using Comodo, let me know. Otherwise, simmikie's issue and those of a couple of other users whom I've fixed remotely today are all related to Comodo's realtime protection clashing with Prevx's (but it can be easily solved :))

    Thank you everyone for the testing!