PrevX: "the good, the bad and the ugly"

Re: I applaud Prevx’s openness to sharing information

Bonsoir,

As I do not wish to start a new thread I follow this one by renamming my post
PrevX: "the good, the bad and the ugly"

*THE GOOD
-value for money: for 25 euros, the end users have a very good level warranty of efficiency, much more than av users have never had (some av like Norton have been sold in the past for about 60 euros, with a colander like protection).
-reactivity: i've seen more evolution in PrevX product in 4/5 years than in some av in 15/20 years.
-HIPS for the mass: as an HIPS militant veteran, i have always been convinced that this kind of product is knowledge based discriminative, and by this way,are only valuable as a niche market.
Like Sandbox/virtualization HIPS such as DefenseWall or Sandboxie, Prevx has finally find the right mix between ease of use/usability and effectiveness..
-Good support according to some read here, close to the end customer like most small editors,
ETC.

*THE BAD: externalization of security via the in the cloud architecture
First of all a little reply to EraserHW: https://www.wilderssecurity.com/showpost.php?p=1440630&postcount=18
I do not use PrevX (sorry but I don’t need it), and have nothing in particular against this product.
My various allusions to PrevX is a condemnation of the marketing department, not of the dev. Team ( making an HIPS made simple is really a good job, much more difficult than simply monitoring Zw* or Nt* API…).
And if I do not know how it works…well I am aware of the in the cloud approach before its application for PrevX:
Some research have already been published: http://www.eecs.umich.edu/fjgroup/cloudav/
And TVRProtect (TrendMicro Engine) or AV as a service exist since about 3 years: http://www.trvprotect.com/

No need forensic linguistic: the word “If” makes your comment already lapsed or "void ab initio".
I am in the sceptic side regarding the in the cloud approach ( http://www.crn.com/security/216900442;jsessionid=ZQ4T21CWZ2DBQQSNDLOSKH0CJUNN2JVN )
As a security purist, I believe that more the level of control on the Security process is high, and more it is possible to mitigate risks of Insecurity.
Quite incompatible with Security As a Service (SAS).
“In the cloud” is currently a trendy word (http://www.maigretsblog.com/wp-content/uploads/wallpapers-windows-seven-hd-57.jpg
no doubt that it will be used also for in the cloud sex by space tourism agencies!) which has seen the foundation of its corporation recently. This approach is just an evolution, and not the revolution that is presented by some marketing departments. This server/side security architecture makes the impact of the product more light on host client machines, and reactivity to zero day malwares /threats much more fast. No doubt.
But there is some real things about we need to worry
-impact on bandwidtch,
-privacy invasion that make this approach uninteresting for critical and high tech firms and infrastructures (no trust in any firm since there is no independent inspection of the data centers),
-legal implication of the required connection (real case that occurred to a columnist and translator friend: a client has given a usb key for translation, and when working during a train trip, he was infected by an autorun worm: as there was no internet access in all TGV 2 years ago, what could be the responsibility of the SAS provider/PrevX in such case?
What about possible DDOS against PrevX as it was the case in the past for more larger antimalware editors and giant companies like EBay , Amazon or MST…
More over is it really credible to think that any sophisticated heuristic engine helped or not by an in the cloud “technology” can be a replacement to human decision, or can be more effective than locked systems in an isolated network architecture?

 

Re: I applaud Prevx’s openness to sharing information

Prevx 3.0 is a good product. I still want to see where they take it. But they are doing a very good job in all areas of what it takes. I love Eset, but Prevx and Vipre quickly follow.

 

Re: I applaud Prevx’s openness to sharing information

OUPS...i really need to practise my english, so...

*THE UGLY

-Bling-Bling , pretentious and dishonest marketing
The English word Bling-Bling is in highly vogue in France and does not rely on the Gangsta Rap, but refers to anything ostentatious.
I’ve seriously analyze the AV/HIPS testing dilemma in theory and in practice (I guess that PrevXHelp would certainly appreciate my approach of testing done for Kaspersky: http://ssta.over-blog.fr/article-10792223.html
And i am finally convinced of the emptiness of comparative testing.
And I applause the objectivity of PrevXHelp regarding AV tests and organizations: real objectivity is quite impossible (or only with adepts of Sacher Masoch and with suicidal tendencies) for any av developer for evident interest conflicts reasons.
The PrevX marketing is not worse as what have been practiced by the av industry since years: the VB100 is one of the most B***SH*T and vicious marketing logo never used for software, if I could even say product…
When the potential customer buys the av box at WalMart, Carrefour or Tesco, he/she expects that it will stop 100% of virus (malwares in general).
But in practice, none VB100 certified av has never or can stop 100% of malwares.
And worse, the license/Eula of most av includes a special alinea where it is said that the product can’t stop 100% of malwares…
I let any lawyer or customer advocate naming this a "fraud" or simple misleading advertising.

I was allergic to PrevX Bling-Bling and pretentious marketing since years, and this in fact the mean reasons of my PrevX condemnation in some posts.
Since a long time; PrevX claims protection against zero days.
This is here a lie. And sorry again for posting one of my sophism:
"Software is composed of line of code,
But any line of code can theorytically be broken,
Then any security soft can be defeated."
I guess that the serial zero day posters Luigi Auriemma and r0t could not be disagree with this sophism (http://blogs.iss.net/archive/2008Top10VulnResearc.html )…
This sounds more funny when the PrevX version checked 2 or 3 years ago uses shared section of memory, a bad idea in secure coding ( http://blogs.msdn.com/oldnewthing/archive/2004/08/04/208003.aspx )
The terminology zero day malwares, different from zero days (=attacks) is more correct and appropriated.
But as this pretentious argument has disappeared with the version 3.0, the Simple Minds theme-song “promised you a miracle” is not for PrevX anymore , but maybe for F-Secure (http://www.f-secure.fr/news/fs_news_20081217_01_fra.html ), the French StormShield (http://www.skyrecon.com/en/Stop-Zero-Day-Attacks-Endpoint-Protection-Software ), and certainly many others for corporate use like the recent forensic solution CXI (http://www.imaginelan.com/insdisc/cxi.html )

Dishonest marketing:
This criticism concerns mostly the antivirus comparative testing and the affirmation “we detect threats that other missed”.
This claim is dishonest towards other av/antimalwares editors and towards the potential customer.
For various reasons that make this comparative test totally lapsed.
1/the methodology must be equal: all product should start on the same line .
For instance it is not serious to test comparative performances of Subaru Impreza vs Hummer vs Smart vs Caterpillar vs Toyota Camry vs Bugatti Veyron
In a few words only compare the same category of product, not only the same family.
In this case, some product are pure blacklist scanners, some other are real antimalware suite which integrate an hips module like KAV .
2/a reliable test must demonstrate the full potential (push the limit) of a product.
This is not the case here.
Are you sure that the installed av is active? Well configured? Updated?
Are you sure that the HIPS module (for kav for instance) is enabled and set to the highest settings?
I ‘ve evaluated Kav vs rootkits, and have a big collection (stored in an online non French server of course) of rootkits (a must know in computer forensics) and the number of rootkits missed by Kav is quite funny.
Well I’ve caught new rootkit in February and here’s the scan on VirusTotal:
http://www.virustotal.com/fr/analisis/e5fceb1d2775f9ee3c062911ad489ca5
It seems that BitDefender, Avira and many other AV detect threats that PrevX missed isn’t it?
And I can give many examples…
Comparative testing via online scan are not serious would you say…but comparative testing via in the cloud hosts is not serious too…it is like "l’Arroseur Arrosé" (http://en.wikipedia.org/wiki/L'Arroseur_Arrosé )
3/ Test must be repeatable and verifiable; quite impossible with the” in the cloud “architecture.
In order to be verifiable and repeatable, the test environment must be under control.
But controlling client hosts means that PrevX is firstly backdoored…
But off course network talkative products does not mean backdoored products.
4/ test must be independent
I’m already surprised about Pleonasm who considers some well known av test organizations as independent (financial deals between testers and editors), but in our case it is the editor itself who provides the test (who can better serve ourselves than ourselves).
Such comparative tests are published by other editors but only on their datasheet pdf papers, and more than serious tests, can only be considered as advertisings.
ETC.

Therefore, for all these reasons, the comparisons between PrevX and some other editors is just a statistics overview of what infections occurs in the wild on PrevX clients hosts, at date D and time T.
These statistics do not demonstrate in any uncontestable way that PrevX is better or more effective than the other products.
As I suggested in another post, if PrevX is the so called wonderful product claimed by your marketing, then just launch a rewarded defeating challenge and we’ll see…
Or put these statistics on your datasheet papers only instead of your site.
This post is only motivated by the defense of Ethics and Deontology, it is not against or in favour of PrevX.
And as I do not wish to practice “Muay Thai air “ on this area, I hope that your arguments will be more valuable than the last sentence ( https://www.wilderssecurity.com/showpost.php?p=1440650&postcount=21 =level 0 of evolution, far but so far from the Monkey Era) of one of your defender against my avatar ( for sure a Sun page 3 based avatar would certainly be more appreciated!).
Best wishes for your product as I could say for any HIPS editor.

Rgds

 

Re: I applaud Prevx’s openness to sharing information

Hello,
I will respond to each one of your thoughts

We've had in-the-cloud products released for 4+ years and have been developing our technology for the last ~7 years and frankly, the "externalization" of security by protecting from the cloud is the best way forward. Shipping out definitions to end users is actually FAR more "externalized" than a centralized approach - the AV vendors have no concept over what data they're actually looking at on the end user's systems.

Depending on the frequency of scans, our bandwidth usage is around 2MB per month, on top of the 800KB download. This is in comparison with other AVs which have ~70MB product downloads followed by 100MB definition downloads, and then updates on top of that. At this rate, it would take Prevx 7 years to use more bandwidth than the initial install of a conventional AV, and bandwidth usage decreases after it has been installed as it trusts the data on your system more.

This is always a possible concern, but we have many large enterprise customers and in the end it is a case of trust - we are a legitimate company and not interested in private data from the end users, only information to help protect them. Our data storage and collection is in full compliance with the Digital Data Protection Act.

We're working on ways around this when offline, however, the threat would be immediately detected and removed as soon as the internet was restored.

We're always under DDoS attack, most famously by the Gromozon rootkit a couple years ago. Our datacenters are highly redundant and linearly scalable so in the worst case, we would fall over to a less powerful server and scan times would be slightly longer.

It isn't a replacement for all human decisions - our heuristic engines are guided by humans and our researchers frequently write additional heuristics to help tune the systems. Locked systems in an isolated network are of course the most secure way to run a corporation (and our Enterprise software offers this functionality as well) but that is not a solution for the average home user.

 

Re: I applaud Prevx’s openness to sharing information

We offer protection against zero day threats, we never say that we protect against ALL zero day threats. No security is 100% and everything can be broken, and we openly say this everywhere possible (you'll find many posts from me which say this )

I wasn't involved with the older Prevx software, but indeed there were some issues, not to mention the performance overhead. In Prevx 3.0, we have removed literally EVERY line of code every written before and started completely fresh. We don't use shared sections at all and I'm surprised that we did in the past.

Zero day malware (malware spreading on the first day it is released) and zero day attacks (malware spreading very quickly via some exploit, etc.) are different concepts entirely, however, we offer controls to the user to help combat these with great strength. In the Prevx 3.0 Heuristic Settings page, you can configure it to automatically block any threat that is < a certain age, meaning, if a zero day threat is spreading to 50 million computers TODAY, we would block it immediately by concept.

I don't see how this is dishonest at all. We see more than 10,000 infections on user's PCs which are protected by existing antimalware solutions, so indeed we do see threats that the others have missed.

We deal with average, every day users. In a real antivirus test, heuristic settings should be at the default that are installed by the average, every day user. It is possible that some of the users are outdated, but in the end they are relying on their installed AV solution to protect them and the fact that infections still exist shows a failure of that.

Sure, this is definitely true. No solution is 100%, we aren't 100% at all.

If any vendor wants a copy of the data/samples used in the tests, they are more than welcome to contact us (and some have, whom we are now working with to better eachother's products).

We would not do this, nor would any other AV/security solution because it would be broken.

We offer this data to the general public to help show that no AV is 100% - the one that they're using can fail them. That is the intention behind these comparisons, it really is for public education - not to try and say we're better than the others.

Let me know if you have any other thoughts!

 

What, don't tell me it's allready finished! Or did it all happend when I unfortunately felt asleep?

 

Re: I applaud Prevx’s openness to sharing information

Before its application for Prevx? TVRProtect? As PrevxHelp already told you, we're using this approach for more than 4 years, far more. This is why I proposed you to ask before doing some comments.

You've already given the answer to your question, and this is more true than ever if you talk about rootkits.

We said we can catch threats that other miss, we never said we can do any kind of miracle

Doing a detection test does means that you check how good is the software installed in your machine to detect malicious softwares. If the software has a local signature database or a centralized one with server side heuristic (and much more I won't listen here now) this is not a problem at all. Controlling client hosts? Why would you need to control client hosts? With what goal?

 

Re: I applaud Prevx’s openness to sharing information

PrevX,

First let me say that I think PrevX really is an innovative company both in marketing and software development. To my knowledge one of the first company to offer a full lisence model until infected. Also the smart age/popularity control of your product (age: looking at most likely suspects, new installs, popularity from blacklist to whitelist) really appeals to me.

The point on which I agree with Kareldjag is that since no security is 100% every security product is likely to catch malware others won't find (virus total is the living proof of that). This is no unique selling point, marketing it as a unique selling point is dodgy (to say the least). No I know your not litterarely saying that, but you hint at it at an obvious way. So it ican be easily interpreted as a promise or claim.

Transparency is the key word. Internet increases transparency, it was the main force behind the high demanding consumer trend which rised in the end of the nineties. So for a company whose core business is electronic business, this so called publication is against all rules of thumb in webmarketing. I am a marketing sales director (last five years in branding business, but 18 years before that in ICT, before that I was a DataBase/Communications/security specialist in the days a mainframe program had to be limited to 64KB) and every marcom specialist who would propose such a stupid webpage, would get the following reply: Yeah great idea when you want to get sacked.

According to my profession, this is not a bit off, but way of track. Therefore I understand why you trigger so much emotion from a knowledgable person like Kareldjag. The reason for posting this, is that Kareldjag makes a good point, but he wrappes it up in so much nerd like argumentation, that I fear his point is not likely to be addressed by PrevX.

So do yourself a favour and think of other means to market your product. I understand that a small company has limitations and has to do something which breaks the borders to get attention with a limited budget. But please this is defintely a wrong border, when you sell trust on the Internet.

Regards Kees

 

Kareldjag, I am not in a position to “audit” any anti-virus testing organization. When I spoke of “independence,” I was referring to the minimal criterion that the test was performed by a group that is external to the anti-virus vendor under consideration. Beyond that basic condition, adherence to standard scientific principles in the testing methodology – e.g., repeatable and verifiable – is, of course, also essential.

* * * * * * * * * * * * * * * * * * * *​

The issue of the potentially misleading nature of the Prevx marketing practices has been explored in some detail in this thread. From my own perspective, the bottom line, unfortunately, is:

* * * * * * * * * * * * * * * * * * * *​

Kareldjag, your observation may be true, but it still is not a justification for the Prevx marketing practices, in my opinion.

* * * * * * * * * * * * * * * * * * * *​

PrevxHelp, strictly speaking, by the “letter of the law,” you are correct. Rather than “dishonest,” I might be inclined to use the word “disrespectful.” As I noted previously:

* * * * * * * * * * * * * * * * * * * *​

Kees, I do agree – there is a lot to like about Prevx. However, the company may be well advised to “think of other means to market your product.”

 

Excellent. Same here.

Why start now? Your security methods worked for you for 10+ years prior to working for a software company.

 

Because users everywhere are getting infected by the millions and the AV companies need as many hands as possible to protect them Myself and the other Wilders users here are not the average user.

 

I respectfully disagree with the points made that our marketing is inaccurate/dishonest/disrespectful. Looking at other companies which have the phrases "Total Protection" or "Total Security" in their title... that is the epitome of dishonesty.

What we're trying to do with saying we detect threats the others miss is show users that the other vendors are lying when they say "Total" anything. When an average, every day user goes to Best Buy to buy a shiny new AV, they pick up the box that says it will protect them better. Slapping the word "Total" in front of the name is a great way to draw those users in.

However, in a few months, those users frequently get infected with something or notice that their computer is slowing down/showing warnings or that their bank accounts are now completely drained from identity theft due to malware.

That is where we come in - "we find threats the others miss". It is a fact and therefore not a lie. Sure they may find threats that we miss, but in the end, a user isn't going to buy our software unless they get some benefit from it. If it actually finds the issue they've been having (which their current AV missed), then they'll come to us for help. If we miss it, they'll uninstall us or keep us "just in case".

We don't provide "Total" protection, and neither do the vendors that say they do right on their boxes. Our homepage charts are there to help debunk this myth that security can be bought in a single product.

 

I think the bottom-line is: there's nothing that can protect from everything. Something can however detect something another product missed, and that's why you run a layered solution which can even include restriction based software like through sandboxing - that's, if it suits you, the user.

 

PrevxHelp, two wrongs do not make a right. You are correct that the use of the “total” word by other anti-virus companies is possibly “dishonest.” That does not, of course, justify another action that may be equally troublesome.

PrevxHelp, I for one have never called it a “lie.” Strictly speaking, the claim is accurate – but, I maintain that it is also misleading, nonetheless. Indeed, every anti-virus vendor could also state with confidence that "we find threats the others miss."

Marketing is about creating perceptions in the minds of the target audience. Clearly, as you have seen in numerous posts in this forum community, the perception of your target audience is that the “missed threats” statistics on your home webpage are perceived as misleading by some individuals. Your intention about how the statistics should be interpreted is, in a sense, irrelevant. The only thing that matters is the perception.

More importantly, Prevx seems unwilling to take any steps to ensure that these statistics are in fact correctly interpreted. My suggestion, previously offered, is to “clarify the situation by explicitly stating in the ‘explain this chart’ section of your home webpage that (1) the statistics do not allow a reader to make an informed comparison between products; and that (2) Prevx also misses threats that the competition does not, to an extent that may be less, the same or more than other products.” For those users who interpret the statistics in the way that Prevx intends, no harm is done. For those users who may misinterpret the statistics, however, Prevx would be proactively educating them. Why is Prevx opposed to this simple solution?

 

Can this software detect and remove the WINBLUESOFT trojan/virus? How bout the worm/autorun on USB Flash/HDD and Primary Master/Salve - Secondary Master/Slave HDDs or RAID SATA HDDs? Without crashing?

 

Just curious, when can we move onto another company? The past few days this board, led by you, has done a wonderful job of finding fault with the way Prevx advertises and the privacy statements. I personally would like to move onto ZoneAlarm when you are through fixing all that is supposedly wron with Prevx.

As you stated, the perception by some is that their advertising is misleading. Well with over 5million customers there seems to be many who disagree.

And the perception by some here is that you appear to have a vendetta against PRevx.

 

Yes we do, and to answer the problems you were having before - that was a rootkit affecting the install of Prevx (as well as any other security program you would try). To avoid that in the future, you can install using a randomized filename by clicking Options before installing and you should set the self protection level to maximum.

 

Protect their jobs.

 

No let me make this clear to you. I didn't get this WINBLUESOFT, I got a call telling me hey check out this software, but when they didn't' call me first it was too late to stop them. I'll recommend this software to him but I needed to know if it could find this threat and was able to remove it without crashing from the pest trying to stop it from removal. I've alerted Rising also about this threat too. In the mean the the guy doesn't know what to do as this bug is doing strange things to his PC.

I tell them don't download anything you don't know? Don't go to www.2xxxx.com Just don't go to places you don't know of. Anyway thanks for the feedback..

 

In the event that it doesn't work properly for some reason, we guarantee malware removal so we'll help him fix it manually if needed

For what its worth, no other user has ever reported the crashing problems you were experiencing so I'd err on the side of it being a one-off issue rather than a real problem (which should be able to be solved by installing with a random filename and enabling maximum self protection as well).

Let me know how it turns out!

 

How does having a high number of customers imply that a companies advertising is not misleading ?

 

The Prevx Team must be doing something right. They are under gang assault.

The Provocations have most likely increased due to changes that force impotent attackers to work harder. Out of frustration they pick apart ideas instead of softwares.

Nudge, nudge. Wink, wink.

 

Ok. Maybe not directly but I as a consumer would never buy a product if I thought the company used questionable tactics, even if those tactics are deceptive advertising. Especially a security product.

 

Happening a lot altely

 

Indeed therefore it is not a unique selling point. It is the same when a car company advertises, our cars have wheels!

A valid point when you made this explicitely clear on that page, omitting that is what obfuscates it.