Prevx1 vs Prevx1"R" ?

What is the difference? Is it that one is beta for testing using us as testers and the other is already final? Is it worth paying the $20 price tag when you can use the Prrevx1 "R" for a year? Also I noticed you can still change the protection to PRO and Expert in the "R" consule, does that change anything in the free license? What is the privacy issue that one has to think about when using the "R" vs the paid? I noticed that it automatically wants to send all malware to Prevx, would disabling that be wise being that it wont help out the community database. I noticed to get better support, you have to send information about your computer to them even though it says no personal information sent.

dja2k

 

the only difference i know is that prevx1r is offered as free beta.

as for the community database, u can turn it off, but it wouldnt be the best thing to do. using submitted data, prevx1 can automatically mark programs as bad (and possibly as good as well)

 

Yeah thats what I figured. Also I think if I change from regular to pro, I can use query instead of using the community and will be prompted on unknown running software. Thanks WSFuser...

dja2k

 

Well, it's about time I let everyone know that I recently started working for Prevx doing malware research (and we all do support), so I can now give you official answers to any questions you have about Prevx1 I didn't mention it sooner because I had a pretty rocky start (I also hoped to wait for some big announcement, but it doesn't look like there's going to be any in the immediate future), but hopefully you all can appreciate (although I'm sure some will still hate me forever now) that I have made an effort to keep any mention of Prevx1 purely technical as long as I've been associated with the company. The straight out recommendations that I've made for the years up to now have been when I had no other association than being a beta tester (which was not paid or anything). With that out I will start keeping all my posts on a more technical level, but hope you all can also appreciate that I still just come here on my personal time, so if you need technical support I ask that you go through the official channels, so my PM inbox can be free for those that wish to correspond on a personal level. I'm happy to answer any general questions on the forum, though. As a personal aside, a massive Thank You to all, especially Paul Wilders and staff.. I probably still wouldn't even know about Prevx otherwise!

So, to the subject at hand. The only difference between Prevx1 and Prevx1 R is that the R version is beta, and that's it. Basically, instead of having to sign up for the beta, you can just download the R version and use it free for as long as you want to, we just ask that you submit any problems you encounter so that we can fix them. Basically, if you like beta testing then get Prevx1 R, if you want/need stability then get the regular Prevx1. We do a lot of internal testing before releasing to the R users, but there's always a chance that you'll encounter some problem, so be prepared. You generally don't even have to reinstall, but the posibility is always there. During the times that there is no public beta version available, you will be using the same version as the regular users. You can use the R version free for as long as the program is offered, not just one year, although it can be ended at any time.. but there's no plan to do so in the forseeable future.

No version of Prevx1 sends any kind of personally identifiable information. Basically the way the database works is that instead of downloading database updates, like with your AV, you just access the database online. This closes the gap between when new malware is discovered and when detection is added. Once we mark a file good or bad, you have access to that determination pretty much instantly (instead of waiting for it to update). What's reported is exactly what you see in the Protection Settings and on the website, and if it's already been seen then it just adds anohter number to the statistic. This is only information about how executable files interact with your system. Prevx1 does not have any way of looking inside files, and does not pay any attention to files that would have any personal information, there's no reason or need to (we have terabytes of data as it is, any more would be unmanagable and seriously slow down the servers). Prevx1 is primarily about behavioral heuristics. With the way that this works, Prevx1 can see and block new malware very early on. As soon as the first new file is seen on the first system running Prevx1, we can block it. Then the researchers, like me, keep an eye on what's coming in, in realtime, and mark them good or bad. This means that some new malware has detection added within minutes of when it's very first seen, and that's if it makes it past all the heuristics. We also add heuristic rules any time we start to see patterns in what's out there, there's more added every day. If malware starts using something that the protection settings don't cover, then we can issue an update for the protection settings very quickly.. in about the same time it takes for an antivirus company to put out a signature update Of course then you have the prompts if you're running in Pro or Expert mode. My personal recommendation is to stick with Pro mode unless you think you have an infection, and then it's probably better to use the Program Monitor once you know what file it is. I say this because in Pro mode you only receive prompts for what's unknown, and not programs that are known to be good. This means that the liklihood that any given prompt is malware is a bit higher, and you're much less likely to start blindly allowing things.

I know that's a little more info than you asked for, but I hope that gives a more complete picture of how it works and why it does what it does. It's been a challenge to try to really convey what Prevx1 is all about to a general audience. It's not purely a HIPS and it doesn't rely solely on signatures either (they just make it more user-friendly). It's something of a mix, without the downfalls of either, but taken in a slightly different direction. The live database is what really allows that.

 

Notok,

Congrats wrt Prevx.

I have a question regarding Prevx thats been on my mind for awhile. Some brief background. I started using Prevx Home well over a year ago and soon upgraded to Prevx Pro 2005 on both my PCs. As I also run ProcessGuard, I have been in no hurry to upgrade to Prevx1. I have read various posts, some by yourself, here at Wilders and elsewhere regarding upgrading and they go both ways. I remain on the fence.

Here it is: Prevx, relative to most security products, is data rich. I have always allowed data to be transmiited from my PCs to Prevx with little concern. My question is, does Prevx currently or are they planning in the near future to mine the data they collect? This seems like a real opportunity to harness all this data that would likely overwhelm human analysts, not that they would be precluded from doing top-down analysis of the data. Note that I am not asking for any trade secrets on algorithms, etc.

I have done some Google searches on "prevx", "data mining", etc. with no conclusive results.

Regards,

bktII

 

great to hear ur working for Prevx, Notok. congrats and thanx for the details info as well.

 

Thanks for the kudos, guys, I appreciate that

bktII: I guess it depends on what you mean by data mining.. the agents collect a LOT of data every day, for the past couple weeks it's been over 100k new and unique files every single day. As you can imagine, that's more than anyt but the largest team can manually determine. So we're continually figuring out new ways to look up and determine large amounts of files and making up new heuristic rules that will do it automatically (the heuristics catch a lot, but there's still a lot more).

Now as far as statistics; sure, some. Prevx is in the "malware intelligence" business. The way Prevx1 works allows us a sometimes unique view of the spreading of malware. When you see an article or interview with a malware analyst about a particular malware variant, and they're saying "We think it's coming from [X], but we're still researching", we already know.. the data is right there in front of us, I can just look it up. We do communicate some of that with organizations like SANS. What exactly will happen in the future, I'm not sure of.. I'm not real saavy on the business stuff. It's entirely possible that we could partner with other security vendors and/or firms, and may have a need to correlate that info in new ways, only time will tell. Right now we collect the data and use it for protecting Prevx1 users in any and every way we can, correlating that data in other useful ways is certainly a very real possibility.

 

Notok,

Thanks for your prompt reply. I will continue to keep my eyes open wrt Prevx and data mining. Given the data volume you have described, I cannot imagine Prevx not employing data mining. But not just the files; also their behavior, what they do, how they interact...

FYI. Here is a good site for data mining http://www.kdnuggets.com/ I'm sure there are others.

Please note I am not suggesting that you have lots of free time!

bktII

 

Hehe, I know what you mean

Just keep an eye on http://www.prevx.com/ , things are always developing. You can already do searches for specific files. Also take a look at "Prevx1 Insight" for realitime lists by behavior, and the File Info Center for new files. I get the feeling that at least some of what you want is already there, even if a bit limited.

 

Notok,
I just installed Prevx1 to see the reaction of my new computer.
The installation ran without any problems, no malwares were detected and I have a green status LOL.

Question : can I install Prevx1 OFF-LINE and connect to internet AFTER installing Prevx1 ?

 

That's good to hear, Erik

You can install it offline, it just needs to be online to activate the license/trial and do the verification (after the disk scan).

 

Just a quick post...... I don't use Prevx at the moment, but if I was borderline, then knowing Notok was there would certainly edge me over into buying this product.

Congrats

 

That's good to hear too, because I prefer to install new softwares off-line on my computer, especially when I want to install my computer from scratch.
I will try to install it off-line next time.

The trial period of 60 days is very good, I wished image backup and snapshot softwares had such a long trial period.

I was very pleased with the GUI of Prevx1. I remember that Prevx had a very ugly and very dark GUI in the past, but the new GUI looks very good.

 

Wow that sure was a detail posting on Prevx1. Thanks as always Notok, I appriciate the fast response. Also congrats on working with Prevx. Talk about moving on up and leaving us little people behind But anyways, I too have isntalled prevx1 "R" and set it to Pro mode. The only thing that i had to set to probation was my Nvidia Driver cause it was giving me a red light maybe because its an NGO optimized driver.

dja2k

 

Hey Notok, what can you comment on people saying that Prevx1 slows down systems if you are using similar products? - what products are considered similar to prevx1 HIPS since some HIPS cover a little different than others. This information would be useful so I wont overlap them exactly to what prevx1 does and to know what to drop in my list so that prevx1 doesn't overlap. I mean is Online Armor considered overlap? Does other malware scanners in realtime like Ewido considered an overlap as well? Do sanbox programs interfier with prevx1? Any others that you know of that do overlap and are known to slow down prevx1?

dja2k

 

Hey, great news! Congratulations, Notok

nicM

 

lol, I'm still here, aren't I?

I thought we got all of those. Double click on the file and copy the line at the top of the page that brings up that says "Description of the product known as xxxxxxxxx", PM it to me (or click the "Disagree?" link on that same webpage) and I'll fix it for you.

The ones you'd really want to watch out for are programs like CyberHawk. A lot of it really has to do with what kind of driver they install, mainly a file system filter driver. The problem is that Prevx1 covers a whole lot of ground, so there's likely to be overlap with just about any behavior blocker. Online Armor would probably be an exception since it doesn't use the same kind of driver at this time. However they're always fine tuning Prevx1's performance with every release, so it may not be as much of a problem now as it has been in the past. Of course with any similar apps you always run the risk of conflicts in some way, so if you're going to go that route then just be careful and have a disk image/snapshot ready.

Scanners are no problem, they're totally different, although some people get slowdowns with Ewido anyway. Prevx1 still basically functions similar to a behavior blocker on a technical level, but what's done with it is different. It's still not really a HIPS or a scanner.. Prevx1 is actually a CIPS (community intrustion prevention system), it prevent intrusion into the community, not just the hosts that choose right. That's probably the best way to think of it.

 

Thanks nicM, and eyes-open!

 

Notok,

Regarding our brief discussion of Prevx and data mining above, a poster by the name of "PrevxCares" has posted on another thread at Wilder's here:

https://www.wilderssecurity.com/showthread.php?t=129548

Not quite admitting to data mining, but certainly hints at it. The term "data mining" may be something that Prevx management wants to avoid using as it is a has, unfortunately, become a hot-button privacy issue for many people and orgs. Like most things, data mining needs to be understood and evaluated based on how and for what purpose it is used; there are "good" uses and there are "bad" uses (clearly subjective).

bktII

 

I guess I'm still not entirely clear on what you mean by 'data mining', can you elaborate on what you have in mind? We don't just collect the information for the sake of collecting it, we do use it to implement protection. We mark them good or bad as appropriate, we also look for patterns for creating heuristic rules and such, and generally do intelligence on malware in general, seeing where it's coming from, what it's doing, how it's spreading, and so on. What this does is resolve both the problems with pure behavior blockers (you don't have to make decisions about cryptic alerts nearly as often) as well as the problem with pure signature scanners (the live database means the turn-around time on blocking new malware can be minutes, if not instantly by heuristics) and add different kinds of proactive protection whenever we can. This also means that you don't have to handle the malicious files or worry about sending them in yourself, it's analyzing it's behavior as it happens, so we don't have to worry about getting the files and analyzing them manually before we can see what it does and protect against it. We still do that to some extent, but your protection doesn't depend on it.

As an aside, just wanted to clarify that we don't collect actual files (unless you have the "Protection Plus" option enabled, which just sends small files that have been identified as malware.. we can also request specific files, for which it will ask your permission before sending), but just some hash information and some of the same stuff you see when you right click on a file and select Properties.

 

Notok,

"We don't just collect the information for the sake of collecting it"

I was never implying this. There is very clearly a great deal of intelligence in Prevx's approach. This high volume data-based approach is a primary reason I use Prevx on my computers.

" ... we also look for patterns for creating heuristic rules."

This can be done in a "top-down" manner by human analysts who have great knowledge of malware. Humans are very good at this. In this case, the analysts look for patterns in the data using a variety of tools. However, when there are huge volumes of data coming in, the phrase "drowning in data" often applies to human analysts. In addition, it can be done in a "bottom-up" manner using machine-learning and statistically-based algorithms that generate rules from the data. These algorithms excel at high data volumes. In this latter case, data miners (or modelers) "drive" the algorithms that use the data, and human analysts work with data miners to harvest new rules and improve existing rules to achieve some objective. In Prevx's case, I would guess that objectives would be identifiying something as a class of malware, classifying something as malware vs. legitimate, etc. Also, "bottom-up" and "top-down" approaches can be used simultaneously. It does not have to be one or the other.

The results of these efforts most likely map to "heuristic rules" that I would guess are applied to (1) the incoming data streams that Prevx receives from it's clients and (2) behavior on individual computers that have Prevx installed. Here I assume that Prevx updates provide, among other things (like this file is OK and this other file is not OK) new and modified rules to its clients.

Lets consider Microsoft's recent release of verclsid.exe, Prevx initially identified this as a rootkit (presumably a false positive). Later it was changed to safe. Please note that I can only guess at the rationale behind the initial classification and the rationale for later changing it. However, given the recent Sony fiasco, I am glad to see Prevx take a data-driven approach.

 

Actually it seems you have a better appreciation of what Prevx1 is about than most Just to clarify one point; the heuristic rules are actually on the server, so you benefit from them the instant they're added, rather than having to update. The latest "R" version will download some of the heuristic rules and file determinations, though, so that you will still have decent protection while you are offline, but mostly the updates that you get are for what kind of data is collected and in some cases what you are prompted on. Basically just what you see in the Protection Settings. So, for example, when the WMF exploit came out, an update was issued so Prevx1 would monitor WMF files.

To the subject at hand... Yes indeed, some of that stuff is done automatically. At this point it is somewhat limited just because we have to be careful to not end up with too many false positives or negatives, but this will surely be improved, especially as we implement new ways of getting different kinds of data.

I'm not 100% clear on all the technicalities of how these things work but our 'database gods' (with ever-growing portfolios of miracles) and low-level gurus, with a lot of very in-depth knowledge of these things, are always hard at work coming up with new ways to do just what you're talking about in a variety of ways and on several levels. Basically the Prevx team consists of a variety of specialists contributing each of their areas of expertise to the product to combine many layers into a smoothly working whole. Ultimately the goal is to make Prevx1 as automated as possible. We hope that one day the researchers, like me, will just be monitoring what's coming in, and not having to do many (if any) manual determinations. There's a lot of layers to the protection, some of it is over my head. So yes, and that applies to not only practical application of the data but also intelligence gathering.

If nothing else, just consider the fact that in under a year the detection has gotten up along side the AV vendors that have been amassing their databases for years, and in some cases even surpassing their detection rates for some things, and most importantly with a fraction of the number of staff (and the small number of staff is intentional). Also consider that when a program is being verified online, in that split second that it takes to return the verdict, the servers are sifting through many terabytes of data and applying it to hundreds, if not thousands, of rules. It does take quite a bit of sophisticated data manipulation and application to acheive that, for sure. In the end some of that will be done on the agent, some automatically on the server, and I'm sure there will always be some done manually, just with some tools to do large amounts fairly easily.

So in short; yes, the way the database works is very robust and complex, and is being continually improved and refined on all levels towards the goal of making better use of the information in the database. Although not everything will be openly available to the public it should become noticible in the product's performance, if nothing else. I'm also sure that at some point in the future this information will be used, in some way or another, by other anti-malware companies as well, and I'm sure they will need to be able to use large chunks of useful data without having to sift through it manually. Exactly what the future will bring, only time can tell.

Hope that helps, if I missed anything just let me know

 

Notok,

Your explanation does indeed help and is appreciated.

I look forward to seeing Prevx develop further.

bktII