I was wondering, PREVX when it was its own product was great, and had detection rates even in its infancy. Now it's a part of WSA, WSA does not do even half as well. I am wondering why, as by rights it should do better as to my knowledge it is PREVX with webroot signatures/prevx's own, and extra webroot security tools. I have found this to be very untrue, and wonder how seemingly the webroot team has cut the prevx base detection by half? I am generally interested, as webroot could have done nothing, recolored the PREVX window, and re-sold PREVX with better detection.
I'm not sure where you get the "cut by half" idea from. Recent tests show Webroot to be doing well, although by their admission the last couple of AV-C test results could have been better. Some corrections have been done to the database backend following some internal investigations, so we should start to see even better results in future tests.
This is untrue. I don't know where you get your information from? WSA is a superior product and all Prevx users will be upgraded to WSA at some point! TH
It's my own personal opinion, from self testing and looking at other independent results. I know the prevx team are great and are working hard as always. I am just curious as to how supposedly the database back-end got into trouble in the first place.
Nothing has cut the detection rates in half - the Prevx database/logic exists exactly as it was within WSA's backend but now with massive improvements all around. The "issues" in these tests have never been in trouble for actual users. The lessened results only occur when someone tests a great deal of threats in a short period of time. The database was using a subset of rules to prevent a cascade of false positives if a rule wasn't selective enough. This was relevant when many new infections were seen in a short period of time - something the average user doesn't run into, but something antivirus tests do by design.
This makes sense, thanks. I can understand how having something to stop a cascade of false positives could have such a detrimental effect on traditional testing. I do find it interesting though, as it could be used as an attack vector against WRSA, for example a simple piece of code that replicates itself slightly differently every time in quick succession. If I'm understanding correctly, even if it looks like a threat, is there some level of replication at which WRSA would just ignore the files' actions?
They wouldn't all be unique threats - it would be copies/new versions of the same threat, which doesn't get caught in this logic - only fully different threats.
True, but what if they are a cluster threat, I am talking many small ones. If for example someone took code from other threats, and created a portal on the computer, or even multiple, where many small threats are downloaded from a server somewhere, and with that also a completely unseen threat that won't get picked up by WRSA as it's non-recognizable, and also bundles it with so many other threats that WRSA considers it suspicious but ignores it because it feels that it's pulling FPs. Yeah, WRSA will get rid of all the other threats and fix the problem, or someone will use other software, but that one threat that could have been caught goes away in the wind. I know it's an out-there situation, but maybe one you need to re-assess. I know that people are clever, and if this would work then it will be done one way or another; you guys have made it easy by explaining the problem.
Uh, well first of all, Prevx 3.0 was NEVER tested by the major organizations that release test reports... so we don't know (nor will we ever) how Prevx 3.0 would have done on AV-C/AV-T... Therefore, saying "cut detection in half" is a completely invalid and incorrect statement.
Well, in any case, we removed this logic in favor of a different FP-prevention approach, so it won't have any risk of this type of attack.
Also, from what I saw, when it encountered such a cascade detection, it would alert the user very thoroughly to contact support for a human being to see what's going on. In a test, they would fail it because "the program didn't handle it on its own". In real life, such an exploit attempt would do nothing but get threat research professional eyes onto the situation.
I think it's as STV0726 said; Prevx aced all the tests it was in whilst WSA hasn't, but that's because WSA has been in more demanding and a greater variety of tests. So although it feels like a deterioration it's more that Prevx has moved up to the big league as a sole-security application so is under greater scrutiny.