Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :D No problem at all - I spend far too much time myself trying to find my way through the MSDN forest as well :D Always glad to help out by consolidating previous research into stomach-able chunks :)
     
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    Deleted because of duplication - see following post::D
     
    Last edited: Dec 18, 2008
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    C:\WINDOWS\LMI2F1.tmp\lmi_rescue.exe > See screenshot attached:

    Just noticed this file in SSM, after I was checking the (silent) update of PrevxEdge to version

    3.0.0.199. Is it just coincidental? This file does not seem(no longer) to exist. A search of google turned up

    nothing for - C:\WINDOWS\LMI2F1.tmp\lmi_rescue.exe

    However, a search for - lmi_rescue.exe found this >

    http://www.prevx.com/filenames/1238620912960067123-0/LMI_RESCUE.EXE.html

    So I am curious as to what this means? Has my system been compromised or not? :doubt:
     

    Attached Files:

  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This file is legitimate - it is part of LogMeIn, used for remote assistance (we use it as well as a lot of other companies :))

    If you are really doubting it, send it over to me and I'll double check it, but AFAICT, that is a legitimate copy.
     
  5. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285

    LOL - Joe, I just remembered it was downloaded about 4 weeks ago for that remote desktop session that I had with you. I just had a senior moment.:)
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No problem :) I figured it would be the same one :)
     
  7. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
    False positive report:

    Program: TweakVI v1.0 build 1100 (Basic freeware version)
    Website: http://www.totalidea.com/
    Windows version: Windows Vista Ultimate SP1 Dutch 32-bit
    Prevx version: Prevx Edge v3.0.0.199
    Detection type: Malicious Software
    Heuristics setting: High

    Temp file detected during installation and uninstaller also detected.

    tweakvi.jpg
     
    Last edited: Dec 19, 2008
  8. MarkW

    MarkW Registered Member

    Joined:
    Dec 24, 2006
    Posts:
    48
    Is there an advanced settings tutorial for Edge, akin to Blackspear's famous NOD32 tutorial that I've used with joy on both versions 2.7 and 3.0?

    I just installed the full version of Prevx Edge five minutes ago. I did not adjust a single setting. This was emotionally traumatizing for me and I expect some sympathy. I decided to just "set it and go" to see how it performs. All I know is that real-time protection is enabled as my little green light is on in the center of Prevx' system tray icon. I have used Prevx and Prevx2 for almost three years, but this seems like a very different animal.

    I would love some focused education. Could anyone point me to white papers, blogs or intelligent reviews that analyze the similarities and differences between Edge and Prevx2 and, as I asked in sentence one, set-up options for a more articulated performance. I'm reading this thread front to back, but it's like a novel and a rather incoherent one.

    Take care. Oh, FWIW, my 24/7 real-time security setup is:
    1. Prevx Edge
    2. ESET NOD32 Antivirus v3
    3. Malwarebytes' Anti-Malware
    4. Javacool SpywareBlaster
    5. Netgear Router (hard) Firewall + Windows (soft) Firewall

    Comments would be appreciated.
     
    Last edited: Dec 19, 2008
  9. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Has anyone come across this one?

    Just after booting up, with the Edge sys tray icon visible the main UI opens 'by itself' and at the same time the upgrade/purchase popup appears, and every time that I try to close either of them they reappear seconds latero_O

    I could not understand or see what was prompting this other than the recent installation of IE7 Security Update (KB960714)...not that I am saying that this is the case...and in fact cannot see how such an update would do this. However, I rolled my system back to a pre-install position and the issue appears to have disappeared.

    Now this observation is not 'scientifically' analysed but I thought it worth asking the question. Hopefully, over the weekend I will have time to reinstall the MS update and check potential causality more thoroughly.:eek:
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I'm currently unaware of an advanced settings tutorial for Edge, but that would be somewhat against the "mantra" of Edge. The core objective in Edge has been to make security simple and not require users to walk through a learning curve to use it - it will work perfectly fine directly out of the box.

    Prevx2, however, is definitely a different animal. It is much more HIPS-focused, which gives users more granular control over the reporting, etc. but a vast majority of users get confused rather than helped by extraneous popups.

    In Edge, we do offer some fine tuning for the heuristics settings if you click Edge Settings > Heuristics Settings. In here, you can configure the strengths of three different heuristics engines which feed into our database rules. We do have a number of other heuristics besides the ones you can see there, but they are all maintained in the database centrally so that they can protect based on the knowledge gathered and analyzed globally.

    If you have any further questions or if you want more clarification, let me know - this thread is definitely a novel and I hope you survive past reading every post to read this reply :D
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I haven't seen this, but by any chance is your system status "Infected"? If so, the GUI will open by default on bootup to prompt the user with any problems that were identified.

    If not, let me know and we'll try and investigate further :)
     
  12. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Hello,

    please check again :) It should be now fixed :)

    Thank you for your help :)
     
  13. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Hey Joe

    Is the scheduler running correctly?

    Edge seems to be scanning out of whack with the scheduler. Mine is set to 9pm daily but the capture shows the time of last scan as at 10.04 tonight.

    I can replicate this at work on XP - various delays after scheduled time of up to an hour before the scan kicks off according to later reference to the GUI.

    Not critical for me, but maybe for others?

    philby
     

    Attached Files:

  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    This is the intended behavior - we stagger scheduler execution times so it could be delayed by up to an hour (intentionally). This is generally to keep load on a network down. For instance, if a company has 10,000 PCs and they all are scheduled to scan at 8am when the work day starts.... that would spell some bad trouble for the network throughput. So, we stagger randomly which could cause it to happen up to one hour later than the configured time.

    Hope that helps! :)
     
  15. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Another clear answer.

    Thank you.

    (Apologies for unreasonably massive window capture - can't seem to shrink image using vista snip...)

    philby
     
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Does Prevx Edge audit the expansion ROM in memory?
    Possibly comparing against a list of known good ROMs.
     
  17. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
    Fixed indeed. :)
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No it does not, however, if you happen to come across any piece of malware which hides itself in there, please let me know :D Edge does, however, analyze the boot sector and master boot record to find malware or any obfuscation in the bootstrapping code.
     
  19. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Is it possible to get the Expansion ROM code loaded into system memory or from the card itself?

    "The (Expansion) ROM can be retrieved from system memory, or from the card itself. In order to carry out an audit,"

    Would it then be possible to do a checksum of the loaded Expansion ROM code that is now in physical RAM comparing to a community checksum data base of manufacturer checksums?

    "Having obtained the ROMs from system memory and the card itself, these should be compared to known good ROMs obtained from vendor websites."

    By the two Q&A's above, Could Prevx be designed to carry out this memory check of Expansion ROM code for verification?

    "After enumerating the PCI bus and copying expansion ROMs to memory, the system"

    "The author determined that by hooking interrupt 10h via an expansion ROM,"

    "If a Legacy card’s option ROM code hooks INT 19h during its initialization call it controls the boot process."

    "With modifications to the base code, or by supplying alternate base code altogether, it is possible to subvert PXE in order to carry out a pre-boot update of a rootkit."
    Detecting PCI Rootkits-Heasman

    Is Prevx Edge able to detect the hooking of interrupt 10h or 19h or does the Prevx Edge detector load later?
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is possible, however, as mentioned in the article, hardware vendors do not have an established database of legitimate ROM code so it would be inexact to detect and possibly cause more trouble than it's worth. Frankly, if something is loading that early in the system it would have absolute control over everything which happens and even if we were to be able to detect it, they would be able to just block our software from running in the first place.

    And, it is also a theoretical rootkit rather than a real one - the difficulty of producing a functioning example would be so immense that it would be completely hardware+OS dependent and probably not work far outside the test environment.

    I'd honestly be more afraid of someone coming into my house and destroying my computer with a sledgehammer (and unfortunately we don't have any software to prevent that :D)
     
  21. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Hi Joe

    No, I am fairly certain that it was not infected. I ran a scan with SAS, MBAM, KIS & CureIt...all turned up negative.

    As I said, the only thing that was different from the system that I have ben running Edge on since it was released is the MS Update for IE7. Weird or what.o_O
     
  22. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    So I guess I have a better chance of finding a rogue win3.1 install than an Expansion ROM compromise.
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I agree :D However, if you do find malware actually exploiting the Expansion ROM successfully, please let me know and I'll make sure we do a detailed public analysis of it notify the other vendors as well :)
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That is quite odd... really not sure what would cause it. By any chance had you made a shortcut anywhere on the system to Edge?
     
  25. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Last edited: Dec 21, 2008
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.