Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    The license is limited to the actual Windows installation as our identification system is dependent on unique identifiers generated when Windows installs; therefore, you would require a separate license for each of the XP Home and Vista Home Premium installations.

    You can, however, scan the opposite Windows installation from the other so you will receive some "protection" for both with one license (however, the protection would be reactive rather than proactive).

    Please let me know if you have any further questions.
     
  2. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Does this product really work? It's hard to tell without the real-time protection. My system was badly infected with the minimal tests which I did.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    You will need to obtain a test license to actually enable trial protection as otherwise your system will get infected if you run it against live malware. If you're interested, drop me a PM and I'll get you a license shortly.
     
  4. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    I spent some time testing this after receiving the real-time protection license key and to summarize I would want to stay far away from it for the time being.

    I tested with some 100 URLs that are known to exploit browser vulnerabilities. I have a number of concerns:
    1. This product does not have any sort of browser exploit detection. This makes the problem of keeping the system clean that much more difficult because now they have to detect every single PE file that gets dropped on the machine. All it takes is one to slip through and you are screwed.
    2. THIS ONE IS SCARY - I was running the test on a VM. I browsed to the infected URL and when the dialog popped up to BLOCK gameeeee.pif, I clicked on OPTIONS and chose "TRUST ALWAYS". Then I reverted the snapshot. I tried the same URL, and through Process Explorer I could see gameee.pif start running (the same MD5), but there was no alert from Edge. Did the backend remember the fact that 1 user chose to always TRUST this exe and therefore used that decision for subsequent users? If so, that's a pretty crappy design. This happened for many other exes as well. Scary!!
    3. It missed a ton of malware, but that's not surprising.
    4. It suddenly became disabled all by itself.
    5. It doesn't appear to have a synchronous design. The process has started and stopped by the time the alert dialog appears. This means that the application has done its damage by the time PrevX even detects it.
    6. I noticed some FPs on files from www.ieaddons.com
    7. It mainly prompts the user to block!! Why? Why not automatically convict? I think they are concerned about False Positives. This makes this product not suitable for general use.


    Overall, I think other products that have both browser protection and Heuristic detection have better protection than PrevX Edge.
     
    Last edited: Nov 27, 2008
  5. Juha L

    Juha L Registered Member

    Joined:
    Dec 25, 2007
    Posts:
    48
  6. PrevxMalwareHelp

    PrevxMalwareHelp Registered Member

    Joined:
    Nov 16, 2008
    Posts:
    9
    Hi There,

    This is technically not a "false positive", more like an error in classification. We have 3 examples in our database of this file being used to launch malware. Thus we have reverted it from "Bad" to "Caution". Obviously I can see the legitimate use of it; however, it's a grey area. You can locally trust this file and it will not bother you anymore.

    I hope this helps.

    Regards,

    Jacques
     
    Last edited: Nov 27, 2008
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    First, I have to point out that if the protection appeared to be non-synchronous, then something is wrong in your installation. This would tend to coincide with the disabled status you received as well. On the image, are you using any other security products, and, are you using XP SP2 or higher?

    We also do not take one user's opinion on a file at all - the fact that the user disagreed is logged, but nothing is actually done on the backend. In your case, it appears that it recalled the fact that your client disagreed with that file and then applied those options.

    In the end, you went to 100 exploiting URLs - do you really expect any antimalware program to protect you 100%? Browser exploit detection, while useful in some instances, is hardly a panacea to block threats. Recent independent tests found that most AVs have a 3% or lower detection rate on the exploits themselves, therefore, they are blocking based on the PEs that are dropped.

    If you do have the samples/a scan log from your tests and if you could give me any more information on events leading up to the Disabled status, please let me know.
     
  8. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    The disabled status was on a separate run. I restored the snapshot and tried another test and that's when I noticed the non-synchronous behavior. This is on a clean XP SP2 image that is unpatched. There is no other software on that image other than Windows and PrevX.

    So are you keeping track of every client's response to every MD5 individually?

    I don't expect the product to protect me 100%, but browser exploit protection is extremely effective at blocking unknown exes. Btw.. NIS2009 had a 30.95% detection on the Secunia test, mainly in part due to its good browser protection. That number is low but that is because it's being tested against vulnerabilities that have never been exploited. In reality, only a small fraction of those vulnerabilities have ever been exploited. Detection of "exploited" in-the-wild vulnerabilities was close to 98%.

    Wrt PrevX, most malware today is singletons, that is, there is one and only one instance of that hash ever seen. Any form of community-based system falls apart since you don't have enough data to form an opinion.

    I also saw a few FPs on applications from ieaddons.com
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thank you for your further information. We will investigate the non-synchronous behavior closer to see why it happened on your system (as that is most definitely not desired behavior).

    We do not use MD5 (or SHA-1, etc.) for program correlation as you are exactly correct - infections are far from constant, most being server-side randomized (i.e. the Storm worm which would render any one-to-one cryptographic hash useless). Rather, we have a number of our own correlative signatures which allow us to relate programs to one another with far more accuracy than a straight hash. Therefore, rather than requiring one signature for every individual file, we can relate literally thousands/millions of files to one another with a single signature. We are also able to correlate program similarities based on behavior, comparing the behavior from a program on a single user's system to the behavior on another system to relate the two if for some reason the other correlative signatures fail.

    We do log user responses to files and they are entered and prioritized to our researchers who then manually (with help from server-side sandboxing) analyze the samples and make a decision as to if the program is truly legitimate or not. The user's responses are not actually automatically fed to other users at all, and even if 1000 users say "Trust Always" to a file, we will not trust it - we force it to go through a tightly controlled process first.

    We all agree that browser exploit detection is an area which needs closer consideration, however, merely detecting exploits mid-stream or mid-operation is not good enough and not generic to be a completely viable solution. We are in the process of developing different techniques to analyze browser behavior which should dramatically reduce the effects of browser exploit-based malware. This is, however, a difficult area to work in because browsers DO require system access in some cases so, a blatant "block everything coming from the browser" will not work for a majority of non-techie users.

    However, we will keep updating and improving our technologies to hopefully get closer to the perpetually-eluding 100% mark :) (and I have forwarded ieaddons.com to the research team to get them whitelisted).
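    The verdict flow PrevxHelp describes in the two posts above (per-client "Trust Always" choices recalled only for that client, the global verdict left untouched, disagreements logged and prioritised for researcher review, and an unseen singleton producing no community opinion at all) is modelled below as an added example. It is not Prevx's code: the class, the "bad"/"caution"/"good" labels, the "sig:" identifiers and the review-priority rule are all assumptions made for illustration.

```python
from collections import defaultdict


class ReputationBackend:
    """Toy model of a community-reputation backend (added example, not Prevx code).

    - global_verdicts is curated only by researchers.
    - local_overrides is what a single client chose; it never leaks to other clients.
    - disagreements only feeds a review queue, it never flips the global verdict.
    """

    def __init__(self):
        self.global_verdicts = {}                 # sig -> "bad" | "caution" | "good"
        self.local_overrides = defaultdict(dict)  # client -> sig -> "trust" | "block"
        self.disagreements = defaultdict(int)     # sig -> clients that trusted a flagged file

    def set_global_verdict(self, sig, verdict):
        """Only the research team changes the global table."""
        assert verdict in ("bad", "caution", "good")
        self.global_verdicts[sig] = verdict

    def client_decision(self, client, sig, choice):
        """Record a client's Trust/Block Always choice for its own install only."""
        assert choice in ("trust", "block")
        self.local_overrides[client][sig] = choice
        if choice == "trust" and self.global_verdicts.get(sig) in ("bad", "caution"):
            self.disagreements[sig] += 1  # logged for analysts, never applied globally

    def verdict_for(self, client, sig):
        """Resolve what this client's agent should do with a file."""
        local = self.local_overrides[client].get(sig)
        if local == "trust":
            return "allow"
        if local == "block":
            return "block"
        # Unknown identifier (a singleton nobody else has seen) falls through to "prompt".
        return {"bad": "block", "caution": "prompt", "good": "allow"}.get(
            self.global_verdicts.get(sig), "prompt")

    def review_queue(self):
        """Samples ordered by how many clients disagreed with the global verdict."""
        return sorted(self.disagreements, key=lambda s: (-self.disagreements[s], s))


def run_scenario():
    """Replay the thread's scenario on constructed identifiers (assumed values)."""
    b = ReputationBackend()
    b.set_global_verdict("sig:gameeeee.pif", "bad")      # constructed, mirrors post #4
    b.set_global_verdict("sig:ieaddons-tool", "caution")  # constructed, mirrors post #6

    # The tester's VM chooses Trust Always on a flagged file ...
    b.client_decision("vm-A", "sig:gameeeee.pif", "trust")
    # ... and so do 1000 other clients, as in PrevxHelp's "even if 1000 users" remark.
    for i in range(1000):
        b.client_decision(f"client-{i}", "sig:gameeeee.pif", "trust")

    return {
        "vm_A_after_trust": b.verdict_for("vm-A", "sig:gameeeee.pif"),
        "fresh_client": b.verdict_for("vm-B", "sig:gameeeee.pif"),
        "global_unchanged": b.global_verdicts["sig:gameeeee.pif"],
        "caution_prompts": b.verdict_for("vm-B", "sig:ieaddons-tool"),
        "singleton": b.verdict_for("vm-B", "sig:never-seen-before"),
        "top_of_review_queue": b.review_queue()[0],
        "disagreement_count": b.disagreements["sig:gameeeee.pif"],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

    Because the override is keyed by client identity rather than by the file alone, a reverted snapshot of the same install still resolves to "allow" for that one client while every other client keeps getting "block"; the 1001 disagreements only move the sample to the top of the analysts' queue.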
     
  10. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    I found a couple of issues with my first trial of Prevx Edge. Upon finishing scanning and installing, Edge found a few suspicious files and showed them in a dialog. In that dialog I could only right-click on a single suspicious file and mark it as a false positive. However, right after I did this on one file, Edge would immediately ask me to click OK and then it would start a full scan of my PC again. It would be much more convenient if the user could select multiple files and then report them as suspicious, followed by just one single additional scan by Edge afterwards. I aborted the scan and then I could not see which files were suspicious anymore. Only under Detection Overrides could I see the single file which I had previously reported as a false positive. I could still select Save Scan Results even though I aborted the scan. The good news was that so far Edge ran fine with my KIS and SAS.

    Cheers.
    Lu Chin
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I agree that this is not very user-friendly. We will have this behavior changed in the next update :)

    Thank you for your report!
     
  12. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    my only nag is, if i have a folder of infected files on my desktop etc.

    a scan will find 'some' and clean > reboot

    then the scan after reboot will find 'some more' and clean > reboot

    then the scan starts again, finds some more......

    it's a very long process, and takes bloody ages to get it to say nothing detected.

    also, I've tried twice to update to the newer version with errors both times, prevx shuts down, both times when testing I have to un-install > and download the new version manually, kinda made the updater in the program pointless.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The folder on your desktop most likely either has too many pieces of malware in it (we will only ever report 255 infections at once to conserve memory, but continue blocking the others), or it is being slowly populated in the background which is causing other processes to access the files and in turn, causing Edge to scan them.

    We have reproduced some similar issues as well, but they should be corrected in 188 so future upgrading should be seamless again.
     
  14. capatt

    capatt Registered Member

    Joined:
    Jan 23, 2007
    Posts:
    84
    Hello
    It's been said more than once that Edge's capabilities overlap that of Prevx2, but some people are running both. Can you explain how much of an overlap there is? Is there a comparison chart? I'd like to know just how much benefit there is to running both side by side.

    Thanks
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We don't have a comparison chart of both because it will most likely confuse a majority of users rather than help, because they both overlap in so many areas.

    Edge has superior malware removal, rootkit detection, and heuristic protection to Prevx2. However, Prevx2 DOES have malware removal, rootkit detection, and heuristic protection - however, Edge's is just significantly improved.

    The primary benefit of running both is that you can get the granularity of Prevx2's prompting next to the new Edge heuristics if you want. Some technical users find it important to know what is going on in the system so they want to be prompted/notified of each action - Edge works to hide all of the prompting and only talk to the user when it is absolutely necessary.

    Running both side-by-side will only help if you are interested in the granular details coming from Prevx2, otherwise, you will be fine with just Edge :)

    Hope that helps!
     
  16. capatt

    capatt Registered Member

    Joined:
    Jan 23, 2007
    Posts:
    84
    That does indeed, thanks.
     
  17. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Does Prevx protection load very early on after Windows starts? Some security software still has slight delays on Vista before the service starts.
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Edge's core driver loads immediately after the filesystem itself loads and malware removal loads before the file system or registry are loaded. However, we have delayed the loading of the tray icon/splash screen by some seconds after bootup to ensure that we are being loaded properly into the system (so, protection loads long before it visibly loads).
     
  19. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    I received my trial license for the week but after a couple of days I got this error.

    Error:L016: License is in use on another system, you can fix this using the MyPrevx web console.
    I didn't touch anything on my computer; the only things running are Edge and Sandboxie.

    I'm interested in purchasing Prevx Edge, but what happens if, say, I happen to reformat my computer or do an image restore? Will this error occur also?
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    We will investigate this error further - is your license working now or does it still produce that error?

    If you reformat your computer, your license may become invalid for that system, but just come into our support inbox or PM me and I'll get it reset for you :)
     
  21. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Yes it's still producing that error.

    Anyway, I will send you a PM, thanks.
     
  22. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
    Prevx Edge v3.0.0.188 detects zlib1.dll in the folder C:\Program Files\XBMC\ belonging to the mediacenter program XBMC v8.10 for Windows XP/Vista from the website http://xbmc.org/ as malicious software with medium/recommend heuristics.

    I uploaded zlib1.dll to:

    http://www.virustotal.com/
    http://virscan.org/
    http://virusscan.jotti.org/

    All 3 scanning websites gave zlib1.dll a complete clean bill of health. So I guess Prevx Edge falsely detects it as malware?
     
  23. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    yep, probably.

    but with a product like prevx, over time, let's say in a few weeks or days maybe..... detection would have significantly increased and FPs lower, at least I think it should, this is what I like about an on-going real-time community-based-detection. lol :p
     
  24. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Please try again :)

    It should be now fixed ;)
     
  25. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    436
    Location:
    The Netherlands
    Nope, not fixed.
     