Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm not convinced :doubt: Trying to determine the intent of a file by filename is not reliable, but: http://www.threatexpert.com/files/iedfix.c.exe.html

    If you could send me the file itself I can analyze it :)
     
  2. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Thanks very much!

    I will try the full program out and will give feedback later this week.

    Thank you for explaining the logfile. That helps me a lot to understand how your product works.

    I'm really looking forward to the Q3 release! :)

    Very well done so far Prevx! Good product (after the Q3, hopefully my first choice) and very good support. My thumbs up!
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've analyzed the file and it is indeed legitimate, however, I don't blame our engine or any of the dozen other engines for flagging it as this :D It does quite a lot of suspicious system modification actions so I think this is one of the one-off cases where the file looks like a duck, sounds like a duck... and isn't a duck :D

    FP fixed! Thanks! :)
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks! :) We appreciate all of the upward facing thumbs and the downward ones as well as it helps keep us on our toes to turn those thumbs around :)
     
  5. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PrevxHelp, what exactly is the false positive rate for Prevx – and, what is the methodology for computing that rate?

    I don’t agree that the false positive rate should be measured as the number of (a) files initially and incorrectly classified as malicious divided by (b) the total number of files on all users’ PC examined by Prevx, each measured over the same historical time period. This method of computation obviously minimizes the false positive rate.

    In the case of a cloud-based tool such as Prevx, I believe the false positive rate should be quantified as the ratio of (c) the number of files initially and incorrectly classified as malicious to (d) the total number of new files classified as malicious, each measured over the same historical time period. This method of computation is more closely aligned with the “user experience.”
     
  6. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    Wow, you analyzed it pretty fast. :thumb:

    Thanks for confirming that it is indeed a false positive. :D
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    On a daily basis, we find around 20,000-30,000 new malicious programs (these are new infections, not just infected files from a file infector as we drop those before they reach the central database to reduce the pollution in the database with unnecessary data). As for the number of actual detections we perform every day, I'm not sure but it is quite high - the 20-30k is new detections of new threats. Across our entire community, we fix on average between 5 and 10 incorrectly identified files every day, as reported to our customer support inbox/Wilders/other AV vendors/ISVs.

    It is a holiday in the US and the UK this weekend so the volume is a bit lower in the support inbox than normal, but so far this weekend (since Friday) we have had three FPs reported to the inbox and then the unusually-large handful reported by a few users here at Wilders (and one to me by email :)).

    Note that in the past (> 2 years ago or so) we had a much higher volume of FPs every day, well over 10x what we have now but we have significant measures in place to prevent them today and have done a great deal of optimizing on our engines for accuracy.
     
  8. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Hi,

    My Prevx Edge is still detecting Kaspersky version 9 on installation. I just sent the scan log.
     
  9. micrei

    micrei Registered Member

    Joined:
    May 3, 2009
    Posts:
    17
    Did anyone test Prevx 3 real-time protection against the malware discussed in the thread "some test" (htaaa.exe, stop2.exe etc.)? Did it block all the malware?
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fixed :)
     
  11. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Yes, Joe is fantastic in support here, so why do you keep the FP picture link in your siggy line?

    TH
     
  12. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    177
    Location:
    Czech Republic
    all but one :)

    everest_icons.dll
    CRC32: C1ABB74C
    MD5: 930D3E9A79B82856D187F5631CC7F1F2
    SHA-1: 7EA22BB608616F11BDE42E50D406EB87544038D2

    still reported as medium threat
     
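The post above identifies the flagged file by CRC32, MD5 and SHA-1, which is the set of identifiers a vendor needs to locate the exact sample. The script below is an added example (not Prevx code, not from the poster) that computes all three in one streaming pass and prints them in the same layout; the sample bytes at the bottom are constructed for the demo and stand in for a real DLL.

```python
"""Compute CRC32, MD5 and SHA-1 for a false-positive report in one pass.

Added example for this thread; not Prevx code. The sample bytes in __main__
are constructed and only stand in for a real file such as everest_icons.dll.
"""
import hashlib
import zlib
from typing import Dict, Iterable

CHUNK = 1 << 16  # 64 KiB reads keep memory flat for large files


def hash_stream(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Return upper-case hex CRC32/MD5/SHA-1 over the concatenated chunks.

    All three digests are fed from the same chunk, so the file is read only
    once. zlib.crc32 is chained with its previous value and masked so the
    result is the unsigned 32-bit CRC that tools print.
    """
    crc = 0
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for chunk in chunks:
        crc = zlib.crc32(chunk, crc)
        md5.update(chunk)
        sha1.update(chunk)
    return {
        "CRC32": f"{crc & 0xFFFFFFFF:08X}",
        "MD5": md5.hexdigest().upper(),
        "SHA-1": sha1.hexdigest().upper(),
    }


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for data already in memory."""
    return hash_stream([data])


def hash_file(path: str) -> Dict[str, str]:
    """Hash a file on disk without loading it whole."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(CHUNK), b""))


def format_report(filename: str, ids: Dict[str, str]) -> str:
    """Render the identifiers in the layout used in the post above."""
    return "\n".join([filename] + [f"{k}: {v}" for k, v in ids.items()])


if __name__ == "__main__":
    # Constructed stand-in for a DLL: an MZ header plus padding, not real code.
    sample = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    print(format_report("sample.dll", hash_bytes(sample)))
```

Run it as `python fphash.py` for the demo, or call `hash_file(r"C:\path\to\everest_icons.dll")` to get the three values for a real file; chunking the input matters because a scanner-flagged file can be hundreds of megabytes.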
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Sorry about that! Fixed now :) Thanks :D
     
  14. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Got a question. Prevx wrote this on their site:


    "Here's a list of recent viruses, spyware, rootkits and other forms of malware Prevx 3.0 found on PCs that other products completely missed"


    Does that mean all the vendors named in the chart missed the malware after a full deep scan, and Prevx picked it up and cleaned it?

    Thanks
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes - the infections listed were found on computers protected by other security products and the presence of those infections found by our scanner (which focuses on malware which is active or can become active via a registered boot entry or is obfuscated by a rootkit) shows that the infections were in the system and not just idle on disk :)
     
  16. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    What about the right-click menu item "report as a false positive"? Is that reported to your lab?
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, this will send a report to us but you may want to send me a PM or contact us through our customer service inbox if you experience a FP as the "report as a false positive" feature is abused in massive volume by malware authors trying to get their creations automatically allowed.
     
  18. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    So does that mean I can use ONLY Prevx instead of my antivirus?
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    You can, but we always recommend using a layered approach. Prevx doesn't protect against 100% of threats so we've engineered it to work alongside all major security products so that you can layer up your defenses to give you the best chance possible to achieving as close to 100% as you can :)
     
  20. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Question, you state that Prevx checks the security center for presence of an anti-virus. Do you also use this information to make sure it's up-to-date? I realize this information cannot be obtained about the build/version of the anti-virus, but I'm sure it's obtainable about whether the signatures are < a month old (if I remember right).
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Our logic is based around the fact that it is the job of the antivirus program itself to keep up to date and not necessarily update the security center with every new version/update. There really isn't a valid reason for an AV to not be up to date and in the end it is the fault of the AV model of having to download every new signature update to detect new threats (so users are immediately out of date after updating).

    If a user is using an AV with signatures that are more than a month old... they aren't using that AV anymore :D Threats today tend to live for less than 48 hours - an AV which doesn't update on a less than an hourly basis is virtually useless against new threats.
     
  22. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    That doesn't sound very logical to me, you state you already have code in place for querying what anti-virus is there yet you don't query whether it's updated and just go on an assumption? Do you realize the massive amount of people that buy computers with 30 day trials of security, or just buy a year and forget about the fact it expires?
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, but this is the root of the problem - the people think they are secured and they aren't. We aren't assuming it is updated, but we don't factor in the state because the program should always be updated and protecting if the user is under the impression that it is. In the case of people starting with trials or subscriptions and letting them lapse, it is a fault of user education on the part of the AV vendor which is just as bad as letting a piece of malware through.

    Users can't be expected to read up on the newest technology and click "Check for updates" on an hourly basis to ensure they are using the latest protection - that's what they are paying the security company to do for them.

    (Also, from what I've seen, vendors do not put their entries in the Security Center until the user has configured the AV when purchasing a computer with the AV installed from the OEM.)
     
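The exchange above turns on what Windows Security Center actually exposes: the presence of an antivirus product, and separately whether it is enabled and whether its definitions are current. The script below is an added example (not Prevx code) that reads both. It assumes the Vista-and-later WMI class `root/SecurityCenter2` / `AntiVirusProduct`, whose integer `productState` Microsoft does not document; the bit layout used (0x1000 = real-time protection on, 0x0010 = definitions out of date) is the community-derived one and should be treated as an assumption. The sample rows at the bottom are constructed for the demo.

```python
"""Decode what Windows Security Center reports about installed antivirus.

Added example for this thread, not Prevx code. Source on Vista and later is
WMI namespace root/SecurityCenter2, class AntiVirusProduct. Microsoft does
not document the integer productState; the masks below are the widely used
community interpretation and are an assumption. Sample rows are constructed.
"""
import csv
import io
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Tuple

ENABLED_MASK = 0x1000   # middle byte, bit 4: on-access scanning enabled
OUTDATED_MASK = 0x0010  # low byte, bit 4: signatures reported as stale


@dataclass(frozen=True)
class AvStatus:
    name: str
    enabled: bool
    definitions_current: bool

    @property
    def trusted(self) -> bool:
        """Count the AV as a protection layer only if it is on AND current."""
        return self.enabled and self.definitions_current


def decode_product_state(name: str, product_state: int) -> AvStatus:
    """Turn one AntiVirusProduct row into an AvStatus."""
    return AvStatus(
        name=name,
        enabled=bool(product_state & ENABLED_MASK),
        definitions_current=not (product_state & OUTDATED_MASK),
    )


def assess(products: Iterable[Tuple[str, int]]) -> List[AvStatus]:
    return [decode_product_state(n, s) for n, s in products]


def has_trusted_av(products: Iterable[Tuple[str, int]]) -> bool:
    """Presence alone (the check described in the thread) is not enough here:
    a lapsed trial is present but neither enabled nor current."""
    return any(p.trusted for p in assess(products))


def query_security_center() -> List[Tuple[str, int]]:
    """Windows-only: read displayName/productState through PowerShell CIM."""
    cmd = [
        "powershell", "-NoProfile", "-Command",
        "Get-CimInstance -Namespace root/SecurityCenter2 "
        "-ClassName AntiVirusProduct | "
        "Select-Object displayName,productState | "
        "ConvertTo-Csv -NoTypeInformation",
    ]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    rows = csv.DictReader(io.StringIO(out))
    return [(r["displayName"], int(r["productState"])) for r in rows]


if __name__ == "__main__":
    # Constructed sample rows: (displayName, productState)
    sample = [
        ("Example AV (enabled, current)", 0x041000),
        ("Example AV (disabled)", 0x040000),
        ("Example AV (lapsed trial, stale signatures)", 0x041010),
    ]
    for status in assess(sample):
        print(status)
    print("any trusted AV:", has_trusted_av(sample))
```

On a live Windows box replace `sample` with `query_security_center()`. On XP the older `root/SecurityCenter` namespace exposes the same facts as separate booleans (`onAccessScanningEnabled`, `productUptoDate`) rather than a packed integer, so the decode step is unnecessary there.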
  24. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    So, the full program is working great on Vista, but I expected less RAM usage. It's 7,100K for me.

    Full scan of all drives tested for the first time. Thanks for the fully working trial! ;)


    Some possible false positives: (Advanced Heuristics is Max, Age Heur is High and Popularity is High)

    WinRar default.sfx: http://www.virustotal.com/analisis/...516678f3ee6ba0f342b71370470ecde77e-1243205049

    WinBuilder Tool drv_index.exe: http://www.virustotal.com/analisis/...84c859e233d0cb743b902a02f39fefd4c1-1243205274


    Winbuilder VistaPE Core ftpserver.exe: http://www.virustotal.com/analisis/...8ca24aebe56a4c1a93d43e0b55719b2969-1243205526


    False Positives:

    gmer's MBRfix: http://www.virustotal.com/analisis/...e430d85f2f5e79179b46bae6f978cb1513-1241494251



    PS: It would be great if it would be possible to see the whole filename in the "Scan Result" section even if it is very long... ;)
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    RAM usage varies and we do hold a lot of data in memory to improve performance, so in the end it's a tradeoff of CPU cycles versus RAM usage, and CPU cycles are what really matter to performance.

    I've sent you a PM about the FPs - most likely due to heuristics being maximum but I'll get them sorted ASAP :)

    I agree :) Currently the GUI isn't very friendly for trying to display long filenames but if you want the full filename, you may want to just save a scan log to get all of it :)
     