Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, and, Edge will automatically recheck and clean any files which were missed as soon as the internet does reappear. If, for some reason, it can't connect to the internet to scan a file, it tracks the file so that it can clean up all traces of malware associated with it, should it happen to come back as bad.

    And, if the internet is down, the file can't do anything malicious like steal identity, so, there is little to worry about :)
     
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    Something seems to have gone haywire during the install of Prevx Edge. My computer froze during the install process, I tried to kill the prevx.exe. Still my system was frozen, then I killed windows explorer.exe and that regained use of the system.

    However, I have two instances of prevx.exe showing, see screenshot. Not sure whether the program is installed or running properly. There was no indication by an install wizard to show that the install was successful.... It did not ask for a reboot?
     

  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    After installing, it should automatically start a system scan in a window in the bottom right corner. Two Prevx.exe instances are correct - it "should" start the scan, but could you try opening it from the shortcut in the Start > Programs > Prevx Edge folder?

    Do you happen to have any security software installed which monitors behavior or could block drivers from loading? That could explain some of the odd behavior solved by killing Explorer, but, I'm not quite sure.

    Let me know what you find with the shortcut :)
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    Incidentally, I got this when querying the WinPatrol database, after it threw up a warning during the install process > see screenshot.
     

  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Tarnak, I think it could be any number of your other applications which prevented or interfered with the install. That's a lot of layers!

    You seem to have:
    Rising AV
    System Safety Monitor (another user reported this could be a problem?)
    DefenseWall
    Mamutu
    SuperAntiSpyware
    WinPatrol (as you just listed, this might have blocked installation)
    and others...
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Ah ouch. This is definitely a false positive. I'll get in contact with WinPatrol and Sophos to see if we can get them to fix this. I'd bet that they're blocking it after it starts installing, and that could explain some of the strange behavior some of the users have been seeing.

    Thank you for your report!
     
  7. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    1, If you believe that threats can only cause damage while online then there is a serious hole in PrevX technology. PrevX Edge will not protect against malware spread across a closed internal network or via removable drives. If other security products can pass my "fundamentally incorrect" (as you say) test then why cannot PrevX Edge?? I have tested saving viruses with PrevX connected to the net and it didn't detect the file I/O. This would then leave the user vulnerable if they executed the program later without network connection. For a user on the move using wireless internet then this is a serious hole which other security tools protect against.

    2, In regard to the driver, I looked more closely at pxark.sys and discovered that it can be changed very easily which then prevents the GUI detecting any threats regardless of a network connection. The driver does hook a number of SDT entries which once unhooked leaves PrevX Edge as blind as a bat. After unhooking the SDT entries it's also simple to kill the GUI using terminate process even when self protection is enabled.

    PrevX Edge appears to be a process monitor as seen in PrevX V2 with a bit of on demand (not real-time) scanner from CSI. I have found no evidence of any advanced behavior monitor technology or anti-rootkit protection within PrevX Edge.

    ~interact
     
  8. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Tarnak...did you accidentally install it as "Untrusted" with DefenseWall? I accidentally did this during testing and things wouldn't run.
     
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    I did go there, and tried opening the shortcut.....that is the reason (so I thought) that I ended up with 2 copies of Prevx.exe running.

    I have Mamutu and Anvir Task Manager which both threw up warnings, but I gave them permission. I have screenshots of these if you wish to see them.
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    oh brother, bet the next post is a long one.:rolleyes: :D
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It's possible that it hit a race condition while installing, causing it to not install properly. Could you try uninstalling completely and then reinstalling? This may solve it. If you can't uninstall, terminate both prevx.exe processes and then try again.

    Still not sure what's wrong, but I think we're getting somewhere in finding it out :)
     
  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,297
    I think I gave it permission to run as trusted from the right click Context menu....but I will check!:D
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm sorry to say it, but, with all due respect, you are wrong. You are looking in the wrong place when trying to find how Edge monitors the system and I'm not going to divulge where you should be looking as that is proprietary information.

    The driver hooks SSDT entries only for self protection, and there is currently a bug in self protection which interferes with the realtime monitoring, so, we highly recommend not using that feature. The rest of the monitoring takes place within the engine and within the other features of our driver.

    Edge analyzes the hard disk, registry, and memory on a raw level to detect rootkits - I'm not sure why your tools are not seeing this within Edge, but they are mistaken - our rootkit detection is able to find and prevent literally thousands of different rootkits.

    As for copying files across a network and then immediately disconnecting from the network - sure, this might be a bit of a vulnerable area if you are not immediately connected to the internet, however, as soon as you reconnect, Edge will find the threats and prompt to remove them. It is exactly the same as if an AV didn't have a definition for a threat and then downloaded a new update and rescanned. I don't see the real-world flaw here.
     
  14. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Is it possible to use Prevx and only Prevx?

    I don't want to use AVs anymore and it's an added bonus it has heuristics.
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, while you can always use another AV on top of it if you want, Edge will protect you against everything a normal AV will and more thanks to its community database :)

    However, of course, no AV is perfect and neither is Edge but for a vast majority of users, Edge will be more than adequate for protecting them against today's threats.
     
  16. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    That's all I am using now Coolio. I do have Returnil installed but only really use that for testing stuff. Given that my usual surfing is pretty tame, I feel well protected. And even if I do go "hunting", I am sure Edge will be able to handle it.
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Same here, Edge is good enough for me.
     
  18. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Thanks, also good job keeping up with all the answers. Even ones you shouldn't have to answer you do :).

    Never seen a thread go to 12 pages in 2 days.

    Except mybb's last post competition for money. They are up to 459 pages and still counting. A good way to see how many pages their forum script can handle :).
     
  19. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    This sentence leaves me a bit astonished.

    APIs hooked inside SSDT are hooked just for self-defence protection, and if you investigate a bit, you'll find that *a lot* of security software is using similar self-protection techniques.

    Is it totally secure? No, it isn't. If you know a bit about kernel development, you'll find some ways to bypass it. But that's not a problem of ours, it's a common problem. Is it enough? Yes, it is. It'll prevent most known process-terminating attacks.

    Every security vendor knows that their security solutions could be bypassed in some way by someone, but that would mean 1 person out of 1.000.000.

    Are there other ways to protect our processes? Yes, there are. But they would mean tampering with the Windows kernel at a really low level, and that could result in system instability.

    This way, we're preventing the most common attacks and we assure you of system stability. Can our hooks be unhooked? Yes, sure...then what's the goal? When you're in kernel mode, and you're able to touch the SSDT, why just unhook our hooks? You've the power in your hands. If you're in kernel mode, you basically own the system.
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Just because there have been too few analogies used thus far:

    Malware loading into kernel mode and then only unhooking an AV's SSDT entry is like using a steamroller to squash an ant. At that point, it would have free rein over the entire system, so, why even bother terminating the AV :)
     
  21. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Hmmm....I have used a 14 cu yd loader bucket to terminate an ant.

    But really, I don't think the internet is teeming with malware that can do this....if any even exists.
     
  22. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    :rolleyes: OK I've coded a program to do the following:

    Inject code into a running process, map a system file in memory then inject code and finally write code directly to a system file on disk. This emulates a new threat which is not in your signature database. The three tests were not detected in real-time or via a scan. The target files were damaged and the files were not repaired. These tests were undertaken with and without an Internet connection.

    ~interact
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Sure, no program is perfect - not making any claim that Edge is perfect at all. (Also, do you have heuristics enabled? I'd bet that Edge would have blocked it with heuristics on ;))

    Ironically, I just came across a piece of malware which modifies dozens of system components and patches them with its own code, loads a rootkit and hides its service, then proceeds to collect personal information from the user and send it out.

    I then proceeded to test it against identical system images of 20 odd AVs, all up to date, all with maximum heuristics enabled. None of them found it on demand, and none found it on access during the infection.

    I then ran it against Edge (after making sure it was not already marked in our database to have it be a fair test) which blocked it before it installed, so, for good measure and out of curiosity, I allowed it to install, despite Edge's recommendation, and then Edge subsequently blocked the driver as it was attempting to load - citing first a 'Cloaked Malware' infection, followed by an "Age/Spread" violation (one of our heuristics) on the driver.

    We can go back and forth all day, but, Edge provides real protection to users against real threats. It may not be 100%, but if you do happen to find a program which blocks 100% of threats with no false positives, I will happily buy hundreds of licenses and use it on all of my computers and pass it out to everyone I know so that we can finally, once and for all, rid the world of malware!! :)
     
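The offline-tracking behaviour PrevxHelp describes earlier in the thread (files that could not be checked are rechecked once the connection returns) and the "Age/Spread" heuristic mentioned in the post above, sketched as an added Python example. This is not Prevx's code: the community database contents, the thresholds (3 days, 50 hosts) and the verdict names are constructed assumptions for illustration only.

```python
from dataclasses import dataclass, field

# Constructed "community database": sha256 -> (verdict, first_seen epoch, host_count).
# Every hash and number here is made up; none of it is Prevx data.
NOW = 1_226_620_800  # constructed "current time" in epoch seconds (Nov 2008)
COMMUNITY_DB = {
    "aaaa" * 16: ("bad", NOW - 86_400 * 30, 5_000),           # known malware
    "bbbb" * 16: ("good", NOW - 86_400 * 400, 250_000),       # known clean
    "cccc" * 16: ("unknown", NOW - 3_600, 3),                 # new and rare
    "dddd" * 16: ("unknown", NOW - 86_400 * 200, 40_000),     # old and widespread
}
MIN_AGE_SECONDS = 86_400 * 3   # assumed threshold: younger than 3 days counts as "new"
MIN_SPREAD_HOSTS = 50          # assumed threshold: fewer than 50 hosts counts as "rare"


@dataclass
class Agent:
    online: bool
    pending: list = field(default_factory=list)  # hashes seen while offline, to recheck later

    def classify(self, sha256: str, heuristics: bool = True) -> str:
        """Return the verdict for a file hash, or 'pending' if no lookup is possible."""
        if not self.online:
            # No connection: remember the file so it can be rechecked on reconnect.
            self.pending.append(sha256)
            return "pending"
        # A hash the community has never reported is treated as first seen now, on one host.
        verdict, first_seen, hosts = COMMUNITY_DB.get(sha256, ("unknown", NOW, 1))
        if verdict in ("bad", "good"):
            return verdict
        age = NOW - first_seen
        # Age/Spread heuristic: a file that is both very new and very rare is suspicious.
        if heuristics and age < MIN_AGE_SECONDS and hosts < MIN_SPREAD_HOSTS:
            return "age/spread violation"
        return "unknown"

    def reconnect(self) -> dict:
        """Connection is back: recheck everything that was queued while offline."""
        self.online = True
        results = {h: self.classify(h) for h in self.pending}
        self.pending.clear()
        return results
```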
  24. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    but isn't that what the guy is saying. malware will seek to neuter the protection by severing its supply line (the network connection)?


    Mike
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    That's where a HIPS program comes to save you in real time by protecting your host file:thumb:
     