prevx malware submission fail

i submitted a zip file containing about 150 pieces of malware to prevx as none of the items were being detected, a day later i checked the zip file again and only 9 items were being detected, something was not quite right here so i was liasing with prevx support for 2 days, after 2 days still only 9 items were being detected, all other files get 25+hits on virustotal so they are definately viruses (and i have tested them myself).

what's going on here?

do you guys want me to post the conversation i had with prevx help?

 

If prevx help doesn't mind, why not?.

But first, did you try tu run the samples or did you just perform a scan?.

 

i ran the samples and uploaded most of them to virustotal where they got plenty of hits, will post prevs support log now

 

It has been said many times that Prevx's strength is in detection on execution, and not on right-click scans. Sure, some things will be detected this way, but the running of a program is where it reportedly excels at.

I also believe it will not detect files that are archived; the files contained therein are dormant until executed.

 

PLEASE NOTE, START READING FROM THE BOTTOM OF THIS POST

~snip~ Private support conversations are not allowed to be posted

 

and i ran the executable in question but only the dropped file was detected, not the initial file

 

It's against Wilders Forums' policy to post direct links to malware.

 

I don't think you should be posting private support conversations on the forums without there consent?

TH

 

read the full thread again, there are no links, i have blanked them out

 

as far as i am concerned, i am a paying customer who has a right to answers, prevx help used to be very helpful to me but they have been very unclear and incompetent this time around by not adding this EXECUTABLE to their database of signatures. i really love the prevx software though, its second to none

 

Hello,
It is likely that these samples are not spreading throughout the Prevx community. Many users send in samples like this, sometimes including infections that are upwards of 25 years old and definitely not a threat to anyone using a modern OS so we don't focus on adding them. Right clicking and scanning a file within Prevx.

Our research team said that they would be looking closer at it but if you'd like, please send the archive or a link to it to report@prevxresearch.com and we'll take another look at the archive as a whole.

 

Read your post again. You asked if it was OK to post a link and I just answered you.

 

what are you talking about? i copied and pasted the (now removed) comment from the prevx help website, i was not asking you, i was asking the prevx guy.

 

cheers

 

Then I strongly recomend you the use of a new development called "quotation marks". It feels a bit like cheating but helps a lot when posting past comments.

 

i strongly recommend you read the last sentence of my first post.

i dont know if you know this but i dont need to put quotation marks in a post where in the previous post i have already stated that i will copy and paste A CONVERSATION I HAD WITH PREVX SUPPORT.

please only post things that will be of benefit to this thread, please

 

treehouse786 i know the feeling I've sent undetected samples before which never got acknowledged and remained undetected for some time afterwards ?

Yesterday i found ro.exe on the web



which most at VT detected but Prevx didn't. I thought about sending it, but then decided not to bother due to previous experiences.

Another no detect here for Prevx if they want it https://www.wilderssecurity.com/showthread.php?t=274520

I and others have asked for a direct way of uploading malware to Prevx via the GUI to make it easier/quicker for both of us, but as yet it hasn't happend. Other vendors do provide this method. Also by submitting to VT etc, Prevx should already have them and then detect ALL of them, but obviously don't ?

Quote PrevxHelp

25 year old stuff "might" not be a problem, but what about ALL the other samples that are not spreading throughout the Prevx community but still ARE malware. Shouldn't everbody be protected as much as possible, even if it's only one of us who gets hit first. Someone always is first anyway. It sounds like you wait until more people get hit before you fully protect ?

I'm not been funny i assure you, but i believe a rethink on these points would be welcome asap

Edit, more info

 

excellent post CloneRanger, i was just about to post something similar, they really do need to rethink their user malware submission and malware testing methods. in fact i was quite shocked that that they wont consider adding signatures for malware if not enough people are infected by it. prevx is already a top product but just imagine how excellent it would be if they actually added all the user submitted malware to their database regardless of how many people have 'seen' the file. please prevx sort something out

 

This isn't our policy - we will add any malware submitted but if some samples aren't seen by our community, we logically wouldn't find it (i.e. old DOS samples). We obviously want to detect all samples if possible and every sample submitted through VT or other sources is analyzed but be mindful that we see more than 250,000 new programs every day and more than 30,000 unique new infections every day so testing against small groups of samples is not statistically significant. Many tens of thousands of infections are blocked every day on the first user seen.

We check every sample sent to report@prevxresearch.com but we generally don't respond to false negative submissions because most users who submit samples just submit samples in bulk and Prevx already finds almost everything that gets submitted to our submission address.

If you are seeing samples of a certain type get past Prevx and would like a more direct line into our research team, send me a PM and I can get you in contact with one of our researchers directly.

The reason why we don't have sample submission implemented in the product has been discussed quite a few times already on the forum, but it is primarily because the product itself already sends all of the relevant information up to the Prevx database. At times some samples may need some additional coaxing by manual researchers to add detection but this is extremely rare in comparison to the massive number of threats automatically detected by Prevx. Including a discrete sample submission tool within the product would complicate this when simply sending in the 40 byte PX5 checksum would suffice or adding a detection override to block the file (which submits the override directly to our researchers).

Let me know if you have any questions

 

From your screenshot, it shows that you're using the SafeOnline version. The discrete SafeOnline version dilutes the malware protection aspects of Prevx to make a more user-friendly experience by dialing out false positives almost entirely. It may be worth increasing your heuristic settings to get detection rates similar to Prevx 3.0, but note that it is still focused on malware evasion from banking threats rather than focused on malware prevention/detection like Prevx 3.0.

 

It would be good to post a FAQ in the form of a sticky thread to deal with recurrent questions about Prevx policies from new users like this one.

 

I agree - definitely will save having to rehash discussions

 

thank you for the clear answers PrevxHelp, much appreciated. i genuinely believe that prevx 3.0 is the only 'antivirus' worth forking out money for. hell, you a plc? might buy some shares

cheers everyone

 

@PrevxHelp

I do realise and empathise that you and all the other vendors are swamped by the amount of new malware EVERY day, and i don't envy you. But as you say ALL new files, malicious or otherwise, are auto PX5'd and analyised for malware, then i would have thought that even one new dodgy file must alert you for either auto inclusion, and/or manual further analysis ? And therefore after positive ID of malware, get included, even one new file, so i don't understand why it/they are not ? Unless it's down to our settings, as in heuristics settings etc ? But even so, i would have thought this should only be appilcable to unknown files. And after auto etc confirmation as real malware these should be detected ?

Well you learn something new every day i wasn't aware that Prevx and PSO were so different, i thought PSO was an add on to Prevx I originally had Prevx3 and just installed the Facebook PSO over the top, thinking it was extra code that got included into P3. It now sounds like P3 was auto uninstalled as in installed PSO ? According to what you said, i and others in a similar position, now have less protection in some ways than before

Alerting people to this happening and why etc etc in future before install, and offering them a choice of halting the install if they chose to, would be better i think.

 

Yes, indeed details on every file are already sent up to Prevx automatically but not all software can be deemed malicious immediately. After determining a file as malicious or writing a rule to do so, it will be automatically blocked across our entire userbase but there are indeed difficulties with detecting some samples (server side polymorphism, etc.)

PSO is an add-on to Prevx 3, but when PSO is downloaded as a separate version, it will function differently. You'll notice that the initial learning scan will not report any infections and scheduled scans won't pop up warnings. Malware will still be blocked but only when it is verified as not being a false positive. However, if you use the main Prevx 3.0 product, you will receive the best of both worlds - the full antimalware protection as well as the SafeOnline layer on top. SafeOnline by itself is positioned to our bank customers and other users who just want to bank safely online without having to deal with complex things like malware cleanup and interpreting detections.

Hope that helps!