All heuristic settings set to Max - no prompt on new malware?

Discussion in 'Prevx Releases' started by raven211, May 30, 2010.

Thread Status:
Not open for further replies.
  1. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I'm testing new malware on MDL with no luck whatsoever in getting a single prompt from Prevx, with all heuristic features set to Max. I even tested running the heuristic analysis AFTER Age and Pop. Nada o_O :doubt:
     
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Please send the files to Prevx as stated in this post: https://www.wilderssecurity.com/showthread.php?t=245129

    Thanks,

    TH
     
  3. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
  4. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Upload some to VT and give us the results only, like how many out of 0/41, but please send them to Prevx as I stated in my first post! Or send me a PM with some of the links and I will test them in my VM!

    TH
     
    Last edited: May 30, 2010
  5. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I've previously checked many rogues with the same result - brand new, no prompt, validated to be fake AVs. See PM for a trojan link. I ran it inside SBIE before with no luck (no prompt).
     
  6. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    I have a prompt when I execute with the link you sent me: Capture30-05-2010-6.53.57 PM.jpg

    And these are my settings: Capture30-05-2010-6.57.43 PM.jpg

    And VT results: 7/41. And could it be an SBIE conflict?

    TH
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Running samples inside SBIE would likely cause them to either not show any behaviors to the underlying operating system or would cause them to not be scanned by Prevx unless they tried to execute outside of the sandbox.

    Could you try running some of the samples on a virtual machine without Sandboxie limiting the execution?
     
  8. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I'm frequently testing new fake AVs over time OUTSIDE any sort of virtualization/box and have always got the same result, or I wouldn't be reporting this in the first place :D (if it was just run in SBIE/similar all the time).

    Something is screwed with my current installation, I think, since COMODO causes serious and weird problems. SafeOnline will do fine for now; I will test more once I've reformatted, unless you've other suggestions.
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I took a look at the sample you sent and indeed it doesn't do a whole lot on the system. (TH forwarded it to me :)) I suspect that Prevx wouldn't capture enough behavior from it to condemn it as malicious just because it only created a batch script which then deleted the file and made a few innocuous changes to the system.

    Let me know what else you run into - I haven't heard of anything specifically producing incompatibilities between us and Comodo but if you are in a scenario where Prevx isn't blocking known threats (the Trojan Simulator sample is probably the most reliable one to test with), I can definitely try to reproduce it here on one of our internal testing PCs so that we can correct the issue.

    Thanks for the help! :)
     
  10. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Just wanted to report that the newest beta (159) seems to fix the Age and Pop. protection bug. At least it prompted on the new Opera beta when I started it after a reboot (didn't before restart?). Opera doesn't start at boot, so once I started it shortly after, it prompted me in other words - not the previous session.

    Hope that gives any clues.


    Can't find any new pieces of malware to test safely. A trojan which I believe was some hours old got blocked by Norton DNS. :p
     
  11. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Did you end up doing an OS reinstall?

    TH
     
  12. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Personally, I've experienced very bad detection against rogue AVs. But any other threat, Prevx will stop (literally speaking). I heard Prevx 4 will get improved detection against rogue AVs, which will greatly increase the overall protection IMO.
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Not yet - too busy chatting with my gf. :D

    @shadek: Good to know, but as long as it's not bugging, EVERYTHING new will be prevented in the first place.
     
  14. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Yeah, the rogue protection must be better in the future!
     
  15. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Prevx (and I'm sure they'll correct me if this is wrong) relies mostly on behavioural detection, and the problem with rogues is they don't exhibit much in the way of malicious behaviour - all rogues are after is for you to, of your own accord, enter your credit card details and send them to them - again, of your own accord.

    Seriously, if you stuck to reputable companies, or bothered doing some research before buying, or simply used some common sense, you'd never need an AV to tell you 'don't give your credit card details to a box that pops up on your screen without your permission asking for your credit card details.'
     
  16. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    Some of us have said time & again, fake AVs et al (not counting the ones that may include trojans) don't generally contain malicious code per se, so it is more difficult to add detection routines for this class of unwanted program. Anti-malware programs are getting better at detecting these rogues, but there are so many, and new ones keep popping up that don't get detected. :/
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Exactly true (Vikorr's comments as well :)) Rogues are non-trivial to find in the wild and sometimes not even malicious to begin with. We had a long dialog with a company whose product was considered to be rogue by most security products, and we convinced them to make some key changes to their messaging which have now allowed them to be considered legitimate by us and other vendors. It is a difficult balance, and unfortunately these products generally are not doing anything malicious, which is where the problems occur.

    Imagine trying to find a rogue text editor where the only rogue aspect is that its spell check finds too many words as incorrectly spelled when they are correctly spelled... that is exactly the same scenario with rogue antimalware products but rest assured that we do have at least a partial solution in the works for Prevx 4.0 :)
     
  18. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Well then I guess MS Word has been screwed for a long time. :D :argh:
     
  19. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201