Can you PLEASE make it easier to submit suspicious files to you!

Discussion in 'Prevx Releases' started by OliverK, Mar 8, 2010.

Thread Status:
Not open for further replies.
  1. OliverK

    OliverK Registered Member

    Joined:
    Nov 1, 2006
    Posts:
    34
    I recently came across a file which two other products identified as a malicious trojan. I then did a scan with Prevx and ... nothing bad was detected.

    Well, I thought I would then do the right thing and send that file to Prevx Corp so that everyone else using Prevx could benefit from what my other two programs had detected.

    So, I thought, I'll just press the button which allows the file to be sent to the Prevx programmers, so they could add it to the database, and then hunted for that little button, and hunted, and hunted. And found ... nothing!

    So I just gave up and let the other security programs delete the file.

    QUESTION: Why can't Prevx be given a simple button, on one of its screens, or menus, to SIMPLY allow a file to be uploaded to the Prevx experts for analysis?

    From what I read on this site, it seems the only way to send a suspicious file to Prevx Corp, is to "pack the undetected file in a password protected RAR or 7z archive and use this password: 'infected' (without quotes)" !!!

    Are you guys serious!!! Who can possibly be bothered jumping through all those hoops!

    Can I please ask the Prevx programmers to put on their 'to do' list, a SIMPLE way of sending a suspicious file to Prevx Corp, FROM WITHIN THE PROGRAM ITSELF, that doesn't involve the ridiculous need to zip up the file with some external program, apply a password in the process and then send it via another external program (e-mail) to the recipient! PLEASE!!

    It doesn't take an Einstein to realise that making the process of submitting suspicious files MUCH simpler for the end user, can only increase the benefit to all Prevx users, of those files being added to the Prevx database.

    Thanks.
     
  2. rockdj99uk

    rockdj99uk Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    24
    +1. Definitely a good idea.
     
  3. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    100% - this needs improving.

    I remember a link on the prevx site back during Prevx 2.0 i think, where you could browse the file and upload it directly to prevx.

    is this still there, if so, why isn't it public knowledge on the site?

    (can't check, as obviously, I've forgotten the link) :argh:
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Definitely a good idea! :) :thumb:
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    The difference between Prevx and conventional security products is that if you've scanned a file or have a file on your PC, Prevx already knows about that file. While we may not be able to immediately condemn every piece of malware, chances are if that program is seen active on any other PC, we will be able to quickly flag it as malicious.

    We do, however, encourage manual sample submission, but we feel it would confuse the user if they had extra options within the GUI of Prevx to upload samples, as the data about the samples would have already been submitted.

    In the meantime, submitting them to report@prevxresearch.com is probably going to be the best way if you want to send physical samples. I know it isn't the most friendly system to work with because of how we have our attachment filtering set up but if it's any easier, you could also just send a scan log or just the unique PX5 identifier from a scan log to me via PM and I can add detection from that alone.

    Let me know your thoughts! We're definitely open for input if there is a significant amount of interest in a dedicated submission tool or other means for submitting samples.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @PrevxHelp

    Hi, well you asked :D

    Numerous harmless and malicious new files will be seen by Prevx every day, but unless you actually have them to analyze how will you know which are definitely nasties or not?

    I don't think it would be confusing for most, but it still could be an option for those who want to. Of course it would also help you to get brand new nasties faster, and therefore be able to identify them in Prevx and protect others sooner. An alternative, or as well, would be to have a specific upload page like for eg Avira http://analysis.avira.com/samples/index.php
     
  7. pkidza

    pkidza Registered Member

    Joined:
    Oct 27, 2009
    Posts:
    26
    Hi

    I have had a couple of false positives. Prevx have always reacted quickly when I e-mailed the scan log so that is great! :)

    It would be cool if it was easier to send through submissions though and so I vote for this feature request. I would like some more info in the exclusions list inside the program itself. So you should be able to right click and say report false positive. Then the status should change to "waiting analysis" or something like that. Once it has been confirmed as a FP the status should change to "confirmed false positive" or something like that. Makes it easier to see what is happening and I don't think it will confuse people. Just my 2c.
     
  8. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I support this :)
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Here's an example, just found this whilst surfing [attachment: d3exe.gif]

    Did a right click scan with Avira and Prevx

    [attachment: d3.gif]

    Avira detects it heuristically, but no show from Prevx. That's ok though as nothing's 100%. With Avira I can send it to quarantine and then upload it directly to Avira. If we could do this with Prevx it's gotta be quicker/better for both you and us, yes ;)
     
  10. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    464
    Location:
    UK
    If PrevX is already detecting a file as "bad" there's no point in having a method to send it to them (is there?). They must already know about it!

    AFAIK PrevX will allow you to send them "suspect" files by email when they go undetected by PrevX. I suppose these could be files identified by some other scanner (MBAM, AV program etc).

    It's difficult to see how PrevX can make reporting of such "missed" files convenient through the GUI (it can't distinguish between harmless files and files it thinks are harmless). Any button placed on the GUI would just be for uploading files, so would be a bit divorced from the main aim of the application. A button on the website might be a reasonable approach though. Alternatively, a separate application which let you browse and send a file; this could package the file up as required and email it so the people at PrevX Research wouldn't have to change anything (I could write one if anyone is interested).

    However, one thing that could be better in the GUI is the reporting of FPs. Currently you can right-click a detected file and choose "report as false positive" but it just gets added to the over-ride list and I don't think the file's signature is uploaded.

    Just my thoughts.
     
    Last edited: Mar 16, 2010
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It isn't immediately changed across all users, but a flag is set against our entry in the database. We know exactly how many PCs have detected a file and how many have overridden it - if any file passes a certain threshold, it is sent to manual review. This same thing happens with files added for detection as well.

    I believe our existing systems of using Detection Overrides are quite effective for managing actual threats. If you've let a malware sample run on a PC protected by Prevx, a significant amount of information will be gathered about the infection which is how we will learn how to detect it. The context menu scanner in Prevx will find only a fraction of the threats a normal scan will find, and it doesn't learn any of the data about the file either, which is why it will have a lower detection rate (and likely a lower re-detection rate if scanned later as we wouldn't have received the necessary information to condemn a file).

    Finding one-off files is useful for AV tests but not really effective in the whole scheme of things, which is why we don't have a sample submission form in place. We would much prefer to write generic rules for wide ranging classes of samples rather than add a single sample to our database - and in almost all cases, all that we do when we receive a sample is run it through our in-the-cloud sandboxing/scanning systems. Our corporate/enterprise users can have access to tools to analyze samples on their own networks or submit them to us directly, which is where we see the most volume of submitted samples, but based on what we see to our report@prevxresearch.com address, accepting any range of samples generally creates "white noise".

    For instance, we just had a submission of 1,500+ DOS-era infections to the report@ address and we receive multi-gigabyte archives of infections which we already detect on a daily basis :doubt:

    If you have been infected or a file tried to infect your PC while you were using Prevx, we will already know about the sample so there is not much else that we can learn from having the physical file. In some cases it is useful to get the specific binary if we don't have enough information on the file (i.e. if it was only scanned with the right-click scanner) but the benefit of the Prevx architecture is that if a threat was actually seen by a user, we already know about it and can condemn it by just being told the "PX5" signature (a unique signature which we use to identify specific files, not signatures ;)).

    Let me know if you have any questions on this :) It is significantly different from a conventional AV, and significantly different even from the other cloud AVs so we're definitely keen to clarify any misconceptions.
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @PrevxHelp

    Excuse me if I appear not too bright :D

    I don't understand how you can know about a new malware, if it is new and you, or nobody else, don't have the specific binary yet ?

    In such circumstances when would you know it was malicious?

    Otherwise, I'm thinking, as far as Prevx is concerned it could just be a new legit file, and damage etc. could be done in the interim period.

    This is why I think the upload suggestions would be useful.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Prevx will collect the behaviors and contextual information from a file even without it being submitted. Centrally, we collect this information and store data to be able to undo infections if they were to start spreading. Sample submissions are still useful, but we receive the contextual information on infections immediately as a program runs, as opposed to a sample submission which would come out-of-band.
     
  14. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Hi Joe,

    Can you explain the automation procedure that might help them understand how Prevx works! And just say that I have a couple of confirmed malware .exe files sitting in my download folder and I do a regular scan: will Prevx mark those as malware at some point in time? Some may think: OK, I have these files that I uploaded to VirusTotal and many scanners detect them but not Prevx, and weeks can go by and still no detection; these confirmed malware files are still sitting in my download folder and Prevx still does not detect them, but when I send them to report@prevxresearch.com they get added sooner rather than later! IMHO. Also you said that you get all info from VT when samples are uploaded and confirmed by say half of the scanners, so why does it take so long to add detection of that file?

    TH
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @PrevxHelp

    That's my point, IF. We don't want them to :D

    As we wouldn't be protected with an unknown malware, then us trying to be helpful to you, and others you want to help protect ASAP, providing a simple/quick way of uploading them ASAP would, I would have thought, be beneficial all round. Maybe I'm missing something?
     