"Detection Overrides" overriden?

As was suggested to me in this thread (now closed), I tried to use the "Detection Overrides" feature to exclude the C:\$ISR\ path folder from PrevX scan.

​

But it seems to be not working for me:

[BP] c:\$isr\8\program files\_nirsoft tools\asterisk logger\astlog.exe [PX5: 98BDFDE000DC9C5B567A003AF347E10095B6C47A] Malware Group: Medium Risk Malware
[BP] c:\$isr\8\program files\_nirsoft tools\regdllview\regdllview.exe [PX5: AEFFA50A00BA5DE9865F00FD3830D300955C8485] Malware Group: Medium Risk Malware
c:\$isr\8\program files\_nirsoft tools\asterwin\asterwin.exe [PX5: 1F77BBDA00B1A9FC2258007D290DA20072207A76] Malware Group: High Risk Cloaked Malware
[BP] c:\$isr\8\program files\_nirsoft tools\iconsextract\iconsext.exe [PX5: 819C9EEB0075301766A40016F1AE510026D55842] Malware Group: Medium Risk Malware
[BP] c:\$isr\8\program files\_nirsoft tools\mail passview\mailpv.exe [PX5: DCA3068E00844682B8A80085DFB813006929EC87] Malware Group: High Risk Cloaked Malware
c:\$isr\2\program files\winhttrack website copier\httrack\winhttrack.exe [PX5: 018A503E001CC18F907D06B370420700DF4EF820]
[G] c:\$isr\$app\isrcontrol.exe [PX5: 4268688A00D3907DA00B01A951A54300ACCE0605]
[G] c:\$isr\$app\isrviewlogs.exe [PX5: 75952E8F008D3F3350FB016B1B4AD700BED34A43]
[G] c:\$isr\$app\isrmonitor.exe [PX5: 6828C6720070C7EB00A90148714A8900CD0F4588]
[GP] c:\$isr\8\program files\_nirsoft tools\shortcutsman\shman.exe [PX5: B07CE54E00DB3A2C82A400FF8B691F002180717C]
[G] c:\$isr\8\program files\_sysinternals tools\pagedfrg.exe [PX5: 99DE6BD1789DFEAE4BA7032630113B00C9C2FB24]
[GP] c:\$isr\2\program files\safarp\safarp.exe [PX5: 807B1EDD004C9876BEEE00755847A700384345BC]
[GP] c:\$isr\2\program files\regseeker\regseeker.exe [PX5: EA42CF2500B8574EC44F051E8A8E0100C5356EC2]
[G] c:\$isr\$app\isrcmd.exe [PX5: 3EB000760013E471C098016C05C76B0098937D29]
(...)

Could you please tell me what I am doing wrong?

View attachment prevx_scan(1).log ​

ps. And where could I find a list of those [LETTER]s (G, U, BP, et al.) and their means?

 

i don't think you are doing anything wrong but because of Nirsoft classification as riskware/malware you can't exclude it (Prevx has to)
https://www.wilderssecurity.com/showpost.php?p=1665061&postcount=2

 

Send a scan log as Cudni posted in his link! And ask Questions in your email to them! But as for the override it's best to let Joe explain the proper procedure for this one!

B, BP are "known bad" - the file would be found regardless of your
heuristic level

G, GP - Known good - these files are definitely clean and malware free

U, UP - Untrusted - we aren't blocking this file but we don't fully
trust it just yet (although it is most likely safe)

HTH,

TH

 

First, thanks both for your replies.

@ Cudni

Ok, but I will first wait a bit more for Joe's reply here to tell me if he need it because this scan result would be the exact same as the one I send to him yesterday (but no more FP on XP Syspad ).
But, Nirsoft utilities tags are no problem for me and quite frequent with many security apps. What I don't understand is why PrevX continue to scan in the huge FD-ISR folder after I input this path in its Detection Overrides...

@ Triple Helix

I will see then what's Joe's word on this feature and how to use it efficiently in my case.
Btw, I don't understand why some specific G & GP labeling are included in the report if the files are known and certify cleanly good!

 

In the current implementation of Prevx's detection overrides, they are just that - only detection overrides. The folders will still be scanned which is likely the cause for the slowdown and we currently don't have a feature to fully exclude a folder from being scanned because of the security implications of it. However, if you could send a scan log to report@prevxresearch.com, we should be able to speed this up. It may be worth asking if you're using the default "Deep Scan" feature or if you're using the full system scanner - the latter is largely unnecessary because the Deep Scan (the normal Scan My PC Now scan) will scan all active programs and programs that can become active.

We do tend to include some of the G files in the log as well - primarily for analytical purposes (i.e. if the user is using a legitimate version of Java but it is outdated/vulnerable).

 

Well, with that, it appears that I passed along some bad advice to
ruinebabine in this thread, for which I apologize. I honestly thought the feature could be used as an exclusion method, as it seems to accept paths without there having been a detection.

My bad.

 

No problem at all - I agree that the feature isn't logically in line with what other products do and we will be changing this but because of how Prevx scans the system, it currently doesn't support excluding folders from the scan (only from the reporting).

 

Yah! Really no need to apologize Page42. I know and apreciate you're trying to help. Only those who never try to help others are imunized of any error. So I can only ask you to please continue your right doing around here!

I should follow your advice and send my scan log there next days. I'll see then what gives...
Btw, I was always using the default normal scan.

Thanks for info. I can understand the logical of this now.