"Detection Overrides" overriden?

Discussion in 'Prevx Releases' started by ruinebabine, May 14, 2010.

Thread Status:
Not open for further replies.
  1. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    As was suggested to me in this thread (now closed), I tried to use the "Detection Overrides" feature to exclude the C:\$ISR\ folder from the PrevX scan.

    [attached screenshot: over.png]

    But it does not seem to be working for me:

    [BP] c:\$isr\8\program files\_nirsoft tools\asterisk logger\astlog.exe [PX5: 98BDFDE000DC9C5B567A003AF347E10095B6C47A] Malware Group: Medium Risk Malware
    [BP] c:\$isr\8\program files\_nirsoft tools\regdllview\regdllview.exe [PX5: AEFFA50A00BA5DE9865F00FD3830D300955C8485] Malware Group: Medium Risk Malware
    c:\$isr\8\program files\_nirsoft tools\asterwin\asterwin.exe [PX5: 1F77BBDA00B1A9FC2258007D290DA20072207A76] Malware Group: High Risk Cloaked Malware
    [BP] c:\$isr\8\program files\_nirsoft tools\iconsextract\iconsext.exe [PX5: 819C9EEB0075301766A40016F1AE510026D55842] Malware Group: Medium Risk Malware
    [BP] c:\$isr\8\program files\_nirsoft tools\mail passview\mailpv.exe [PX5: DCA3068E00844682B8A80085DFB813006929EC87] Malware Group: High Risk Cloaked Malware
    c:\$isr\2\program files\winhttrack website copier\httrack\winhttrack.exe [PX5: 018A503E001CC18F907D06B370420700DF4EF820]
    [G] c:\$isr\$app\isrcontrol.exe [PX5: 4268688A00D3907DA00B01A951A54300ACCE0605]
    [G] c:\$isr\$app\isrviewlogs.exe [PX5: 75952E8F008D3F3350FB016B1B4AD700BED34A43]
    [G] c:\$isr\$app\isrmonitor.exe [PX5: 6828C6720070C7EB00A90148714A8900CD0F4588]
    [GP] c:\$isr\8\program files\_nirsoft tools\shortcutsman\shman.exe [PX5: B07CE54E00DB3A2C82A400FF8B691F002180717C]
    [G] c:\$isr\8\program files\_sysinternals tools\pagedfrg.exe [PX5: 99DE6BD1789DFEAE4BA7032630113B00C9C2FB24]
    [GP] c:\$isr\2\program files\safarp\safarp.exe [PX5: 807B1EDD004C9876BEEE00755847A700384345BC]
    [GP] c:\$isr\2\program files\regseeker\regseeker.exe [PX5: EA42CF2500B8574EC44F051E8A8E0100C5356EC2]
    [G] c:\$isr\$app\isrcmd.exe [PX5: 3EB000760013E471C098016C05C76B0098937D29]

    (...)

    Could you please tell me what I am doing wrong?

    PS: And where could I find a list of those [LETTER] tags (G, U, BP, et al.) and their meanings?
     
    Last edited: May 14, 2010
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Send a scan log as Cudni posted in his link! And ask questions in your email to them! But as for the override, it's best to let Joe explain the proper procedure for this one!

    B, BP - "known bad" - the file would be found regardless of your heuristic level

    G, GP - Known good - these files are definitely clean and malware free

    U, UP - Untrusted - we aren't blocking this file but we don't fully trust it just yet (although it is most likely safe)

    HTH,

    TH
     
  4. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    First, thanks both for your replies.

    @ Cudni

    Ok, but I will first wait a bit more for Joe's reply here to tell me if he needs it, because this scan result would be the exact same as the one I sent to him yesterday (but no more FP on XP Syspad :thumb: ).
    But the Nirsoft utility tags are no problem for me, and quite frequent with many security apps. What I don't understand is why PrevX continues to scan the huge FD-ISR folder after I entered this path in its Detection Overrides...

    @ Triple Helix

    I will then see what Joe's word is on this feature and how to use it efficiently in my case.
    Btw, I don't understand why some specific G & GP labels are included in the report if the files are known and certified clean!
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    In the current implementation of Prevx's detection overrides, they are just that - only detection overrides. The folders will still be scanned, which is likely the cause of the slowdown, and we currently don't have a feature to fully exclude a folder from being scanned because of the security implications of it. However, if you could send a scan log to report@prevxresearch.com, we should be able to speed this up. It may be worth asking if you're using the default "Deep Scan" feature or if you're using the full system scanner - the latter is largely unnecessary because the Deep Scan (the normal Scan My PC Now scan) will scan all active programs and programs that can become active.

    We do tend to include some of the G files in the log as well - primarily for analytical purposes (i.e. if the user is using a legitimate version of Java but it is outdated/vulnerable).
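    The scan log format shown in the first post, the B/G/U flag legend from Triple Helix's reply, and the override semantics PrevxHelp describes above (files under an override path are still scanned; only the report is suppressed), as an added example in Python that is not part of this thread or of Prevx: a parser for those log lines and a function that applies a path override the way the post explains it. The names Entry, parse_log, under_override and apply_overrides are my own; the first four sample lines are copied from the first post, and the last one is constructed (placeholder hash) to show a file outside the override.

```python
"""Parser for Prevx-style scan log lines plus a model of a path "detection
override" as described in this thread: every file is still scanned, the
override only suppresses reporting. Added example, not Prevx code; the log
format and flag legend come from the thread, the function names are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Flag legend as given in Triple Helix's reply (B/BP, G/GP, U/UP). The trailing
# "P" is not explained on the page, so the lookup keys on the leading letter only.
FLAG_LEGEND = {
    "B": "known bad",
    "G": "known good",
    "U": "untrusted",
}

# [FLAG] <path> [PX5: <40 hex digits>] Malware Group: <text>
# The flag and the "Malware Group" suffix are both optional in the posted log.
LINE_RE = re.compile(
    r"^(?:\[(?P<flag>[A-Z]+)\]\s+)?"
    r"(?P<path>.+?)\s+"
    r"\[PX5:\s*(?P<px5>[0-9A-Fa-f]{40})\]"
    r"(?:\s+Malware Group:\s*(?P<group>.+?))?\s*$"
)


@dataclass
class Entry:
    path: str
    px5: str
    flag: Optional[str]
    group: Optional[str]

    @property
    def verdict(self) -> str:
        """Meaning of the flag per the legend; 'unknown' when no flag is present."""
        if not self.flag:
            return "unknown"
        return FLAG_LEGEND.get(self.flag[0], "unknown")


def parse_log(text: str) -> List[Entry]:
    """Parse one entry per non-empty line; raise on a line that does not match."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised log line: {line!r}")
        entries.append(Entry(m["path"], m["px5"].upper(), m["flag"], m["group"]))
    return entries


def _norm_dir(p: str) -> str:
    """Windows-style normalisation: lower-case, '/' to '\\', trailing backslash."""
    p = ntpath.normcase(p)
    return p if p.endswith("\\") else p + "\\"


def under_override(path: str, overrides: Sequence[str]) -> bool:
    """True if path lies inside any override directory (case-insensitive, as NTFS is)."""
    n = ntpath.normcase(path)
    return any(n.startswith(_norm_dir(o)) for o in overrides)


def apply_overrides(entries: Sequence[Entry],
                    overrides: Sequence[str]) -> Tuple[List[Entry], List[Entry]]:
    """Return (scanned, reported).

    Everything is scanned regardless of the override, which is why the folder
    still costs scan time; the override only drops matching paths from the report.
    """
    scanned = list(entries)
    reported = [e for e in entries if not under_override(e.path, overrides)]
    return scanned, reported


# First four lines copied from the first post; the last line is constructed
# (placeholder hash) to show a file outside the override path.
SAMPLE_LOG = r"""
[BP] c:\$isr\8\program files\_nirsoft tools\asterisk logger\astlog.exe [PX5: 98BDFDE000DC9C5B567A003AF347E10095B6C47A] Malware Group: Medium Risk Malware
c:\$isr\2\program files\winhttrack website copier\httrack\winhttrack.exe [PX5: 018A503E001CC18F907D06B370420700DF4EF820]
[G] c:\$isr\$app\isrcontrol.exe [PX5: 4268688A00D3907DA00B01A951A54300ACCE0605]
[GP] c:\$isr\2\program files\safarp\safarp.exe [PX5: 807B1EDD004C9876BEEE00755847A700384345BC]
[U] c:\program files\example\tool.exe [PX5: 0123456789ABCDEF0123456789ABCDEF01234567]
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    scanned, reported = apply_overrides(entries, ["C:\\$ISR\\"])
    print(f"scanned {len(scanned)} files, reporting {len(reported)}")
    for e in reported:
        print(f"{e.flag or '-':3} {e.verdict:10} {e.path}")
```

    Note that the override is matched as a directory prefix after ntpath.normcase, so the upper-case C:\$ISR\ the poster typed matches the lower-case c:\$isr\... paths in the log, and c:\$isrx\ does not match; the scanned list is always the full set, which is the behaviour the thread is about.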
     
  6. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Well, with that, it appears that I passed along some bad advice to ruinebabine in this thread, for which I apologize. I honestly thought the feature could be used as an exclusion method, as it seems to accept paths without there having been a detection.

    My bad. :(
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No problem at all - I agree that the feature isn't logically in line with what other products do and we will be changing this but because of how Prevx scans the system, it currently doesn't support excluding folders from the scan (only from the reporting).
     
  8. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Yah! Really, no need to apologize, Page42. I know and appreciate that you're trying to help. Only those who never try to help others are immune to any error. So I can only ask you to please continue your good work around here! :thumb:

    I should follow your advice and send my scan log there in the next few days. I'll see then what gives...
    Btw, I was always using the default normal scan.

    Thanks for the info. I can understand the logic of this now.
     