Future Changes to Prevx

Discussion in 'Prevx Releases' started by Triple Helix, Jun 13, 2009.

Thread Status:
Not open for further replies.
  1. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    The aim of this thread is to give feedback to Prevx as to changes we would like to see in future upgrades of Prevx.

    TH
     
    Last edited: Aug 31, 2010
  2. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    1) The "Save Scan Result" does not work fine if the SelfProtection Setting is at Maximum. I would not like to see that behavior in the next upgrade.
    OS is Vista HP SP2.

    2) I would like to have a real behavior monitor/blocker implemented in the next upgrade. (PrevX installs a file system filter, a Process Creation Notification callback and a handful of hooks to prevent process manipulation. But I can't see a real BehaviorBlocker. So in fact PrevX is a very powerful cloud-based antivirus product, but it does not prevent the user from being owned by a targeted attack. That could be better.. ;) )
     
  3. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    1. keyboard support :)
    2. multilingual. German would be nice :)
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This will be fixed ASAP :)

    Although Prevx may not look like it hooks much in the system, we gather more than enough data (you can't see a majority of the analysis which exists server-side and you also can't easily see the protection which is loaded on the fly as suspicious programs run ;))

    Targeted attacks are even easier to protect against - our community view can see how popular a program is so if a program is trying to enter your system which is a targeted attack (i.e. - only seen by your system across the entire community), it can be immediately blocked by Age/Spread heuristics (Settings > Heuristic Settings).
     
  5. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Ok. :)


    That's too easy Joe.. ;)
    So how do you analyse the file at the server? Only a checksum is submitted to the server so how should the server analyse the behavior of the file?
    And how can the PrevX Client analyse the behavior of a file without having an emulator included?

    Which settings are necessary for that detection? Because a friend of mine wrote a test malware sample and tested it on his machine. The file was not detected!
    About 5min later he again tried to execute that test file. Now it was detected by the cloud. He tested that with several samples.
    Settings were at default. So where is the zero-day/first seen proactive protection?

    my best regards

    PS:
    Yes! German would be very nice! :)
     
    Last edited: Jun 14, 2009
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The server does not only receive a checksum - it receives a large amount of data about the program itself and we obviously can't go into full detail of our technology as to how the client/server is able to analyze the file ;)

    You can increase the settings to Maximum in the Settings > Heuristic Settings page which will block programs as you've described. The default settings are strong enough for virtually all real-world threats, however, but Maximum makes it nearly into an "Anti-Executable"/whitelisting protection system.
     
  7. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Ok no problem about that. I trust your statements.


    That is no problem for me because I will use PrevX with highest settings.
    So Prevx with increased settings will definitely protect me against targeted attacks?
    Every AV product has gaps in its protection and I just want to know where Prevx's gaps are....
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, it will tend to produce more FPs as well (just because it is conceptually blocking untrusted programs) but it will block any targeted attacks. You mentioned something about writing software - if you are a software developer, you're going to want to add your build directories to the ignore list in Prevx - otherwise we may get quite annoying for your testing :D
     
  9. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Many thanks for the detailed reply on this sunny Sunday!

    Do you have no real weekend? =)

    ^^ I will definitely do so... :argh:
     
    Last edited: Jun 14, 2009
  10. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Faster processing of data as full-screen detection is already on the list. I know that you've already mentioned the Age/Spread heuristics are being improved, so... ;)

    Don't remember... would the full-screen detection be default, or is there a really good reason not to?
     
  11. scmp

    scmp Registered Member

    Joined:
    Jun 14, 2009
    Posts:
    3
    Hello,

    I'm a Systems Engineer working for a nationwide (US) IT consulting company and several months ago I ran across your product. Now, I'm recommending PrevX left and right even against my company's policy (those in charge of selecting technologies that will be recommended to our clients and supported by us, are still stuck on the usual bloatware - Symantec, Trend Micro, McAfee, etc). Luckily I have room for decision when my direct accounts are concerned and they will not see any trace of Symantec "security" products on their computers. If I need to clean an infected workstation, I give them the option to either pay us for several hours to clean it or maybe rebuild it or pay $29.95 for a 1 year PrevX license and have their computer cleaned in minutes.

    That being said, sometimes it is difficult to implement and manage PrevX at certain clients. The agent-server model needs to go away since most businesses have remote users that rarely come back to the corporate network to update the AV client and report back to the server. Here the cloud model works perfectly, and in the PrevX case the MyPrevX console is more than enough to check on overall status. What is missing though is a more granular control on deployed agents, mainly whitelisting. If I roll out PrevX to 50 computers and something generates a false positive on all of them, I have quite a situation to deal with. But, if I could whitelist it from MyPrevX, then I wouldn't have to worry about much. Deploying the agent directly from MyPrevX and licensing it at the same time would also be a good feature to have.

    So, I want to congratulate you for this great product and submit my wish list:

    1. Granular agent control from MyPrevX
    2. Possibility of deploying it from MyPrevX, already tied to the license.

    Cheers
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    We completely agree with your suggestions and I will forward them onto the MyPrevx development team. We have planned on adding the ability to put overrides in place in MyPrevx as this is definitely a very powerful tool.

    One feature which is not self-evident is the ability to run a silent installation/scan/report to MyPrevx if the installer executable is named with the license key as the filename. I'm not sure if this will help with all of your clients, but if they name the installer exe, for example: 12345678-1234-1234-1234-123456789123.exe, it would then automatically use that license key and report into MyPrevx with the associated scan results.

    We will work on automating this process, however, to try and make the deployment/usage as seamless as possible.

    Thank you for your suggestions! :)
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It will be default and there really isn't a good reason not to :D
     
  14. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    @Habakuck:
    Despite what everyone else is saying, PrevX is NOT a 0-day protection product per se. It relies on cloud-based signature and behavioral cross-referencing; if both of these criteria fail, you will get infected (just like your friend with the test program he wrote), even though behavior analysis KNOWS the process is malicious. So when a true 0-day comes out, you better hope you're guy #2 in line, as if you're #1, you will get infected and will need to wait for signature and/or behavior analysis to be available via the cloud. You will probably get new signatures pretty quickly and everyone after you will be protected, but you WILL get infected nevertheless.
    To be fair to PrevX, however, true HIPS with 0-day protection is VERY labor-intensive to configure and maintain, and close to impossible to deploy in a dynamic corporate environment. If your environment is balanced and somewhat static, products like Cisco Security Agent (formerly Okena) would suit the bill better.
    This brings me to my request which I posted in the "delayed detection" thread: I would like to see an ability to configure how much the behavioral engine relies on cross-referencing behavior with the cloud. I want to be able to control this option based on what I feel is necessary in my particular case, and not have PrevX decide for me across the board. My understanding is that it was an option in v2.0 but has been dropped in v3.0.

    @scmp: I disagree on dropping client/server infrastructure in favor of portal-based, hosted management. This may be a desirable option for smaller consulting companies, but for a large enterprise, hosting security products like this usually is not an option for a variety of reasons. Again, as in my point above, this is probably something you want to have control over, versus a vendor-controlled situation.
    On third-party tools, we had a sales guy call Symantec to help them troubleshoot an infection that was coming back after SEP couldn't clean it. After about two hours on the phone and desktop sharing, the Symantec tech downloaded Malwarebytes and cleaned the machine in a single scan. Talk about faith in their own product! :)
     
  15. scmp

    scmp Registered Member

    Joined:
    Jun 14, 2009
    Posts:
    3
    @PrevxHelp Thanks for the follow up, looking forward to v.4

    @dlimanov I understand your point, however even with server/client you still rely on the vendor to provide the signatures and scan engines. Clients will get them from the server instead of directly from the vendor but it is still the vendor that has to make them available in the first place. For offsite users that's a problem - from what I see they rarely have updated definitions. For remote users, their connections to the corporate network are usually slower than to the internet so why tie up the WAN links getting AV updates? About SEP and their use of Malwarebytes, that's funny... not very surprising though :)
     
  16. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I would like to refresh my claim number 2).

    I think PrevX would be a perfect, complete product if there is a HIPS, IDS or real behavior blocker implemented.
    I would really like to use PrevX as a standalone but I can't trust it up to 100% because it has, in my opinion, no real protection against threats which are unknown in the cloud.
     
  17. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Thanks for allowing this thread to run:
    @PrevX Help:
    ;)
    An "advanced module" to fulfill the need to block all/any if wanted
    ??
    I'm stumbling along here: always want more ;)
    That comment might be harsh but close to reality ??
    Pertains to above and 'the lost functions' for those who want them.

    I really do appreciate the current implementation, but, as noted, targeted at those who don't wish to interact so often, and, for absolute ease of use. However, then might be dependent on 'second look/second run' after install and from the cloud analysis.

    As noted elsewhere, some current 'rogues' have no malware characteristics and so succeed in getting installed.

    What about a 'block and send to Px' module for those who might need it ??

    Regards
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Trying to trust a single product 100% is the fault here :) No product, Prevx included, is perfect. We detect more than 20,000 new bad programs every day, thousands of which are detected on the absolute first time they are seen but yes, like everyone else, we periodically miss threats - however, the benefit with our protection is that we then detect them quickly because we can still analyze the data and correlate it to other new programs/techniques.

    You appear to be looking for a pure HIPS/behavior blocker which Prevx is not. While we are planning to add in more techie-oriented controls in the future, a basic behavior blocker is not what we're trying to develop.
     
  19. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Don't get me wrong. PrevX is the most powerful antivirus solution I know and I will definitely buy several licenses, but I would like to have proactive detection in the next upgrades. What's wrong about that?
    I just said: PrevX would be perfect if it blocks totally unknown malware by blocking malicious behavior.
    Implementing that would turn PrevX into a very very good standalone application and that would be absolutely fantastic.

    PS:
    Go on please... :)
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,951
    Location:
    USA
    I would like to see the HIPS protection offered by Prevx 2.0 Expert Mode integrated back into Prevx 3.0.
     
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I want to see the active number of processes being protected by Prevx in the GUI, and, I want to see a tray icon like version 2.o_O
     
  22. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Can someone post v2 screenshots, mainly the HIPS part of it? I am mighty curious what is missing from v3.
    :p
     
  23. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    for dlimanov:
    from PX v2 help file : quick summary, if you want more pm me

    Screenshot of control options.
     


  24. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Dammit, these are exactly the things I wish v3 had.
     
  25. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    same here! :argh:
     