High heuristics FPs

Discussion in 'Prevx Releases' started by Page42, Sep 28, 2009.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I run Prevx heuristics at maximum, and I understand that this can create a lot of FPs. That said, I thought you might be interested in this...

    A few days ago I installed an avast! upgrade (to v4.8.1356). I run a scheduled daily Prevx scan and it has not alerted on any avast files.

    Just now I ran a Hitman Pro scan, with Prevx Edge protection active during the scan, and Prevx lit up on about a dozen avast files. This same thing happened about a month ago as noted here.

    At the time I was asking if you would consider a 'Select All' choice in the Detection Override section. I'm dealing with the same situation today.

    I don't understand why it takes a Hitman Pro scan to make Prevx hit on these avast files? And as I said, I am sure the FPs are due to my heuristics settings being high... but don't you guys make adjustments for new versions of programs like avast?

    Anyway, I wanted to document these Age/Spread Criteria Violation FPs in case there was something you wished to do with them.
     

    Attached Files:

  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The cause of this is most likely due to the way that Hitman Pro loads files. Hitman Pro and MalwareBytes both load files in a way which can trigger extra analysis in our engine and when our behavioral analysis components see a different program (i.e. Hitman Pro) loading the drivers, it triggers extra red flags which could be causing the FPs to be found outside of the normal scan process.

    However, heuristics at high or maximum levels intentionally warn on files like these - drivers which modify low-level areas in the operating system. I'll see what we can do to add exceptions for Avast in particular but we aren't planning on diluting the heuristics for drivers like this as once something loads into kernel mode, there is technically nothing that any software protection can do, so Prevx is very suspicious of anything new or mildly threatening loading into kernel mode.
     
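To make the "age/spread criteria violation" idea and the requested 'Select All' override concrete, here is a small constructed Python model (an added illustration, not Prevx's engine or any code from the thread). The thresholds, the point weights, the list of scanner processes that trigger extra analysis, and the sample file facts are all assumptions; the model only shows how a file that is new and rare, loaded by a third-party scanner, and running as a kernel driver accumulates suspicion at higher heuristic levels, and how an override list silences it.

```python
"""Constructed model of an age/spread heuristic with a detection-override list.
Illustration only: thresholds, weights and trigger names are assumptions,
not the real Prevx engine logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Heuristic level -> (files younger than N days count as "new",
#                     files seen on fewer than M systems count as "rare",
#                     score at or above which the file is reported)
LEVELS = {
    "medium":  (3, 500, 6),
    "high":    (14, 5000, 4),
    "maximum": (30, 50000, 3),
}

# Loader processes that trigger extra behavioural analysis (assumed names).
SCANNER_LOADERS = {"hitmanpro.exe", "mbam.exe"}


@dataclass(frozen=True)
class FileFacts:
    path: str
    vendor: str            # signer / publisher name
    first_seen: datetime   # when this file hash was first seen community-wide
    prevalence: int        # number of systems reporting the same hash
    is_kernel_driver: bool
    loaded_by: str         # process that opened or loaded the file


@dataclass(frozen=True)
class Verdict:
    path: str
    flagged: bool
    score: int
    reasons: tuple


def evaluate(facts: FileFacts, now: datetime, level: str, overrides: frozenset) -> Verdict:
    """Score one file under the given heuristic level and override list."""
    max_age_days, min_prevalence, report_at = LEVELS[level]
    if (facts.vendor, facts.path) in overrides:
        return Verdict(facts.path, False, 0, ("detection override",))
    reasons, score = [], 0
    if now - facts.first_seen < timedelta(days=max_age_days):
        reasons.append("age criteria violation")
        score += 2
    if facts.prevalence < min_prevalence:
        reasons.append("spread criteria violation")
        score += 2
    # Extra red flags only matter once the file already looks new or rare.
    if score and facts.loaded_by.lower() in SCANNER_LOADERS:
        reasons.append(f"loaded by third-party scanner {facts.loaded_by}")
        score += 1
    if score and facts.is_kernel_driver:
        reasons.append("kernel-mode driver")
        score *= 2
    return Verdict(facts.path, score >= report_at, score, tuple(reasons))


def select_all_overrides(verdicts, files) -> frozenset:
    """Build an override entry for every flagged file in one step ('Select All')."""
    by_path = {f.path: f for f in files}
    return frozenset((by_path[v.path].vendor, v.path) for v in verdicts if v.flagged)


# Constructed sample data: a freshly updated AV driver opened by a scanner,
# and a long-established, widely seen user-mode file.
SAMPLE_NOW = datetime(2009, 9, 28)
SAMPLE_DRIVER = FileFacts(r"C:\Windows\System32\drivers\exampleav.sys", "ExampleAV",
                          datetime(2009, 9, 24), 8000, True, "HitmanPro.exe")
SAMPLE_OLD_FILE = FileFacts(r"C:\Program Files\Common\oldtool.exe", "OldTool",
                            datetime(2008, 1, 1), 2_000_000, False, "explorer.exe")


def demo() -> dict:
    """Run the sample files through each level, then silence them via 'Select All'."""
    results = {}
    for level in LEVELS:
        results[level] = [evaluate(f, SAMPLE_NOW, level, frozenset())
                          for f in (SAMPLE_DRIVER, SAMPLE_OLD_FILE)]
    overrides = select_all_overrides(results["maximum"], [SAMPLE_DRIVER, SAMPLE_OLD_FILE])
    results["overridden"] = evaluate(SAMPLE_DRIVER, SAMPLE_NOW, "maximum", overrides)
    return results


if __name__ == "__main__":
    for level, verdicts in demo().items():
        print(level, verdicts)
```

At "medium" the four-day-old driver is neither new nor rare under the assumed thresholds and scores zero; at "high" and "maximum" the age violation, the scanner loader and the kernel-driver multiplier push it over the reporting threshold, while the established file never scores. The override set built by `select_all_overrides` then returns the driver as "detection override" on the next pass.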