Hitman pro cleaning traces behind Prevx

Discussion in 'other anti-malware software' started by ako, Jul 27, 2009.

Thread Status:
Not open for further replies.
  1. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
  2. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Prevx and Hitman kicking ass. Awesome. :thumb:

    How's the system after running both, responsive, most threats gone?
     
  3. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    ive got a question about Hitman, does Hitman scan files using the full potential of the AV's in the cloud (heuristic, rootkit detection etc.) that the AV's normally use when scanning or is it simply their blacklist signatures that it used like VirusTotal?
     
  4. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Interesting question. At least I think Loman is quite active here from time to time, but I dunno how frequent. What I do know is that it doesn't use the full potential of Prevx, at least not last time discussed.

    Joe, what is the status on Hitman Pro's implementation of your engine? Since it's indeed a part of Loman's software I figured you must be involved somehow in the development and implementation of your own in theirs.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    They use a very old version of our engine and I believe they choose files to scan based on their own decisions rather than what we choose which may explain some difference in detection.

    For Prevx's implementation, Hitman is in-between VirusTotal and the full Prevx 3.0 product regarding effectiveness but much closer to the full product than VT is :) I *think* they have some of their own rootkit detection but they don't use any of ours.
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Did they not come to an agreement with you, or just the agreement to "implement" your engine and market your product on their page?
     
  7. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    Hitman uses its own engine on the local system. It uploads suspect files to the cloud where they are scanned by the various engines. As Joe has pointed out, the Prevx engine is an older version with reduced functionality. The other engines are all full versiona and up to date as far as I am aware.

    Puss
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Not sure what you mean by agreement?
     
  9. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I mean, how were they able/permitted to implement your engine in the first place, and so on with the technical details? I can't imagine the engine lying around free for everyone. :D
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes we aren't quite THAT open :D We have let them integrate it/interface with our cloud - they're using many of the components of the default installation, just in a different way from the normal user interface.
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,027
    Location:
    Hengelo, The Netherlands
    To shed some light on the Prevx integration:

    Hitman Pro version 2.x installed a lot of software on a computer, including Prevx CSI 1.0 and ran them after each other.

    Hitman Pro version 3.x does not install any third party software anymore. Instead it uses cloud computing to consult various anti-malware technologies from several partners, including Prevx.

    Hitman Pro version 3.x performs a behavioral scan on the PC and submits suspicious files to the scan cloud.

    It is this unique behavioral scan that can pick out of 400.000 files (on average on a Vista machine) the suspicious files. And it is this behavioral scan that can correlate registry keys and data files with the suspicious files to perform the clean up.

    It is the behavioral scan that makes Hitman Pro so fast. And it is Prevx that identifies most of the new malware that isn't yet detected by the other partners.

    And when even Prevx doesn't know it, the behavioral scan in Hitman Pro still displays a score to give a sense of the suspiciousness of a file (a score > 20 is really suspicious). In EWS mode you get more unknown suspicous files to show up when you have no connection with the internet (hence, the cloud).

    So Prevx is not used on the PC as of Hitman Pro version 3.x. But our clouds are connected.
     
    Last edited: Jul 27, 2009
  12. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Thanks, Erik. ;) Is the behavioral scan the "Early score"-thingie, or is it always in action when using HP?
     
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    The Behavioral Scan is actually my thingy so let me explain a bit on that one. The Behavioral Scan is the core of Hitman Pro 3.x and everything in Hitman Pro 3.x is based on it. This scan is actually a balanced scoring model which is based on the fact that cybercriminals scramble or minimize static and dynamic information in or relate to a file. The more barriers criminals throw in to evade or complicate research and detection, the more suspicious a file is. To get an idea, here is a very brief list of some of the information Hitman Pro 3.x tries to determine and is able to correlate:
    • where a file comes from
    • how it got on your PC
    • which publisher created it
    • what purpose it has
    • whether it can be uninstalled appropriately
    • if it is visible for the user and through Windows API's
    • if it's communicating with unreliable computers on the internet (consults public blacklists)
    • if it's compressed or encrypted (also known as entropy)
    • if it has anomalies commonly found in malicious software (we analyzed hundreds of thousands of malware files)
    • what people say about the file on security related websites (our Gossip Rating technology to detect rogue/fake AV products)
    So it is in fact an intelligent malware detection system based on association mining. Each relation/reference and static property of a file will make its score go up or down. In the end, legitimate files have a very low score, bad files always have a high score. This way Hitman Pro 3.x does not have to consult the Scan Cloud for every file on a computer and also prevents false positives. False positives are uncommon with Hitman Pro 3.x anyway: before a file is targeted for removal, the score of a file must be above the threshold, its hash signature and authenticode certificate not on our on-board whitelist, not known as safe in our cloud and marked as bad by one of the partners in the cloud.

    The Early Warning Scoring (EWS) are some extra logic rules that uses the intelligence gathered by the Behavioral Scan. EWS is meant to help somewhat experienced users to remove 0-day malware (suspicious files that none of the cloud partners could yet identify). For example, files with typical rootkit behavior will always show up in Hitman Pro 3.x, whether the Scan Cloud is or is not available or identifies it or not.
     
    Last edited: Jul 27, 2009
  14. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Thanks for the information - it was a great source of knowledge. ;)

    Is v3 just the first step and will you evolve this product to an advanced real-time protection kind of software in the future?
     
  15. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    We are (again) working on some new ideas, but I won't go into the details of these innovations at this moment. All I can say is: just stay tuned :)
     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Sorry, I don't recall that you've written that - was it in this very thread? :D
     
  17. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Thanks Mark and Erik for your most enlightening posts. :thumb:

    It'd be great to see this develop into a full-blown, real-time AM.
     
  18. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    627
    Seemed totally clean.
     
  19. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Thanks for the testing and response ako.
     
Loading...
Thread Status:
Not open for further replies.