How good is Prevx1r, really?

Discussion in 'other anti-malware software' started by spindoctor, May 22, 2006.

Thread Status:
Not open for further replies.
  1. spindoctor

    spindoctor Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    83
    Is Prevx1r a good enough replacement for programs like ProcessGuard (free or pay) and RegDefend?

    Is Prevx1's reg defense on par with RegDefend or can Prevx1's reg defense be disabled and replaced with RegDefend, if it's better?

    Would Prevx1r be able to effectively replace the realtime protection of programs like WinPatrol, Tea Timer, MS Defender, Pest Patrol and SpywareGuard combined?

    How about programs like SpywareDoctor and SpySweeper? Could it replace their realtime protection?

    I guess I'm looking to find out how good this program really is as a stand alone defense against malware and if it can be used successfully to eliminate most of the aformentioned security programs.

    Thanks for any sage advice.
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Opinions aside, Prevx1 does many of the same things, as well as many things those don't cover. Although those offer some additional configurability, what Prevx1 covers is based on the malware seen in the community and can be updated to cover new areas very quickly. It currently covers around 200 areas, although most of those will not show you prompts.

    It functions similarly, blocking the request rather than showing you changes that have already been made. Other than that, I would say that "better" is quite subjective, however Prevx1 does cover quite a bit of registry areas. If you have the family license, you can fully customize the settings in Prevx1, but that is not available in the "R" version.

    Many of those apps overlap very heavily. I would say it's safe to say that the behavior blocking/detecting is very similar, however the signatures are a bit different. It's a live database online, so it's accessed in realtime instead of downloading updates. The community database automatically blocked 76% of unknown malware without signatures this month (basically heuristically and generically), and then we add several hundred, often into the thousands, manually every day. As to comparing it with others; since we do overall malware intelligence internet-wide, we do keep tabs on what we're detecting compared to others, and of the things that we detect, the next best only detected about 40%, with antispyware apps in the teens. As far as what is in the database; we cover pretty much everything. Prevx1 is an overall anti-malware, and the way it all works means that we don't have to prioritize. Everyone is going to detect a little differently, but that is what we are seeing, so hopefully that gives you an idea of where Prevx1 stands.

    When it comes to replacing anything, Prevx1 is tested with as many apps as possible, so you don't have to replace anything if you don't want to. I personally like to run it with NOD32, Look'n'Stop firewall, and other things in rotation. With that said, however, if you run it alongside 5-10+ other apps it's very likely that you will start to see slowdowns and/or compatibility problems. Prevx1 does cover a lot of ground, so there's going to be overlap with just about anything, but as long as you keep that overlap to a minimum you should be all right. There aren't a lot of programs that it conflicts with, mostly just sandboxing apps that use the same kinds of drivers, but you didn't mention any of those :) The last thing that I will add is that although it's tempting to use Expert mode when moving from apps like you mentioned to Prevx1, it is highly recommended that you use ABC or Pro mode instead. It's much less "noisy" that way, which actually increases your security just by not desensitizing you to the alerts. Expert mode is good for creating custom alerts or troubleshooting (if you think you may be infected), but is not meant for everyday use.

    For more opinions and experiences, you might just search the forum for "Prevx", there have been a few threads. I'm sure others will be along shortly as well.
     
    Last edited: May 23, 2006
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I'm doubtful. When I tried it, you couldn't selectively disable portions of Prevx1's security. It just has three presets: ABC, Pro, and Expert.
    With all Prevx covers, I believe it could.
    IIRC Prevx does use some form of signatures, so that helps it compete with antispyware products.

    Overall I think you should try Prevx1 to see how it works on your comp and how much it fits your needs.
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    What happens if you are offline when you execute a file that turns out to be bad? The scanners with sig databases may help, but presumably Prevx's sig capabilities will be of no use in this situation. o_O
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It does now download signatures and heuristic rules, but if you're offline and something is completely unknown it will still function as a behavior blocker.
     
  6. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    In this case, Prevx1 and Prevx1R will act in exactly the same way as they would if you had been online and the database had returned "Unknown" - that is, it would ask you whether you wished to execute that program.

    Now clearly you could get it wrong and you could let this "bad" program run. Now, while it's running, Prevx1 will be tracking what this program does in terms of breaking the heuristics rules. If you're running in Pro or Expert mode you will be asked to approve many of them as a behaviour blocker - like Notok says. So if you know what you're doing you may be able to block some aspects of the attack - and you can terminate the process in response to any of those behavioural questions. But, as the statistics from Prevx Home/Pro proved, 50% of users get these questions wrong and allow Bad things to happen rather than risk breaking their PC.

    Now, the important part is what happens when you go back online. At this point, Prevx1 will report the behavioural triggers that this "bad" program has performed back to the Prevx database. If this program is known to be Bad in the central database, the very first trigger reported will return a Bad marking for the program. At this point, Prevx1R will immediately terminate that program (if running), detain the program in the holding cell and cleanup can begin. If the program is currently marked "Unknown" in the central database any one of the behavioural triggers reported may make the database make up its mind that this process is Bad - once again it will be terminated and detained and cleanup can begin.

    So, the bottom line is, if you're offline and you choose to run an "unknown" program that turns out to be Bad, that program will be hosed by Prevx1 as soon as you go back online.

    Compare this with traditional AV where you could have a bit of malware for months before they put out a signature update for it. To put this into perspective, here are a few myths about AV (and AS for that matter) we detail on our web-site:

    My weekly scan was clean I cannot be infected.
    A clean scan is no guarantee that your PC has not been infected. The scan only searches for infections known to the vendor. New infections and variants of old infections may not be seen by your vendor for weeks or even months. During this time you are not protected.

    My PC was infected this week. It must have happened in the last few days.
    If your scan detects an infection you cannot assume it only hit your PC since the last clean scan. The truth is it could have been on your PC for weeks or even months. The only difference this week is that your security vendor added its details to the signature database used for the scan.

    My security vendor hasn't issued any warnings I must be safe.
    Vendors can only inform you of new threats that they know about. There are hundreds of bad programs that emerge every day. Some are brand new infections, others are variants of older infections.

    For the average user, they are not interested in knowing or approving each potentially damaging action by an individual program. What they care about is "Is this program Malware?" If it is, it should be hosed. If it isn't it should be allowed to do everything that its designers intended it to do - else it will likely malfunction and cause accidental damage. This is the beauty of ABC mode in Prevx1 - it's simple. Everybody knows that with traditional AV somebody has to get infected before the vendors can get their hands on the malware. This will always be the same for some malware types. Prevx is no different in this regard. The power of Prevx1 is the community. With the community in place 76% of all malware can be detected and hosed immediately. You may be unlucky and be the poor guy who gets the first infection (which you allow to run), but at least with Prevx1 you get protected as soon as the database determines it to be Bad. Unlike traditional AV where it could be months.

    In recent releases we've started to move some of the central DB heuristics down to the desktop - this means that in some cases Prevx1 will automatically determine some programs as Bad even when offline :thumb:

    Your call as to what you deploy, but personally I run this for security:

    Prevx1
    Windows Firewall (for inbound when roaming on dialup)
    Firewalled NAT router (for inbound when connected over broadband)
    Common Sense

    Hope this helps,

    ghiser1
    Prevx Security Architect
     
  7. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    Hello,

    Do I understand it well that Prevx works like this: when I o.k. an unknown program on my PC, this will be put directly in the community database as trusted. If this is so, the community database can be influenced. I mean this: (suppose I am one of those hacker types and I'm running Prevx on my PC) I know I have a malicious program on my PC and I give this malicious program an o.k., thus it enters your community database as trusted. How do you cope with this? o_O
     
    Last edited: May 24, 2006
  8. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    No, it doesn't work like that at all. When you o.k. an unknown program on your PC it is allowed to run on your PC only - that's it, end of story. If somebody else sees the same program, they have to approve it on their PC too before it can run. The database now knows it's been on two PCs and it keeps track of this. As more and more people see the same program, its distribution, behaviour and speed of propagation are tracked by the central database.

    We have a kind of radar that tracks emerging programs in real time so we can see at a glance programs that are propagating quickly or have malware-like behaviours. This guides our analysts to look at programs that are affecting the community the most. Only our database heuristics and our analysts can change the status of a program from Unknown to Trusted.

    Nobody outside of Prevx can influence the status of a program.
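    The two rules ghiser1 lays out (an "OK" is local to one PC and only adds to the program's distribution count; an offline client queues what it sees and acts on the verdict when it reconnects, as in his earlier post) as a small Python model. This is an added example, not Prevx's code; the class names and the process-injection threshold are invented for illustration.

```python
# Constructed model of the community flow ghiser1 describes above (not Prevx
# code; every class, rule and threshold is an assumption): a user's "OK" allows
# an Unknown program on that PC only and the database merely records which PCs
# saw it; only its heuristics or an analyst change a status; an offline client
# queues the triggers it sees and acts on the verdict when it reconnects.
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    UNKNOWN = "Unknown"
    TRUSTED = "Trusted"
    BAD = "Bad"


class CentralDatabase:
    # Assumed heuristic: process injection reported from 2+ distinct PCs => Bad.
    AUTO_BAD_TRIGGER = "process_injection"
    AUTO_BAD_MIN_PCS = 2

    def __init__(self):
        self.status = defaultdict(lambda: Status.UNKNOWN)
        self.seen_on = defaultdict(set)    # sha -> PC ids that have seen it
        self.triggers = defaultdict(list)  # sha -> [(pc_id, trigger), ...]

    def lookup(self, sha, pc_id):
        self.seen_on[sha].add(pc_id)       # a query only adds to distribution
        return self.status[sha]

    def report_trigger(self, sha, pc_id, trigger):
        self.seen_on[sha].add(pc_id)
        self.triggers[sha].append((pc_id, trigger))
        injecting = {p for p, t in self.triggers[sha] if t == self.AUTO_BAD_TRIGGER}
        if self.status[sha] is Status.UNKNOWN and len(injecting) >= self.AUTO_BAD_MIN_PCS:
            self.status[sha] = Status.BAD
        return self.status[sha]

    def analyst_mark(self, sha, status):
        self.status[sha] = status          # the only other path that changes status


@dataclass
class Client:
    pc_id: str
    db: CentralDatabase
    online: bool = True
    local_allow: set = field(default_factory=set)  # user OKs, never uploaded
    running: set = field(default_factory=set)
    detained: set = field(default_factory=set)
    pending: list = field(default_factory=list)    # triggers queued offline

    def execute(self, sha, user_approves):
        """True if the program is allowed to start on this PC."""
        verdict = self.db.lookup(sha, self.pc_id) if self.online else Status.UNKNOWN
        if verdict is Status.BAD:
            self.detained.add(sha)
            return False
        if verdict is Status.UNKNOWN:
            if not user_approves:
                return False
            self.local_allow.add(sha)
        self.running.add(sha)
        return True

    def observe(self, sha, trigger):
        """Behaviour blocker sees a running program trip a heuristic rule."""
        if self.online:
            self._apply(sha, self.db.report_trigger(sha, self.pc_id, trigger))
        else:
            self.pending.append((sha, trigger))

    def go_online(self):
        """Reconnect and flush queued triggers; a Bad verdict acts immediately."""
        self.online = True
        while self.pending:
            sha, trigger = self.pending.pop(0)
            self._apply(sha, self.db.report_trigger(sha, self.pc_id, trigger))

    def _apply(self, sha, verdict):
        if verdict is Status.BAD:
            self.running.discard(sha)  # terminate if running ...
            self.detained.add(sha)     # ... and hold it for cleanup
```

    Note that the second PC still has to approve the program itself, and its own trigger report is what carries the first PC's queued verdict back to it.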
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    By which time it will have loaded its .dll into important system files, written to the Registry and otherwise installed itself. By the time you get back online it will be problematic as to whether Prevx can 'hose' it at all. Aside from the behaviour blocking features, which are found in other products in any case, surely the online database is likely to be less value in this situation than a traditional scanner with its own, regularly updated, Sig database?
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    The new version with cleanup abilities has not had any problems in removing any of these kinds of things, although it does often require a reboot, and once in a while you'll have to run it more than once. A good example is SpyFalcon, which most other anti-malware programs have had trouble with. We continue to receive many compliments on the ability of Prevx1 to remove this completely. Another example is vmmswm.exe. This file hides itself quite well and injects DLLs into every process that it can, which it uses to resurrect itself if not removed properly. It also has polymorphic components, but we have had great success in removing these things without much trouble. This also includes stealth keyloggers and rootkits (running). IF you know what you're doing, you can test this with hacker defender. Just shut down Prevx1, install hacker defender, then just run Prevx1 again and it will pick it up and remove it when it does the initial analysis of running programs, then it will remove any remnants in the subsequent scan.

    Of course there may be things that go undetected, as with anything that identifies malware specifically, but the ability to keep the heuristic rules locally (and I still believe at least some signatures), combined with the heuristic capability of the cleanup routine and the behavior blocking (this is the kind of situation Expert mode is made for, if you're an advanced user) still provide some benefit over the traditional solutions in many ways. Remember that these heuristic rules are blocking 76%+ of the malware that we see automatically, where the AVs are stopping less than 40% of the same stuff. Consider that in less than a year we've gotten detection rates up there along with, and sometimes better than, the AV companies that have been doing this for years, and there's only a few of us in research. Just one of these rules caught the entire class of Tibick worms (we've seen thousands), for example, where others had to release several updates. These capabilities are only growing, and there are some pretty cool things in the pipeline for detecting malware heuristically and generically. Of course, if anyone ever does have problems cleaning something up, support can always help, and we can usually get it sorted out fairly quickly.

    Of course the point remains that if you wish you can still use Prevx1 alongside your AV, AT, and/or AS.
     
    Last edited: May 24, 2006
  11. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    As Notok has said, we've not had any problems removing the most stubborn classes of malware after the fact - actually 50% of the new Prevx1 users we see each day already have pre-existing infections before we are installed. Obviously, prevention is always better than cure when it comes to malware, and you are quite right that when you are offline a regularly updated signature database of known malware is extremely helpful. It is exactly for the offline case that Prevx1 holds a copy of the most common 50,000 or so malware items at all times. Whenever Prevx1 updates itself it loads the latest software, heuristics AND signatures - you may have seen it "Building local database..." as it starts up; that's the latest malware signatures being installed.

    So, in the worst case scenario (when you're offline) we're just like your good-old AV, apart from the fact that we see more malware, we see it faster and so protect you better.

    Notok has mentioned the performance of other AV/AS products compared with Prevx1 a couple of times, but I'd just like to make it a little clearer. Each week we test the latest malware that Prevx1 has discovered against the top-10 AV/AS products to see what percentage they detect. The results are not good for them - I will not name names to protect the guilty. What we are seeing in these weekly tests is that the best of these products detects not 90%, not 80%, not 70% but 63% of the malware detected by Prevx1 - that's right, just over half, and they're the best. The average is just over 40%. The worst scores just 11% - to be fair, that's an AS product that doesn't claim to deal with traditional AV. However, if you take ALL top-10 products and install them on the same machine (which even the most paranoid wouldn't do) they collectively score greater than 90% - which means that 1 or more security vendors agree with Prevx1's view that the file is malware. What is worse is each week the vendor scores are trending down - so they are getting worse, not better.

    Now eventually all the files marked Bad by Prevx1 in a given week are detected by the other products, but the time it takes them is worryingly long. We have malware that Prevx1 detected on its day 1 - Jul 15 2005 - and some of the top-10 AV/AS products still don't detect them - though most of them now do. In many cases, it's weeks or months before malware is detected by these products.

    Now also, bear in mind the size of the user-base of these products. At the moment Prevx1 has around 250,000 users. So we're beating the best of the rest with the intelligence from these few users - the bigger the community gets, the faster we are detecting malware. 99% of the malware we detect is marked Bad within 24 hours of the very first time we ever see it, and 76% on the very first time we see it. The moment we have marked it Bad, the community is protected.
     
  12. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Nice PR job boys, but this all sounds a little bit too good to be true. I mean, what is the point of going to a spyware cleaning Forum, and jumping through quite a few hoops, if all you have to do is install Prevx and all your problems will be solved?
    We know all about these figures, some testers are not so shy about naming the guilty:-

    http://spywarewarrior.com/viewtopic...&start=0&sid=6ccd8bee78d3977d590a9f10c788ef39
    Yes, and I'm willing to bet that if the top scanners tested their weekly malware findings against Prevx, the Prevx results would not be nearly so good as the picture you paint. How can you test your own database against other scanners and expect to get meaningful results?

    There is an old saying that if something is too good to be true then it usually is too good to be true - I need to see independent and reliable test results before I can believe all this hype.
     
  13. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    That's a great point TopperID. Nobody can say they have 100% of all malware - it simply isn't possible. I'm sure there are malware items being detected by other products that we don't currently know about, and we wouldn't pretend otherwise. After all, we will only know about the malware that our community of users see - which are presumably the most common out there. Our point is that when we do see new malware (new to us that is - and possibly other vendors) we respond to it in a manner which traditional AV can't hope to keep up with. And, of course, the more users we get to join the community, the more malware we will see.

    We're not saying we have a magic bullet here, just a better one. "Too good to be true..." - isn't that what they said about Viagra :D The truth is in many cases installing Prevx1 is all you need to do to clean up some pretty nasty infections.

    We're more than happy for anybody to test Prevx1 against their own malware samples, and we'd be pleased for any feedback on things we miss.
     
  14. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    I am not trying to put anyone on the spot here, but could someone like 'Notok' or 'ghiser1' comment on this http://www.dslreports.com/forum/remark,16150798. I was intrigued by this new service offered by 'Prevx' until reading the comments in this thread. Do you feel the comments are inaccurate, or agree that this service is a beginning and still needs much improving? Thank you.
     
    Last edited by a moderator: May 25, 2006
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It is agreed that the much vaunted online database of Prevx is not going to be available to those fighting infection offline (as will often be the case) and in these circumstances consumers will have a clear choice: either they can use Prevx with its 50,000 sigs, or they can use ewido (for example) with its 333,000 sigs.

    Leaving aside the arguments as to how you calculate sig numbers, and pending any objective tests as to the relative merits of the respective clean-up capabilities, I know which I would choose.

    Behaviour blocking is another issue of course and there are a variety of alternatives available.
     
  16. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    There are a number of HJT analysis sites available:-

    http://www.hijackthis.de/index.php?langselect=english

    http://hjt.networktechs.com/

    http://www.help2go.com/component/detective/

    http://www.spywareguide.com/contribute/parser.php

    However the author of HJT has himself expressed disapproval of reliance on such things as they lead to false positives and false negatives.

    A2 has its own HiJackFree, which offers analysis of a similar type to HJT. I am very sceptical as to how useful the Prevx version will be for the ordinary user.

    However, judging from the tone of the rest of this thread, the Prevx HJT analysis site should be entirely redundant, because we are being led to believe that Prevx is a panacea for malware removal, so that no user of Prevx should ever need to use such a site. :D :D :D
     
    Last edited: May 25, 2006
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    tobacco: It's essentially an online scanner that offers you a little more flexibility in what you can do and operates much faster. It returns results in the form of "You're infected with trojan-x", and then gives you a link to everything we know about it. If you're an advanced user you can use that to disinfect yourself, or you can send the log to us or a dedicated HJT analyzer. It's not meant as a replacement for a proper HJT log analysis (or anything, really), whether we do it or someone else. It is indeed still in the very early stages, so in some respects it may be best to treat it as beta, although I think the bulk of what it needs is disclaimers. It's also going to be prone to the disadvantages inherent to detecting solely by file name and path, and won't have the same kinds of heuristics, but it is still there for all to use as they see fit. I don't see it as useless at all; I think if you think about it there are plenty of ways that it could actually lend a little help.

    Regarding cleanup, I would really encourage you to give it a try. The cleanup has heuristic capability to remove things that it doesn't specifically detect, plus the heuristic rules are nothing to scoff at; they catch most of the malware we detect, and the sigs that you do download are based on what we see the most. No, it's not perfect (Prevx1 or the online tool), and we never intended to insinuate otherwise, but to the question as to whether Prevx1 is worth it or not; we do cover quite a bit of things that the others do not, and our cleanup is removing a lot of things that people are really having problems with. Whether you take that to mean that it's worth running alongside something else, or by itself, is completely up to you. If you'd like I can even take a screencast of Prevx1 removing hacker defender and post it to my personal webspace. Hopefully the time I've been around here will give some confidence that I'm not going to try to pull any tricks. Testing the cleanup ability has been my (personal) primary focus for the past couple weeks, and the results have shown. For the rest, just give us a holler, we're there to help and do our utmost to be as prompt as possible; someone is around more often than not, especially with how many nights I log in to help just because I enjoy it :)
     
    Last edited: May 29, 2006
  18. spindoctor

    spindoctor Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    83
    Wow, this discussion really took off, not that I mind. Just wanted to say thanks to everyone who responded to my original questions. :)
     
  19. skylights

    skylights Registered Member

    Joined:
    Jun 3, 2006
    Posts:
    42
    Am I right that Prevx1 doesn't have an inbound firewall function? Would it be unwise to run Prevx1 without also running an inbound firewall?
     
  20. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Yes, Prevx only protects against outbound connections. You should run either a software or hardware router for protection against inbound attacks.
     
  21. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    Prevx1 has got my attention.

    Is Prevx or has Prevx been tested independently by somebody like AV-Comparatives?
     
  22. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Personally I think community IPS are the way of the future...simple logic dictates that Prevx's method of detection should lead to a quicker response time.

    I haven't seen Prevx1 in any comparison (like AV comparatives does), but I would certainly like to see Prevx offer their product to them for testing.

    If I'm right, the one area that Prevx1 will fail in, is in the detection of the traditional virus (as opposed to worms, trojans, spyware etc)....but I could be wrong on this score (just haven't seen anything that suggests they cover the traditional virus)

    I've had Prevx on my system since before Prevx1...'unfortunately' (not really) I haven't had any infections on my machine in that time (I run enough ondemand scanners too), so I can't truly comment on its detection capability...just that its detection method seems to be probably one of the very best.
     
  23. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    So are you Prevx people willing to be tested by AV-Comparatives and similar?
     
  24. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Well, IF I'm right about Prevx1 and the traditional virus...then one of the problems with allowing AV comparatives to run a test on Prevx1 would be the end result...they could score 99.99% on all backdoors/trojans/worms etc...but get 5-15% on the traditional virus...and still end up with an overall score of just (guessing) 17%...which would be a very misleading result, and a very bad marketing move.

    (the result would end up around 17% or so because of the sheer number of traditional viruses that AV Comparatives uses...as compared to trojans, worms, etc)

    Misleading because the traditional viruses don't get around much these days.
     
  25. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    Dear Prevx guys,

    Would it be appropriate to test Prevx with the AVs in AV-Comparatives?

    Will you consent to this?

    Are there other comparative tests available?

    I'm on the edge of buying your product, which makes intuitive sense to me. I just want a little more data...

    Thank you,

    -ftp
     