How good is Prevx1r, really?

Discussion in 'other anti-malware software' started by spindoctor, May 22, 2006.

Thread Status:
Not open for further replies.
  1. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    Hi Frank,

    We have no issue with anybody testing Prevx1 against any other AV/AS/HIPS products. All we ask is that all testing is done with a fully active internet connection. We're more than happy to work with you through this process, so feel free to drop me a Private Message with your email and we can pick-up directly.

    Regards,

    ghiser1
    Prevx Security Architect

     
  2. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Has there been a recent change in the Prevx1R policy?
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, I've noticed that even in "expert mode" PrevX will not notify you about certain behaviour, strange to say the least. :rolleyes:
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    That's the problem though, isn't it. The fact is when you are fighting infection you normally want to get offline pronto, before more rubbish gets loaded onto the system and stuff gets sent 'home'. With Prevx you can't pull the plug out of the wall and get the full protection of the 'community' database.

    It's all very well to say Prevx can remove all the crud that gets in, but I remain highly sceptical whether ANY scanner can get rid of some of the deeply entrenched junk we see today. That is why specialist tools are constantly having to be produced, and updated, to counter specific threats.

    So I'm not sure whether you can ever have a 'fair' test of Prevx with the conditions being imposed. Maybe that's why Prevx is not being recommended as part of the clean-up operation at anti-spyware Forums? Perhaps someone with actual experience using Prevx to clean machines could comment?

    I'm certainly not suggesting Prevx is not a good app, it's just that I would rather hear independent opinion than sales pitch.
     
  5. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    The question was with regards to normal AV testing by, say, AV-Comparatives; in such a test scenario nobody is talking about fighting infection, the question is merely malware *detection* before it gets going.

    I don't see any advantage to PrevX having online access to its database, UNLESS in some far-fetched scenario they know which computer is carrying out the test, and have their human analysts stand by and give special treatment to the samples going from that computer (or just fudge their online heuristics to flag every sample as malware).

    The problem I see with doing the whole AV-Comparatives thing is that there is no "Scan" function in PrevX, so if you want to test it, you have to manually execute every file and see if PrevX recognises it. I did my own totally informal test, executing basically dialers pushed on crack sites, and PrevX nagged every one of them, as did the standard AVs of course.


    With all due respect, this sounds like the typical self-justification of a HJT analyst who is afraid that he will be out of a "job". No one is saying that Prevx1 will nab everything or cure everything. I think of PrevX as a system where there are thousands of users sending HJT reports to a centralized database; using expert systems, they identify which ones are fishy, and let the human experts (the equivalent of HJT log readers) take a closer look and analyse them further.

    The system is not perfect, but nothing is. As I see it, the current HJT log reading process is a less formalized version of this: you have less skilled analysts looking at logs, and when they spot anything new or changed that becomes difficult to handle they consult the really skilled analysts, who figure out how to handle it and then instruct the lower techs.



    Again I think your self-serving bias betrays you. In the post above, the question was about PrevX being tested like a typical AV; in AV-Comparatives, such tests do not typically test removal ability, just detection.



    I have no idea if PrevX is better or worse than a typical antispyware or antivirus at removal. If forced to guess, I would wildly say it might be about the same. But that is not earth shaking news really, that some of the toughest strains are hard to remove by automated tools! At least until the updates come in.

    I don't understand why Topper seems to be so harsh on PrevX compared to other AV or AS which also claim to remove malware. Why are such products not considered a threat to HJT analysts?
     
  6. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Hi DA

    Just a small FYI - Prevx1 has a scan function these days
     
  7. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Thanks Vikorr, must have missed it. I didn't realise you could choose custom areas to scan. So test away! :)
     
  8. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    If you've got Prevx1, the scan function is under the Advanced tab, top left hand corner, under 'tasks'. You can choose between smart scan/full scan/custom scan.
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Prevx claims to be able to clean out infected machines, not merely prevent infection.
    This is a feature that Prevx touts very loudly, and it doesn't work offline.
    Then why defend something you admit you have no knowledge of?
    In post #6 ghiser1 wrote:-
    In post #11 he wrote:-
    Statements like these invite criticism; it is placing the product in the same category as 'rogue scanners' to infer that Prevx can remove the most stubborn malware when there must surely be plenty of stuff it cannot remove.
     
  10. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Do you mean warnings like this?

    Gerard
     

    Attached Files: ui.gif
  11. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Dear Topper, selective quoting is beneath you, my friend.

    Yes, but in the context, Prevx was giving permission for AV-Comparatives tests. And that form of detection test is by far the most common as compared to removal tests anyway.

    I can understand why you jumped to conclusions though.

    Nice of you to state a tautology; of course access to an online database doesn't work offline! The claim, however, that access to online databases makes the test unfair is of course wrong ....

    Here's the full quote again for those interested to see the context

    I believe you were not talking about AV tests. But even in this context, whether the info is "online" or not is irrelevant; what you are doubting is the effectiveness of the removal process, something you believe only possible by human analysis. I don't know if I disagree, but surely you agree that whether the info is online or off is irrelevant.


    Let's look at the statements shall we?

    How is this different from someone saying that if you get infected an antivirus can remove the malware?
    If this isn't true, why then do the people at CastleCops, for example, recommend you scan with automated antivirus like Trend, Bitdefender, Ad-aware, Ewido etc. first? Isn't that a recognition that in most cases these automated solutions will help? Is PrevX all that different?


    Want to bet that if you ask the same question of legitimate scanners like Ewido, Ad-aware etc., they will give the same line? Does that make them rogue scanners?

    Besides, are you sure someone claiming that they can remove most malware is a rogue scanner? Are you serious? The last time I looked at the criteria for rogue scanners, I didn't see one criterion that says "If they claim they can remove most malware using automated means they are rogue!" Is that a new one that will be up soon?

    Also, why then do I note that on, say, the CastleCops wiki for malware removal they recommend people go through automated cleaning first (through Ewido, Ad-aware, Trend etc.)? Isn't this a sign of faith that most problems can be resolved by that first?

    Does that make Ewido, Ad-aware etc 'rogue scanners'?

    Why then are you ripping apart something you have no knowledge of, since as you claim you haven't tested it? Besides, in the context of my remarks I was talking about AV tests for detection....

    My friend, I hate to say this, but are you sure you are being objective here ripping apart Prevx, when most other antiviruses and antispyware make the same claims?
     
    Last edited: Jun 9, 2006
  12. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    To state that the 'community' feature does not work offline is not tautological - perhaps you could check the meaning in a dictionary!
    No need to bet on it, just point me to the thread in the Ewido section where employees of the company have made extravagant claims like these.
    In the quote given, they are not claiming to remove "most malware", they are claiming to remove "the most stubborn classes of malware after the fact" which is a very different proposition and is likely to be misleading.
    That is the point though isn't it? They never recommend downloading a trial of Prevx to scan with - yet if Prevx could really "remove the most stubborn classes of malware after the fact" they surely would make such a recommendation and save everyone a lot of bother!
    There is no ripping but there has been a lot of sales spin and since this thread is supposed to be about the pros and cons of Prevx we are entitled to discuss possible cons. One con I see is that we have to be online to gain full benefit of the product and I consider that as a potential disadvantage.
     
  13. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Okay you are right, you have convinced me that Prevx1 should be placed as you say within the categories of rogue scanners!

    Time to get the team of Eric L. Howes and company to take a closer look at this product...... :)
     
  14. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Prevx1 has only been going just under a year? Its removal capabilities have been around much less (it used to only 'Jail' malware). I doubt that a moderator at a security forum is going to recommend to people (who need malware removed) a program that to them will still be an unknown quantity.

    There is no problem at all being cynical about the malware removal capabilities of new security programs....but cynicism doesn't mean that your views are right (or wrong)...it just means you have cynicism...no more, no less.

    However, to call a program a rogue without knowing whether your opinion is right or wrong is just silly.

    It may be that what the staff of Prevx claim is correct, it may be that they are wrong. Only time will tell.

    Given that it's basically a new method of detection and classification of malware...their detection methodology 'may' (or may not) also lead to better removal methodology.

    As for other objections - like the one about Prevx1 requiring a constantly-on internet connection - most computers on broadband download at (guessing) 1.5mb/sec? Some even faster...I doubt most people would even have time to pull the plug before malware downloads (especially given that it's likely to take a second or two to think 'hang on...I haven't gone to a new web page, and I'm not downloading anything')...and then much malware comes through email, or internet-downloaded programs (so you're not going to know that it's malware downloading...if that's what it is)...so I think that you lose almost nothing by having a security product constantly online.

    In the end, personally I think Prevx's constant connection is very worthwhile.
     
    Last edited: Jun 10, 2006
  15. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    881
    Location:
    Virginia, USA

    Well the key here is that ghiser1 and the Prevx dudes seem willing enough to put their product to a test if the test is set up in a way that allows Prevx to compete on equal ground. No problem with that.

    As far as working with me through the process.....:p :eek: :rolleyes: :D :cool: .... I've just barely gotten to the point that I can read these forums and understand what the heck people are talking about... much less attempt to test software.... although ironically, I work for an organization that has 'tools' that can get through most computer security defenses...

    The security community needs to get a good test going of the non-traditional AVs.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I consider Prevx to be the best HIPS for the average user. At least when you are connected it will tell you the details of any malware/suspicious programme (while other HIPS will just tell you the name -- xyz is trying to do this, this, ... and most people don't know what this xyz is - their own OS or some malware) and when you are offline it will work like any other HIPS. So in this regard it is far superior to other HIPS. Also it scans your PC on install and no learning mode is needed. Moreover they also claim to remove malware while other HIPS mostly just block the malware rather than removing it.
    I think it's a nice add-on.
     
  17. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    Hi TopperID,

    That's an excellent point and one we've thought of. Remember that Prevx1 is also an outbound firewall. For this reason, when we begin cleanup, we automatically block all network connections until clean up completes.

    In essence, you're online to the Prevx database, but you're off the net as far as the malware is concerned.

    Regards,

    ghiser1

     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ gerardwil

    Yes I mean warnings like that. I thought that in expert mode you would get alerts about all possible dangerous behavior, but that does not seem to be the case. And another thing I've noticed: Prevx1 seems to have the same quite serious bug that KAV also has, it can not always stop a driver from running even when you click on "do not run". You can test this yourself when running IceSword.
     
  19. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Out of curiosity, when you tested this, was IceSword already installed?
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, if I'm correct you don't have to install IceSword; when you run it, it will try to load a driver and that's it. And Prevx1 will alert me about this (so it knows this driver might be dangerous) but it can't stop the driver from loading, a major bug if you ask me. :rolleyes:
     
  21. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Ah, so it's a little like Rootkit Revealer in that respect. Thanks for the info.
     
  22. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    IceSword does not unload the driver from a previous run - so if you allow it once and then try to block it, it will still work.

    Had this problem with DefenseWall and PG - the driver was already in memory.

    Could this be the case?
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ starfish_001

    You can test it yourself: IceSword does not install a driver, so after reboot the driver is gone. So every time I start up IS, a HIPS will and should notify me about the IS driver wanting to run. For example ZA Pro, SSM and ProSecurity (the last one with troubles) are all able to stop the driver from loading, but Prevx1 and KAV 6 can't. I have already pointed this out on the KAV forum, and at least one person confirmed this problem, but so far no fix.
     
  24. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    Fair enough - not tried it with Prevx - only PG and DefenseWall.
     
  25. RadicalEdward

    RadicalEdward Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    64
    Don't suppose we might be seeing any freeware versions of Prevx1 down the road.....
     