I think that Prevx has too many FPs.

Discussion in 'other anti-malware software' started by bonedriven, May 4, 2009.

Thread Status:
Not open for further replies.
  1. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Prevx detects viruses which no other vendors can. When I uploaded these "viruses" to Virustotal,the result often could be 1/41.

    Today I uploaded a "virus" detected by the updated Prevx CSI to VT,the result is "0/41".

    And in the Prevx's website,they also provide detailed virus information like what this virus do etc. So has this virus already been analyzed by them?

    I often heard that Avira has many FPs but to me it never gives a FP in my pc since version 8. But I seldom hear complaints about Prevx's FPs which is really strange to me.

    Now I'm the one who wants to complain that "Prevx has too many FPs." By the way,the GUI is not user friendly either.

    I like Prevx. But I hope you make it better.
     
  2. Dr33

    Dr33 Registered Member

    Joined:
    Jan 23, 2009
    Posts:
    103
    if they provide detail information :blink: for me seems they have analyzed it

    all products have FP

    if you never got Avira's FP is good , but keep in mind that many Prevx Costumers also never get any FP

    the GUI is under development and many more features are going to be implemented soon
     
  3. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Is this file under system32 a virus?
    File Behavior

    WLGPCLNT.DLL has been seen to perform the following behavior:

    * The Process is polymorphic and can change its structure

    WLGPCLNT.DLL has been the subject of the following behavior:

    * Created as a process on disk

    Country Of Origin

    The filename WLGPCLNT.DLL was first seen on May 5 2008 in the following geographical regions of the Prevx community:

    * The EUROPEAN UNION on May 5 2008
    * SPAIN on May 5 2008
    * CANADA on Nov 14 2008
    * KOREA, REPUBLIC OF on May 1 2009
    Vendor, Product and Version Information

    Files with the name WLGPCLNT.DLL have been seen to have the following Vendor, Product and Version Information in the file header:

    * Microsoft Corporation; 802.11 Group Policy Client; 6.0.6001.18000 (longhorn_rtm.080118-1840)
    * Microsoft Corporation; 802.11 Group Policy Client; 6.0.6002.16497

    File Type

    The filename WLGPCLNT.DLL is used by multiple object types including objects,Dynamic Link LIbrarie
     
  4. progress

    progress Guest

    I used Prevx about 2 weeks and I had 5 FPs, no problem for me so far. But ordinary Joe (my wife :D ) would ask all the time: Is it malware? Is it a virus? What have I done?

    I think a behavior blocker is the better choice for ordinary Joe :)
     
  5. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Wow... 5 on two weeks? That sounds like quite a lot... For the ordinary Joe I would rather install something that's completely automatic. If it wasn't for the FPs of Prevx, you could've set that to automatic operation in the settings.
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    If a product has serious FPs or interruption - then I avoid that product. As simple as that. FPs is not something you can live with all the time if you want everything to go smooth - therefore it leads to interruption.
     
  7. PrevxWebDesigner

    PrevxWebDesigner Former Prevx Moderator

    Joined:
    Nov 13, 2008
    Posts:
    89
    I'm sure PrevxHelp will be able to provide a much more detailed explanation, but you should be aware that VirusTotal is using a very much "stripped down" version of Prevx, with no behavioral analysis (probably Prevx's key strength), etc. Therefore VirusTotal results will be seen to create many more FP's compared to actually having Prevx 3.0 installed on your machine and coming across these same files.
     
  8. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    With any security program you install, you run a full scan, open up all your regular programs, fix/ignore any false positives, 20 minutes later, you're away to go.

    I don't see it as a big inconvenience. Some programs on the other hand, can be so silent, all sorts of malware gets through.

    The problem is the type of user. Us here, we're always testing out new, relatively unknown programs, so a small number of FPs are a given.
     
  9. PrevxWebDesigner

    PrevxWebDesigner Former Prevx Moderator

    Joined:
    Nov 13, 2008
    Posts:
    89
    Oh also...

    Feel free to send me a PM with any suggestions for improvements to the GUI, or reasons why you think it's not user-friendly, and I'll see what we can do :)
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello all,
    The engine at VirusTotal is significantly different from the one that the consumer product contains and therefore tends to generate more FPs. The reason behind this is that at VirusTotal, we don't have the ability to analyze behavior so we have to make a "best guess" about what the file does, and that causes a lower number of real detections and a higher number of FPs, just because it isn't as accurate as actually sitting on a user's computer and analyzing files as they come through.

    5 FPs in 2 weeks is extremely high - a vast majority of our users have never experienced a FP and I'd tend to expect they're all due to some underlying factor (maybe beta software or Windows 7?)

    If anyone has any FPs which are still detected, please send them to me via PM and I'll get them fixed ASAP :) Regarding WLGPCLNT.DLL, there are pieces of malware named WLGPCLNT.DLL so searching for that filename itself doesn't necessarily mean you're looking at the one you're looking for (if that makes sense :)). In another example, there are many infections named svchost.exe so a search to a Prevx Filename page would show that it could be malware, while it is also a system component.

    Hope that helps! As always, let me know if you have any other concerns, questions, etc.
     
  11. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    No,the result is that my Prevx CSI detected a "virus" while the Prevx on VT says "negative".
    I tried Prevx on Vista before and now use it on Windows 7.
    I usually get 2 or 3 FPs on my system from Prevx while Avira give none. And Avira saved me several times from real viruses.
    I didn't search for the file on Prevx. Prevx told me that wlgpclnt.dll under my system32 archive is a virus. I clicked the link for more detailed information. And I see those descriptions for the file. I uploaded it to VT and the result was 0/41.

    For the GUI:
    1. Too many clicks in settings.
    2. Too many steps when I want to quit Prevx from Real time monitor.
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We have been generating a few FPs on Windows 7 builds just because there is so much new data coming in and a lot of Microsoft components do perform suspicious actions. If you could send me a scan log (by clicking Tools > Save Scan Results) of any FPs you've experienced, I'll be able to correct them immediately and tell you why they've happened :)
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We're considering making it easier to disable the realtime protection, but this is a one-time-action which very few users ever use.

    What steps are you finding too numerous in the settings? Short of making the status screen a list of checkboxes, I'm not sure we can minimize it much further :D
     
  14. PrevxWebDesigner

    PrevxWebDesigner Former Prevx Moderator

    Joined:
    Nov 13, 2008
    Posts:
    89
    You can achieve this by right-clicking the system tray icon :)
     
  15. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Early days yet, but I have yet to see one FP in nearly 2 months of use.

    A lot will depend upon your software mix and the heuristic setting.

    Brings back memories of complaints of high FPs against Dr Web, VBA32 and Avira. I see/saw very few FPs with any of these AVs in years of use.
     
  16. webster

    webster Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    285
    Location:
    Denmark
    I don`t see many FP`s in Prevx. In fact i think heuristics just does what it is supposed to do. "Hey, check this out, it could be dangerous". That`s not FP`s in my opinion. Yes, you could remove many of these detections, but you would lose a lot of security.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've fixed the FP reported by bonedriven - it is a legitimate FP and it does indeed share many characteristics with a large group of infections, most likely because of the software protection they have on the program itself.

    I've checked the heuristic rule to see if there are any other similar FPs and there were a few (granted, they had only been seen by a small number of users). One of the triggers which set off this detection was an identification of remote code injection (process hijacking) which looks to be accidental because of the software protection but because of this and a handful of other factors including registering itself to load on bootup, modifying IE's memory/registering a BHO, and making some obscure outbound internet connections, we flagged it.

    This is one of the many cases where good software can really seem quite bad, and its very difficult to differentiate between them in some cases, which is the main reason why AVs generate FPs.

    Hope that helps clear up some of the confusion :)
     
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    It has no more then others.;)
     
  19. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Yes, I think the FPs could be lower. I get more than any AV I have had. I think they will continue to work on this, though.
     
  20. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Thanks for the quick response.

    An anti malware program that wants to detect those other AVs miss may certainly result in more FPs.

    I just want to let you know that there are unsatisfied customers when most of the sound comes from applause.
     
  21. Yoda1953

    Yoda1953 Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    162
    Location:
    Netherlands
    I've an insisting FP on Nirsoft's regscanner. It has stayed that way the last week.:thumbd:
     
  22. Nunes

    Nunes Registered Member

    Joined:
    Apr 4, 2006
    Posts:
    103
    Location:
    AMADORA,Portugal
    I don't think the number of FP's is an issue with Prevx.

    I think from my experience that it depends greatly on the frequency of new installations you do and what kind of software you install.

    There is quite a lot of software nowadays that have behavior of malware.

    My last example are the Nirsoft Utilities. There are quite a lot of them that trigger the warnings of Prevx what I fully understand why.

    Usually what I do is to exclude the files or folders involved.
     
  23. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    It does depend on the software involved, but Prevx can still do a better job of differentiating - in my experience.
     
  24. Yoda1953

    Yoda1953 Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    162
    Location:
    Netherlands
    Thanks for your reply.

    OK did so (exclude files)

    Can I reduce the FP's by other than default settings in Heuristics then?
     
  25. benton4

    benton4 Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    158
    Location:
    Oregon
    The reality is that there will always be someone somewhere not happy with a product. :( I have yet to have a FP. Great product, great support.
     
Loading...
Thread Status:
Not open for further replies.