I think that Prevx has too many FPs.

Discussion in 'other anti-malware software' started by bonedriven, May 4, 2009.

Thread Status:
Not open for further replies.
  1. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    FPs are sometimes the price you pay for high detection capability.

    A2 is about the best signature based scanner available, but it has a few FPs.

    In my experience, Prevx has fewer FPs than A2, but it's as good or sometimes better at catching new malware.

    I would rather have a couple of FPs, than have someone fleece my bank account!
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    you tell um Puss.;)
     
  3. Nunes

    Nunes Registered Member

    Joined:
    Apr 4, 2006
    Posts:
    103
    Location:
    AMADORA,Portugal
    I think you can reduce FPs by reducing heuristics strength.
     
  4. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I've still gotten too many with heuristics on medium. Just because some don't get FPs doesn't mean that others don't get an annoying number.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It really is dependent on the software you use. If you have any outstanding FPs, please send them to me (and if you're receiving recurring FPs from certain programs, let me know and I'll get the research team to write a rule to prevent them in the future).
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    A lot of NirSoft's software is sadly used by malware very frequently - if you would like, send me an email with a scan log (to the address I've PM'd you) and I'll see if we can do anything to prevent it but their software is more popularly seen from infections than from normal downloads :doubt:
     
  7. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I think mine have been fixed up to now. Good job on that! But will future versions be more "intelligent"?
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Without trying to sound cliché, we do try and please everyone if possible. I know some users complain about FPs, but really the entire volume of FPs is extremely low compared to everything else.

    If you have any other complaints, however, let me know and I'll see what I can do :)
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, we're working on new technology which runs alongside our behavior monitoring drivers that will allow us to much more clearly differentiate between good/bad software, reducing FPs and increasing detections.

    We're still 2-3 weeks away from having this completed, but from what our preliminary testing has shown, it will have a significant impact in both directions.
     
  10. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Great! Thanks for the info.
     
  11. Necropsie

    Necropsie Registered Member

    Joined:
    May 6, 2009
    Posts:
    31
    I have.. well let's see, 12 FPs in one week. I am a registered user and all of my settings are at recommended levels. So far, Prevx "caught":

    - idmmbc.dll (Internet Download Manager's dll file which is extremely dangerous according to Prevx's file info web page),
    - lbtwiz.exe (actually Logitech's bluetooth control panel, the funny thing is my keyboard and mouse were having weird problems for over a week, now i understand why),
    - rhttpaa.dll (Microsoft's http runtime),
    - agcpanelspanish.dll (Nvidia PhysX string table),
    - mscorjit.dll (Microsoft .NET compiler)
    - msonsext.dll (SharePoint Portal Server)
    - wmstream.dll (Windows Media Server)

    etc. etc... All of these were identified as "serious threats" according to Prevx's file info web pages. (Not now, they seem to have been reviewed again now.) So far, I am disappointed. I know real malware uses the same filenames too, but still, too many. I am getting "infections found" messages nearly every time I boot my computer.

    P.S. Sorry for the bad English, I am trying :)
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hmm... that volume seems like there is a file infector involved. I've PM'd you my email address - if you could send me a scan log, I'll be able to see why they're being found.
     
  13. Necropsie

    Necropsie Registered Member

    Joined:
    May 6, 2009
    Posts:
    31
    Scan log sent!
    I would like to add that I am also using Norton Internet Security 2009 and this was a newly formatted computer. (Actually I installed Windows XP one week ago, installed Prevx/NIS2009 the same day, only trusted software and only one game -which happens to be WoW- installed, and I really am a paranoid net user :)
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I've checked your log and only one of the files is an actual detection in the database and that looks to be a correct identification of malware (or at least riskware as it's found by 4 other vendors) (filename of patch.exe). o_O

    I can't see any FPs now but your log shows that you have overrides in place. Could you try removing them and running another scan? Chances are that the FPs were fixed automatically as I don't see any actual human interaction involved in these entries, however, we'll see once you scan :D

    Also, if you do believe that the patch.exe file is non-malicious, feel free to send it to me and I'll manually analyze it - at this point I've left it as being detected as it does look suspicious (but only 5 vendors find it so it's possible that it is actually clean).
     
  15. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    FPs are common for any new product until it is finely tuned in. Show me any new AV that did not have this issue at the start. Some oldies still do. Prevx 3.0 is coming along fine and in a short time, some of you are going to be amazed at what it has added. I agree that FPs can be dangerous, but a product has to have the ability to detect first, some don't, and then you work on the FPs afterwards.
     
  16. Necropsie

    Necropsie Registered Member

    Joined:
    May 6, 2009
    Posts:
    31
    Patch.exe is a no-cd patch for a game I legally own. Sure, will send it too.
    I am not sure what you mean by "I can't see any FPs now, only overrides". I'll try to explain a little more. Prevx gives me a huge warning about infections and shows the files I explained in my post. I right click on them and select "report this to prevx if you don't etc. etc." Then the files are automatically ignored.

    Will do a fresh scan after I remove them and inform you.

    Thanks for the answer, actually it is a very nice and kind thing to see a developer post. That was the first reason I chose Prevx.
     
  17. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Another problem is that Prevx's malware information is misleading when it comes to FPs. When it detects an FP unfortunately, it leads the user to the real malware information page. I think it is really really confusing.
     
  18. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I am now getting too many FPs too.
    I am programming in Delphi (Delphi 2007 to be exact), and every time I compile an exe and run it, it's flagged again, and I cannot even test the exe.
    This time, it gets flagged as Low Risk Adware...
    This is annoying. I am thinking of just ditching it.
     
  19. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    softtouch, I noticed emsisoft a-squared picked up a few of the programs listed on that freeware site you post to.

    I think it's best to report the Delphi programs as FPs to prevx and emsisoft, as ditching the software doesn't help other users using these security programs who might want to download your work.
     
  20. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I did report them to emsisoft... but they seem not to care.
    The problem is, every line of code added to a Delphi program makes the exe look different again, and it is again flagged.

    Every time I compile a Delphi program (and that is the whole day, I am programming in Delphi), I have to upload FPs to them. That takes more time than actually working on my projects. That's not a solution.

    The scanner can just not distinguish between normal functions and malware behavior in my opinion.

    If they see that you access the web, and download something and display it, it is flagged.

    Of course, some of my programs check for updates online, and inform the user if there is an update... and this is for some scanner "Adware behavior"...

    I think prevx is going crazy now...
    It's been saying "downloading disinfection files... please wait" for 15 minutes and nothing happens anymore...

    Also, I have a program (Delphi), with the filename bachresize.exe, which resizes images. It is not flagged, is clean. When I rename it to bir.exe (short for batch image resizer), it gets flagged immediately as "Low Risk Malware". When I rename it back, it works again...
    Don't tell me prevx flags files because of their filename and not because of what they are doing? o_O
     
    Last edited: May 7, 2009
  21. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    It gets better...

    I compiled an empty Delphi project (no code added) twice, one I created under the name bir.exe, the second under the name abc.exe.

    I then compared them with a hex editor, and they are binary identical, bit by bit.

    The bir.exe gets flagged as adware by prevx, the abc.exe not.

    What is going on with prevx? o_O
     
  22. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Appreciate your reply. Joe will be reading this thread shortly.

    I'll sign up and post your issue on the emsisoft forum (later on), as it's the scanner I'm using at the moment, and was interested in a few of those programs.

    Keep up the good work with the programming. Wish I had more brain power to do that. :thumb:
     
  23. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Thanks for your help with that.
    I can guarantee the freeware on my website is malware free!

    I don't know what the scanner has against Borland executables...

    I just did the same test with Delphi 2009, and C++ Builder 2009, and even the C++ program is flagged identically to the Delphi program, as ADWARE.
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello softtouch,
    I checked out the bir.exe file you sent - it is indeed encrypted/compressed and has suspicious attributes because of that. If you want AVs to stop detecting it, the best way would be to move away from using PECompact2 and molebox - two packers used primarily by malware, especially when combined.

    We are more than willing to whitelist software as you release it, but the heuristics involved to block these programs are valid - when you are first testing the files, you are the only user to have ever seen them and they are packed/encrypted/obfuscated.

    And note that we don't scan by filename but you're feeding the heuristics by showing that the program appears with different names/locations.

    You should consider getting a digital certificate from Verisign and signing your software with that - we can whitelist by specific digital certificate but your software is too suspicious to be whitelisted by itself because of the way that you obfuscate it.
     
    Last edited: May 7, 2009
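    As an added illustration of the "packed/encrypted" trait PrevxHelp describes above (example code written for this thread, not Prevx's detection logic or anyone's product): a Python check that walks a PE section table and scores each section's byte entropy, since a packer such as PECompact2 or a cryptor leaves sections whose bytes look close to random, which is what a heuristic picks up before any whitelist entry or digital signature exists for the file. The minimal PE builder and both sample sections are constructed for the demo; the parser reads only the standard DOS/NT header fields and section-header layout.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code and strings sit around 4-6, packed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Minimal PE section-table walk; yields (name, raw_bytes) for each section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    for i in range(num_sections):
        hdr = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def suspicious_sections(image: bytes, threshold: float = 7.0):
    """Sections whose entropy suggests packing or encryption (a heuristic, not a verdict)."""
    scored = [(name, round(shannon_entropy(data), 2)) for name, data in pe_sections(image)]
    return [(name, h) for name, h in scored if h >= threshold]

def build_sample_pe(sections):
    """Constructed test image (not compiler output): DOS stub, NT headers, section table, data."""
    nt = 64  # e_lfanew: NT headers immediately after the 64-byte DOS header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", nt)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # no optional header
    data_off = nt + 24 + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0, len(data), data_off + len(body), 0, 0, 0, 0, 0)
        body += data
    return dos + b"PE\0\0" + file_hdr + table + body

PLAIN = b"Batch Image Resizer: open file, resize, save. " * 40  # constructed, text-like section
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # constructed, random-like
SAMPLE = build_sample_pe([(b".text", PLAIN), (b".rsrc", PACKED)])
```

    Running suspicious_sections(SAMPLE) reports only the .rsrc section; an unpacked build of the same program would score like .text, which is why the post separates the packing question from whitelisting by certificate.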
  25. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    It happens also when not packed.
    I only pack them to reduce the size.

    PECompact2 and molebox are legitimate programs.
    People who create malware also use winzip and winrar to pack their malware, does that mean that in future all packers will be blacklisted?
    And upx/pecompact2 are widely used by many freeware authors to reduce the filesize on disk.
    But packing is not the point here, Delphi programs are getting flagged packed or not, that's my problem.

    I am sure not going to purchase a digital certificate, which cost a lot of money, because of FP results.
     
    Last edited: May 7, 2009