Okay, just today I bought myself a brand new licence of Prevx. Enthusiastic as I was, I wanted to test its abilities to the max. I set all settings at maximum heuristic and I set Prevx to autoblock and autodelete on detection of malware. Then I ran ***.com/***/****/***/fid.exe (~ Virus Total Results Removed per Policy ~) and sweet, Prevx prevented my computer from being infected and autoblocked the attempt. It did, however, not delete the fid.exe file. I ran fid.exe again and BAM, without Prevx even notifying me this time, I got infected by a rogue AV. Without rebooting, I ran a deep scan with Prevx, which couldn't find any installed malware. My solution was to revert back to an old restore point, which finally made the malware go away. My questions are now:
1) Why did Prevx not delete the file, which I specifically told it to upon detection?
2) Why didn't Prevx do anything the second time I executed the same file? The installation went right through without even a prompt from Prevx.
3) How come Prevx, which detected the malware at first, did not find anything during the deep scan when the malware was installed on my computer?
Regards, Gabe
Can you please post the link like this: hxxp//thelink.com/therest. Next, make a new scan, right-click the Prevx symbol in the tray, select Tools, Save Log. Send it to: report@prevxresearch.com and write in the mail your problem and the topic link. Next: tell us the Prevx version you are using. Last: it's no good idea to infect the PC I think you are using; next time use a VM or another PC.
I saved the log, but an on-demand scan won't detect the malware. I am not sure how I should proceed with this matter. It bugs me that when executed, the file is detected as malware... but fid.exe is not removed, and after the detection, when I run it manually again, it infects me. I've tested it three times, and all of them ended up with the malware compromising my system. I am using Prevx 3.0.5.130 with all modules active on Windows 7 x64. The log file does indeed contain: [DN] c:\users\SSSSS\desktop\fid.exe PX5: 26402D6D00EFBC38688F0363A2731B005F1595D5]. But Prevx won't stop it from infecting me when I install it the second time.
@shadek I downloaded fid.exe and scanned it with Prevx, so I'm not sure why there is a discrepancy between your scan and mine? However, I did NOT run it. But according to VT when I uploaded it, it IS a Trojan FakeAV, as confirmed by 5 vendors. Let's see what Prevx says, but at least you were able to restore.
Yeah, an on-demand scan won't detect the malware, but the heuristic detects it when launched... and blocks it... but the second time it compromises your system (at least it did for me). I'm not sure why Prevx doesn't stop the second attempt as well... And yeah, I am super glad I got rid of it. First time ever I've actually had a use for the restore points Windows made.
I sent it to Prevx report e-mail, following the guidelines presented in this forum. Furthermore, even Avira set on high heuristic combined with Prevx set on max heuristic will help against this malware sample. It sure is a sneaky sample.
No one solution will guarantee 100% detection, and that includes Prevx also! No AV will detect everything, so if you play with malware you are going to get infected! What would you do if your system restore was not working, as some malware will delete all restore points? If you are going to play with malware you should use a VM and run Shadow Defender with it, just in case! Regards, TH
Sometimes it takes an hour or more because it's a "community database", so not many other Prevx users have seen this malware on their machines! I downloaded it and NOD32 stopped it as a new variant of Win32/Kryptik.DXV trojan! Did you send it to them via this post? https://www.wilderssecurity.com/showthread.php?t=245129 TH
Wait a minute, is it a behaviour blocker which detects something only based on what the "community database" has said? In either case, detecting this malware the first time and then not detecting it the second time is no good.
I thought of that, but he said that the settings were to autoblock and autodelete. Maybe the question for him would be whether he checked the detection overrides after it was not detected the second time.
Quote (Triple Helix):
Not just malware that does that, as I and a number of others have found out to our cost: https://www.wilderssecurity.com/showthread.php?t=270069
Yeah, sometimes. Good point though.
Quote (pabrate):
Yes, very strange; it'll be interesting to hear what Prevx makes of it all.
It's odd indeed. Hopefully Prevx can replicate the scenario and we'll see an even better antimalware product.
Hello, We're investigating this infection further, but it looks like it may not directly exhibit malicious behaviors, which would explain why it may not have been automatically found. Many of these fake AV threats sneak under the radar of antimalware software because of their reliance on social engineering rather than malicious actions, but we try to keep on our toes with regard to the newest rogue AVs. Our research team will be analyzing this sample closer and will report back with what we find. Thanks again for the help, and please let me know if you find anything else! EDIT: We've confirmed protection for this sample, but could you let us know what you initially responded to when the sample was blocked? If you hit the X on the warning dialog instead of clicking "Block", it could potentially respond differently in the future. Let me know what you find!
I am pretty sure that I clicked 'X' when the pop-up window said the malware had been blocked. This is because Prevx informed me the threat had been blocked and I saw no other way to get rid of the pop-up. I'll be installing a virtual environment today to test a few new rogue AVs.
That is the best thing. I hate it when someone gets infected because they want to test malware with no virtual environment, and they have no way of correcting it but to do a format and reinstall the OS! I remember a few years ago helping a friend because he was so infected we formatted and reinstalled the OS, and then we installed NOD32 2.5 (at the time) and it found 4 malware still running in memory, but we finally got it cleaned up! Also download the trial of Shadow Defender 1.1.0.325 for the extra protection in Shadow mode! TH
If you don't want to use a virtual machine, at least take an image of your drive before experimenting with malware. (I bet TH does both.) I am not sure if the Prevx guaranteed malware removal (with remote support, if necessary) applies if someone infects their machine on purpose.
I'd never ask for remote help. I was about to reinstall my entire system. I was well aware of the risks when I tried to infect my computer. Glad the problem was sorted out and Prevx got a little better at the same time.