Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    No, no - not that. :D I mean with it fully functional, even if - as said - the trialing model is still being thought through. For example, I get this prompt for Hotbar (even if I don't know how serious that adware infection is considered, though definitely not as much as, e.g., an XP Antivirus infection).
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    OK, I see. :D Where is that screenshot? I want to see it.
     
  3. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    160 detected on scan
    157 remaining

    42 files remaining after behaviour-based checks.

    So, is that around 87% detection?

    Which, for malware from the past couple of months, isn't too bad, even better if some of the files remaining turn out to be clean.

    Even though my test is not professional in any way, I do like to check certain things on my machine myself, so no need to hear "this test is ****" or "this test is BS"; I did this for myself and just thought I'd share it on here.

    I'll PM the Prevx guys and see what they can do; they may just turn out to be false alarms.

    ----

    I'd also like to hear their opinion on the best possible settings for the heuristics; I've noticed quite a few false alarms with the settings set to 'high' or 'maximum'.

    ----


    chris.
     
  4. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yes, I have actually been testing this. ;) Actually, as a fairly advanced user, I really prefer automatic operation for things that are known and serious when it comes to security software operation, Norton being a pretty good example. :rolleyes: And going into the basic user's mind, I think this is his preference as well.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, you will still get the prompt regardless of the infection. However, the options are just Block or Options (which will lead to options to trust the infection in the future if you want it to run).

    However, hiding the Trust options lets the user see which option they should take (as the only real button is Block).

    (Also, if the user hits the X, it assumes they mean Block so it will block the infection.)
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
  7. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    That's good to know, PrevxHelp (that trying to close will still block the threat).

    With regards to that screenshot, it says in highlighted red 'malicious software infection prevented'. It also says, 'it is highly recommended that you block this threat'.

    I think the red alert message gives the user clear direction as to what action to take (block). Giving further options allows you as the user to run a program which is flagged, but that you know is safe. The options also allow you to 'trust' a program 'just once'. I think that's a pretty cool feature, just like a firewall, allowing something just once to continue.

    I've tried the block function and it actually removes the file altogether and places it in quarantine.
     
  8. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Don't get me wrong - your method is semi-automatic and a very smart approach though.
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  10. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Correct - this is actually an option which is ticked by default in Edge: if the user chooses to block, quarantine it as well. ;)
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've PM'd you with an email address to send the files :) I'll check out each one individually to see if there are any clean files in there.

    I also tend to check out detections personally, as the large AV tests are highly skewed towards detecting old malware, which is nowhere near as useful as detecting new malware for actual users that are looking to be protected.

    Could you send me the files causing the false alarms on the higher heuristic settings? It is a bit hit and miss; some users experience FPs on high levels while others don't - it really depends on the kind of software you use and try. If you are a frequent tester of beta products, I'd recommend the default settings or lower. If you are a normal user that installs a new product once in a while, the high settings should be fine. If you are a grandma who rarely installs new software, you can set it to maximum without seeing any problems.

    If you have any questions (and don't worry, I know you aren't a grandma :D), please let me know :)
     
  12. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I think maybe my biggest concern is how this approach will work when there's lots of malware in place; many prompts for the user to answer. Quickly taking care of all the severe stuff automatically would seem to solve those things and at the same time speed up the process.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    When there are multiple infections, the dialog changes into a "Multiple Infections have been identified" dialog. You can then check all of the boxes at once to block every file, or act upon each file differently to trust once/trust always/block each one individually :)
     
  14. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Seems like you've really thought this through - haha! :D :) Oh well, maybe it's just me then. :D I suppose when this dialog shows up that all of the infections are ticked by default? How does it react when more and more infections are being built-up/detected in real-time?
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We've seen some nightmare situations where users accidentally get DDoS'd by prompts from their AV, preventing them from doing anything at all so we needed to get a solution together for how to prevent it :)

    All infections are automatically checked by default as they occur and added into the list as they come in. We've done some nice thrashing tests of it by running 5000 infections constantly for a few hours straight without having anything slip through :)
     
  16. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Yep, I would love to know your findings, Joe.

    I usually leave my settings on High, btw, for every piece of software I use or trial, and never use Paranoid (max) settings.
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    This test is as good as all the rest in my view. Keep in mind, folks, this product has only been out of beta for 3 days now. It is completely different from the current run-of-the-mill products and very light. PrevxHelp and Eraser have made it a point that support is going to be an ongoing issue that is dealt with in a timely fashion. Another new approach. ;)

    There is a release I know of, due for next week, and knowing PrevxHelp, there might be two at the rate they go.

    I said this earlier. Don't judge this product, or Prevx, based on the past, but from a fresh start with a whole new way of thinking, from this day forward. It will only get better. ;)
     
  18. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Chris, I am running mine at Max on the heuristics, and med/med on the other two. Haven't had any issues doing this. I think Surun was the only one, and I just added it to the override list.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm going through every sample by hand to try and see why we missed them/if they are malicious and a number of them are not malware at all (there are also 5 completely blank, 0 byte files in the test set which I sure hope can't be malicious!! :D)

    I'll get you a complete, itemized report in a little while :)
     
  20. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    5000, eh? Yep, that's more than I threw at it at one time... :D
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Ok, I finished the first pass of the undetected files and weeded out the majority of the garbage:

    253, 252, 251, 250, and 249 are all 0-byte files
    169/166/168 are non-working samples
    103 is a little less than half of a script virus
    248/104/106 are HTML files which download the malware, but are not malicious by themselves

    223 and 228 are byte-to-byte identical, so, not exactly fair when counting :)
    23_1 and 24_1 are byte-to-byte identical
    60 and 85 are identical
    258 and 266 are identical

    After weeding these out, we're left with 141 undetected files.
    I've not yet checked what these remaining files are but I'll be checking them out shortly and reporting back :)
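    The weeding described in the post above (drop the 0-byte files, collapse byte-identical samples into one scoring unit, then rescore what is left) as an added, runnable example. This is not Prevx's or the poster's code: the sample set, the file names and the scanner verdicts are constructed inline, and the function names `triage`, `score`, `build_demo_set` and `demo` are this example's own.

```python
"""Triage a malware-sample directory before scoring a scanner against it.

Added example, not Prevx code.  Sample files and verdicts are constructed.
"""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(sample_dir):
    """Split a sample directory into scoring units.

    Returns (empty, dups, groups):
      empty  - names of 0-byte files; they carry no code and cannot be scored
      dups   - sha256 -> names, only where the same bytes appear more than once
      groups - sha256 -> names for every non-empty file (one scoring unit each)
    """
    empty, groups = [], defaultdict(list)
    for p in sorted(Path(sample_dir).iterdir()):
        if not p.is_file():
            continue
        if p.stat().st_size == 0:
            empty.append(p.name)
        else:
            groups[sha256_file(p)].append(p.name)
    dups = {h: names for h, names in groups.items() if len(names) > 1}
    return empty, dups, dict(groups)


def score(groups, detected):
    """Score once per unique hash; a group is a hit if any copy was flagged.

    Identical bytes get identical static verdicts, so counting both copies of a
    pair would double-count one hit or one miss.  Returns (hits, total, percent).
    """
    hits = sum(1 for names in groups.values() if any(n in detected for n in names))
    total = len(groups)
    pct = round(100.0 * hits / total, 2) if total else 0.0
    return hits, total, pct


def build_demo_set(root):
    """Constructed sample set (not real malware): 20 distinct files,
    3 byte-identical pairs and 5 empty files, 31 files in all."""
    root = Path(root)
    for i in range(20):
        (root / f"{i:03d}.bin").write_bytes(b"MZ" + bytes([i]) * 64)
    for a, b in [(20, 21), (22, 23), (24, 25)]:
        blob = b"MZ" + bytes([a]) * 64
        (root / f"{a:03d}.bin").write_bytes(blob)
        (root / f"{b:03d}.bin").write_bytes(blob)
    for i in range(26, 31):
        (root / f"{i:03d}.bin").write_bytes(b"")


def demo():
    """Run the triage on the constructed set; compare naive and weeded rates."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_set(d)
        # Constructed scanner verdicts: 15 of the 20 distinct files flagged,
        # plus exactly one copy of each duplicate pair.
        detected = {f"{i:03d}.bin" for i in range(15)} | {"020.bin", "022.bin", "024.bin"}
        empty, dups, groups = triage(d)
        n_files = len(empty) + sum(len(v) for v in groups.values())
        naive = round(100.0 * len(detected) / n_files, 2)  # every file counted once
        hits, total, weeded = score(groups, detected)
        return {
            "files": n_files, "empty": len(empty), "dup_groups": len(dups),
            "unique": total, "hits": hits, "naive_pct": naive, "weeded_pct": weeded,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>11}: {v}")
```

    On the constructed set the naive count (18 flagged out of 31 files) reads 58.06%, while scoring per unique non-empty hash gives 18 of 23, or 78.26%. The gap is the point: empties and duplicates in a test set move the headline number without saying anything about the scanner. Whether a partial script or a downloader HTML page should count is a judgement call the script leaves to the analyst.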
     
  22. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Yep, I ain't an analyst, Joe :)

    I have about half a million samples from 2008, and I just took a little 'random' chunk for my own little testing; I simply don't have the time to keep sending loads of things in and checking things I know nothing about.

    I don't pretend, like some people do, to know everything and anything; that's what the experts are for :D

    I do know, however, that most of my samples usually turn out to be malware, due to frequent submissions to my trusty drweb. :)

    I should state, these are not VX-collectors' packs; each sample is downloaded individually by myself, or sent to me.

    And in no way shared with the public or used maliciously. (Before anyone asks :) )

    It's a mixture of being curious, learning, or file submission; some could even say a public service *lol* :D
     
  23. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Is 0 bytes the same as "null" bytes? 'Cause that's a technique that Neil at PCMag is using to create a "modified" sample of malware to see if it passes security software without any fuss when testing them.
     
  24. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Sure, do it. :thumb:

    Just hope it's not wasting your time with junk; maybe Prevx got 100% :)
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes - I completely understand :) I was just giving some preliminary input as to what the files appear to be. We appreciate all samples and can definitely tune our heuristics to grab these bad ones as well :)

    One small thing is that these files are now "out of context", meaning they might not be found as swiftly as other samples which are parts of live infections on user machines (we're able to find more malware because of behavior when it's actually running on the machine in context alongside other infections).

    I'll let you know what we find in these samples ASAP :)
     