Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. wytco0

    wytco0 Registered Member

    Joined:
    Mar 13, 2009
    Posts:
    10
    I am getting hundreds of files being reported as infected on my Windows 7 laptop today.

    I believe that this may not be correct.

    Is there a problem with false negatives today? Currently my machine is reporting 202 infected files.
     
  2. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I believe you - still, that's the reason layered defense is always a must. :)
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We just had a signature hit incorrectly on Windows 7 (64bit) comps - could you try either uninstalling/reinstalling or rescanning? It should correct the issue automatically, but if it doesn't, let me know and I'll take a look at what's causing it :)
     
  4. Nunes

    Nunes Registered Member

    Joined:
    Apr 4, 2006
    Posts:
    103
    Location:
    AMADORA,Portugal
    Hello

    Another issue that will interest you PrevxHelp:

    I've recently been using a piece of software called PC Boost from an Israeli company called Reimage, and when the computer boots up PC Boost disables the CSIScanner service, and I have to relaunch Prevx Edge.

    Can you take a look at this software and how it can do this?

    I also sent an email to the company about this.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hmmm o_O You should definitely add CSIScanner to some allowed list in PC Boost (if they have one) :)
     
  6. Nunes

    Nunes Registered Member

    Joined:
    Apr 4, 2006
    Posts:
    103
    Location:
    AMADORA,Portugal
    There is no configuration. It's an install-it-and-forget-it kind of thing.

    I raised the self-protection of Prevx to Medium and will see what happens on the next boot.
     
  7. wytco0

    wytco0 Registered Member

    Joined:
    Mar 13, 2009
    Posts:
    10

    Reinstalled and rescanned and it's all showing as secure now, thanks for your help.

    And yes, it was 64-bit W7.
     
  8. Nunes

    Nunes Registered Member

    Joined:
    Apr 4, 2006
    Posts:
    103
    Location:
    AMADORA,Portugal
    After raising the level of self-protection, the Prevx service has been disabled 2 times, but now Prevx re-enables it immediately.

    Meanwhile Prevx reported 8 files infected in the folders

    Common files\microsoft shared

    and

    program files\microsoft visual studio 9

    but they are surely FP. After a rescan Prevx didn't consider them infected again.
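    The sequence Nunes describes (the CSIScanner service stopped at boot by another product, then brought back by Prevx self-protection) is exactly the kind of event a defender wants to see in the event log rather than discover by accident. The script below is an added example and is not code from this thread or from Prevx: it runs a small detector over constructed log lines modelled on Windows Service Control Manager events 7036 (service entered a state) and 7034 (service terminated unexpectedly). The one-line "timestamp source event_id message" layout is a constructed flattening for the example, not a real export format, and the protected-service list (CSIScanner, named in the thread) is an assumption to adapt. A stop that is undone within seconds is still reported, because the interesting fact is that something stopped the service at all.

```python
import re
from datetime import datetime

# Services expected to stay running; CSIScanner is the Prevx service named in the thread (assumption: adapt).
PROTECTED_SERVICES = {"CSIScanner"}

# Constructed sample lines modelled on Service Control Manager events 7036/7034 (not a real export).
SAMPLE_LOG = """\
2009-03-20 08:01:12 Service Control Manager 7036 The CSIScanner service entered the running state.
2009-03-20 08:01:40 Service Control Manager 7036 The Print Spooler service entered the running state.
2009-03-20 08:02:05 Service Control Manager 7036 The CSIScanner service entered the stopped state.
2009-03-20 08:02:06 Service Control Manager 7036 The CSIScanner service entered the running state.
2009-03-20 08:30:00 Service Control Manager 7034 The CSIScanner service terminated unexpectedly.  It has done this 1 time(s).
2009-03-20 08:31:00 Service Control Manager 7036 The Print Spooler service entered the stopped state.
"""

# "<date> <time> <source with spaces> <4-digit event id> <message>"; the lazy source match stops at the id.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<source>.+?) (?P<event_id>\d{4}) (?P<message>.*)$")
STATE_RE = re.compile(r"^The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$")
CRASH_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly\.")


def parse_line(line: str):
    """Split one flattened event line into its fields; returns None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["event_id"] = int(ev["event_id"])
    return ev


def analyze(log_text: str, protected=PROTECTED_SERVICES, restart_window_s: int = 30) -> list:
    """Report every stop or crash of a protected service, even when it was restarted right away."""
    findings = []
    pending = {}  # service -> timestamp of a stop not yet followed by 'running'
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["source"] != "Service Control Manager":
            continue
        if ev["event_id"] == 7034:
            m = CRASH_RE.match(ev["message"])
            if m and m["svc"] in protected:
                findings.append({"ts": ev["ts"], "service": m["svc"], "kind": "unexpected_termination"})
            continue
        if ev["event_id"] != 7036:
            continue
        m = STATE_RE.match(ev["message"])
        if not m or m["svc"] not in protected:
            continue
        svc, state = m["svc"], m["state"]
        if state == "stopped":
            pending[svc] = ev["ts"]
        elif state == "running" and svc in pending:
            gap = (ev["ts"] - pending.pop(svc)).total_seconds()
            # A quick restart (self-protection kicking in) is still worth a finding: something stopped it.
            kind = "stopped_then_restarted" if gap <= restart_window_s else "stopped_long_outage"
            findings.append({"ts": ev["ts"], "service": svc, "kind": kind, "gap_seconds": gap})
    # Anything still pending at end of log never came back.
    for svc, ts in pending.items():
        findings.append({"ts": ts, "service": svc, "kind": "stopped_not_restarted"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["service"], f["kind"], f.get("gap_seconds", ""))
```

    On the sample, the Print Spooler stop is ignored, the CSIScanner stop at 08:02:05 is reported as stopped_then_restarted with a one-second gap, and the 7034 at 08:30:00 is reported as an unexpected termination.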
     
  9. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    CRAP, I believed your statement (PrevxHelp) and allowed actions through TF out of interest - Prevx did nothing and now I don't know what will happen! :'(
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hmm... are you sure Edge was fully enabled? The file is still manually added as a detection in the database so it should be blocked. :doubt:
     
  11. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Well, it's detected during a manual scan as I figured out I would try that, but what's the point when prevention is better than the cure and Prevx EDGE is all about the real-time protection? :( And how do I know the manual detection of just the freakin' executable will remove everything that's created and modified? There were at least 3-4 pop-ups from TF with EDGE never going in between, before or even after! :doubt:

    Everything is enabled as I don't expect it to be disabled when EDGE is all green and all settings are default except for Self-Protection which is set to minimum for some good reason I can't remember... most likely incompatibility with other security software - always is...
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm not sure what would have caused this, but if you want, email me a scan log and I'll see what was modified from there to help you undo the changes.
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    ... and hopefully add those traces into your protection. Already did before I saw this message - trying to stay positive. :p :D
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    There was one file remaining in your system (C:\Windows\Norton2009_TrialReset.exe) - if you rescan, it should be detected now as well but after that last one, the rest is clean :)
     
  15. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Scanned again with the following reboot for the cleaning process (why is it always asking you to reboot anyway? :cautious: ). The weird thing was why this file was left in the first place. Are you sure it's malicious too? My guess would be that it's created, but not activated (the crack-fix, that is) as I said no when asked if I would like the crack to apply its fix.
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It doesn't look all that terribly malicious but it is dropped in an overly discreet manner IMO and a few other AVs detect the file as well which lends some credence to removing it.

    The reboot is done to ensure everything is removed thoroughly - Edge's removal modules load extremely early in the boot process so that they can undo any changes made by rootkits/spyware. Granted, it's a bit of overkill for an "infection" like this, but it's still better to be thorough by rebooting than to possibly miss cleaning up something or to crash a program while trying to unhook in memory (in our opinion at least :))
     
  17. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Is an option to reboot later (yes-no dialogue) on the to-do list? Seems very possible that Prevx could take care of it at a later point in time.

    EDIT: The discreet manner, I would suppose, is to avoid most AVs' detection and most importantly Symantec's. Symantec didn't react at all, not even SONAR, even if I've sadly experienced this before...
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It isn't, and the reason is that if an infection is active, the best thing to do at that point would be to disinfect it so we try and push users through the cleanup process as quickly as possible to get them disinfected. Edge also turns on some "lockdown" functionality when running the cleanup to prevent further infections from entering so it is recommended that you reboot as soon as possible after the cleanup actually finishes.
     
  19. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Some lockdown to system functionality, in other words... I understand. But maybe you can now understand my "yet to confirm" feeling when there was both questionable detection and protection. The protection was not even there in this case! No footprint, no heuristics - nothing! TF detected every single move - Prevx would not do anything before, in between or even after. TF "old-school" is so untrue IMO. It's proved itself time after time when it really counts - no shitty test-files and tests overall. In this case it would literally save the user. :blink:
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The approach Threatfire takes is completely different to the approach Edge takes. Threatfire is going to warn about different actions like copying a file into the Windows directory but that, in itself, is NOT malicious. Edge looks at the program as a whole along with input from other times that the program is run from other users and collects that data to make the determination.

    I'm not sure what caused the problem with your blocking of the file, but I ran it here and Edge immediately blocked it as "Malicious Software" :doubt:
     
  21. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Most of the time *I* have got prompts from TF, they've been legit, only some FPs in its early days. It's been smart enough, but I know this has not been the case even lately for other users testing it against modification to, for example, system files.

    Well, that was AFTER you added it footprinted into the db, correct? We both don't know if it would be detected without a footprint, but it seemed not to as EDGE sure analyzed the files. It was impossible to not see happening down to the right. The same case even after the footprint was added by you. The time when I tested to allow the actions, all the traces being created, through TF. Everything is on. Everything is active. No reaction from Prevx and Prevx comes before TF.


    I mean no offense here. ;)
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm going to be asking the database team to see what could cause this because it does look like something went wrong to make you not get the blocked determination but me get it o_O

    However, as I said before, you were the first user to see it so it isn't exactly a fair infection to compare against. It is possible that the first user who sees an infection would get hit by it - the first time you saw the file Threatfire blocked it from actually running so Edge never actually got any event data from it. The second time technically became the first time because THEN it was able to actually see the file running (although, it should have been blocked anyway because I set it to 'bad' so I'm not sure what went on there).

    I'll investigate it further and let you know what I find :)
     
  23. Dr33

    Dr33 Registered Member

    Joined:
    Jan 23, 2009
    Posts:
    103
    I have a problem removing 3 possible malware files from my gf's PC

    c:\windows\system32\wmp.dll
    c:\windows\system32\xpsp2res.dll
    c:\windows\servicepackfiles\i386\sprt0404.dll

    All 3 are tagged as malware components. I followed the removal instructions 3 times but they still keep coming up on every reboot. Thanks
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    A "malware component" designation means that they are replaced system files - an infection modified them and replaced them with malicious/patched copies.

    Could you please write into the customer support inbox? It would be easier to work on it with you there as this will require more research-team assistance :) You can get to the inbox from http://www.prevx.com/support
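    PrevxHelp's explanation of the "malware component" label (a system file replaced by a patched copy) suggests the check a practitioner makes before trusting either the scanner or the file: compare the file's hash against a known-good manifest and look at whether it carries an Authenticode signature at all. The script below is an added example, not code from this thread or from Prevx. It builds minimal PE images in memory (constructed bytes, not real system files), locates the PE security data directory, parses the WIN_CERTIFICATE header it points at, and compares each file against a hypothetical manifest; the file names reuse the paths from Dr33's post. The caveat the example makes visible: a patched copy keeps its signature blob, so "has a signature" alone proves nothing, whereas the hash mismatch does; full cryptographic verification of the PKCS#7 SignedData is out of scope here and belongs to a real Authenticode verifier.

```python
import hashlib
import struct

# Data-directory index and certificate type from the PE / Authenticode specifications
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def build_sample_pe(signed: bool, payload: bytes = b"\x90" * 16) -> bytes:
    """Construct a minimal PE32 image in memory (constructed test data, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # offset of the "PE\0\0" signature
    opt = bytearray(224)                                  # PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, len(opt), 0x0102)
    # The security directory is unusual: its "VirtualAddress" is a raw file offset (8-byte aligned here).
    sec_off = len(dos) + 4 + len(coff) + len(opt) + len(payload)
    win_cert = b""
    if signed:
        blob = b"CONSTRUCTED-PKCS7-BLOB01"                # stands in for the PKCS#7 SignedData
        win_cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sec_off, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload + win_cert


def pe_security_directory(data: bytes):
    """Return (file_offset, size) of the Authenticode directory, or None if the PE carries none."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = e_lfanew + 4 + 20                           # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                    # PE32
        nrva_off, dd_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                                  # PE32+
        nrva_off, dd_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, nrva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("security directory runs past end of file")
    return off, size


def read_win_certificate(data: bytes, off: int, size: int) -> dict:
    """Parse the WIN_CERTIFICATE header the security directory points at."""
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    if length > size:
        raise ValueError("WIN_CERTIFICATE length exceeds directory size")
    return {"length": length, "revision": revision, "type": cert_type, "blob": data[off + 8:off + length]}


def assess(name: str, data: bytes, known_good: dict) -> dict:
    """Compare a file with a known-good hash manifest and report whether it carries a signature blob."""
    digest = hashlib.sha256(data).hexdigest()
    sec = pe_security_directory(data)
    cert = read_win_certificate(data, *sec) if sec else None
    return {
        "file": name,
        "sha256": digest,
        "has_authenticode_blob": cert is not None and cert["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "matches_known_good": known_good.get(name) == digest,
    }


def demo() -> list:
    """Original, patched and unsigned variants of a constructed image, checked against a manifest."""
    original = build_sample_pe(signed=True)
    # Patched copy: headers and signature blob untouched, only the code bytes differ
    patched = build_sample_pe(signed=True, payload=b"\xeb\xfe" + b"\x90" * 14)
    unsigned = build_sample_pe(signed=False)
    known_good = {"wmp.dll": hashlib.sha256(original).hexdigest()}   # hypothetical manifest entry
    return [
        assess("wmp.dll", original, known_good),
        assess("wmp.dll", patched, known_good),
        assess("xpsp2res.dll", unsigned, known_good),
    ]


if __name__ == "__main__":
    for r in demo():
        print(r["file"], r["sha256"][:16], "blob=%s" % r["has_authenticode_blob"],
              "known_good=%s" % r["matches_known_good"])
```

    The patched wmp.dll still reports has_authenticode_blob=True but matches_known_good=False, which is the replaced-system-file case; the unsigned xpsp2res.dll has neither. On a real machine the manifest would come from trusted media or a vendor catalog, and the signature would be verified with a proper Authenticode tool rather than by the presence of the blob.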
     
  25. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567

    Thx for the information. :) So, what was happening, the event in the screenshot I took, was no event that Prevx could take determination from, even heuristically? It was only a file being created in sensitive areas?

    I don't think your argument "you were the first user to see it so it isn't exactly a fair infection to compare against. It is possible that the first user who sees an infection would get hit by it" holds, as Prevx is more specifically about blocking new, yet unseen threats - but that may just be my opinion and view. :D That's basically the main-point about using Prevx in the first place.
     