Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. Dr33

    Dr33 Registered Member

    Joined:
    Jan 23, 2009
    Posts:
    103
    thanks for the information
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    According to the screenshot, all that happened was that the program copied another program into the Windows directory. We "could" detect it based on only that, but it would generate a lot of false positives because MANY legitimate programs do just that :doubt:

    This is the same problem with leaktests like keylogger leaktests. People misinterpret the intention/abilities of these leaktests on modern security software. It is not difficult whatsoever to detect that a program is going to be monitoring keystrokes. Frankly, it is about 20 lines of code to do that if you already have a basic framework developed for monitoring behaviors. However, it is not malicious to monitor keystrokes. Games do it, hotkey programs do it, security software does it, web browsers sometimes do it, login programs do it.... there is a LONG list of reasons to do it, which is why Microsoft provides neat, convenient methods for monitoring keystrokes :D If there wasn't a demand for monitoring keystrokes by legitimate applications, Microsoft wouldn't bother writing and maintaining the hooks necessary to manage them.

    It is not possible to find 100% of threats on the "first sight". We can find a whole load of them automatically (thousands per hour), but it is not 100% - this is simply because we have a limited amount of information when a file first is seen. After a file is seen by a wider audience (i.e. 2 people instead of 0 :D), the "shape" and dynamics of the file are much easier to analyze so we're able to make a much more educated interpretation of it.

    *Steps off soapbox* :D
     
  3. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Explains a lot. :) Just another question out of curiosity: WOULD it be possible to detect a lot of completely new infections on first sight, the first time it's ever seen by Prevx? I get the legitimate-action thing, but would it probably take care of it heuristically when coming a little further in the infection process if my protection wasn't seemingly broken, and would it also take care of all the traces? ( :doubt: ) My understanding is that Prevx always monitors everything that's done to your system... Weird thing is this is happening in the latest stable version, and as explained everything default, effective out-of-box settings except for the self-protection... :(
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, it definitely is - we use static analysis to find programs before they execute, as well as server-side sandboxing of samples as they come in for analysis, so we catch a lot of malware the first time it's ever seen, even if it is a completely new variant/technique. A recent example is the Conficker worm - we didn't have any knowledge of it but we blocked it from the first user that saw it.

    My guess as to why it was let through for you was because we have some caching in place to cut down the user's bandwidth requirements so there may be a small window if you run a program a second time before it is checked again. This is generally not a problem as running a program twice just results in two reports of the same data - however, because Threatfire blocked it the first time, that interrupted the analysis.

    A solution to this would be to see if the program actually DOES successfully load and only apply the logic in that case, rather than possibly not collect any data if another AV interrupts the process.
     
  5. Dr33

    Dr33 Registered Member

    Joined:
    Jan 23, 2009
    Posts:
    103
    I am shocked! Prevx support is really fast :eek:
    I really like this program!!
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yes, Prevx has got a big lot of respect, both for their great software and EXCELLENT support. That's what makes a real company. ;)
     
  7. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    What's the file "qc.csi"? It was detected and deleted by BitDefender Online Scanner as malware - even if I'd set it to prompt if things couldn't get disinfected, GRRR :p - so, is my installation of EDGE corrupted now or what? :doubt: From what I understand, it's a quarantine-file of malware, and thus also the detection.
     
  8. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Why the shock...it is their trademark and one of their key differentiators with everyone else...;)

    Glad you approve! :D
     
  9. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    I think that the best thing to do would be to uninstall Edge, reboot and then immediately re-install it. That is what I did when I had an issue like this early on and it seemed to work a treat...but I am sure that Joe will be along to advise (he never sleeps you know...always out there watching/listening...looking out for us! :D )
     
  10. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yeah, he's awesome! ****! I think he saw that! :D Now the real-time protection was doing stuff, detecting traces of the crack-infection I think, so I'll leave it without a reinstall for now.

    Suggestion: I want to be able to view the Prevx report; more information by double-clicking or right-clicking in the "Undo Cleanup" section as well - would be more convenient and faster than search manually after something was blocked/removed like I have to do now...

    EDIT: This was the Prevx report: http://www.prevx.com/filenames/2216395111511951385-0/PREVX.EXE.html ... was that really the crack-infection? I would suppose it is, and that the team has been doing more research, thus the additional detection, but I'm still not 100% sure. Then again I didn't read the report that thoroughly. :D
     
    Last edited: Mar 14, 2009
  11. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Raven

    If you are still unsure then I would definitely uninstall Edge, go to the Prevx website, download a new copy of Edge (from a known safe source), reboot and then immediately install Edge again from the fresh download. It should scan your PC as part of the install and look for/find the malicious versions, if any exist.

    Hope that helps? :D
     
  12. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Ok, announcement for everyone :D

    We have received many reports of antivirus software detecting the qc.csi file. This is the quarantine file used by Prevx CSI/Edge, where infections are stored after cleaning.

    Our quarantine feature makes use of a simple algorithm to encode infection files inside our container. Even if simple, it's obviously more than enough to securely disable and store all infections found by Prevx.

    Some antivirus software is able to decode our quarantine file and could find signatures of malware inside it. Some other software simply detects the encryption algorithm as suspicious and reports it.

    This doesn't mean qc.csi is infected, or that Prevx software has been corrupted/infected, or that Prevx drops infections inside the system.

    This statement is just to assure our customers there isn't any infection inside qc.csi :) Or, better, there are encrypted and disabled infection files removed by Prevx after a cleanup routine. Though, it's not a false positive of other antivirus software. They are right :)
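    The post above describes why a quarantine container can trip another scanner: the stored file is only encoded, not destroyed, so an engine that understands the encoding still finds the signature inside. The toy container below is an added illustration written for this thread, not Prevx's code, and its layout (the `QTOY` marker, a SHA-256 integrity field, a fixed XOR key) and the "malware" sample are constructed assumptions, not the real qc.csi format. It shows the two cases EraserHW distinguishes: a naive byte scan of the container finds nothing, while decoding first recovers the original bytes and the match.

```python
"""Toy quarantine container illustrating how an encoded quarantine file
still carries the original malware bytes in recoverable form.

Constructed example: the container layout, magic value and XOR key are
assumptions for illustration and are NOT the real Prevx qc.csi format.
"""
import hashlib
import struct

MAGIC = b"QTOY"                     # hypothetical container marker
KEY = bytes.fromhex("5a3c9e17")     # hypothetical fixed encoding key

# Constructed "malware" sample carrying a byte string a signature scanner
# would match; it is not a real malware pattern.
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"
SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + SIGNATURE + b"\x00" * 16


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR with a repeating key: applying it twice restores the input.
    This is 'encoding', not encryption; it only stops the bytes from being
    executed or matched as-is."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def quarantine(original_path: str, data: bytes, key: bytes = KEY) -> bytes:
    """Pack one file: MAGIC | sha256(original) | path length | path | XOR body.
    The hash lets a later restore verify the container was not tampered with."""
    path = original_path.encode("utf-8")
    digest = hashlib.sha256(data).digest()
    header = MAGIC + digest + struct.pack("<I", len(path)) + path
    return header + xor_stream(data, key)


def restore(container: bytes, key: bytes = KEY) -> tuple[str, bytes]:
    """Unpack and verify; raises ValueError if the container is malformed
    or the decoded bytes do not match the stored hash."""
    if container[:4] != MAGIC:
        raise ValueError("not a quarantine container")
    digest = container[4:36]
    (path_len,) = struct.unpack("<I", container[36:40])
    path = container[40:40 + path_len].decode("utf-8")
    data = xor_stream(container[40 + path_len:], key)
    if hashlib.sha256(data).digest() != digest:
        raise ValueError("integrity check failed")
    return path, data


def signature_visible(blob: bytes) -> bool:
    """What a scanner that does not understand the container sees:
    does the raw byte pattern occur anywhere in the blob?"""
    return SIGNATURE in blob


def signature_visible_after_decoding(container: bytes, key: bytes = KEY) -> bool:
    """What a scanner that can decode the container sees: it matches the
    original bytes, which is the expected, correct detection EraserHW describes."""
    _, data = restore(container, key)
    return SIGNATURE in data


if __name__ == "__main__":
    box = quarantine(r"C:\Windows\Temp\dropper.exe", SAMPLE)
    print("raw container matches signature:", signature_visible(box))
    print("decoded container matches signature:", signature_visible_after_decoding(box))
```

    The integrity hash is the practical addition here: if another product "cleans" the quarantine file by overwriting part of it (as the BitDefender scan in this thread did), `restore` refuses rather than handing back corrupted bytes.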
     
  13. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Thanks for the heads up Eraser.

    Edge is the only detection app I run on my computer now so I got no worries.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    me too:thumb:
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Definitely a good idea - I'll have us add a double-click on the 'Undo Cleanup' screen to open the filenames page (I thought that WAS in there but it definitely isn't :D)

    Based on the page you opened, it does look to be malicious - if you look at the "File Name Aliases" section, there are a number of filenames which are from this same program.... definitely not up to any good :D

    And Eraser is exactly correct about qc.csi as well :)
     
  16. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Is anyone using this on Windows 2003 Servers?

    Curious what the overhead is on things such as file and Exchange servers where I don't want to be monitoring/scanning every file read to/from disk (with Exchange we have dedicated Exchange-aware antivirus), but do want to be sure the OS of the server hasn't been compromised remotely via some exploit rather than through someone doing something from the console.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We have a number of corporate users running it on Windows 2003 servers - Edge doesn't scan every file as it's written, so its overhead is very light: it scans code as it is loaded into memory. A file being written can't actually infect just by being written, so we decided to not bother scanning them, which dramatically reduces its overhead :) Edge will, of course, block an exploit which would come through or malware which enters by other means.

    Hope that helps :)
     
  18. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Thanks, looks worth a try - happy enough with our current desktop A/V but not delighted with their server offerings.

    I guess being paranoid I have to ask - what sort of issues, if any, have you seen on things such as Exchange servers which might be running/loading all kinds of "on the fly" processes into RAM (stating the obvious but with Exchange/SQL these executables can easily grow to over 1gb) as they cache database data?

    Also any plans for centralized monitoring/management? I don't see a manual on the website but from what I could see with Edge, it's not possible with a couple dozen servers to monitor them all from one central point?
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We honestly haven't had any problems from our users of Server 2000, 2003, or 2008. The only thing they're asking for is centralized management :D Right now, we have CSI Enterprise which will allow you to scan computers on a schedule with a centralized management console (http://www.prevx.com/securitybreachmanagement.asp) but we will be releasing Edge Enterprise in the next couple weeks which will give all of the features of Edge and allow them to be managed centrally.
     
  20. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    And just to be crystal clear, the price doesn't differentiate between "Desktops" and "Servers" as I only see the option/pricing on your website for "PC's".

    Not complaining but the business pricing almost looks too good to be true if it does cover servers?

    Is there a PDF manual I can grab or just download it/install it and use the Help?

    Oh and P.S what host(s)/ports does it need outbound on a corporate firewall to work?
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    At the moment, we don't charge an extra fee for server installation or console installation, unlike most of the other companies :) We feel that it is largely unnecessary to charge an extra fee for the management console. The business pricing does include access to our online management, which you can use on a server or client - we currently don't have any distinction between a client PC install and a server PC install as in the end they are both PCs :)

    You can learn more about our enterprise offerings by visiting http://www.prevx.com/securitybreachmanagement.asp and clicking "Downloads & Documentation"
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I believe you can configure a port to be open, but I'm not positive. The documentation would probably be more helpful there :)
     
  23. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    perhaps off-topic, but would it be possible to add a search function to the online database? there have been many times i wanted to see Prevx's determination on a random file, but no way to input it.


    Mike
     
  24. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Joe, is Vipre AV compatible with PxE?
     
  25. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I like that idea.:cool:
     