Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No, that is different. These files actually have no content whatsoever (i.e. - open notepad, don't type anything, and click Save As :D)
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Not a waste of time at all :) We definitely did miss some of these, just looking as to why and improving our rules to find them in the future :)
     
  3. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Sure, I'd love to know.

    But you don't need to convince me with your product :)

    For those that know, my setup used to be DrWeb + Prevx, but Vista arrived and beta was all there was; now Edge arrives, and I can 'finally' continue to use my subscriptions :)

    Anyway, when you're done with this, I wouldn't mind a private word with you, for some support :D

    ...so let me know :)


    Good, so it can improve the product further hopefully :)

    I've not had my laptop back long, as it's been away for repair, and I've already got back into sending samples away. *tut tut*

    Also, it's been a seriously bad week for me.

    1. crap week at work (more than usual)
    2. victim of credit card fraud
    3. dog ripped up my trainers, had to buy a new pair
    4. lost my bank card TODAY, had to cancel it before anyone used it.
    5. .... 5 days for a new card to arrive. *sigh*

    next week had better be a better one. :)
     
  4. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    After seeing all the comments I've just tested PrevX Edge using the virus samples from my AntiVirus showdown videos.

    In the test 8 out of 10 threats were detected when running each virus, which was a good result. I noticed that some of the warning pop-ups displayed the virus name, which I assume is coming from the PrevX online database. Normally I try to test all security products without internet access or a malware database. This tests the real core of a security product because it demonstrates how good the zero-day (new virus) protection a program can offer really is.

    I disabled network connections as this scenario could easily be replicated by:

    a, Loss of network connection e.g. wireless.
    b, A virus blocking the network connection.

    I then re-ran my samples and not one threat was detected. I have performed this same test with other popular products e.g. Threatfire, Drivesentry, Rising and Twister, which still protected the system. I even put the PrevX Edge heuristics settings up to maximum, with the same results!

    After doing some research, the driver is from CSI and hooks a number of kernel APIs and also calls into the filter manager. I assume this is a client version of CSI which is a basic scanner, which is why it's 800kb. I can see no evidence of any heuristic / behavioral engine (e.g. Threatfire) or any pro-active protection. In summary it offers no security if you're not online or malware has blocked network access, and you would be crazy to run it standalone.

    I will upload the latest video for PrevX Edge to my YouTube channel in the next few days.

    ~interact
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Your test is fundamentally incorrect about how infections can enter. First, you would have to be connected to the internet to contract the infection in the first place, so, before the infection would run, Edge would scan it (using the internet connection you just had open to download the infection).

    Therefore, if the internet is actually active for the infection to come through, Edge would be able to scan. All of our scanning takes place within our community database, which is hosted completely online, so, it does require an internet connection.

    Also, you don't need to hook SSDT entries to monitor behaviors or protect the system :) We use the minifilter framework which is the Microsoft-specified approved way to hook into system behavior.

    Please let me know if you need any clarification.
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I obviously suppose you still changed the extension to *.bat or something and checked through "edit" on those files, regardless of what it was originally?
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    Out of curiosity I entered an unused key that I won from Castlecops 5th Birthday prize giveaway in 2007, and guess what!....I now have a Prevx Edge key,.....How cool!

    However, what does this mean ?......"Register for your My Prevx Web Console Now"
     

  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We have internal tools to analyze the files :) I was giving an example of what kind of 0 byte file I saw in the archive of samples.
     
  9. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    As already said by PrevxHelp, that's different.

    I don't know exactly the technique used by Neil, but I think he's just adding/changing some unused bytes of the malware to null bytes. By doing so, he checks if the signatures used by some antimalware solutions are just based on a full-body checksum (like MD5). If so, the antimalware software would no longer find the malware, because it's a "new variant" (different checksum).
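The test EraserHW describes, reproduced as an added example (this is not code from the thread, from Neil, or from Prevx). The "sample" is a constructed byte string standing in for an executable, the hash blocklist and the byte-pattern signature are made up for the demonstration, and the mutation is a single padding byte set to 0x00, so the program's behaviour is unchanged while its MD5 is not:

```python
"""Checksum signatures vs. byte-pattern signatures under a one-byte mutation.

Added example, not from the forum thread or from Prevx. SAMPLE is a
constructed stand-in for a malicious executable; HASH_BLOCKLIST and
PATTERN_SIGNATURE are made up for the demonstration.
"""
import hashlib

# Constructed "executable": a header, a code section, a run of alignment
# padding that is never executed or read, and a trailing overlay.
HEADER = b"MZ\x90\x00" + b"\x00" * 12
CODE = bytes.fromhex("5589e583ec10c745fc0000000031c0c9c3")  # x86 prologue/epilogue
PADDING = b"\xcc" * 16          # compiler alignment slack (unused bytes)
OVERLAY = b"TRAILING-DATA"
SAMPLE = HEADER + CODE + PADDING + OVERLAY

# Offset of the padding region inside SAMPLE; the mutation must land in here.
PADDING_OFFSET = len(HEADER) + len(CODE)

# Signature type 1: full-body checksum, the kind EraserHW suspects some
# products rely on. Constructed blocklist containing only the original.
HASH_BLOCKLIST = {hashlib.md5(SAMPLE).hexdigest()}

# Signature type 2: a byte pattern taken from the code section only.
PATTERN_SIGNATURE = CODE[:8]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def null_unused_byte(data: bytes, offset: int) -> bytes:
    """Return a copy of `data` with the byte at `offset` set to 0x00.

    Only offsets inside the padding region are accepted, so the change
    cannot alter what the program does: only its bytes, and so its hash.
    """
    if not PADDING_OFFSET <= offset < PADDING_OFFSET + len(PADDING):
        raise ValueError("offset is not inside the unused padding region")
    mutated = bytearray(data)
    mutated[offset] = 0x00
    return bytes(mutated)


def detected_by_hash(data: bytes) -> bool:
    """Full-file checksum lookup: any changed byte defeats it."""
    return md5_hex(data) in HASH_BLOCKLIST


def detected_by_pattern(data: bytes) -> bool:
    """Byte-pattern lookup over the code section: survives padding edits."""
    return PATTERN_SIGNATURE in data


def run_variant_test() -> dict:
    """Null one padding byte and re-check both signature types."""
    variant = null_unused_byte(SAMPLE, PADDING_OFFSET + 3)
    return {
        "original_md5": md5_hex(SAMPLE),
        "variant_md5": md5_hex(variant),
        "hash_detects_original": detected_by_hash(SAMPLE),
        "hash_detects_variant": detected_by_hash(variant),
        "pattern_detects_original": detected_by_pattern(SAMPLE),
        "pattern_detects_variant": detected_by_pattern(variant),
    }


if __name__ == "__main__":
    for key, value in run_variant_test().items():
        print(f"{key}: {value}")
```

The checksum signature misses the "new variant" while the pattern signature still fires, which is exactly the distinction the test is designed to expose; a product that answered only the first lookup would be the one EraserHW is describing.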
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    PH, there is a little bug involving tray icons. When rebooting from one snapshot to another, it killed my FD-ISR tray icon. And we can't have that.;)
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's odd... it actually killed the FD-ISR tray icon without killing the program? o_O

    I'll take a look at it :D
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The My Prevx Web Console is a way to centrally manage and view all of your computers registered to any of our products.

    There are still a few more things to be completed in it, but it is an easy way to overview a number of computers at once :)
     
  13. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    Well, that then does not apply to me, since I only have one computer.....poor me! :D

    P.S. Can you provide me with the link to download the program, thanks!.....save me going looking for it.:)
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Here you go: http://info.prevx.com/downloadedge.asp :)
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
  16. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    That could be a wrong idea. Most security companies and antivirus developers are moving to community database technologies (F-Secure DeepGuard 2.0, Norton Community Watch, Panda's Collective Intelligence, McAfee Artemis and so on) in what is called "in-the-cloud" technology.

    There's a reason why they are moving to these new technologies: because this "new" technology can really improve your detection rate and it can help you in catching zero-day threats and new malware.

    By cutting off the internet connection, you're cutting off a large number of detections, because almost all security suites are now starting to use these community technologies.
     
  17. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Hmmmmm they are "starting" to use these new technologies. Correct me if I am wrong, but isn't there a program called Prevx that has been using this technology for several years now. :D
     
  18. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    It looks so :D :)
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Never heard of it.

    EDIT: Ohhh right! Yes :) We have :) Ironically, I think other AVs finally realizing that the community approach is completely necessary for protecting users will end up helping us more. We were a bit "ahead of our time" when we first came out with it and received a lot of backlash with users thinking our approach was impossible... In a couple years, everyone will have to download 20gb of definition updates if they stay with the same model :) This way we host it all online ;)
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,237
    Location:
    USA
    The point of cutting the internet connection was to simulate a real-world situation, i.e. where you get infected and the infection either kills the connection or you have to use "SAFE mode without networking" to gain control of the system. The use of an online database is part of a prevention strategy, not a disinfection strategy.
     
  21. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Then you can't talk about testing detection capabilities of an antivirus software :) You're talking about disinfection capabilities. If so, you can't either talk about testing detection of 0day threats :)
     
  22. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Your situation would be correct as long as your AV had that piece of malware in its sig base and was updated, or you would be hosed that way too, because you have no way of updating it to clean the infection.
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    In what way can an infection "kill" the connection?

    When running Edge or CSI, it immediately checks the HOSTS file, LSP chain, and a number of other areas to identify if it can correctly reach the internet and it will prompt the user with a guide on how to repair it automatically if it can't.

    I don't see why the user would be unable to use safe mode with networking. It loads the same limited environment with just a couple of extra drivers for the network support.

    IMO, online databases for malware protection (like Prevx for instance :D) are really the only feasible way of blocking new threats. Sure, you can block behaviors, but with that, you aren't blocking a threat - you are just blocking the side effect. You can also block things using definitions, however, that is ineffective for mutating infections. An online, community-facing database will give the AV company the means of monitoring threats on the global scale and apply definitions en-masse without the need for the delay of an update.
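The HOSTS-file part of the connectivity check PrevxHelp mentions, as an added example (this is not Prevx's code; the thread only says that Edge checks the HOSTS file and the LSP chain, and the LSP chain is a Winsock catalog matter outside this snippet). The hosts-file text and the watched-domain list are constructed for the demonstration; prevx.com is taken from the thread, the other domains are assumptions:

```python
"""Flag HOSTS-file entries that would stop a cloud-backed scanner reaching its vendor.

Added example, not Prevx's code. SAMPLE_HOSTS and WATCHED_DOMAINS are
constructed for the demonstration.
"""
import ipaddress

# Domains whose pinning in the hosts file would cut off cloud lookups or
# updates. Constructed list: prevx.com appears in the thread, the rest are
# common-sense additions.
WATCHED_DOMAINS = ("prevx.com", "windowsupdate.com", "microsoft.com")

# Constructed hosts file: two normal lines, a comment, and three tampered ones.
# 203.0.113.7 is a TEST-NET-3 address used here as a stand-in attacker host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.prevx.com          # sinkholed to loopback
0.0.0.0         info.prevx.com
203.0.113.7     download.windowsupdate.com   # redirected to another host
"""


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field: not a usable mapping
        for host in fields[1:]:               # one line may name several hosts
            yield ip, host.lower()


def matches_watched(host: str, watched=WATCHED_DOMAINS) -> bool:
    """True if `host` is a watched domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in watched)


def find_hijacked_entries(text: str, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip, reason)] for watched domains pinned in the hosts file.

    Any static mapping of a vendor domain is suspect, since a clean hosts
    file carries no such entries. The reason separates a sinkhole
    (loopback or unspecified address) from a redirect to some other host.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if not matches_watched(host, watched):
            continue
        reason = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((host, str(ip), reason))
    return findings


if __name__ == "__main__":
    for host, ip, reason in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"{reason:10s} {host} -> {ip}")
```

On a real machine the input would be read from %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts); a non-empty result is the trigger for the repair prompt the post describes, and the "redirected" case matters as much as the sinkhole, since an update server pointed at an attacker-controlled address is worse than one that is simply unreachable.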
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Exactly :) We can update signatures in one second and have them apply to every computer using Edge. A normal AV has to write, upload, build, and send the definition, then every user has to download it (requiring an internet connection) and rescan their system.

    With the necessary increased frequency of definitions and the growing popularity of broadband internet connections, it will shortly become impossible for an AV to function WITHOUT having the definitions hosted centrally.
     
  25. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    But if your internet connection was disconnected, in that rare instance, a user could always have the infection removed once he/she is online again.

    For example, many users are content (no complaints) to use several leading 'on-demand scans' to remove an infection after it has already bypassed the resident AV and been on the system.
     