Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    I haven't read this thread for a while but have skimmed the last couple of pages and am a bit confused about the issue of scanning files on access. I asked a (sort of) similar question a couple of months back and was told that PrevX Edge DOES do some scanning of non-executable files.

    PS. I would still like an option added to disable the sending of filenames and paths, particularly for non-executable files. I know this information is used during analysis, but surely a lot of analysis could still be done without this info (ie. this info is not absolutely essential for doing analysis).
     
  2. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    Also, the file "nircmd.exe" which you can get from here is identified as "High Risk Cloaked Malware". I'm guessing this is a FP ?
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, Edge scans non-executable files on-demand but not on read/write. The last posts have been primarily focused on whether Edge would scan files that aren't actually doing anything on the system, which it does not as they do not pose a threat.

    In the case of non-executable files, Edge runs local analysis and does not send anything up to the database in virtually all cases so we don't collect/analyze that data (for pictures/documents for instance).
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I tried downloading it and it isn't found here - could you send me an entry from the scan log which includes that file so I can see exactly what version is causing it? (FWIW, "NirSoft" files are frequently used by malware which is probably where this got caught from)
     
  5. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    As requested. When it was detected, I right-clicked the file on the alert and chose "Report false positive" (in case that has changed things)

    Code:
    [NFP] c:\windows\nircmd.exe	[PX5: 6847635E0031BF7978E500D454453000E3440291]
    
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks :) Now it is fixed!
     
  7. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    So if I never ran a manual Scan, no non-executable files would be scanned (eg. .doc file opened/saved by Word, or mp3/avi files being played/accessed by a media player ?) ?

    And... If I did run a manual scan and some doc/mp3/avi files were analysed, in virtually all cases, no file data, filename or file path would be sent to the PrevX servers ?

    May I ask in what cases does PrevX collect/analyse data for non-executable files ?
     
  8. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    Lightning quick, as always! Do you ever sleep ? :D
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We don't collect any data for non-executable files (it would simply be far too much server power required :D we have billions of files and those are JUST executables :))

    Locally, we run an analysis checking for exploits of non-executable files but you may see non-executable files being scanned in the "Scanning: " field. This is just because we don't look at the extension of the file - we read all of the files and check the file header to see if they're executable (as the file extension isn't reliable) so while it may look like we're scanning them, we most likely are going to ignore them :)
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I wish! :D
     
  11. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    One other thing - if I save the scan results, the log file is always opened in Notepad, rather than the app associated with the .log extension.
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, that's true - we open it by default in Notepad just in case malware has modified the .log extension handler. Not much of a chance for that to really happen, but this way we execute a program which we know rather than an arbitrary associated program :)
     
  13. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    Suppose Notepad has been modified/replaced by malware ? :D
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fair point :D It does cut down risk a "bit" however by controlling what we're opening it in :D
     
  15. BrendanK.

    BrendanK. Guest

    I got a few FP's today :(

    c:\windows\system32\drivers\oamon.sys
    c:\windows\system32\drivers\oadriver.sys
    c:\program files\superantispyware\saskutil.sys
    c:\windows\system32\drivers\oanet.sys
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Could you save a scan log and PM me the entries including these files? Thanks :)
     
  17. trio

    trio Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    15
    If you only collect executable file data then does this mean that Edge cannot detect non-executable threats such as script viruses e.g. VBS?
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Edge protects primarily against executable threats (the vast majority) but we detect certain threats locally without submitting the data to the server.
     
  19. BrendanK.

    BrendanK. Guest

    The on demand isn't picking it up o_O
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The files may have been automatically trusted by our database - if you send me a log after a scan it should contain the files (I'll PM you my email address :)) and I'll double check their status.
     
  21. dorgane

    dorgane Guest

    hi,
    have you got an date for new release ? tank you

    Arnaud
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We have a very exciting change/release/announcement coming very soon (that's all I can say for now ;))
     
  23. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    I'll be up early in the morning then :D
     
  24. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,692
    Looking forward to it.
    (Patiently waiting)
     
  25. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    Wow, the new version got a major GUI overhaul... gonna check it out now! ;)

    edit: I see the self protection is enabled in Windows 7 x64 now? very nice!

    edit2: The new interface is great! Very easy to use now, compliments to you guys!
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.