Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I haven't read this thread for a while but have skimmed the last couple of pages and am a bit confused about the issue of scanning files on access. I asked a (sort of) similar question a couple of months back and was told that PrevX Edge DOES do some scanning of non-executable files.

    PS. I would still like an option added to disable the sending of filenames and paths, particularly for non-executable files. I know this information is used during analysis, but surely a lot of analysis could still be done without this info (ie. this info is not absolutely essential for doing analysis).
     
  2. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
Also, the file "nircmd.exe" which you can get from here is identified as "High Risk Cloaked Malware". I'm guessing this is an FP?
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, Edge scans non-executable files on-demand but not on read/write. The last posts have been primarily focused on whether Edge would scan files that aren't actually doing anything on the system, which it does not as they do not pose a threat.

    In the case of non-executable files, Edge runs local analysis and does not send anything up to the database in virtually all cases so we don't collect/analyze that data (for pictures/documents for instance).
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I tried downloading it and it isn't found here - could you send me an entry from the scan log which includes that file so I can see exactly what version is causing it? (FWIW, "NirSoft" files are frequently used by malware which is probably where this got caught from)
     
  5. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    As requested. When it was detected, I right-clicked the file on the alert and chose "Report false positive" (in case that has changed things)

    Code:
    [NFP] c:\windows\nircmd.exe	[PX5: 6847635E0031BF7978E500D454453000E3440291]
    
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks :) Now it is fixed!
     
  7. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
So if I never ran a manual scan, no non-executable files would be scanned (e.g. a .doc file opened/saved by Word, or mp3/avi files being played/accessed by a media player)?

And... if I did run a manual scan and some doc/mp3/avi files were analysed, in virtually all cases no file data, filename or file path would be sent to the PrevX servers?

May I ask in what cases PrevX collects/analyses data for non-executable files?
     
  8. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
Lightning quick, as always! Do you ever sleep? :D
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We don't collect any data for non-executable files (it would simply be far too much server power required :D we have billions of files and those are JUST executables :))

    Locally, we run an analysis checking for exploits of non-executable files but you may see non-executable files being scanned in the "Scanning: " field. This is just because we don't look at the extension of the file - we read all of the files and check the file header to see if they're executable (as the file extension isn't reliable) so while it may look like we're scanning them, we most likely are going to ignore them :)
     
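The header-over-extension check PrevxHelp describes above (read the file, look at its header, ignore the name) can be illustrated with a small Python example. This is added here and is not Prevx code; the `is_pe_by_header` and `triage` helpers, the file names and the byte strings are all constructed for the example, and the constructed "PE" is only the two signatures, not a real program.

```python
import struct

# Offsets used by the Windows PE format: the "MZ" DOS signature at 0, and
# e_lfanew (a 32-bit little-endian offset to the "PE\0\0" signature) at 0x3C.
MZ_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C


def is_pe_by_header(data: bytes) -> bool:
    """Return True when the bytes carry a Windows PE header.

    The file name and extension are deliberately not consulted: an .exe
    holding image bytes is treated as non-executable, and a PE renamed to
    .jpg is still recognised as executable. Truncated or malformed headers
    (e_lfanew pointing past the end of the data) are treated as not-a-PE.
    """
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_SIGNATURE:
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def triage(files: dict) -> dict:
    """Map each file name to 'executable' or 'non-executable' by header only."""
    return {
        name: ("executable" if is_pe_by_header(data) else "non-executable")
        for name, data in files.items()
    }


def build_minimal_pe() -> bytes:
    """Constructed sample: MZ header whose e_lfanew points at a PE signature."""
    header = bytearray(MZ_SIGNATURE + b"\x00" * (0x40 - len(MZ_SIGNATURE)))
    struct.pack_into("<I", header, E_LFANEW_OFFSET, 0x40)
    return bytes(header) + PE_SIGNATURE + b"\x00" * 20


def sample_files() -> dict:
    """Constructed corpus: names chosen to mislead, contents decide the label."""
    pe = build_minimal_pe()
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 60  # JPEG/JFIF magic, constructed
    return {
        "c:\\tools\\tool.exe": pe,            # executable with a normal name
        "c:\\users\\me\\holiday.jpg": pe,     # executable hiding behind .jpg
        "c:\\users\\me\\notes.exe": jpeg,     # image bytes with a .exe name
        "c:\\users\\me\\report.doc": jpeg,    # ordinary non-executable file
        "c:\\temp\\truncated.exe": MZ_SIGNATURE + b"\x00" * 10,  # too short
    }


if __name__ == "__main__":
    for name, label in triage(sample_files()).items():
        print(f"{label:15} {name}")
```

Only the two entries whose bytes actually carry the MZ and PE signatures come back as "executable", which is why a scanner working this way can appear to "scan" pictures and documents (it has to read them to decide) while ignoring them for analysis.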
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I wish! :D
     
  11. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    One other thing - if I save the scan results, the log file is always opened in Notepad, rather than the app associated with the .log extension.
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, that's true - we open it by default in Notepad just in case malware has modified the .log extension handler. Not much of a chance for that to really happen, but this way we execute a program which we know rather than an arbitrary associated program :)
     
  13. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
Suppose Notepad has been modified/replaced by malware? :D
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fair point :D It does cut down risk a "bit" however by controlling what we're opening it in :D
     
  15. BrendanK.

    BrendanK. Guest

I got a few FPs today :(

    c:\windows\system32\drivers\oamon.sys
    c:\windows\system32\drivers\oadriver.sys
    c:\program files\superantispyware\saskutil.sys
    c:\windows\system32\drivers\oanet.sys
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Could you save a scan log and PM me the entries including these files? Thanks :)
     
  17. trio

    trio Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    15
    If you only collect executable file data then does this mean that Edge cannot detect non-executable threats such as script viruses e.g. VBS?
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Edge protects primarily against executable threats (the vast majority) but we detect certain threats locally without submitting the data to the server.
     
  19. BrendanK.

    BrendanK. Guest

    The on demand isn't picking it up o_O
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The files may have been automatically trusted by our database - if you send me a log after a scan it should contain the files (I'll PM you my email address :)) and I'll double check their status.
     
  21. dorgane

    dorgane Guest

Hi,
have you got a date for the new release? Thank you

    Arnaud
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We have a very exciting change/release/announcement coming very soon (that's all I can say for now ;))
     
  23. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    I'll be up early in the morning then :D
     
  24. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Looking forward to it.
    (Patiently waiting)
     
  25. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    Wow, the new version got a major GUI overhaul... gonna check it out now! ;)

Edit: I see the self protection is enabled in Windows 7 x64 now? Very nice!

Edit 2: The new interface is great! Very easy to use now, compliments to you guys!
     