Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Our approach is essentially the opposite of a blacklist in most cases. While we do have blacklisting and whitelisting components for one-off threats, most of our database is based around statistical models of program popularity and program behaviors. We correlate program behaviors collected from all users who have seen a program and centrally analyze them to find the intent of the program in question. We then also aggregate contextual information about the programs like what registry entries pointed to them and what files they have modified/created and from all of this information, our systems can automatically identify malicious behavior as a derivative of previous threats or identify brand new threats on the first sighting based on a dynamic profiling of the community. In addition to this centralized behavioral analysis, we use correlative algorithms which dissect a program's static structure and format to find similar programs in function at a binary level which allows us to find families of malware with single signatures rather than developing separate detection for each variant.

    :doubt: In a real-world example, I don't really see this happening too often :) However, our next release will include on-the-fly analysis of the browser to automatically detect any malicious downloaded content which hasn't tried to load yet, but the chances of a user downloading a program and not using it until their ISP is down are quite low :)

    Additionally, in the event that it is down, we queue up the data to be checked so as soon as the connection is resumed, we will analyze the programs and then perform any removal as necessary if they are indeed found to be malicious.
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Although we rely on gathering data, it isn't gathered to generate signatures in the conventional sense. A brand new threat with completely new behavior can be stopped immediately - case in point: the Storm worm. We found the first variants immediately as they were released, and the first user seeing the first infection was immediately protected. Granted, we can't stop ALL threats immediately, simply because we don't have enough data on them. However, our Age/Spread protection (in Settings > Heuristic Settings) is completely different from a blacklist or any other aspect of our protection. It looks at the age of a program and the popularity of a program. If a program is suspicious in any way, is brand new, and has only been seen by a small handful of users, this protection will block the program. This conceptually defeats polymorphic threats as they try to become unique on every PC.

    In addition to this, our "heuristics" look at what actually happens on the PC as a program runs so although we might not catch new malware on the first instance, we're going to catch it soon after once we determine it isn't doing anything legitimate on the PC :)

    All of our behavior monitoring and heuristics are highly dynamic so FPs are automatically corrected as programs are seen by a larger number of users and trusted by age. Also, nearly all of our signatures and heuristics are generated completely automatically - our research team merely tunes the underlying rules and algorithms as they see fit but rarely do any of our researchers mark individual threats as malicious; it simply is ineffective for new threats to detect a single sample as they constantly change.
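As an added illustration (not Prevx code, and not described in this detail in the post above), here is a small Python model of the Age/Spread rule PrevxHelp describes: block a program only when it is suspicious, brand new, and seen on few PCs, and let the block lapse as age and spread grow so that a false positive on a new-but-legitimate program corrects itself. The threshold values, the Low/Medium/Maximum mapping, the `suspicious` boolean standing in for the behaviour/static analysis result, and the sighting data are all assumptions constructed for the example.

```python
"""Age/spread heuristic in the spirit of the Prevx post above.

Added illustration, not Prevx code. Everything below that the post does not
state is an assumption: the threshold table, the boolean 'suspicious' flag
standing in for the behavioural/static analysis result, and the constructed
sightings used in the scenarios.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed sensitivity table keyed by the Low/Medium/Maximum settings the
# thread mentions. A program that is both "new" (age below age_days) and
# "rare" (seen on fewer than `hosts` distinct PCs) is blocked. At "maximum"
# the behavioural flag is not required, which is one reading of the
# "paranoid mode / intelligent whitelisting" remark later in the thread.
LEVELS = {
    "low":     {"age_days": 2,  "hosts": 5,   "require_suspicious": True},
    "medium":  {"age_days": 7,  "hosts": 25,  "require_suspicious": True},
    "maximum": {"age_days": 30, "hosts": 100, "require_suspicious": False},
}


@dataclass
class Sighting:
    host_id: str          # anonymous identifier of the PC reporting the file
    seen_at: datetime     # when that PC first reported it


@dataclass
class ProgramRecord:
    sha256: str           # stand-in for a per-file identifier (assumed)
    suspicious: bool      # assumed output of behaviour/static analysis
    sightings: list = field(default_factory=list)

    def record(self, host_id: str, seen_at: datetime) -> None:
        self.sightings.append(Sighting(host_id, seen_at))

    def first_seen(self) -> datetime:
        return min(s.seen_at for s in self.sightings)

    def distinct_hosts(self) -> int:
        return len({s.host_id for s in self.sightings})


def age_spread_verdict(rec: ProgramRecord, now: datetime, level: str = "medium") -> str:
    """Return 'block' or 'allow' for one program at time `now`.

    Age is measured from the community's first sighting, spread as the number
    of distinct hosts. The program escapes the block as soon as it is either
    old enough or widespread enough, which is how a false positive on a
    new-but-legitimate program corrects itself over time.
    """
    cfg = LEVELS[level]
    if not rec.sightings:
        raise ValueError("a program with no sightings has no age or spread")
    age_days = (now - rec.first_seen()).total_seconds() / 86400.0
    is_new = age_days < cfg["age_days"]
    is_rare = rec.distinct_hosts() < cfg["hosts"]
    if cfg["require_suspicious"] and not rec.suspicious:
        return "allow"
    return "block" if (is_new and is_rare) else "allow"


def simulate_rollout(level: str = "medium") -> tuple:
    """Constructed scenario: a behaviourally suspicious file appears on 3 PCs,
    then spreads to 300 PCs within a day. Returns (early_verdict, later_verdict).
    """
    t0 = datetime(2009, 5, 24, 9, 0)
    rec = ProgramRecord(sha256="0" * 64, suspicious=True)
    for i in range(3):
        rec.record(f"host-{i}", t0 + timedelta(minutes=i))
    early = age_spread_verdict(rec, t0 + timedelta(hours=1), level)
    for i in range(3, 300):
        rec.record(f"host-{i}", t0 + timedelta(hours=20, minutes=i))
    later = age_spread_verdict(rec, t0 + timedelta(days=1, hours=6), level)
    return early, later


def singleton_verdict(level: str, suspicious: bool) -> str:
    """Constructed scenario: a single PC sees a brand-new file for the first time."""
    t0 = datetime(2009, 5, 24, 9, 0)
    rec = ProgramRecord(sha256="1" * 64, suspicious=suspicious)
    rec.record("host-0", t0)
    return age_spread_verdict(rec, t0 + timedelta(minutes=5), level)


if __name__ == "__main__":
    for lvl in LEVELS:
        print(lvl, "rollout:", simulate_rollout(lvl),
              "clean singleton:", singleton_verdict(lvl, suspicious=False))
```

Running the script shows the 3-host scenario blocked at every level and released once 300 hosts have seen the file, even though it is still under the age threshold: spread alone lifts the block. At the assumed "maximum" level a clean, never-before-seen singleton is blocked as well, which is the behaviour the thread attributes to paranoid mode.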
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    How good is Prevx? Pretty good in my opinion, but I don't just rely on it. Even Prevx says you should have a layered approach. (I think he said that in one of his posts... too many to look back and check.)

    Case in point, yesterday SSM came up with this and I blocked it. End of story! Was it malicious or potentially so, I do not know. All I know is I had never seen that particular popup before. See screenshot attached.
     


  4. a320ca

    a320ca Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    97
    Location:
    USA
    Wow, would you look at that task bar! :eek::eek::eek:
     
  5. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    A shocker! ;) I know, but I can't help myself. :D
     
  6. a320ca

    a320ca Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    97
    Location:
    USA
    I know what you mean. :)
     
  7. a320ca

    a320ca Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    97
    Location:
    USA
    Ditto, same result here too.
     
  8. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Seems they fixed it; for now, no more of this weird FP, hehe.
     
  9. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    Hi,

    I have encountered some false positives with Prevx.

    I have attached the scan log to this post. Please fix it soon. :)
     

    Attached Files:

    • fp.log (395.1 KB)
  10. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    btw

    How do I set Prevx to start minimized after a PC reboot?
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That is not a malicious action and is an FP by SSM - sethc.exe is a legitimate program from Microsoft which changes the system contrast for usability reasons. You should be able to start it on-demand by hitting ALT+Left Shift+PrintScreen.

    We don't block this because it isn't malicious :)
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I suspect this is caused because of the sandbox preventing Prevx from reaching the outside disk properly, which is why the FP is a rootkit detection FP. If you can send me a scan log I can get it corrected ASAP :)
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I checked each of these files and they are not false positives - iedfix.c.exe is found by 15 vendors on VT and gaemon.des is definitely suspicious (and found by 6 vendors on VT).
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Prevx should automatically be minimized on bootup as long as the system is clean. If your status is infected after the Sandboxie detection, you may want to run another scan to see if that clears it up :) Let me know!
     
  15. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Thanks, Prevx, for the fast help.

    I just want to ask this: if I set all 3 bars in "Settings" to "Medium",

    1) Does it mean I get more FPs?
    2) Does it mean it will pop up more than the recommended tag?
    3) Do you recommend increasing it to more than the default?
    Thanks.

    Another FP goes for Eaz Fix :oops:
     


    Last edited: May 24, 2009
  16. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    Hi PrevxHelp,

    I have sent all the samples detected by Prevx to Avira and all came back clean.

    So who is correct now? o_O I am confused. o_O
     
  17. dclkdm

    dclkdm Registered Member

    Joined:
    Oct 19, 2008
    Posts:
    36
    It seems to be solved :) thank you.
     
  18. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Hi PrevxHelp. Great that you answer all questions coming up! :thumb:


    I would like to test the full Prevx, but I can't find a real trial version anywhere.
    I currently use the free version. However, I would like to test all functions before I buy licenses for me and my family.

    By the way: When will the Q3-update appear?
    I hope it will increase the offline detection on a base level...

    PS: What is the difference between a and a [BP] tag in the logfile?

    Would be great if you can explain the logfile completely...
     
    Last edited: May 24, 2009
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm not sure :doubt: This sample looks like a hoax/fake AV, as detected by a-squared, Antiy-AVL, Avast, Comodo, eSafe, eTrust, GData, K7, McAfee, Panda, Sophos, Sunbelt, Trend, and ViRobot (and us :))

    I tend to err on the side of all of these companies not being wrong :D
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Setting them to medium will only make a marginal impact on FPs - if you set them all to Maximum that is essentially a "paranoid" mode which will trigger on quite a few additional files (it basically provides intelligent whitelisting in that case). Setting them to medium, however, should improve detection as well so you may want to try that - if you do experience any FPs with it, let me know :)

    A couple of other users have reported this as well - we're working on solving it, but I'm surprised it's happening in the first place as the data seems to be trusted already in the database :blink: Can you PM/email me a log with the details on the file? :)
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fantastic! Thanks for letting us know :)
     
  22. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    Then I think I will report those samples as false positives to the companies that detect them and see what their reply is. :) Then I will get back to you here.
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Any time :)

    Sure :) I've PM'd you a 7 day test license to try out all of the functionality. We have the default trial as just a free product with no realtime protection or cleanup which lets people try out all of the other functionality for free for as long as they want, rather than like a standard AV which completely prevents you from using it further after ~30 days.

    We don't have a precise timeline yet as we are still deep in the middle of developing the additional functionality and we don't want to let anything out until it is really ready to be seen publicly. Offline detection is indeed an important area which we are adding in the next release, as well as secured web browsing, significantly enhanced behavior monitoring, and a faster communication to the centralized database for less overhead (as well as a number of other features behind the scenes :))



    The log file contains a number of flags which we use at customer support to help find threats more easily. The B denotes a "Bad" file, and the P means "Packed". You'll see other determinations like U (unknown/currently being reviewed) and G (good + trusted), as well as some others like D (an age/spread heuristic detection) and H (a conventional pure heuristic detection).

    The log contains the determination, filename, and "PX5" in each entry - the PX5 is a unique identifier which we use to locate a single file in our database.

    Hope that helps! Let me know if you need anything else :)
     
  24. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Must admit I never saw such well-done support! So kind and so professional!
    Really amazing that such companies exist in these mad days :)

    Way to go, Prevx team!
     
  25. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
    Hi PrevxHelp,

    I googled IEDFix.c.exe and found out that it is indeed a false positive. :) You can learn more about it here.

    So maybe you can ask your virus analysts to re-analyse the sample again. :D
     