Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    I am with you on the sj100, weird there is no direct comparisons between Prevx and other anti virus

    maybe prevx help will direct us to such place

    cheers
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Take this analogy: if you go to the doctor's office, they tell you what vaccines to get to keep "updated" against the newest viruses, they don't expect the patients to read up on what new strains are going around, they just tell you to come back every year and schedule an appointment for you to do so. You pay the doctor (or your insurance company does) and then everything is taken care of - no further "user education" needed.

    However, the point which I'm criticizing with AV vendors is that elapsed was saying that many users received an AV with their computer from the OEM and his point was that many of them continue just using the 30-90 day trial alone without purchasing it, thinking they are protected. In this case, the error is in the hands of the AV vendor, leading the user into a false sense of security when they are using nothing more than a trial. An AV needs to be updated multiple times per hour to have any chance of keeping up with the newest threats. An AV which warns when its signatures are one month outdated is completely useless, unless you go around inserting boot sector infecting floppy disks :D

    Free AVs are out of the scope of my complaints :D However, you are looking at this from a techie perspective :) The average home user doesn't have any idea what a particular security product should do to work well for them - they just want to go to a store, pick up a box, open it, put the CD in their computer, and be done with it. Security is not interesting to a vast majority of home users and they want it to be a transparent process, as it should be.

    While this is in theory possible because we don't prevent all threats, we have a policy of guaranteeing cleanup on all systems, otherwise we issue a refund immediately if one of our engineers can't correct it. Other AVs usually charge significant amounts of money for these services, but we do this because we know we're going to catch a vast majority of what is infecting the computer and therefore we're going to be effective in cleanup so that we rarely have to use the manual cleanup. Therefore, based on real world examples of threats seen by real users, I think we are extremely effective.

    I don't see us entering in a comparison like this simply because these tests are categorically and fundamentally flawed. Old malware does not affect users - threats today last only a few hours/days at the most, and these tests with hundreds of thousands of samples are completely illogical. Sure it is technologically possible for an old threat to maybe show a popup on the screen or delete a file, but would you rather be protected against an ancient virus from 1993 or Conficker or XP Antivirus 2009 spreading to 10+ million PCs today? The fact that a number of companies can score 99+% in these tests essentially proves how useless they are because it is completely false that those AVs are finding 99+% of threats actually affecting users. If this were the case, we would not have anywhere near the volume of malware problems we have today and there probably wouldn't even be a purpose for Prevx as you could just use the other vendors and be nearly perfectly protected.

    There are many samples which we simply do not bother detecting (old DOS samples, ancient samples which won't run on today's computers, garbage/corrupted files, non-malicious joke programs, etc.) which are almost always included in these massive comparison tests, resulting in unfairly poor scores to some companies.

    Frankly, detecting a large volume of samples is not hard at all. If we were given a collection of 500,000 samples to add detection for (and in most of these comparison tests, the missed samples are given after you take the test), our automated analysis and server-side sandboxing could analyze each of the samples and add intelligent signatures for all of them in about 36 hours but I suspect it would not improve our products 1%.

    For instance, we've taken some samples from these tests before when considering whether it would be an accurate assessment of our products and we checked our database to see how many users had actually seen these samples in the real world (which is the unique view that Prevx has which other companies do not). Unsurprisingly, a high percentage of the samples were seen by a staggering... 2 users - one being the initial test, the other being our researcher when scanning the file to check with the database.

    Until "conventional" AV testing organizations design tests which can properly assess today's infections, we are going to have to rely on organizations like PCMag.com (http://www.pcmag.com/article2/0,2817,2346861,00.asp) and mirzos from remove-malware.com (http://www.youtube.com/watch?v=AAx6Y2MW_uA&feature=fvst) to perform accurate tests as they should be performed - with today's malware, using new infections in the correct context on an infected system.

    Sorry for the rant :) I've made some of these points before, but it's a holiday in the US/UK today so I'm assuming more people may be reading this thread so I might as well give them something to read for a little while :)

    Let me know your thoughts on this!
     
  3. Ni3K

    Ni3K Registered Member

    Joined:
    Nov 25, 2008
    Posts:
    22
    PrevxHelp, could you update regarding a support ticket i put in on the 23rd May. via your support centre.

    Or would it be better to do it on here?

    Many thanks.

    ;)
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Can you PM me your email address? It will be a miracle if I can hunt and peck to find the right one without an email address :D
     
  5. Ni3K

    Ni3K Registered Member

    Joined:
    Nov 25, 2008
    Posts:
    22
    Thanks, done. :)
     
  6. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    False positive:

    Filename: efhgjjfg.sys
    File size: 241152 bytes
    Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
    MD5: b9d3d8e976855e2a5d0173c1d2d20a5d
    SHA1: cc0cef0a408fb15cf72806dd99aafafcbd178dae

    Scan at Jotti was negative. I believe this is part of Malware Defender.
     
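    The fields in the false-positive report above (file size, PE type, subsystem, machine, MD5, SHA1) can all be reproduced from the file bytes alone. The following is an added example, not code from this thread or from Prevx: a minimal PE header parser that emits a `file`-style description plus hashes. Because it has to run offline, it operates on a constructed in-memory PE32 image produced by `build_sample_pe32` (an assumption for illustration, not the efhgjjfg.sys driver from the report), so its hashes will not match the ones posted above.

```python
import hashlib
import struct

# Constants from the PE/COFF specification.
MACHINES = {0x014C: "Intel 80386 32-bit", 0x8664: "x86-64", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}
PE_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}


def build_sample_pe32(machine=0x014C, subsystem=1) -> bytes:
    """Construct a minimal, non-executable PE32 image for testing.

    Constructed sample only (no code, no sections): 64-byte DOS header,
    "PE\\0\\0" signature, 20-byte COFF header, 224-byte optional header.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: offset of the PE signature
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic: PE32
    struct.pack_into("<H", opt, 68, subsystem)     # Subsystem field
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def describe_pe(data: bytes) -> dict:
    """Return a file-style description plus hashes, or raise ValueError if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header (MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 70 or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # The Subsystem field sits at offset 68 in both the PE32 and PE32+ optional headers.
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    filetype = "%s executable for MS Windows (%s) %s" % (
        PE_MAGICS.get(magic, "unknown-magic-0x%x" % magic),
        SUBSYSTEMS.get(subsystem, "subsystem %d" % subsystem),
        MACHINES.get(machine, "machine 0x%x" % machine),
    )
    return {
        "filetype": filetype,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def format_report(filename: str, data: bytes) -> str:
    """Render the same fields as the false-positive report in the thread."""
    d = describe_pe(data)
    return "\n".join([
        "Filename: " + filename,
        "File size: %d bytes" % d["size"],
        "Filetype: " + d["filetype"],
        "MD5: " + d["md5"],
        "SHA1: " + d["sha1"],
    ])


if __name__ == "__main__":
    print(format_report("sample.sys", build_sample_pe32()))
```

    For a real file, read it in binary mode and pass the bytes to `format_report`; the "(native)" tag in the original report corresponds to Subsystem value 1, which is what kernel drivers such as .sys files carry.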
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Can you PM me the entry from the scan log? It is most likely a FP and was flagged because of it being a suspicious, system-accessing driver with random filenames.
     
  8. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PrevxHelp, it is an empirical question whether a security suite minimizes the number of "missed threats" detected by Prevx - and, it is a question that could be answered if Prevx was willing to provide a simple copy of its “missed threats” data to the forum community for independent examination. I still don't really understand the reason why Prevx is unwilling to be transparent and forthcoming with this information.

    PrevxHelp, I believe I may not have clearly communicated what I meant by “up-to-date.” I was not referring to whether the most recent anti-virus signatures have been installed, but whether the user has the most recent version of the application installed (e.g., version “16.5” of Norton Internet Security rather than the prior “16.0” version).

    With this clarification in mind, does the Prevx “missed threats” data support the hypothesis that users with an out-of-date version of a security product were at considerably more risk than those with the up-to-date version?

    PrevxHelp, can you kindly post a copy of the Prevx presentation from the RSA conference? I am interested in learning more. In advance, thank you for sharing.

    PrevxHelp, is this number (a) the count of unique malicious files found or (b) the count of the number of instances of all malicious files found on all PCs that have been scanned on that day? If the latter, then what is the former?

    PrevxHelp, what makes the PC Magazine anti-virus methodology “valid,” but the methodologies used by organizations such as AV Comparatives “invalid”?

    For the “infected system” case, PC Magazine installed the product “on a dozen test systems infested with a wide variety of malware samples including viruses, Trojans, worms, adware, spyware, and scareware (rogue security software)” and measured detection/removal rates. For the “clean system” case, PC Magazine exposed an uninfected PC to various classes of malware and measured detection/prevention rates.

    PrevxHelp, I find it disappointing that in every case in which there is latitude in how the “missed threats” statistics are compiled, Prevx always chooses the option that will make its product look superior to the competition. In my opinion, this is not “fair & balanced” coverage of the (obvious) issue that all security products (including Prevx) fail to be 100% effective.

    I clearly understand that companies will always do their best to highlight their own products' strengths. However, when you are doing so and simultaneously "disparaging" the competition, I think Prevx has the ethical responsibility to go out of its way to ensure a "fair & balanced" treatment of the information that minimizes all potential misinterpretation.
     
  9. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    This is confusing. I have never had a problem after Prevx took a look at the false positive. But KIS's klif.sys is still detected by my Prevx - I have to tell it to ignore. Is there something wrong with my Prevx? I have heuristics to high and apply after age/popularity detection. :doubt:
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hmm... it's possible that Kaspersky is mutating their driver every time they write it to disk. If you could please send me an updated scan log, I'll ensure it is taken care of with a more intelligent signature to prevent the FP :)
     
  11. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    PM with single file scan sent.
     
  12. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Same FPs with KIS 2010; my first with Prevx.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It can be assumed that it would be marginally less, assuming the security suite protects against the types of threats we look for. Using the same example I've said before - if a threat is trying to enter from a spam email and the antispam component blocks the email containing a sample which the AV engine would not have blocked had the sample run, then the suite would provide additional protection. However, if the threat came in from other means which would not have gone through the spam filter (i.e. USB) then the detection would be the same. This case of spam blocking is likely one of the only cases where the suite would show a benefit.

    Looking at it economically, it would take far too much effort with essentially no return to produce the data for public inspection and we have far too many other important things to be working on. Although we take all suggestions into consideration, we are a small company with a massive number of users so we prefer to put the rest of the users' best interest above the requests of a single non-user.

    My answer still stands - the only logical choice for an antivirus company to make when releasing new protection is to release it to existing users using older versions as well, otherwise the chance of the user's protection failing is clearly higher and if it were to fail against a new threat, the user would surely not come back to that company for protection in the future. AV companies make the most money from renewals, not one-time purchases (which is why any company with a "lifetime" license is bound to fail as soon as they saturate the market) so it is in their best interest to protect their users as best as possible.

    I don't have a copy of the presentations used but we just had the website open with the filename information displayed for part of it (if that is what you are referring to).

    It is the former - the latter is far higher.

    The samples used and the means of testing the protection/detection are what make the PC Magazine review representative of today's threats, rather than the on-demand tests of AV Comparatives. Running an on-demand scan of a few hundred thousand files does not show how well a product protects against new threats. I responded with more verbosity in this post: https://www.wilderssecurity.com/showpost.php?p=1473523&postcount=4111

    At every point, I don't see where we incorrectly say that we are better than the competition. We say that we protect where the others fail... because we do. We've made it very clear as to how we gather the data and why it is logically correct.

    I don't see it as disparaging the competition - I see it as highlighting a flaw in the other products which they aren't admitting to. Sure, they mention that their protection isn't 100% in their EULAs but in every place where a user would actually see, they tout their products as the best, and they lead their users to a false sense of security and prevent them from actually improving their security by breaking compatibility with other security products.

    I've spent hours of my time responding to these inquiries which I could have been using to improve our products further and we are just continuing to go in a circle. To summarize the discussion:

    > Our vendor charts show threats which the other vendors miss. That is all they are meant to do and that is all that they do. There is no need to interpret them further and we won't interpret them further behind the scenes because that obscures the meaning.

    > We detect threats that other vendors miss

    > We are logically included in the statement "Every day, popular security products are missing thousands of infections"

    > Prevx scans for active infections, not for infections in archives or dormant in subfolders on the disk so logically if we detect an infection and another AV is active on the system, it allowed that threat through

    > Out of 20,000+ unique detections per day, far less than 1% are false positives so the statistics are not terribly skewed because of them

    > Older/outdated antivirus software is not a problem for AV companies and makes no difference on the charts, being that they must logically try as hard as possible to keep backward compatibility with new technology to protect their users better to reduce complaints and fuel renewals

    > Internet security suites have functions which can block a fraction more samples, but in the end they ARE still letting thousands of threats through, just as their anti-malware counterparts are

    > On-demand, massive collection AV testing is flawed by concept and most new products today cannot be adequately assessed in this manner (and obviously AVs aren't catching 99% of threats in the true wild)

    Please let me know if I've missed any or if there are any other points which need to be settled :)
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fixed - the FP was indeed caused because of heightened heuristics and is corrected now :)
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you send me the log entry referencing the file by clicking Tools > Save Scan Results? I suspect they've updated their driver which is causing us to complain about it as klif.sys (and most other AV drivers) perform virus-like behavior on the system so unless we whitelist them, we tend to FP on new builds (and vice versa with them on us :D)
     
  16. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks Joe, as always, for your prompt followup.
     
  17. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Just did a scan with Prevx and no threats detected this time; now that was a fast fix :cool:

    Threats were picked up previously by Prevx after a full scan by KAV.
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Although I enjoy taking credit for things I actually do, I can't take credit for this one :D Can you still send me a scan log just so I can double check that everything is fixed? It is possible that Kaspersky is dropping/deleting their driver every time they scan, which could cause an intermittent FP.
     
  19. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    The last CLEAN log or do you want me to scan with KAV again and then send that log?
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, the last clean log should probably have some information which can at least lead me down the right path to find out what happened :)
     
  21. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Log sent. Thanks.
     
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Amen and amen! :)
     
  23. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    After a reboot and a KAV update, same 2 "threats" picked up as before.

    I will send new log to you.
     
  24. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    +1 :thumb: :thumb:
     
  25. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    :thumb: :thumb::thumb:
     