Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,369
    Many thanks for your reply, but could you kindly be more specific about how Edge would complement ESS? You know I am not so IT tech savvy :oops: . I thought the trial version of Edge is not capable of cleaning, it only does monitoring, doesn't it? An exact explanation of what the trial Edge will do would be highly appreciated. Apologies for any inconvenience my query could cause.

    regards,
    pegas
     
  2. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Hey PrevxHelp,

    I had a hit with your program for a possible MBR rootkit.

    I have a large drive and had some unallocated space I decided to format. It was during the end of this procedure that your program alerted. I know that MBRrootkit likes to drop stuff at the end of a drive.

    The EQSecure alert at the same time was about "\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{CLSID}\Shell\Autoplay\DropTarget" but there is no entry in the logs for this alert.

    I decided to run GMER and MBR.exe also. GMER BSODs during the devices scan with a stop 0x050/win32k.sys; MBR.exe came up clean.
    I emailed GMER 2 days ago about the BSODs, but he hasn't returned my email.

    I had been running RootRepeal before and it was only showing 3 entries in drivers. Normally it would show entries in files like locked to the Windows API and such. It didn't even show EQSecure's hidden processes. After uninstalling a driver in Device Manager/show hidden devices/non plug and play (its name was related to Acronis), it now shows more stuff in RootRepeal.
    I think something may have been limiting RootRepeal's scanning.

    Is there anything I can do to verify if I do or do not have an MBR Rootkit?
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've yet to hear back from the research guys but I'll let you know as soon as I do. If you have the exact program which was causing the FP (or the precise link within the firefox website), I'll check it out myself.
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I believe this might be a false positive on our end. During your format, the formatting program most likely modified the MBR/bootsector/partition table, etc. which caused the warning.

    I'm going to err on the side of this being legitimate and see if we can make any changes to allow format operations, which look very similar to MBR infections, and not warn.

    Thanks for the report :D Let me know if you have any further questions with this or if you want one of us Prevx representatives to check out your system remotely if you aren't convinced you are clean.
     
  5. Criss

    Criss Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    186
  6. greenhorn113

    greenhorn113 Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    149
    Location:
    England
    I have a license for Edge and it is currently active on my rig, but can someone please clarify which of Online Armor 3 paid, a-squared Anti-Malware 4 and Edge is an overlap or duplication of protection? I am now also running Avast Home 4.8. I have removed ThreatFire since installing Edge.

    Gh113o_O
     
  7. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Can't seem to get through initial scan on install.

    Here's the Vista error:

    Problem signature:
    Problem Event Name: APPCRASH
    Application Name: prevx.exe
    Application Version: 3.0.0.199
    Application Timestamp: 49382c38
    Fault Module Name: ntdll.dll
    Fault Module Version: 6.0.6001.18000
    Fault Module Timestamp: 4791a7a6
    Exception Code: c0000005
    Exception Offset: 00069460


    Can Joe or anyone take a look?

    I've given Edge permission in ESS.

    Thanks in advance.

    philby
     
  8. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Thanks PrevxHelp,

    I figured it was something like a FP, better to have an expert verify.

    If I have any issues with Prevx Edge or malware questions from same I will post.

    I appreciate the help and kindness. I haven't seen a product with such great support.

    Question-My gmer scan showed the file mbr.sys in a TEMP file in Documents and Settings:
    ? C:\DOCUME~1\VERR_I~1\LOCAL\Temp\mbr.sys
    The system cannot find the file specified. !

    Is this something I should investigate further?
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hmm.... this is an interesting case. While the operation you were doing on your hard disk (formatting) would generally make modifications to the MBR legitimately, potentially causing a false positive, Edge may have been correct in its diagnosis of an MBR rootkit in this case, as that driver does not look like it is doing anything legitimate.

    If you run an Edge scan now, does it say anything about \\.\PhysicalDrive0\MBR as an infection named "Possible MBR Rootkit"? If it does, then you may very well be infected. If not (and if this was really a malware intrusion), Edge appears to have blocked it.

    This is interesting though, and possibly a very odd set of coincidences. Please let me know what you find! :)
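The distinction PrevxHelp is drawing above (a format or partitioning job rewrites the partition table; an MBR rootkit rewrites the boot code and typically parks its payload in the unpartitioned sectors at the end of the disk) is easy to make mechanically once you have the raw sector. The following is an added example, not Prevx code and not part of the original thread: it parses a 512-byte MBR, hashes the boot-code region separately from the partition table, classifies a before/after change, and reports the unallocated tail. The disk size in sectors is passed in as a parameter (an assumption; on Windows you would get it from the disk geometry), and every sample sector below is constructed for the example.

```python
"""Added example: triage an MBR change the way a rootkit monitor would.

Parses a 512-byte MBR, hashes the boot code separately from the partition
table, classifies a before/after change, and reports the unpartitioned tail
of the disk where MBR rootkits typically park their payload.
All sample data at the bottom is constructed for the example.
"""
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
BOOT_CODE_END = 440      # bytes 0..439: boot code; 440..443: disk signature
TABLE_START = 446        # bytes 446..509: four 16-byte partition entries


def read_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (needs administrator rights on Windows).
    Caveat: a kernel-mode rootkit can hook this read and hand back a clean-looking
    sector, so compare against a read taken from a boot CD when in doubt."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR)


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty primary partition entries as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        entry = mbr[TABLE_START + 16 * i: TABLE_START + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start": start, "count": count, "end": start + count})
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    """Hash only the boot code: a baseline taken at install time lets you spot a
    rewritten loader even when the partition table is untouched."""
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()


def classify_change(before: bytes, after: bytes) -> str:
    """Distinguish a partitioning/format operation from a boot-code rewrite."""
    code_changed = before[:BOOT_CODE_END] != after[:BOOT_CODE_END]
    table_changed = before[TABLE_START:510] != after[TABLE_START:510]
    if code_changed and table_changed:
        return "both"
    if code_changed:
        return "boot-code"              # what an MBR rootkit does
    if table_changed:
        return "partition-table-only"   # what format/partition tools do
    return "unchanged"


def unallocated_tail(parts: list, disk_sectors: int) -> int:
    """Sectors after the last partition; disk_sectors is an assumed input taken
    from the disk geometry rather than read here."""
    last_end = max((p["end"] for p in parts), default=0)
    return disk_sectors - last_end


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a sample MBR from boot code and (status, type, start, count) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return (boot_code.ljust(BOOT_CODE_END, b"\x00")
            + b"\x11\x22\x33\x44" + b"\x00\x00" + table + MBR_SIGNATURE)


# Constructed sample data (not taken from any real disk).
DISK_SECTORS = 4_000_000
CLEAN_BOOT = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"   # xor ax,ax / mov ss,ax / mov sp,7C00h
MBR_BEFORE = build_mbr(CLEAN_BOOT, [(0x80, 0x07, 63, 2_000_000)])
MBR_AFTER_FORMAT = build_mbr(CLEAN_BOOT, [(0x80, 0x07, 63, 2_000_000),
                                          (0x00, 0x07, 2_000_063, 1_990_000)])
MBR_AFTER_TAMPER = build_mbr(b"\xEB\xFE" + CLEAN_BOOT[2:], [(0x80, 0x07, 63, 2_000_000)])

if __name__ == "__main__":
    print("format:", classify_change(MBR_BEFORE, MBR_AFTER_FORMAT))
    print("tamper:", classify_change(MBR_BEFORE, MBR_AFTER_TAMPER))
    print("tail sectors after format:",
          unallocated_tail(parse_partitions(MBR_AFTER_FORMAT), DISK_SECTORS))
```

A monitor that alerts on any write to sector 0 will fire on both the format and the tamper; splitting the sector into regions is what lets it stay quiet for the first and loud for the second. The tail figure is worth keeping with the baseline too: a large unallocated region that later shrinks, or raw writes landing in it, is the pattern to look for.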
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    This could be caused by malware or a software bug. I've sent you a PM as to what we could try and do to resolve it :) Thank you for the report!
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Bout time, someone stumped you.;)
     
  12. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I ran a Prevx scan after the alert and it came up 0 malicious items found.

    Previously Detected Files:
    [D] (ACTIVE) C:\Documents and Settings\VERR_INVALID_NAME\Local Settings\Temp\_TinDel.exe [PX5: 0186414100B628B80A9F005FF9C7D500B79BCD14] Malware Group: Community.OuterEdge
    [BP] (ACTIVE) C:\Documents and Settings\VERR_INVALID_NAME\Desktop\sreng2\Plugins\NTFSTREAM.SRE [PX5: 589384C400CD63CFB04001FDB02AF10097C552D3] Malware Group: Worm
     
  13. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Installation issue was resolved by Joe via remote access.

    He is extremely professional.

    Wish I worked with/for someone like him. Excellent stuff.

    Thanks again

    philby
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    This looks fine. I'm going to err on the side of saying your system is clean. Whether it was actually infected or not may remain a mystery :D
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thank you for your kind words :) As always, if you (or anyone else for that matter) ever run into any problems, I'm never too far away :)
     
  16. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I'd suggest running comparison scans using Rootkitty within Windows and from UBCD4Win,that should highlight any discrepancies.
     
  17. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I've tried using Rootkitty but the scan from UBCD4win shows a very large amount of files. Impossible to verify integrity.

    At the time I used Rootkitty I decided to wipe the drive. After wiping I surfed with the UBCD4win. While surfing I received a raw write of 5108 sectors at the end of the disk. A wiped drive had been written to.
    The only possibility for this behaviour is if UBCD4win was corrupt when created.

    I put in the first UBCD/linux and wiped again. Then I decided to see what all of the tools were, loading them one by one. I found a tool that would reset the HDD to its maximum size. It reported a difference of about 100kb, so I reset to maximum and then wiped front and back, completing with a full wipe.

    After reinstalling I loaded SP3 from CD. Connecting to the internet, I downloaded and installed Returnil. Now all connections to the internet are through Returnil. While using Returnil something was causing a BSOD of corrupt driver. (I think an attack now.) Connecting without Returnil, one BSOD of the same kind. After reboot no more BSODs with or without Returnil.

    Wiping and reinstalling seems to clear the issues but they wiggle back in. Currently my CMOS clock is an hour back after a mysterious reboot.
     
  18. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,369
    Hi PrevxHelp, would you kindly expedite an answer to my query? Or is there something that hinders publicly revealing Edge's capabilities in trial mode?
     
  19. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Hey PrevxHelp,

    Malware and the Component Object Model system.

    Is there any malware written to use the C.O.M. system partially or fully?

    If malware is written for C.O.M., is it any more difficult to detect than other types of malware?

    If malware is written in C.O.M., would it be truly cross-platform capable?
     
  20. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    762
    Morning Joe,
    Clicked on Help & FAQ's under Tools & Settings last night and got this pop-up:

    Is this a known problem or confined to my particular machine? This is reproducible every time I click on Help & FAQ's.
    Prevx restarts on its own about 30 secs or so later leaving two icons in the system tray.
     

  21. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    @Dark Star 72, works fine for me :)
     
  22. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Hello,

    PrevxHelp hasn't replied during this weekend because he has been travelling by air :)

    Prevx Edge in trial mode has the full detection capabilities of the Prevx Edge full version. The only difference is that Prevx Edge won't remove any detected infections.

    If malware bypasses ESS and is detected by Edge, you'll get a popup advising you that Prevx Edge detected the malware but couldn't remove it as it is in evaluation mode.
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Also, to add to what EraserHW said, Edge will only detect malware in real time and not block it under the trial, but the trial is time-unlimited, so you can use it for as long as you want (as somewhat of an on-demand scanner in real time if wanted).
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hi Dark Star 72,
    We haven't heard of any other users complaining about this; however, it's possible that there is an issue.

    Do you have any programs installed which could be filtering memory access/changing allocations/etc.? Clicking 'Help & FAQs' doesn't really "do" a whole lot, so I doubt there is really a buffer overflow going on; I'm going to tend to err on the side of it being another product interfering with us when using that function.

    Let me know and I'll investigate it further ASAP :)
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    To the underlying OS, COM is just another layer for software to communicate through. It is a Windows-dependent technology (but cross-platform within Windows itself).

    Malware is really no harder to detect if it uses COM, and I'm imagining there are some infections which use it just to obfuscate their actions a bit more (I personally haven't seen any, but IANAMR (I Am Not A Malware Researcher :D)).
     