Introducing, The New Prevx Edge.

Many thanks for your reply but could you be kindly more specific how the Edge would complement the ESS? You know I am not so IT tech savvy . I thought the trial version of Edge is not capable of cleaning, it does only monitoring, doesn't it? An exact explanation what the trial Edge will do, would be highly appreciated. Apologies for any inconvenience, my query could cause.

regards,
pegas

 

Hey PrevxHelp,

I had a hit with your program for a possible MBR rootkit.

I have a large drive and had some unallocated space I decided to format. It was during the end of this procedure that your program alerted. I know that MBRrootkit likes to drop stuff at the end of a drive.

The EQSecure alert at the same time was about "\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{CLSID}\Shell\Autoplay\DropTarget" but there is no entry in the logs for this alert.

I decided to run GMER and the MBR.exe also. GMER BSOD's during the devices scan with a stop 0x050/win32k.sys; the MBR.exe came up clean.
I emailed GMER 2 days ago about the BSODs, but he hasn't returned my email.

I had been running RootRepeal before and it was only showing 3 entries in drivers. Normally it would show entries in files like locked to the windows api and such. Didn't even show EQSecures hidden processes. After uninstalling a driver in Device Manager/show hidden devices/non plug and play, Its name was related to Acronis, It now shows more stuff in Rootrepeal.
I think something may have been limiting RootRepeal's scanning.

Is there anything I can do to verify if I do or do not have an MBR Rootkit?

 

I've yet to hear back from the research guys but I'll let you know as soon as I do. If you have the exact program which was causing the FP (or the precise link within the firefox website), I'll check it out myself.

 

I believe this might be a false positive on our end. During your format, the formatting program most likely modified the MBR/bootsector/partition table, etc. which caused the warning.

I'm going to err on the side of this being legitimate and see if we can make any changes to allow format operations, which look very similar to MBR infections, and not warn.

Thanks for the report Let me know if you have any further questions with this or if you want one of us Prevx representatives to check out your system remotely if you aren't convinced you are clean.

 

ok sry i forgt to state which version i dl.

I downloaded the eng (us) windows version.

This is the link :
http://www.mozilla.com/en-US/products/download.html?product=firefox-3.1b2&os=win&lang=en-US

 

I have a license for Edge and it is currently active on my rig but can someone please clarify which of Online Armor 3 paid, A Squared Anti Malware 4 and Edge is an overlap or duplication of protection, I am now also running Avast Home 4.8., I have removed Threatfire since installing Edge.

Gh113

 

Can't seem to get through initial scan on install.

Here's the Vista error:

Problem signature:
Problem Event Name: APPCRASH
Application Name: prevx.exe
Application Version: 3.0.0.199
Application Timestamp: 49382c38
Fault Module Name: ntdll.dll
Fault Module Version: 6.0.6001.18000
Fault Module Timestamp: 4791a7a6
Exception Code: c0000005
Exception Offset: 00069460

Can Joe or anyone take a look?

I've given Edge permission in ESS.

Thanks in advance.

philby

 

Thanks PrevxHelp,

I figured it was something like a FP, better to have an expert verify.

If I have any issues with Prevx Edge or malware questions from same I will post.

I appreciate the help and kindness. I haven't seen a product with such great support.

Question-My gmer scan showed the file mbr.sys in a TEMP file in Documents and Settings:
? C:\DOCUME~1\VERR_I~1\LOCAL\Temp\mbr.sys
The system cannot find the file specified. !

Is this something I should investigate further?

 

Hmm.... this is an interesting case. While the operation you were doing on your harddisk (formatting) would generally make modifications to the MBR legitimately, potentially causing a false positive, Edge may have been correct in its diagnosis of an MBR rootkit in this case as that driver does not look like it is doing anything legitimate.

If you run an Edge scan now, does it say anything about \\.\PhysicalDrive0\MBR as an infection named "Possible MBR Rootkit"? If it does, then you may very well be infected. If not (and if this was really a malware intrusion), Edge appears to have blocked it.

This is interesting though, and possibly a very odd set of coincidences. Please let me know what you find!

 

Hello,
This could be caused by malware or a software bug. I've sent you a PM as to what we could try and do to resolve it Thank you for the report!

 

Bout time, someone stumped you.

 

I ran a Prevx scan after the alert and it came up 0 malicious items found.

Previously Detected Files: [D] (ACTIVE) C:\Documents and Settings\VERR_INVALID_NAME\Local Settings\Temp\_TinDel.exe [PX5: 0186414100B628B80A9F005FF9C7D500B79BCD14] Malware Group: Community.OuterEdge [BP] (ACTIVE) C:\Documents and Settings\VERR_INVALID_NAME\Desktop\sreng2\Plugins\NTFSTREAM.SRE [PX5: 589384C400CD63CFB04001FDB02AF10097C552D3] Malware Group: Worm

 

Installation issue was resolved by Joe via remote access.

He is extremely professional.

Wish I worked with/for someone like him. Excellent stuff.

Thanks again

philby

 

Hello,
This looks fine. I'm going to err on the side of saying your system is clean. Whether it was actually infected or not may remain a mystery

 

Thank you for your kind words As always, if you (or anyone else for that matter) ever run into any problems, I'm never too far away

 

I'd suggest running comparison scans using Rootkitty within Windows and from UBCD4Win,that should highlight any discrepancies.

 

I've tried using Rootkitty but the scan from UBCD4win shows a very large amount of files. Impossible to verify integrity.

At the time I used Rootkitty I decided to wipe the drive. After wiping I surfed with the UBCD4win. While surfing I recieved a raw write of 5108 sectors at the end of the disk. A wiped drive had been written to.
The only possibility for this behaviour is if UBCD4win was corrupt when created.

I put in the first UBCD/linux and wiped again. Then I decided to see what all of the tools were. One by one loading them. I found a tool that would reset the HDD to it's maximum size. It reported a difference of about 100kb so I reset to maximum and then wiped front and back, completing with a full wipe.

After reinstalling I load SP3 from CD. Connecting to the internet, I download and install Returnil. Now all connections to internet are through Returnil. While using Returnil something was causing a BSOD of corrupt driver. (I think an attack now.) Connecting without Returnil, one BSOD of the same kind. After reboot no more BSODs with or without Returnil.

Wiping and reinstalling seems to clear the issues but they wiggle back in. Currently My CMOS clock is an hour back after a mysterious reboot.

 

Hi PrevxHelp, would you kindly expedite an answer to my query. Or is there something what hinders to publicly reveal the Edge's capabilities in the trial mode?

 

Hey PrevxHelp,

Malware and the Component Object Model system.

Is there any malware written to use the C.O.M. system partially or fully?

If malware is written for C.O.M., Is detecting it anymore difficult to detect than other types of malware?

If Malware is written in C.O.M., Would it be truly cross platform capable?

 

Morning Joe,
Clicked on Help & FAQ's under Tools & Settings last night and got this pop-up:

Is this a known problem or confined to my particular machine? This is reproducible every time I click on Help & FAQ's.
Prevx restarts on its own about 30 secs or so later leaving two icons in the system tray.

 

@Dark Star 72, works fine for me

 

Hello,

PrevxHelp hasn't replied during this weekend because he has had an air travel

Prevx Edge in trial mode has full detection capabilities of Prevx Edge full version. The only difference is that Prevx Edge won't remove eventually detected infections.

If a malware bypass ESS and is detected by Edge, you'll get a popup that advise you Prevx Edge detected the malware but it couldn't remove it as it is in evaluation mode.

 

Also, to add what EraserHW said, Edge will only detect malware in realtime and not block it under the trial, but the trial is time-unlimited so you can use it for as long as you want (as somewhat of an on-demand scanner in realtime if wanted).

 

Hi Dark Star 72,
We haven't heard of any other users complaining about this, however, its possible that there is an issue.

Do you have any programs installed which could be filtering memory access/changing allocations/etc.? Clicking 'Help & FAQs' doesn't really "do" a whole lot so I'd doubt there is really a buffer overflow going on, so I'm going to tend to err on the side of it being another product interfering with us when using that function.

Let me know and I'll investigate it further ASAP

 

Hello,
To the underlying OS, COM is just another layer for software to communicate through. It is a Windows-dependent technology (but cross-platform within Windows itself).

Malware is really no harder to detect if it uses COM, and I'm imagining there are some infections which use it just to obfuscate their actions a bit more (I personally haven't seen any but IANAMR (I Am Not A Malware Researcher )