Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We obviously analyze samples before reporting them as bad, otherwise we would have some million very unhappy customers :) Chances are, your software has some characteristic which is similar to known malware and this is what is causing it to be flagged.

    Please send me a PM with a download link to your software and I will get it sorted immediately.

(Also, if it's any consolation, every revision of our software which we put out gets flagged by a half dozen AVs - false positives are an unavoidable consequence of heuristic analysis)
     
  2. oldBear

    oldBear Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    37
    Thanks for the quick response.

    PM sent.

    Will let you all know the findings.

    Thanks again.

    cheers
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I've corrected the false positive - this may happen from time to time on brand new software. When you ran this program, you were literally the first person to ever use it in the Prevx Community which is a very suspicious act for software. In cases like this, we generally recommend that software developers send us a link to download their release software and we will get it whitelisted immediately, or, our database will almost always whitelist it automatically as soon as it gets enough data about the program from a handful of users (size varies depending on the file of course).

    Please let me know if you have any further questions or if you have any future version which you would like whitelisted :)
     
  4. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
    Been following with interest this thread: particularly the recent test from interact for which there has been some partially correct blowtorching.

The major deficiencies in some of the tests notwithstanding, there are some legitimate unanswered questions: why did Edge miss those 4 viruses when connected?
    Why did CSI detect only 1?

    At least 2 of the much criticised blacklist scanners got 10!! :rolleyes:

    Any comments yet?
    What about the apparent gross failure of CSI?

While I agree with most of the general comments re HIPS and pop-ups, I have done some of my own testing with OA and PX2 with a blacklist scanner backup and find their solution to be more reassuring than an invisible process.
    I guess the same would apply to GESWall.

    Try not to punch people out who might find some issues to address, rather work together.

    @Eraser & PrevX Help
Is this consistent with no HIPS functions in Edge unless connected to the www, or in fact none at all, rather a cloud-based database scanner?
    Hope your servers are nice and robust ;)

I don't want to start a flame war but this smells a bit of PrevX's previous issues where marketing hype did not always equate to test results.

    Has Prevx paid for any independent testers to give the evolving Edge a run yet?
    Roll on AVC; can't be that hard to get them to do a test and release the results, can it? Andreas is always looking for a few extra $$
    Have to be transparent, mind :D.
    Not just yet baby, not yet. :)
    Regards.
     
  5. oldBear

    oldBear Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    37
    Many thanks for your assistance. I'm not exactly sure what you mean by "When you ran this program, you were literally the first person to ever use it in the Prevx Community" since I have never run it in the Prevx community, but was merely inquiring as to the online report which reported -

    NOTEFROG.EXE has been seen to perform the following behavior:

    Can communicate with other computer systems using HTTP protocols - it has the ability to access the site for online help.
Can send email using SMTP protocols - No
    This Process sends MIME Email - No
    Creates system tray popups, messages, errors and security warnings - No
    NOTEFROG.EXE has been the subject of the following behavior:

    Created as a process on disk - it's an executable program downloaded and installed
    Executed as a Process - it's an executable
    Has code inserted into its Virtual Memory space by other programs - not to my knowledge
    Deleted as a process from disk - not to my knowledge

None of which is a true and valid assessment of its behavior.

    cheers

    Berry Taylor
    NoteFrog/ClipGuru developer
     
    Last edited: Jan 5, 2009
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello Longboard,
interact has yet to respond to me or send me the missed samples so it's hard to judge at this point, but 4 samples doesn't exactly define a product :D

    interact mentioned that the samples were modified so the jury is still out on whether they are actually malicious still. Many scanners find corrupted samples, we choose not to. We detect real threats rather than go after garbage, corrupted, or non-malicious samples.

CSI and Edge use the same back end database so honestly I'm not sure why CSI would miss them... hate to say it, but it was most likely a flaw in testing methodology which caused CSI to miss them. CSI doesn't scan your entire system as every single file in your system is not a threat to your system. How can we be certain that interact's samples actually infected the system? We cannot. The other AVs merely warned that the program was going to start - not much of a test at all really, especially of an on-demand scanner. CSI was developed to give a very fast opinion on a system, not to painstakingly waste the time of the user by scanning 500,000 files, of which 99.9999% are completely clean. We have a great deal of highly tuned algorithms which analyze the disk, registry, and memory for rootkits and then subsequently scan the registry and "threatening" programs for malware.

    Our servers are completely redundant and highly fault tolerant. Granted, nothing is infallible but we've got a boatload of architecture behind us.

    We haven't paid independent testers to give Edge a run yet and personally I don't think that AVC/AVT are going to be a correct test for Edge at all due to the conceptual divide between their test methodology and our technology.

    As for OA making you feel more secure - that's definitely a possibility for some users. Frankly, I much prefer silent security but there are some users (many here :D) which do prefer notifications on every system event and we do not offer that anymore. Requiring users to decide is a technologically flawed concept and that is why we require the database back end, which contains information from millions of customers (anonymously :D) and can make a much MUCH better informed decision than a single user clicking 'Block' or 'Allow' can.

    Hate to say it, but we all make mistakes and based on the sheer number of decisions created by HIPS products, users tend to make statistically more mistakes when prompted with more popups to act upon :)

If you can teach my mom what DLL injection is then I will be a firm believer that HIPS are for the masses.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Ah ok, I misunderstood what version you meant. It's going to take me a bit to find the copy of the program within our database to change that page but I'll get it sorted :)
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    There - it should be corrected now :) Sorry about that. It now says "Currently Being Reviewed" rather than malicious - it looks like we detected a copy of your software which was infected with an executable file infector and then we correlated it back to the filename notefrog.exe and therefore made it look like it was your software to blame :(

    Again, my apologies for the false positive - filenames aren't a very reliable way to search for a file but average users aren't very adept at memorizing 128+ bit mathematical hashes so this will have to do for now :D
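Two points in this thread lend themselves to a worked illustration: post 3, where brand-new software is "first seen" by the community and then whitelisted automatically once enough users have run it, and post 8, where an infected copy was correlated back to the filename notefrog.exe and so wrongly implicated the clean build. The following example is added by the editor, not Prevx's code or Berry Taylor's; it assumes a simple reputation store keyed by SHA-256 with a filename index on the side, a constructed auto-whitelist threshold of five distinct users, and constructed file contents. It shows why a hash lookup separates the clean build from the infected copy while a filename lookup conflates them.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed policy threshold for this example (not Prevx's actual number):
# distinct users that must run identical bytes before an unknown file is auto-whitelisted.
AUTO_WHITELIST_USERS = 5


@dataclass
class FileRecord:
    sha256: str
    filenames: set = field(default_factory=set)
    users_seen: set = field(default_factory=set)
    verdict: str = "unknown"      # "unknown" | "clean" | "malicious"


class ReputationStore:
    """Community reputation keyed by content hash, with a filename index on the side."""

    def __init__(self):
        self.by_hash = {}                   # sha256 -> FileRecord
        self.by_name = defaultdict(set)     # lowercase filename -> {sha256, ...}

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def report_sighting(self, user_id: str, filename: str, content: bytes) -> str:
        """Record that user_id ran `filename` with these exact bytes; return the verdict.

        A file nobody in the community has seen before comes back as "first_seen",
        the state the thread describes as suspicious for brand-new software.
        """
        h = self.digest(content)
        name = filename.lower()
        rec = self.by_hash.get(h)
        first_seen = rec is None
        if first_seen:
            rec = FileRecord(sha256=h)
            self.by_hash[h] = rec
        rec.filenames.add(name)
        rec.users_seen.add(user_id)
        self.by_name[name].add(h)
        # Prevalence-based whitelisting: once enough distinct users have run the same
        # bytes and no analyst has marked them malicious, treat the file as clean.
        if rec.verdict == "unknown" and len(rec.users_seen) >= AUTO_WHITELIST_USERS:
            rec.verdict = "clean"
        return "first_seen" if first_seen else rec.verdict

    def set_verdict(self, content: bytes, verdict: str) -> None:
        """Analyst-supplied verdict for one exact file (e.g. a vendor-submitted build)."""
        h = self.digest(content)
        rec = self.by_hash.setdefault(h, FileRecord(sha256=h))
        rec.verdict = verdict

    def lookup_by_hash(self, content: bytes) -> str:
        rec = self.by_hash.get(self.digest(content))
        return rec.verdict if rec else "never_seen"

    def lookup_by_name(self, filename: str) -> dict:
        """Filename lookup: every distinct file that has ever used this name, with its verdict."""
        return {h: self.by_hash[h].verdict for h in self.by_name.get(filename.lower(), set())}


def name_lookup_is_ambiguous(store: ReputationStore, filename: str) -> bool:
    """True when one filename maps to files with conflicting verdicts (the post 8 situation)."""
    return len(set(store.lookup_by_name(filename).values())) > 1


def demo() -> dict:
    """Walk through the thread's scenario with constructed file contents."""
    store = ReputationStore()
    clean_build = b"MZ\x90\x00constructed clean NoteFrog build"               # constructed bytes
    infected_copy = clean_build + b"\x00constructed file-infector payload"   # constructed bytes

    results = {}
    # The developer is literally the first person in the community to run the new build.
    results["developer_first_run"] = store.report_sighting("dev", "NoteFrog.exe", clean_build)
    # An infected copy circulating under the same name is given a malicious verdict.
    store.report_sighting("victim-1", "notefrog.exe", infected_copy)
    store.set_verdict(infected_copy, "malicious")
    # Searching by filename now conflates the two files; searching by hash does not.
    results["by_name"] = store.lookup_by_name("notefrog.exe")
    results["name_ambiguous"] = name_lookup_is_ambiguous(store, "notefrog.exe")
    results["clean_by_hash_before"] = store.lookup_by_hash(clean_build)
    # Enough distinct users run the clean build and it is whitelisted automatically.
    for i in range(1, AUTO_WHITELIST_USERS):
        store.report_sighting(f"user-{i}", "NoteFrog.exe", clean_build)
    results["clean_by_hash_after"] = store.lookup_by_hash(clean_build)
    results["infected_by_hash"] = store.lookup_by_hash(infected_copy)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the one PrevxHelp concedes: the filename is only a convenience index for humans, and any verdict or whitelist decision has to be attached to the content hash, or a single infected copy will taint every clean file that happens to share the name.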
     
  9. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
Thanks for the response.
    Did I miss the answer to the above?
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
The HIPS components in Edge report the behaviors to the database, where the database then analyzes the behaviors and returns the response (as well as all of the other pieces of information, etc. etc. :))

    It is a HIPS in the sense that it uses the same data as a HIPS does but it is different in the sense that it doesn't let the user then act on each individual piece of data.
     
  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
  12. BJStone

    BJStone Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    139
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    here is the translation

    here
     
  14. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
Clearly shows just how much Mr Marx knows... :rolleyes:

    And seriously, what kind of review is this... I've seen more informative reviews on top10reviews.

    And he says he tested it? How? Against what? The only thing he mentions is the WildList, which is completely BS!
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It's also interesting that no one let us know about this review and no one sent us any samples which we missed - something that they do for every other AV test (the testers send the samples to the companies to let them know what they've missed).

    As we have data on every sample, it would be very interesting to see how "wild" the often-criticized wildlist samples really are :rolleyes:
     
  16. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
And, moreover, there isn't *any* technical description of how they have run the test, how the heuristic detection has been tested and, still, which program settings have been used. As far as I know, none of us received any email from Andreas Marx.

    Now this is really interesting.
     
  17. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
There seem to be some links missing from that article.
    :rolleyes: AM does in fact have some cred.
    Maybe have to subscribe to get the links to the "notes".
     
  18. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
You must feel like you're banging your head against a brick wall with these 'tests'. :rolleyes:
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Luckily EraserHW has some brain cells to spare :D

    Andreas Marx is one of the foremost AV testers, which is why this is so jarring and surprising to us :doubt:
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
Not entirely true. There are plenty here that feel placing the label "foremost AV testers" is totally inaccurate. The validity of his testing methods has been debated here for years.
     
  21. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    831
    Not going to stop me from using it.
     
  22. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
The reality is, until there is quite a bit of testing done by numerous whatevers, you will not be able to draw a conclusive pattern for the ability of Edge. Some will show it low, some high. The key over time will be to see where the consistent level is. I have seen Avira ranked poorly at one testing site, but I knew it was crap because the consensus of all put together showed it to be great.

    So it is good the testing has begun, but really, it will take quite a few more to start showing a distinctive pattern. I know it is good, and in the end, that is really all that matters.
     
  23. BJStone

    BJStone Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    139
    Yep, and it isn't going to stop me from using it either. :D They would have to gun me down and take it from me.
     
  24. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I agree since surely it's a pre-requisite for any meaningful test of an application that the test is performed in as close to a real world scenario as possible.
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I sincerely thank all of you for your kind words and objective opinions to look past a test :)

    Regardless of what testing organizations say about Edge, we are confident it will be a success and we are going to continue working adamantly on it, constantly rolling out new technology and improving performance.

    If one of these tests does find a legitimate flaw or mistake or missed detection in Edge, I will be the first person to admit it here and we will immediately take the appropriate measures to fix it promptly.

    The flaw with a lot of current AV testing is that it assumes that the priority of every AV company is to find the infamous WildList samples. Frankly, those samples are old, outdated, and hardly Wild compared to the threats which are ACTUALLY affecting users. With thousands of new threats coming out every day, how can a two-month-old list of 378 samples, which are conveniently distributed to the AV vendors, accurately assess the security of the products being tested :doubt:

    I'm also fairly sure, based on user complaints and forum posts, that XP Antivirus and the other rogue AVs are "relatively popular" infections (affecting literally hundreds of thousands or millions of users) with thousands of variants each... where are those samples in the latest WildList? o_O

    The other flaw is the flaw in on-demand testing. Granted, some organizations are working on improving this and discussing the possibility of performing tests more akin to today's protection but most testing still consists of right clicking on the folder and selecting 'Scan', which doesn't include any actual protection, realtime analysis, etc.

And the final flaw in my mini-rant is the flaw in detecting old threats. Large sample collections of 1 million+ samples (most of which are 6+ months old!!) do NOT represent the strength of an AV. Sure, we could go out and write an AV which finds these 1 million old samples, but how long does the average infection last and how many of those samples would really be affecting users? The average infection today is lasting a mere handful of hours rather than 6 months. To be fair, infections used to last much longer (and some old ones are still trickling around on newsgroups, etc. but they are well covered). However, antivirus products have gotten better so infections had to get better, and malware authors are no longer motivated only by creativity - they want to make $$$ and you do that by being fast and dynamic.

    No test of a large collection of antiquated/dead malware will properly assess the effectiveness of today's AV.

    *Steps off soapbox* :D
     