Is Prevx good?

Discussion in 'other anti-malware software' started by truthseeker, Aug 31, 2008.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's a good point. Hermes - can you send me a copy of that file so I can manually analyze it? It looks "borderline" from what I can see (i.e. - it might be a piece of malware using the same name), but having the real file would be the best way to tell definitively.
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No problem!
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We are definitely not intentionally trying to make you unhappy, but, those features are each used by far less than 1% of our user base. I'm honestly surprised at how little they're used, but statistics don't lie. I know a lot of you, like myself, actually like tweaking programs to squeeze every last bit of customization out of them, but, for at least the initial phase of v3, we have to cater to the masses.

    v3 has been developed focusing on the average user, similar to the ABC mode in P2. If we do see an increased demand, we will add in more advanced features, however, we're really looking to minimize the potential for accidental problems and user confusion, so, we've kept it as simple as possible. (Inexperienced users poking around in advanced menus actually causes quite a bit of our support inbox hassles)

    We recommend that more tech savvy users who actually use the Pro/Expert/Program Monitor/etc. features of Prevx 2 stay with Prevx 2 for now and that's why we're going to actually keep Prevx 2 available on our website and for sale to new users (and continue supporting it, providing updates, etc.)

    We will most likely rewrite those features into v3 down the road, but, for instance, x64 compatibility is higher on the list at the moment and it is those advanced features which make Prevx 2 incompatible with Vista's UAC.

    I hope that helps clear up some of the gray area. I'm not saying that v3 is totally un-customizable, but it definitely does not have the granular options that some other programs have. However, this is because we're focusing on making the defaults as good as possible so that there is little to no need for customization.
     
  4. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Most of your user base probably doesn't go purposely looking for and analyzing malware. :D

    I agree with the thinking on the new version and the reason behind the changes. Set and forget is the way to go for the masses. Thanks for keeping 2.0 around for us techies though.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No problem! And we completely understand that some people do enjoy analyzing malware and keeping up with the newest trends :) We sure do!
     
  6. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hello Longboard,

    I am to work on the issue again Monday morning, but so far the only detection available of the atiodcli.exe is done by Prevx CSI. It detects it, then claims to have cleaned it, but on follow-up scans re-detects the infection.

    As for the file itself, it is visible in file manager but impossible to delete it or upload it to any online single-file scanners for further group inspection, as then the file shows up as non-existent (cloaked). I have tried GMER and a few other tools, which are all showing NFF.

    The only scan hash code I have of it which could be compared to some database of the file available is this from Prevx CSI:

    H:\WINDOWS\system32\ATIODCLI.exe
    [PX5: 28A0D25D00582171C24500281FA708008AA90806]
    Malware Group: Cloaked Malware

    For more info on the Prevx CSI detection see here: http://www.prevx.com/filenames/180911876374742844-0/ATIODCLI.EXE.html

    I have issues using some of my regular tools due to the x64 configuration (the early tools I used are somewhat ineffective on it when it comes to kernel hook scanning). I'll keep posting info here as I keep digging further...
     
    Last edited: Oct 6, 2008
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello Hermes,
    Can you send me the file? I can manually analyze it and prove if it is malicious or not. I'm going to err on the side of it being a false positive, but, I need the file in hand to determine that.
     
  8. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Morning PrevxHelp,

    I'm waiting for the client to call this morning so I can keep working on it... It's not quite 9:00am in Toronto yet so I won't call in...
    I don't have the file yet. I can send you the log from your own CSI if you wish.
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    In this case, the log probably won't help. I'll be around for when you get the file :)
     
  10. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    I strongly hope I can make V3 query unknown programs. Is this the case?
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We're working on a number of new levels of heuristics which will give you the ability to configure how often you want to be warned. However, keeping with the goal of "set and forget", we have moved much more of the decision making to the central database, so, it won't be quite as granular as Prevx2 (but if you really want those types of warnings, you can just stay with Prevx2 which will continue to be supported and still uses the realtime database).
     
  12. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Hi!

    Among others, for me Prevx has been a strongly improved version of ProcessGuard (i.e. anti-executable). I really hope you will not remove this beautiful part of Prevx.
     
    Last edited: Oct 6, 2008
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    We aren't necessarily removing those features, however, we're removing the unnecessary popups generated by them. We've found that 99% of users would prefer to just not be bothered with every new program they download.

    We now always take the central database's opinion when prompting the user, so, it is no longer a simple whitelisting solution, rather, it is a community/analysis informed whitelist, which dramatically reduces the number of popups, and finally in v3 we are able to leverage the full benefit of the community view as we have always wanted to.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Is Prevx free?
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Prevx CSI is a free scanner - it will scan your computer as many times as you want, but if you want to clean up your system, you are required to buy at least a one month subscription.

    Prevx 3 will have a trial version, still working on all of the aspects of it so I don't want to say anything incorrect just yet.
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks for the fast reply and valuable info :thumb:
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Is Prevx similar to or the same as DriveSentry, which has a scanner and black and white lists?
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've personally not used DriveSentry, but Prevx contains whitelisting, blacklisting, heuristic analysis, behavioral analysis, server-side sandbox analysis, a number of separate signatures to help detect malware, and a community based definition system which protects all of our users from the community database instantly rather than waiting for definition updates/downloads.

    The community database is really where the heart of Prevx lies - it analyzes all of the behaviors and determines the intent of a program in realtime to protect users immediately as threats emerge.

    Please let me know if you have any further questions :)
     
  19. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Well, I have done everything humanly possible to unearth this bug remotely. I have used every trick and tool in the game and came up empty. I will have to extract the hard disk and physically scan it from an independent OS...

    Note: The failed CSI cleanup temporarily makes the file visible (uncloaked), however it has proved impossible to obtain an MD5 or SHA1 hash with any of the tools I have available. All I can get is that the file was created on 20/08/2007 3:36pm and is 48.5 Kb in size. Any attempts to capture the executable have failed...

    Attempts to execute the process trigger Prevx 2.0, which claims to have jailed it, however visiting the jail displays that it's empty...

    The fun continues! :rolleyes:
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is very interesting. If Prevx 2 is disabled, can you still not access the file? This behavior definitely sounds malicious (programs hiding from the file system = not up to anything good! :)), however, it could be an artifact from an entirely different program...

    These things are always more difficult than they would seem to diagnose! Good luck getting the file :)
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Probably it may be a rootkit hiding somewhere in your OS, and maybe Prevx detects it but is not able to remove it, maybe.
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Between Prevx and DriveSentry, which one has the highest level of protection against zero-day attacks?
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I will prevent myself from responding because of the obvious bias ;)
     
  24. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    @Prevx Help

    With the new version, a good idea would be to have the updates done unattended by default. I am thinking of someone like my mother, who has zilch for computer savvy, as the target user for this, so the fewer popups and less need for user intervention, thus the fewer phone calls to me, the better. :thumb:
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I understand, don't worry about that :D
     