Is Prevx good?

Discussion in 'other anti-malware software' started by truthseeker, Aug 31, 2008.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    man, Prevx is in the news here. For so long, you had to go very deep to find a thread on them. I must say, whatever lit the flame, I am very, very glad. A lot of build up for the new beta and I am sure I will be one of the first standing in line to want to help. Prevx, hit them while the iron is hot. ;)
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We were definitely out of the public eye for a while during the core of our development phase, but now we are moving full throttle towards a major new release and will definitely be doing some hitting with steaming irons! (in a non violent manner)
     
    Last edited: Oct 16, 2008
  3. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    well, a couple of joe polooka questions:

    1) you (PrevxHelp) mentioned that ver3 was rewritten from the ground up....correct? and Prevx2 will still be supported. how?? how will the Prevx2 local agent "talk" to the ver3 server-side software? will Prevx2 agent be able to take advantage of ver3 capabilities? will you be running concurrent databases?

    2) file infectors. what is so special about that kind of code that Prevx is helpless against it/them? how are they different than other malicious code

    3) clean-up routine. is ver3's clean-up routine more efficient/robust/effective than Prevx 2's clean-up routine. on my system Prevx2 often crashed when attempting to clean an infection.

    4) 7 sigs, 300 behaviours, and Herd Intelligence still the battle cry?

    5) how long (ball-park) is Prevx anticipating running the beta program before release. screw the beta, i want to buy it now.

    6) more statement than question. i hope Prevx has worked out a strategy to test ver3. no matter how good ver3 actually turns out to be, without third-party confirmation, few will believe your claims. make it happen.


    Mike
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I'll answer your questions in numerical order :)

    1) The information gathered from v3 agents is backward compatible into the v2 format, so, both types of clients are supported from the same database. We have built our systems to be robust enough to handle all prior software (all the way back to Prevx1) as well as all future software. Although v2 won't be able to leverage 100% of the capabilities of v3, it will continue at its current ability and will receive a significant improvement from the new technology behind v3 as well, with the backward compatible information gathering.

    2) v3 will be more resilient against file infectors, however, it will still be unable to clean them, similar to other antivirus products. File infectors are simply a very complex type of malware to deal with as they cannot always be cleaned properly. As for detection, we have new technology in place for v3 which will heuristically identify polymorphic file infectors, so, you will notice a significant improvement in the behavior-based detection of file infectors.

    3) v3's cleanup routine is far more robust than Prevx2's. We have built it off of the CSI cleanup engine, and it is now much more powerful thanks to the raw disk access, so, it can clean a vast majority of malware completely generically.

    4) Yes, this is the battle cry - there are more signatures now, and more behaviors as well. We also have built an advanced sandboxing server farm "in the cloud" which performs an even deeper analysis than can be achieved on the client's computer.

    5) We still aren't completely sure how long the beta program will run. We've had so few complaints in the current wide-reaching private beta that the public beta will most likely be quite short (we aren't following the Gmail mentality on this one :))

    6) There is a bit of a difficulty in testing our products and some of the organizations have turned us down before. The main problem is that we require data about the samples to be submitted to the central database for analysis, and some testing organizations do not want this information sent (which is understandable). However, with the increased presence of community-style protection, we think this will be easier in the near future.

    Please let me know if you have any more questions or if you want anything clarified.
     
    Last edited: Oct 17, 2008
  5. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    I'm trying here, I know I'm a bit dim :blink: .....
    Hhmm...every objective comparative test I have seen ( and not for some time ..) PrevX had some glaring failures: cf AVComparatives..that was addressed as I recall at the time Oct 2006 and is prolly ood by now... OK

    This site : http://winnow.oitc.com/AntiVirusPerformance.html was trumpeted at CC when PrevX was top of the pile....now....there are explanations as to why PrevX is not at the top...OK

    The issues re performance at virus total have been addressed ...OK
    https://www.wilderssecurity.com/showthread.php?t=222657

    You want a copy of the questions before the test ?? :doubt:
    Sure, that'll do it. :D
    Heh: that puts transparency at a new level ;)
    I could be wrong but that seems a little bent.
    Although come to think of it I should ask for similar when I'm tested >>> no doubt that would be fine :cautious:

    Goes back to my question about the db.
    If not known to the Px db...where does the control arise?

    ?? the much vaunted heuristics, signature, behaviour ??

    Remember, you promised my Mum a bulletproof box.
    Of course 100% protection is not a guarantee but claims need to be tested.
     
    Last edited: Oct 17, 2008
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Not necessarily true: we just require data to be sent to us about the samples and we make the determinations in realtime. Therefore, we aren't getting the samples ahead of time, just at the same time they're being scanned. This is what other AVs can do locally, we just have our solution "in the cloud". Because testers don't want data harvested from all of their malware samples, some testers have declined our participation.

    One other note to mention on that topic: a malware collection or grouping of samples is an overall horrible way to test a live antivirus app. It essentially tests the basic scan functionality to give a black/white determination, but it does not take into account any behavioral monitoring, any realtime analysis, and it does not put the sample into context on an infected user's PC.

    Antivirus vendors have been able to get along fine in the big named tests for a long time as they just have to focus on static analysis of malware, but what happens when that malware is live on a system, locked and hidden by a rootkit, and part of a multi-component infection which is constantly mutating? That is where the conventional antivirus product, and therefore, the conventional antivirus test, fails.

    I pose the same question to any other vendor :) If we can't say it's bad and aren't sure it's good, we continue to monitor it for further data across the entire community until we can determine the file. Granted, it isn't perfect, but it sure is a lot faster and more accurate than having to have someone manually analyze every one of the millions of samples that come in.

    I didn't promise a bullet proof box, as that would be impossible :) It is very easy to make any file bypass any AV, unless of course you want an OS that consists of no programs, no disk access, and no functionality at all. If you want to actually prevent any malware from ever reaching your mom's PC, you may want to swap it out with a typewriter :)

    We're looking to make the best solution we can - to provide a high level of security with as little interruption as possible and make that solution compatible with other security products as well, encouraging multi-layer protection. Many vendors monopolize the user's PC, and we are really working on changing that mentality. No vendor is perfect - we sure aren't. But we do catch some large classes of malware which no other vendor can handle well (i.e. difficult rootkits, targeted threats, polymorphic/0day worms). And yes, we do miss some. If you really feel threatened by file infectors or 16bit DOS COM infectors, feel free to use another product alongside ours. Many of the products on the market have a number of signatures to scan and detect 20 year old viruses. Frankly, those viruses are not threats to users at all anymore, so, we don't bother.

    Because of this mentality (focusing on REAL threats, not old or dormant threats), we invalidate some of the test results conceptually but we perform quite well in real life examples, something that is hard to test categorically unless you run infections constantly like we do.

    In house, we constantly test our products with unpatched browsers, trying to get infected with unbiased infections. I'm honestly surprised that the system is even bootable during some of these infections - the current record I've seen is 100+ individual running pieces of malware with 12 rootkits installed as well, all from one malicious website. We were able to clean the entire infection with two reboots. If that isn't proof of us being effective in a real life example, I don't know what is :)
     
  7. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Cool

    Outsource tests:-
    Hhmm: real life scenario for a test bed ??
    http://remove-malware.com/
    Care to offer him a run?

    PS
    Sorry, that was a bit oblique: I was trying to refer to blocking specific execution of unknown files in the V3 config.
     
    Last edited: Oct 17, 2008
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, definitely - I'll make a mention of it to my higher-ups. This is the kind of real-world testing users should be basing their opinions on, IMO. The best way to test an antivirus product is to get infected and see what it does :) However, doing it in a scientific manner is quite difficult.

    As for blocking unknown files - I believe what you want is a way to block unknown files from doing certain behaviors, and while that would work under a classical HIPS/behavior blocker, I believe we have pretty firmly decided on moving away from that approach - at least for now. Prevx2's behavior blocking on unknown files works quite well (precisely as well as it would work in v3 if we would implement it there), however, it is a bit of a niche feature and the initial releases of v3 are planned to cover the masses.

    However, the development team is aware that there are users that are interested in those types of features still, and I think this functionality may be added down the road. The only problem with behavior blocking is that it does introduce some exclusivity in product choice (i.e. - you can't have two behavior blockers). If you do want behavior blocker technology, currently it would probably be best to use another solution alongside v3 (or just use Prevx2), but, if we do add it in down the road, it would be a completely optional feature, off by default and currently it is near the bottom of the priority list.
     
  9. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Ok you must be sick of me now : I'll give it a rest after this..
    I also want to block known files sometimes :eek:

    Ok so I am slowly getting it: a major paradigm shift. :'(
     
  10. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    glad you're getting it! care to explain what you're getting to me?!?


    Mike
     
  11. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    When the beta of v3 is announced will anyone who wishes be able to download it and try it out or will it be a restricted-by application beta.
    Or will those of us who kept the faith;) get first go

    Let it roll man, I'm getting edgy :D

    Ian
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I agree, the time is right for release of a beta, as the marketplace is pretty dry right now with any new and innovative products.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    While there are some users who do want that granular level of control over exactly how a security product functions, there are many more who just want to "set and forget" and not bother with advanced settings. The only way for security to work is to make it accurate, and we, along with many other vendors, have found that research is what makes security accurate, not users answering prompts.

    Offering functionality to block known files/etc. would be duplicating features already implemented in dozens of programs on the market, and we would much rather be innovative.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I know, I know :D We are itching to get it out as well, we just have a few more features to add.

    Don't worry - it is coming quite soon :D
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We have finished testing v3 against it and did not encounter any problems :) Should be good to go!
     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I really appreciate your help, but sadly I don't think there's as it was the whole experience.

    Many FPs of things that simply shouldn't be possible (XP-AntiSpy, XPize, etc.), heavy operation, losing focus of the current window when it analyzes something, uncomfortable removal procedure, things first seen one or two years ago not yet classified, unknown-classification on Windows files (! - e.g. when opening a Windows Security Center-alert by the tray, the file-type which is used then (think it's *.CPL)) and when downloading Hotbar right from Zango's homepage for it; Hotbar.com just for a test, PrevX wouldn't react, even if it's obviously in its database, like a new "version" or "variant" would make it fail (if I recall correctly it would classify it as unknown, which means if you rely on PrevX with its default settings which is apparently to allow unknown-classified applications - the user would get infected then) - and this is only what I can remember right now.

    I also have this list which I made over things I noted about the software when running it:

    "- Forward-button in console doesn't work - pointing at it and clicking when you should be able to, it "clicks" the back-button instead, and this seems to apply to XP as well, or I don't know what this forward-button is for, but it doesn't make sense
    - Some visual bugs
    - Some text not looking good - see Advanced > Protection Settings and look where it says "[...] list_more" for example (Wouldn't it be better if it beneath said the clickable text, but instead: "More info" since there's plenty of space to put it there separately and would look better and be easier understandable?)
    - Behaviour for Unknown programs-option is NOT set to "Query" but "Allow" by default even though this is not recommended and "Query" should be default, all according to the help file
    - Going back and forth between profiles/options (e.g. ABC, Pro and Expert - maybe even other options in the software) might set options even though I didn't click apply
    - Amber icon/classification on their own PrevX CSI application in the activity log
    - When PrevX authenticates files, you lose "focus" on the current window you're working with. This can be very frustrating if you're for example writing and is obviously in general as well
    - No minimize-button on the "console"
    - Detects AntiWPA as malware because it's a "hacktool", even if it doesn't involve destroying/corrupting the system in any way in reality anyway
    - When in jail, can only get options for detected items by right-clicking an *item*, not right-clicking in the empty space which should reveal options for all IMO
    - Overall the authenticating is very slow and stops me from working as effective as possible, is intrusive as I lose focus as mentioned before. Also authenticate often on stuff that's probably not needed since I've noticed it on system files when I'm doing installations or scans with software. That's when it gets most frustrative
    - SO many FPs on things that should obviously be classified as legit and not so obvious that should still be classified as legit - I only say "thorough analysis!" "


    So, what can I say..? It was like the whole thing, and it all just feels like a big waste.
     
    Last edited: Oct 17, 2008
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    We have been working constantly since the release of v2 to improve/remove all of the complaints you have had. We have significantly improved things over the last year and are continuing to improve everything every day.

    If you do find a few spare processor cycles in the coming weeks, you may want to give v3 a try - we have not experienced any of the issues you mention about v2 in v3.
     
  18. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I'm glad to hear that, and I'll most probably run the beta of v3, but since it's not a free upgrade and my license of v2 has just been eating the validity days for a long time by now for nothing, I'm simply not that tempted to do something about it afterwards. The purchase has just left a bad feeling.
     
  19. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Many (most) products that use "one year licence"-system offer updates/upgrades during that period. For those who have just purchased new v2 licence it is unfair not to give the possibility to get v3.
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We do offer upgrades and updates during the period. However, v3 is a fundamentally different product from v2 and we consider that to be a completely separate product, requiring a unique license.
     
  21. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    In my case I renewed my license for Prevx2 just 7 weeks ago. While I can accept that I will not get a free upgrade to the new v3 surely there has to be an option when upgrading to the new version for a discount to be applied against the months left on your current Prevx2 license, 10 months in my case. I was given the impression (mistakenly perhaps) that a renewal would be good for the new version when it came out.
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, we will definitely offer a discount. I'm not completely sure of what the discount will be, but you will definitely be reimbursed proportionately for the remaining duration on your license.
     
  23. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Many thanks for the quick clarification.
    I was sincerely hoping that there wouldn't be a repeat of the bad feeling that Prevx caused when they changed Prevx2 from being free unless you had an infection and invoked the cleanup to being a paid for software without even a trial for first time users. That was very badly handled and left a bad taste for many users. :mad:
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We will most definitely be offering a trial (and as far as I've heard, it will be a very interesting type of trial as well, but I won't go making promises in case we change the logic :)), and we are trying to be as fair as possible with regards to the new licensing. The default, one year license will include cleanup and protection and you will be able to upgrade existing CSI licenses (and Prevx2 licenses as well, as far as I know) into a v3 license at a discounted fee.
     
  25. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Much appreciated, ur not speaking of CSI but Prevx 3 right?
     