Is Prevx good?

Discussion in 'other anti-malware software' started by truthseeker, Aug 31, 2008.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Prevx 3, might, might be something that works as one.:cool:
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Correct :)
     
  3. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    i would like to, if i may, move the dialog away from P3 (momentarily), to P2.

    i have been a user of P1 and P2, and have generally been pleased with the products to the point they have been irreplaceable (and i have tried) on my system. but i am somewhat confused by this backwards compatibility with P3. i was under the impression that when P2 was introduced, what 2 years ago? that P1 ceased to exist, as the products were inherently too different for the P1 agent to communicate with the P2 mothership. now it seems, i am and have been wrong.

    so my questions are:

    1) with the total rewrite of Prevx server-side code (aka the mothership), but the retention of Prevx2 as a product, how is Prevx 2 improved? can P2 take advantage of P3's increased number of recognized behaviours? and/or the perceived increase in P3 signatures for recognizing families of malware? you mentioned in another post the enhanced server-side sandboxing, and the more robust cleaning routines. will today's Prevx2 take full advantage of these developments?

    2) if i were to purchase P2 today, would P2 immediately leverage the advantages (whatever they may be) of P3 or has the P3 switch not been thrown yet?

    3) if i can leverage P3 by purchasing P2, then why would i, other than the refreshed GUI, need/want P3? are there features/functionalities of P3, that P2 can not/will not be able to leverage? with P2's ability to comms with the P3 mothership, will P2 for example, be able to detect and clean Rustock C, as CSI can presently, and P2 was unable to (if EraserW's silence on this question is any indication {and not trying to start trouble, just indicating i had brought up questions regarding P2 and CSI's detection/cleaning abilities that went unanswered}) in the past?

    4) i guess if i had to distill my questions (and i really would prefer a line item response) it is how much improved is P2 with a new P3 backbone, and how much more improved is P3 with an agent written to specifically comms with a P3 mothership?


    thanks!


    Mike
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    (I'm not going to respond line by line, but in paragraph form :) Sorry for writing a book again!)

    With each new product we release, the previous products can't leverage the new information quite as well as the new product. i.e. - Prevx1's database does use an entirely separate structure, however, it is possible for us to support some of the events and some of the data is backward compatible. We did not rewrite the entire central DB - we just rewrote the entire client-side agent, however, we have made massive changes to the central DB (not an entire overhaul tho).

    Prevx2 can take advantage of a lot of P3's increased number of behaviors/signatures/recognizing of families/server-side sandboxing/etc. When a behavior is logged, we analyze it with rules and the rules create determinations. The determinations themselves are what is transmitted between the agents, so, CSI/P2/P3 would all be able to use all of the new events (granted, P1 is very very old, but, there are still basic elements of the DB which are completely backward compatible with P1 so the users which we still have from P1 would benefit marginally).

    However, there ARE signatures which are not backward compatible which come in the form of a completely different structure of determinations. The signatures which will be configurable by the heuristics slider bars in the v3 configuration screen are the main difference on the DB-side. Although the collected data will be able to be used by Prevx2, v2 would not be able to respond to the data as immediately as v3 can. The big benefit of v3 is that we're looking to automatically detect the samples in the disappointingly large window between when a piece of malware is first released and the time it takes for classical AV vendors to add a signature and the user to update to receive the signature. v3 will be able to do this quite well, and, although we don't give the user complete granular control over the settings of individual behavior monitors, you are given quite a bit of control over how the heuristics respond (and, in the case of v3, heuristics are NOT normal heuristics. Our "heuristics" are analyzing the entire community and statistically determining "outliers" which should not appear on a normal user's PC. As to how these engines work.... :blink: :D )

    However, putting v2 in Pro/Expert mode would yield similar results on some pieces of malware, albeit with substantially more false positives and user interaction, and that is what we've worked on reducing in v3 while not reducing heuristic detection.

    Regarding advanced cleanup: Prevx2 may not be able to leverage the benefits of Prevx3 in this case. There are a lot of client-side advancements which needed to take place for Prevx3 to detect/clean advanced rootkits like Rustock.C, for instance. Prevx2's rootkit detection is nowhere near as advanced as Prevx3's, however, Prevx2 will prevent you from being infected with the rootkit in the first place (as will Prevx3), so, that isn't as important for a realtime protection product. However, if you do think you are infected with Rustock.C, the MBR rootkit, AK922, Tdsserv, or any other of the thousands of popular rootkits, and you are a P2 user, you may want to just run a scan with CSI v3 to check. The actual detection of Rustock.C is simplistic, but being able to see the file on disk is not :) That is where the difference is seen between the engines.

    The Prevx3 intelligence has not been switched on yet, outside of beta users, and is currently running in a temporary, analytical mode so we can fully see what the impacts are. Prevx2 will receive a significant bump up in detection, thanks to our ever-growing web farm sandbox and the additional Prevx3 logic (and we are working on another couple signatures as well, but they will come in a 3.1 release, but they will be backward compatible with Prevx2 as well), however, it won't match the level of Prevx2 out-of-the-box. If you don't mind (or if you want :)) behavioral popups, then Prevx2 could provide similar protection to Prevx3.

    As for how much improved v3 is over v2 - the key piece you will notice is stability. Prevx2 was developed when Windows XP was the main operating system around, and that brought a great deal of issues when migrating to Vista. Also, we have completely re-engineered the client/server relationship, the local database, the scan engine, and the GUI with stability, performance, and forward-compatibility in mind.

    We have a LOT planned for Prevx3, and I for one am excited to finally see the light at the end of the tunnel! The seeds of Prevx3 were planted back in August 2007 and the new drivers were started back in 2006. We've taken our time developing Prevx3 but things are finally starting to move quickly.

    Hope that answers everything. Please let me know if I missed anything or if I went off on too many tangents! :)
     
  5. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Excellent explanation as to how the differences are going to play out. I, for one, can't wait for the new version to come out and as much as I like P2, I will probably upgrade to P3 and go for the set and forget technology. There are a few people whose computers I take care of (clean up their boo-boos) whose arms I am strongly going to twist to invest in P3 also.
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :) FWIW, (and I have to check with QA again), but last I heard, you can actually use P3 alongside P2 on the same computer. We're really looking to make it completely compatible with every other security product (however, some of P2's self protection could interfere with P3, and vice versa, but I'll get the final word soon as to how well they will work together).
     
  7. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I will have to test that out when I get to beta test it just to make sure. It will be one of the first things I throw at it. :D

    One thing I would like to see changed and it's a problem I occasionally run into now. A normal user wouldn't run into it but where I re-image/reinstall my OS quite often due to testing, P2 occasionally won't activate as I use all my activations, even though it is going back on the same computer with all the same hardware, and I have to send a ticket off to support to get them to reset my activations. Although it is never a problem getting it done it is just a PITA having to do it.
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, this happens far more frequently than I'd like as well... probably 75% of our support inbox inquiries are license related (quite annoying), however, there is no perfect way to link a license to a physical machine, so, we actually have to manually respond to each one and check to make sure it isn't someone trying to abuse the system.

    We've tried other algorithms in the past, but there simply isn't a 100% solution.
     
  9. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Hmmmmm. Give us 365 activations then. That would keep me going for the year....hmm on second thought....that's only 1 a day. :D
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :D :D We are working on a better identification algorithm, but it won't be quite some time until it's rolled out. I'm definitely looking forward to that day tho!

    If you (or anyone) has any license activation issues, PM me. They sometimes lose priority in the inbox and get pushed aside over weekends.
     
  11. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321

    pheww! man if i were into eating elephants this one would last for years! reminds me of the good ole days, when one would ask a Prevx guru a question, you would get an answer plus!

    i absolutely do not understand what you mean by this:

    i ran Prevx1 in Expert mode mostly. then with Prevx2, i turned it down a notch to Pro mode, with Unknown set to Query. then finally after i realised Prevx2 was intended to be an "Automated" malware detection tool, and understood that was what i was actually looking for, i set Prevx2 to ABC mode with Unknown set to Run.

    i am finally at peace with the realization i haven't the slightest idea of how to consistently answer Classical HIPS pop-ups with any accuracy. i ran Comodo FW with D+ for what seemed like forever, and it was always a guessing game (for me) as to what the pop-up meant, and the correct disposition for the request. i finally disabled D+ completely, and am running its excellent FW singularly. my system is clean, so i have licensed Defensewall to protect infection vectors via Ilya's excellent and thorough policy rulesets. i am presently using A2 Anti-Malware, but when i determine what Prevx is best for my intended purpose, A2 is out and i will probably go back to Avira as a dedicated AV solution. or none at all. depends on how confident i am/become in whichever Prevx.

    so with that picture drawn, which P is for me, and why (if you will).

    and btw thanks for your committed engagement with us users, past, present, and potential. speaking for myself, your participation here is going a long way towards healing old wounds, and restoring what was once special with Prevx.

    thanks,


    Mike
     
  12. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    fascinating. i was actually going to ask that question a few days ago, but thought my inquiry would have been regarded as sarcastic, and indeed there would have been an element of sarcasm as well as genuine curiosity.

    doubt i would be so tempted. interesting though how the two products are so different, that running together could be feasible.

    oh....is the green globe retained in P3? something (for me) very comforting about seeing that 'go' symbology in my systray.


    Mike
     
  13. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I, too, greatly applaud the interaction here lately. One of the first things I always get asked is how the support is for the software I am recommending. With the level of support I am seeing with Prevx as of late I can definitely give a two thumbs up.
     
  14. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Mike, I am running Avira Premium along with P2 and it is proving out to be a very effective combination. I am running P2 in ABC mode more and more lately, myself.
     
  15. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    OK, I've got a question I have never thought of asking. I know that P2 offers quite a bit of protection to IE. Are other browsers protected to the same level by P2 and P3 when it comes out?
     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I actually have 275 days left on my subscription, so I do hope I'm in for a hefty discount on v3 in case I decide I want to purchase it... :D
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, this is definitely the problem with classical HIPS. While they can claim being able to block 100% of malware, it is completely dependent on user interaction, which is very hard for any user, especially when prompts are becoming increasingly cryptic as malware evolves.

    No problem! We're definitely looking to improve/fix past (mis)conceptions about us on all fronts and will continue to do so until our software has absolutely perfect detection with no flaws/bugs and no complaints from anyone (so, basically, you'll be seeing a lot of me/others for a long time ;))
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We sadly do not have the green globe anymore :( We're using the CSI "eye" icon for both products now and it just has an 'X' in the middle of it when it is disabled. I'll mention it to the graphic designer to see if he'd be willing to make a more Prevx2-esque icon as right now the icon does not reflect the infection status as well as Prevx2 did.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The browser protection is more generic in Prevx3. We don't have any direct web-scanning, but that is because the protection offered by a web scanner is virtually entirely duplicated by the on-access/realtime protector.

    As for other forms of web protection, what else are you looking for in terms of protection? (there are a lot of different kinds of browser protection, so, before I go off on another elephant-sized tangent, it might be better to know where to start to answer your question) :D
     
  20. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    well P3 may be so comprehensive, a dedicated AV may be redundant. i will probably still run Avira, at least early on while beating up on P3.

    i had always believed, based on comments from previous Prevx gurus, that there was no drop off in protection between ABC-Pro-Expert modes. but looking at some of PrevxHelp comments, they seem to imply, P2 protection is dependent on its user-selected mode.


    Mike
     
    Last edited: Oct 19, 2008
  21. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I am just going by the list on the "Advanced" tab. Home page hijacks, BHO's....stuff like that.
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The actual concrete protection is not dependent based on the selected mode. We highly recommend that everyone just use ABC mode, as that reflects what our database really says (and, for what it's worth, nearly 99% of all of our users use only ABC mode). Only techie users who want to be warned on a more granular level would use Pro/Expert modes, but really, ABC should protect you well enough. You can simulate the more advanced modes in Prevx3 by using max-settings, however, they will generate more FPs. We highly recommend the out-of-the-box settings on both products and any claims which we make about our detection are based on out-of-the-box settings (just because most users never change the settings).
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, currently this is <not> integrated into v3, but it is high up on the todo list. It might not make it into the final first release, but we have a whole system configuration applet planned for at least an early automatic upgrade which will let you fix system policies, monitor homepage hijacks, remove certain BHOs, etc.

    As for other browser support - we are going to first integrate protection for IE primarily as it is the easiest to work with and has the largest user base. After that, we will move onto other browsers which require more intricate interfaces.
     
  24. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    IE needs the most help anyways. ;)
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    True :) However, I think very few products fix the Firefox homepage, and I really don't think it would be "that" complex....

    I'll mention it to the dev. team as well as an infection-status-indicating tray icon (for Mike) :)

    Any other speculative/psychic suggestions? :D
     