Is Prevx good?

Discussion in 'other anti-malware software' started by truthseeker, Aug 31, 2008.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We're in the final weeks of testing now. I'd imagine early November, and the beta program will most likely be quite short.
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Sounds very good and promising. I am really looking forward to what you folks have done. Prevx deserves it and support will be strong. :thumb:
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :D I'm really itching to get it out as well - we've been sitting on it for so long testing every last bit of it just to make sure the release goes smoothly.

    Its time will come soon! :D Trust me, I lost patience waiting for the release a month ago :D
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Is Prevx fast software?
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    If you mean fast by light/minimal performance impact, then yes. We have designed the system protection from the ground up to integrate the drivers and userlevel code seamlessly to provide the highest level of performance and compatibility.

    As for fast in the context of fast software development - Prevx3 has taken a while to develop, but that's because we're willing to spend the extra $ to take our time developing the software and perfecting it rather than rushing it out the door. Granted, we may not put out a new major release every 6 months like some other vendors, but our products are constantly improved behind the scenes and via incremental updates.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Sounds good and I would love to give it a try. :thumb: Thanks for the fast reply.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No problem! :thumb: As soon as it's ready, we'll either have an announcement on our website or I'll message users here (or both :)).
     
  8. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    I would be interested in knowing how Prevx as an organization defines P3. What is its identity, and how would you (collectively) position P3 against competitors such as Mamutu and Threatfire?


    Mike
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Prevx3 is not necessarily a HIPS, and it is not necessarily an AV. It utilizes the benefits of both and essentially sits in its own product class.

    From our work on Prevx2 and earlier, we've learned that users don't care and don't want to answer prompts, therefore, that prevents us from developing a standard HIPS.

    Prevx3 will function LIKE a standard AV (plain black/white prompts when something is malicious) but its detection is entirely different. While a standard AV tries to concentrate on every threat ever released that infected more than x users, we concentrate most on new threats, emerging threats, and threats which are actually infecting users, even if the threat has only infected one, single user's PC. Our realtime analysis capabilities have improved greatly, so, we are actually able to identify threats that are unique on a single user's PC - something a classic AV cannot do as they can only respond based on user submissions and write definitions which are economically beneficial.

    As well as focusing on new threats, our database also has historical data on millions of infections which users have encountered in the past, therefore, we can function as a complete AV replacement.

    However, as I've said, our true benefit lies in the ever-growing area of samples that standard AVs cannot detect due to human limitations and virus definition updates. The lifespan of infections is rapidly decreasing and this is bad news for conventional antivirus companies.

    The process in a conventional company normally goes:

    1) User gets infected with a virus
    2) The user either sends the sample to their AV company or the antivirus software automatically uploads it for analysis
    3) The sample is put through some automated filters to determine if it is a known good file, false positive, or simple variant of a known piece of malware
    4) After the automated filters analyze the file, it is up to a human to write a signature for most samples.
    5) This signature must be tested for quality
    6) The signature is then uploaded to the update server
    7) The user's PC checks for updates on a regular interval (hourly/daily/etc.)
    8) The user's PC then connects and downloads the signature update
    9) The user needs to rescan their computer to identify the threat which could take minutes to hours.

    This 9-step nightmare is the main reason why conventional AVs fail - threats simply don't live that long. We see threats that mutate server-side every minute, pumping out a sample that is undetectable by every AV. There is no way an AV could keep up with that number of samples.

    We provide a completely different approach. We analyze the sample's behavior as soon as it reaches the user's system. Our database determines thousands of malware samples per hour as soon as they are scanned the first time by the first user, and then it catches most of the rest on the next rescan or as soon as it gets more data.

    Because of the differences in approach, it's hard to compare our products to other offerings. We honestly believe that v3 can replace an AV entirely on a vast majority of users' PCs; however, there are some users who may fare better with a multi-layered defense. In that case, we have not experienced any incompatibilities between other AVs and v3, so we gladly open the door for other users who want to use, for instance, a free AV alongside v3 just to make sure they're always protected.

    As for Mamutu/Threatfire, I've not personally used either so I probably wouldn't be the best one to compare them, but as far as I know, they both rely on user interaction as a classical HIPS does. Although that would catch some of the malware which AVs miss during the aforementioned 9-step process, the potential for false positives could confuse users and prevent them from making the right decision when it really counts (not that we won't have false positives, of course, but every AV has false positives simply because some programs really do look malicious and it's difficult to differentiate between clean and bad in those cases).

    If you want any more elaboration, please let me know :) I just bought a new keyboard and need to break it in :D
     
    Last edited: Oct 20, 2008
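    The contrast drawn above between a hash-based definition pipeline and a behaviour-keyed verdict can be made concrete. The following is an added example, not Prevx code and not a description of the Prevx engine: the sample format, the behaviour vocabulary, the "two high-risk behaviours convicts" rule and the simulated server-side repacking are all assumptions constructed for this illustration.

```python
"""Hash signatures vs. behaviour profiles against server-side repacking.

Added example (not Prevx code). The samples, behaviours and both engines
are constructed here to model the case described above: one dropper that
is repacked into a byte-unique file for every download.
"""
import hashlib
from dataclasses import dataclass

# Behaviours a runtime monitor can observe; this vocabulary and the
# "two high-risk behaviours convicts" rule are assumptions for the example.
HIGH_RISK = {"write:drivers", "autorun:run-key", "net:beacon", "inject:remote-thread"}


@dataclass(frozen=True)
class Sample:
    name: str
    content: bytes          # what a file-hash definition sees
    behaviors: frozenset    # what a runtime monitor sees

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


class SignatureEngine:
    """Conventional model: a sample is detected only if this exact hash was
    already analysed and shipped as a definition (steps 2-8 above)."""

    def __init__(self):
        self.known_bad = set()

    def scan(self, s: Sample) -> bool:
        return s.sha256 in self.known_bad

    def publish_definition(self, s: Sample) -> None:
        self.known_bad.add(s.sha256)


class BehaviorEngine:
    """Behaviour-keyed model: the verdict is tied to what the program does,
    so a repacked variant inherits the verdict of the first one seen."""

    def __init__(self):
        self.bad_profiles = set()

    def scan(self, s: Sample) -> bool:
        if s.behaviors in self.bad_profiles:
            return True
        if len(s.behaviors & HIGH_RISK) >= 2:   # first sighting: convict on behaviour
            self.bad_profiles.add(s.behaviors)  # ...and share it with every later scan
            return True
        return False


def repacked_variants(n: int) -> list:
    """Same behaviour, unique bytes per download (a per-download seed stands
    in for the server-side packer)."""
    core = frozenset({"write:drivers", "autorun:run-key", "net:beacon"})
    return [Sample(f"dropper-{i}", b"MZ" + f"seed-{i}".encode(), core)
            for i in range(n)]


def run_simulation(n: int = 20) -> dict:
    """Feed n repacked variants plus one clean installer to both engines."""
    variants = repacked_variants(n)
    # A legitimate installer also writes a driver: one high-risk behaviour,
    # so the behaviour rule must not convict it on that alone.
    clean = Sample("printer-setup", b"MZ vendor-installer", frozenset({"write:drivers"}))
    sig, beh = SignatureEngine(), BehaviorEngine()
    sig_hits = beh_hits = 0
    for s in variants:
        sig_hits += int(sig.scan(s))
        sig.publish_definition(s)   # best case: definition ships instantly, but after the scan
        beh_hits += int(beh.scan(s))
    return {
        "variants": n,
        "unique_hashes": len({s.sha256 for s in variants}),
        "signature_hits": sig_hits,
        "behavior_hits": beh_hits,
        "clean_flagged_by_signature": sig.scan(clean),
        "clean_flagged_by_behavior": beh.scan(clean),
    }


if __name__ == "__main__":
    print(run_simulation())   # signature_hits 0, behavior_hits 20
```

    Even with the definition pipeline collapsed to zero latency, the hash engine scores nothing, because every download is a hash it has never seen; the behaviour engine convicts the first variant on its action profile and every later one by lookup. The clean installer shows the caveat the post itself raises: a single risky action must not be enough to convict, or driver installs become false positives.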
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,448
    Location:
    Hawaii
    *Sounds* great. But the same was true when similar promises were made ages ago on your CastleCops forum. Until V3 comes to reality -- if it ever does -- it is vaporware.

    I do wish you to succeed however.

    Umm... where is Notok?
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thank you for your undying accusations of vaporware :D We've given a timeline and, assuming a meteor doesn't collide with the earth in the next couple weeks, I see no reason why we would postpone the launch.

    If it was vaporware, I would be wasting quite a lot of my own personal time not being paid overtime helping users on Wilders :D I truly believe in our products and don't mind spending time trolling forums answering questions :)

    As for our support staff, companies evolve, staff evolves, and products evolve. We've hired a great deal of talented new employees to aid with tech support and will be trying to provide adequate answers to any questions/comments/concerns posed here or at our Castlecops forum or to our inbox.
     
  12. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I hope Prevx sprang for the new keyboard. Don't worry about the length of your posts...they are all excellent reads.

    I will certainly attest to one thing. In my travels P2 is consistently nailing more driveby stuff than whatever AV I may be trying out. And that's on ABC mode.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's good to hear - driveby downloads and exploit-based infections are really where AVs are struggling because of how frequently they mutate. These infections are hosted on dozens of servers, swapped in and out in high frequency with changing infections each time.

    In our internal testing, we've run the "same" infection side by side, coming from the same malicious website on identical OS images running off of the same IP address, resulting in a really incredible range of infections. It's actually quite fun to try and see the "Infection of the Minute", ranging from multiple rootkits like the Braviax/karina.dat/rustock/Srizbi infections, to various keyloggers and backdoors, all the way down to dozens of trojans being dropped throughout the system. I'm always stunned when Windows still boots up after being trashed this violently :D

    (As for the keyboard - I highly recommend Microsoft's Natural Wireless Ergonomic Keyboard 7000. The MS ergonomic keyboards take a bit of getting used to, but once you get the hang of them, they save a substantial amount of wrist strain. :))
     
  14. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I might have to move to England and go to work for you guys. Sounds like you have lots of fun.

    I have also personally observed fake antivirus sites change payloads almost minute by minute. And yes, I have had my test lappy so infected that it would not run at all.
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :D :D We try to not have TOO much fun, but malware is an amusing beast to play with :)

    Without Acronis/other imaging software, we would never get anything done :). We make images of each infection and then try CSI's cleanup against it and if we ever miss any component, we improve the engine and then restore the exact infection - saves hours of time and loads of guesswork.

    And it's always fun to keep in tune with how the bad guys are progressing. It's really jarring to see how the malware world has evolved from trojans that delete all of your files to professional-looking apps like XP Antivirus that a majority of users cannot distinguish as illegitimate.

    I guess that's where AV researchers come in handy :D
     
  16. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    About the same methods I use. I would have to come up with another hobby if I didn't have Acronis & Returnil.

    You guys are doing good with XP Antivirus and its brethren. Very rare for me to find one that you guys are not nailing now.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Great! :thumb:
     
  18. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Some infections are really really amusing :D
     
  19. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Even a Prevx cynic such as myself realises there is a v3, so I am not sure where the usually even-keeled Bellgamin is forming his reservations. That said, you guys should stop putzing around and release the public beta NOW! Today!

    By your own admission, you wrote and tested the product months ago, so allow us to assist you with the final fine-tuning. You could release the beta now, and fine-tune while the beta is ongoing. The benefit would be real-time feedback, allowing you to more accurately tune the product to end-user needs.

    The product is ready, and we're ready for it. Seriously. Ask your higher-ups to release the beta now, or this week.


    Mike
     
  20. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Mike is right. Also, I, going from a former fan to a disappointed one, am now totally satisfied with what I'm reading so far, much appreciated. Everyone deserves a second chance, especially such a remarkable product. Mind you, P2 did well in my last test, so I have much higher hopes for P3, or CSI for that matter.

    About the beta, you should internally release it to all Wilders posters who volunteer; I'm interested as well.
     
  21. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    A question about the workings of P3.
    I always understood that with P2, if your internet connection was lost, albeit temporarily, and Prevx couldn't connect to the 'community database', then if suspicious activity was detected by the Prevx element installed on the operative's computer and it couldn't be verified against the 'community database', it would be tracked and restricted in what it could do until an internet connection was re-established. In this situation the 'traffic light' would also turn yellow. Will this sort of situation still be dealt with in the same way?
    I have a couple of times tried to use my printer when my internet connection has been down and because Prevx couldn't 'clear' the printer (drivers?) with the 'community database' the only way to use the printer was to temporarily shut down Prevx until I had finished.
    I hope that makes sense, I couldn't think of any other way to put it.

    Ian
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Sorry to keep delaying things, but we are a very careful company with a lot of users and a lot of partners. There are still things being changed in the beta which are important changes to get in before it goes public, so, we are going to have to wait until everything has cleared before releasing.

    I imagine the early public beta users will contain many of the Wilders users and if we don't make a public beta announcement on our website once we release it to wider beta, I will definitely PM it to users here (once I receive permission to do so :D)
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Lost internet connections are handled much differently in v3. Our engine gathers more data from the individual executable program from the onset, which allows us to estimate intent more easily. Then, within less than one second of the internet returning, v3 will aggregate and prioritize the behaviors and new file signatures and check them with the database, and v3 will immediately detect and block any samples detected while the internet was down via the aggregated behaviors.

    Therefore, under most circumstances, if a file has not exhibited suspicious behavior before, it would continue to function properly when the internet is down and if it does turn out to be malicious, the file will be stopped in its tracks as soon as we can get the newest data.

    (And, as always, existing infections are blocked when the internet is down.)
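    The offline handling described in the reply above (keep journaling an unknown program's behaviour while the link is down, block cached known infections regardless, then aggregate, prioritise and look everything up the moment the connection returns) is the kind of design that is easier to read as code. The following is an added example, not Prevx code: the reputation service is an in-memory stand-in for the community database, the risk weights that order the reconnect lookups and the subset-style profile match are assumptions, and the scenario in `demo()` (a printer install, a cached worm and a new dropper, all seen offline) is constructed to mirror the question asked earlier in the thread.

```python
"""Offline behaviour journal with prioritised reconciliation on reconnect.

Added example modelling the reply above; not Prevx code. The reputation
service stands in for the community database; risk weights, the profile
matching rule and the scenario are assumptions.
"""
import hashlib
from dataclasses import dataclass, field

# Assumed weights: which journaled programs get checked first on reconnect.
RISK_WEIGHT = {"inject:remote-thread": 4, "net:beacon": 3,
               "write:drivers": 3, "autorun:run-key": 2}


def sha256(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class Record:
    sha256: str
    behaviors: set = field(default_factory=set)
    blocked: bool = False

    def risk(self) -> int:
        return sum(RISK_WEIGHT.get(b, 1) for b in self.behaviors)


class ReputationService:
    """Stand-in for the cloud database: verdict by hash, else by behaviours."""

    def __init__(self, bad_hashes, bad_profiles):
        self.bad_hashes = set(bad_hashes)
        self.bad_profiles = set(bad_profiles)

    def lookup(self, digest: str, behaviors) -> str:
        if digest in self.bad_hashes:
            return "bad"
        observed = frozenset(behaviors)
        if any(profile <= observed for profile in self.bad_profiles):
            return "bad"
        return "good"


class Agent:
    def __init__(self, service: ReputationService, local_bad_cache):
        self.service = service
        self.local_bad = set(local_bad_cache)   # infections already known on this PC
        self.online = True
        self.journal = {}                       # sha256 -> Record

    def observe(self, content: bytes, behavior: str) -> str:
        """Called for every monitored action; returns 'blocked' or 'allowed'."""
        digest = sha256(content)
        rec = self.journal.setdefault(digest, Record(digest))
        rec.behaviors.add(behavior)
        if digest in self.local_bad:            # known infection: blocked even offline
            rec.blocked = True
            return "blocked"
        if self.online and self.service.lookup(digest, rec.behaviors) == "bad":
            rec.blocked = True
            self.local_bad.add(digest)
            return "blocked"
        return "allowed"   # offline and not known bad: keep running, keep journaling

    def reconnect(self) -> list:
        """Aggregate the journal, query highest-risk records first, block hits."""
        self.online = True
        pending = sorted((r for r in self.journal.values() if not r.blocked),
                         key=lambda r: r.risk(), reverse=True)
        newly_blocked = []
        for rec in pending:
            if self.service.lookup(rec.sha256, rec.behaviors) == "bad":
                rec.blocked = True
                self.local_bad.add(rec.sha256)
                newly_blocked.append(rec.sha256)
        return newly_blocked


def demo() -> dict:
    """Constructed scenario: printer install, cached worm and a new dropper,
    all observed while the connection is down."""
    worm, printer, dropper = b"MZ old-worm", b"MZ printer-setup", b"MZ repacked-dropper"
    service = ReputationService(
        bad_hashes={sha256(worm)},
        bad_profiles={frozenset({"autorun:run-key", "net:beacon"})},
    )
    agent = Agent(service, local_bad_cache={sha256(worm)})
    agent.online = False
    offline = [
        agent.observe(printer, "write:drivers"),    # printer keeps working offline
        agent.observe(worm, "autorun:run-key"),     # cached infection: blocked anyway
        agent.observe(dropper, "autorun:run-key"),  # unknown: allowed, journaled
        agent.observe(dropper, "net:beacon"),
    ]
    return {
        "offline": offline,
        "blocked_on_reconnect": agent.reconnect(),
        "printer_blocked": agent.journal[sha256(printer)].blocked,
        "dropper_blocked": agent.journal[sha256(dropper)].blocked,
    }


if __name__ == "__main__":
    print(demo())
```

    The point of the journal is that an offline verdict of "allowed" is provisional: nothing is forgotten, and the dropper is convicted on its accumulated behaviours the instant the database can be reached, while the printer installer is never interrupted. The one thing that does not wait for the network is the locally cached list of known infections.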
     
  24. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    PrevxHelp, I'm enjoying reading this thread as you make complete sense with your explanations.

    You've definitely piqued my interest in trying a beta and/or using the next release of your software. :thumb:
     
  25. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    Better start checking my message box more often :D :cool:

    And thanks for your reply re: lost internet connections.

    Ian
     