Malware indentification class

@Prevx

Hi downloaded some malware to test.



wp543.exe indentified as Low Risk Adware

tdl_3.241.exe indentified as Medium Risk Malware

Thought you might like to think about maybe reclassifying the TDL rootkit as free to clean up, which is what i thought you did with some of the nastier stuff. Whereas the only one listed as free to clean up, is indentified as Low Risk Adware ?

By the way, you should be getting the malware not listed soon, as these have being passed on to vendors through another website.

 

It will clean the MBR rootkit as for as I know for free, if you want full cleanup you are going to have to purchase a license to clean more than Low Risk Adware!

TH

 

@Triple Helix

I'm not infected, only did an on demand scan on the downloaded malware to test.

I was allerting Prevx to the apparant discrepancy between the two classes. wp543.exe indentified as Low Risk Adware and tdl_3.241.exe indentified as Medium Risk Malware

The issue being, why is a Low Risk considered suitable for a free to clean up, when the Medium Risk is not ? I would have expected it to be the other way round. And i would have thought that the rootkit tdl_3.241.exe would be classed as a High Risk.

I hear you on the MBR free clean up, but as you can see, it's not only MBR infections that are generously able to be included.

Hope to hear from Prevx on all this.

 

I understand that you are not infected but do have the EXE files but the free version will only removes Adware and MBR rootkit for free all others you do need a license to remove! You only get so much for free!

TH

 

Simple - its the free version.

if people need the software to clean their machine of medium> risks, a purchase is needed.

if the higher risk threats for detected and deleted, not so many people would feel the 'need' to purchase Prevx.

 

@Triple Helix And PC__Gamer

Hi yes of course you're right thanks, didn't expect everything cleaned up for free.

Still would expect to see malware like the rootkit tdl_3.241.exe classed as a High Risk not Medium Risk.

By the way TH, do you work for Prevx, as you answered in place of them ?

 

Sorry I don't work for them but I'm just a Happy volunteer just like anyone else is on the forums! Prevx Mods will tell you the same thing as PC__Gamer & I did! We are just trying to answer your Question but by all means wait for the Prevx Mods to answer your Question!

TH

 

@Triple Helix

Please don't get me wrong i wasn't objecting to PC__Gamer and your posts. Just hoped that Prevx would respond as i flagged it for their attention right at the top.

Nice to hear you are a Happy volunteer, appreciated

 

In theory.
Out of curiosity I installed Provx Free a few weeks ago and then a MBR rootkit.
There was a prompt about the infection, but the Deep Scan afterwards didn't find the MBR infection.
Go figure... only empty promises for free.

Cheers

 

ummm...errr...kind of better than...empty promises for a fee

 

Hello CloneRanger,
Sorry for the lack of a response - I ended up not having enough time in my "rounds" yesterday to get over to all of the threads Thank you, as always, Triple Helix, for your responses

The distinction of High Risk/Medium Risk takes place automatically, based on a handful of criteria like popularity and diversity of the infection, not necessarily how difficult it is to remove. Think of it more as having a massive global epidemic of a disease which just causes a slight fever - there will be high risk for you to get infected, but not necessarily a high risk of it mutating into a hemorrhagic fever.

We clean up most Low Risk Adware infections for free because they are generally very easy to clean with the generic cleanup engine in Prevx. We do try and give away as much as possible for free, but cleanup is an area which could likely require manual assistance and support, and it is generally a much more complex area than prevention so we've decided to make that our primary for-pay feature.

Let me know if you have any comments!

@subset: if you could please send us the dropper of the MBR rootkit, we can add free detection for it

 

I have emailed the file (Undetected Sinowal sample).
This one may be a bit drowsy, usually it takes some time till it gets active.

But I still don't understand how Prevx Free should be able to remove MBR rootkits if it doesn't even detect a modified MBR.
A Deep Scan found nothing, but GMER found the MBR rootkit code.
It goes without saying that the detection of the dropper or its remains does not remove the MBR rootkit.

Cheers

 

@PrevxHelp

Hi i understand you have a lot to deal with, especially these days

My main point was/is, i would expect to see malware like the rootkit tdl_3.241.exe classed as a High Risk not Medium Risk.

 

Thank you for the sample - it is likely that this is a new version of the MBR rootkit which Prevx doesn't detect immediately. We should be able to add detection centrally, however, and I'll report back as soon as I have some results

 

I agree - although, the classification is made completely automatically and there is no human intervention available for determinations made on-the-fly. So while TDL3 is a rather difficult to remove, it currently isn't meeting the criteria to heuristically be identified as a "High Risk" threat. This may change in the future, of course, as the risk levels are highly dynamic.

 

@PrevxHelp

Nice of you to agree

I'm surprised, but you're the boss

Now that be asking for miracles