Malware identification class

Discussion in 'Prevx Releases' started by CloneRanger, Feb 14, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Prevx

    Hi downloaded some malware to test.

[screenshot attachment: pt.png]

wp543.exe identified as Low Risk Adware

tdl_3.241.exe identified as Medium Risk Malware

Thought you might like to think about maybe reclassifying the TDL rootkit as free to clean up, which is what I thought you did with some of the nastier stuff. Whereas the only one listed as free to clean up is identified as Low Risk Adware?

By the way, you should be getting the malware not listed soon, as these have been passed on to vendors through another website.
     
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
It will clean the MBR rootkit as far as I know for free; if you want full cleanup you are going to have to purchase a license to clean more than Low Risk Adware!

    TH
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Triple Helix

I'm not infected, I only did an on-demand scan on the downloaded malware to test.

I was alerting Prevx to the apparent discrepancy between the two classes: wp543.exe identified as Low Risk Adware and tdl_3.241.exe identified as Medium Risk Malware.

The issue being, why is a Low Risk considered suitable for a free clean up, when the Medium Risk is not? I would have expected it to be the other way round. And I would have thought that the rootkit tdl_3.241.exe would be classed as a High Risk.

    I hear you on the MBR free clean up, but as you can see, it's not only MBR infections that are generously able to be included.

    Hope to hear from Prevx on all this. :thumb:
     
  4. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
I understand that you are not infected but do have the EXE files, but the free version will only remove Adware and the MBR rootkit for free; all others you do need a license to remove! :doubt: You only get so much for free!

    TH
     
  5. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
Simple - it's the free version.

If people need the software to clean their machine of medium> risks, a purchase is needed.

If the higher risk threats were detected and deleted, not so many people would feel the 'need' to purchase Prevx.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Triple Helix And PC__Gamer

Hi, yes of course you're right, thanks; I didn't expect everything cleaned up for free.

    Still would expect to see malware like the rootkit tdl_3.241.exe classed as a High Risk not Medium Risk.

By the way TH, do you work for Prevx, as you answered in place of them?
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
Sorry, I don't work for them, I'm just a Happy volunteer just like anyone else on the forums! Prevx Mods will tell you the same thing as PC__Gamer & I did! ;) We are just trying to answer your Question, but by all means wait for the Prevx Mods to answer your Question!

    TH
     
    Last edited: Feb 15, 2010
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Triple Helix

Please don't get me wrong, I wasn't objecting to PC__Gamer's and your posts. I just hoped that Prevx would respond, as I flagged it for their attention right at the top.

    Nice to hear you are a Happy volunteer, appreciated :)
     
  9. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    In theory.
Out of curiosity I installed Prevx Free a few weeks ago and then an MBR rootkit.
    There was a prompt about the infection, but the Deep Scan afterwards didn't find the MBR infection.
    Go figure... only empty promises for free. :thumbd:

    Cheers
     
  10. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
Ummm... errr... kind of better than... empty promises for a fee :D:D:D
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello CloneRanger,
    Sorry for the lack of a response - I ended up not having enough time in my "rounds" yesterday to get over to all of the threads :) Thank you, as always, Triple Helix, for your responses :thumb:

The distinction of High Risk/Medium Risk takes place automatically, based on a handful of criteria like popularity and diversity of the infection, not necessarily how difficult it is to remove. Think of it more as having a massive global epidemic of a disease which just causes a slight fever: there will be a high risk for you to get infected, but not necessarily a high risk of it mutating into a hemorrhagic fever.

    We clean up most Low Risk Adware infections for free because they are generally very easy to clean with the generic cleanup engine in Prevx. We do try and give away as much as possible for free, but cleanup is an area which could likely require manual assistance and support, and it is generally a much more complex area than prevention so we've decided to make that our primary for-pay feature.

    Let me know if you have any comments!

    @subset: if you could please send us the dropper of the MBR rootkit, we can add free detection for it :)
     
  12. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    I have emailed the file (Undetected Sinowal sample).
This one may be a bit drowsy; usually it takes some time till it gets active.

    But I still don't understand how Prevx Free should be able to remove MBR rootkits if it doesn't even detect a modified MBR. o_O
    A Deep Scan found nothing, but GMER found the MBR rootkit code.
    It goes without saying that the detection of the dropper or its remains does not remove the MBR rootkit.

    Cheers
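The point subset makes here, that flagging the dropper is not the same as detecting a modified MBR, is easy to demonstrate with a baseline comparison of the boot sector itself. The following is an added example, not code from Prevx, GMER or anyone in this thread; it works on a constructed 512-byte sector image rather than a real disk, and the byte strings labelled "CONSTRUCTED" are placeholders, not genuine bootloader or rootkit code. It hashes the bootstrap code area (bytes 0-445) and the partition table (bytes 446-509) separately, so a legitimate repartitioning can be told apart from rewritten boot code, and it checks the 0x55AA boot signature.

```python
import hashlib

# Layout of a classic 512-byte MBR sector:
#   bytes   0..445  bootstrap code (the region a bootkit overwrites)
#   bytes 446..509  four 16-byte partition table entries
#   bytes 510..511  boot signature 0x55 0xAA
SECTOR_SIZE = 512
CODE_END = 446
TABLE_END = 510
BOOT_SIGNATURE = b"\x55\xaa"


def build_mbr(bootstrap: bytes, partition_table: bytes = b"\x00" * 64) -> bytes:
    """Assemble a sector image from its parts (used here only to construct samples)."""
    if len(bootstrap) > CODE_END or len(partition_table) != TABLE_END - CODE_END:
        raise ValueError("component sizes do not fit a 512-byte MBR")
    return bootstrap.ljust(CODE_END, b"\x00") + partition_table + BOOT_SIGNATURE


def mbr_baseline(sector: bytes) -> dict:
    """Record separate SHA-256 digests of the code area and the partition table,
    taken on a system known to be clean."""
    return {
        "code": hashlib.sha256(sector[:CODE_END]).hexdigest(),
        "table": hashlib.sha256(sector[CODE_END:TABLE_END]).hexdigest(),
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector against the baseline.
    Returns a list of findings; an empty list means nothing deviated."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    findings = []
    if sector[TABLE_END:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    current = mbr_baseline(sector)
    if current["code"] != baseline["code"]:
        findings.append("bootstrap code differs from baseline")
    if current["table"] != baseline["table"]:
        findings.append("partition table differs from baseline")
    return findings


# Constructed samples: a stand-in for a clean sector, the same sector with its code
# area rewritten, and the same sector with only its first partition entry changed.
CLEAN_CODE = b"CONSTRUCTED CLEAN BOOT CODE"
CLEAN_TABLE = (b"\x80\x01\x01\x00\x07\xfe\xff\xff\x3f\x00\x00\x00\x00\x00\x10\x00"
               + b"\x00" * 48)
CLEAN_MBR = build_mbr(CLEAN_CODE, CLEAN_TABLE)
BASELINE = mbr_baseline(CLEAN_MBR)

TAMPERED_MBR = build_mbr(b"CONSTRUCTED REPLACEMENT CODE", CLEAN_TABLE)
REPARTITIONED_MBR = build_mbr(CLEAN_CODE, b"\x00" * 16 + CLEAN_TABLE[16:])

if __name__ == "__main__":
    samples = (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR),
               ("repartitioned", REPARTITIONED_MBR))
    for name, image in samples:
        print(name, check_mbr(image, BASELINE) or ["ok"])
```

On a real system the sector would be read with administrative rights from the raw device (\\.\PhysicalDrive0 on Windows, /dev/sda on Linux) and the baseline stored somewhere the machine cannot alter. Two caveats matter for exactly the situation in this thread: a kernel-mode rootkit that filters disk reads can hand a user-mode check the original sector, which is why tools such as GMER compare reads taken at different layers of the storage stack; and a baseline recorded after infection is worthless, as are alerts on legitimate boot code changes (OS installs, bootloader updates) unless the baseline is refreshed afterwards.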
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @PrevxHelp

Hi, I understand you have a lot to deal with, especially these days :D

My main point was/is, I would expect to see malware like the rootkit tdl_3.241.exe classed as a High Risk, not Medium Risk.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thank you for the sample - it is likely that this is a new version of the MBR rootkit which Prevx doesn't detect immediately. We should be able to add detection centrally, however, and I'll report back as soon as I have some results :)
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
I agree - although the classification is made completely automatically and there is no human intervention available for determinations made on-the-fly. So while TDL3 is rather difficult to remove, it currently isn't meeting the criteria to heuristically be identified as a "High Risk" threat. This may change in the future, of course, as the risk levels are highly dynamic.
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @PrevxHelp

    Nice of you to agree :)

    I'm surprised, but you're the boss :D

Now that'd be asking for miracles :D
     