New Prevx1 sending out IP address

Discussion in 'other anti-malware software' started by Frieza, Jan 25, 2006.

Thread Status:
Not open for further replies.
  1. Frieza

    Frieza Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    5
    I decided to try out the new Prevx1 professional version on my virtual computer testbed. After all updates and installation had been completed I decided to run my packet sniffer on logging mode just to see the sort of data being sent out. The following is what I logged:

    Date: XX <---- Today's date
    Server: Microsoft-IIS/6.0
    pragma: no-cache
    cache-control: private
    X-PREVX-IP: X.X.X.X <----------- My IP address was here
    X-PREVX-ERROR: false
    Content-Length: 17
    Content-Type: application/octet-stream
    Expires: XX
    Cache-control: no-cache

    Host: ron1.prevx.com
    Content-Length: 0
    X-PREVX-soft: ZERO
    X-PREVX-hn: <---------- The Host name of my virtual computer was here
    X-PREVX-pcid: X
    X-PREVX-cid: X
    X-PREVX-sv: X
    X-PREVX-rc: 0
    X-PREVX-profile: PREVX1
    X-PREVX-mid: X <---------- a very long text string was here
    X-PREVX-lic: 0
    X-PREVX-cmd: adtextexpired

    I have obviously replaced some information with an 'X' because I did not know what it was, but my main question is: why do you think they send out IP addresses? I know they collect attack data, but they say no data collected is personally identifiable. I emailed them about this and received no reply.

    If any Prevx1 users run a sniffer in logging mode, when you start up the console you too will probably see this data being sent out. For the moment I will continue to use the old version of Prevx Pro.
     
  2. I'm confused. If your program is connecting to Prevx, they HAVE to know your IP address.
     
  3. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Prevx is a 'community protection' program. If you install or run an 'unknown' program it will send back to its community database for verification (to check if it's bad... if the database doesn't know it, analysts analyse it, and you get a computer reply [you don't see it unless it's malware] later).

    When it dials this information out, it has to send your IP address with it so that the community database can reply.
     
  4. Frieza

    Frieza Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    5
    The fact that Prevx sends back data when you run or install an unknown program is fine and I am aware of this; however, no unknown programs, new installs or any new programs at all were being executed.

    I installed Prevx on a bare-bones test system that uses Windows XP. The Prevx database was created and installation and reboots were completed. My computer was sitting idle, not running any additional or new programs or anything else apart from the sniffer that had already been added to the database. So I wonder why Prevx sends the host name and IP address if there is not even a reason to do so.

    I know that our IP address needs to be known whenever we communicate, but why is the host name being sent along with the IP address in such a format? I am very cautious so will not assume anything.
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Prevx1 also auto-updates the local database cache, this allows dialup users to remain protected when not online. This also makes it so that if you have something marked good that later gets changed to bad, then it can be marked bad before you end up running it again, or kill it in memory as soon as possible, without having to wait until it's restarted.
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It’s strange that you didn’t get a response from support. I don’t think I’ve seen a case before where they haven’t responded, I’ve certainly never had any that didn’t get a response. The only thing I can surmise is that you emailed an inactive mailbox or something.. support is almost all done through the Support link in the program (or on the right-click menu for the tray icon) at this point. You might try there next time.

    When you double click a file in the Recent Program Activity window it will bring up a webpage with the info from the database on that particular file. If you click over to the “Propagation” tab you will see the different countries that particular file has been seen in. This information is extracted from the first 2 sets of numbers in the IP, and then the IP is discarded (this was stated in the program audit that was done when Prevx Pro came out) after any necessary return info is sent. This same info is collected by most antivirus companies.. any of the ones that have a “virus radar” that track outbreaks by geographical region. This just checks what country you’re in, and doesn’t identify you personally.

    The “very long text string” you noted in the information in the original post would be your license information to make sure yours is a legit Prevx1 agent, and not trying to hack into the database. This is also common among most antivirus and antispyware scanners, as they don’t want to give database updates to just anyone.. not much point in having a paid product otherwise.

    As far as updates go, it’s also going to do periodic database updates, which are separate from the software updates that you can change the time in the Preferences tab (not sure how you got it to 30 days, since 7 is the max in Prevx1). That makes sure that you get new determinations as soon as possible, without having to wait until the next time the program runs. If you have something currently running that is later determined to be bad, once it gets that update it will terminate the program and Jail it. This is also so that dialup users can have pre-determined malware blocked in the event that it runs while they are not online.

    And yes, as others noted the server will need to know your IP anytime you connect to it.. just as with any server, otherwise it won’t know where to send the data. The difference is in what’s done with it. I would tend to think that if there was any deception going on, the information would not be sent in plain text, freely available for anyone to see if they care to do so. Generally scams have no transparency, that is they hide everything expecting the user not to notice. Prevx has been around for several years and has been audited. On top of that you’ll notice that there are entries for it on Secunia, which means that security researchers have taken a really good look at the program and interrogated it quite thoroughly. If the info being sent was suspicious, I’m sure they would have picked up on it, especially considering it’s right there in plain text, unencrypted.

    Hope that helps :)
     
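An added example, not Prevx's code and not from any post above: a small Python audit that parses a capture shaped like the one in the first post and reports which X-PREVX headers carry identifying data (an address, the host name, a long opaque id), the fields Notok's reply explains as the geo-lookup IP and license token. The header names come from the thread; every value in the sample is constructed.

```python
# Added example (not Prevx's code): audit a sniffer capture for vendor telemetry
# headers that carry identifying data. Header names follow the thread's capture;
# all values below are constructed placeholders.
import ipaddress
import re

# Constructed sample shaped like the capture in the first post (values are fake).
CAPTURE = """\
Host: ron1.prevx.com
X-PREVX-hn: TESTBED-XP
X-PREVX-pcid: 12345
X-PREVX-mid: 0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a
X-PREVX-cmd: adtextexpired

Server: Microsoft-IIS/6.0
X-PREVX-IP: 203.0.113.7
X-PREVX-ERROR: false
"""

def parse_headers(text):
    """Return {name_lower: value} for every 'Name: value' line in the capture."""
    headers = {}
    for line in text.splitlines():
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return headers

def classify(name, value):
    """'ip' for an address, 'hostname' for the hn field, 'opaque-id' for long tokens."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if name.endswith("-hn"):
        return "hostname"
    if len(value) >= 32 and re.fullmatch(r"[A-Za-z0-9+/=]+", value):
        return "opaque-id"
    return "plain"

def audit(text, prefix="x-prevx-"):
    """Sorted (header, class) pairs for vendor headers carrying identifying data."""
    return sorted(
        (name, classify(name, value))
        for name, value in parse_headers(text).items()
        if name.startswith(prefix) and classify(name, value) != "plain"
    )

if __name__ == "__main__":
    for name, cls in audit(CAPTURE):
        print(f"{name}: {cls}")
```

Run against a real capture, the output is the list of vendor fields worth asking a support desk about; everything classed as plain is ignored.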
  7. Frieza

    Frieza Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    5
    Thanks very much to all who responded. I am naturally suspicious, I guess, but my mind is now at rest lol. A lot of very good points were made, so I appreciate all feedback. I will upgrade to Prevx1 later on with the new license. When I mentioned the updates every 30 days, I think I got that confused with the old version of Prevx that allows that, as opposed to the new maximum of 7 days, I think. Regards
     