Prevx 2.0 & New Prevx CSI

Discussion in 'other anti-malware software' started by Hermescomputers, Feb 7, 2008.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    So what, you need to buy both products?
     
  2. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    How many of you have had Prevx 2.0 or CSI find malware on your systems since you have used the programs? Also, what AV were you using at the time?
     
    Last edited: Feb 8, 2008
  3. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Sorry, I don't understand your reply. I'm not sure if you mean that I SHOULD buy both products, or that it's a cunning plan by Prevx Inc to sell 2 products to the same customer? o_O
     
  4. Banshee

    Banshee Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    550
    I think you need to buy just prevx2.0.
     
  5. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    To whoever says that a user needs both CSI and Prevx 2.0: please carefully read my post #17 again.


    To Hermescomputers:

    We have identified an issue with Comodo and CSI which is causing false positives and will have it fixed shortly. It is caused by the Comodo Defense+ module preventing CSI, under some circumstances, from accessing system areas. We will be contacting Comodo to add us to their whitelist and we will be looking into possible engine adjustments as well.
     
  6. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    @EraserHW

    I have read your post several times. You seem to indicate that a computer could use both Prevx2 and CSI. I still however do not fully understand why this is so. I would appreciate if you could explain it in a way that I can fully understand so that I may also explain it to my customers.
     
  7. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    One thing I have noticed about CSI is that it doesn't want to run in a Limited User Account. I already knew that 2.0 wouldn't update or do proper clean up in LUA. With more people getting on the LUA bandwagon I am wondering if they are going to make changes to both instances of Prevx to make it more compatible.
     
  8. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Thanks...

    Is this based on my logs or is this an issue discovered by the CSI dev team?
    Am I to assume that based on the logs I sent there is no rootkit?

    This would be consistent with my own research; however, it does not explain why I had to delete the entire system restore in my system to eliminate the detections... Could you or someone shed some light as to what it did find in the system restore points that caused this situation...
     
  9. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Perhaps you should utilize PrevxR-people more? (as you should have during testing of Prevx2).
     
  10. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    New update to CSI has been released
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Changelog?
     
  12. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    • Compatibility with Comodo Security Products
    • Greatly improved detection on BHOs and other DLL-based malware
    • Simplified Scan Process
    • Rootkit Scanner false positive elimination
    • New Scanner GUI which displays information on what is being scanned
    • More detailed logging of the cleanup process
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Nice, thanks Marco.
     
  14. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    You're welcome ;)
     
  15. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I am totally impressed with CSI.:thumb:

    For someone like me who uses SafeSpace or ShadowDefender, this works out to be the perfect addition. I don't need real time scanning but I do want the ability to scan and detect on a regular basis to help inform me if a reboot or purge is needed. I don't know, these 2 methods and/or product types may be the most formidable way to go. CSI is very good. ;)
     
  16. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I agree. I am wishing that I had gone with CSI instead of the full blown 2.0 version now. A year from now when my subscription runs out I will probably make the switch.
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I think CSI and any virtual software are built to go together. It has no system impact except for when you decide to scan. I like the schedule scan format. They have really done a very good job with it.
     
  18. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    You don't mind CSI taking up 17mb of memory then?
     
  19. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Peanuts for most newer computers. You would have to be severely RAM-limited to be concerned with this amount of memory for a security program.

    The effect on system performance is much more important.
     
  20. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Of course, but it is sitting there taking up a fair amount of memory while doing nothing. That is not the same as no system impact & while it's sitting in memory, it raises the possibility of conflicts. In fact my wife's computer (Vista32, Nod32, AVGas, PrevxCSI) had a Prevx crash message a few days ago.
     
  21. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    I have a big problem with CSI (version 1.5.103.197 - I know there is a newer version, but the problems I have are 'caused' by x.197).

    I will try to explain what has happened as clearly as possible, but feel free to jump in or ask for more details if things are unclear because I feel I really need help to resolve this.

    The problems occur on 2 different computers (and not connected to each other I might add. One is at work and the other one is at home).

    I discovered this 'by accident' because all seems to be working well (internet connection works, no strange error messages whatsoever).

    When I start a CSI scan I see a report of this in my Windows Event Logs: pxark-service has started (or something similar - I'm running a Dutch XP at home so I'll try to translate the messages as best as I can).

    On February 8th I started a CSI scan with version x.197 on my home pc for the first time. When I take a look at the event log for February 8th I see the pxark-service message followed by a large number of 'Windows File Protection' messages (the time stamp for these messages is only a few seconds later than the time stamp of the pxark-service).

    When I opened one of these messages I saw the following:
    Type gebeurtenis: Informatie
    Bron van gebeurtenis: Windows File Protection
    Categorie van gebeurtenis: Geen
    Gebeurtenis-ID: 64002
    Datum: 8-2-2008
    Tijd: 14:51:28
    Gebruiker: n.v.t.
    Computer: XXXXX-XXXXXXX
    Beschrijving:
    Er is geprobeerd om bestandsvervanging toe te passen op het beveiligde systeembestand battc.sys. Dit bestand is teruggezet naar de oorspronkelijke versie om systeemstabiliteit te behouden. De bestandsversie van het systeembestand is 5.1.2600.0.


    Roughly translated it says that file replacement for battc.sys was detected and that the file has been reset to the original version in order to maintain system stability.

    Unfortunately I have 20-30 of these messages, all regarding different sys-files (a lot of these sys-files belong to SCSI drivers/miniport drivers). Because of the changes made to these files the 'Date made' (8-2-2008) of the file is now newer than the 'Date last changed' (17-1-2004 or something like that).

    Normally I had a message in my event log (at boot up) like this:
    Type gebeurtenis: Informatie
    Bron van gebeurtenis: Tcpip
    Categorie van gebeurtenis: Geen
    Gebeurtenis-ID: 4201
    Datum: 8-2-2008
    Tijd: 14:45:18
    Gebruiker: n.v.t.
    Computer: XXXXX-XXXXXXXX
    Beschrijving:
    Het systeem heeft ontdekt dat netwerkadapter NVIDIA...Controller - Pakketplanner-minipoort met het netwerk is verbonden. De normale werking van de netwerkadapter is begonnen.


    Since February 8th these messages haven't occurred in the log, leaving me thinking that the miniport-packetplanner isn't working (properly) anymore.
    I also have UPHClean installed on my pc. This reports the unlocking of profiles on a pc. Normally it needed to unlock profiles at shutdown (profiles locked by svchost.exe), but these messages have also ceased since February 8th.

    To cut things short (which may be too late, considering all the text above -:)): how can I rectify all this?

    Why does CSI want to change these sys-files and why didn't it happen sooner? I have been running older versions of CSI without any problems.
    I am also NOT blaming CSI entirely, I guess it's a matter of CSI colliding with Windows File Protection (on by default, at least what I've read on the net).

    Can someone please assist me in this matter? All help is welcome.
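
The timestamp correlation described in the post above (Windows File Protection event 64002 entries appearing seconds after a scan starts), as an added example that is not part of the original thread: it parses event records in the Dutch layout quoted there and lists the files restored inside a time window. The scan start time, the 60-second window and the example1.sys/example2.sys records are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout quoted in the post. Only the battc.sys and
# Tcpip timestamps come from the post; example1.sys/example2.sys are made up.
_WFP = ("Beschrijving:\nEr is geprobeerd om bestandsvervanging toe te passen op het "
        "beveiligde systeembestand {0}. Dit bestand is teruggezet naar de "
        "oorspronkelijke versie om systeemstabiliteit te behouden.")
_HDR = "Bron van gebeurtenis: {0}\nGebeurtenis-ID: {1}\nDatum: {2}\nTijd: {3}\n"
SAMPLE = "\n\n".join([
    _HDR.format("Tcpip", 4201, "8-2-2008", "14:45:18") + "Beschrijving:\n(...)",
    _HDR.format("Windows File Protection", 64002, "8-2-2008", "14:51:28") + _WFP.format("battc.sys"),
    _HDR.format("Windows File Protection", 64002, "8-2-2008", "14:51:30") + _WFP.format("example1.sys"),
    _HDR.format("Windows File Protection", 64002, "9-2-2008", "09:00:00") + _WFP.format("example2.sys"),
])

FIELD = re.compile(r"^[ \t]*(Bron van gebeurtenis|Gebeurtenis-ID|Datum|Tijd):[ \t]*(.+)$", re.M)
WFP_FILE = re.compile(r"beveiligde systeembestand\s+(\S+)\.\s")

def parse_records(text):
    """Split an exported log on blank lines and pull out the header fields."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = {k: v.strip() for k, v in FIELD.findall(block)}
        if len(f) < 4:
            continue  # not an event record, or a truncated one
        when = datetime.strptime(f["Datum"] + " " + f["Tijd"], "%d-%m-%Y %H:%M:%S")
        records.append({"source": f["Bron van gebeurtenis"], "id": int(f["Gebeurtenis-ID"]),
                        "time": when, "desc": block.split("Beschrijving:", 1)[-1]})
    return records

def wfp_restores_after(records, scan_start, window_s=60):
    """Return (time, file) for WFP 64002 restores within window_s of scan_start."""
    end = scan_start + timedelta(seconds=window_s)
    hits = []
    for r in records:
        if (r["source"] == "Windows File Protection" and r["id"] == 64002
                and scan_start <= r["time"] <= end):
            m = WFP_FILE.search(r["desc"])
            hits.append((r["time"], m.group(1) if m else "?"))
    return sorted(hits)

if __name__ == "__main__":
    start = datetime(2008, 2, 8, 14, 51, 20)  # assumed scan start time
    for when, name in wfp_restores_after(parse_records(SAMPLE), start):
        print(when.isoformat(sep=" "), name)
```
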
     
  22. Montpellier

    Montpellier Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    20
    17mb when not doing anything? Here's mine:
    http://img524.imageshack.us/img524/962/taskmanagercsira9.gif

    ...and then it jumps up to around 9mb when scanning. o_O
     
  23. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    I see you use XP, perhaps it's more with Vista?
     
  24. Montpellier

    Montpellier Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    20
    Ah, well that isn't something I've tested ;)
     
  25. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    As with Montpellier, on XP it is only taking about 5MB VM when the GUI Window is up and this moves to 9MB VM when scanning.
    More than likely as most programs when installed on Vista seem to take up more memory.
     
