Prevx 2.0 & New Prevx CSI

Discussion in 'other anti-malware software' started by Hermescomputers, Feb 7, 2008.

Thread Status:
Not open for further replies.
  1. Killtek

    Killtek Registered Member

    Joined:
    Feb 22, 2007
    Posts:
    100

    I agree as well... I've read it multiple times and he seems to be saying that you need both PrevX2.0 and CSI if you want optimal protection. Each app has strengths and weaknesses... so basically use both.

    When is PrevX2.0 coming out of Beta for Vista?
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
Then why not get both. I think CSI is great. Yeah some say it is just taking up space but space I have. To me it is best suited for those using a virtual product. It is great to run before you come out of and after a freeze or shadow mode. It works too. So say what you want but Prevx has made a great product in CSI and you just need to find a way for it to fit your needs.:) :thumb:
     
  3. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    So what's the difference between manually running a Prevx2 scan & running a PrevxCSI scan? They surely do the same thing except with Prevx2 you can configure a full system scan.
     
  4. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    We have reproduced the "issue" and our dev team describes it as the following:

    "CSI looks for all of the possible drivers in the system during the scan, whether they are active or inactive in memory. Even if they aren't installed, Windows has references for many drivers throughout the registry and CSI is seeing these references and checking to make sure that the file that they point to is not malicious or hidden. When CSI scans these not installed files, Windows File Protection is seeing that it is accessing a "critical" system file (which doesn't exist). One of the modules in CSI requires it to test for the existence of a file by opening it for write access - WFP is seeing this and then "restoring" the file by copying the default file from the DLLCache into the drivers folder. This is an interesting behavior which has no negative effects besides the fact that Windows stores some error messages, but, if you look at the error messages and compare them to your system before and after the scans (as we did to realize this issue), you will see that all of the files that are referenced as being restored never existed before CSI ran - Windows is recreating files which were not there to begin with.

    However, as a few users have mentioned this, we are working on a workaround to prevent Windows from logging errors. Note: this will only ever happen the absolute FIRST time you scan with CSI - as Windows would then make copies of the files and CSI would see those files clearly."

    Marco
     
  5. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    The main reason why we have higher memory usage than one may expect is because we store a lot of data in an in-memory and on-disk cache. This cache allows us to run a very fast scan and is a much cleaner approach than using ADS streams on files, but yields the same results. Using CSI1.5, most users will see that after the first scan, subsequent scans take only 10 or so seconds to run.

    CSI also has a number of graphics in it that are full-color bitmaps. We may release a 'light' version of CSI in the future which would not have the full bitmaps, but for now, we are trying to cater to users who like nice, colorful GUIs. The main purpose of CSI is to simplify the process for users. GMER and RkU may show more information about rootkits, but CSI simplifies this information into a filename or a registry entry and then lets the user decide on that, rather than saying that x function is hooked by x module.
     
  6. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
Since you brought these brands up.....

    How would you measure CSI's rootkit detection capabilities relative to Gmer and RKU? I am all for the simplicity, but what about CSI's effectiveness?

Also, has the upgraded rootkit detection capability been included in Prevx2? I recently performed a fresh install of build 127, and after the reboot acquired an update. Prior to that there had been no minor rules or signature updates for months.

    thanks


    Mike
     
  7. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
Well, CSI is able to detect and remove everything we've found, with some exceptions for which we are working on adding detection/removal. Feel free to test it as you please and post results here. Note that if, for instance, you hide a legitimate program with FUTo, CSI will not detect the hidden program because that is not the malicious component - this helps remove user confusion as a hidden legitimate program can do no damage. However, if you were to hide a suspicious or malicious program, CSI would detect it immediately.

    Marco
     
  8. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Hi Marco, thanks for your reply.
    Your explanation is clear, but it does leave me with some questions. You state that these files 'never existed' before CSI ran. Can you then explain why certain network protocols (source: Tcpip - packet planner for miniport, used to always start at boot but not anymore) are not working on one of my boxes anymore right after this first scan took place?

    What does the time stamp of the files that WFP protected look like on your machines? Is the 'date made' also younger than the 'date last changed'? On my box I now have files with 'Date made 8-2-2008' and 'Date last changed 4-8-2004'. This seems weird.

    Why does the number of files protected by WFP differ so much? Especially when it concerns files that didn't 'exist' before.

    Also UPHClean doesn't seem to need to 'unlock' hived profiles anymore. At shutdown all it says in the Windows logs is "User profile hive cleanup service stopped successfully".
    All this leaves me thinking that something has been altered and therefore not working correctly anymore.
    I think these things cannot be purely based on coincidence. I hope you agree?
     
    Last edited: Feb 19, 2008
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Hi,

I have a question about Prevx CSI: why does it need/want to modify drivers on the system during a scan? Yes I know it's not malicious, but I wondered about this anyway. :)
     
  10. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Sorry for the belated response - we are working on circumventing a new, CSI-blocking malware which is blocking GMER, HijackThis, and a bunch of other tools. To answer your questions:

    Rasheed187 - CSI doesn't actually modify drivers ON the system - as one, small module of our scanner, if a driver doesn't exist, it tries to create the file. If it can't create the file, that is a dead-giveaway of one kind of rootkit (there is, of course, much more logic which goes into this). After creating the temporary file and ensuring that the system is not rootkit'ed, it deletes it.

    Stijnson - This could happen because Windows has installed the DEFAULT drivers which were released a few years ago. It might be worth trying Windows Update to see if it will update the rest of the drivers.
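The probe Marco describes in the reply above (stat says the driver file is missing, so try to create it; if creation is refused because the file already exists, something is hiding it) is simple enough to illustrate in a few lines. The following is an added example written for this thread, not Prevx code: `probe_path` takes an injectable `visible` callable standing in for the ordinary "does this file exist?" API that a usermode rootkit can hook, while the exclusive create goes straight to the filesystem. `probe_references` adds the caveat the thread is really about: skipping paths under Windows File Protection-style directories (the `protected_roots` parameter is an assumption of this example) so the temporary file never triggers the "restore from DLLCache" side effect. All names and the sample paths are constructed for the example.

```python
import os
import tempfile

# Outcomes the probe can report (constants chosen for this example).
PRESENT = "present"      # the visible API sees the file; nothing to do
ABSENT = "absent"        # nothing visible and we could create it: nothing is hidden here
HIDDEN = "hidden"        # nothing visible, yet exclusive create says it already exists
PROTECTED = "protected"  # creation refused outright (ACLs, read-only volume, filter driver)
SKIPPED = "skipped"      # not probed, to avoid side effects in a protected directory


def probe_path(path, visible=os.path.exists):
    """Classify one referenced file using the create-if-missing trick.

    `visible` is the API a rootkit would hook to hide a file.  O_CREAT|O_EXCL
    is answered by the filesystem itself: if the file really is there the call
    fails with EEXIST even though `visible` claimed it was absent.
    """
    if visible(path):
        return PRESENT
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        # Visible API lied: the object exists but is being hidden from stat.
        return HIDDEN
    except FileNotFoundError:
        # Parent directory does not exist, so the file cannot exist either.
        return ABSENT
    except PermissionError:
        return PROTECTED
    # We created a temporary file; remove it again so the system is unchanged.
    os.close(fd)
    os.unlink(path)
    return ABSENT


def _under(path, root):
    """True if `path` lies inside directory `root` (case-folded on Windows)."""
    p = os.path.normcase(os.path.abspath(path))
    r = os.path.normcase(os.path.abspath(root))
    return p.startswith(r.rstrip(os.sep) + os.sep)


def probe_references(refs, protected_roots=(), visible=os.path.exists):
    """Probe every referenced driver path, but never create files under a
    protected root: on Windows XP/2003 that would make WFP copy a default
    driver out of DLLCache, exactly the behaviour discussed in this thread."""
    results = {}
    for ref in refs:
        if any(_under(ref, root) for root in protected_roots):
            results[ref] = PRESENT if visible(ref) else SKIPPED
        else:
            results[ref] = probe_path(ref, visible)
    return results


if __name__ == "__main__":
    # Constructed demo: a scratch directory plays the role of the system,
    # and a `drivers` subdirectory plays the role of a WFP-protected folder.
    base = tempfile.mkdtemp()
    drivers = os.path.join(base, "drivers")
    os.mkdir(drivers)
    real = os.path.join(base, "present.sys")
    open(real, "w").close()
    refs = [real, os.path.join(base, "ghost.sys"), os.path.join(drivers, "old.sys")]
    for ref, verdict in probe_references(refs, protected_roots=[drivers]).items():
        print(f"{verdict:10s} {ref}")
    # A hooked "visible" API that hides everything makes the real file show as hidden.
    print("hooked:", probe_path(real, visible=lambda p: False))
```

The `visible=lambda p: False` call at the end stands in for a hooked enumeration API; on a clean system the only way to reach `HIDDEN` is for the filesystem and the visible API to disagree, which is the signal the scanner is looking for. Note that the probe itself is a write to the directory, which is why the thread's users saw WFP and event log activity after the first scan.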
     
  11. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
    Please could you also answer post #53?
     
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Got an ETA for this wonderful upcoming solution? :rolleyes:

Also I have a small question about CSI rootkit detections... Are all rootkits detected simply labeled a generic "Malicious Rootkit detected"? As under these conditions it is rather difficult to identify FPs from real bugs...
     
  13. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I'd be interested in an answer to this also, please.
     
  14. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
I appreciate your answer. CSI for me is a nice additional on-demand scanner, that I presently have a lot of confidence in as Prevx is obviously putting their collective best foot forward in its development. Good luck with this new malware you are battling.

BTW, there was a second part to my question that was not addressed.

    Some insight will be appreciated.


    Mike
     
  15. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    I tried Windows Update, but it changed no other files (it said everything was up to date - still no packet planner for miniport enabled unfortunately). Thanks for your tip though. If anyone has other tips: please share them with me.
     