Prevx and zipped files - on-demand detection compromised

Discussion in 'Prevx Releases' started by ssj100, Aug 5, 2009.

Thread Status:
Not open for further replies.
  1. ssj100

    ssj100 Guest

    I have noticed that if you rar (zip) a piece of malware that is normally detected by Prevx, Prevx will no longer detect it.

    This is rather disappointing, but I guess that's what you get for using cloud technology - my guess is that Prevx has very poor archive analysis depth. Good thing I use Avira as my primary on-demand scanner.

    The reason why this is most disappointing for my purposes is that a lot of newly introduced files on my system (sandboxes) come in archive format (.rar).

    Any comments on the above? Am I mistaken? Thanks for any replies.
     
  2. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    Prevx does not scan inside archives. Mind you, nothing can run in an archive!

    Puss
     
  3. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    But in that case it will be caught by Prevx!
     
  4. ace11

    ace11 Registered Member

    Joined:
    Aug 23, 2007
    Posts:
    98
    If Prevx3 does not scan into archives (and I'm not debating the design decision of that feature), then if you right-click on an archive file there should not be an option "scan with Prevx3" - it's so misleading.

    If this cannot be achieved easily, then right-clicking and scanning the archive should not yield the message "no infected files found", because such information is very misleading and can cause embarrassment:

    Yesterday I scanned an archive in such a way, it came out (obviously) "clean" and I gave that file to one of my work customers. He does not use a sophisticated AV, but he counted on my promise that this archive is clean.
    You can all guess the rest of the story. :blink:
     
  5. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    It has been said a hundred times that PrevX is no good as an on-demand scanner! PrevX fully works on execution, so you should not trust the on-demand scan at all.
    If you want to scan files before lending them to friends, scan them with a-squared Free or any other on-demand scanner.

    Btw, I would never lend a file to a customer if I am not 100% convinced that the file is safe! :rolleyes:
     
  6. ace11

    ace11 Registered Member

    Joined:
    Aug 23, 2007
    Posts:
    98
    Habakuck -
    it seems that you are referring to my post,
    but I can see no relevance whatsoever to the issues I wrote about :doubt:
     
  7. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Hm, could be a language problem because I am German. =)

    I meant that PrevX isn't good at detecting malware while scanning on-demand. PrevX is very powerful at detecting malware when the malicious file is executed. So, if you did not execute the file (like in your case, only scanning the archive), PrevX is poor in detection.
     
  8. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    As files can be stored inside archives without being compressed, the option should still be shown for archive files, since PrevX would/should detect them in this case (assuming it detects them when they aren't in an archive).

    You can use services like VirusTotal which scan uploaded files/archives with just about every anti-malware software available, and then give you the results.

    You can also extract the files and run them with PrevX enabled to be further convinced a file is clean.
     
  9. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Prevx is doing what it says: scanning a file ;)
    Prolly, should have some specific warning re archive files on R click scan or system scan; rather than "safe" result.
    Absolutely, PrevX is right up there for detecting 'launched' or running mals.

    Running the .exe or whatever in Sandboxie: will prevent the install of a file, but not help re Mal or no unless you track it.
    IIRC, PrevX can actually see "inside" the sandboxie layer ( or used to anyway) and detect mals running : I stand to be corrected if that has changed.
    Could consider DefenceWall and run as untrusted then see, or maybe one of the other policy restriction type apps: GESWall
    Even think about OA as a hipstype set-up with their AV.

    Personally, I would like some alliance or cooperation with PrevX and Tzuk: the combo could be GREAT, permutations limitless. :)
    Regards.
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I agree that we should add a message to tell the user that we haven't scanned the archive's contents. Even if the file is stored flat/non-compressed in the archive, we still do not scan it - we focus only on actual threats and a file in the archive is not a threat.

    You could also have your work customers install Prevx as well which would prevent them from getting threats from a number of areas in addition to your archives :D
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This isn't the case - even if a file is stored in an archive without being compressed, it is still "in" the archive so we wouldn't scan it. For example, if you store a file non-compressed in a .zip archive and then rename the .zip to .exe, it will not run and cannot infect your computer.
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    How common is archive scanning among AVs? Do most of them scan inside archives during on-demand scanning, be it right-click or otherwise?

    What about AMs like SAS and MBAM?

    Anyone feel knowledgeable enough on this topic to provide a list of security products that scan on-demand inside archives?
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Many conventional AVs do, I don't believe MBAM/SAS do. It is, in our opinion, entirely unnecessary to do on the local user's PC. The only benefit is to scan within an email gateway which is why most AVs have it (as they offer those products also).

    Granted, our feelings toward it changed between Prevx 2 and Prevx 3 - we used to have it in, and in fact, we have all of the code written for it... but we really don't see a place for it. A few years back, AVs were measured on how many different archive formats they could dissect but this is completely irrelevant for actually providing protection. It even got to the point where AVs were looking for archives within emails encrypted with images attached to the email like used by the Bagle worm - why bother o_O Just detect the infection itself if it tries to enter the user's PC :)

    *steps off soapbox*
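    To make concrete what the archive scanning discussed above (stored versus compressed members, nested archives, a .zip renamed to .exe) actually involves, here is an added example of an on-demand archive walker; it is not code from Prevx or from any poster, and the known-bad hash, the sample bytes and the depth limit are all constructed for the illustration.

    ```python
    import hashlib
    import io
    import zipfile

    # Constructed sample: a stand-in for a file the scanner already knows by hash.
    # It is not real malware, just bytes chosen for this example.
    KNOWN_BAD_BYTES = b"constructed-sample-not-real-malware\n"
    KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_BYTES).hexdigest()}

    MAX_DEPTH = 3  # how many nested archives to open before giving up (assumed limit)

    def scan_bytes(data: bytes, name: str, depth: int = 0) -> list[str]:
        """Return paths (outer/inner/...) of members whose SHA-256 is known-bad.

        Flat files are hashed directly; zip containers are opened and every
        member is scanned recursively, whether it was STORED or DEFLATED.
        """
        hits = []
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES:
            hits.append(name)
        # Decide by content, not by extension: a .zip renamed to .exe is still a zip.
        if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = zf.read(info)  # decompresses DEFLATED, copies STORED
                    hits.extend(scan_bytes(member, f"{name}/{info.filename}", depth + 1))
        return hits

    def build_sample_archive() -> bytes:
        """Constructed test input: an outer zip holding a STORED copy of the sample,
        a DEFLATED benign file, and an inner zip with a DEFLATED copy of the sample."""
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("payload.bin", KNOWN_BAD_BYTES)
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(zipfile.ZipInfo("stored.bin"), KNOWN_BAD_BYTES, zipfile.ZIP_STORED)
            zf.writestr("readme.txt", b"benign", zipfile.ZIP_DEFLATED)
            zf.writestr("nested.zip", inner.getvalue(), zipfile.ZIP_STORED)
        return outer.getvalue()

    if __name__ == "__main__":
        # The outer file is named .exe on purpose: content, not extension, decides.
        print(scan_bytes(build_sample_archive(), "sample.exe"))
    ```

    Both the stored member and the member inside the nested archive are reported, which is the depth that the original poster found missing from Prevx's right-click scan.
    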
     
  14. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    Assuming the anti-malware program in question can detect the malware, it should alert you on execution anyway, and I think this is the overall point PrevxHelp is trying to make.
    This applies to every other AM product out there; even with whatever you use, it could already still "be too late by then". (Ignoring the use of Sandboxie as a safeguard in this context.)
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Without trying to be argumentative - in what way could it be theoretically too late? Extracting an archive doesn't load any of the files into memory and even if you run it by double clicking within the archive, the file is first extracted to a temporary directory and then run from there so Prevx will jump in and scan/block it.
     
  16. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @PrevX help:
    Apropos of above:
    Will/can PX "see into the sandbox" if any executable is run ??
     
  17. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Yes, it's handy for some of us who want to scan compressed files for nasties etc., but for most people out there in www land it's not a priority, nor do they even know about such things.

    The most important thing is that any nasty gets pounced on ASAP when activated, and dealt with properly.

    If including compression scanning would make Prevx bloated to some degree, and consume more resources etc., then I would say leave it out. Or, include the option, so those who wish can enable it.
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, from what I've seen from the results from users testing Sandboxie and a few other sandboxes, Prevx is able to see within the sandboxed environment.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We've currently only had a small handful of requests for it but if we do end up adding it, we will offer it as an optional additional download. Unfortunately archive decompression support does bloat up AVs rather significantly and we want to keep with the mantra of "detecting real threats".

    However, we do understand the "power user" requests, but on-demand analysis in Prevx (and in most other AVs with behavioral monitoring/runtime analysis components) is nowhere near as effective as seeing a threat in real time on a real system.
     
  20. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    :thumb: :)

    @StevieO
    :thumb:
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Malware cannot start infecting your system spontaneously once it is extracted (and frankly I'm sure glad it conceptually can't because I do it every day ;)). At that point it is merely files on the disk which aren't loading code which brings up another point of the unnecessary scanning of folders while users are browsing them (which many AVs do) - opening a folder of files cannot infect you unless there is some bizarre exploit in Windows Explorer itself but that would be caught as code tried to execute anyway.
     
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    I think you missed the point I was trying to make. You said:
    My point was that with some other AV/AM that blocks in real-time that has no archive scanning or that feature turned off, it could also be theoretically too late by then if you execute the program after extracting it.

    In that context, I'm ignoring the use of scanning archives or sandboxing with any product. We're putting faith in the ability of the product to be able to detect and block on execution; if it can't then it's not likely to detect within the archive either is it?
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No - there have never been any exploits against Windows Explorer exploitable by file extraction and it is engineered in a way to prevent them as well as possible (it doesn't actually load the files). The only possibility of an exploit would have to be in the icon format of executables but malware authors only have ~256 bytes to work with and the icon format has been analyzed over and over again and does not contain any exploits.

    Scanning on writing is not the most important part of an AV - scanning on execution is.
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    And for a technical user I think a classical HIPS is a good addition. Granted, if I gave a classical HIPS to any member of my family I would have to disconnect my phone to stop being bothered :doubt:
     
  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,892
    Lucky for me, but I am not a technical user, that managed to get the hang of SSM. I had nobody to bother, lucky for them. :D
     