Prevx and zipped files - on-demand detection compromised

I have noticed that if you rar (zip) a piece of malware that is normally detected by Prevx, Prevx will no longer detect it.

This is rather disappointing, but I guess that's what you get for using cloud technology - my guess is that Prevx has very poor archive analysis depth. Good thing I use Avira as my primary on-demand scanner.

The reason why this is most disappointing for my purposes is that a lot of newly introduced files on my system (sandboxes) come in archive format (.rar).

Any comments on the above? Am I mistaken? Thanks for any replies.

 

Prevx does not scan inside archives. Mind you, nothing can run in an archive!

Puss

 

But in that case i will be caught by prevx!

 

IF prevx3 does not scan into archive ( and i'm not debating the design decision of that feature) , then if you right clicking on an archive file there should not be an option "scan with prevx3" - its so misleading.

If this can not be achieved easily then right clicking and scanning the archive should not yield a msg "no infected files found" - because such an information is very misleading and can cause an embarrassment:

yesterday i scanned an archive in such a way , it came out (obviously) "cleaned" and i gave that file to one of my work-customers. He does not use sophisticated AV , but he counted on my promise that this archive is clean.
you all can guess the rest of the story.

 

It is said a hundred times that PrevX is no good on demand scanner! PrevX fully works on execution so you should not trust the on demand scan at all.
If you want to scan files befor leading them to friends scan them with a-squared free or any other on demand scanner.

Btw. i would never lend a file to a customer if i am not 100% convinced that the file is save!

 

Habakuck -
it seems that you referring to my post ,
but the I can see no relevance what so ever to the issues I wrote about

 

Hm, could be a language problem cause i am german. =)

I meant that PrevX isnt good in detecting malware while scanning on-demand. PrevX is very powerfull in detecting malware when the malicious file is executed. So, if you did not execute the file (like in your case only scan the archive) PrevX is poor in detection.

 

As files can be stored inside archives without being compressed, the option should still be shown for archive files, since PrevX would/should detect them in this case (assuming it detects them when they aren't in an archive).

You can use services like VirusTotal which scan uploaded files/archives with just about every anti-malware software available, and then give you the results.

You can also extract the files and run them with PrevX enabled to be further convinced a file is clean.

 

Prevx is doing what it says: scanning a file
Prolly, should have some specific warning re archive files on R click scan or system scan; rather than "safe" result.

Absolutely, PrevX is right up there for detecting 'launched' or running mals.

Running the .exe or whatever in Sandboxie: will prevent the install of a file, but not help re Mal or no unless you track it.
IIRC, PrevX can actually see "inside" the sandboxie layer ( or used to anyway) and detect mals running : I stand to be corrected if that has changed.
Could consider DefenceWall and run as untrusted then see, or maybe one of the other policy restriction type apps: GESWall
Even think about OA as a hipstype set-up with their AV.

Personally, I would like some alliance or cooperation with PrevX and Tzuk: the combo could be GREAT, permutations limitless.
Regards.

 

I agree that we should add a message to tell the user that we haven't scanned the archive's contents. Even if the file is stored flat/non-compressed in the archive, we still do not scan it - we focus only on actual threats and a file in the archive is not a threat.

You could also have your work customers install Prevx as well which would prevent them from getting threats from a number of areas in addition to your archives

 

This isn't the case - even if a file is stored in an archive without being compressed, it is still "in" the archive so we wouldn't scan it. For example, if you store a file non-compressed in a .zip archive and then rename the .zip to .exe, it will not run and cannot infect your computer.

 

How common is archive scanning among AVs? Do most of them scan inside archives during on-demand scanning, be it right-click or otherwise?

What about AMs like SAS and MBAM?

Anyone feel knowledgable enough on this topic to provide a list of security products that scan on-demand inside archives?

 

Many conventional AVs do, I don't believe MBAM/SAS do. It is, in our opinion, entirely unnecessary to do on the local user's PC. The only benefit is to scan within an email gateway which is why most AVs have it (as they offer those products also).

Granted, our feelings toward it changed between Prevx 2 and Prevx 3 - we used to have it in, and in fact, we have all of the code written for it... but we really don't see a place for it. A few years back, AVs were measured on how many different archive formats they could dissect but this is completely irrelevant for actually providing protection. It even got to the point where AVs were looking for archives within emails encrypted with images attached to the email like used by the Bagle worm - why bother Just detect the infection itself if it tries to enter the user's PC

*steps off soapbox*

 

Assuming the anti-malware program in question can detect the malware, it should alert you on execution anyway, and I think this is the overall point PrevxHelp is trying to make.

This applies to every other AM product out there; even with whatever you use, it could already still "be too late by then". (Ignoring the use of Sandboxie as a safeguard in this context.)

 

Without trying to be argumentative - in what way could it be theoretically too late? Extracting an archive doesn't load any of the files into memory and even if you run it by double clicking within the archive, the file is first extracted to a temporary directory and then run from there so Prevx will jump in and scan/block it.

 

@PrevX help:
Apropos of above:
Will/can PX "see into the sandbox" if any executable is run ??

 

Yes it's handy for some of us who to want to scan compressed files, for nasties etc, but for most people out there in www land it's not a priority, or do they even know about such things.

The most important thing is that, any nasty gets pounced on ASAP when activated, and dealt with properly.

If including compression scanning would make Prevx bloated to some degree, and consume more resources etc, then i would say leave it out. Or, include the option, so those who wish can enable it.

 

Yes, from what I've seen from the results from users testing Sandboxie and a few other sandboxes, Prevx is able to see within the sandboxed environment.

 

We've currently only had a small handful of requests for it but if we do end up adding it, we will offer it as an optional additional download. Unfortunately archive decompression support does bloat up AVs rather significantly and we want to keep with the mantra of "detecting real threats".

However we do understand the "power user" requests but on-demand analysis in Prevx (and in most other AVs with behavioral monitoring/runtime analysis components) is no where near as effective as seeing a threat in realtime on a real system.

 

@StevieO

 

Malware cannot start infecting your system spontaneously once it is extracted (and frankly I'm sure glad it conceptually can't because I do it every day ). At that point it is merely files on the disk which aren't loading code which brings up another point of the unnecessary scanning of folders while users are browsing them (which many AVs do) - opening a folder of files cannot infect you unless there is some bizarre exploit in Windows Explorer itself but that would be caught as code tried to execute anyway.

 

I think you missed the point I was trying to make. You said:

My point was that with some other AV/AM that blocks in real-time that has no archive scanning or that feature turned off, it could also be theoretically too late by then if you execute the program after extracting it.

In that context, I'm ignoring the use of scanning archives or sandboxing with any product. We're putting faith in the ability of the product to be able to detect and block on execution; if it can't then it's not likely to detect within the archive either is it?

 

No - there have never been any exploits against Windows Explorer exploitable by file extraction and it is engineered in a way to prevent them as well as possible (it doesn't actually load the files). The only possibility of an exploit would have to be in the icon format of executables but malware authors only have ~256 bytes to work with and the icon format has been analyzed over and over again and does not contain any exploits.

Scanning on writing is not the most important part of an AV - scanning on execution is.

 

And for a technical user I think a classical HIPS is a good addition. Granted, if I gave a classical HIPS to any member of my family I would have to disconnect my phone to stop being bothered

 

Lucky for me, but I am not a technical user, that managed to get the hang of SSM. I had nobody to bother, lucky for them.