Prevx CSI - how does it work?

Discussion in 'other anti-malware software' started by hutchingsp, Aug 22, 2008.

Thread Status:
Not open for further replies.
  1. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Apologies if I'm being dumb here, but can someone explain how Prevx CSI actually works, and what the purpose of it is?

    I've watched the presentation and looked at the website (point me in the right direction if I'm going blind) and I don't get two basic points:

    It's not realtime, so presumably by the time it runs a scan and finds something your PC is already infected?

    I'm asking as I've downloaded the demo, setup the server and a client, and whilst the manuals explain how to use the product, they don't go into great depth about how it actually functions and I'm interested.
     
  2. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Hello,

    what do you want to know exactly?

    Prevx CSI has been developed as an additional security layer to your existing security product. Its highly tuned engine allows you to check in minutes if any infections have bypassed your installed security solution.

    It doesn't have a real-time monitor; it's just an additional check with advanced cleanup features if an infection is found (cleanup license, not the free version of CSI).

    It makes use of our always up to date Prevx Community Database.

    This is a short and common explanation; any specific question is welcome :)

    Best regards,

    Marco
     
  3. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Hi Marco, thanks for the reply.

    What does it actually scan? When I installed it on my machine (this is the CSI enterprise version so I guess it may have a "no frills" GUI) and did a scan, it showed me the number of files being scanned, and it was damned quick, but it didn't give too much detail of what it was checking, and what it was checking against i.e. with our regular Antivirus we know that it is using pattern file XYZ and I didn't see an equivalent in prevx - does it use a copy of the community database that the client downloads from the local management server?

    I ask as it looks an interesting product - we have around 400-500 PCs (depending when you looked) and so far I haven't found any A/V that's convinced me overall to switch from who we currently use (Trend) but its malware detection and remediation isn't perfect.
     
  4. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    In the enterprise version, CSI doesn't display what it's scanning to the user, but it will scan the same data as the consumer CSI scans. It scans all running processes, all loaded modules, all files referenced by registry entries which can be used to house malware, and dormant files in a number of locations across the system, just to make sure they're clean. CSI Enterprise centralizes the definitions from across the enterprise into the server computer, caching the results and responding to clients with duplicate files with the same answer from the initial query to the community database (or any updated query if the determination changes).

    It doesn't store a copy of the entire community database, only a mirror of the responses for the files in your network, but the management server queries the community database for answers on the files it scans (and only the management server will - the clients individually report back to the server and the server scans from there). For what it's worth, CSI will only scan executable files and, when it scans the files, it sends up only mathematical data to the database - a couple of signatures which are used to identify the intent of the program - not including any personal data, and all scans are anonymous.

    If you have any further questions please let us know :)
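    The architecture Marco describes above (clients report only digests, the management server mirrors community verdicts for files seen on the network and re-queries when a determination changes) sketched as an added Python simulation. This is not Prevx code: the SHA-256 digest, the verdict labels, the sample executables and the stand-in "community database" are all constructed assumptions for illustration.

```python
import hashlib
from typing import Dict, List


def fingerprint(data: bytes) -> str:
    """All a client sends upstream: a digest of the executable, no content,
    no path, no user data (SHA-256 here is an assumption, not Prevx's method)."""
    return hashlib.sha256(data).hexdigest()


# Constructed samples and a constructed stand-in for the community database.
GOOD_EXE = b"MZ constructed benign sample"
BAD_EXE = b"MZ constructed malicious sample"
UNKNOWN_EXE = b"MZ constructed never-seen sample"
COMMUNITY_DB: Dict[str, str] = {fingerprint(GOOD_EXE): "good", fingerprint(BAD_EXE): "bad"}


class ManagementServer:
    """Mirrors community verdicts only for digests seen on this network."""

    def __init__(self, community_db: Dict[str, str]) -> None:
        self._community = community_db
        self.cache: Dict[str, str] = {}
        self.upstream_queries = 0

    def verdict_for(self, digest: str) -> str:
        if digest in self.cache:          # duplicate file: answered locally
            return self.cache[digest]
        self.upstream_queries += 1        # first sighting: ask the community DB
        verdict = self._community.get(digest, "unknown")
        self.cache[digest] = verdict
        return verdict

    def refresh(self) -> List[str]:
        """Re-query every cached digest so a changed determination (e.g. a
        corrected false positive) reaches clients; returns digests that changed."""
        changed = []
        for digest, old in list(self.cache.items()):
            self.upstream_queries += 1
            new = self._community.get(digest, "unknown")
            if new != old:
                self.cache[digest] = new
                changed.append(digest)
        return changed


def client_scan(server: ManagementServer, files: Dict[str, bytes]) -> Dict[str, str]:
    """A client reports only digests of its executables; the server answers per file."""
    return {name: server.verdict_for(fingerprint(data)) for name, data in files.items()}
```

    The second client below never causes an upstream query for files the first client already reported, and a verdict corrected in the community database only reaches the network after a refresh.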
     
  5. Green Giant

    Green Giant Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    252
    I paid for Prevx CSI but gave it up after a few months of always finding false positives, notably in AVG Internet Security program files.
     
  6. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    There's a function called "report false positive" if you click with the right mouse button on the files CSI found as infected :)

    We try to fix every false positive as fast as possible. Of course, if users help us by reporting every false positive they've found, everything will become faster and better ;)
     
  7. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Thanks Marco. The area where this specifically appeals to me is servers, where for obvious reasons I don't want to be running a resource-consuming antivirus program all of the time, but I do want to be sure that the servers haven't been exploited, and an occasional (i.e. every X hours) scan sounds like it has potential.

    Would you consider Prevx suitable for that sort of role? Mostly Windows 2003 R2 servers.

    I guess what I'm trying to gauge is how thorough you'd consider it at checking for nasties vs. traditional antivirus?

    Incidentally you refer to a "community database" - if someone had bad intentions, presumably there's a screening process to prevent a reputable application being deliberately reported/classified as malicious?
     
  8. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Of course, behind everything there's the whole process analysis done by our analysts to prevent any possible attempt to alter any data.
     