Prevx FP killed my Rollback Rx & deleted all my snapshot!!!

Discussion in 'Prevx Releases' started by fce, Jun 21, 2009.

Thread Status:
Not open for further replies.
  1. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    I hate to say this but this is BS!!

    What the heck, Prevx deleted all my 15 snapshots!

    I'm very disappointed with this kind of FP (if it's an FP)... I really don't know whether this is an FP or not with the rootkit.MBR message.
     

  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    You knew it was an FP, yet you pressed cleanup now, why?
     
  3. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    I thought the Rollback issue had been previously fixed following earlier reports of MBR detections.

    I'm surprised you ran cleanup without first getting the file analysed to check whether it's indeed a FP.
     
  4. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Disappointing FP from Prevx... but nothing is perfect.

    But not much of an ISR program if the sector mapping is not backed up somewhere else for recovery.
     
  5. thathagat

    thathagat Guest

  6. Ade 1

    Ade 1 Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    471
    Location:
    In The Bath
    I'm sure you could have right clicked it and chosen to exclude it.
     
  7. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    You guys are diehard fans with your replies...

    Let me clear it up for you guys: a month ago this Rollback-Prevx "FP" was already fixed... I didn't know that this FP still exists. Is it standard that every other month an FP will exist (re: Rollback-Prevx FP)?

    this is BS!
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hmm :doubt: The Rollback Rx false positive should have been corrected but they do use the exact same techniques as a rootkit to hide their MBR changes so it is impossible to automatically whitelist any new version of theirs.

    We're sorry for the false positive but there is little that we can do to automatically trust the Rollback Rx MBR. If you could send a scan log to report@prevxresearch.com we will ensure that we correct this ASAP.
     
  9. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    That is why you make sure it's a false positive before you clean it up; then you would not have this problem. If I ever came across something that looked fishy I would ask for help here first before messing with anything in the MBR. And another thing is that all security programs have false positives, and that's the way it is, sorry to say.

    TH
     
    Last edited: Jun 21, 2009
  10. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    420
    Location:
    Honolulu, Hawaii
    Prevx detected the same thing just right now. Please FIX the FP.
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Can you please send me a scan log to report@prevxresearch.com so that I can fix the FP?
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Also note that Prevx shouldn't have actually deleted any snapshots - all that it would be cleaning is the 512 byte master boot record. You may want to try reinstalling Rollback Rx to see if that would restore the view of the snapshots.
     
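As an added example (not code from this thread, from Prevx or from Horizon DataSys), here is a small Python checker for the 512-byte master boot record that PrevxHelp says a cleanup rewrites: it lets a user save a baseline copy of the MBR before acting on a detection and afterwards shows which region (bootstrap code, partition table or signature) actually changed. The device path, the sample images and their byte values are constructed placeholders, not real Rollback Rx or Prevx data.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code (the part a boot-sector cleanup rewrites)
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
SIG_OFF = 510            # bytes 510..511: 0x55 0xAA boot signature


def read_mbr(device_path: str) -> bytes:
    """Read the first 512 bytes of a raw disk so they can be saved as a baseline."""
    # e.g. \\.\PhysicalDrive0 on Windows (as administrator) or /dev/sda on Linux (as root)
    with open(device_path, "rb") as disk:
        return disk.read(MBR_SIZE)


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    signature = struct.unpack_from("<H", mbr, SIG_OFF)[0]
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions, "valid_signature": signature == 0xAA55}


def diff_mbr(baseline: bytes, current: bytes) -> set:
    """Name the MBR regions that differ from a previously saved baseline copy."""
    changed = set()
    if baseline[:BOOT_CODE_LEN] != current[:BOOT_CODE_LEN]:
        changed.add("boot_code")
    if baseline[PART_TABLE_OFF:SIG_OFF] != current[PART_TABLE_OFF:SIG_OFF]:
        changed.add("partition_table")
    if baseline[SIG_OFF:] != current[SIG_OFF:]:
        changed.add("signature")
    return changed


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample image: one bootable type-0x07 partition starting at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + entry + b"\x00" * 48 + b"\x55\xAA"


# Constructed stand-ins: identical partition table, different bootstrap code.
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
MODIFIED_MBR = build_sample_mbr(b"\xeb\x3c\x90\x00\x00")

if __name__ == "__main__":
    print(parse_mbr(MODIFIED_MBR))
    print("changed regions:", diff_mbr(BASELINE_MBR, MODIFIED_MBR))
```

Run it on the two constructed images and only "boot_code" is reported as changed, which is the kind of evidence a user would want to see before deciding whether a detection on the boot sector is a false positive.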
  13. Ni3K

    Ni3K Registered Member

    Joined:
    Nov 25, 2008
    Posts:
    22
    I put a ticket in via support on Prevx awhile back with exactly the same FP.

    But to date it has never been fixed and they have received my scan logs.

    Hopefully one day it will be, otherwise one of the programs will have to go!
     
  14. Ni3K

    Ni3K Registered Member

    Joined:
    Nov 25, 2008
    Posts:
    22
    Joe, what happens when you run cleanup is that Rollback Rx does not work any more and reverts back to the installation backup, i.e. the 1st one when the software was installed. That could be a week or two or far longer.
     
  15. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    420
    Location:
    Honolulu, Hawaii
  16. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,556
    Why on earth are you guys complaining?

    Rollback-RX and Eaz-Fix are rootkits. For heaven's sake, they hide not only the MBR but their whole file system.

    Prevx is only doing its job and it's doing it pretty well.

    Instead of complaining to Prevx, you should complain to HorizonDatasys because Rollback fails to protect the MBR!

    @PrevXhelp
    Can you PM me? Maybe I can help on how to "override" this detection.

    Panagiotis
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The FP should be corrected - try running a scan when you are online (so that it gets the updated signature) and it should show "clean/secure" now.

    If not, please let me know!
     
  18. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    420
    Location:
    Honolulu, Hawaii
    Scan - done, fixed. Thanks Joe.
     
  19. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    When my computer restarted after the BSOD message, Prevx & Rollback were uninstalled already. It's like I rolled back my system to where I didn't have anything.

    Now I know why AV-Comparatives gives a big penalty to FPs in their tests.

    I would rather be infected and let my KIS kill that malware. Damn FP!
     
  20. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    Every AM/AV vendor suffers false positives from time to time, including KIS & PrevX. Admittedly some cope better than others.

    This is the problem when using behaviours, generics and heuristics as a means of detection. There is no great panacea to all of this other than creating a signature for every known instance, but that is time consuming given the amount of malware in existence hence why other methods are employed, but they ain't foolproof as we see occasionally.

    As for getting infected and letting KIS deal with it, that's fine as long as they are able to detect it and deal with it, and this goes for any antimalware program, PrevX included.
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I still disagree that this is a FP :doubt: Rollback Rx <is> using a rootkit on the MBR to hide the sectors. We are able to scan extremely low in the system to get at the real data which other antirootkit programs cannot do currently.

    If the other antirootkit programs were able to scan as low as we are, they would have the same FP. And the fact that we are able to clean the system out from under Rollback Rx shows that they have a major flaw in that they don't block all writes to the disk which means that malware could do the same :doubt:
     
    Last edited: Jun 22, 2009
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    In that case, those that are concerned about this should contact the developers of Rollback Rx/Eaz-Fix as suggested by pandlouk, and provide them with details of what is happening when using programs like Prevx.

    As an interim measure, could Rollback Rx be added under Detection Overrides?
     
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The FP is already fixed so it shouldn't be a problem now :) (but yes, you can use Detection Overrides or right click on the file and Report as a False Positive)
     
  24. chetcope

    chetcope Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    10
    The same thing happened to me in May & I ended up with my system as it was in November! Luckily I had data backups etc. This Forum came a month too late!

    I kept getting their dire messages over several weeks so I finally let it clean up (I did so fearfully, I admit!).

    Hey, I know I should have checked the issue out more, but I also had no idea that the result would be so catastrophic. Some commenters here in this thread have been overly harsh on those of us who sprang for the FP.

    One of my peeves about Prevx was that they had no forums (they do here... now!) where I could have found others who were experiencing this. There's surprisingly precious little self-help material of any kind on their website (well, now they've added a link to this (new) Forum). All a customer could do ('til now) is send an email asking about an FP.

    The Prevx Edge software seems to have only 2 options: clean up or declare it a false positive for good. There are no tools for investigating online (other than a link to the website, "Help & Support").

    I posted a ticket with them in May but they never got back to me (not that they could help me after the fact).

    Horizon Data Systems' forums (they keep disappearing & being reborn) are also not helpful. We are reduced to posting about Rollback ad hoc at Wilders, or poaching in the FDISR forum. (Google searches on the issues recommended too.)

    For Your Info: I switched to my trusty FDISR (knowing there's a decent forum for it & also having decided not to buy the Rollback 9 upgrade) & kept Prevx Edge (for now).
     
    Last edited: Jul 3, 2009
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Angry, yes, but at the wrong target. Pandlouk is right, Prevx just did its job and did it well. Rollback and Eaz-Fix users sometimes don't want to understand that the way those programs work is inherently risky. You are building snapshots of files that the Operating System has no clue exist. They are totally maintained within the program's internal structure, and anything that disturbs that trashes all those files.

    Does this mean they are bad programs? No, but the user needs to understand how they work, the impact on the MBR, and use appropriate caution.

    Also note that although Rollback, Eaz-Fix and even FDISR can, to an extent, undo infections, they really aren't designed to be security software. I can see that if Rollback protected the MBR, it could cause other issues that might be worse.

    Pete
     