prevx home page claims other AV's missed malware

Discussion in 'other anti-virus software' started by hawkeen, Jun 1, 2009.

Thread Status:
Not open for further replies.
  1. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Well, PER Antivirus is a legitimate application. Try to download it from the website and scan with virustotal:
    http://www.virustotal.com/analisis/...f1454b8a479dc04844f91a99347e21de08-1236226410
    Only Prevx detects it as "Medium Risk Malware"

    Besides that, not only no AV detects 100% (incl. Prevx), but also all AV's have FP's (incl. Prevx), so even if many AV's detect something according to Virustotal, it does not make it malicious.
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Fixed :) Security applications detecting other security applications is common being that they each modify the system similarly to malware (many AVs produce regular FPs against our new releases as well).

    Yes, this is true, but it's hard to say with many of these as they do have some very suspicious attributes which are causing them to be flagged (and a sizable chunk of the antivirus industry also detecting them tends to make me think they are indeed malicious).
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I don't though. On average, I fix far less than one FP per day here (with minor spikes because of signatures which have overstepped their bounds) and we don't have a sample submission form on our website so users tend to just paste them here publicly - no one sees the FPs from other vendors because they are submitted silently :)
     
  4. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    When we detect a file, we only report it against that day's chart, not against future charts by default. The file you just sent was seen just 4 times between May 21st and June 2nd.

    I fix the FPs reported here :) The research team handles the rest via the customer support inbox.
     
  6. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    OK, please also review those (please note that as I do not have the files, except those that I googled for, I have to rely mainly on the names - I wish you would send the files you list as misses of the vendors to the vendors so they could crosscheck):
    http://www.prevx.com/filenames/1589501347734697139-X1/HDINSPECTOR.EXE.html
    http://www.prevx.com/filenames/1964358450737102365-X1/DLA.EXE.html
    http://www.prevx.com/filenames/X2079170817261148648-X1/FXSCOVER.EXE.html
    http://www.prevx.com/filenames/2465687340589112146-X1/FXSSVC.EXE.html
    http://www.prevx.com/filenames/2068767318989685327-X1/WINSOUND.DLL.html
     
  7. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Why don't you add a submission module in PrevX? If a user marks a file as FP in the program it could ask him if he wants to submit it and to provide additional info (where you can download it etc).

    Anyway, most of the FP's that I usually see in PrevX do have some 'malicious' behaviour.

    Panagiotis
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    http://www.prevx.com/filenames/1589501347734697139-X1/HDINSPECTOR.EXE.html - found by 17/40

    http://www.prevx.com/filenames/1964358450737102365-X1/DLA.EXE.html - found by 33/37

    http://www.prevx.com/filenames/X2079170817261148648-X1/FXSCOVER.EXE.html - (Can't find the MD5 to check)

    http://www.prevx.com/filenames/2465687340589112146-X1/FXSSVC.EXE.html - (Can't find the MD5 to check)

    http://www.prevx.com/filenames/2068767318989685327-X1/WINSOUND.DLL.html - found by 3 as "Game/Casino.GEN", probably better categorized as riskware/adware than malware

    We do share the missed samples with a number of other vendors. (I believe Avira is getting in contact with our director of malware research as well to get copies of the samples which they are missing.)
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We have this feature - if you right click a file and click "Report as a false positive" it will get forwarded onto our research team. Unsurprisingly, however, it is abused in massive volumes - malware authors trying to submit their creations as FPs to get us to remove the detection :doubt:
     
  10. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Ehm, sorry, but what md5's are you using? Even by looking at the prevx site, it's clear that it does not refer to a single/specific md5 (files with different sizes). I downloaded HDInspector from the original website (altrixsoft) and scanned it with Virustotal now, and only Prevx detects it (false alarm):
    http://www.virustotal.com/analisis/...c1e159cd54481f147dcbcfce7fd78aec70-1243952666

    Besides that, I see that you add files uploaded from virustotal, giving the origin SPAIN (of course) and renaming the files to an 8-digit number.
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    There are quite a few:
    3BD1F213246C5F22E286BEF4500B67CE
    3790A3CA7957B5A83968DA483CC70FD6
    0FBE1E35BDFA05FB8F07FD0EAA9BD35B
    3436F108F35361BC75F9DC91DACDCAB5
    950ADAB403DDD5C25368CD4A0CEE203F

    The list goes on...
     
  12. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    I agree, prevx is a great product.. some more dubious claims made by other AV's on their respective websites:

    Malwarebytes' Anti-Malware can detect and remove malware that even the most well known anti-virus and anti-malware applications fail to detect.

    Comodo Internet Security has all the functionality of a paid AV without the price. It eliminates ALL known Viruses, Worms and Trojans from desktops and networks with no license fees or hidden costs.

    I could easily find dozens more...
     
  13. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Actually I think showing this kind of info on a daily and/or real time basis really does benefit people.

    Now if Prevx would also include their own misses, then who could complain.

    Let's have and keep these results out in the open for all to see, including All the vendors.

    Publishing things like this in plain sight often is what makes vendors step up a gear or 3, and quite a few of them need to !
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We don't know our own misses (as we would just detect them :D) but we're interested in the opposite view if other vendors have this data against real world samples :)
     
  15. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    The cacophony of voices expressing dismay at the troubling marketing tactics of Prevx continues to grow in volume, and now even includes a reseller of the Prevx product . . . .

    :(
     
  16. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    I think the table on prevx site is misleading; if you want, let's say "indirectly misleading". Almost all average users will look at the graph and compare the various products together, thinking that the one with the lowest number is better than the one with the highest number, not considering that the one with the low number is just not represented often in the chart. If you want to keep the chart at any cost, at least make it statistically valid. Tell how many PC's were scanned in total, how many were protected by an AV, how many had which AV, and on how many Prevx found something where an AV was installed, etc. You do not even need to name the other companies.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We had this in the past and still received massive complaints about it. We are adding a line to the "Explain this chart" which will clarify our intent:

    "These statistics cannot be used to compare the effectiveness of one product to another."

    If you look at what we're claiming, we really aren't misrepresenting the data at all and I think adding this line to "Explain this chart" should clarify any complaints.

    In contrast, other vendors have similar charts and don't give any underlying data and are directly comparing the other products (i.e. http://www.threatfire.com/)
     
  18. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    IBK, I think that the term “indirectly misleading” is a fair description of the problem.

    The issue of whether or not “almost all average users” will misinterpret the data is an empirical question. Prevx could, for example, display a pop-up window with a few simple questions to a random selection of visitors to the “missed threats” details webpage asking:
    Would you do us a favor? Based upon your examination of the “missed threats” statistics on our website, we’re interested in learning about your perspectives. There are no “right” or “wrong” answers to the following two questions – just provide your honest viewpoint.

    1. Security vendors with lower number of “missed threats” statistics are better than those with higher numbers.

    Strongly Disagree   1   2   3   4   5   Strongly Agree

    2. Prevx misses threats that other anti-virus vendors are detecting.

    Strongly Disagree   1   2   3   4   5   Strongly Agree

    I retain the hope that Prevx is interested in really learning the truth about the extent to which the “missed threats” are misinterpreted, and will deploy a research initiative of the form recommended here -- perhaps including questions that other forum community members can suggest.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    With the next website change going out, we will circumvent the issue entirely by making it blatantly clear by saying:

    "These statistics cannot be used to compare the effectiveness of one product to another."
     
  20. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    :D

    IBK,
    It seems you will have all day to find them... :D :D :D

    Unfortunately, we haven't a chart of them, if not the users will be scared...
     
  21. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    The Threatfire link may directly compare products, however they state that they've tested 1300 samples. This approach also has its issues of course, however it is more valid in terms of comparing different AVs, as the same testbed has been used 'against the specific product'. They are not comparing "instances found on user PCs" like your statistics do.

    Both representations of the data (PrevX's and Threatfire's) are relatively meaningless. Threatfire's because of the low amount of samples used, and PrevX's because of the missing number of total installations per AV product.

    Pointing fingers at them is like saying, "But look, they're posting flawed statistics too!".

    From my POV, both sites/stats are effectively meaningless in their current state.
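
The normalisation IBK asks for above (how many PCs had which AV) and FRug's objection about missing installation totals, worked through as an added illustration that is not part of the thread. The vendor names and counts are constructed, not Prevx data, and the function names are hypothetical; the Wilson score interval is added here to show when two per-install rates can be told apart at all.

```python
import math

# Constructed telemetry, NOT Prevx data: vendor -> (scanned PCs running that
# AV, PCs among those where a threat missed by the AV was found).
SAMPLE = {
    "VendorA": (200_000, 1_000),
    "VendorB": (5_000, 100),
    "VendorC": (300, 9),
}

def wilson_interval(hits, n, z=1.96):
    """95% Wilson score interval for the proportion hits/n."""
    if n == 0:
        return (0.0, 1.0)  # no installs observed: the rate is unknown
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def rank_by_raw_count(data):
    """The reading a raw chart invites: fewest missed threats first."""
    return sorted(data, key=lambda v: data[v][1])

def rank_by_rate(data):
    """Misses per scanned install: lowest rate first."""
    return sorted(data, key=lambda v: data[v][1] / data[v][0])

def distinguishable(data, a, b):
    """True only if the two vendors' rate intervals do not overlap."""
    lo_a, hi_a = wilson_interval(data[a][1], data[a][0])
    lo_b, hi_b = wilson_interval(data[b][1], data[b][0])
    return hi_a < lo_b or hi_b < lo_a

if __name__ == "__main__":
    print("raw count order:", rank_by_raw_count(SAMPLE))
    print("per-install order:", rank_by_rate(SAMPLE))
    for vendor, (installs, missed) in SAMPLE.items():
        lo, hi = wilson_interval(missed, installs)
        print(f"{vendor}: {missed}/{installs} -> {lo:.4f}..{hi:.4f}")
    print("B vs C separable:", distinguishable(SAMPLE, "VendorB", "VendorC"))
```

With these constructed numbers the raw-count order is the exact reverse of the per-install order, and the small-install-base vendor cannot be separated from its neighbour.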
     
  22. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    I would consider myself an average (or slightly above) user along the lines of a "hobbyist" more than an "enthusiast." I cannot understand why this chart would cause such problems. I had an issue not too long ago about how they (Prevx) captured this information from my computer so I contacted them and it was quickly explained, and adequately at that. With that being said it appears to me that Prevx is being open and transparent about their intentions. I think the problem comes from trying to make more out of the chart/data than is intended. In fact other vendors (Sophos Threat Detection Test for example) make a similar claim, albeit more subtle and without a chart. In the end Prevx has found several active infections, not dormant files like what's used in 3rd-party test, that others missed minus FP's of course (which EVERY vendor has).
     
  23. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PrevxHelp, to clarify, from whom did these complaints occur? Users? Vendors?

    Just for purposes of illustration, can you kindly post in this forum the count of the number of “missed threats” statistics for each vendor together with the number of PCs upon which that count is based? I am not asking that you redesign the website – only that you share these summary details with this forum community for one day’s “missed threats” report.

    PrevxHelp, this action is certainly a step in the right direction! You sincerely deserve credit for listening and responding to the forum community. :)

    Two additional questions:

    • Would you consider elevating the prominence of this statement from the “Explain this chart” section to the main body of the chart itself?
    • Would you consider editing the statement to read, “These statistics cannot be used to compare the effectiveness of Prevx or of any other product to another,” since the number of threats detected by the other products and missed by Prevx is not displayed?
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    But it is NOT meaningless for what we're trying to say - we're saying that AVs miss threats and here is the list of threats which they miss. We're not trying to say X AV is better than Y AV at all, we're just giving the raw data.

    It may be meaningless to you if you only find meaning in data which directly compares products but the conclusion we want users to draw is that no one product is perfect and they should use multiple products if they want to achieve the best security possible.
     
  25. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since there is no way one could provide proof, I'll speculate and say that "website change" is like fine print on any product. The majority of visitors seeing the marketing tool will go home with the chart foremost in their minds....right or wrong. They will not have read the fine print and Company A's marketing group will simply shrug their shoulders and only be worried about the bottom line :cautious:
     