Prevx vs NOD32??

I came across Prevx website seaching for a possible virus on a client's Win2k server that had an expired antivirus. Prevx shows this chart showing all of the viruses etc that NOD32 supposedly missed:

http://www.prevx.com/avgraph/12/Eset.html

How accurate are these figures and should I be concerned that NOD32 is missing stuff that Prevx somehow catches?

 

Eset could do the exact same thing, show a graph where they detect stuff that Prevx misses. If your worried just use em both

 

A Prevx employee has stated this in the past, which is why things like ZoneLabs, CA & Sophos are low.

 

I have no clue as to how they gather all this information, however, it's nothing but unfair bad marketing of their product and I wouldn't put much faith in these results. The question is - were these files found on systems with fully up to date AV software and all modules enabled? Were they actually malicious and functional? Would a huge number of users with cracked version, that are unable to update, affect the statistics? How many FPs their product generates? Meaning that reporting a lot of benign files as malicious/suspicious would appear as a superb positive detection at the first sight, but on the other hand AVs, that don't flag these benign files, would gain bad points in the statistics.

We'd be really interested in getting and analysing those samples. This is something a proper method of testing involves and AV testers are supposed to verify the sample test set with AV vendors. Without knowing the answers to the above questions and analysing a set of such samples, these statistics will be considered misleading, biased and unfair.

 

Yes, I too came across PrevX and was intrigued by those results on their site.
Firstly, these are results that could only come from systems with both Eset and PrevX, which makes sense why Eset's count is so high, as I personally would think anyone who takes the time to go for Eset and not just pick one of the others off the shelf is looking for more advanced protection. These users could then also be tempted by PrevX.

I've trialled the software, and also the Free monitor, however I can confirm it definately picks up FP's like crazy. What's worse is even after I told it "I know this file IS NOT a VIRUS", the next time I rebooted and logged in, it popped up again. The free monitor, as you can expect is basic, but I believe is roughly what the CSI Enterprise product is, which I personally didn't find a touch on Eset's client information in v4, or the Eset RA.

I wasn't impressed, so decided to remove it. I prefer Eset's automatic quarantine, clean, delete, report with brief notifications preferable to PrevX's popup in your face, "I've found all these malicious files, now what do I do?" and the majority of them were legit files.

 

While Prevx Edge is a bit aggressive when it comes to false positives, they are quick to solve them. Their support specialist is probably the most active here at Wilders, so many of the users concerns are addressed very quickly. Personally, I've only encountered one false positive--not too bad, considering that I have quite a lot of programs installed.

 

Hello,
We gather this information from our CSI scanner - it identifies the antivirus product installed via the WMI data in the security center and then reports back centrally what infections are found.

The fact of a user being outdated/cracked is irrelevant in these statistics. The users have the products installed and think they are protected, but they aren't. Our graphs show that no product offers 100% protection - if you are interested in further information on the files themselves, you can click on the chart and view the more granular details (i.e. http://www.prevx.com/avgraph/12/Eset.html)

If we had even a 1% false positive rate, we would have been out of business years ago, but feel free to add a +/- of even 5% (which would mean we would find around 1,500 false positives on every user's system but would have virtually no impact on the daily results - and note: we only allow reporting of about 200 infections per user so no one user can try and skew the statistics).

Granted, the number of infections is dependent on the number of users using both products (so ESET, being more popular than some of the others, is going to miss more) but the data is there to show that no matter what product you're using, infections will get through (and we are also not impervious to this, of course).

Please let me/us know if you have any further questions or would like any more clarification.

 

We're always working on reducing FPs and improving detection, like every other AV company. Our FP levels average less than 1/1000th of 1% across all users and most are fixed automatically - some users, however, experience more than others if they are using more "techie" tools which modify the system.

If you are still experiencing false positives, it would be helpful if you could run a scan and send me a scan log and I'll fix them ASAP (and yes, it would give a small reduction in the missed detections moving forward, assuming other users are using that software as well )

 

the first link is what stopped me from purchasing prevx and indeed un-install it, it's not nessesary to name the av companies, in fact it's quite amateur and shockingly un-professional.

 

There was only one piece of perhaps uncommon software (an SMTP Server with anti-spam, I trialed on my PC and hadn't removed yet), everything else was standard programs.

I would also point out, that Eset does not force a user to scan their computer after installing it. While you could argue it would be a good idea to recommend it to the user, Eset's view seems to be that when any malware tries to run or be accessed, it will be caught at that point.

However, PrevX, like most of the others rely more on doing a full system scan (granted, it seems impressive it can scan an entire system in 2 minutes to a normal user, I think those of us in the know are a lot more suspicious of this and find it hard to believe it's scanning anything but the extreme basics to do it in that time).

Therefore, is it not safe to say PrevX reports that these got by Eset, but they were already on the system and have not yet been accessed or doing anything to warrant capture by Eset?

The Average user will just want to install it and forget it, in fact, I've come across a huge number who got Symantec/Norton with their PC and believed they were protected, however they had never actually run/completed the setup process. In this instance, would PrevX also chalk up a bad mark against Symantec/Norton as it's installed, but not actually setup to run yet?

Also, my personal preference is for a client to display some useful information to end users (which is why I'm pleased with v4 in that respect), and a remote admin console that also provides detailed information on clients and their status, customisation and push install, the ability for it to work over a WAN as well as LAN, HTML reports, etc. On the client side, the mostly autonomous performance, I'm alerted when it's doing things by a non-intrusive popup that fades, so I'm in the know without being interrupted while working (a definate necessity in corporate environments, I have seen anti-virus products thrown out for this reason), but yet still with all the advanced options one can conceive at this point.

I just don't see any of that in PrevX sadly.

 

Your blowing smoke out your arse. I think you need to review what you've said. Outdated /cracked is very relevant to the protection level provided. Some of us were born at night , but it wasn't last night. .

 

I respectfully disagree Why would a user download a cracked/outdated version of the software unless they expected it to still protect them? Sure, some of the threats reported may be blocked by the newest version of NOD32 and were missed by the cracked version but the fact remains that there are NOD32 users out there who are getting infected.

Frankly, if such a high portion of the population of NOD32 users is using cracked/outdated software, I think they have more problems on hand than just detection

 

AJStevens: If you could please run a scan with CSI and send me a scan log containing the false positives, it would be a big help and would help ESETs rankings as well, if they are indeed false positives

The scan which takes place in CSI is short, but it is extremely thorough - including a detailed rootkit scan over the disk, registry, and memory. Conventional AVs scan through every file on disk, extracting archives, etc. which is why they take significantly longer. Also note that registered users can run a full scan of their system - it is just largely unnecessary.

Detection of the samples just means that they exist on the system. We scan through loaded files/active processes/system areas so if a file exists in one of these areas and is bad, there is a high probability that it is actually infecting the system.

If Symantec was installed into the security center, we would report the mark against them if the user had an infection on their PC. Normally, however, an inactive antivirus program does not register itself as the active antivirus program

We are in the process of developing a new enterprise management system for our clients which includes many of the features you have described already (even down to the fading popup) but the users in the reports on our homepage are virtually all home users so corporate performance isn't factored in.

 

We're not here to make a flame about Prevx's marketing methods. I think we all are mature and can make our own opinions and attitudes based on facts.
As for cracked versions, they are often installed by common users who are not much computer savvy. They either download a trial version and search for a crack which itself is often a disguised trojan, or they grab a leaked username/password from the web which is cancelled shortly after, but the users don't pay attention to warnings about failing updates and visit risky sites though. Another thing that should be taken into consideration is that the best effectivity for blocking malware can be achieved by installing the antivirus on a clean system. The web/email scannners use more sensitive heuristics so the chances they will catch something nasty before entering the system are pretty high.

 

Agree. Lets just let this one die now by its natural course. Nothing can be gained by it.

 

One problem that I see is that with any malware scanner false positives are only reported if the end user is tech savy enough to realize that in fact the malware detected in a file may be false positive.

I think a majority of people just take the software's scanning result at face value and either quarantine or delete the file and never report it as false positive.

Saying that "Our FP levels average less than 1/1000th of 1% across all users"
may be a somewhat skewed.

 

Sure, this is definitely true - but we have a unique view because all of the signatures are hosted in the database centrally so we know when programs are being detected and when they aren't. It is quite easy to track down and fix false positives, and we are able to see the results of every rule we create immediately to know how they will impact the user population. Every AV has false positives - it is the inevitable result of heuristics. (Case in point: NOD32 detects nearly ever new version of CSI and Edge as Win32/Generik )

Within the last 2 weeks, we've rolled out a new false positive prevention system and server-side analysis system so we are now getting more accurate data than ever and in the end, the affects of false positives are only marginal on the charts (which are also retrospectively corrected as false positives are corrected).

 

And this is why a layered approach is always recommended No scanner finds 100% (not Prevx, not ESET, not Symantec) and they never will.

We've worked hard so that we can work alongside other security products as well as work on an infected system. We provide the charts on our homepage for user education - many users think that their current security product is all that they need.... but they are wrong.

The only way to show them this is to present the real data behind our claims and hopefully they will come to the conclusion that they need more than one security product. Whether they choose to use our solution alongside their AV or some other product, it is in everyone's best interest to improve the security of users.

 

Still, I think that some of the information you've mentioned here should be mentioned on the statistics page as well. Common users understand the numbers the way that the higher number of undetected samples, the worse detection the product has. They do not take into account other facts, such as that the numbers depend on the number of users who have particular AV programs installed.

If there's a need to discuss this topic further, I'd suggest moving the discussion to the "Other AV software" forum where it might get better attention from other people.

 

We do explain the chart in this way if you click "Explain This Chart >" on the homepage directly under the statistics

Quote from the website:
"The Security Vendor chart displayed above shows, in simple terms, a total count of malicious programs found yesterday by Prevx CSI and Prevx Edge on PCs protected by security products supplied by each of the vendors shown.

You should expect to see a higher number against the more popular security vendors because we see more of these users and consequently a higher number of malware infections.
More Information

If you click on any one of the bars in the chart, you can see exactly what infections have been found on PCs protected by security products supplied by that vendor."

 

Posted on Prevx website.

You should expect to see a higher number against the more popular security vendors because we see more of these users and consequently a higher number of malware infections.

 

PrevexHelp already new this I'm sure. But simply chose to play stupid.

 

Mind reader now Hammer.

 

If somebody( PrevexHelp) ventures into injun territory blowing their regimental bugle, they should expect a few arrows to be fired their way.

 

I already quoted this in the 3rd post I think the rest of this thread was useless as it pretty much explains everything. :/