Removing blocked files

Discussion in 'Prevx Releases' started by Page42, Sep 3, 2009.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    This is a Basic Configuration question...

    My preference, when Prevx encounters a file that it wants to block, is to have Prevx prompt me, thus giving me the option to trust it or to remove it. My concern is that Prevx might remove a false positive if I choose not to decide.

    I believe that the default setting is "Automatically remove blocked files". If I have that checked, and a nasty is encountered, Prevx simply whisks it away, removing it on the spot, correct?

    In order to receive a prompt (asking me to decide between removal or trusting), I must leave the "Automatically remove blocked files" unchecked, correct?

    What I have noticed is that if I leave that auto remove option unchecked, and wish to remove the file, the process is quite drawn out (as partially illustrated in the attached image), especially when compared to the default auto remove option. I mean, look at all the steps Prevx wants a user to go through just to prepare for cleanup... and I haven't clicked on Next yet to see what comes after the preparation.

    Why is cleanup so cumbersome when a user does not want auto removal? Auto removal is instantaneous... there isn't any saving of documents and closing of programs, disconnecting from the internet, and disabling other security products, as there is when a user asks to be given a choice. Am I right? I hope not. :) I hope I am missing something!
     

    Attached Files:

  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This option isn't as clear as it once was - the normal block dialog which occurs when finding your average executable malware in realtime will result in a dialog which has a button labeled "Remove". Clicking that button will remove the file immediately and then set it up to be removed automatically if that file is seen again. The "Automatically remove blocked files" option comes into play with other forms of blocked files (like an identified changed MBR), not the ones seen in realtime (as that is a redundant feature to the "Remove" button now which used to be named "Block").

    The normal scan/cleanup process does bring the user to the screen you've run into. The problem with that area is that we can't guarantee another process isn't dependent on the existence of the malicious file (whether it be another AV having an open handle to the file, or the file hidden in memory, unlinking itself from all handle tables). Because of this, we give the user quite a few steps to complete a successful cleanup. Disabling the AV/disconnecting the internet/etc. are all made as precautions: some AVs block Prevx from removing a threat they can't remove (this is a side effect of some of the protection, not intentional anti-competitive behavior :)), and some threats may continue downloading additional components during the cleanup process which could make cleanup initially unsuccessful, and saving documents is always a good idea when making system level changes.

    You most likely will be able to continue past cleanup without doing those things, but the average user doesn't get infected every day and when they do, they tend to not know where to start so we've made a wizard interface to make the process as painless as possible.

    We have had some suggestions to remove this wizard completely, but the levels of support complaints that we had before we implemented the wizard were quite high because of people not disabling their AVs and the AV then blocking the cleanup.

    However, we are investigating new cleanup techniques which will let us remove threats more easily out from under AVs even if they are locking them, which may make the wizard irrelevant. These changes will most likely first appear in Prevx 4.0, so, for now, the wizard will most likely need to remain to cover the stray cases when files can't be cleanly removed.

    Let me know if you have any other thoughts on this process!
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    In order to receive a prompt (asking me to decide between removal or trusting), I must leave the "Automatically remove blocked files" unchecked, correct? Thanks :)
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    For virtually all cases, you shouldn't have to leave that unchecked to receive a prompt. The checkbox to leave unticked is: "Automatically block files when detected without prompting". Ticking that box along with "Automatically remove blocked files" will cause files to be removed as soon as they're detected (which is not what you want I believe :))
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Okay, got it. Thanks for explaining that. :)
     