Scheduled scans are a must

Discussion in 'Prevx Releases' started by trjam, Aug 27, 2009.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    First, I have no issue with nightly smart scans and think they are a valued tool. With Prevx, if your PC is on 24/7 as mine is on this one, it is required. Why? I know Prevx is very good, but sometimes it doesn't act on a .exe until it goes active. I don't want any .exe on my PC, dead or alive. I really think that if you disable this feature you reduce your protection by 25 percent. I am totally comfortable with Prevx and nothing else, as long as I keep this activated.

    I know Joe, bust the hell out of them cloud servers nightly. Get used to it, all you cloud dudes better. Of course with what you charge for a family license a little extra power usage is no biggie.


    And where are you folks, you camp out here and now it is infrequent visits. Lol. Spending those incentive checks, are you? :cool:

    It is time for a beta, actually past time. And where is Marcos, popping in and popping out periodically. Makes me wonder if his resume is being passed around. Sorry Marcos, I had to.

    It is time, to take another step in the life of Prevx ###. It is time.
     
  2. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Hey trjam, is there a point in there somewhere? :blink:
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We recommend, encourage, and automatically configure a daily scheduled scan by default and our cloud servers don't mind :)

    I'm always here ;) There just haven't been any posts today :) We are currently having a number of third party organizations perform penetration testing on our new v3.5 protection. This type of third party testing takes quite a bit of time to complete because of how thorough it is but we will be releasing v3.5 to the public as soon as this testing is complete.
     
  4. trjam

    trjam Registered Member

    Thanks Joe, no one can question your work ethics or dedication. But I am interested in how Prevx plans on dealing with FPs long term instead of you having to manually fix them. I say again, that a testing firm like IBK's would no doubt give Prevx an Advanced rating for detection, but overall score it low based on what I have seen.

    So let me go further. Let's talk about true cloud scanning. I thought or would think, that if something is flagged as malware, but not seen by Prevx, it would just be dealt with as suspicious and not deemed for cleaning. It would be tracked on that PC until a proper determination is made. Or is that the way it is? Because a lot of what I see posted should pop up as suspicious, awaiting further determination, instead of being classed as malware. As a user, I can live with that and it allows me to know that even though the executable is still there, it is being followed for later detection and deletion. That way, I don't delete it and cause issues with my OS if deemed a FP. It kind of makes the whole issue of FPs moot.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    I'm not sure what you mean - could you clarify this?
     
  6. trjam

    trjam Registered Member

    Ok, things get detected as malware, members post here, you check it out and find it is a FP and make adjustments. Obviously Prevx has not seen it yet. So it would seem those should be deemed as suspicious and flagged, but no option given for deleting. Then Prevx checks into the reported malware if not seen by other users and if real, adds it, then on the next scheduled scan instead of being labeled suspicious it is classified as malware and deletion is recommended.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    When we warn about a threat, that means we have gathered enough data to say that it is a threat - the FPs reported here virtually always are caused because programs are performing actions that are extremely similar/identical to those performed by malware or the programs contain very similar structure to known malware.

    There isn't much we can do to minimize FPs because we don't have many FPs. I know you seem to think we do but honestly we see less than 5 FPs a day from our entire userbase of upwards of 6 million users (far more than the handful of users who post here). Many of the FPs reported here are from users who are using very elevated settings (i.e. all on maximum) which will logically produce FPs because of the intention of the maximum settings (to warn often on anything new and marginally suspicious).

    If you do see false positives, please let me know but honestly, I've fixed one FP today and no other FPs were submitted at all today :doubt:
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    When something is detected here as a FP it is usually because a family of similar programs has been detected - not necessarily that we're detecting that specific file as malicious. All of our detections are "fuzzy", meaning we don't have one file mapped to one definition which will logically leave some room open for false positives because of the mathematical possibility that two files will share aspects without sharing intention.
     
  9. trjam

    trjam Registered Member

    Well, I respectfully agree and disagree. I have seen members post here that they found x FPs and you fix them in seconds. What criteria is used to do this? And heaven forbid, if you broke a leg skiing, who would do this then? I think more of all the millions of users that are not members here. They have to be getting FPs now and then and don't have the ability to contact you directly here. So Prevx says something is malware and they delete it. It seems that approach could have more of a long term negative impact on cloud scanning. How do they find out they just screwed up? Cloud scanning should always take new detections and classify them differently for all those other millions of users. People need to know that the final determination is made by Prevx either now, or later. Humans will guess wrong 50 percent of the time.
     
  10. trjam

    trjam Registered Member

    Fuzzy doesn't cut it when it comes to a user who knows nothing of what a FP is. Classify it, track it, then deal with it. To me that is how cloud scanning should work.
     
  11. trjam

    trjam Registered Member

    Let me put it this way, new or suspicious should be quarantined by default. Then when a final determination is made, Prevx deletes it if real, or alerts the user it is safe and they can unquarantine it.
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    I'm here as a convenience - I'm not even in the support team or research team and yet I do them here :) Our normal users contact us through our support inbox.

    Users may sometimes run into this, but generally the FPs reported here are seen by only a couple users (usually less than 3, almost always less than 10) so the global impact is negligible.

    I'm not sure what the distinction is with cloud/conventional AVs here - normal AVs have the exact same problems except with a normal AV, the developers/researchers can't fix them immediately: definitions have to be released/updated/etc. We can just click a button and fix FPs immediately across the entire community.

    We take the decisions out of the hands of the users by automating them and our systems automatically prevent FPs from reaching more than a small number of users - those cases are all stray cases: many of our rules detect 500,000 malicious files and cause 1 FP.
     
  13. trjam

    trjam Registered Member

    I ain't going to win at this, am I?
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    If fuzzy doesn't cut it then get ready to have no real-world detection and require billions of signatures :) Fuzzy detection is the only way to go and is the inherent concept in all antivirus programs.

    FP tracking is exactly what we do and we prevent any large FPs so the FPs reported here are all stray cases from either unpopular programs or files which do appear suspicious enough to be classified as malicious.

    We don't automatically quarantine new programs as we would be quarantining > 250,000 new programs every day if that was the case. Newly determined malicious programs are just as malicious as programs determined a year ago - the FPs we see aren't because of changes in rules, just new files being caught by old rules so the age of the program is irrelevant in this case.

    We don't differentiate between suspicious and malicious as if we think something is malicious, we say it is malicious. Breaking it down to levels of "suspicion" is far too complicated for the average user, which is why we either block it or don't. Either way, we will continue to track its behavior in case we do update it in the future but we stand behind what we detect - FPs are just rare inevitabilities.
     
  15. trjam

    trjam Registered Member

    But if I reread this entire thread, and separated actual malware posted and FPs you fixed, your ratio of 500,00 to 1 would be wrong.
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    I'm not sure I follow - every Prevx user doesn't jump into this thread every time something is detected. The posts of missed malware are rare here but the volumes of detected malware across the community are very high (upwards of 30,000 new threats blocked every day, many more of older threats).
     
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    I have still to see a FP in here.... :)

    No offense and sorry to interrupt the monologue but... you are missing the point. Prevx seems to have a % of FP in line with the other security tools.

    There is nothing to fix and the few false positives are dealt with by support as 99.9% of the other companies do.

    Considering the quite different way threats are detected (no classical signature), it is amazing to see how few FPs are generated.

    Sorry for the intrusion and '..SLAM..' (closing the door again). :isay:

    Cheers,
    Fax
     
  18. Page42

    Page42 Registered Member

    I'll say this... you have spoiled Wilders Prevx users absolutely rotten. There is no chance of getting from the normal tech support channels the same rapid response and one-on-one attention that you provide. And I think ahead to the day when you are, for whatever reason, no longer available to us here, and I question whether I will still be the Prevx enthusiast then that I am today. I think I am one of many who feels this way, too. Nice work, Joe! :)
     
  19. trjam

    trjam Registered Member

    :'( Me too
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Thank you for the kind words *blush* :) I have no intentions of going anywhere anytime soon (except to our UK office for the next two weeks so my timezone may be a bit shifted) so don't worry :)

    Although I do work for a software vendor, I still consider myself to firstly be a user and I try and follow the mantra of "treat others the way you want to be treated" which is where my support mentality comes from (and the mentality of the other people in Prevx as well).
     
  21. trjam

    trjam Registered Member

    Nah, not Marcos, he has a mean streak in him. ;) So what are you going to be doing at home base for 2 weeks? Lol
     
  22. PrevxWebDesigner

    PrevxWebDesigner Former Prevx Moderator

    Joined:
    Nov 13, 2008
    Posts:
    89
    Bothering me probably, and complaining about the terrible food ;)
     
  23. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Great suds though :thumb:

    TH
     
  24. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    PrevxHelp, isn’t this a situation where a file-specific analysis (e.g., a reputation score) could be helpful? If the behavior of File A and File B is similar, but the reputation of File A is high and that of File B is low, then File A can be correctly classified as “safe” while File B can be classified as “malware.” In other words, doesn’t reputation enable a distinction between “aspects” and “intention”?

    To clarify further, does Prevx map reputation to an individual, unique file or to a fuzzy set of similar files?

    Trjam, are you saying that users should be presented with three options (“safe,” “unsafe,” and “temporarily unsure”) when a file is classified rather than just two (“safe,” “unsafe”)?
     
  25. trjam

    trjam Registered Member

    Correct. To me it would allow users who are not sure to choose a safe option until Prevx decides. An automated FP clarification method. Instead of what we now have.
     