Strange: "Fail to set data for TrojanSimulator"

Discussion in 'Prevx Releases' started by Habakuck, Jun 23, 2009.

Thread Status:
Not open for further replies.
  1. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Hi.

    I want to test the combination of Morro and Prevx.

    So I downloaded Mischel Internet Security Ltd's TrojanSimulator.

    On download Morro detects it, but I wrote an override because I want to test the real trojan behavior.

    After that I executed trojansimulator.exe -> Prevx pops up and recommends blocking the action, but I wrote an override because I want to test the detection if the trojan installs.

    Then I hit the install button and got a Windows prompt:
    That's great, I think! =) But why do I get this failure?
    I thought it was an automatic block from Prevx, so I uninstalled Prevx, restarted my PC and tried to install the TestTrojan. => Same Windows failure.

    What is all this about?
     
    Last edited: Jun 23, 2009
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Have you checked that TrojanSimulator is compatible with your OS? (Or is Morro blocking it silently?)

    Also note that applying an override in Prevx (probably Morro also) prevents any blocking of that process :)
     
  3. Habakuck

    Habakuck Registered Member

    TS is compatible with my OS: Vista.

    I don't think Morro blocks it, because I wrote an override and the override is listed in Morro's "Allowed" menu.

    So Prevx does not write a permanent block for this threat?

    PS: OK. The installer needs Administrator privileges but doesn't prompt for them... :|


    I deactivated Prevx, installed the TestTrojan server TSServ.exe and reactivated Prevx.

    -> SHOCKING: Prevx detects nothing.
    I ran a "Scan my computer" => Prevx detects the installer trojansimulator.exe and reboots to remove it.
    After the reboot TSServ.exe is still RUNNING! :ninja: wtf!?


    PS: Morro detects it on reactivation, without any on-demand scan... That's not a good score for Prevx.. :( Settings are at maximum.
     
    Last edited: Jun 23, 2009
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    We haven't developed Prevx to detect leaktests :) Detection for this is entirely trivial but it is unnecessary and useless as it does not actually infect the system and isn't a real threat to users.
     
  5. Habakuck

    Habakuck Registered Member

    But it is a running server... What is not malicious about that threat?
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    It is still just a leaktest - we actually determined it good manually to ignore it from the heuristics to prove the point that it is not malware and is not malicious :)
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    To prove the point, I un-marked it as trusted in our database and it was automatically re-flagged as bad. We will now block it, even though leaktests are a waste of resources and effort on both the vendors and the users testing with them :)
     
  8. Habakuck

    Habakuck Registered Member

    Thank you for this great real time support... :)

    But on my machine TSServ.exe is running, yet Prevx says: "System is secure".
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    No problem :)

    This may be a caching issue - TSServ.exe has been good for over a year so I suspect it won't be reverified for some hours. If you uninstall and reinstall it should pick it up immediately, however :)
     
  10. Habakuck

    Habakuck Registered Member

    Shall I reinstall Prevx or the Test Trojan Server?

    OK. I think you meant reinstalling Prevx.

    I will do so.. =)

    So the misdetection is the result of the learning procedure.. Am I right?
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Try reinstalling both Prevx and the test Trojan Server.
     
  12. Habakuck

    Habakuck Registered Member

    First I tried reinstalling the test server. No detection.

    After that I reinstalled Prevx completely, using Revo Uninstaller. Then I rebooted my PC.

    I reinstalled Prevx and now it detects the server and the Registry Run Command.
    :D
    Great. Well done Joe. Thanks very much! I never saw better live support! :thumb:
    You're the best, man. ;)


    You see: I have problems trusting the new cloud AV concept because I am used to working with signature-based AVs.
    Therefore I have to learn, and I am very interested in every new development.

    Now I understand a bit more of how Prevx works and I will go on learning because Prevx is a great program.
    You think about what you are doing.

    So in my opinion you were right not to detect the server because it is not malicious.
    But it is hard for a user who can't look behind the scenes.

    My thumb is up, Prevx. Well done.
     