WSA and PREVX.

Discussion in 'Prevx Releases' started by Taliscicero, Jun 16, 2012.

Thread Status:
Not open for further replies.
  1. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I was wondering, PREVX when it was its own product was great, and had detection rates even in its infancy. Now its a part of WSA, WSA does not do even half as well. I am wondering why, as by rights it should do better as to my knowledge it is PREVX with webroot signatures/prevx's own, and extra webroot secureity tools. I have found this to be very un-true, and wonder how seemingly the webroot team has cut the prevx base detection by half? I am generally interested, as webroot could have done nothing, recolored the PREVX window, and re-sold PREVX with better detection.
     
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    I'm mot sure where you get "cut by half" idea from. Recent tests show Webroot to be doing well, although by their admission the last couple of AV-C test results could have been better. Some corrections have been done to the database backend following some internal investigations so we should start to see even better results in future tests.
     
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    This is untrue I don't know where you get your information from? WSA is a superior product and all Prevx users will be upgraded to WSA at some point!

    TH
     
    Last edited: Jun 16, 2012
  4. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Its my own personal opinion, from self testing and looking at other independent results. I know the prevx team are great and are working hard as always. I am just curious as to how supposedly the database back-end got in to trouble in the first place.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Nothing has cut the detection rates in half - the Prevx database/logic exists exactly as it was within WSA's backend but now with massive improvements all around.

    The "issues" in these tests have never been in trouble for actual users. The lessened results only occur when someone tests a great deal of threats in a short period of time. The database was using a subset of rules to prevent a cascade of false positives if a rule wasn't selective enough. This was relevant when many new infections were seen in a short period of time - something the average user doesn't run into, but something antivirus tests do by design.
     
  6. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    This makes sense, thanks. I can understand how having something to stop a cascade of false positives could have such a detrimental effective on traditional testing, I do find interesting though as it could be used as an attack vector against WRSA, for example a simple code that replicates itself slightly different every time in quick succession. If i'm understanding correctly, even if it looks like a threat that there is some level of replication that WRSA would just ignore the files actions?
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    They wouldn't all be unique threats - it would be copies/new versions of the same threat, which doesn't get caught in this logic - only fully different threats.
     
  8. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    True, but what if they are a cluster threat, I am talking many small ones. If for example someone took code from other threats, and created a portal on the computer, or even multiple where many small threats are downloaded from a server somewhere, and with that also a completely unseen threat that wont get picked by WRSA as its non-recognizable, and also bundles with so many other threats WRSA considers it suspicious but ignores it because it feels that its pulling FP's. Yeah, WRSA will get rid of all the other threats and fix the problem, or someone will use other software, but that one threat that could have been caught goes away in the wind. I know its an out there situation, but maybe one you need to re-asses. I know that people are clever, and if this would work then it will be done one way or another, you guys have made it easy by explaining the problem.
     
  9. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Uh, well first of all, Prevx 3.0 was NEVER tested by the major organizations that release test reports...so we don't know (nor will we ever) how Prevx 3.0 would have done on AV-C/AV-T...

    ...Therefore, saying "cut detection in half" is a completely invalid and incorrect statement.
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Well, in any case, we removed this logic in favor of a different FP-prevention approach so it won't have any risk of this type of attack :)
     
  11. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Also, from what I saw, when it encountered such a cascade detection, it would alert the user very thoroughly to contact support for a human being to see what's going on. In a test, they would fail it because "the program didn't handle it on its own". In real life, such an exploit attempt would do nothing but get threat research professional eyes onto the situation.
     
  12. Tsast42

    Tsast42 Registered Member

    Joined:
    May 7, 2012
    Posts:
    137
    Location:
    United Kingdom
    I think it's as STV0726 said; Prevx aced all the tests it was in whilst WSA hasn't, but that's because WSA has been in more demanding and a greater variety of tests. So although it feels like a deterioration it's more that Prevx has moved up to the big league as a sole-security application so is under greater scrutiny.
     
Thread Status:
Not open for further replies.