Comodo Forum » Desktop Security Products » Comodo Internet Security - CIS » Virus/Malware Removal Assistance
Author Topic: A malware that seems to have bypassed Cis completely.  (Read 803 times)
dave1234 « on: July 26, 2009, 11:12:11 AM »

I use the whole CIS suite and have Prevx 3.00 as a backup. I have just run a full scan with Prevx and CAVS. Prevx detected what is known as Bricks of Egypt - wt.exe in C:\Program Files\HP Games, and it is regarded by Prevx as medium malware.

My first observation is that CAVS did not detect it on a full scan and I was not alerted by D+, which is set to Safe Mode, with AV on the low setting. Also, the real-time part of Prevx did not alert either.

I checked out the file description with Prevx and it appears to be legit, as it is documented as actual malware. This is puzzling, as I am wondering if this is the first time in my case that a malware has bypassed CIS completely! I know nothing is 100%, but I would appreciate forum comments on this one.

Regards
Dave1234.
Ronny (Product Translator, Global Moderator) « Reply #1 on: July 26, 2009, 11:21:25 AM »

Hi dave,

Can you upload that file to www.virustotal.com and see what the other virus scanners think of it, and/or post the results link here?
dave1234 « Reply #2 on: July 26, 2009, 11:53:06 AM »

Hi Ronny. I uploaded the file to VirusTotal and got 0/40, 0%. This would tell me it's an FP. What is confusing, though, is why Prevx recognised it and has it documented as malware in its database. I know that VirusTotal uses a stripped-down version of Prevx 3.00 (according to Prevx help), and I am now wondering if, that being the case, it may be that Prevx is the only vendor to detect this malware. However, I would have still hoped (expected?) D+ to alert. I am going to contact Prevx to find out more on this matter and will hopefully be able to report back.

Regards
Dave1234
SiberLynx « Reply #3 on: July 26, 2009, 12:39:03 PM »

Hi dave1234,

What you described was detection by scanner(s).
That is, say, normal: one scanner may flag something while another remains silent.
All of them can produce FPs, or one or both can miss real malware.

At the same time (I probably missed something), I don't see how Defense+ can be blamed here.
You did not say anything about running the said file.

Why were you expecting an alert by Defense+ during the scan, whether it was Prevx or CAV?

Another thing (irrespective of the scanning) is that when you run the executable, the alert(s) by Defense+ may not correlate with flaggings by antivirus.

Execution can be found suspect by HIPS, IDS or any other behavioural analysis (which can be true or an FP as well), but it may not currently be flagged by any AV... and vice versa.

My regards
« Last Edit: July 26, 2009, 12:41:49 PM by SiberLynx »

admin; XP Pro, SP3 (32); CIS 3.13.121240.574 (firewall only; Proactive with Defense+); Vengine 2.7.0.32; AVG free; Mamutu Behavioural Blocker

Matty_R (Global Moderator) « Reply #4 on: July 26, 2009, 12:47:23 PM »

See if you can find the entry anywhere in Defense+/Advanced/Computer Security Policy; if it is there, it may be an idea to set it as an Isolated App while checking it out.
If it's not there, it may not have been executed.

Matt
SiberLynx « Reply #5 on: July 26, 2009, 12:57:31 PM »

Quote from Matty_R:
    See if you can find the entry anywhere in Defense+/Advanced/Computer Security Policy; if it is there, it may be an idea to set it as an Isolated App while checking it out.
    If it's not there, it may not have been executed.

    Matt

Hi Matt,

That is true.

But such a question could be asked if there was anything said about execution and no alerts.
If I got the description by dave1234 right, he was talking about scanning only...
At that stage, the execution of the flagged file cannot be questioned.

But again, probably I missed something (it is too late here now :) I have to leave this box and will come back tomorrow... which has already started...)

Cheers!

« Last Edit: July 26, 2009, 01:01:59 PM by SiberLynx »

dave1234 « Reply #6 on: July 27, 2009, 12:11:57 PM »

Hello to Ronny and SiberLynx. I returned to find my prayers have been answered and my doubts about CIS unfounded!

After uploading the log file, Prevx have e-mailed me to say they have determined that the supposed malware was indeed an FP. This restores my faith in CIS, as up to now it has been bulletproof, and I was thinking it had chinks in its 3 layers of armour.

Not knocking Prevx though; it's only the 2nd FP I have had in 10 months, so no complaints overall, but I could not do without CIS as a whole. Incidentally, as Prevx is a behaviour-blocker-type app, I wonder whether it's needed at all, as we have the mighty D+? I would be interested in comments about the need or extra benefits that Prevx may provide, and whether I am wasting my money.

Regards

Dave1234.

Ronny (Product Translator, Global Moderator) « Reply #7 on: July 27, 2009, 12:27:48 PM »

Hi Dave,

Good to hear. FPs will happen with all vendors; it just depends on how fast they are fixed.
Comodo is pursuing 30-minute updates after a fix is reported on the forums here, so I'd say that's pretty fast (thumbs up)

I'm not familiar enough with Prevx, but if it's a bit like ThreatFire I'd say they're not needed next to each other.
If you switch D+ to Proactive and know how it behaves (I like Paranoid Mode), then nothing should happen.
If you use common sense on browsing etc., of course; don't play with "patches" and "cracks" on your live system, for instance ;)

I like to run scans once a week with stuff like Malwarebytes Anti-Malware or SUPERAntiSpyware and GMER and/or other rootkit scanners, then once a month with the Ultimate Boot CD for Windows and Avira; that should do the trick. Save as many log files as you can, in case you need "proof" if something should happen to your bank account.