Hitman pro cleaning traces behind Prevx

Discussion in 'other anti-malware software' started by ako, Jul 27, 2009.

Thread Status:
Not open for further replies.
  1. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
  2. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Prevx and Hitman kicking ass. Awesome. :thumb:

    How's the system after running both, responsive, most threats gone?
     
  3. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I've got a question about Hitman: does Hitman scan files using the full potential of the AVs in the cloud (heuristics, rootkit detection etc.) that the AVs normally use when scanning, or is it simply their blacklist signatures that it uses, like VirusTotal?
     
  4. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Interesting question. At least I think Loman is quite active here from time to time, but I dunno how frequent. What I do know is that it doesn't use the full potential of Prevx, at least not last time discussed.

    Joe, what is the status on Hitman Pro's implementation of your engine? Since it's indeed a part of Loman's software I figured you must be involved somehow in the development and implementation of your own in theirs.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    They use a very old version of our engine and I believe they choose files to scan based on their own decisions rather than what we choose which may explain some difference in detection.

    For Prevx's implementation, Hitman is in-between VirusTotal and the full Prevx 3.0 product regarding effectiveness but much closer to the full product than VT is :) I *think* they have some of their own rootkit detection but they don't use any of ours.
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Did they not come to an agreement with you, or just the agreement to "implement" your engine and market your product on their page?
     
  7. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    Hitman uses its own engine on the local system. It uploads suspect files to the cloud where they are scanned by the various engines. As Joe has pointed out, the Prevx engine is an older version with reduced functionality. The other engines are all full versions and up to date as far as I am aware.

    Puss
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Not sure what you mean by agreement?
     
  9. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I mean, how were they able/permitted to implement your engine in the first place, and so on with the technical details? I can't imagine the engine lying around free for everyone. :D
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes we aren't quite THAT open :D We have let them integrate it/interface with our cloud - they're using many of the components of the default installation, just in a different way from the normal user interface.
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    To shed some light on the Prevx integration:

    Hitman Pro version 2.x installed a lot of software on a computer, including Prevx CSI 1.0 and ran them after each other.

    Hitman Pro version 3.x does not install any third party software anymore. Instead it uses cloud computing to consult various anti-malware technologies from several partners, including Prevx.

    Hitman Pro version 3.x performs a behavioral scan on the PC and submits suspicious files to the scan cloud.

    It is this unique behavioral scan that can pick out of 400,000 files (on average on a Vista machine) the suspicious files. And it is this behavioral scan that can correlate registry keys and data files with the suspicious files to perform the clean up.

    It is the behavioral scan that makes Hitman Pro so fast. And it is Prevx that identifies most of the new malware that isn't yet detected by the other partners.

    And when even Prevx doesn't know it, the behavioral scan in Hitman Pro still displays a score to give a sense of the suspiciousness of a file (a score > 20 is really suspicious). In EWS mode you get more unknown suspicious files to show up when you have no connection with the internet (hence, the cloud).

    So Prevx is not used on the PC as of Hitman Pro version 3.x. But our clouds are connected.
     
    Last edited: Jul 27, 2009
  12. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Thanks, Erik. ;) Is the behavioral scan the "Early score"-thingie, or is it always in action when using HP?
     
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    The Behavioral Scan is actually my thingy so let me explain a bit on that one. The Behavioral Scan is the core of Hitman Pro 3.x and everything in Hitman Pro 3.x is based on it. This scan is actually a balanced scoring model which is based on the fact that cybercriminals scramble or minimize static and dynamic information in or related to a file. The more barriers criminals throw in to evade or complicate research and detection, the more suspicious a file is. To get an idea, here is a very brief list of some of the information Hitman Pro 3.x tries to determine and is able to correlate:
    • where a file comes from
    • how it got on your PC
    • which publisher created it
    • what purpose it has
    • whether it can be uninstalled appropriately
    • if it is visible for the user and through Windows APIs
    • if it's communicating with unreliable computers on the internet (consults public blacklists)
    • if it's compressed or encrypted (also known as entropy)
    • if it has anomalies commonly found in malicious software (we analyzed hundreds of thousands of malware files)
    • what people say about the file on security related websites (our Gossip Rating technology to detect rogue/fake AV products)
    So it is in fact an intelligent malware detection system based on association mining. Each relation/reference and static property of a file will make its score go up or down. In the end, legitimate files have a very low score, bad files always have a high score. This way Hitman Pro 3.x does not have to consult the Scan Cloud for every file on a computer and also prevents false positives. False positives are uncommon with Hitman Pro 3.x anyway: before a file is targeted for removal, the score of a file must be above the threshold, its hash signature and authenticode certificate not on our on-board whitelist, not known as safe in our cloud and marked as bad by one of the partners in the cloud.

    The Early Warning Scoring (EWS) is a set of extra logic rules that use the intelligence gathered by the Behavioral Scan. EWS is meant to help somewhat experienced users to remove 0-day malware (suspicious files that none of the cloud partners could yet identify). For example, files with typical rootkit behavior will always show up in Hitman Pro 3.x, whether the Scan Cloud is available or not and whether it identifies the file or not.
     
    Last edited: Jul 27, 2009
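The scoring-and-removal logic Mark and Erik describe above (traits push a score up, > 20 is suspicious, and removal only happens once the score, the on-board whitelist, the cloud-safe list and a partner verdict all agree), as an added illustration that is not Hitman Pro's code. The weights, trait names, the 7.0 entropy cut-off and the "Contoso Ltd" signer used in testing are constructed assumptions; only the > 20 threshold and the four removal gates come from the thread.

```python
import hashlib
import math
from dataclasses import dataclass, field

# Constructed weights for some of the traits Mark lists (an assumption, not
# Hitman Pro's real model); only the ">20 is suspicious" rule is from the thread.
WEIGHTS = {
    "unknown_publisher": 10,          # no Authenticode signer
    "hidden_from_api": 15,            # not visible through Windows APIs
    "contacts_blacklisted_host": 15,  # talks to a blacklisted address
    "high_entropy": 10,               # compressed or encrypted body
}
THRESHOLD = 20

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

@dataclass
class FileInfo:
    content: bytes
    signer: "str | None" = None               # Authenticode publisher, if any
    traits: set = field(default_factory=set)  # observed behavioural traits
def file_hash(f: FileInfo) -> str:
    return hashlib.sha256(f.content).hexdigest()

def behavioral_score(f: FileInfo) -> int:
    """Every observed trait pushes the score up; clean files stay low."""
    score = sum(WEIGHTS[t] for t in f.traits)
    if f.signer is None:
        score += WEIGHTS["unknown_publisher"]
    if shannon_entropy(f.content) > 7.0:      # constructed cut-off for "packed"
        score += WEIGHTS["high_entropy"]
    return score

def verdict(f, whitelist_hashes, whitelist_signers, cloud_safe, cloud_bad,
            cloud_online=True):
    """Removal needs every gate from the post: score, whitelist, cloud-safe, partner."""
    score, digest = behavioral_score(f), file_hash(f)
    if score <= THRESHOLD or digest in whitelist_hashes or f.signer in whitelist_signers:
        return "clean", score
    if not cloud_online:              # EWS mode: surfaced to the user, not removed
        return "suspicious (EWS)", score
    if digest in cloud_safe:
        return "clean", score
    return ("remove" if digest in cloud_bad else "suspicious"), score
```

A file can therefore score well above 20 and still not be removed: a whitelisted signer, a cloud-safe hash, or a partner that has never seen it each keeps the verdict at "clean" or "suspicious".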
  14. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Thanks for the information - it was a great source of knowledge. ;)

    Is v3 just the first step and will you evolve this product to an advanced real-time protection kind of software in the future?
     
  15. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    We are (again) working on some new ideas, but I won't go into the details of these innovations at this moment. All I can say is: just stay tuned :)
     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Sorry, I don't recall that you've written that - was it in this very thread? :D
     
  17. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Thanks Mark and Erik for your most enlightening posts. :thumb:

    It'd be great to see this develop into a full-blown, real-time AM.
     
  18. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Seemed totally clean.
     
  19. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Thanks for the testing and response ako.
     