Prevx software analyzes malware behavior to pick up where antivirus products leave off

Tim Wilson, Editor in Chief, Dark Reading, Contributor

January 9, 2007


Your computer is infected. You've contracted some sort of malware file that slipped past your antivirus software, probably because it's something new. You know the name of the file, but you're not sure what it is -- or how to get rid of it.

What do you do now?

For more than a million savvy users and IT professionals each day, the answer is to look up the filename on Google, Yahoo, or some other search engine. If the file is a bad one, someone's sure to have detected it and posted a suggested fix, right?

Wrong, says Jack Erasmus, CTO of Prevx, a small U.K.-based security software vendor. "What a lot of people don't know is that it sometimes takes search engines anywhere from two to 15 days to recognize and list a malware filename in its search results," Erasmus says. "You could search for a file and find nothing about it, and all the while you're being infected."

Prevx thinks it has developed a better backup plan for those exploits that escape the mainstream antivirus packages: Prevx1, an anti-malware application that analyzes application behavior, as well as traditional malware signatures.

Unlike antivirus products, which scan for malware based on known "signatures" that have been discovered previously, Prevx uses heuristics to seek out applications and processes that behave suspiciously on the end user's machine. When such suspicious activity occurs, the client reports the behavior to the Prevx database, where it is analyzed through both automated and manual study.

"As a result, we're finding malware that not only isn't identified by the antivirus tools, but isn't even recognized by the search engines yet," says Erasmus. The Prevx1 software will then perform a cleanup on the end user's machine, isolating or removing data or applications that might be malicious.

The Prevx software costs just $24.95 for a one-year subscription, and can be used as "insurance" against infection by new malware, Erasmus says. "You can download it and leave it on your machine, and if you never get infected, we don't charge you anything," he says. If Prevx1 finds an infection and cleans it, then the user has 30 days to decide whether to license it.

So far, however, Prevx gets most of its customers from Google searches on suspicious files that haven't been identified by other security vendors -- or even by the search engines themselves. "Most of our customers are people who are already infected," Erasmus says. "People start searching on filenames that seem suspicious, and they end up talking to us because nobody else has any data about them." About 70 percent of Prevx's customers already have some sort of antivirus software in place, Erasmus says.

The search engine approach to malware research doesn't always work well, Erasmus warns. Prevx is already trying to encourage the search engine vendors to fast-track information about malicious files, so that it shows up in search results faster.

But even that might not solve the problem in the future, Erasmus says. "Attackers are getting wise to the search engine practice, and they've begun to rename their files to make them more difficult to search," he observes. "One attacker named his file '.exe,' which returns about 176 million results on Google."

The heuristics approach is a better backup for antivirus tools, because it analyzes malware behavior, rather than filenames, Erasmus says. "No matter what they call it, we can usually spot it."
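The contrast the article draws, between a name-based lookup (a search engine query or a signature list keyed on filename) and a resident monitor that scores what a process does, can be shown with a small illustrative detector. This is an added example written for this page, not Prevx code and not a description of how Prevx1 works internally: the "known bad" name list, the behavior categories, their weights, the threshold and the sample process events are all constructed for the demonstration. It reproduces the point in the last two paragraphs: a sample renamed to `.exe` slips past the name lookup but still trips the behavior score.

```python
"""Filename lookup vs. behavior heuristics: an illustrative scorer.

Added example, not Prevx code. The name list, behavior categories,
weights, threshold and sample events below are constructed for the demo.
"""
from dataclasses import dataclass, field

# Constructed: a tiny "signature" list keyed on filename, which is all a
# search-engine query or a filename-based blocklist can match against.
KNOWN_BAD_NAMES = {"svch0st.exe", "winlogon32.exe"}

# Constructed: behaviors a resident monitor might observe, with arbitrary
# illustrative weights. Real products tune these against large corpora.
BEHAVIOR_WEIGHTS = {
    "runs_from_temp": 2,
    "adds_autorun": 3,
    "injects_into_process": 4,
    "disables_security_tool": 4,
    "deletes_own_binary": 3,
    "unsigned": 1,
}
SUSPICION_THRESHOLD = 5  # constructed cut-off for reporting to the back end


@dataclass
class ProcessEvent:
    """One observed process: its filename, on-disk path and observed behaviors."""
    name: str
    path: str
    behaviors: set = field(default_factory=set)


def signature_match(event: ProcessEvent, known_bad=KNOWN_BAD_NAMES) -> bool:
    """Name-based lookup: only hits if the filename is already on the list."""
    return event.name.lower() in known_bad


def behavior_score(event: ProcessEvent, weights=BEHAVIOR_WEIGHTS) -> int:
    """Sum the weights of every suspicious behavior observed for the process."""
    return sum(weights.get(b, 0) for b in event.behaviors)


def is_suspicious(event: ProcessEvent, threshold=SUSPICION_THRESHOLD) -> bool:
    """Behavior-based verdict, independent of whatever the file is called."""
    return behavior_score(event) >= threshold


def classify(event: ProcessEvent) -> list:
    """Return the detector(s) that flag the event: 'signature', 'behavior', or neither."""
    hits = []
    if signature_match(event):
        hits.append("signature")
    if is_suspicious(event):
        hits.append("behavior")
    return hits


def build_report(events) -> dict:
    """What a client would send upstream for analysis: only the flagged events."""
    return {
        e.path: {"name": e.name, "score": behavior_score(e), "flagged_by": classify(e)}
        for e in events
        if classify(e)
    }


# Constructed sample events (paths and names are made up for the demo).
SAMPLE_EVENTS = [
    # Known name AND suspicious behavior: both detectors agree.
    ProcessEvent("svch0st.exe", r"C:\Users\alice\AppData\Local\Temp\svch0st.exe",
                 {"runs_from_temp", "adds_autorun", "unsigned"}),
    # Same kind of behavior, but renamed to ".exe": the name lookup has nothing
    # to match, so only the behavior score catches it.
    ProcessEvent(".exe", r"C:\Users\alice\AppData\Local\Temp\.exe",
                 {"runs_from_temp", "adds_autorun", "injects_into_process"}),
    # Benign system binary: no suspicious behavior, nothing flagged.
    ProcessEvent("notepad.exe", r"C:\Windows\System32\notepad.exe", set()),
    # Unsigned installer from Downloads: below threshold, stays unflagged.
    ProcessEvent("setup.exe", r"C:\Users\alice\Downloads\setup.exe", {"unsigned"}),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.name:12} score={behavior_score(ev):2}  flagged_by={classify(ev)}")
```

The weights are deliberately crude; the design point is only that the second detector keys on observed actions (where the process runs from, whether it persists, whether it touches other processes) rather than on a string the attacker controls, so renaming the file changes nothing about its score.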

— Tim Wilson, Site Editor, Dark Reading

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading

Contributor

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
