Hi Guys
First some background. Prevx began developing HIPS products in 2001. Prevx launched Prevx Enterprise in Q2 2003 and this was followed with Home and Pro (May 2004/October 2004 respectively). Prevx Home was the first volume consumer HIPS product, with around 1.2 million active users. As you will probably already know, Prevx Home and Prevx Pro included a 'call home' feature which allowed us to collect anonymous threat information across the web. In 18 months we had built a data mountain of some 3+ terabytes.
After much analysis of this info it became patently clear that the mass consumer market just cannot deal with the technically oriented popups. In fact most users are more afraid of stopping their system working by choosing to stop an app (or indeed an attack) than they are about the risk of being infected. Simply put, a user has a greater than 70% probability of allowing an event than stopping it. This made a complete mockery of the protection we were trying to provide. True, for a technically advanced user Prevx Home/Pro had a lot going for them. But few users want to step through an app one potentially malicious step at a time. The vast majority (> 99%) of users want a security application to just protect them, with zero popups if possible, but above all else easy to use. Enter Prevx1.
Prevx1 monitors more than 120 different system behaviours. It anonymously reports 'unique' application behaviour back to our community database, which then monitors this feed in real time, constantly assessing and re-assessing an application's behaviour. Also, this process is not just associated with looking for malicious code; it is also looking to identify benign code too.
To give you some perspective on this, we are currently seeing more than 50,000 unique new executables each and every day (actually closer to 100,000 in the last few weeks). Around 2.5% are found to be malicious!
Our community database gives us an ability to determine malicious code more accurately and with fewer false positives. It also has a wide range of information at its disposal which HIPS would never have: such as knowing that a piece of code never, or rarely, uses the same name twice; such as knowing that a specific file has many executable forms; such as knowing that this piece of code is only ever created by known malware. In total the database has more than 200 datapoints to determine the ancestry, genetics, behaviour and propagation of an entity. The community database is getting stronger and stronger every day.
In the last month we have noticed, based on comments in forums like this, that we are spotting new malware faster and faster. Just take a look at the number of first, and often only, entries we are getting under Google for new malicious file names. It speaks volumes about the effectiveness of our technology to detect and determine new malware first.
Claim 1: We are beginning to see more malware than others and we are seeing it faster. This advantage is growing every day. We may not win every battle or test but we are winning more and more each day. We see our technology is on the ascent while others are struggling to keep pace.
Beyond spotting new malware we are also seeing mutations of existing malware almost instantly. This last week we saw, and immediately protected against, a new agent of Spyware Quake and Spy Falcon. See Google: http://www.google.com/search?q=atmclk.exe.
Claim 2: We are tracking and protecting against more variants and mutations than others and we are doing this faster every day.
We recently added the first generation of our clean up technology into Prevx1. Because of our community database we can also see the success or failure of our clean up technology. The next two releases will see this important aspect of the product improved further to address some of the really tricky clean up operations that we know are defeating all other security products.
Now to the crux: how to test Prevx1. If you want to test Prevx1 as a pure behaviour-based app, then let us configure it that way for you; that is really easy for us to do. You will get more alerts, and it will win tests. But get this: the mainstream user doesn't want it, and as our technology gathers momentum we don't think even techies need it.
Remember, Prevx1 will NOT allow any unknown code execution on a user's PC without a prompt. Therefore testing Prevx1 with a piece of code which you choose to run has already bypassed Gate 1 of our protection. Once you have chosen to allow an app to run, we will monitor its behaviour centrally. We have made matters worse for ourselves by marking many of these tools as safe. Safe apps are immune from our behavioural checking. Consequently, we will always fail these tests. Maybe we should just mark all of these as caution. The user will be prompted and the behaviour will then be checked.
We speak to large enterprises all the time who are trying to deploy and manage HIPS and other behavioural products. These are simply not working at scale. They still have too many false positives for widespread adoption. One false positive in a commercial environment can stop thousands of users from working, at a cost running into hundreds of thousands an hour. Most of the time these products are detuned to provide minimal protection in return for less interruption.
Remember also that behavioural products are not immune from zero-day either. They only trap certain behaviours or patterns of behaviours. These patterns must be updated as malware evolves. They are not a solid-state defence or panacea!
Each week we take the malware samples harvested in the wild and fire them at more than 10 of the top security products. The average detection score is around 50% and declining. Even running all apps together the detection is only around 95%.
We are building products geared for real world conditions. Prevx1 is protecting thousands of new users each day, detecting and removing infections that their existing security product did not know about. It is well worth noting that all of our traffic is search engine generated, which typically means that these users have an infection and found us looking for the cure.
We are not trying to score points here against other products. We know we have created a different approach with Prevx1. It is slowly but surely overtaking many other products and we are confident this trend will continue. After all, we do have more information at our disposal about the make-up and distribution of malware than any other company. So please don't think of Prevx1 as HIPS; it is a very different model.
Now enter Prevx 2.0 extending the knowledge gained through Prevx1 deployment, feedback and lessons learnt. See www.prevx.com for more details.
We welcome your thoughts.
Regards
Prevx
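The post describes an execution gate (unknown code is prompted for, code marked safe runs without behavioural checking, cautioned code is prompted for and then monitored) fed by community datapoints such as a hash that keeps changing its filename or a file only ever created by known malware. The following is an added illustrative model of that decision logic, not Prevx code and not a description of how Prevx1 actually scores files: the record fields, the thresholds, the class names and the sample reports are all constructed assumptions for illustration.

```python
"""Illustrative community-reputation execution gate.

Added example, not Prevx's code. It models a community database keyed by
file hash, records a few of the datapoints the post names (the filenames a
hash has used, which processes created it, how many endpoints report it)
and derives the gate the post describes: known-safe code runs unmonitored,
known-malicious code is blocked, and unknown or cautioned code is prompted
for and then behaviour-monitored. Thresholds, field names and the sample
reports are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

MANY_NAMES = 5   # assumed: one hash under this many filenames is suspicious


@dataclass
class FileRecord:
    names: set = field(default_factory=set)      # filenames this hash has used
    parents: set = field(default_factory=set)    # hashes of processes that created it
    endpoints: set = field(default_factory=set)  # endpoints that reported it
    verdict: Optional[str] = None                # "safe" / "malicious" / None


class CommunityDB:
    def __init__(self):
        self.records = defaultdict(FileRecord)

    def report(self, sha256, name, parent_sha256, endpoint):
        """Record one anonymous 'file created' report from an endpoint."""
        rec = self.records[sha256]
        rec.names.add(name.lower())
        if parent_sha256 is not None:
            rec.parents.add(parent_sha256)
        rec.endpoints.add(endpoint)

    def set_verdict(self, sha256, verdict):
        assert verdict in ("safe", "malicious")
        self.records[sha256].verdict = verdict

    def is_known_malicious(self, sha256):
        rec = self.records.get(sha256)   # .get() does not create entries
        return rec is not None and rec.verdict == "malicious"

    def classify(self, sha256):
        """Return (class, reasons). Explicit verdicts win; otherwise derive a
        class from the datapoints. Prevalence alone never yields 'safe'."""
        rec = self.records.get(sha256)
        if rec is None:
            return "unknown", ["never seen by the community"]
        if rec.verdict == "malicious":
            return "malicious", ["known malicious"]
        if rec.verdict == "safe":
            return "safe", ["known safe"]
        reasons = []
        malicious_parents = [p for p in rec.parents if self.is_known_malicious(p)]
        if rec.parents and len(malicious_parents) == len(rec.parents):
            return "malicious", ["only ever created by known malware"]
        if malicious_parents:
            reasons.append("sometimes dropped by known malware")
        if len(rec.names) >= MANY_NAMES:
            reasons.append(f"seen under {len(rec.names)} different names")
        if reasons:
            return "caution", reasons
        return "unknown", [f"no verdict; reported by {len(rec.endpoints)} endpoint(s)"]


ACTIONS = {
    "safe": "allow",              # runs with no behavioural monitoring
    "malicious": "block",
    "caution": "prompt+monitor",  # user is asked, then behaviour is watched
    "unknown": "prompt+monitor",  # 'Gate 1': unknown code never runs silently
}


def execution_decision(db, sha256):
    cls, reasons = db.classify(sha256)
    return cls, ACTIONS[cls], reasons


def build_demo_db():
    """Constructed sample reports (not real telemetry)."""
    db = CommunityDB()
    for i in range(50):   # widely deployed, stable name, explicitly marked safe
        db.report("sha_shell", "explorer.exe", "sha_os", f"host{i}")
    db.set_verdict("sha_shell", "safe")
    db.set_verdict("sha_dropper", "malicious")
    for i in range(3):    # only ever written to disk by the known dropper
        db.report("sha_payload", "update.exe", "sha_dropper", f"host{i}")
    for i in range(6):    # same hash, a different filename on every endpoint
        db.report("sha_poly", f"r{i}.exe", "sha_installer", f"host{i}")
    db.report("sha_newtool", "mytool.exe", None, "host0")   # seen once, no verdict
    return db


if __name__ == "__main__":
    demo = build_demo_db()
    for sha in ("sha_shell", "sha_dropper", "sha_payload", "sha_poly", "sha_newtool"):
        print(sha, execution_decision(demo, sha))
```

Two design points worth noting. The "safe" branch is exactly the path the post says makes its own product fail tests: once a hash carries a safe verdict it is allowed with no behavioural monitoring, so a test tool marked safe will never be caught by the behavioural layer. And the model deliberately never derives "safe" from prevalence or a stable filename alone; being widely installed is not evidence of being benign, so an explicit verdict is required before monitoring is switched off.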