WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    @__Nikopol
    Thanks for your testing.

    1) We have taken a quick look at the GitHub repository of "InQuest", and most of the samples are macros, pictures, parts of emails and scripts (downloaders). File types like macros were extracted from Office files, and they are fragments of malware which can't perform malicious actions, since they can't run without being part of Office files. ML-based security software scans the entire file rather than a fragment of it, which is different from signature-based AV. On the other hand, testing security software with old samples doesn't make sense; 95% of malware will disappear in a month. For example, the scripts from the GitHub repository can't download any malware since their CC server died a long time ago.

    2) For missed old samples, you can execute them in a VM to test WVSX.

    3) WVSX will only scan "vbs, js, hta, msi, jar, htm, bat" files if they have the correct file extension, because without the correct file extension, users cannot execute them directly.

    The "Assoc" problem has been confirmed; we will fix it in the next version. For the other bugs you mentioned, we will test WVSX to see if we can reproduce them.
     
    Last edited: Dec 3, 2020
  2. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Oh, OK. That makes sense. :)
    In the back of my head I thought maybe you'd run the undetected old samples to train your ML network. Many use weird obfuscation methods.

    Yea, I did upload mostly old malware or weird stuff like ShadowHammer. :)
    IMO WVSX should detect the old ones too, in order to stop them from running in the background and pinging a server that's offline (like one I could install and observe pinging easily, which WVSX would let run). I don't know if this would be a security issue or not.
    The newest samples were all detected without issues.

    I'm not a professional or in any way competent, so I hope I don't produce unnecessary work for you. :)

    At least I was somewhat useful. Haha xD
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Nice I will try it soon
     
  4. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Hm. Then I guess it will be the same for the files in the GitHub repository "malware samples/malware-feed", from which I can execute many files (mainly in "Checkpoint.rampant.kitten" and "2020.09.17.fbi-flash..."). I think they are rather recent, but I don't really know. Maybe, just to be sure, take a look into them? ESET Online Scanner found 19 files all over the system after executing the malware from that GitHub repository, while WVSX was active.

    Although... you've probably already looked into all the malware files you could find on the internet and I'm just wasting your time. :oops:
     
    Last edited: Dec 4, 2020
  5. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Thanks for your testing.
    Is there "You are protected" showing on the GUI of WVSX? Did the Behavior Detection and Memory Inspection detect any sample? If yes, there will be alerts like "WIBD.XXX." and "MEMRAY.XXX".
     
    Last edited: Dec 4, 2020
  6. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Yes, it was showing in the GUI. Yes, it detected several, but not all. Every module was activated, heuristics at "Normal". The malware was running fine in the background, though I didn't let them connect to the net and I don't know what kind of malware it is.

    I didn't upload the files because I thought it might be easier for you to download them there, and it's like 40 executable files (with active WVSX) and there is no bulk upload function. :oops:

    Edit: Misunderstood one sentence, corrected.
     
    Last edited: Dec 4, 2020
  7. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Thanks for your feedback.
    So you mean there were alerts like "WIBD.XXX." and "MEMRAY.XXX"?
    We would like to test the files named "Checkpoint.rampant.kitten" and "2020.09.17.fbi-flash...". If WVSX does have an issue detecting such a type of malware, we will get WVSX improved accordingly. :)
     
  8. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Regarding rampant.kitten, note that there are a number of variants, each of which will look for specific computer software configurations in place prior to anything malicious occurring. In other words, if Kitty looks to see if product X is installed and it determines that it is not, the file will just stop without anything malicious being done (it just dies).

    So Best Practice for those testing malware (either from GitHub or self-coded) is to run the test sample in a clean system, verify that something malicious is actually being done (where and when), and only then run that file against a given security product.
     
  9. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I don't remember if there were alerts including WIBD and MEMRAY, but every detection option in WVSX was activated, just like after a fresh install. Again, you can find them here: GitHub "malware samples/malware-feed". There were just too many for me to upload them. Sorry :)
    Ah, then it makes sense that some weren't detected. There are still those from FBI.FLASH though.
    That's too much work for me :p I just do this while watching videos, out of curiosity. I don't want to put a big amount of work into it. It does bring results, so it's good enough for me. :D This way I have probably tested more than 3000 samples already.

    --------------

    @WiseVector I am impressed by how fast the detection updates after uploading a file! I found one undetected sample in the newest VirusSign archive, ran it fine (I could even observe what it was doing with procmon), uploaded it, then no more than three minutes later I was testing another archive (they extract into the same folder) and the file was detected and deleted!
    Very impressive! And I didn't even click "Check for updates"!

    Edit: It wasn't even a fluke! Three more undetected samples took less than three minutes after uploading them until they were detected! I think that's amazing. :)
     
    Last edited: Dec 4, 2020
  10. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    @WiseVector There's an FP, or something like that, when running Malwarebytes AdwCleaner's "Basic repair". The batch file it creates is detected as: "WIBD:HEUR.AntiAV.A". Why is that detected as "AntiAV"? Because it closes all programs?
     
  11. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    I just ran basic repair, with default options, but WVSX did not kick in.
    Perhaps they already fixed it. :)
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I tried downloading WiseVector Stop-X from the website, but when I click on the download button it says "we're having trouble finding that site".
     
  13. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Last edited by a moderator: Dec 4, 2020
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you!

    I tried that link, and I get the same "can't find site" message. Maybe I have a DNS issue. Does the link work for you?
     
  15. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,617
    Location:
    Milan and Seoul
    It definitely works here.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I may have a DNS problem. I will troubleshoot it after I finish my work.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I believe my IP could be blacklisted by their host or something. I was looking in the Firefox developer console and it says "blocked by DevTools". I will try with another browser and see if I get the same results.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Brave Browser gave me the following error, which usually means you have a DNS issue: ERR_NAME_NOT_RESOLVED

    Maybe DNS records need time to propagate across DNS domains. This usually only happens when a machine's name has changed recently. It normally takes anywhere from a few hours to 48 hours for DNS to update across the Internet.

    It may not even be a DNS issue. If they are using a hosts file to block my IP, then I could get the same error message.

    Edit: 12/4/20 @ 7:31
    nslookup returned the host name.
    I guess DNS is working OK. I'm not sure what to think.
     
    Last edited: Dec 4, 2020
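The troubleshooting in the post above mixes three different failure modes (name not resolving, the host answering but refusing the client, and nothing answering at all) that browsers report with similar messages. The following is an added example, not code from the thread or from WiseVector, that separates them using Python's standard library: it maps the exception urllib raises to a category, and it takes the fetch and resolver callables as injectable parameters so the logic can be exercised offline with constructed failures (the sample exceptions and the hostname are constructed placeholders, not real observations).

```python
"""Classify a failed download by its cause: DNS failure (what a browser shows as
ERR_NAME_NOT_RESOLVED), an explicit block by the host (403/429), a timeout, or a
refused connection. Added example; assumes only the standard library."""
import socket
import urllib.error
import urllib.request
from typing import Callable, Optional


def classify_fetch_error(exc: BaseException) -> str:
    """Map an exception raised by urllib to a troubleshooting category."""
    if isinstance(exc, urllib.error.HTTPError):
        # The server answered, so DNS and the network path are fine.
        if exc.code in (403, 429):
            return "blocked-by-host"
        return f"http-{exc.code}"
    # URLError wraps the underlying socket error in .reason; bare socket
    # errors are classified directly.
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, socket.gaierror):
        return "dns-failure"            # name lookup failed
    if isinstance(reason, (socket.timeout, TimeoutError)):
        return "timeout"                # name resolved, nobody answered
    if isinstance(reason, ConnectionRefusedError):
        return "connection-refused"     # host reachable, port closed
    return "other"


def diagnose(url: str, fetch: Optional[Callable[[str], None]] = None) -> str:
    """Try to fetch `url` and return a category ("ok" on success).

    `fetch` is injectable so the function can be tested offline; by default
    it issues a real HEAD request with a 10 second timeout."""
    if fetch is None:
        def fetch(u: str) -> None:
            req = urllib.request.Request(u, method="HEAD")
            with urllib.request.urlopen(req, timeout=10):
                pass
    try:
        fetch(url)
    except Exception as exc:  # classified, not handled
        return classify_fetch_error(exc)
    return "ok"


def resolves(hostname: str,
             resolver: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Equivalent of `nslookup hostname`: True if the name resolves at all."""
    try:
        resolver(hostname)
        return True
    except socket.gaierror:
        return False


def raising(exc: BaseException) -> Callable[[str], None]:
    """Build a fetch/resolver stand-in that always raises `exc` (for offline use)."""
    def _fail(_: str) -> None:
        raise exc
    return _fail


# Constructed sample failures, one per category, for offline demonstration.
SAMPLE_FAILURES = {
    "dns": urllib.error.URLError(socket.gaierror(-2, "Name or service not known")),
    "forbidden": urllib.error.HTTPError("http://example.invalid/", 403,
                                        "Forbidden", {}, None),
    "timeout": urllib.error.URLError(socket.timeout("timed out")),
    "refused": urllib.error.URLError(ConnectionRefusedError("refused")),
}

if __name__ == "__main__":
    # Placeholder hostname; replace with the download host being troubleshot.
    for name, exc in SAMPLE_FAILURES.items():
        print(f"{name:>9}: {diagnose('http://example.invalid/', fetch=raising(exc))}")
    print("resolves (offline stand-in):",
          resolves("example.invalid", resolver=raising(SAMPLE_FAILURES["dns"].reason)))
```

A "dns-failure" result points at the resolver or a hosts-file entry on the client side, while "blocked-by-host" means the name resolved and the server deliberately refused the request, which is the IP-range blacklisting case discussed later in the thread.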
  19. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    @Cutting_Edgetech:
    My link does work.
    You may have a serious issue, perhaps a DNS-Hijack on your machine, or router.
    Are you able to download other security software, for example KAV?
     
    Last edited: Dec 7, 2020
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm able to download other security apps. I have Eset Internet Security, ERP 4, and MBAE installed on this machine. I use this machine primarily for school. I don't think it is infected. Maybe Eset Firewall is blocking more than it should. I'm not sure what the issue is yet.

    Thank you for the pm!
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    WVSX main website is HERE...
    https://www.wisevector.com/en/

    Their download site is as @Hiltihome posted in comment #889 above.

    Their sites all work fine for me, here in Hawaii. I hope you get your problem solved.

    P.S. There is a download link further down the page on WVSX's main website. Have you tried using that -- instead of using Hiltihome's link?
     
    Last edited: Dec 4, 2020
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I tried downloading the installer so many times that I'm blocked from the website now. Some of the troubleshooting I did could have been detected as an attacker doing reconnaissance. The host for the installer may have had my IP range blacklisted. As you know, sometimes hosts will block an IP range that also includes innocent users. I only started using this IP range about 3 weeks ago. My ISP keeps changing back and forth between a 184.XXX.. range and a 216.XXX...
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I did a quick scan with WiseVector Stop-X and it did not find any threats. It took quite a while for a quick scan; longer than I expected. I noticed that the scan log is empty. It failed to log the scan, so I don't know how long it took.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just changed the Heuristics from normal to high.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)