WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Inconsistency may be caused by the huge distance to Frankfurt.
    Ping 190ms must be at least 25 hops, likely more.
    I'm only 5 hops away, ping 12ms.

    I have WiFi disabled, and don't use a browser, but the Windows app,
    from Breitbandmessung.de
     
  2. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
The issue is that average users will follow the advice to block.
    Blocking updates may cause security risks.
     
  3. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
Could you please send the file to virus@wisevector.com? We will analyze it, and if it is benign we will whitelist it.
     
  4. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    File sent.
    It's the update checker from the app TC4shell.
    https://www.tc4shell.com/
     
  5. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    190
    Location:
    Poland
    Hi @WiseVector, any news about Floxif infection? Any self-protection update?
     
  6. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Thanks. We have whitelisted this file.
     
  7. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
Sorry for the delay. We have tested the Floxif samples you provided; WVSX's advanced detection blocked them all. :geek:
     
  8. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Thank YOU,
    for stellar support.
     
  9. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    190
    Location:
    Poland
    Ok, now I know the true value of your app...
     
  10. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
I'm sorry if you're not happy about the answer, but it's true: Floxif didn't infect the system in our testing.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
Yes, I can understand that WVSX performs quite well when it comes to blocking code injection. But my question is purely technical. There are 4 tools that claim to block banking trojans proactively, but they do it in different ways, let me explain:

    HitmanPro.Alert: alerts about modified browser memory
    G Data BankGuard: alerts about modified browser memory and replaces the modified API's
    Trusteer Rapport: blocks modification of browser API's related to SSL network traffic
    SpyShelter: blocks modification of browser API's related to SSL network traffic

    So my question is, do you know how Trusteer and SpyShelter are able to block banking trojans from setting network hooks even after code injection? This has strangely enough never been explained. Or perhaps I'm misunderstanding and they are simply blocking code injection, similar to other HIPS?
     
  12. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    We tested with iVPN + WireGuard enabled. Sometimes the internet speed is even faster when WVSX is on, in most cases there is only a minor difference.

    WVSX is on

    Capture28.PNG

    WVSX is off

    Capture29.PNG
     
  13. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    It is possible to detect user mode hooks. For example, for inline hooks the standard way to do this is to overwrite the first 5 bytes of the function with a jump to malicious code, so the AV can check the first 5 bytes to see if the function has been hooked or not.
     
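The 5-byte prologue check described in the post above, as an added example that is not WiseVector's code or from the original thread. It works on plain byte buffers so it runs anywhere; on Windows the "live" bytes would be read from the loaded module and the "clean" bytes from the on-disk image. The sample stub bytes (an x64 ntdll-style syscall stub and a hooked copy) and the module range used for the target check are constructed for illustration.

```c
/* Added example: detecting an inline (trampoline) hook by inspecting the
 * first bytes of a function prologue. Not code from the original page.
 * All sample bytes and addresses below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROLOGUE_LEN 5   /* a rel32 jmp needs 5 bytes, the classic inline hook */

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,        /* E9 xx xx xx xx       : jmp rel32 */
    HOOK_JMP_INDIRECT,     /* FF 25 xx xx xx xx    : jmp [rip+disp32] (x64) / jmp [abs] (x86) */
    HOOK_PUSH_RET,         /* 68 xx xx xx xx C3    : push imm32; ret */
    HOOK_BYTES_MODIFIED    /* no known trampoline, but differs from the clean copy */
} hook_kind;

/* Step 1: cheap pattern check on the first bytes of the function. */
hook_kind classify_prologue(const uint8_t *code, size_t len) {
    if (len >= 5 && code[0] == 0xE9) return HOOK_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return HOOK_JMP_INDIRECT;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) return HOOK_PUSH_RET;
    return HOOK_NONE;
}

/* Step 2: compare against a clean reference copy. This is the stronger check:
 * it also catches patches that do not use one of the standard trampolines. */
hook_kind check_inline_hook(const uint8_t *live, const uint8_t *clean, size_t len) {
    hook_kind k = classify_prologue(live, len);
    if (k != HOOK_NONE) return k;
    return memcmp(live, clean, len) == 0 ? HOOK_NONE : HOOK_BYTES_MODIFIED;
}

/* Decode where an E9 jmp goes: target = address of next instruction + rel32. */
uint64_t jmp_rel32_target(uint64_t func_addr, const uint8_t *code) {
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);
    return func_addr + 5 + (uint64_t)(int64_t)rel;
}

/* Caveat: a jump is not automatically malicious. Hot-patching, AV/EDR user-mode
 * components and debuggers plant the same bytes. Whether the target lies inside
 * the function's own module is a cheap first filter before raising an alert. */
int target_in_module(uint64_t target, uint64_t mod_base, uint64_t mod_size) {
    return target >= mod_base && target < mod_base + mod_size;
}

/* Unhooking: write the clean bytes back over the trampoline.
 * Returns how many bytes had been changed. */
size_t restore_prologue(uint8_t *live, const uint8_t *clean, size_t len) {
    size_t changed = 0;
    for (size_t i = 0; i < len; i++) {
        if (live[i] != clean[i]) { live[i] = clean[i]; changed++; }
    }
    return changed;
}

/* Constructed samples (not taken from any real binary):
 *   clean : mov r10,rcx ; mov eax,0x3F ; syscall ; ret
 *   hooked: first 5 bytes replaced by jmp +0x1000, rest untouched
 *   patched: same stub with only the immediate changed (no trampoline) */
const uint8_t sample_clean[]   = {0x4C,0x8B,0xD1, 0xB8,0x3F,0x00,0x00,0x00, 0x0F,0x05, 0xC3};
const uint8_t sample_hooked[]  = {0xE9,0x00,0x10,0x00,0x00, 0x00,0x00,0x00, 0x0F,0x05, 0xC3};
const uint8_t sample_patched[] = {0x4C,0x8B,0xD1, 0xB8,0x40,0x00,0x00,0x00, 0x0F,0x05, 0xC3};

/* Restore a copy of the hooked stub and report how many bytes were repaired,
 * or (size_t)-1 if the result still does not match the clean copy. */
size_t demo_restore(void) {
    uint8_t live[sizeof sample_hooked];
    memcpy(live, sample_hooked, sizeof live);
    size_t changed = restore_prologue(live, sample_clean, PROLOGUE_LEN);
    return memcmp(live, sample_clean, sizeof live) == 0 ? changed : (size_t)-1;
}

int main(void) {
    const uint64_t func_addr = 0x1000, mod_base = 0x1000, mod_size = 0x800; /* constructed */
    hook_kind k = check_inline_hook(sample_hooked, sample_clean, PROLOGUE_LEN);
    printf("hooked stub: kind=%d\n", (int)k);
    if (k == HOOK_JMP_REL32) {
        uint64_t t = jmp_rel32_target(func_addr, sample_hooked);
        printf("  jmp target 0x%llx, inside module: %s\n",
               (unsigned long long)t, target_in_module(t, mod_base, mod_size) ? "yes" : "no (suspicious)");
    }
    printf("patched stub: kind=%d\n", (int)check_inline_hook(sample_patched, sample_clean, PROLOGUE_LEN));
    printf("restored %zu bytes\n", demo_restore());
    return 0;
}
```

The two-step shape matters in practice: the pattern check alone misses hooks that patch deeper into the function or use unusual trampolines, while the byte-compare alone flags legitimate hot-patches and the AV's own hooks, so a real scanner pairs the compare with an allow-list or a jump-target check like the one above.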
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
OK thanks, this is some useful info. I think they are indeed probably monitoring this stuff, so this would mean that they can block it even after successful code injection. I have tested SpyShelter against the Zemana SSL keylogger simulator and it will always correctly block it from setting network hooks, even if you allow it to install a global hook.
     
  15. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
That's not the case for me. A few days ago, I had no internet connection again. After shutting down WiseVector I had internet access again. I had kept WiseVector closed since I noticed the speed issues, but I rebooted a few days ago, so WiseVector was running again.
     
  16. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    344
    Location:
    Finland
In the recent MRG-Effitas test, they use an (in-house coded?) "Banking Simulator test". Only Eset, Malwarebytes and Symantec Endpoint passed this test.
    It would be interesting to know what kind of method they use for this simulator test.
     
  17. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
That's a lottery in these tests; you never know which AV will win, and what methods they use, so I stopped looking at them. I am a bit confused with WVSX standard: it does not seem to update, so I disabled its connections, also because it is not using the cloud and is doing everything locally, so what's the point of letting it connect?
     
  18. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    When testing AV it is better to use in-the-wild malware since AV often has a higher tolerance for programs produced by reputable companies.
     
  19. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
If possible, you can also try to use some BitTorrent clients to download big files at maximum speed, and then check if the download speed will be affected when WVSX is on.
     
  20. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    WVSX is constantly updating for signatures, models, etc. So it is better to allow internet access for WVSX.
     
  21. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    I can't do that when I have no internet connection. For now, I never have WiseVector running due to the internet problems.
     
  22. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
Sorry, but I don't quite follow you. Do the "internet problems" mean that whenever your computer resumes from sleep, you must quit WVSX to get an internet connection?
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Actually, the Zemana simulator is wrongly detected by Win Defender as malware. But to clarify, it's a tool that I use to test if SpyShelter works correctly. This simulator will use global hook and DLL injection to intercept network traffic and SS correctly blocks it, even if you allow code injection.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Rasheed187 - Could you possibly share the link to that particular test. Thanks
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Refer to pages 37-38 in the .pdf download. Remember the MRG simulator test uses custom code written by them. What is described in the write-up lists what non-detected activity results in test failure.
     