Actually, MRG Effitas dropped the ball on this one. In the beginning of the report they say they used a browser extension in order to simulate banking trojans, but on page 37/38 they don't mention anything about extensions, so it looks like the simulator was running like a standalone malicious app, just like real banking trojans. I'm guessing only so-called "Safe Browsers" will pass this test, because they simply won't allow any extensions to be installed, or only approved ones. And they will of course also block process memory modification of the browser. So AVs who don't offer this will of course fail, and it's quite hard, if not impossible, to protect against malicious extensions once they are running. To clarify, this test has never been released by Zemana, but they emailed it to me privately. They considered it to be too dangerous, which is a bit weird since people can simply download banking trojans and run them in VMs for anti-malware testing. But I can PM you with a download link if you want to.
They used the ZombieBrowser extension as described within this report: https://www.mrg-effitas.com/wp-content/uploads/2019/08/2019Q2-Online-Banking.pdf . Firefox has long blocked the stock version of this add-on: https://blocked.cdn.mozilla.net/i168.html . Hence, the obfuscated modified version developed by MRG. And I agree that products that passed the test did so by not allowing the extension to install in the browser.
@itman Thanks for the info. But the link you gave is dated "2019". Do they still use the same Zombie "tech", aka extension-based testing? I thought they nowadays use a more sophisticated method rather than a browser-extension-based approach. Something like a memory injection/hooking-based approach, which is not a browser-extension-based method?
I finally gave up on testing WVSX 3.01 beta, because of the upload speed issue. WVSX off vs on: 100/10 Mbit/s is my regular speed. No issue with WVSX 2.73.
@Hiltihome Try testing with different browsers, like Chrome, Firefox, Edge, with/without any browser extensions enabled?
It doesn't make any difference which browser I use, or whether add-ons are enabled or not. If WVSX is running, upload speed is low. I also used a measuring app, with the same poor results. WVSX 2.73 does not affect my upload speed.
Thanks, nice find, I forgot about this. So I'm guessing that the simulator simply tries to install the Zombie extension, but once it succeeds it's probably game over. Can't believe that browser developers like Google, Microsoft and Mozilla still haven't come up with a way to protect against malicious extensions even when they are already running. It's shocking how many capabilities the Zombie extension has, and this means that basically all extensions in the Chrome Web Store can perform the same stuff, makes you think. https://github.com/Z6543/ZombieBrowserPack Well, actually this is quite sophisticated, because it's hard to protect against rogue extensions. But I agree, real-life banking trojans don't use extensions, so I also don't see the point. It would be better if they tested all of these AVs against an already infected machine, now that would be interesting. So this would mean that the banking trojan is already running on the system. I wonder how WVSX would perform.
This truly is a weird issue, why would WVSX interfere with download or upload speed? And BTW, I also have a 100/10 Mbit connection, but I wish upload would become a bit faster, it's kinda annoying when uploading big files to Google Drive. So fiber optics clearly has the edge over cable when it comes to this, at least for now. BTW, I believe that WVSX needs a better GUI, I installed the latest beta, but I couldn't find the HIPS rule maker.
Very difficult, if not impossible, since AVs w/ a banking protection feature open a "hardened" browser instance.
Sorry, we have tested this many times and have not found any necessary connection between the upload speed issue and WVSX 3.01. It may have something to do with our different locations. If anyone would like to help test it out, we would be very grateful. The way to test: please go to https://www.breitbandmessung.de/ -> click "Browsermessung" -> click "Browsermessung starten" -> you will see the upload and download speed -> exit WVSX -> wait for a while -> click "Test wiederholen" -> click "Browsermessung starten" -> observe if there is a change in speed -> please test a few more times if you can. Thanks in advance!
Just tested three times with and without WVSX running. There is no significant difference between the two scenarios (less than 0.2 Mbps).
WVSX (v3.01 beta at default settings, Win10 Pro) blocks as 'Trojan.Generic': C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_dc7a0fe3ada1cbf5\OneApp.IGCC.WinService.exe (Trojan.Generic). I chose to Quarantine, but when I looked in there afterwards, there was nothing. Any ideas what this was, and whether the block was legit? Could it be OneDrive related, and can I exclude it?
That's the thing, this stuff should be tested in a scenario where the machine has already been infected. I would rather see MRG using real-life banking trojans instead of extensions, which can simply be blocked from loading.
Sorry for the inconvenience. We have received the same feedback from other users and we resolved this FP immediately. This problem should not appear again, thanks for your feedback.
Thanks @Rasheed187. I have always reserved and set aside an independent PC just for such occasions as testing BOTH malware and security programs on a raw machine. Some malware in the past has embedded code that simply refuses to work in VMs. This way any sample has a free field to run wild and the user can safely see hard results on whether a security program can be fully trusted to combat malware and prove its claims, or not.
I had just completed a required restart to complete the install of a driver, earlier, thru Windows Updates. So, while everything was loading in the systray, i.e. my start-up programs, I got a warning that WVSX had taken action. When I checked the logs, I found it had blocked a file, but not quarantined it. I have since scanned the relevant file, and it is clean. I find it a little strange that this action occurred.