WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
  3. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Hi,

    Thanks @cruelsister for your reply.

    WiseVector StopX has an anti-keylogging function. However, WVSX will not prompt the user every time a suspicious API (such as SetWindowsHookEx) is called. In order to avoid too many pop-ups, we will let AI determine whether a behavior should be intercepted. It is recommended to use in-the-wild malware for testing security software instead of laboratory-made software.

    In addition, the question raised by users should not only refer to keyloggers, but also to data-stealing software. According to our observations, it is difficult to find malware that is a pure keylogger. In fact, every day we catch thousands of new data-stealing Trojans. Most of them are AgentTesla, Formbook, Hawkeye, Poulight, Masslogger, Java Qealler, Emotet, Dridex, Lokibot and other malware families. They not only have the ability to record every keystroke, but also collect the user's cookies, FTP passwords, email passwords and passwords stored in browsers, and then send the data to their servers. Since accessing the browser folder is a common behavior (anti-virus software and system cleaning tools, for example, will read it), our multi-layer detection is designed to detect data-stealing software with a high detection rate without false positives. If WVSX reports WIND:HEUR.InfoStealer.XXX, it proves that you have encountered a data theft Trojan.

    If anyone can find a data-stealing trojan in the wild that can bypass WVSX, please let us know.
     
  4. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Hi @Krusty

    Yes, as @roger_m said, WiseVector StopX doesn't detect EICAR test files.
    If you try to test an AV, you'd better disable WD first with Defender Control, since once WD detects malware, the malware will be locked by WD and other AVs cannot access it. Please run both the AV and the malware samples in a virtual machine; it's better if the samples are in-the-wild malware, then the testing result can be more precise.
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
  6. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
  7. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Hi WiseVector,

    May I ask what your business model is? The same like Toolwiz.com (the makers of Toolwiz Timefreeze)?
     
  8. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    WiseVector- Thank you for an excellent reply! I do agree that so far I haven't been able to bypass WV with any current in-the-wild data stealers; even a modified (by me) Hawkeye was easily detected and dispatched.

    Your point about in-the-wild vs lab-created is a good one, but nonetheless I can assure you that a person with decent Python skills can code a keylogger that can capture and transmit information without current WV detection. Although FUD and certainly NOT in the wild, the addition of some sort of outbound alerting firewall by the user of WiseVector cannot be a bad thing, as ANY data-stealing malware (whether detected or not) MUST be able to transmit stolen information out in order to achieve its nasty purpose.

    Finally, I am becoming more impressed by the (so far) lack of false positives.
     
  9. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    In the near future, some advanced features will be charged for, and the basic features that keep users safe from malware will remain free.
     
  10. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Yes, you are right! Adding some sort of outbound alerting firewall is a good choice for our users in case the situation you posted here occurs.
    We will add network control in the future. ;)
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Unfortunately my WD machine locked up the same way my machine running Norton did. I guess it doesn't play nicely on my machines. To be fair, two AVs shouldn't be running on a machine anyway.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    A combo of epic proportions!

    Lite and not at all resource hungry is the way we always like to proceed on this end and is proven iron-clad effective as well as durable.
     
  13. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    OMG heard this many times over my 16 years here. o_O :D A new Savior!
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    So have I and catchy too. No end all by any stretch but not such a bad combo unless Microstuff WD is your Savior! o_O:D
     
  15. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
  16. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,935
    Location:
    UK
    Still no issues here using WV in a daily usage situation.
     
  17. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Thank you for answering my question.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Same. It's one of those install-and-forget real-time protections for my systems. Nothing even hinting of any disjointed concern.
    Shadow Defender + Sandboxie are on-demand complementary supports and have been since 8.1 first came out.
    Nice to have WiseVector StopX coupled with Comodo when sampling. Kudos to @cruelsister for her impressive results and reviews to that end with CFW.

    Thank You @WiseVector for an innovative new approach appeal :thumb:
     
  19. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    I have finally got Religion in my life, and WiseVector is my savior, who will protect me all day and everyday. It is not going away and will only get better.
     
  20. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Our pleasure! Any problem or question, please let me know. ;)
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Sounds interesting, can you give a bit more info about how AI decides whether to block certain stuff? For example, SetWindowsHookEx is often used by keyloggers, but legitimate tools also use it. So do you perhaps use some type of whitelist?

    Cool stuff, I assume it will block ALL apps from performing APC injection, no matter if it's legitimate or not?

    And keep in mind that it's fairly easy to bypass the standard Windows Firewall, with stuff like code injection and interprocess communications. And apparently, apps can simply add "Allow outbound" rules to the registry; Windows Firewall Control blocks this, go figure.

    https://www.binisoft.org/wfc

    LOL, it's been a while that I have seen people on this forum being so stoked about a product, I wonder what the hell is going on. :D
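    Rasheed187's point about an app writing its own "Allow outbound" rule concerns the registry key where Windows Firewall persists its rules. The PowerShell below is an added example (not code from WiseVector, Windows Firewall Control or Microsoft) that reads that key and lists enabled outbound Allow rules whose name is a literal string rather than a built-in resource reference and whose program is not on a caller-supplied allowlist; the `|`-separated Key=Value layout of the rule text is the real on-disk format, while using "literal name" as the marker for third-party rules is my assumption.

```powershell
# Added example: audit persisted Windows Firewall rules for third-party outbound Allow entries.
# Each rule is a REG_SZ value whose text is a '|'-separated list of Key=Value fields, e.g.
#   v2.31|Action=Allow|Active=TRUE|Dir=Out|App=C:\Tools\agent.exe|Name=Agent Outbound|
# Reading HKLM needs an elevated session.
$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

function ConvertFrom-FirewallRuleString {
    param([string]$RuleId, [string]$RuleText)
    $fields = @{}
    foreach ($part in $RuleText.Split('|')) {
        $kv = $part.Split('=', 2)
        # Keep the first occurrence of each key; port fields may repeat and are not needed here.
        if ($kv.Count -eq 2 -and -not $fields.ContainsKey($kv[0])) { $fields[$kv[0]] = $kv[1] }
    }
    $app = $null
    if ($fields['App']) { $app = [Environment]::ExpandEnvironmentVariables($fields['App']) }
    [pscustomobject]@{
        RuleId = $RuleId
        Action = $fields['Action']
        Active = $fields['Active']
        Dir    = $fields['Dir']
        App    = $app            # $null means the rule is not bound to a program
        Name   = $fields['Name']
    }
}

function Get-ThirdPartyOutboundAllowRules {
    param([string[]]$Allowlist = @())   # full paths of programs you expect to have their own rule
    $key = Get-Item -Path $RulesKey
    foreach ($id in $key.GetValueNames()) {
        $rule = ConvertFrom-FirewallRuleString -RuleId $id -RuleText ([string]$key.GetValue($id))
        if ($rule.Action -ne 'Allow' -or $rule.Dir -ne 'Out' -or $rule.Active -ne 'TRUE') { continue }
        # Built-in rules name themselves via a resource string ("@FirewallAPI.dll,-28502");
        # literal names come from installers, scripts or malware (assumption used as the filter).
        if ($rule.Name -like '@*') { continue }
        if ($rule.App -and ($Allowlist -contains $rule.App)) { continue }
        $exists = [bool]($rule.App -and (Test-Path -LiteralPath $rule.App))
        # A rule whose program no longer exists is stale at best and worth removing anyway.
        $rule | Add-Member -NotePropertyName ProgramExists -NotePropertyValue $exists -PassThru
    }
}

# Review the output, then remove anything you did not create. The registry value name is the
# rule's Name (ID) as shown by Get-NetFirewallRule, so: Remove-NetFirewallRule -Name <RuleId>
Get-ThirdPartyOutboundAllowRules -Allowlist @("$env:ProgramFiles\Mozilla Firefox\firefox.exe") |
    Sort-Object App | Format-Table RuleId, Name, App, ProgramExists -AutoSize
```

    The script only inspects what is stored on disk; a rule can also be injected into a running firewall through its COM interface, so pair this with the event log entries Windows Firewall writes when its rule set changes.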
     
  22. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Rasheed- I also was wondering a bit about what WV decides to block, so having too much time on my hands this morning I decided to try a few things (and if I go a bit into the Weeds with this post, forgive in advance):

    1). I started out with 3 different batch files:

    a). The Hello World batch
    b). A script to disable Windows Firewall
    c). A joke script- this one to open endless calc.exe's

    2). Each of the above 3 scripts was converted to a PE32 file, which was then further modified:

    a). extraneous code was added
    b). the exe's were required to request Admin Privilege
    c). the exe files were packed (UPX, Kkrunchy, MPRESS, XPACK)

    With WV installed and the Network Disabled initially, then Enabled to note any differences, the files were run and the results noted (easy, easy...).

    (ps- Network Enabled/Disabled made no difference)

    Results:

    1). For the file that attempted to disable WF, all instances were blocked.
    2). For the "Hello World" files- the batch file itself ran fine, as did the Hello World unmodified PE32. That exe with UPX was also allowed. Everything else was detected and blocked.
    3). For the Endless Calc file- the script itself was allowed, as was the PE32 version. To my surprise the Endless Calc that requested Admin Privilege was also allowed. All else was blocked (including the UPX pack).

    So although this test was a bit interesting, it does indeed show that I need a hobby (or at least brush Ophelia more).

    M
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    When you get a chance, see how WV performs against obfuscated scripts; light to heavy obfuscation. PowerShell, JavaScript, VB Script, etc. From what I can determine, WV is not using the AMSI interface. You can also mix things up; packed + obfuscated, encrypted + obfuscated, etc.
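    itman's remark that WV does not appear to use the AMSI interface can be checked directly, because an AMSI provider has to register its COM class under HKLM\SOFTWARE\Microsoft\AMSI\Providers. This added PowerShell (my example, not code from any product named in the thread) lists the registered providers together with the DLL that implements each one, which is what every AMSI-aware host (PowerShell, Windows Script Host for JScript/VBScript, Office macros) loads before script content runs.

```powershell
# Added example: enumerate registered AMSI providers.
# Each provider is a subkey named by its COM CLSID; the class's InprocServer32 entry
# points at the DLL that AMSI loads into every host that calls AmsiScanBuffer.
function Get-AmsiProvider {
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -LiteralPath $providersKey)) {
        Write-Warning 'AMSI providers key not found; no provider is registered.'
        return
    }
    foreach ($sub in Get-ChildItem -LiteralPath $providersKey) {
        $clsid    = $sub.PSChildName
        $classKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        # Friendly name is the class key's default value; it may be absent for some providers.
        $friendly = (Get-ItemProperty -LiteralPath $classKey -ErrorAction SilentlyContinue).'(default)'
        $dll      = (Get-ItemProperty -LiteralPath "$classKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        [pscustomobject]@{
            Clsid      = $clsid
            Provider   = $friendly
            Dll        = $dll
            # Registered but with no DLL on disk means the provider can never scan anything.
            DllPresent = [bool]($dll -and (Test-Path -LiteralPath $dll))
        }
    }
}

# Sanity check: Microsoft Defender registers {2781761E-28E0-4109-99FE-B9D127C57AFE} while it
# is the active AV, so an empty list on a default Windows box means AMSI is not being consulted.
Get-AmsiProvider | Format-Table Provider, Dll, DllPresent, Clsid -AutoSize
```

    Absence from this list only shows a product is not an AMSI provider; it may still inspect scripts by other means, such as hooking the script hosts or reading ETW script-block events.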
     
  24. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Hi,

    Our AI is based on Supervised Learning (developing a predictive model based on both input and output data manually); then the AI does Classification and Regression to make its decision. The working mode is very complicated, not just as simple as a whitelist.

    "Block or not block: that is a question.":D It's still decided by our AI, not all Apps will be blocked while just performing APC injection.
     
  25. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I have been increasingly impressed by the WV feature-extraction algorithm with regard to predictive efficiency. In my previous post using packers, I believe some sort of emulation was used to allow the safe "hello world" UPX-packed file to be deemed benign while the other (only kinda-sorta safe) UPX files were considered malicious.

    Personally I eagerly await widespread use of WV to determine predictive ability with any FP feedback.
     