WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    @pvsurfer

You should be able to use Task Scheduler to create a task that launches the program when your daughter logs on to her account.
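    The Task Scheduler approach above, as an added PowerShell example that is not from the thread or from WiseVector: it registers a task that starts a program in a specific standard account's session at logon and then reads the task back to verify it. The executable path and the account name are placeholders.

```powershell
# Added example (not from the thread): register a logon-triggered task so a
# per-user security program starts when one specific standard account signs in.
# Run from an elevated PowerShell prompt. Both values below are placeholders.
$exePath  = 'C:\Program Files\WiseVector\WVSX.exe'   # PLACEHOLDER: real install path
$userName = "$env:COMPUTERNAME\Daughter"             # PLACEHOLDER: the standard account
$taskName = 'Start WiseVector StopX at logon'

# What to run. Setting the working directory matters for programs that load
# DLLs or config files relative to their own folder.
$action = New-ScheduledTaskAction -Execute $exePath `
    -WorkingDirectory (Split-Path -Path $exePath -Parent)

# Fire only when this particular account logs on, not for every user.
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $userName

# Run inside that user's interactive session without elevation, so the program
# gets exactly the rights it would have if the user double-clicked it.
$principal = New-ScheduledTaskPrincipal -UserId $userName `
    -LogonType Interactive -RunLevel Limited

# Allow starting on battery and don't stop the task on battery (laptops).
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries
# Clear the default 3-day execution limit so a resident program is not killed.
$settings.ExecutionTimeLimit = 'PT0S'

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify: the task exists, is ready, runs as the intended user and is bound
# to that user's logon trigger.
$task = Get-ScheduledTask -TaskName $taskName
[pscustomobject]@{
    Task        = $task.TaskName
    State       = $task.State                 # expected: Ready
    RunsAs      = $task.Principal.UserId
    TriggerUser = $task.Triggers[0].UserId
}
```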
     
  2. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    There should be an option during setup:
    Install for current user only?
    Install for all users?

    Creating a schedule is beyond the skills of an average user.
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Only happened the once, for both.
     
  4. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Hi,
    We focus on Windows currently and not so sure about how to answer your question at present. I think it depends on how many users need such kind of additional protection on Mac, then we will make our plan accordingly.;)
     
    Last edited: Sep 5, 2020
  5. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Sorry for the inconvenience. WVSX can't automatically load into all standard accounts at present and what @Azure Phoenix said is correct. We will get this resolved.
     
    Last edited: Sep 5, 2020
  6. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Thanks for your reply. Please let me know if this happens again.
     
    Last edited: Sep 5, 2020
  7. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    It's good advice, thanks! I think this option is necessary when a computer is used by more than one person.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, I see this makes sense.

    Perhaps I misunderstood, was the file of Quick Shutdown wrongly detected on disk or was it the qsd.exe process that was running in memory?

    OK, this is what I meant, so you have actually tested malware that uses these techniques? And let me explain, there is a difference between blocking malware pre-execution and post-execution. So normally, an AV will simply block malicious files on disk, and they don't even get a chance to run.

    But let's say AV fails to spot malware and lets it run, then the behavior blocker should block malicious behavior from the malware, like process hollowing, code injection, and keylogging for example. So how did WV block these malware samples that you tested it against, pre or post execution?
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    R- if I can intrude, in the test I ran I made sure that some of the malware used various techniques and actually included a Netwalker and an Agent Tesla, so both process hollowing and code injection seemed to be covered. Also I made sure that freshly coded FUD malware were included (as well as the network being disabled) so WV certainly had no help via "dumb" detection.

    But as far as keyloggers (hint: Pyhook is tough) are concerned I suggested then and still suggest now having an outbound firewall in place as any info-stealing malware that is undetected STILL needs to connect out.

    M
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for the feedback, but just to make it clear. You say that you tested NetWalker and Agent Tesla, but did WV simply block them from running? Or did it block certain techniques like process hollowing and file encryption after they were already active in memory? That's what I'm trying to figure out.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Process hollowing and plain .dll injection for that matter are usually detected as attempted process modification attempts against the targeted process. In other words, no memory modification has occurred. If injection takes place, any memory based detection would almost have to be signature based or limited in nature to the code behavior being executed in memory. Additionally if detection was had in memory, system modification activities could have occurred prior to the memory detection. Something like Kaspersky does system snapshotting and can rollback those modifications after a memory detection.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Can WiseVector Stop-X be used with another AV like Eset?
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Good question.

    Since Eset and some other AV solutions have active memory protection/detection mechanisms, the same scenario exists that applies to running two real-time scanners together. That is the possibility of "deadly embrace" conflicts. The most likely source of conflict would be with Deep Behavior Inspection. So an exclusion for WiseVector would have to be created there and also possibly for real-time scanning. Something I for one would not recommend at this point given WiseVector's current vetted status. Again, we are talking about two security solutions using kernel mode drivers.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would say you are right, it's probably not a good idea. I was curious since I hadn't even heard of WiseVector until last week. Eset also has machine learning, I wonder how they compare. I wonder how evolved Eset's machine learning module is at this point. I would say WiseVector probably wins in the machine learning category since that is their main focus, from what I can tell. I'm just speculating though, I will look into WiseVector more when I have time.
     
    Last edited: Sep 5, 2020
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I ran WV together with VoodooShield for several days. No problem. I am now trying WV in combo with SecureAPlus.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Or keep it simple without sacrificing effectiveness and run WV together with built-in Windows Security. Try not to lose sight of how strong and effective Windows 10 already is when it's kept updated and you utilize its built-in security measures.
     
    Last edited: Sep 5, 2020
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    And if we wanted to try, exactly what exclusions should be put in place?

    @WiseVector ?

    Thanks.
     
  18. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    We have several layers to block malware and "qsd.exe" was detected by our static scanning.
    Yes, we have tested thousands of malware samples using these techniques and WVSX can detect them.
    Every AV wants to block all malicious files on disk, but actually it's a dream that can hardly be achieved, since there is always a small amount of malware missed by static scanning. That's why we need a behavior blocker.
    Malicious behavior like process hollowing, code injection, and keylogging is detected by WiseVector StopX at both the pre-execution and post-execution stages.

    Yes, it can be used with most other AV including Eset.

    WiseVector StopX can work well with ESET, I think there is no need to put exclusions.
     
  19. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    As far as I know the memory detection of ESET is signature based. Our memory detection is machine learning based, so no feature is duplicated here.
    Our driver has no conflict with ESET as well.
     
  20. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    It looks like WiseVector does not have a conflict with any other apps. Under advanced I excluded Kaspersky Security Cloud, HitmanPro.Alert and OSArmor. Was this necessary for me to do? Is there a list of known apps that have conflicts with WiseVector?
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I certainly wouldn't agree with this. Eset has spent years developing their machine learning technology: https://www.welivesecurity.com/wp-content/uploads/2019/11/ESET_Advanced_Machine_Learning.pdf
    Eset employs multiple memory detection methods.

    The one you are referring to involves use of the Win 10 AMSI interface to scan scripts in memory prior to execution. A feature that WiseVector does not have that I am aware of. Eset also employs the AMSI interface to scan browser and targeted Win processes. Eset uses their Augur deep behavior inspection machine learning engine to monitor memory code post execution. Additionally Eset HIPS is utilized and interfaces with its advanced memory scanner, exploit blocker, deep behavior inspection, and ransomware protections. Also, lest it be overlooked, Eset employs a Web Access scanner that monitors all Internet based activity including client e-mail scanning. Its firewall protection has a full-featured IDS capable of detecting known exploits and:

    [attached image: Eset_IDS.png]

    Plus network packet inspection protections and botnet protection.
     
    Last edited: Sep 6, 2020
  22. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Like any other defense, AMSI is not a panacea, and ways to bypass were found at Black Hat 2016. It remains to be seen whether Microsoft has been able to plug the holes found by researchers.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Correct. However, Eset and I assume other AV vendors have become quite proficient in detecting those and also UAC bypasses.
     
  24. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    "As with any other security measure, there are also ways to get around AMSI. If, for example, PowerShell version 2 is executed on the respective system, the AMSI integration will be missing from PowerShell and the executable code is not scanned. Since AMSI also uses a signature-based approach, a significant change can potentially prevent discovery of detected malware scripts. Another method is to disable AMSI with the PowerShell cmdlet Set-MpPreference. This disables Windows Defender’s real-time detection, an operation that requires administrator rights".
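    The gaps the quoted text lists (the AMSI-less PowerShell v2 engine, and real-time monitoring being switched off by an administrator) can be audited and closed from an elevated prompt; the following is an added example written for this thread, not code from the source quoted above or from any vendor. It assumes Windows 10 with the optional-feature and policy registry names shown, and reports Defender's real-time state only when Defender's cmdlets are available.

```powershell
# Added example (not from the thread): audit the PowerShell v2 / AMSI gap and
# whether real-time monitoring is on, then harden. Run from an elevated prompt.

function Get-PowerShellAmsiPosture {
    # The v2 engine ships as optional Windows features; while enabled,
    # "powershell.exe -Version 2" runs with no AMSI integration at all.
    $v2 = Get-WindowsOptionalFeature -Online |
        Where-Object FeatureName -like 'MicrosoftWindowsPowerShellV2*'

    # Script block logging policy (event ID 4104 in Microsoft-Windows-PowerShell/Operational).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging

    # Defender's real-time state, if Defender's module is present on this box.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue

    [pscustomobject]@{
        V2EngineEnabled     = [bool]($v2 | Where-Object State -eq 'Enabled')
        ScriptBlockLogging  = ($sbl -eq 1)
        AmsiProvidersKey    = Test-Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
        DefenderRealtimeOn  = if ($mp) { -not $mp.DisableRealtimeMonitoring } else { 'n/a' }
    }
}

function Set-PowerShellAmsiHardening {
    # 1. Remove the v2 engine so a "-Version 2" fallback has nothing to load.
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' -and $_.State -eq 'Enabled' } |
        ForEach-Object {
            Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -NoRestart | Out-Null
        }

    # 2. Turn on script block logging so scripts that do reach the engine
    #    leave a record an analyst can review after the fact.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

Get-PowerShellAmsiPosture      # before
Set-PowerShellAmsiHardening
Get-PowerShellAmsiPosture      # after: V2EngineEnabled False, ScriptBlockLogging True
```

    The posture check is worth re-running periodically: a DefenderRealtimeOn of False on a machine that should be using Defender is exactly the Set-MpPreference change the quote describes.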
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.