Hi, Normally, Thumbs.db should not be in system32, since Thumbs.db is an image cache which makes thumbnail viewing faster, but there is usually no image in system32. Can you please send the file to virus@wisevector.com? We would like to do a quick analysis and reply to you a.s.a.p. Thanks!
@bellgamin @Triple Helix @Baldrick @ako @EASTER @ProTruckDriver Very happy to meet so many bosom friends here! The security products he used before were: Prevx (2 years)->Online Armor(5 years)->Outpost Pro(5 years), and finally->WVSX Cheers!
Not normal to see thumbs.db in the Win System32 directory. It is normally stored in: https://www.neuber.com/taskmanager/process/thumbs.db.html There is USB drive based malware that will use thumbs.db. Example here of a worm that copies a malicious .dll file renamed to thumbs.db to the Windows directory: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_vb.dth Submit thumbs.db to VT for a scan and see if anything is detected.
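A quick local triage of a suspect thumbs.db, as an added example that is not part of the post above or of any WiseVector/Trend Micro tooling: a genuine Thumbs.db is an OLE compound (structured storage) file and starts with the D0 CF 11 E0 A1 B1 1A E1 signature, while a DLL or EXE renamed to thumbs.db, as in the worm the post links, starts with "MZ". The script reports which it sees, computes the SHA-256, and builds a VirusTotal lookup URL from the hash so only the hash, not the file, leaves the machine. The header check is a hint, not a verdict: OLE files can carry malicious content too, and a hash lookup only finds files VT has already seen, so an unknown sample still has to be uploaded or sent to the vendor.

```python
import hashlib
import sys
from pathlib import Path

# File signatures (magic bytes).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file: what a real Thumbs.db is
PE_MAGIC = b"MZ"                                 # DOS/PE header: a renamed executable


def classify_header(data: bytes) -> str:
    """Coarse file type from the first bytes of the file content."""
    if data.startswith(OLE_MAGIC):
        return "ole-compound"  # consistent with a thumbnail cache
    if data.startswith(PE_MAGIC):
        return "pe"            # executable masquerading as thumbs.db
    return "unknown"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes) -> dict:
    """Classify the content and prepare a hash-only VirusTotal lookup."""
    kind = classify_header(data)
    digest = sha256_hex(data)
    return {
        "type": kind,
        "sha256": digest,
        # Anything that is not an OLE compound file deserves a closer look.
        "suspicious": kind != "ole-compound",
        # VT's web UI addresses a file report by its SHA-256.
        "vt_url": f"https://www.virustotal.com/gui/file/{digest}",
    }


def triage_path(path: str) -> dict:
    """Read a file from disk and triage it (read-only, nothing is executed)."""
    return triage(Path(path).read_bytes())


if __name__ == "__main__":
    # Usage: python triage_thumbs.py C:\Windows\System32\thumbs.db
    for arg in sys.argv[1:]:
        result = triage_path(arg)
        flag = "SUSPICIOUS" if result["suspicious"] else "looks like a thumbnail cache"
        print(f"{arg}: {result['type']} ({flag})")
        print(f"  sha256: {result['sha256']}")
        print(f"  lookup: {result['vt_url']}")
```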
Same as well. I will keep trying to pressure it with random malware, but WVSX holds up efficiently. Like some of you might be, I am intrigued and anxious for when Network Protection gets introduced in one of the next releases.
While I was sleeping overnight, I noticed that at 12:41 am 3 WV exes were logged in VoodooShield 5.98e beta. Any particular reason for this to occur? I am curious, as usual.
Online Armor, whoo hoo! A basic-user question: for someone running Defender and Controlled Folder Access with more holes than a slice of Swiss cheese, does Stop-X work well with CFA? I've whitelisted so many binaries and apps that I begin to wonder if it's a little too hole-y and in need of some support. Has the scanning speed improved a bit, from a user standpoint?
Hi, It's normal. We got some files updated yesterday. In certain circumstances, the Service and WiseVector.exe will be restarted when some files are in use.
Yes, WVSX works well with CFA. No need to whitelist those binaries and apps. The first scan may be slow, but it will be faster the second time.
I've found CFA to be too much of a PITA, and while I used it, it only ever blocked legit programs. Norton 360 has a similar feature called "Data Protector", and likewise it too has only ever blocked legit programs. I understand the concept, but for those features to be useful the main AV component must have failed and allowed the ransomware onto the machine already. That's what backup images are for.
File sent. I had recently installed Win 10 v2004 build 19041.508 on a new ThinkBook machine. Pretty much WVSX only on this instance, apart from Macrium Reflect and portable ConfigureDefender (by Andy Ful). USBs have been attached (none that have left my control), but zero detections on VT. We'll see what WV says ...
Hi, File received. Thanks! It is an image cache file, so this is a FP, which has been resolved. Some code in this file looks like a piece of shellcode, so WVSX flagged it. Sorry for the inconvenience.
Ver 2.67 on W10 had a whole lot of problems with this... https://www.majorgeeks.com/files/details/sergei_strelecs_winpe.html
Hi, This file (Sergei_Strelec) is too large and the download speed is very slow. According to the log posted, most files in the folder "Portable" and one file in the folder "UTILITES" were flagged by WVSX. Can you please send the two folders (Portable and UTILITES) zipped with password "infected" to virus@wisevector.com? Then we can perform a quick analysis. We also searched for this file on Google; from http://www.mikebai.com/Article/2020-06/3532.html (use a translator) we can see that other AVs also report these files as a virus. We had previously found that many tools in some Windows PE distributions were infected by the Ramnit virus.
I decided to err on the side of caution and deleted everything, as it was just a curiosity more than anything. You'll have to download it yourself if you are interested... sorry.
Good... it will be interesting to see what you find, as MajorGeeks, as you probably know, is a very well respected and trusted site.
According to Strelec's site, checksums (*.iso file):
CRC32: 9ADD18BE
MD5: 161045856A35BC429B1E6D8193AF4884
SHA-1: 3F8EA701EE80A23D8B475B5B2A38650A477CBABE
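Checking a downloaded ISO against the published values, as an added example that is not part of the post above or of Strelec's site: the script streams the file once and computes CRC32, MD5 and SHA-1 together, then compares each to the published string case-insensitively. The CRC32 is assumed to be the usual zlib/ISO-HDLC CRC that 7-Zip and most hash tools report. A match only tells you that you have the same ISO the site published; it says nothing about whether that ISO is clean, which is the question the rest of this thread is arguing about. CRC32 is not a security check at all and MD5 is collision-broken, so the SHA-1 is the only one of the three worth relying on, and even that is weak by current standards.

```python
import hashlib
import io
import sys
import zlib

# Published values for the Strelec ISO, copied from the post above.
PUBLISHED = {
    "crc32": "9ADD18BE",
    "md5": "161045856A35BC429B1E6D8193AF4884",
    "sha1": "3F8EA701EE80A23D8B475B5B2A38650A477CBABE",
}


def checksums_of_stream(stream, chunk_size: int = 1 << 20) -> dict:
    """Read a binary stream once, updating all three digests per chunk."""
    crc = 0
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        crc = zlib.crc32(chunk, crc)  # zlib/ISO-HDLC CRC-32, what 7-Zip reports
        md5.update(chunk)
        sha1.update(chunk)
    return {
        "crc32": f"{crc & 0xFFFFFFFF:08X}",
        "md5": md5.hexdigest().upper(),
        "sha1": sha1.hexdigest().upper(),
    }


def checksums_of_bytes(data: bytes) -> dict:
    return checksums_of_stream(io.BytesIO(data))


def checksums_of_file(path: str) -> dict:
    with open(path, "rb") as f:
        return checksums_of_stream(f)


def verify(actual: dict, expected: dict) -> dict:
    """Per-algorithm match result; expected values may be in any case."""
    return {
        name: actual.get(name, "").upper() == value.upper()
        for name, value in expected.items()
    }


def all_match(actual: dict, expected: dict) -> bool:
    return all(verify(actual, expected).values())


if __name__ == "__main__":
    # Usage: python verify_iso.py WinPE10_8_Sergei_Strelec_x86_x64_2020.06.09_English.iso
    for path in sys.argv[1:]:
        actual = checksums_of_file(path)
        results = verify(actual, PUBLISHED)
        for name, ok in results.items():
            print(f"{name:6} {actual[name]}  {'OK' if ok else 'MISMATCH'}")
        print("download matches published checksums" if all(results.values())
              else "download does NOT match; do not boot it")
```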
Thank you kindly, WiseVector. Got me some of that too. Always waffling about CFA. It defeats the purpose, always having to switch it on and off and then kind of forgetting about it.
I downloaded this and extracted the .rar using 7-Zip. Scanned the extracted archive with ESET. It had 49 detections. Almost all were PUAs within the .iso file. The one I didn't like was: C:\Users\xxxxx\Downloads\WinPE10_8_Sergei_Strelec_x86_x64_2020.06.09_English\Create a bootable USB drive\SimBoot_1.8\simboot.exe » UPX v13_m8 » AUTOIT » .\bin.7z » 7ZIP » - Incorrect file checksum (CRC); the file is probably password protected. -EDIT- It appears there's another password protected archive embedded in the downloaded one. This is very suspect activity. Also do note the AUTOIT reference. Here's the entire ESET log file:
I keep an earlier version of the WinPE10 Sergei Strelec PE and have never once encountered a single incident of any concern. Such PEs are almost always flagged because some of their programs are deep-dive components that, for the common user, can cause issues. Of note, @Peter2150 and I found it of enormous reliable use, and we both added updated image backup overwrites to keep it current. More or less we ignored its other programs and focused, in my case, on AOMEI Partition Assistant with DS, and it restores DS images in record time, with simplicity and without fail. That's not to say it's flag-proof, only that we practised with it and use it for image restores and backups flawlessly from a USB pen. The concern about AVs flagging it is no surprise. They add all sorts of programs that can raise a fuss with any AV, not just WVSX. Just my opinion of it from actual experience, going on 2 years now. "Potentially unsafe" is expected but of no real concern. It's been a plain PE of great use when Windows can't boot or you simply want to get at your system instead of using a common Win 10 PE for those duties. The fact is there are likely other programs in it that, if used, have the potential to unbalance and disrupt the normal operation of a system. Sincere apologies for going off topic just a bit, but @itman raises valid concerns that are probably better suited to a different thread/topic than WVSX, in my opinion. I wouldn't be without it personally.