WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    @WiseVector, thank you for sharing this information and good luck with your software and hard work:)
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    This Virus Bulletin article might be of interest to WiseVector:

    CHALLENGES FOR YOUNG ANTI-MALWARE PRODUCTS TODAY
    https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Mustaca.pdf
     
  3. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Thank you. The info in this PDF is helpful.:)
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for the feedback. And yes, in theory legitimate tools can also use certain code injection methods, so you can't always block them, to avoid false positives. But if code injection is blocked post execution, will WVSX clearly show you this similar to HitmanPro.Alert? If so can you post some screenshots?

    Also, in the first post, it was mentioned that WVSX doesn't use signatures, so is it comparable to Cylance? Another question that comes to mind is, how well would it perform in tests done by MRG Effitas and AV-TEST, do you believe it would block most of these samples even without using traditional signatures?

    https://www.mrg-effitas.com/test-library/
    https://www.av-test.org/en/antivirus/home-windows/
     
  5. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
Below are some examples showing WVSX defeating popular stealth threats:

1. Ursnif banker trojan. The malware always gets low detection (<5) in VT in the first place. Why? Because it decrypts its real payloads in memory.

    The malware:

    https://i.imgur.com/27nrGNp.png

    Let's run it. Open cmd, enter "regsvr32 the malware path". WVSX will detect it without needing signatures updates.

    https://i.imgur.com/GiZwYYJ.png

2. Azorult stealer malware. It will inject its code into dllhost.exe, and then dllhost.exe will send sensitive data to the hacker. WVSX will block it at the pre-injection and post-injection stages.

    The malware:

    https://i.imgur.com/DNNuWsj.png

WVSX blocked it with Advanced Protection enabled:

    https://i.imgur.com/oH1H0Mv.png

    We need to disable Advanced Protection to let the malware do its dirty job. WVSX still detected the malicious code in dllhost.exe.

    https://i.imgur.com/fIapJER.png

    3. DLL side-loading attack. The sample below utilized a copy of legitimate ESET binary EHttpSrv.exe.

    The malware:

    https://i.imgur.com/Zrvzjsc.png

    The binary is digitally signed and trusted by most security software,

    https://i.imgur.com/5oJRY1u.png

    Let's run it. WVSX blocked the malicious dll easily.

    https://i.imgur.com/CcyZAZQ.png


We are not so familiar with Cylance, but it seems that it did not perform well in the latest AV-TEST.
We haven't taken the test yet, so we can't tell you how WVSX will perform in the test, but at present we are confident that WVSX can defeat the most popular advanced threats.
     
    Last edited: Sep 28, 2020
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Impressive. And thanks for taking the time to post.

    I hope you are successful in your endeavours to commercialise WVSX - you deserve it!
    You will have my custom, if my depreciating currency can afford it. :isay:
     
    Last edited: Sep 28, 2020
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    This process, Ehhtpsvc.exe doesn't exist in current Eset versions. Note that the version refers to a Smart Security release; i.e. ver. 5, long obsolete and no longer supported. Just how obsolete this process is can be had here: https://support.eset.com/en/kb3678-...pported-eset-end-of-life-policy-home-products that only references version 8 and shows all Smart Security versions as unsupported. If my memory serves me right, Smart Security ver. 5 ran on WIN 2000/XP/Vista. Actually, Wilders has a thread on SS5 here: https://www.wilderssecurity.com/thr...ndidate-available.301246/page-13#post-1935872 . It was officially released in the fall of 2011.

    Eset current versions do use a helper service that runs as a kernel mode driver.

-EDIT- If Eset SS5 was downloaded from here: hxxps://eset.version-2.sg/products/smartsecurity/ , this appears to be a phished web site. So most likely malware was downloaded.

    Appears Eset legit purchases/trials in China must be done through their Hong Kong portal: https://en.eset.hk/
     
    Last edited: Sep 28, 2020
  8. Marcelo

    Marcelo Registered Member

    Joined:
    Oct 11, 2005
    Posts:
    276
    Location:
    Rio de Janeiro, Brazil.
  9. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    On that site my right click back does not work or my browser back to page does not work.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    +1

Brilliant. Thanks for every correspondence and explanation!
     
  11. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    @EASTER @paulderdash
    Thanks! Your support is our motivation to get WiseVector StopX improved.:)
     
  12. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    No AV reports WiseVector StopX as Spyware.
    If some people are willing to cover their eyes with prejudice, then there is nothing we can do.
    In any case, we are trying our best to make WiseVector StopX better and more powerful.:D
     
    Last edited: Sep 29, 2020
  13. Marcelo

    Marcelo Registered Member

    Joined:
    Oct 11, 2005
    Posts:
    276
    Location:
    Rio de Janeiro, Brazil.
    I have to agree... Better not to answer this kind of comment as nothing will convince these people their accusations are based on no evidence.
     
  14. burebista

    burebista Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    225
    Location:
    Romania
    Great program you have here WiseVector. :thumb:
    I've installed it today and I have a FP (it's an older version of WinMTR).

    winmtr.jpg

    No big deal, I put it in Exclusions but I wanted you to know.

    Looking forward to your further development.

    LE: WinMTR version 0.92 x64 went smooth without any alert from WiseVector.
     
  15. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Hi,
Whether or not Ehhtpsvc.exe exists in current Eset versions, the binary is digitally signed and trusted by most security software; unfortunately, this can be utilized by a DLL side-loading attack. Not only Eset: lots of programs produced by well-known companies (like Avast, Symantec, Microsoft, Citrix, Nvidia, McAfee, Adobe, Avira, etc.) are also used to perform this kind of attack.
Actually, we capture several malware samples utilizing DLL side-loading every week. All malware samples in our tests were captured in the past five days.
     
    Last edited: Sep 29, 2020
  16. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Thanks for your feedback.
    Can you please report it as a FP via "Upload files" ( if the file is over 20M, please send it to virus@wisevector.com)?
    We would analyze the file and resolve this soon.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Please try to do so against a current version Eset product. The only process running in these versions is ekrn.exe. So perform your test against that process.

    -EDIT- As far as "the binary is digitally signed and trusted by most security software," I don't think this is the case. I couldn't find a download for ehttpsvc.exe for version 5. However, a version 4 of it shows:
    As such, I assume the cert. for version 5 would have expired.
     
    Last edited: Sep 29, 2020
  18. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    By their very nature, all security apps have the ability to delve deeply inside a computer's deepest, darkest areas. Nowadays, a security app from ANY nation in the world is potentially "risky" to one's privacy -- and that includes security apps developed in one's own home country. :eek::oops::isay:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    @WiseVector -- I'm running Win7.

    When I first installed WV, it put a shortcut icon on my desktop. I immediately pulled that shortcut onto the task bar so that I could easily run WV, or NOT run WV, as I chose. I did that because WV was new to me & I wanted to test it before deciding to have it running real-time. I also deleted the desktop shortcut because I keep a clean desktop.

    After I gained confidence in WV, I went to settings & put a checkmark in the boxes to "Automatically launch at system startup" and "Enable Real-time protection"

    ==>QUESTION 1: It seems to me that these two settings are redundant. Why would I have a security app launch at startup if I did NOT want real-time protection? Conversely, how could I set a security app to do real-time protection WITHOUT it being launched at startup?

    I have noticed that when I had WV NOT selected to launch at startup, it still loaded WiseVectorSvc.exe. Yes, I know I can adjust Autoruns to prevent that. HOWEVER, after I told WV's settings that, yes, I DO want WV to launch at startup, it did NOT launch at startup. That is, the WV service was an active process but WiseVector.exe was NOT an active process. Instead, I had to click WV's shortcut on my computer's task bar to get WiseVector.exe running as an active process.

    ==>QUESTION 2: Am I doing something wrong, or is it a glitch unique to my computer, or is it a glitch in WV? Or what........??
     
    Last edited: Sep 29, 2020
  19. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China

I think there is some misunderstanding here. It is not that we insist on using the old version of ESET software to test, but that the file is used by cybercriminals and we just captured the sample. From another aspect, the new versions often have preventive measures against DLL side-loading attacks, so criminals tend to use older versions.

    The certificate is still valid, see:
    https://i.imgur.com/8OLOOl6.png

    For more details about DLL Side-Loading attack, see:
    https://attack.mitre.org/techniques/T1574/002/
     
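    The two points argued in posts 17 and 19 (is the old signed helper's certificate still valid, and how does a DLL planted beside a signed EXE get loaded) can both be checked on a defender's own machine. The PowerShell below is an added example written for this thread, not code from WiseVector or ESET: the first function reports a binary's Authenticode status and whether the signature was timestamped (a timestamped signature stays valid after the signing certificate's expiry date, which is why years-old signed EXEs remain "trusted"); the second walks running processes and flags DLLs loaded from the EXE's own directory that are not themselves validly signed, the basic side-loading pattern from MITRE T1574.002. The file path and process names in the usage lines are placeholders.

```powershell
# Added example (not WiseVector's or ESET's code). Assumptions: paths below are
# placeholders; run in an elevated session to see modules of more processes.

function Test-BinarySignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
        CertExpires = $sig.SignerCertificate.NotAfter   # expiry of the signing cert itself
        Timestamped = ($null -ne $sig.TimeStamperCertificate)  # countersignature present?
    }
}

function Find-SideLoadedModules {
    param([string[]]$ProcessName = @('*'))   # default: every accessible process
    $systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    $statusCache = @{}                        # avoid re-verifying the same DLL
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        if (-not $p.Path) { continue }        # protected or inaccessible process
        $exeDir = Split-Path $p.Path -Parent
        # skip EXEs that live in the Windows system directories
        if ($systemDirs | Where-Object { $exeDir -like "$($_)*" }) { continue }
        try { $modules = $p.Modules } catch { continue }   # 32/64-bit mismatch etc.
        foreach ($m in $modules) {
            $dll = $m.FileName
            if (-not $dll -or ($dll -ieq $p.Path)) { continue }
            if ([IO.Path]::GetExtension($dll) -ne '.dll') { continue }
            # only DLLs sitting right beside the EXE are side-load candidates
            if ((Split-Path $dll -Parent) -ine $exeDir) { continue }
            if (-not $statusCache.ContainsKey($dll)) {
                $statusCache[$dll] = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            if ($statusCache[$dll] -ne 'Valid') {
                [pscustomobject]@{
                    Process   = $p.ProcessName
                    Pid       = $p.Id
                    ExeSigned = ((Get-AuthenticodeSignature -FilePath $p.Path).Status -eq 'Valid')
                    Dll       = $dll
                    DllStatus = $statusCache[$dll]
                }
            }
        }
    }
}

# Usage (placeholders):
# Test-BinarySignature -Path 'C:\path\to\EHttpSrv.exe'
# Find-SideLoadedModules | Where-Object ExeSigned | Format-Table -AutoSize
```

    A hit from the second function is a lead, not a verdict: plenty of legitimate software ships unsigned DLLs next to a signed launcher, so the useful follow-up is comparing the flagged DLL's hash and vendor against what the product actually installs.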
  20. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    I don't think the two options are redundant. Some users may want to disable the Real-Time protection but keep Advanced Protection and Memory Protection enabled. So they can still get protected at startup.

WiseVectorSvc.exe is responsible for loading the modules and other stuff into memory. The advantage is that we don't need to load the modules every time WVSX is started, which reduces the user's waiting time. You can stop WiseVectorSvc.exe from launching at startup: press the Win + R keys on your keyboard, type "services.msc" and hit Enter or press OK. The Services app window is now open. Change the "WiseVector Service" startup type to Manual.

    WiseVector.exe is started by a scheduled task. See screenshot below,

    https://i.imgur.com/u8FrP2q.png

Please make sure you didn't delete it in Autoruns.
     
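    For anyone troubleshooting the startup behaviour bellgamin describes, the same two facts from the post above (the service's startup type and the scheduled task that launches WiseVector.exe) can be read from PowerShell instead of services.msc and Autoruns. This is an added example for the thread, not WiseVector's own tooling; the service display name "WiseVector Service" is taken from the post, while matching the task by an action that runs WiseVector.exe is an assumption.

```powershell
# Added example (not WiseVector's code). Assumption: the scheduled task's action
# executes a file named WiseVector.exe; the service display name is from the post.

function Get-WiseVectorStartup {
    param(
        [string]$ServiceDisplayName = 'WiseVector Service',
        [string]$ExePattern         = '*WiseVector.exe*'
    )
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
    # find every task whose action launches the product's UI executable
    $tasks = Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { $_.Execute -like $ExePattern }
    }
    [pscustomobject]@{
        Service          = if ($svc) { $svc.Name } else { '<not found>' }
        ServiceStatus    = if ($svc) { $svc.Status } else { $null }
        ServiceStartType = if ($svc) { $svc.StartType } else { $null }   # Automatic / Manual / Disabled
        ScheduledTasks   = @($tasks | ForEach-Object { "$($_.TaskPath)$($_.TaskName) [$($_.State)]" })
    }
}

Get-WiseVectorStartup | Format-List

# Equivalent of the services.msc change in the post (needs an elevated session):
# Set-Service -Name (Get-Service -DisplayName 'WiseVector Service').Name -StartupType Manual
```

    If the ScheduledTasks list comes back empty while the service is present, the task was most likely removed (for example, disabled in Autoruns), which matches the symptom of the service running without WiseVector.exe appearing after boot.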
  21. burebista

    burebista Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    225
    Location:
    Romania
    Done.

    Thanks.
     
  22. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
It uses way too much CPU every time I come out of sleep mode. When that gets fixed I will start to use it again.
     
  23. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,940
    Location:
    UK
I don't use sleep mode at all, so cannot confirm this.
Have you done a restart of your machine since you installed Win 10? (I remember you only installed Win 10 for the first time a few days ago.)
     
  24. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Hi,
    Thanks for your feedback.
    1. In the previous post, you told me WiseVector had high CPU for 15 seconds when you brought the computer out of sleep. High CPU usage took more than 15 seconds this time?
    2. If you could install WiseVector StopX again one day, can you please try to turn off the "Memory Inspection" and observe whether this issue would happen again? Then we can get a general idea.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Likewise, no sleep here. I haven't noticed this issue.
     