Hi @WiseVector, I'm not sure if I'm more impressed by your awesome program or your stellar support. Nice work, and thank you!
Read through the many, many pages of feedback and valuable comments/responses on the WiseVector threads both here and on Malwaretips and have finally taken the plunge and installed WiseVector... it's now scanning, which could take some time! Also stepped MBAM back to 'On Demand' after years of it running alongside AV. I should probably ditch MBAM altogether based on recent performance tests but will see how WiseVector goes first.
Krusty, you are right, everything about this program seems to be just fine. WiseVector, are you using alien technology?
Office documents with malicious macros inside can be detected by WVSX's static-scanning-based AI. Our behavior blocker can also prevent Office from running suspicious executables. By our observation, drive-by downloads are relatively rare nowadays. Instead, hackers often trick the user into downloading a JavaScript file to their hard disk; this is a way to circumvent many of the protections built into most web browsers that mitigate the risks of JavaScript. Windows will block an .exe file, for example, but allow a JavaScript (.js) file to run. WVSX's behavior blocker is good at detecting these types of scripts. PE files are used most of the time in malware attacks. Detecting PE malware is exactly what AI is good at.
If WD's real time malware protection is enabled (on Windows 10) it actually prevents installation of PrivateWin10 (v0.84) considering it to be a "severe threat". This has been reported to @DavidXanatos (PrivateWin10's developer).
600,000+ files into full scan and first alert from WV RT/Protection scanner received and it's quite an important file... C:\Windows\System32\svchost.exe which has been flagged & quarantined with alert WIBD.HEUR.InfoStealer.F012 ~ scanned it with WD, Avast, Avira, Kaspersky, MBAM (RT & on demand scanners) & uploaded to VirusTotal which all give a clean bill of health. File restored for now. *Edit: Used WV to scan file again and this reported no issues (I hadn't excluded file).
A software that tries to disable WD, when starting it, is what I call unwanted. Open source is not an excuse for that. In my opinion, it should not be white-listed. If a user decides to use such, he may exclude it himself.
The fact that a highly questionable (crappy) app is open source, or "useful," or developed by a "reputable" person, or a "favorite" of many users, is NO REASON to whitelist it!!!
Hi, thanks for the feedback. I will test it again later and let you know. Sorry, I was in a hurry and did not look into these details. Good that you are around.
Hi, This action is detected by Behavior Detection but not static scanning. "WIBD" means "WiseVector Intelligence Behavior Detection". Malicious actions detected by our advanced behavior detection are named WIBD.***. The detection means "svchost.exe" is reading several sensitive data in the system; some files it read may not even exist on your computer. The svchost.exe is a system file, so WVSX will not quarantine it. WVSX will block the operation and terminate the process. So after "svchost.exe" was terminated, did you observe any anomalies in the system? By our observation, "WIBD.HEUR.InfoStealer.F" indicates svchost.exe is reading the following folders or files:
C:\***\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\***\AppData\Roaming\Thunderbird\profiles.ini
C:\***\AppData\Roaming\Flock\Browser\profiles.ini
After checking the software's source code (TweakEngine->TweakPresets.cs), we can be sure that disabling Windows Defender is part of its tweaks. So the software itself is not malware. However, you guys reminded us of the possibility that this software could be abused by hackers. We have removed it from our whitelists, thanks. @Nightwalker @Hiltihome
Thanks for info. You're right, WV asked whether I wanted to generate an exception or not (not quarantine it as I mistakenly stated). I did not notice any anomalies in the system subsequently. What I have noticed is how light on resources WiseVector is compared to Malwarebytes so the latter has now been uninstalled entirely for now!
Ok, so I believe that I am ready to give this bad boy a try. My plan is to change Malwarebytes to on-demand only. My scanner is Microsoft Defender. The only other security program on my system is VoodooShield. Question: I know that Defender and WV are compatible, but in order to make it so, are there any changes or whitelisting that I must do, or is WV instantly compatible as soon as I install it? Thanks everyone, Acadia
It is instantly compatible, they are both running fine here on my machine without any special setting.
Hi, "svchost.exe" needs to access various sensitive folders or files in a short time to trigger the detection. Under normal circumstances svchost.exe will not access private files, let alone several of them. However, you said you found nothing with many well-known AVs, which is very strange. If you still have WV installed and if this alert appears again, can you please tell me what you are doing on your computer at that time? Thanks
Identical alert, same file just now... only thing I was doing when alert popped up is refreshing a webpage (www.espncricinfo.com) using Vivaldi browser. (Of the 3 programs you list in post #716 I only have Thunderbird installed which checks every 3mins for new mail) ..and again 6hrs later when only program I was running was a full scan with Avira AV (which found nothing). This time no browser or email was open. Mystified at this point what's causing and with log not indicating which instance of svchost was terminated (sometimes there'll be dozens of svchost processes running) I'm not sure how you can identify which process has caused the alert when it's already been terminated before you can check?!
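Added illustration, not part of the thread and not WiseVector's code: a sliding-window check of the kind of heuristic described in the posts above, where one process touching several credential stores within a short time raises an alert. The window length, the threshold and the event tuple layout are assumptions; the alert keeps the PID so a specific svchost.exe instance can be identified afterwards.

```python
# Sliding-window check: one PID touching several credential stores quickly.
import re
from collections import defaultdict, deque

# Path suffixes from the vendor's post; the user-profile prefix is wildcarded.
SENSITIVE = [re.compile(p, re.I) for p in (
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data$",
    r"\\AppData\\Roaming\\Thunderbird\\profiles\.ini$",
    r"\\AppData\\Roaming\\Flock\\Browser\\profiles\.ini$",
)]
WINDOW_SECONDS = 5.0   # assumed value, the thread gives no number
MIN_DISTINCT = 2       # assumed value ("several" in the post)

def store_index(path):
    """Return which sensitive store a path belongs to, or None."""
    for i, rx in enumerate(SENSITIVE):
        if rx.search(path):
            return i
    return None

def detect(events):
    """events: time-ordered (timestamp, pid, image, path, exists) tuples.
    Failed opens (exists=False) still count, since the post notes the files
    may not even exist. Returns one alert per offending PID."""
    recent = defaultdict(deque)      # pid -> deque of (ts, store index)
    alerts = {}
    for ts, pid, image, path, _exists in events:
        idx = store_index(path)
        if idx is None or pid in alerts:
            continue
        q = recent[pid]
        q.append((ts, idx))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()              # drop accesses older than the window
        stores = {i for _, i in q}
        if len(stores) >= MIN_DISTINCT:
            alerts[pid] = {"pid": pid, "image": image, "time": ts,
                           "stores": sorted(stores)}
    return list(alerts.values())

# Constructed sample events (not taken from any real log).
SAMPLE = [
    (0.0, 1044, "svchost.exe", r"C:\Users\a\AppData\Local\Temp\x.tmp", True),
    (0.5, 2312, "svchost.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data", True),
    (1.0, 2312, "svchost.exe", r"C:\Users\a\AppData\Roaming\Flock\Browser\profiles.ini", False),
    (2.0, 3100, "thunderbird.exe", r"C:\Users\a\AppData\Roaming\Thunderbird\profiles.ini", True),
    (9.0, 1044, "svchost.exe", r"C:\Users\a\AppData\Roaming\Thunderbird\profiles.ini", True),
]
ALERTS = detect(SAMPLE)  # one alert, for PID 2312
```

Thunderbird reading its own profiles.ini and a single late read by PID 1044 stay below the threshold, so only the instance that touched two stores within the window is reported.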
Ok, confused. Downloaded and ended up with two files:
WiseVector_StopX.exe    Application    0 KB
WiseVector_StopX.exe.part    PART File    112 KB
Never seen a download like this before, what do I do with these two files, click on one of them, both of them?? Thanks
That just means your download did not complete successfully. PART files are temporary files while a download is going on. Try again.
FWIW and for anyone who cares, svchost.exe seems to be by far the most active system process at reading/modifying other files or folders in vulnerable directories. I have observed the following:
Code:
C:\Windows\TEMP\*
C:\Users\*\AppData\Local\Microsoft\WindowsApps\*
C:\ProgramData\*
C:\Users\*\AppData\Local\Temp\*
C:\ProgramData\Packages\*
...to name a few.