WiseVector Stop-X

Hi,

Please at least quit Comodo before testing. "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" is a common registry key that many programs will modify it before connecting network. By default WVSX will prevent IE from spawning a Powershell process, but i can't see this in your screenshots. Maybe it was interfered by Comodo?

Poweliks is six years-old malware, we haven't tested the malware yet. According to your screenshot, it appears that the malware has been blocked by memory scanning in the first place. From https://www.trendmicro.com/en_us/research/14/h/poweliks-malware-hides-in-windows-registry.html we know poweliks will create autorun key and inject dll to other system processes. Honestly i don't believe it can bypass WVSX since WVSX will not allow powershell to perform the above actions.

Please quit Comodo and then test again. You need to check if the malware has successfully created the autorun entry or injected other system processes. Some virus cleaners hunt for the specific mutex in system to check if the specific malware is installed. However, the mutex may not get released after the malware has been stopped by WVSX.

You can download a test file here: https://www.wisevector.com/test.zip
You can double-click it in your VM to see if WVSX's behavior blocker works normally or not, thanks.

 

Thanks for your information. However, the detection will not be triggered by simply reading private files or folders.
It is foreseeable that would result in a large number of FPs.

 

I think I may have identified program which is sparking those svchost alerts ~ Bitsum's Process Lasso. I racked my brain last night about which programs may be constantly monitoring all processes and Process Lasso which I've had installed for years seemed a likely candidate. I disabled PL and have not had any repetition of the svchost alert... so far!

 

Hi,

We downloaded Vivaldi browser and have been using it for a couple of hours including visit the website you mentioned. But we didn't receive any alert from WVSX. We don't think the Vivaldi or Thunderbird is the cause of the detection. Please try the following steps,

1.Download Process Monitor from here: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
2. Open it. On its toolbar, Enable "Show File System Activity" but disable other activity so we can exclude tremendous irrelevant information.
3. From its top menu, click "Filter"->"Filter", Select "Path"->"contains"->"Include" copy and paste OPERA STABLE\LOGIN DATA to the editbox, Click "Add". See screenshot below,
https://i.imgur.com/lZZICAx.png


4. Add another filter but replace the editbox to Chrome\User Data\Default\Login Data.

Then use your computer as usual. Next if svchost.exe want to harvest sensitive data it will shows up in Process Monitor.
You can see its process ID and what dlls are loaded. You can contact us support@wisevector.com directly if you have further information.

 

So Process Lasso will let svchost.exe to read sensitive files even not exist in your computer? It sounds a little weird. Anyway you can try the instructions above.
Did you download Process Lasso from their official website?

 

PL does not read sensitive files at all but does "dynamically adjust process priority classes" which would include juggling the dozens of svchost processes which may be running at any time. Whether that would have any impact on WV or trigger an alert I have no idea but it's one of the few user programs installed that is monitoring resources/processes. SInce disabling it I hadn't had a reoccurence.. maybe that's just a coincidence but we'll soon find out as I've re-enabled it and setup Process Monitor as you suggested. The software was downloaded from the official website. I'll email any relevant info if/when alert reoccurs.

 

Ok Thanks. I will try to do it later and let you know.

By the way does WV actively monitor files read/write just like a traditional AV? If this is the case then I guess we should disable windows defender when WV is installed to decrease the overhead. Am I right?

Thanks

 

Sorry I wasn't clear. There is actual writing of data into these directories. A better example of this might be:

Code:

C:\Users\myself\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\extensions\support@lastpass.com.xpi

This is obviously an authorized extension that I installed, but it just illustrates that there can be a possible desire to monitor for unauthorized data writes to vulnerable directories.

Anyway, I don't want to dwell on this, as there's probably little interest for most users of your product in this type of data control.

 

Yes, WV will monitor files read/write, but the I/O Operations was optimized so WV doesn't take up too much resources like traditional antivirus software does.
If you are concerned about your computer's speed you can disable on access scan in WV. Open WV, click "settings"-> "Basic"->"Real-time protection"->"Set up"->uncheck "Scan file on creation".
Or you can disable Windows Defender Real-Time Protection. Open Windows Defender Security Center. Click the Virus & threat protection settings option., turn off the Real-time protection toggle switch.

 

Hi,

Thank for your advice. But you can't install an extension just by copying the .xpi file to the profile folder. At least you need to drag the xpi file to Firefox tab to install it.
So this won't be a security issue for now, but we'll keep an eye on it, thanks.

 

WD will auto re-enable itself in short order:

https://support.microsoft.com/en-us...security-2ae0363d-0ada-c064-8b56-6a39afb6a963

 

Maybe disabling specific components of Windows Defender with Configure Defender or GPE would work?

 

I'm using Defender Control.

 

I can't uninstall WVSX for some reason.

 

What happens when you try to?

 

Seems it will still provide on-execution protection? I did this. Good option.
Thanks

 

@WiseVector,
I am running WVSX along with SpyShelter (Free). As they both employ a HIPS do you foresee a conflict?

 

My UAC pops up and i click on yes. Nothing happens after that. That also happens when i try to install Adwcleaner. I click yes and nothing happens.

 

So do I, very effective just one click...

 

Hi,

We have tested SpyShelter V12.3, no conflict with WVSX so far.

 

Hi,
There might be some problems with your OS. Please restart your computer and try again. Seems that when a program requires administrative access, it can't run continuously.

 

There is conflict , 1) it will stop wise vector from accessing memory of other programmes by default and by looking at the logs even more behaviors : 2) it blocks wise vectors main exe from doing its thing - that's what the log says ( I noticed that long after using both at the same time so WWSX is not immediately stopped only under certain circumstances/behaviors)
If you use spy shelter free (ssf) version you need to whitelist all the folders at the beginning otherwise it will be too late after even if whitelisted later (I believe it is a programme malfunction or stupidity of the free version, since you should be able to roll back decisions effectively in ssf, I know ssf doesn't allow rule editing but still..)
Anyway the allow programme to take action autonomously in ssf should be checked off, or in paid version you can easily update rules. In spy shelter free whitelist all the folders that u need at the very start because spy shelter free decisions cannot be rolled back so to speak: WWSX will never access memory again

if ssf is configured: no conflict

 

'You can download a test file here: https://www.wisevector.com/test.zip
You can double-click it in your VM to see if WVSX's behavior blocker works normally or not, thanks.'
just out of curiosity, what is supposed to happen,? WVSX doesn't react when test is run...

 

It should stop the batch file after execution, if it isnt happening maybe there is a problem with your WiseVector StopX installation.

 

no, nothing.... there is a black popup which flashes too quickly to read, but no reaction from WV....

it seems, even though I exit CFW, it still catches the test before WVXS...

so, after disabling FW, and containment, WVXS caught the test.... s'all good.