WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    What?!? No! I love that aspect of the gui. A little transparency is good.
     
  2. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Using WVSX, I just did an on-demand Full Scan. It is obvious that some of my computer's many exe files are NOT running at the time that WVSX does an on-demand scan. So I began wondering: is it possible that a malware could check-out as "clean" when the malware is not running, but WOULD show up as malware when the malware is running?

    Here's the reason why I started wondering: I image my system disk at least 5 times weekly, & retain images for over a month. So I figured: I don't need a real-time AV to PREVENT malware. Instead, I only need an on-demand AV to DETECT infections. Why? Because -- once malware is detected, all I need to do is restore a clean image and POOF! No infection.

    Based on my Detect-don't-Prevent concept, I do not run ANY AV real-time. Before making each image, I do the Detect phase by means of on-demand scans with WVSX and Kaspersky Virus Remover Tool. I have always *assumed* that this series of on-demand AV scans would almost certainly detect any malware that hadn't been caught by my only two real-time security apps: a firewall, and SecureAPlus (a whitelist & anti-exe).

    However, if there ARE malwares that might not be detected unless they are actually running, then my security concept isn't nearly as bullet-proof as I thought and, yes, I SHOULD be running WVSX real-time.

    QUESTION: Is it possible that WVSX could check-out an inactive malware file as "clean" during an on-demand scan but WOULD detect that same file as malware when the file is actively running, and WVSX is running in real-time?
     
  3. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    That is certainly possible, as some malware won't be detected until it runs. WiseVector may think a file is clean when it scans it, but when that file is launched it may detect and block suspicious behaviour.

    That's why any decent antivirus these days does not just rely on static scanning, but includes behaviour blocking too, to help block threats which might otherwise be missed. Unless it is causing some issues, it's best to leave the realtime protection enabled.
     
  4. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    @__Nikopol
    Thanks for your feedback! :)
    Sorry for the inconvenience. We reproduced this issue and it will be resolved in our next release.
    It's a known issue, we are trying to figure it out.
    Can you please tell me why you need to upload all currently check-marked files? The "Upload Files" button is designed to upload missed samples and FPs.
    Such a menu is necessary, as it can help our users have a better understanding of WVSX. We are working on it.
    There is a "Save as" button. Clicking on it, the results will be saved as TXT Files.
    Yes, we will remove it, since a number of users told us they can't see the letters clearly with the slight transparency of the window, particularly when the background picture is flowery and fancy. :D
    Yes, we will do it in the future. Have you uploaded all the files through WVSX? If yes, please scan the files again to check whether WVSX flags them as malicious again or not. Usually they will be analyzed manually; once they are confirmed to be FPs, they will be resolved in a short time. Or you can send them in one pack to virus@wisevector.com. After the analysis is completed, you will get a reply. Thanks!
    Yes, we will add this.
    The excluded files are not uploaded automatically, since it's about users' privacy.
     
  5. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Then a slider would be nice :)
     
  6. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Sorry, I'm afraid we will have to remove it, since many users told us they can't see the letters clearly with the slight transparency of the window...
     
  7. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Hi @bellgamin

    If I'm not mistaken, SecureAPlus is default-deny software which is designed for experienced users. If you don't know how to determine whether an executable file should be blocked or not, you'd better enable all protections of WVSX, since WVSX has multi-layer detection which can detect malware that bypasses static scanning.
     
  8. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Oh no, I like that effect transparency too :(
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I know how to use SecureA+ quite well. However, my teenage great-grandchildren use my computer when they visit from time to time. Based on the excellent comment by @roger_m I shall run WVSX real-time while they are here.

    As for the semi-transparent GUI -- it is like a beautiful wife who is a bad cook. :rolleyes:
     
    Last edited: Dec 2, 2020
  10. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Well, there are people here that like that option. So, without an option of some sort you'd be saying you value one group of people over another if you got rid of transparency.
     
  11. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,325
    Location:
    US
    In my opinion he's not saying that at all. What are software manufacturers supposed to do? Every program has so many directions (options) that it can go into. Every manufacturer has to, in their opinion, provide the best program that works best for the majority. Every program will have its disgruntled users yet they will still use it because it is a great program.
    Acadia
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Does this antivirus have a behaviour blocker?
     
  13. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I had 33 files that otherwise appeared clean. Uploading them in one go is just less trouble. :D
    Question here: Are you also interested in files that were detected as positive when scanned with "Aggressive" heuristics? This should create many FPs, I understand that. So I'm wondering if you want those.

    Ah, very nice! Thank you!

    I saw that. But that adds another two steps and a file I don't need to the task of copying something.

    Not yet. I reported them as false positives though. See the bold text down below because I have a question about that.

    Nice!

    I understand that, but when I click "report as false positive", do you not test the file again to be sure? How is that handled? You can't just believe me! XD

    I

    You can appease both groups: As a compromise, just add a slider to the background menu. :)
     
    Last edited: Dec 2, 2020
  14. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    We don't know how many people have reported they don't like it.

    Could be 4 here that like it vs 15 that don't like it.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I never even noticed the slight transparency, but then I hardly ever open the GUI. It doesn't bother me either way.
     
  16. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    Yes it does.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Never was a fan of transparency but that's just me.
    Transparency in no way deters what I'm seeing. It's readable but DISTANT.

    Whatever conclusion is arrived at on the GUI is acceptable for me too. But also, doesn't transparency cost another nano-amount of resources just to decorate for optics?

    At any rate seems one can never please all of the people all the time. But can please most of the people most of the time.
     
    Last edited: Dec 2, 2020
  18. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    You should run real-time all the time, because your backup does not protect from stolen data and credentials.
    An on-demand scan is not enough, because modern malware can be fileless and living off the land, using legit Windows components.
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    That's nice, it's time to try it, love it already, thank you my friend.
     
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    :eek: I didn't know that. I shall take precautions accordingly. Thanks!
     
  21. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I am testing a whole bunch of malware from the bazaar and other sources in my VM (which is mostly stealthed). I assume they are all recent. So far 100% detection rate out of ~150 files! (exe, xlsm, doc, jar, etc... everything)
    Most were detected after unzipping them. Some were only detected when executed. So there is your Behaviour Blocker, @jmonge :D

    I don't follow very sophisticated testing rules or whatever. I just have a bunch of programs like procmon running to check whether anything actually happened or not, and the only AM on my up-to-date Windows 10 1909 VM that is running is WVSX. I have an evaluation copy of HMPalert running, but it is only logging. Active WAN network - which may be a mistake.
    Therefore the results might only be interesting for me.
     
  22. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    @WiseVector
    You might want to download all the malware samples from the GitHub of "InQuest". There are 273 files that are not detected, and a spot test revealed they are found positive by other AM (via VirusTotal).
    Most of them are non-executable, so this might be the reason why they aren't detected yet (by the behaviour blocker part of WVSX).

    Some that I can execute are only blocked by my Anti-exe. So I assume they would've been running fine. I might let them run later on without the AExe

    Edit: I found a surprising amount of files that weren't detected, but were undoubtedly malware. For example: A rootkit from 2017, almost all VBS stuff I tested, some stuxnet maldocs, many more maldocs, ShadowHammer for some reason, TransparentTribe - but that's for android... I probably uploaded more than 50 files already. :/ (Although none of these were executed, yet. So take that with a bucket of salt)
    Interestingly, many undetected files were the oldest variants of otherwise detected malware (for example, the oldest variant of Cutwail).

    Edit: Once I added the right file extension to .doc files they are getting detected without opening them. Is there a reason why detection depends on the file extension? Efficiency? But I can find out what file it is by reading the header. Would that be too slow if WVSX took that into consideration?
    --Edit: I just found the same behaviour with a VBS script. I even scanned it manually before renaming, and it was found "clean". Then after adding ".vbs" it was suddenly malware. Weird.
    This looks like one could register a new file extension that will be executed with the scripting host and it will not be detected. Let's see...

    WOAH: OK, huge issue, I think:
    If I register a new file extension for a VBS malware script, like ".vbnew", using the "assoc .vbnew=VBSFile" command and then run the script with wscript.exe, IT RUNS WITHOUT GETTING CAUGHT by WVSX!

    This might not be used YET in the wild, but still; a big issue, imo.
    It must be the same with ".doc" files and probably others, too. I hope this isn't the case for "exe" files... Can you even register a new executable file extension for normal exe files?

    Edit: Oh, I forgot to say that WVSX's heuristic analysis is in "Normal" mode for all tests.

    Edit: Ah, I may have another bug: Right now the status-bar or whatever that bar on the bottom with the version number is called, is not visible. I do not know why. Only a restart of the app resolved this issue.

    Edit: Feature requests:
    - Maybe add a context menu item for uploading a file? I'm not really sure it would help many people, though.
    - The context menu entry to "Scan with WiseVector" can only scan 1000 files at once. Would it be a problem to make it unlimited?
     
    Last edited: Dec 3, 2020
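The extension-dependent detection described in the post above is why a scanner should identify file types from content rather than from the name. The Python below is an added example, not WVSX's code and not from anyone in this thread: it recognises PE, OLE2 and ZIP containers by their header bytes, applies a simple VBScript text heuristic (an assumption chosen for illustration), and reports files whose extension would route them past the right detector. All sample inputs are constructed and harmless.

```python
import re

# Magic bytes of the container formats the thread mentions (.doc/.xls, .docx/.xlsm/.jar, .exe)
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"

# Simple, assumed heuristic for VBScript source: common object-creation idioms
VBS_RE = re.compile(r"\b(CreateObject|WScript\.|Set\s+\w+\s*=)", re.IGNORECASE)

# Constructed, benign samples: only the headers and a few script lines matter here
SAMPLES = {
    "report.doc": OLE_MAGIC + b"\x00" * 24,                       # legacy Word container
    "notes.vbnew": b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
                   b'WScript.Echo "hello"\r\n',                   # VBS under a foreign extension
    "tool.exe": PE_MAGIC + b"\x90\x00" + b"\x00" * 60,            # PE stub
    "data.bin": ZIP_MAGIC + b"\x00" * 20,                          # ZIP container, generic name
    "readme.txt": b"Just some notes, nothing to see here.\n",     # plain text
}

# What a name-based router would assume for each extension
EXT_TYPES = {"exe": "pe", "dll": "pe", "doc": "ole2", "xls": "ole2",
             "vbs": "vbscript", "docx": "zip", "xlsm": "zip", "jar": "zip"}


def sniff_type(data: bytes) -> str:
    """Identify a file from its content, ignoring whatever name it was saved under."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    head = data[:4096].decode("latin-1")   # never fails, so binary junk is still inspected
    if VBS_RE.search(head):
        return "vbscript"
    return "unknown"


def extension_type(name: str) -> str:
    """Type a name-based router would assign (the behaviour the post observed)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXT_TYPES.get(ext, "unknown")


def mismatches(samples: dict) -> dict:
    """Files with scan-worthy content that the extension alone would misroute."""
    out = {}
    for name, data in samples.items():
        by_ext, by_content = extension_type(name), sniff_type(data)
        if by_content != "unknown" and by_content != by_ext:
            out[name] = (by_ext, by_content)
    return out
```

Running `mismatches(SAMPLES)` flags `notes.vbnew` and `data.bin`, the two files whose names hide their real type; a content-first scanner would send both to the appropriate static analyser regardless of what `assoc` maps the extension to.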
  23. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Em...I think you misunderstood me. We just try to optimize WVSX to meet the needs of most users. We've always weighed the pros and cons in this process.
    As @__Nikopol posted, adding a slider to the background menu is good; we will do this in the future. ;)
     
  24. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Of course we will test the files again and most of them will be analyzed manually one by one. If you want to know more details about the files, please send them in one pack to virus@wisevector.com.
    Do you mean by that that the 33 files were detected as malicious when scanned with "Aggressive" heuristics? Set to Aggressive, WiseVector StopX can detect more suspicious files during static scanning, but there might be more FPs. Therefore setting it to Normal or High is appropriate for most users. The setting takes effect only when you perform static scanning. If you are experienced in checking whether a file is malicious or not, setting it to Aggressive is OK.
     
  25. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    543
    Location:
    China
    Of course we have.
     