WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,509
    Location:
    Canada
    @pvsurfer

    you should be able to use Task Scheduler to create a task that launches the program when your daughter logs on to her account.
     
  2. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,049
    Location:
    Baden Germany
    There should be an option during setup:
    Install for current user only?
    Install for all users?

    Creating a schedule, is beyond skills of an average users.
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,979
    Only happened the once, for both.
     
  4. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    Hi,
    We focus on Windows currently and not so sure about how to answer your question at present. I think it depends on how many users need such kind of additional protection on Mac, then we will make our plan accordingly.;)
     
    Last edited: Sep 5, 2020
  5. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    Sorry for the inconvience. WVSX can't automatically load into all standard accounts at present and what @Azure Phoenix said is correct. We will get this resolved.
     
    Last edited: Sep 5, 2020
  6. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    Thanks for your reply. Please let me know if this happen again.
     
    Last edited: Sep 5, 2020
  7. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    It's a good advice, thanks! I think this option is neccessery when a computer is used by more than one person.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    OK, I see this makes sense.

    Perhaps I misunderstood, was the file of Quick Shutdown wrongly detected on disk or was it the qsd.exe process that was runnning in memory?

    OK, this is what I meant, so you have actually tested malware that use these techniques? And let me explain, there is a difference between blocking malware pre execution and post execution. So normally, an AV will simply block malicious files on disk, and they don't even get a chance to run.

    But let's say AV fails to spot malware and lets it run, then the behavior blocker should block malicious behavior from the malware, like process hollowing, code injection, and keylogging for example. So how did WV block these malware samples that you tested it against, pre or post execution?
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    R- if I can intrude, in the test I ran I made sure that some of the malware used various techniques and actually included a Netwalker and an Agent Tesla, so both process hollowing and code injection seemed to be covered. Also I made sure that freshly coded FUD malware were included (as well as the network being disabled) so WV certainly had no help via "dumb" detection.

    But as far as keyloggers (hint: Pyhook is tough) are concerned I suggested then and still suggest now having an outbound firewall in place as any info steeling malware that is undetected STILL needs to connect out.

    M
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Thanks for the feedback, but just to make it clear. You say that you tested NetWalker and Agent Tesla, but did WV simply block them from running? Or did it block certain techniques like process hollowing and file encryption after they were already active in memory? That's what I'm trying to figure out.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    Process hollowing and plain .dll injection for that matter are usually detected as attempted process modification attempts against the targeted process. In other words, no memory modification has occurred. If injection takes place, any memory based detection would almost have to be signature based or limited in nature to the code behavior being executed in memory. Additionally if detection was had in memory, system modifcation activities could have occurred prior to the memory detection. Something like Kaspersky does system snapshot ting and can rollback those modifications after a memory detection.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,654
    Location:
    USA
    Can WiseVector Stop-X be used with another AV like Eset?
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    Good question.

    Since Eset and some other AV solutions have active memory protection/detection mechanisms, the same scenerio exists that applies to running two real-time scanners together. That is the possibility of "deadly embrace" conflicts. The most likely source of conflict would be with Deep Behavior Inspection. So an exclusion for WiseVector would have to be created there and also possibly for real-time scanning. Something I for one would not recommend at this point given WiseVector current vetted status. Again, we talking about two security solutions using kernel mode drivers.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,654
    Location:
    USA
    I would say you are right, it's probably not a good ideal. I was curious since I hadn't even heard of WiseVector until last week. Eset also has machine learning, I wonder how they compare. I wonder how evolved Eset's machine learning module is at this point. I would say WiseVector probably wins in the machine learning category since that is their main focus, from what I can tell. I'm just speculating though, I will look into WiseVector more when I have time.
     
    Last edited: Sep 5, 2020
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,470
    Location:
    Hawaii
    I ran WV together with VoodooShield for several days. No problem. I am now trying WV in combo with SecureAPlus.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,509
    Location:
    Canada
    Or keep it simple without sacrificing effectiveness and run WV together with built-in Windows Security. Try not to lose sight of how strong and effective Windows 10 already is when it's kept updated and you utilize it's built-in security measures.
     
    Last edited: Sep 5, 2020
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,366
    Location:
    Among the gum trees
    And if we wanted to try, exactly what exclusions should be put in place?

    @WiseVector ?

    Thanks.
     
  18. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    We have several layers to block malware and "qsd.exe" was detected by our static scanning.
    Yes, we have tested thousands of malware samples using these techniques and WVSX can detect them.
    Every AV wants to block all malicious files on disk, but actually it's a dream can hardly be achieved, since there always have a small amount of malware missed from static scanning. That's why we need a behavior blocker.
    The malicious behavior, like process hollowing, code injection, and keylogging, WiseVector StopX detects them at pre-execution and post-execution stage.

    Yes, it can be used with most other AV including Eset.

    WiseVector StopX can work well with ESET, I think there is no need to put exclusions.
     
  19. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    As far as I know the memory detection of ESET is Signature based. Our memory detection is Machine Learning based, so no feature duplicated here.
    Our driver has no conflict with ESET as well.
     
  20. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,321
    Location:
    Hollow Earth - Telos
    It looks like WiseVector does not have a conflict wiith any other apps. Under advanced i excluded Kaspersky Security Cloud, HitmanPro.Alert and OSArmor. Was this necessary for me to do. Is there a list of known Apps that have conflicts with WiseVector.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    I certainly wouldn't agree with this. Eset has spent years developing their machine learning technology: https://www.welivesecurity.com/wp-content/uploads/2019/11/ESET_Advanced_Machine_Learning.pdf
    Eset employs multiple memory detection methods.

    The one you are referring to involves use of Win 10 AMSI interface to scan scripts in memory prior to execution. A feature that WiseVector does not have that I am aware off. Eset also employs the AMSI interface to scan browser and targeted Win processes. Eset uses their Augur deep behavior inspection machine learning engine to monitor memory code post execution. Additionally Eset HIPS is utilized and interfaces with its advanced memory scanner, exploit blocker, deep behavior inspection, and ransomware protections. Also least it be overlooked is Eset employs a Web Access scanner that monitors all Internet based activity including client e-mail scanning. Its firewall protection has a full feature IDS capable of detecting known exploits and:

    Eset_IDS.png

    Plus network packet inspection protections and botnet protection.
     
    Last edited: Sep 6, 2020
  22. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,321
    Location:
    Hollow Earth - Telos
    Like any other defense, AMSI is not a panacea, and ways to bypass were found at Black Hat 2016. It remains to be seen whether Microsoft has been able to plug the holes found by researchers.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    Correct. However, Eset and I assume other AV vendors have become quite proficient in detecting those and also UAC bypasses.
     
  24. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,321
    Location:
    Hollow Earth - Telos
    "As with any other security measure, there are also ways to get around AMSI. If, for example, PowerShell version 2 is executed on the respective system, the AMSI integration will be missing from PowerShell and the executable code is not scanned. Since AMSI also uses a signature-based approach, a significant change can potentially prevent discovery of detected malware scripts. Another method is to disable AMSI with the PowerShell cmdlet Set-MpPreference. This disables Windows Defender’s real-time detection, an operation that requires administrator rights".
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.