Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.
Does WVSX scan ram? I see no mention it as a custom scan option?
Yes, WVSX scans ram when you perform full scan and quick scan.
When Real-time deep memory inspection is enabled, WVSX can detect in-memory malware that uses the following techniques: Reflective Dll Injection, Process Hollowing, Manually PE loading (Exe and Dll), DotnetToJS, Sharpshooter, Net code in PowerShell, Process Doppelgänging, Process Reimaging, remote threads in system processes and etc.
OK thanks, so you improved WVSX and now it catches it. But can you tell me how it's caught, is it purely by watching behavior or is it because of improved signatures?
But AI isn't supposed to be based on signatures right? Or are these "signatures" related to AI/machine learning?
We have improved behavior signatures to detect it.
Our AI cannot detect all types of malware in 100%. Such being the case, our AI in the cloud (much stronger than the local AI) will try its best to extract family signatures from the missed samples and then deliver them to endpoint immediately.
This is certainly true as could be seen by a new strain of ransomware that came out in the past 2 weeks. Not given a name so far (but I will, calling it Killar after the main encryption routine). It was coded in Golang (up and coming language for ransomware, used in Snake last year and Smaug last month) and is a fast encryptor.
As Killar was a few days old I was impressed but actually not surprised that when it was run WV detected and stopped it. But this did not tell me anything about the strength of the AI component of Wisevector. So to that end:
1). with WV installed I both blocked the network as well as shutting off the real time protection component.
2). I modified Killar (not that much, but enough) and ran this variant.
Although the malware was once again detected, WV did take a few seconds to "think about things" which turned out to be a few seconds to long for this fast encryptor to be stopped from trashing files.
To be fair, this was a rather nasty test, and the next day similarly coded variants were stopped immediately with WV real time enabled. But nonetheless, a true zero day new malware strain will present initial issues. This can be prevented by the addition of CF (cruel). CF and WVSX work marvelously together as could be seen with Killar: on the malware run, CF will contain it immediately, and when WV recognizes it after those few seconds it would be deleted from within containment. Even cooler is those files that would have been encrypted on the actual system in the absence of CF can be viewed within the VTRoot (containment) directory. A simple sandbox flush (or reboot) will leave the system as pristine as ever.
In short, although WVSX continues to impress, the addition of CF will result in a Killar combination.
Great deductive logic example as always, my lady. Perhaps WV can work a deal out with Comodo? After all, its AV sucks. Also appears WV is already using Comodo certs..
Good night, what a nasty. Is this not something enterprises (more than home users) should be shaking and quaking over?
WiseVector, are you considering in the future to cater to enterprise? This setup illustrated above: Stop X plus a containment/sandbox to buy some time to analyze--it sounds really good.
I've been following recent discussion on this thread and I decided to install WVSX since I also have recently installed Comodo Internet Security Pro for which I used CruelSister's configuration settings.
I'm using Windows 10 Pro v.2004 OS Build 19041.572 and I normally use a standard account for my work at the PC. The installation of any program requires administrator rights which I provide as necessary.
The installation of WVSX was problematic, because during the installation CIS stepped in and asked me whether to allow WSVX-related programs to run not isolated the next time. The installation stalled (at 100%) and I was obliged to close it. I restarted it after changing the rating of three WSVX files in CIS to "Trusted" and this time it proceeded to the end, including requiring me to restart the computer. I restarted the computer, but WSVX would not open. In fact the icon appeared in the Taskbar tray, but then it disappeared. I therefore uninstalled WSVX and rebooted the computer. I restarted the installation after checking that the rating of the WSVX installer in CIS was "Trusted". This time the installation proceeded with no problems, but I was not asked to restart the computer.
Running a Quick scan with WSVX was quite slow, taking quite a few minutes to complete. It discovered one possible malware, but I believe it's a false positive. I reported it using the WSVX interface. What will happen now? Will I get some feedback from WSVX?
The WSVX tray icon menu shows as selected both the Basic and Advanced protection. What is the difference between the two? Since there is no Help provided for the program, this is a bit confusing to say the least.
I would also ask the developer if the installation of WSVX on my computer is considered all right given the problem that I faced. Is there a way to uninstall WSVX completely and redo the installation if necessary?
Another question that comes to mind is how would I use WSVX on a day-to-day basis having in mind that I would be using a standard Windows account as opposed to an administrator account for my work on my PC.
Thanks a lot for your testing!
Is there any file encrypted during the few seconds? If yes, can you please send the sample to email@example.com or upload it to a netdisc? We would like to test as well.
I think this says it got at least some of the files.
We aims at home users at present. Getting WiseVector StopX improved to be more powerful is our first priority. No plan to add a containment/sandbox now.
We would like to cater to enterprise in the future.
To be precise, the test was run as follows:
1). Network was disabled prior to WV installation
2). WV installed and Real Time protection disabled, and system was rebooted
3). An initial verification of protection was done by running an older Tesla, which WV detected and quarantined.
4). Killar was run. It is important to note that this ransomware has a biphasic method of action. Phase 1 is an attack on the Desktop and the Documents folder (where ONLY doc files are targeted). Phase 2 is encryption of other things in other folders (Music, Videos, Contacts. etc).
Results- Encryption was allowed for phase 1 (that the Honeypot files were in place was confirmed), and desktop items and doc's were affected. Killar was then detected prior to Phase 2 attack, so no other changes were seen.
(Fun Fact- AppCheck is similarly affected, but infected items were auto-restored.)
thank you for your testing and for sharing your analysis. Just curious, is the sample you tested similar to what is reported in the following link:
Thanks for your reply with the details.
The installer on our official site was released 2 months ago. During the 2 months, we have got WVSX updated and added a dozen new ransomware detection modules. We usually upgrade our behavior detection models at least once a day.
We're curious about your test because we have tested Killar ransomware sample (sha256: 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f)
when this sample just appeared and no file was encrypted. WVSX terminated the ransomware with name: "WIBD:HEUR.Ransom.U".
The following situations can be considered a failure of WVSX,
1. Update WVSX to the latest, disconnect from the network, disable Real Time protection, run the malware, files got encrypted..
2. Use some hardest packers or other Antivirus Evasion Tools to bypass WVSX's static scanning, run the malware, files got encrypted.
This problem was probably caused by Comodo. Normally, there is no need to restart the computer when you complete the installation. If the GUI showing "You Are Protected" means WVSX is well installed.
Thanks for reporting the suspected file to us. If it's a false alarm, we'll fix it. Please scan the file again after some time.
If you report the file through email (firstname.lastname@example.org), you will get our reply once the analysis is over.
Usually, when you perform the first scan with WiseVector StopX, the speed will be not fast, since our engine will extract lots of metadata from files when scanning. Next time the scanning speed will be much faster.
Sorry for the inconvenience at present. Basic protection includes Real-time protection ( scan running processes, scan on file execution and scan on file creation). Advanced protection means AI based Behavior Detection.
Using the uninstaller of WVSX is the best way.
At present, you need to start WiseVector StopX manually when using a standard Windows account.
Thank you for all your answers to my questions. Apparently in the end all went well with the installation as I do see the "You Are Protected" message when I open the GUI. I look forward to trying out WVSX in more depth in the next few days.
Also my apologies for writing the acronym for WiseVector StopX wrong! I see my typos in my previous message and I cringe...
She already explained this previously:
Elaborating, she modified the sample enough to create in effect a 0-day ransomware.
If "smart" behavior signatures were used, they failed to detect this was a polymorphic variant.
WV other behavior detection methods;
And detected for:
She also noted that another dedicated anti-ransomware product popular with Wilders folks had the same results. However, this product does auto backup of protected folders and was able to auto restore any files encrypted in phase 1 of the attack.
What matters is that she didn't update WVSX to the latest before disconnecting from the network (please correct me if i'm wrong). WVSX works in a way that may not be the same as the others, its behavioral models are frequently updated based on AI and expert analysis. As I said before, it can be considered a defense failure if following situation occurs.
1. Upgrade WVSX to the latest version and disconnect from the network.
2. Modify the ransomware (like cruesister did) so that it can evade the static scans of WVSX.
3. Run the ransomware, if files are encrypted, it can be considered a failure.
I recommend that testers should upgrade WVSX at least once a week, two months is a long time.
Of notice @itman's statement
@WiseVector- And you will pardon should my previous earlier post expressing curiosity of interest belabor the point when I (not suggested), but asked IF WVSX at some future point MIGHT could find of use integrating a "rollback mechanism" of sorts only in the event a clever bypass would make success at encrypting some files or/or evading the dummy bait files or WVSX capture mechanisms. That said the updates im confident are designed to any discovered found gaps.
Of a fact that sort of aggressiveness is possible as apparently is been evidenced (Thanks @cruelsister) but obviously by the most notorious of concoctions badware authors research & dream up to fulfill their expectations.
As an active beta tester for the anti-ransomware program Ransomoff when first introduced it was found to be a useful integral part of it's own prevention technique fully, due to that equally novel ability to instantly rollback affected files. Incredibly effective bypasses are no doubt novel studio material code for badware actors active in improving that capability.
Its why just out of curiosity, if decided to also employ a similar feature would it in any way take away from the magnificient stellar lightweightness of WVSX. Or otherwise inhibit any of the already effective preventions well built in this program in it's current form.
Not that rollback is or ever needed nor expected on a future release. Just as mentioned. A curiosity given potential of advance novel inventions to present themselves,
We plan to add ransomware rollback in the near feature. (Thanks again for your test @cruelsister)
Today we tested a zero-day ransomware and although WVSX were able to detect the malware by real-time protection, the ransomware still encrypted the files on desktop during dynamic execution with real-time protection disabled . We realized that we need to add ransomware rollback feature. We have discussed the technical details of how to balance between performance and real-time backup. We will release the next version of WVSX with ransomware rollback feature asap.
CruelSister disabled WV real-time protection in her testing noted previously. I believe the assumption was it was only positive signature based.
My opinion is currently, most top-tiered security solutions real-time protection feature's incorporate behavior detection methods . As such to fairly test the product, real-time protection should never be disabled.
Because as seen lately smart behavior signatures isn't that much reliable either, so we must put our brains to work to come up with something more better technology wise.
@WiseVector- Great News indeed!
Our deepest compliments to such dynamic and thoughtful attention as well as your own personal support!
Making an already fascinating product even better.
I'm confident that your team of researchers and inventors will succeed greatly at achieving that balance to keeping it lightweight and effective as ever. Thank You
I sincerely appreciate the admissions, for better or worse, when updating on WV's progress. Many products keep their development hush-hush (for obvious reasons) but in this case, it's nice to see the disclosures, particularly when it comes to ransomware and how various products deal with it at any given moment.
I totally agree with you on that! The only reason that I disabled the WVSX protection was to gauge its ability to detect malicious mechanism sans any sort of signature based detection ability; and even then I had to resort to playing dirty by re-coding a new malware strain in order to bypass. Please make no mistake- for its size and speed WVSX is extremely impressive, and quite frankly I felt very guilty by being very nasty.
My compliments to the coders!