WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,562
    Location:
    Among the gum trees
    Hi @WiseVector ,

    I'm not sure if I'm more impressed by your awesome program or your stellar support. Nice work, and thank you! :)
     
  2. JasonUK

    JasonUK Registered Member

    Joined:
    Nov 24, 2017
    Posts:
    103
    Location:
    UK
    Read through the many, many pages of feedback and valuable comments/responses on the WIseVector threads both here and Malwaretips and have finally taken the plunge and installed WiseVector... it's now scanning which could take some time! Also stepped MBAM back to 'On Demand' after years of it running alongside AV. I should probably ditch MBAM all together based on recent performance tests but will see how WiseVector goes first.
     
  3. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,438
    Location:
    Milan and Seoul
    Krusty you are right, everything about this program seems to be just fine, WiseVector are you using alien technology:D ?
     
  4. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    534
    Location:
    China
    Office documents with malicious macro inside can be detected by WVSX static scanning based AI. Our behavior blocker can also prevent Office from running suspicious
    executable.

    By our observing, Drive-by download is relatively rare nowadays. Instead, hackers often trick the user into downloading a JavaScript file to their hard disk, this is a way to circumvent many of the protections built into most web browsers that mitigate the risks of JavaScript. Windows will block an .exe file, for example, but allow a JavaScript (.js) file to run. WVSX's behavior blocker is good at detecting these type of scripts.

    PE Files being used most of the time in malware attacks. Detecting PE Malware is exactly what AI good at.
     
  5. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    534
    Location:
    China
  6. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,570
    Location:
    USA
    If WD's real time malware protection is enabled (on Windows 10) it actually prevents installation of PrivateWin10 (v0.84) considering it to be a "severe threat". This has been reported to @DavidXanatos (PrivateWin10's developer).
     
    Last edited: Nov 2, 2020
  7. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    534
    Location:
    China
    @JasonUK
    Thank you for trying WVSX. Any question please feel free to contact me.:)
     
  8. JasonUK

    JasonUK Registered Member

    Joined:
    Nov 24, 2017
    Posts:
    103
    Location:
    UK
    600,000+ files into full scan and first alert from WV RT/Protection scanner received and it's quite an important file...

    C:\Windows\System32\svchost.exe which has been flagged & quarantined with alert WIBD.HEUR.InfoStealer.F012 ~ scanned it with WD, Avast, Avira, Kaspersky, MBAM (RT & on demand scanners) & uploaded to VirusTotal which all give a clean bill of health. File restored for now.

    *Edit: Used WV to scan file again and this reported no issues (I hadn't excluded file).
     
    Last edited: Nov 2, 2020
  9. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,054
    Location:
    Baden Germany
    A software that tries to disable WD, when starting it, is what I call unwanted.
    Open source is not an excuse for that.

    I my opinion, it should not be white-listed.

    If a user decides to use such, he may exclude it himself.
     
  10. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,349
    I fully agree with you.
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    7,637
    Location:
    Hawaii
    The fact that a highly questionable (crappy) app is open source, or "useful," or developed by a "reputable" person, or a "favorite" of many users, is NO REASON to whitelist it!!!
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Hi, thanks for the feedback. I will test it again later and let you know. sorry i was in hurry and did not look into these details. Good that you are around.
     
  13. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    534
    Location:
    China
    Hi,

    This action is detected by Behavior Detection but not static scanning.

    "WIBD" means "WiseVector Intelligence Behavior Detection". Malicious actions being detected by our advanced behavior detection is named WIBD.***.
    The detection means "svchost.exe"is reading several sensitive data in the system, some files it readed may even not exist in your computer.
    The svchost.exe is system file so WVSX will not quarantine it. WVSX will block the operation and terminate the process,
    So after "svchost,exe" was terminated, did you observe any anomalies in the system?

    By our observing, "WIBD.HEUR.InfoStealer.F" indicates svchost.exe is reading following folders or files,

    C:\***\AppData\Local\Google\Chrome\User Data\Default\Login Data
    C:\***\AppData\Roaming\Thunderbird\profiles.ini
    C:\***\AppData\Roaming\Flock\Browser\profiles.ini
     
  14. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    534
    Location:
    China
    After checking the software's source code (TweakEngine->TweakPresets.cs). We can sure that disabling Windows Defender is part of its tweaks. So the software itself is not malware. However, you guys reminded us of the possibility that this software could be abused by hackers. We have removed it from our whitelists, thanks. @Nightwalker @Hiltihome
     
  15. JasonUK

    JasonUK Registered Member

    Joined:
    Nov 24, 2017
    Posts:
    103
    Location:
    UK
    Thanks for info. You're right, WV asked whether I wanted to generate an exception or not (not quarantine it as I mistakenly stated). I did not notice any anomalies in the system subsequently.

    What I have noticed is how light on resources WiseVector is compared to Malwarebytes so the latter has now been uninstalled entirely for now!
     
  16. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,236
    Location:
    US
    Ok, so I believe that I am ready to give this bad boy a try. My plan is to change Malwarebytes to on-demand only. My scanner is Microsoft Defender. The only other security program on my system is VoodooShield.

    Question: I know that Defender and WV are compatible but in order to make it so are there any changes or whitelisting that I must do, or is WV instantly compatible as soon as I install it.
    Thanks everyone, Acadia
     
  17. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,349
    It is instantly compatible, they are both running fine here on my machine without any special setting.
     
  18. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    534
    Location:
    China
    Hi,

    "svchost.exe" need to access various sensitive folders or files in a short time to trigger the detection. Under normal circumstances svchost.exe will not access private files, let alone several of them. However, you said you found nothing with many well known AV, it's very strange.

    If you still have WV installed and if this alert appears again, please can you tell me what are you doing on your computer at that time?Thanks
     
    Last edited: Nov 3, 2020
  19. JasonUK

    JasonUK Registered Member

    Joined:
    Nov 24, 2017
    Posts:
    103
    Location:
    UK
    Identical alert, same file just now... only thing I was doing when alert popped up is refreshing a webpage (www.espncricinfo.com) using Vivaldi browser. (Of the 3 programs you list in post #716 I only have Thunderbird installed which checks every 3mins for new mail)

    ..and again 6hrs later when only program I was running was a full scan with Avira AV (which found nothing). This time no browser or email was open.

    Mystified at this point what's causing and with log not indicating which instance of svchost was terminated (sometimes there'll be dozens of svchost processes running) I'm not sure how you can identify which process has caused the alert when it's already been terminated before you can check?!
     
    Last edited: Nov 3, 2020
  20. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,236
    Location:
    US
    Thanks, Nightwalker!
    Acadia
     
  21. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,236
    Location:
    US
    Ok, confused. Downloaded and ended up with two files:

    WiseVector_StopX.exe Application 0 KB
    WiseVector_StopX.exe.part PART File 112 KB

    Never seen a download like this before, what do I do with these two files, click on one of them, both of them??
    Thanks
     
  22. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,124
    Location:
    Location Unknown
    That just means your download did not complete successfully. PART files are temporary files while a download is going on. Try again.
     
  23. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,236
    Location:
    US
    Thanks, n8chavez, the second time did it.
    Acadia
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Tried as suggested, unfortunately still fails as far as I can test.
     

    Attached Files:

  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,589
    Location:
    Canada
    FWIW and for anyone who cares, svchost.exe seems to be by far the most active system process at reading/modifying other files or folders in vulnerable directories. I have observed the following:

    Code:
    C:\Windows\TEMP\*
    
    C:\Users\*\AppData\Local\Microsoft\WindowsApps\*
    
    C:\ProgramData\*
    
    C:\Users\*\AppData\Local\Temp\*
    
    C:\ProgramData\Packages\*
    ...to name a few.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.