WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    Hi,

    Please at least quit Comodo before testing. "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" is a common registry key that many programs will modify before connecting to the network. By default WVSX will prevent IE from spawning a PowerShell process, but I can't see this in your screenshots. Maybe Comodo interfered with it?

    Poweliks is six-year-old malware; we haven't tested the malware yet. According to your screenshot, it appears that the malware has been blocked by memory scanning in the first place. From https://www.trendmicro.com/en_us/research/14/h/poweliks-malware-hides-in-windows-registry.html we know Poweliks will create an autorun key and inject a DLL into other system processes. Honestly, I don't believe it can bypass WVSX, since WVSX will not allow PowerShell to perform the above actions.

    Please quit Comodo and then test again. You need to check if the malware has successfully created the autorun entry or injected into other system processes. Some virus cleaners hunt for the specific mutex in the system to check if the specific malware is installed. However, the mutex may not get released after the malware has been stopped by WVSX.

    You can download a test file here: https://www.wisevector.com/test.zip
    You can double-click it in your VM to see if WVSX's behavior blocker works normally or not, thanks.
     
    Last edited by a moderator: Nov 4, 2020
  2. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    Thanks for your information. However, the detection will not be triggered by simply reading private files or folders.
    It is foreseeable that this would result in a large number of FPs.
     
  3. JasonUK

    JasonUK Registered Member

    Joined:
    Nov 24, 2017
    Posts:
    100
    Location:
    UK
    I think I may have identified the program which is sparking those svchost alerts ~ Bitsum's Process Lasso. I racked my brain last night about which programs may be constantly monitoring all processes, and Process Lasso, which I've had installed for years, seemed a likely candidate. I disabled PL and have not had any repetition of the svchost alert... so far!
     
  4. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    Hi,

    We downloaded the Vivaldi browser and have been using it for a couple of hours, including visiting the website you mentioned. But we didn't receive any alert from WVSX. We don't think Vivaldi or Thunderbird is the cause of the detection. Please try the following steps:

    1. Download Process Monitor from here: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
    2. Open it. On its toolbar, enable "Show File System Activity" but disable the other activity types so we can exclude the tremendous amount of irrelevant information.
    3. From its top menu, click "Filter"->"Filter". Select "Path"->"contains"->"Include", copy and paste OPERA STABLE\LOGIN DATA into the edit box, and click "Add". See the screenshot below:
    https://i.imgur.com/lZZICAx.png


    4. Add another filter, but replace the edit box contents with Chrome\User Data\Default\Login Data.

    Then use your computer as usual. If svchost.exe wants to harvest sensitive data, it will show up in Process Monitor.
    You can see its process ID and what DLLs are loaded. You can contact us at support@wisevector.com directly if you have further information.
     
    Last edited: Nov 4, 2020
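    One way to triage the Process Monitor capture from the steps above once it has been saved as CSV (File > Save..., CSV format), as an added example that is neither WiseVector's nor the poster's own code: it reads the export (column names assumed to match Procmon's default CSV header) and flags any process other than the owning browser that touches the Opera or Chrome "Login Data" paths, including failed probes for files that do not exist. The sample export below is constructed, not a real capture.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (not a real capture).
# Column layout assumed to follow Procmon's default CSV header.
SAMPLE_PROCMON_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","chrome.exe","4120","CreateFile","C:\Users\me\AppData\Local\Google\Chrome\User Data\Default\Login Data","SUCCESS","Desired Access: Generic Read"
"10:01:05.3","svchost.exe","1332","CreateFile","C:\Users\me\AppData\Roaming\Opera Software\Opera Stable\Login Data","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:05.4","svchost.exe","1332","ReadFile","C:\Users\me\AppData\Local\Google\Chrome\User Data\Default\Login Data","SUCCESS","Offset: 0, Length: 4,096"
"10:01:07.0","opera.exe","2210","ReadFile","C:\Users\me\AppData\Roaming\Opera Software\Opera Stable\Login Data","SUCCESS","Offset: 0, Length: 4,096"
""".strip()

# The two path fragments from the Procmon filters above (matched case-insensitively,
# like Procmon's "contains"), each mapped to the browser expected to read it.
SENSITIVE_PATHS = {
    r"opera stable\login data": {"opera.exe"},
    r"chrome\user data\default\login data": {"chrome.exe"},
}


def suspicious_credential_reads(csv_text):
    """Return (process, pid, operation, path, result) for every file-system
    event on a browser credential store by a process that is not that browser.

    A NAME NOT FOUND result is kept on purpose: a process probing for a
    credential file that does not exist on the machine is still worth a look.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"].lower()
        proc = row["Process Name"].lower()
        for fragment, owners in SENSITIVE_PATHS.items():
            if fragment in path and proc not in owners:
                hits.append((row["Process Name"], int(row["PID"]),
                             row["Operation"], row["Path"], row["Result"]))
    return hits


if __name__ == "__main__":
    for proc, pid, op, path, result in suspicious_credential_reads(SAMPLE_PROCMON_CSV):
        print(f"{proc} (PID {pid}) {op} -> {path} [{result}]")
```

    The PID in each hit is what you would look up in Procmon's Process Tree or Event Properties to see which DLLs the svchost.exe instance has loaded.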
  5. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    So Process Lasso will let svchost.exe read sensitive files that don't even exist on your computer? It sounds a little weird. Anyway, you can try the instructions above.
    Did you download Process Lasso from their official website?
     
    Last edited: Nov 4, 2020
  6. JasonUK

    JasonUK Registered Member

    Joined:
    Nov 24, 2017
    Posts:
    100
    Location:
    UK
    PL does not read sensitive files at all but does "dynamically adjust process priority classes", which would include juggling the dozens of svchost processes which may be running at any time. Whether that would have any impact on WV or trigger an alert I have no idea, but it's one of the few user programs installed that is monitoring resources/processes. Since disabling it I haven't had a recurrence... maybe that's just a coincidence, but we'll soon find out, as I've re-enabled it and set up Process Monitor as you suggested. The software was downloaded from the official website. I'll email any relevant info if/when the alert recurs.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Ok Thanks. I will try to do it later and let you know.

    By the way, does WV actively monitor file reads/writes just like a traditional AV? If this is the case then I guess we should disable Windows Defender when WV is installed to decrease the overhead. Am I right?

    Thanks
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,493
    Location:
    Canada
    Sorry I wasn't clear. There is actual writing of data into these directories. A better example of this might be:

    Code:
    C:\Users\myself\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\extensions\support@lastpass.com.xpi
    This is obviously an authorized extension that I installed, but it illustrates that there can be a desire to monitor for unauthorized data writes to vulnerable directories.

    Anyway, I don't want to dwell on this, as there's probably little interest for most users of your product in this type of data control.
     
  9. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    Yes, WV will monitor file reads/writes, but the I/O operations were optimized so WV doesn't take up as many resources as traditional antivirus software does.
    If you are concerned about your computer's speed you can disable on-access scanning in WV. Open WV, click "Settings"->"Basic"->"Real-time protection"->"Set up"->uncheck "Scan file on creation".
    Or you can disable Windows Defender Real-Time Protection. Open Windows Defender Security Center, click the "Virus & threat protection settings" option, then turn off the "Real-time protection" toggle switch.
     
  10. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    Hi,

    Thanks for your advice. But you can't install an extension just by copying the .xpi file to the profile folder. At the very least, you need to drag the .xpi file onto a Firefox tab to install it.
    So this won't be a security issue for now, but we'll keep an eye on it, thanks.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,410
    Location:
    U.S.A.
    WD will auto re-enable itself in short order:
    https://support.microsoft.com/en-us...security-2ae0363d-0ada-c064-8b56-6a39afb6a963
     
  12. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    536
  13. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,020
    Location:
    Canada
    I'm using Defender Control.
     
  14. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,320
    Location:
    Hollow Earth - Telos
    I can't uninstall WVSX for some reason.
     
  15. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,000
    Location:
    Location Unknown
    What happens when you try to?
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Seems it will still provide on-execution protection? I did this. Good option.
    Thanks
     
    Last edited: Nov 5, 2020
  17. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,554
    Location:
    USA
    @WiseVector,
    I am running WVSX along with SpyShelter (Free). As they both employ a HIPS do you foresee a conflict?
     
  18. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,320
    Location:
    Hollow Earth - Telos
    My UAC pops up and I click on yes. Nothing happens after that. That also happens when I try to install AdwCleaner. I click yes and nothing happens.
     
  19. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,390
    Location:
    Milan and Seoul
    So do I, very effective just one click...
     
  20. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    Hi,

    We have tested SpyShelter V12.3, no conflict with WVSX so far. :)
     
  21. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    505
    Location:
    China
    Hi,
    There might be some problems with your OS. Please restart your computer and try again. It seems that when a program requires administrative access, it can't continue running.
     
  22. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    698
    Location:
    Island of Woman
    There is a conflict: 1) it will stop WiseVector from accessing the memory of other programmes by default, and by looking at the logs there are even more behaviours: 2) it blocks WiseVector's main exe from doing its thing - that's what the log says (I noticed that long after using both at the same time, so WVSX is not immediately stopped, only under certain circumstances/behaviours).
    If you use the SpyShelter Free (SSF) version you need to whitelist all the folders at the beginning, otherwise it will be too late even if whitelisted later (I believe it is a programme malfunction or stupidity of the free version, since you should be able to roll back decisions effectively in SSF; I know SSF doesn't allow rule editing, but still...).
    Anyway, the "allow programme to take action autonomously" option in SSF should be unchecked, or in the paid version you can easily update rules. In SpyShelter Free, whitelist all the folders that you need at the very start, because SpyShelter Free decisions cannot be rolled back, so to speak: WVSX will never access memory again.

    If SSF is configured: no conflict :)
     
    Last edited: Nov 6, 2020
  23. porkpiehat

    porkpiehat Registered Member

    Joined:
    Jul 18, 2015
    Posts:
    45
    'You can download a test file here: https://www.wisevector.com/test.zip
    You can double-click it in your VM to see if WVSX's behavior blocker works normally or not, thanks.'

    Just out of curiosity, what is supposed to happen? WVSX doesn't react when the test is run...
     
  24. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,314
    It should stop the batch file after execution; if that isn't happening, maybe there is a problem with your WiseVector StopX installation.
     

  25. porkpiehat

    porkpiehat Registered Member

    Joined:
    Jul 18, 2015
    Posts:
    45
    No, nothing.... there is a black popup which flashes too quickly to read, but no reaction from WV....

    It seems that even though I exit CFW, it still catches the test before WVSX...

    So, after disabling the FW and containment, WVSX caught the test.... s'all good. :thumb:
     
    Last edited: Nov 6, 2020