WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    482
    Location:
    China
    Hi,
    Did you scan "conres.dll" with WVSX?
    It is an old sample which could be detected by WVSX even two years ago. If Real-time Protection is enabled, I think it couldn't be a missed sample. :thumbd:
     
  2. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Is it that old? It's from a pack from VirusSign that is a few days old. AFAIK they include files that have been recently caught with their honeypots or whatever - or maybe they are files uploaded by users. In any case they should be files that are currently in the wild.

    Yes, the conres.dll was created while real-time protection was enabled, of course. It wouldn't make much sense to test stuff if it is disabled. Since it was written and scan-on-write or whatever that's called is enabled as well, it should have been detected and blocked from being created, but it's always there when I execute a Floxif file. I don't know if the file does anything malicious, but VirusTotal shows like 50 hits or more, so I would expect it to be removed by WVSX.
     
  3. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    482
    Location:
    China
    Hi,
    Thanks for your feedback.
    1. We try to minimize resource usage when performing a scan, so that WVSX will not interfere with the user's other work. In the future, we would like to add an option "Scan faster with more CPU usage" that users can check if they are willing to.
    2. WVSX releases updates every minute, even every second, via streaming updates, not just after boot.
     
  4. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    482
    Location:
    China
    I'm pretty sure this sample could be detected by WVSX even two years ago. You can download the WVSX installer through our website: https://update2.wisevector.com/WiseVector_StopX.exe. The installer was built and signed in September. Please disconnect your VM from the network before installing WVSX. Then scan "conres.dll" in your VM, thanks.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Did you upload it to VirusTotal to determine what the detection was there? If this is indeed a two year old sample, the detection rate should be high at VT. If the detection rate is low, then it can be assumed this is a new variant. Also VT will show by date when the sample was first uploaded to it.
     
  6. Sir Percy

    Sir Percy Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    266
    Cool, thank you for replying and for a good product. I really hope you will add this option. :)
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I am having tons of False Positives with the latest PyCharm Professional version, even without executing any code I have written. The operation of PyCharm itself is causing the false positives. I have been submitting them as false positives from within WiseVector StopX.

    I got a free license for PyCharm Professional through my University. There is also a free community version with less features. You may want to see if they will give you a license for the professional version for testing purposes. https://www.jetbrains.com/pycharm/

    I'm using Windows 10 x64 Professional version 20H2, and I have Python version 3.9.1 installed. Below is information about the version and build of PyCharm I am using.

    Product: PyCharm
    Version: 2020.3
    Build: 203.5981.165
    Released: December 02, 2020
     
  8. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    482
    Location:
    China
    Hi,

    We have tested PyCharm 2020.3 with Virtualenv installed. When running python scripts in PyCharm it will inject a remote thread into Python.exe.
    This behavior is considered dangerous and will be blocked by WVSX's behavior detection. We have now fixed this issue, thanks for your feedback.
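    As an added illustration of the false positive described above (example code written for this edit, not WiseVector's detection logic), here is how a defender might triage CreateRemoteThread telemetry and carve out an exception for the IDE's debugger attach without allowlisting by file name alone. The PyCharm image name, its install path and the Sysmon-style records are assumed/constructed.

```python
import ntpath
from dataclasses import dataclass

@dataclass
class RemoteThreadEvent:
    source_image: str  # process that called CreateRemoteThread
    target_image: str  # process the thread was created in

# Constructed Sysmon-style Event ID 8 records (not real telemetry).
SAMPLE_EVENTS = [
    # 1: the IDE attaching its debugger to the interpreter (the FP from the thread)
    RemoteThreadEvent(r"C:\Program Files\JetBrains\PyCharm\bin\pycharm64.exe",
                      r"C:\Users\u\venv\Scripts\python.exe"),
    # 2: an unknown binary creating a thread in a system process
    RemoteThreadEvent(r"C:\Users\u\Downloads\dropper.exe",
                      r"C:\Windows\System32\svchost.exe"),
    # 3: a binary merely named like the IDE, run from a user-writable folder
    RemoteThreadEvent(r"C:\Users\u\Downloads\pycharm64.exe",
                      r"C:\Users\u\venv\Scripts\python.exe"),
]

# Exception tuple: (source install dir, source basename, target basename).
# Install path and image name are assumptions for this example. Tying the
# exception to the install path (in production, also the code signer) keeps a
# renamed binary in Downloads from inheriting the exception.
IDE_EXCEPTIONS = [
    (r"C:\Program Files\JetBrains\PyCharm\bin", "pycharm64.exe", "python.exe"),
]

def _norm(path):
    # Lower-case and canonicalise separators so comparisons are exact.
    return ntpath.normcase(ntpath.normpath(path))

def is_allowed(ev):
    src_dir, src_name = ntpath.split(_norm(ev.source_image))
    tgt_name = ntpath.basename(_norm(ev.target_image))
    for inst_dir, name, target in IDE_EXCEPTIONS:
        if src_dir == _norm(inst_dir) and src_name == name and tgt_name == target:
            return True
    return False

def triage(events):
    """Return the events that should still raise a remote-thread alert."""
    return [e for e in events if not is_allowed(e)]

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print("ALERT:", e.source_image, "->", e.target_image)
```

    Only the genuine IDE-to-interpreter attach is suppressed; the same image name launched from a user-writable folder, or the IDE touching any other process, still alerts.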
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Thank you for looking into this so quickly! I use PyCharm for a Python course I am taking at my University.
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    As an adjunct to your course, get yourself a copy of Violent Python (a fun read).
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Thank you for the recommendation! I will get it, but I will not have time to read it until after I'm finished with the course. It's been difficult getting everything done these last few semesters. I'm glad I only have two more to go!
     
  12. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    Enjoy every second and absolutely absorb everything. Undergraduate education is a wonderful thing only appreciated fully after it is done.
     
  13. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,352
    Location:
    Hawaii
    I did a full scan & WV found 2 possible malware, which I immediately uploaded. WV marked both of these for Exclude. I wanted to change the action to "Quarantine" -- pending results of the upload -- but couldn't find a way to do it.

    How do I get WV to move these to Quarantine vice Exclude?
     
  14. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    482
    Location:
    China
    Hi,
    Now in this case, you can only move these two files out of Exclude manually, then rescan these two files and select Quarantine.
    Can you please send these files to virus@wisevector.com? You will get our reply after the analysis is completed. Thanks!
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,352
    Location:
    Hawaii
    As noted in my Post #963, I uploaded these 2 files immediately as they were detected by WV. Do you want me to send them a second time?

    I understand how to manually move these files from exclude & will do so. However, I am concerned that WV detected these files as possible threats but automatically designated them as "Exclude" with NO action on my part.

    Why would WV detect these files as possible threats and then automatically designate them for exclusion with NO input by the user? Is this the way WV works or is there a problem with my copy of WV? Or... what?
     
  16. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    482
    Location:
    China
    If you send the two files to our mailbox, we will know which files were from you and tell you the reason why WVSX detected them as malicious when the analysis is completed.
    No, WVSX will not automatically designate the files for exclusion with no input by the user. Quarantine is the default action. Exclude is a button you can click. When clicking Exclude, there will be an alert "Are you sure you want to exclude this harmful file?":)
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,352
    Location:
    Hawaii
    Not necessary. I already sent you the files and a subsequent scan by WV did NOT label them as threats. Evidently they were FPs & WV has been adjusted accordingly.

    But that IS what WV did do. Perhaps my copy is messed up? I will download again & re-install.
     
  18. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    482
    Location:
    China
    If these files were marked for Exclude, WVSX will not alert on them as malicious again. Please move them out of Exclude and rescan, then you will know the result.
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,352
    Location:
    Hawaii
    Yes, I know to do that before rescanning. I had already moved them out of Exclude before I rescanned and before posting #967. I do appreciate your help, however. :thumb:
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Yeah, I know! The real-world work environment can be brutal! I worked in a Maximum Security Correctional facility for 12 years as a Corrections Officer, CERT Team Member, and Spanish Interpreter. I've also had various other jobs over the years. I went to school for Spanish years ago, but I did not finish my bachelor's. I believe I completed 92 hours, if I'm not mistaken. I decided to go back 3 1/2 years ago and work on a degree in CIT (Computer Information Technology), which is in the Department of Engineering. I have an AAS in CIT Information Security. I'm focusing on Database Administration, Networking, and Security for my bachelor's. I should be done within a year.

    I provided a couple of links below in case you are curious about the program I am in.
    Here is a link to the program I am in. https://www.wku.edu/cit/
    Here is a link that shows the type of classes I have been taking the last couple of years. https://www.wku.edu/cit/cit_brochure1c.pdf
     
  21. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    482
    Location:
    China
    Hello Everyone,

    WiseVector StopX V2.70 is here.

    What's new:
    1. Added lightweight rollback to roll back changes caused by some destructive malware, such as ransomware. This feature has been designed to remain lightweight and users can hardly notice any performance degradation.
    2. Redesigned the real-time file monitoring; it is more sensitive and faster than before.
    3. Redesigned the Behavior Detection. Now the Behavior Detection can identify more unknown file infector viruses, being more capable of detecting advanced threats.
    4. Improved Memory Protection to detect RAT trojans that abuse legitimate processes to hide their malicious implants, such as Gh0st, Meterpreter and CobaltStrike.
    5. Malware quarantine is now sorted by date. Quarantine reason is added.
    6. The UI is not transparent now, so that the interface can be displayed more clearly. Some new skins are added.
    7. Improved the ability to delete malicious files that are locked.
    8. Now users can select whether or not to automatically download and install program updates.

    The download link:
    https://update2.wisevector.com/WiseVector_StopX_V27.exe
    https://www.wisevector.com/WiseVector_StopX_V27.exe

    Please pick the faster one.
    After a few days of testing, V2.67 can update to V2.70 automatically. Now you can perform an overwrite install or fresh install.

    Cheers & Best Regards,
    WiseVector
     
  22. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    17,465
    Location:
    UK
    First link downloaded quickly for me.
    Installed over the top of previous version.
    You need to exit WV before the over the top install will run.
    Exclusions etc all kept.
    Nice skins!!
    Am busy running a scan.

    All seems good so far.
     
  23. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,362
    Location:
    Milan and Seoul
    Freshly installed V. 2.70, Thanks! No issues so far.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,727
    Location:
    U.S.A. (South)
    Flawless upgrade. Thank you for the many new improvements!
     
  25. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    222
    Location:
    UK
    Ran the upgrade and a quick scan. All good (and more legible!). Many thanks.
     