Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.
Please tell me where I can download it. We will analyze it soon. Thanks.
DeepL had been installed for weeks, but the FP first happened yesterday.
It's resolved. Thanks for your report.
I have been using Windows 7 since 2010 -- over 11 years. Back then, our company's IT disabled Task Scheduler on all computers in the network -- about 35 computers, as I recall. Task Scheduler was easily misused by malware back then, and was NOT needed by Windows 7 or any key app, so our IT deleted it and installed TaskRunner.
Win7 runs just fine without the Windows Task Scheduler. Moreover, TaskRunner's capabilities are far, far superior to those of Task Scheduler.
You say Windows 10 needs Task Scheduler to be launched. Does this mean that WVSX is designed solely for Win10? There are still a lot of Win7 users, not to mention the Win8 users who are still out there as well.
BOTTOM LINE: I still do not see why WVSX clings to this odd method of startup when NO other AV does so.
I began using WVSX and started this thread back in August 2020. I am right now switching back to ESET. However, I will continue to monitor this thread. If WVSX ever makes its startup method as friendly & easy as every other AV, I will give WVSX another look. Until then, Aloha & best of luck to you.
Thanks @bellgamin for an honorable mention. 8 runs circles around crappy spy happy 10.
Blast from the past.
Thank you for your feedback. We will try to disable scheduled tasks on Windows 7 and see if we can find an alternative way to launch WVSX at startup.
WiseVector, do what you think is best, if you try to accommodate requests from every user you'll never get anywhere. Some will have valid points but a lot will just nitpick to suit their needs.
I don't see any practical reason to disable Task Scheduler. If you disable it, you lose some important functionality, such as automatically running chkdsk to scan for disk errors and the automatic weekly defrag of hard drives and SSDs, to give just two examples of the many standard Microsoft scheduled tasks. In fact this is the first time I've ever seen a discussion about disabling it.
This is not a discussion about the advantages of Task Scheduler or whether it should be turned off or not, but about the fact that it can be exploited to shut off WiseVector at startup (there are many ways to code it, to disable a task), not only via cmd but via many other administrative tools, PowerShell in primis. It is worth looking into just in case, but they acknowledged that, so we can move on.
(BTW, you don't need to defrag an SSD; that task, in correlation with other tasks, is more for the SysMain purpose, but SuperFetch should be disabled because it is abused by malware and not needed for SSDs.) The latest Black Hat conference talks about it too: you can fool Windows defences with it. https://youtu.be/XQdKCO1Ql8U Also, the clean task is used to escalate privileges, as it doesn't need UAC consent but runs with admin privileges. Literally you could wipe the entire schedule and everything works; if you have an SSD and an external AV and firewall there is little to no use for the schedule unless you have particular needs or use a particular service.
But it's also possible to stop startup entries in the registry, so I don't see the big deal about Task Manager being able to be disabled.
For the record, there are cases where it is worthwhile to defrag SSDs, which is why sometimes Windows 10 will defrag them, rather than just issuing a TRIM command.
As well as defragging, there are many other scheduled tasks from Microsoft. It makes sense not to disable Task Scheduler.
If you verified that it can be easily done you should point that out. I installed WVSX on my mother's PC; she will never notice the WVSX icon missing at startup. I noticed after 2 hours of PC use in my case, so I disabled WD with Defender Control since the OP recommends it, but WVSX was off too, so I had no AV without noticing it.
If something malicious wants to get in it will want to shut off the AV first. I would personally feel safer if the AV were more resilient to startup entry termination, especially for my mother, who can't notice such stuff.
About SSDs: I know, I defrag SSDs sometimes too; I try to find the middle ground between theories. As said, the discussion is not about Task Scheduler but about its potential misuse to terminate WVSX at the next restart. The software maker should, in my opinion, implement some mechanism to prevent such manipulations, or at least warn the user that a critical entry has been modified.
@lucd I believe the issue is that it will only automatically run at startup if you're using an Admin account.
It will fail to load with an admin account if you manipulated the task job to remove the WVSX entry. It will load the service, but the service is inactive (see several posts above); it can't scan, for instance (I included a pic of what happens if you try to scan with admin approval).
Obviously. But what I was talking about is that if you're using a Standard User Account it won't run automatically. This is a big issue, but it is going to be fixed. It's not an issue for me as I use an Admin account.
+1, that's another issue; a lot of people use admin to perform updates but stay "underprivileged" for normal tasks. Such a setup is recommended by many.
Regarding the Scheduled Task startup question, please note that in order for an attack on the WVSX task to be accomplished it must first get past WVSX itself. One can simply test this by the construction of an application to delete a task, remembering that such a file must be able to run with Administrator privilege (easy enough to do, and actually my Cat did so while cleaning her paws).
While such a file is invisible to something like WD, one would note that WVSX, even with Real Time protection disabled and the network disconnected will not allow such a Task deletion to be accomplished.
I suppose that a more complicated version of this could be woven into an otherwise legitimate file, but one must question if such a thing would be undetectable and even more importantly worth the effort to produce (Ophelia didn't think it was).
While cleaning her paws? Your cat is giving me a severe inferiority complex.
Turns out Ophelia should have spent less time on her paws. A bit of manipulation will yield a file that does indeed shut things down (sometimes simplicity is best).
I am getting a systemsettings.exe error when accessing clipboard settings: "the system detected an overrun of a stack-based buffer". I wonder if it has something to do with the WVSX install, or where to look to fix it. These Microsoft messages are getting more unhelpful by the day.
Scheduler is abused; for instance you can run elevated PS commands over WinRM via a scheduled task, which removes constraints and allows installing .NET, reaching network shares, etc.
Overall I think it's a good job disabling it (personal opinion, so don't get nervous, people, please). It has been abused by malware since it was created and is totally unnecessary on a modern "hardened" PC that doesn't run unnecessary junk; NVT OSA and AVZ don't like it either. BTW, enabling it is just 1 cmd line unless they borked it somewhat. This doesn't work for you? See in services.msc what they call your schedule service (double click and check Service name) and substitute accordingly: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule" /v Start /d 2 /t "REG_DWORD" /f
Substitute "Schedule" with "Task Scheduler5.0" or whatever you have there.
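A defender-side check for the two things raised above (the WVSX startup task being removed or disabled, and the Schedule service being turned off): this is an added example, not code from the thread or from WiseVector. It assumes Windows 8 or later (the ScheduledTasks module), and the task name, event source and event ID are placeholder assumptions; the service name is the one shown in services.msc as described in the post above.

```powershell
# Added example, not from this thread or from WiseVector. Audits the two
# conditions discussed above: the AV startup task gone/disabled, and the
# Task Scheduler service itself switched off. Run from an elevated prompt.
param(
    [string]$TaskName = 'WVSX-Startup-PLACEHOLDER',  # placeholder: real WVSX task name from Task Scheduler
    [string]$ServiceName = 'Schedule'                 # "Service name" shown in services.msc
)
$problems = @()
# 1. Start type of the Task Scheduler service (2 = Automatic, 4 = Disabled).
$svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$svcProps = Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue
if ($null -eq $svcProps) {
    $problems += "Service key '$svcKey' not found; verify the service name in services.msc."
} elseif ($svcProps.Start -ne 2) {
    $problems += "Service '$ServiceName' Start type is $($svcProps.Start), expected 2 (Automatic)."
}
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $problems += "Service '$ServiceName' is not running."
}
# 2. The startup task must exist, be enabled, and still fire at logon or boot.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if (-not $task) {
    $problems += "Scheduled task '$TaskName' is missing (deleted?)."
} elseif ($task.State -eq 'Disabled') {
    $problems += "Scheduled task '$TaskName' exists but is disabled."
} else {
    $startTriggers = $task.Triggers | Where-Object {
        $_.Enabled -and $_.CimClass.CimClassName -in 'MSFT_TaskLogonTrigger', 'MSFT_TaskBootTrigger'
    }
    if (-not $startTriggers) {
        $problems += "Scheduled task '$TaskName' has no enabled logon or boot trigger."
    }
}
# 3. Report, and leave a record in the Application log so the warning is not lost.
if ($problems.Count -eq 0) {
    Write-Host "OK: '$ServiceName' service and task '$TaskName' look intact."
} else {
    $msg = "AV startup check failed:`n" + ($problems -join "`n")
    Write-Warning $msg
    # Event source and ID are placeholder assumptions; registering a source needs admin once.
    if (-not [System.Diagnostics.EventLog]::SourceExists('AVStartupCheck')) {
        New-EventLog -LogName Application -Source 'AVStartupCheck'
    }
    Write-EventLog -LogName Application -Source 'AVStartupCheck' -EventId 9001 -EntryType Warning -Message $msg
}
```

Windows itself also records task deletion and disabling as Security events 4699 and 4701 when "Audit Other Object Access Events" is enabled, so an alert on those IDs filtered by the task name gives a second, independent line of detection.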
It might be game over, but I prefer the AV to function. Security solutions are there to warn you, even post factum, until they are disabled/substituted; delaying that stage is of the essence. The user will never know he was infected unless the malware creator was dumb or lazy, or due to some error; the aim should be stealth and persistence. You don't get a "game over" prompt like in some computer game; malware integrates perfectly and stays with you for a long time silently. See how companies get infected: it is often a multistage attack where malware creators have to slowly navigate around their systems (recon, scanning, observation, lateral movement, etc.), and it can take up to two weeks or more. What about LOLBins? Delaying the phase where defences are off increases the chance that the AV (or other solutions) will capture some malicious DLL or EXE so that the user is warned; then, if he suspects something, he should wipe and start over immediately.
I believe that blocking cmdlets related to WVSX would help improve security. Thankfully you can't run them with wmic, but you can with WMI and PowerShell. I don't know about other utilities: Winrm.exe, wbemtest.exe, WSH (VBScript, JScript), IWbem, .NET System.Management. Not a priority, I think, but if the devs have time, why not do it; otherwise it doesn't make sense to stop/monitor just one utility. Best regards.
Thanks! We take into account the feedback from all of our users. Making WVSX more robust is our constant goal.
Can you please tell me what your operating system is and the steps for accessing clipboard settings? We would like to test soon. Thanks!
Please kindly review: Windows 10 20H2, latest update KB5001391. Access normally via Start -> Settings -> type "clipboard" in the search field, select "Clipboard". I might have broken it prior to installing WVSX.
Hey @WiseVector, do you plan to make WVSX friendlier in terms of running it alongside other AV programs as a second layer, considering how light it is and all the protection you offer already in the free version?
We would really appreciate it if it played well with more and more AVs. I am currently trying to find a good AV that will play well with it. Also, is there a chance to have WVSX register in Windows Action Center as an AV?
Also, is there no cloud protection in the current version, just streaming updates?
AKA self-defence. To add to CS's response, from what I read of the dev's reply on here, WVSX has no reaction to deletion of scheduled tasks, which could be used against the program. Potentially?
But again, WVSX is hardly one of the top dogs on the radar for malware authors to go after, while Kaspersky and many others are always targets. Most malware samples don't even bother disabling AV programs, especially not the commodity ones (RATs, stealers, etc.). Qbot, though, will bypass Windows Firewall and look to disable Defender. I can't think of any other actively spreading malware that might go after AVs, at least not right now.
Gone are the days of fake AV programs and tune-up utilities which used to block image execution of various AV programs once they got a hold of the system. AVs were still pretty helpless even then if something like that happened.