WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. Space Ghost

    Space Ghost Registered Member

    It's my pleasure. Regards!
     
  2. Rasheed187

    Rasheed187 Registered Member

  3. EASTER

    EASTER Registered Member

    @Rasheed187 - It is (WVSX) a welcome feature where one chooses via user preference/option and others. Was wondering something along those lines myself with the same curiosity. The HIPS were a tough cookie on infiltrate attempts and while not an AV with a chase/delete technique, HIPS would stop intruders dead in their tracks (hanging them up) (SuspendProcCall) to allow users to disable and delete offenders.

    WVSX is incredibly snap-quick in snatching baddies and I suppose the AI is self-learning enough to cover lots of vectors. And we all know Windows has a joyride of paths, processes, and calls that at any given moment even a good safe trusted file can be alerted on (and why it's recommended to SEND SAMPLE for their review). Thank goodness for WVSX review choices and exclusions list.
     
  4. Nightwalker

    Nightwalker Registered Member

    The detection of WiseVector StopX is pretty good for sure, but the most impressive "feature" for me is the total lack of false positives; it is something that should make some AI vendors be ashamed of their products.

    I was expecting some false positives and pop-ups in the V3 beta version (HIPS + Firewall), but no, completely silent in my everyday usage scenario.
     
  5. EASTER

    EASTER Registered Member

    Couldn't agree with you more on that @Nightwalker. It is very well thought out, by an obviously ambitious and equally conscientious development team.

    @WiseVector - This
    :thumb:
     
    Last edited: Jul 31, 2021
  6. WiseVector

    WiseVector Registered Member

    I am not quite sure if someone can post malware samples here, but there is a board in malwaretips where you can post samples so other testers can download and test.

    If possible, could you possibly test your Floxif samples with WVSX again? We are sure that WVSX is able to block any files infected by the Floxif virus. :thumbd:
    If you don't have time you can PM me the Floxif samples. Thanks.
     
  7. WiseVector

    WiseVector Registered Member

  8. JRViejo

    JRViejo Super Moderator

  9. WiseVector

    WiseVector Registered Member

  10. JRViejo

    JRViejo Super Moderator

    WiseVector, you're welcome! Take care and stay safe.
     
  11. WiseVector

    WiseVector Registered Member

    Thanks for trying the V3 beta. If you find any missed malware samples or FPs, please let me know.
     
  12. Nightwalker

    Nightwalker Registered Member

    Thanks for your support as always.

    I don't consider it as a FP, WVSX is doing its job detecting it, but maybe you could whitelist the ConfigureDefender tool in its beta version; it will trigger a "WIBD:HEUR.MalPowerShell.B" detection when you use it to customize Microsoft Defender settings.

    It is a safe tool already whitelisted by Microsoft and many users like to use WVSX with Defender at "High" Settings.

    https://www.wilderssecurity.com/thr...-defender-settings.399788/page-2#post-3023169
    https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/page-65#post-953239
     
    Last edited: Aug 1, 2021
  13. faircot

    faircot Registered Member

    Perhaps I'm being thick, but the following block from WVSX pops up every time that Opera updates itself and I have to allow the process.

    C:\Program Files\Opera\77.0.4054.277\opera_autoupdate.exe

    Where in v3.01 can I whitelist this process, and does the prog accept wildcards in the string, i.e.:
    C:\Program Files\Opera\*\opera_autoupdate.exe
     
  14. WiseVector

    WiseVector Registered Member

    We have reproduced the issue you encountered. If a program drops another program to a temporary folder and then executes a suspicious PowerShell command, that would make the AI think it is quite suspicious. Anyway, we have resolved this issue, thanks for your feedback.
     
  15. WiseVector

    WiseVector Registered Member

    Hi faircot,

    What's the detection name reported by WVSX? You can see it in Log->Protection.
     
  16. faircot

    faircot Registered Member

    WIPD Potential.Ransom.A

    Hope that helps!
     
  17. WiseVector

    WiseVector Registered Member

    Have you changed the ransomware bait folders in WVSX? You can see them in Settings->Advanced->Anti-Ransomware Settings->Enable deception-based ransomware detection->Set up.
    If any program tries to modify files within ransomware bait folders, it will be terminated by WVSX.

    If you want to protect your important files from unauthorized modification, you can add them in Settings->Advanced->Anti-Ransomware Settings->Enable document protection->Set up.
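The deception-based detection described in the post above works on a simple principle: bait (canary) files that no legitimate program should ever touch, so any write, rename or deletion inside the bait folder is itself the alert. The script below is an added illustration of that principle and is not WiseVector's code; WVSX attributes the change to the offending process and terminates it from its driver, which a user-mode script cannot do, so this example only shows the detection step. The bait folder, file names and contents are all constructed here, and the "simulation" merely overwrites and renames files in a temporary directory to show what the check reports.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed canary file names; real products use names that look like
# ordinary documents so an encryptor processes them early.
BAIT_NAMES = ("_bait_invoice.docx", "_bait_photos.jpg", "_bait_notes.txt")


def create_bait_folder(root: Path) -> Path:
    """Create a bait directory under root and populate it with canary files."""
    bait = root / "~bait"
    bait.mkdir(parents=True, exist_ok=True)
    for name in BAIT_NAMES:
        (bait / name).write_bytes(b"constructed canary content for " + name.encode())
    return bait


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large baits do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(bait: Path) -> dict[str, str]:
    """Record name -> digest for every bait file; this is the 'known good' state."""
    return {p.name: _digest(p) for p in bait.iterdir() if p.is_file()}


def check_bait(bait: Path, base: dict[str, str]) -> dict[str, list[str]]:
    """Compare the bait folder against the baseline.

    Any difference is reportable: a changed digest means a file was rewritten
    (typical of in-place encryption), a missing name means deletion or rename,
    and an unexpected name is usually the renamed/encrypted copy or a ransom note.
    """
    current = {p.name: _digest(p) for p in bait.iterdir() if p.is_file()}
    return {
        "modified": sorted(n for n in base if n in current and current[n] != base[n]),
        "missing": sorted(n for n in base if n not in current),
        "unexpected": sorted(n for n in current if n not in base),
    }


def demo() -> dict[str, list[str]]:
    """Set up baits in a temp dir, disturb two of them, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        bait = create_bait_folder(Path(tmp))
        base = baseline(bait)
        # Constructed disturbance: overwrite one bait and rename another,
        # the two changes a detector must catch.
        (bait / BAIT_NAMES[0]).write_bytes(b"not the original content")
        (bait / BAIT_NAMES[1]).rename(bait / (BAIT_NAMES[1] + ".locked"))
        return check_bait(bait, base)


if __name__ == "__main__":
    print(demo())
```

Run as-is it reports one modified, one missing and one unexpected file. A polling hash comparison like this has an obvious detection latency; the product's approach of intercepting the write in the filesystem stack is what lets it stop the process before it moves on to real documents, which is also why Explorer.exe is treated as a special case in the thread below.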
     
  18. faircot

    faircot Registered Member

    I haven't altered the default bait folders.

    Don't understand what needs to be set up. The issue I have is that the Opera updater name changes with the version of Opera. I want to whitelist this process.

    Thanks for your reply.
     
  19. WiseVector

    WiseVector Registered Member

    You can add the entire opera directory to exclusions. Click "Exclusions" at the bottom right of WVSX, click "Add"->"Add Directory", select C:\Program Files\Opera.
     
  20. faircot

    faircot Registered Member

    Right. Many thanks, done. I did think of doing this but wanted to avoid whitelisting a complete directory.

    Regards
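faircot's reluctance to whitelist the whole Opera directory is the right instinct: a directory exclusion covers every file that ever lands under that path, whereas a wildcard only in the version component keeps the exclusion pinned to one executable name. The thread does not say whether WVSX supports wildcards in exclusion strings, so the matcher below is an added, generic illustration of the two scopes and not WVSX's own exclusion logic; the paths it checks are constructed from the ones quoted in the thread plus two made-up neighbours.

```python
import fnmatch
import ntpath

# Exclusion entries under comparison (the directory is the one the vendor
# suggested; the pattern is the one faircot asked about).
EXCLUDED_DIR = r"C:\Program Files\Opera"
EXCLUDED_PATTERN = r"C:\Program Files\Opera\*\opera_autoupdate.exe"

# Constructed sample paths: two real-looking versioned updaters, a file that
# merely sits in the excluded directory, and a look-alike sibling directory.
SAMPLE_PATHS = (
    r"C:\Program Files\Opera\77.0.4054.277\opera_autoupdate.exe",
    r"C:\Program Files\Opera\78.0.4093.112\opera_autoupdate.exe",
    r"C:\Program Files\Opera\dropped.exe",
    r"C:\Program Files\OperaGX\opera_autoupdate.exe",
)


def _norm(p: str) -> str:
    """Windows-style comparison: case-insensitive, backslashes, no '..' segments."""
    return ntpath.normcase(ntpath.normpath(p))


def excluded_by_directory(path: str, excluded_dir: str) -> bool:
    """Directory exclusion: anything at or below the directory is excluded.

    The trailing separator matters: without it, 'C:\\...\\Opera' would also
    match 'C:\\...\\OperaGX'.
    """
    prefix = _norm(excluded_dir).rstrip("\\") + "\\"
    return _norm(path).startswith(prefix)


def excluded_by_pattern(path: str, pattern: str) -> bool:
    """Wildcard exclusion where '*' matches within a single path component.

    fnmatch alone would let '*' span backslashes, so the comparison is done
    component by component; the depth of the path must match the pattern.
    """
    parts = _norm(path).split("\\")
    pats = _norm(pattern).split("\\")
    if len(parts) != len(pats):
        return False
    return all(fnmatch.fnmatchcase(part, pat) for part, pat in zip(parts, pats))


def scope_report() -> dict[str, tuple[bool, bool]]:
    """For each sample path: (excluded by directory, excluded by pattern)."""
    return {
        p: (excluded_by_directory(p, EXCLUDED_DIR), excluded_by_pattern(p, EXCLUDED_PATTERN))
        for p in SAMPLE_PATHS
    }


if __name__ == "__main__":
    for path, (by_dir, by_pat) in scope_report().items():
        print(f"{path}\n  directory exclusion: {by_dir}  wildcard pattern: {by_pat}")
```

The interesting row is dropped.exe: the directory exclusion silences it, the pattern does not. That gap is the cost of the broader exclusion, and a good reason to keep exclusions as narrow as the product's syntax allows and to revisit them when the reason for adding them (here, a detection on the updater) has been fixed upstream.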
     
  21. EASTER

    EASTER Registered Member

    @WiseVector It's assumed ANY program acting on bait files is shut down, with the exception of Explorer.exe?
    Simply curious. I have no use to test that locally by manually attempting to reassign attributes or other modifications to the WVSX set. Program is amazing! Thanks as always for your support to our issues and questions.
     
  22. WiseVector

    WiseVector Registered Member

    Yes, Explorer.exe is an exception.

    However, a compromised explorer.exe will be terminated by WVSX (being injected, hollowed, etc.). ;)
     
  23. Rebsat

    Rebsat Registered Member

    Last edited: Aug 5, 2021
  24. Rasheed187

    Rasheed187 Registered Member

    I did have a couple of false positives months ago which was a bit disappointing to me. But I did not try the newest version with HIPS+firewall yet.

    OK, thanks for letting me know, but protection-wise it looks a bit the same, that's why. Perhaps if you have the time you can make a list of all behaviors that are monitored, thanks.
     
  25. Nightwalker

    Nightwalker Registered Member

    What kind of software was detected? I tested with some productivity software, a torrent client, games, Discord, download managers and so on with no false positives whatsoever.
     