WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    87
    Location:
    Ireland
    Hi WiseVector! Yes, file infectors are part of the tested samples, because you can still find them in the wild. I don't know for sure, but I feel that publishing infected files is against this forum's rules. My primary goal is to improve cyberspace security for the average person (I have already had some success in this matter). My project is independent of funding from antivirus vendors, because in my opinion this can create a toxic relationship. But I am always ready to help you improve your security product. Have a nice day!
     
  2. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    87
    Location:
    Ireland
    It's my pleasure. Regards!
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,728
    Location:
    U.S.A. (South)
    @Rasheed187 - It is (WVSX) a welcome feature where one chooses via user preference/option and others. Was wondering something along those lines myself with the same curiosity. The HIPS were a tough cookie on infiltrate attempts, and while not an AV with a chase/delete technique, HIPS would stop intruders dead in their tracks (hanging them up) (SuspendProcCall) to allow users to disable and delete offenders.

    WVSX is incredible snap-quick in snatching baddies and I suppose the AI is self learning enough to cover lots of vectors. And we all know Windows has a joyride of paths, processes, and calls that at any given moment even a good safe trusted file can be alerted on. (and why it's recommended to SEND SAMPLE) for their review. Thank Goodness for WVSX review choices and exclusions list.
     
  5. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,305
    The detection of WiseVector StopX is pretty good for sure, but the most impressive "feature" for me is the total lack of false positives, it is something that should make some AI vendors be ashamed of their products.

    I was expecting some false positives and pop-ups in the V3 beta version (HIPS + Firewall), but no, completely silent in my everyday usage scenario.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,728
    Location:
    U.S.A. (South)
    Couldn't agree with you more on that @Nightwalker. It is very well thought out, and obviously an ambitious and equally conscientious development team.

    @WiseVector - This
    :thumb:
     
    Last edited: Jul 31, 2021
  7. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    483
    Location:
    China
    I am not quite sure if someone can post malware samples here, but there is a board in malwaretips where you can post samples so other testers can download and test.

    If possible, could you possibly test your Floxif samples with WVSX again? We can be sure that WVSX is able to block any files infected by the Floxif virus. :thumbd:
    If you don't have time you can PM me the Floxif samples. Thanks.
     
  8. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    483
    Location:
    China
  9. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    69,497
    Location:
    U.S.A.
  10. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    483
    Location:
    China
  11. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    69,497
    Location:
    U.S.A.
    WiseVector, you're welcome! Take care and stay safe.
     
  12. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    483
    Location:
    China
    Thanks for trying the V3 beta. If you find any missed malware samples or FPs, please let me know.
     
  13. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,305
    Thanks for your support as always.

    I don't consider it a FP, WVSX is doing its job detecting it, but maybe you could whitelist the ConfigureDefender tool in its beta version; it will trigger a "WIBD:HEUR.MalPowerShell.B" detection when you use it to customize Microsoft Defender settings.

    It is a safe tool already whitelisted by Microsoft and many users like to use WVSX with Defender at "High" Settings.

    https://www.wilderssecurity.com/thr...-defender-settings.399788/page-2#post-3023169
    https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/page-65#post-953239
     
    Last edited: Aug 1, 2021
  14. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    222
    Location:
    UK
    Perhaps I'm being thick, but the following block from WVSX pops up every time that Opera updates itself and I have to allow the process.

    C:\Program Files\Opera\77.0.4054.277\opera_autoupdate.exe

    Where in v3.01 can I whitelist this process and does the prog accept wild cards in the string i.e.:
    C:\Program Files\Opera\*\opera_autoupdate.exe
     
  15. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    483
    Location:
    China
    We have reproduced the issue you encountered. If a program drops another program to a temporary folder and then executes a suspicious PowerShell command, that makes the AI think it is quite suspicious. Anyway, we have resolved this issue, thanks for your feedback.
     
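The behaviour chain described in the post above (an executable dropped into a temp folder, followed by a suspicious PowerShell launch from the same process) is a classic two-signal correlation. The following is an added example, not WiseVector's code; it models that rule over a constructed process/file event stream. The event fields, the temp-folder paths, the list of "suspicious" PowerShell fragments (encoded command, hidden window, execution-policy bypass) and the 60-second window are all this example's own assumptions. Note that the benign updater in the sample data also drops an executable into %TEMP%, but because its PowerShell call carries none of the suspicious fragments it produces no alert, which is the kind of distinction a vendor has to tune to avoid the false positive discussed in the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed list of PowerShell command-line fragments commonly treated as
# suspicious by defenders: encoded command, hidden window, execution-policy bypass.
SUSPICIOUS_PS = re.compile(
    r"-enc\w*\b|-w(?:indowstyle)?\s+hidden|-e(?:xecution)?p(?:olicy)?\s+bypass", re.I
)
EXECUTABLE_EXT = {"exe", "dll", "scr", "com"}


def is_temp_path(path: str) -> bool:
    """True if the path lies in a per-user or system temporary folder (assumed layout)."""
    p = path.replace("/", "\\").lower()
    return "\\appdata\\local\\temp\\" in p or p.startswith("c:\\windows\\temp\\")


def is_executable(path: str) -> bool:
    return path.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXT


@dataclass
class Event:
    ts: int            # seconds (constructed clock)
    kind: str          # "file_write" or "proc_start"
    pid: int           # acting (parent) process
    image: str         # image path of the acting process
    target: str = ""   # file_write: path that was written
    child: str = ""    # proc_start: image of the new process
    cmdline: str = ""  # proc_start: command line of the new process


def correlate(events, window: int = 60):
    """Alert only when both signals come from the same process: an executable
    dropped into a temp folder, then a suspicious PowerShell launch within
    `window` seconds. Either signal alone is not enough, so a plain updater
    that drops a file and runs an ordinary PowerShell script stays quiet."""
    drops = defaultdict(list)  # pid -> [(ts, dropped path)]
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_write":
            if is_temp_path(ev.target) and is_executable(ev.target):
                drops[ev.pid].append((ev.ts, ev.target))
        elif ev.kind == "proc_start" and ev.child.lower().endswith("powershell.exe"):
            if not SUSPICIOUS_PS.search(ev.cmdline):
                continue
            recent = [p for t, p in drops[ev.pid] if 0 <= ev.ts - t <= window]
            if recent:
                alerts.append({"pid": ev.pid, "image": ev.image,
                               "dropped": recent, "cmdline": ev.cmdline})
    return alerts


# Constructed sample telemetry: a benign updater (drop + harmless PowerShell),
# a suspicious chain (drop + hidden/encoded PowerShell), and a lone suspicious
# PowerShell launch with no preceding drop.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(10, "file_write", 1000, r"C:\Program Files\Updater\updater.exe",
          target=r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
    Event(12, "proc_start", 1000, r"C:\Program Files\Updater\updater.exe",
          child=PS, cmdline=r'powershell.exe -File "C:\Program Files\Updater\post.ps1"'),
    Event(100, "file_write", 4242, r"C:\Users\alice\Downloads\sample.exe",
          target=r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    Event(130, "proc_start", 4242, r"C:\Users\alice\Downloads\sample.exe",
          child=PS, cmdline="powershell.exe -w hidden -ep bypass -enc AAAA"),
    Event(200, "proc_start", 777, r"C:\Windows\System32\wscript.exe",
          child=PS, cmdline="powershell.exe -enc BBBB"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']}: dropped {a['dropped']} "
              f"then ran {a['cmdline']!r}")
```

Run as a script it prints one alert, for pid 4242. Tightening `window` to a few seconds drops that alert as well, which illustrates the tuning trade-off: a short window misses slow droppers, a long one raises the false-positive rate on legitimate installers.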
  16. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    483
    Location:
    China
    Hi faircot,

    What's the detection name reported by WVSX? You can see it in Log->Protection.
     
  17. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    222
    Location:
    UK
    WIPD Potential.Ransom.A

    Hope that helps!
     
  18. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    483
    Location:
    China
    Have you changed ransomware bait folders in WVSX? You can see them in Settings->Advanced->Anti-Ransomware Settings->Enable deception-based ransomware detection->Set up.
    If any program tries to modify files within ransomware bait folders, it will be terminated by WVSX.

    If you want to protect your important files from unauthorized modification, you can add them in Settings->Advanced->Anti-Ransomware Settings->Enable document protection->Set up.
     
  19. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    222
    Location:
    UK
    I haven't altered the default bait folders.

    Don't understand what needs to be set up. The issue I have is that the Opera updater name changes with the version of Opera. I want to whitelist this process.

    Thanks for your reply.
     
  20. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    483
    Location:
    China
    You can add the entire opera directory to exclusions. Click "Exclusions" at the bottom right of WVSX, click "Add"->"Add Directory", select C:\Program Files\Opera.
     
  21. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    222
    Location:
    UK
    Right. Many thanks, done. I did think of doing this but wanted to avoid whitelisting a complete directory.

    Regards
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,728
    Location:
    U.S.A. (South)
    @WiseVector It's assumed ANY program acting on bait files is shutdown with the exception of Explorer.exe?
    Simply curious. I have no use to test that locally by manually attempting to reassign attributes or other modifications to the WVSX set. Program is amazing! Thanks as always for your support to our issues and questions.
     
  23. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    483
    Location:
    China
    Yes, Explorer.exe is an exception.

    However, a compromised explorer.exe (injected, hollowed, etc.) will be terminated by WVSX. ;)
     
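The posts above describe three mechanisms: a directory or wildcard exclusion (faircot's Opera updater whose version folder changes on every release), bait-folder detection where any process that modifies a bait file is terminated except an intact explorer.exe, and document protection for user-listed folders. The following added example is not WiseVector's code and makes no claim about how WVSX implements any of this; it is a small policy function that models those rules as stated in the thread. The folder names, the `image_intact` flag (standing in for whatever injection/hollowing signal a real product has), the rule order and the sample events are this example's own assumptions. It also shows why a single wildcard entry answers the "does it accept wild cards" question in a path matcher: `fnmatch`'s `*` matches backslashes too, so one pattern covers every versioned sub-folder.

```python
import fnmatch

# Constructed configuration standing in for the settings the posts name.
BAIT_DIRS = [r"C:\Users\alice\Documents\~bait", r"C:\Users\alice\Pictures\~bait"]
PROTECTED_DIRS = [r"C:\Users\alice\Documents\Finance"]
EXCLUSIONS = [
    r"C:\Program Files\Opera",                         # whole directory
    r"C:\Program Files\Opera\*\opera_autoupdate.exe",  # wildcard entry
]
TRUSTED_SHELL = r"c:\windows\explorer.exe"


def norm(path: str) -> str:
    """Case-insensitive, backslash-only form for comparisons."""
    return path.replace("/", "\\").lower()


def is_under(path: str, directory: str) -> bool:
    """True if path is inside directory (trailing separator prevents
    'Opera' from matching 'Operative')."""
    return norm(path).startswith(norm(directory).rstrip("\\") + "\\")


def is_excluded(image: str, exclusions=EXCLUSIONS) -> bool:
    """An entry may be an exact file, a whole directory, or an fnmatch-style
    wildcard pattern. fnmatch's '*' also matches backslashes, so
    'Opera\\*\\opera_autoupdate.exe' covers every versioned sub-folder."""
    p = norm(image)
    for entry in exclusions:
        e = norm(entry)
        if any(c in e for c in "*?["):
            if fnmatch.fnmatchcase(p, e):
                return True
        elif p == e or is_under(image, entry):
            return True
    return False


def decide(image, target, image_intact=True, *, bait_dirs=BAIT_DIRS,
           protected_dirs=PROTECTED_DIRS, exclusions=EXCLUSIONS):
    """Verdict for 'process `image` modifies file `target`', as (verdict, reason).
    image_intact is an assumed external signal (no injection/hollowing seen in
    that process); per the post, a compromised explorer.exe loses its exemption.
    The bait rule is evaluated before exclusions by this example's own choice,
    so even an excluded program is stopped if it touches bait files."""
    if any(is_under(target, d) for d in bait_dirs):
        if norm(image) == TRUSTED_SHELL and image_intact:
            return "allow", "explorer.exe is exempt from the bait-folder rule"
        return "terminate", "modified a ransomware bait file"
    if is_excluded(image, exclusions):
        return "allow", "image is on the exclusion list"
    if any(is_under(target, d) for d in protected_dirs):
        return "block", "unauthorised modification of a protected document"
    return "monitor", "no rule matched"


if __name__ == "__main__":
    # Constructed sample events: (image, target, image_intact)
    samples = [
        (r"C:\Windows\explorer.exe", r"C:\Users\alice\Documents\~bait\report.docx", True),
        (r"C:\Windows\explorer.exe", r"C:\Users\alice\Documents\~bait\report.docx", False),
        (r"C:\Users\alice\Downloads\unknown.exe", r"C:\Users\alice\Pictures\~bait\photo.jpg", True),
        (r"C:\Program Files\Opera\77.0.4054.277\opera_autoupdate.exe",
         r"C:\Program Files\Opera\77.0.4054.277\opera.exe", True),
        (r"C:\Users\alice\Downloads\unknown.exe", r"C:\Users\alice\Documents\Finance\tax.xlsx", True),
        (r"C:\Users\alice\Downloads\unknown.exe", r"C:\Users\alice\Documents\notes.txt", True),
    ]
    for image, target, intact in samples:
        verdict, reason = decide(image, target, intact)
        print(f"{verdict:9} {image} -> {target}  ({reason})")
```

The ordering matters in practice: checking exclusions first would let an excluded but compromised program tamper with bait files unnoticed, while checking bait first (as here) keeps the deception rule independent of the allow list at the cost of an occasional extra prompt.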
  24. Rebsat

    Rebsat Registered Member

    Joined:
    Oct 20, 2014
    Posts:
    33
    Location:
    My Desk
    Last edited: Aug 5, 2021
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    I did have a couple of false positives months ago, which were a bit disappointing to me. But I did not try the newest version with HIPS+firewall yet.

    OK, thanks for letting me know, but protection wise it looks a bit of the same, that's why. Perhaps if you have the time you can make a list of all behaviors that are monitored, thanks.
     