Hi Tarnak, WVSX keeps track of all injected threads in the system. In most cases the injection will be blocked immediately. If not, when the injected thread performs any suspicious behavior, such as accessing the user's private files or setting up persistence, the target process will be terminated by WVSX immediately. Usually the program that was injected is a legitimate file, so it will not be quarantined. "MEMRAY:MalThread.A0" means there is an injected thread in conhost.exe and it was doing something suspicious.
Good info for WVSX users to know if they didn't already, among many others of its lightning-fast securities. Thanks
@WiseVector Thanks for the explanation. I have tied it to this from particular logs for the time period, and it was the update for Advanced Micro Devices Inc. - SecurityDevices - 4.16.0.0 that necessitated a reboot to complete the install. Confirmation from other logs:

10/1/2021 7:53 PM Auto Allowed conhost.exe c:\windows\system32\conhost.exe 0 Safe 5EAD300DC7E4D637948ECB0ED829A072BD152E17 103a0b9fbd9880194053ec76363aac086e71a56c27b4b696891e42a8424a00d1 c:\windows\system32\conhost.exe 0xffffffff -forcev1 867328 srtasks.exe c:\windows\system32\srtasks.exe K_____e
10/1/2021 7:52 AM Auto Allowed conhost.exe c:\windows\system32\conhost.exe 0 Safe 5EAD300DC7E4D637948ECB0ED829A072BD152E17 103a0b9fbd9880194053ec76363aac086e71a56c27b4b696891e42a8424a00d1 c:\windows\system32\conhost.exe 0xffffffff -forcev1 867328 schtasks.exe c:\windows\system32\schtasks.exe K_____e
Have you already tested WVSX against the Zemana trojan simulator? But which app injected this thread into conhost.exe? If it's not malicious, then why should WVSX react to this? Perhaps it's simply being too aggressive, and this may cause problems in my view.
Hi, we have found that after installing some security software, the parent process will inject a thread into its child process, and some PUPs can also inject code into system processes. We don't think that the AMD driver will inject code into its child process.
Soon I hope. Building anticipation for Windows 11 this week and seeing if that goes smooth or not. Certainly will share my results or at least opinions on how different Safeties are reliable and those that won't prevent it. Of course on Windows 8.1 WVSX takes care of business!
Sometimes it is very difficult to know the source executable of the injected thread; for example, the user may start WVSX some time after booting the system, or the injected thread may be created from a kernel-mode driver. It is true that WVSX is aggressive about injected threads that exist in system processes; this can detect some advanced and stealthy attacks.
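The two WiseVector replies above describe a policy in three parts: block a cross-process thread creation from an untrusted source, let a trusted parent (a security product injecting into its own child) through, and, when the creator cannot be identified because the thread pre-dates the monitor or came from a kernel driver, keep tracking the thread and terminate the host process only once it does something suspicious. The toy model below is an added example written for this thread, not WiseVector's own code; the process names, PIDs, module ranges, action names and the "trusted" flag are all constructed assumptions, and the fallback heuristic for an unknown creator (start address outside every mapped image) is one common approach, not necessarily the one WVSX uses.

```python
# Added example (not WiseVector's code): a toy model of the injected-thread
# tracking policy described in the thread. All PIDs, addresses, module ranges
# and behaviour events are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Assumption: a short list of Windows images treated as "system processes".
SYSTEM_PROCESSES = {"conhost.exe", "svchost.exe", "explorer.exe"}
# Assumption: behaviours matching the post's "private files" and "persistence".
SUSPICIOUS_ACTIONS = {"read_user_documents", "write_run_key", "create_scheduled_task"}


@dataclass
class Process:
    pid: int
    image: str
    modules: list            # (base, size) of every image mapped in the process
    trusted: bool = False    # e.g. a security product's own parent process


@dataclass
class Thread:
    tid: int
    pid: int
    start_addr: int
    creator_pid: Optional[int]   # None: creator unknown (thread pre-dates the
                                 # monitor, or was created by a kernel driver)


class InjectedThreadTracker:
    def __init__(self, processes):
        self.procs = {p.pid: p for p in processes}
        self.tracked = {}        # tid -> pid of injected threads left running
        self.terminated = set()  # pids terminated after suspicious behaviour
        self.log = []            # (tid, verdict, reason) for the analyst

    def _inside_loaded_module(self, proc, addr):
        return any(base <= addr < base + size for base, size in proc.modules)

    def on_thread_create(self, t):
        target = self.procs[t.pid]
        if t.creator_pid is not None and t.creator_pid != t.pid:
            # Cross-process thread creation with a known creator.
            creator = self.procs.get(t.creator_pid)
            if creator is not None and creator.trusted:
                self.log.append((t.tid, "allow", f"{creator.image} -> {target.image} (trusted creator)"))
                return "allow"
            who = creator.image if creator else f"pid {t.creator_pid}"
            self.log.append((t.tid, "block", f"{who} -> {target.image}"))
            return "block"
        if t.creator_pid is None and not self._inside_loaded_module(target, t.start_addr):
            # Creator unknown: fall back on the start address. A thread that does
            # not start inside any mapped image is kept under watch, not killed.
            self.tracked[t.tid] = t.pid
            self.log.append((t.tid, "track", f"{target.image} thread at {t.start_addr:#x} outside any module"))
            return "track"
        return "allow"

    def on_behavior(self, tid, action):
        pid = self.tracked.get(tid)
        if pid is None or action not in SUSPICIOUS_ACTIONS:
            return "allow"
        image = self.procs[pid].image
        self.terminated.add(pid)   # the host process goes, the legitimate file is not quarantined
        tag = "system process" if image in SYSTEM_PROCESSES else "process"
        self.log.append((tid, "terminate", f"injected thread in {tag} {image} did {action}"))
        return "terminate"


def demo():
    """Constructed scenario covering all three branches of the policy."""
    procs = [
        Process(100, "edr_parent.exe", [(0x400000, 0x100000)], trusted=True),
        Process(101, "edr_child.exe", [(0x400000, 0x100000)]),
        Process(200, "pup_updater.exe", [(0x400000, 0x80000)]),
        Process(300, "conhost.exe", [(0x7FF600000000, 0x20000), (0x7FFA10000000, 0x200000)]),
    ]
    trk = InjectedThreadTracker(procs)
    verdicts = [
        trk.on_thread_create(Thread(1, 101, 0x401000, creator_pid=100)),          # trusted parent -> child: allow
        trk.on_thread_create(Thread(2, 300, 0x7FFA10001000, creator_pid=200)),    # PUP -> conhost.exe: block
        trk.on_thread_create(Thread(3, 300, 0x7FF600001000, creator_pid=None)),   # unknown creator, inside image: allow
        trk.on_thread_create(Thread(4, 300, 0x1A2B3C0000, creator_pid=None)),     # unknown creator, outside images: track
        trk.on_behavior(4, "enumerate_windows"),                                  # benign action: still allowed
        trk.on_behavior(4, "write_run_key"),                                      # persistence: terminate conhost.exe
    ]
    return verdicts, trk


if __name__ == "__main__":
    for entry in demo()[1].log:
        print(*entry)
```

The `log` entries are there to answer the question raised later in this thread about which application injected the thread: whenever the creator is known, the verdict records it, and when it is not, the reason says so explicitly, which is the information an analyst needs to decide whether a termination was a false positive.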
Yes, but this is exactly my point: you need to know if it's a trusted tool that has injected code, because otherwise it might even start to interfere with legitimate Windows OS processes. Being too aggressive isn't always a good thing. Take HitmanPro.Alert as an example: it often gives false positives, but at least it gives info about the process that was blocked. For example, it blocks Sandboxie from getting access to browser cookies and elevating privileges; the problem is that Sandboxie is a trusted tool.
How resilient is WVSX to being manipulated? We all read about AV being subverted and turned against the user. Did you simulate a scenario in which WVSX is under pressure (attack), or did you assume it would never happen (base free version 2.73)?
Hello, I decided to take this thing for a quick full scan as I haven't scanned in like 2 years, plus cruelsister recommended it, so I thought it might not be too bad. Perhaps there could be exclusions for full scans? It's been 2+ hours since I started the scan on a 256 GB SSD that is a third empty, and the node_modules have taken like an hour already and are still going. Also the UI is ugly: like that awkwardly placed ugly X above, the awkward padding on the button, the fact you can't click in the middle of the button to open the list (you have to click only on the arrow on the right), and in general it's ugly. You need help with that? Otherwise it's simple and nice. Also, why does it need to connect to the internet when it's already the latest version and "report threat stuff" and whatever is unchecked? Also, why are there 2 of "this" process?
Ok, there NEEDS to be something done about this. It's been scanning the LCU folder for like half an hour now. I'm pretty sure the other AVs don't take hours and hours of scanning (currently about 3 hours, on a 160-170 GB SSD of data, mind you; we still have to make it to the system32 folder). The scanning needs to be optimized somehow. If the other AVs can do it, so can Wise Vector! Never say never; when the future looks bleak, ALWAYS push yourself forward!
Ok, so after nearly 4 hours it finally finished scanning my SSD. It started to scan the HDD, but after like 20 mins I couldn't be bothered to wait for it anymore, so I just quit. However, it detected three "threats". Now, the first one is simply PowerRun from here https://www.sordum.org/9416/powerrun-v1-5-run-with-highest-privileges/ but it's v1.3 the one I have. I submitted all 3 files for analysis anyway; funnily enough, the x64 exe is not detected. Now, instead of using a debugger, I can tell you right here that the other 2 files are harmless (but you can debug them anyway if you wish), because now I remember it was some stuff we learned in high school about C++ (I later got bored of it and abandoned learning it). As you can see, I never really liked naming files the right way; I like rolling my fingers over the keyboard. Here's the code: These 2 exes are apparently "trojan". Edit: also, when you quit the program the svc.exe still keeps going... (but not the service from services.msc)
Hello, because WiseVector StopX has streaming updates, it gets updated in seconds automatically. WiseVectorSvc.exe is used to start the service and accelerate loading speed. Usually, when you perform the first scan with WiseVector StopX, the speed will not be fast, since our engine will extract lots of metadata from files when scanning. Next time the scanning speed will be much faster. Can you please send the files to virus@wisevector.com? Technical staff will prioritize analysis and reply to you once they are confirmed to be FPs. Thanks.
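The reply above explains why a first full scan is slow and a repeat scan is fast: the engine keeps per-file metadata so unchanged files need not be read again. The following is an added example of that idea and not WiseVector's implementation; the cache file name, the JSON layout, the choice of `size:mtime:ctime` as the change key and the SHA-256 digest are all assumptions made for the illustration, and the files it scans are created in a temporary directory.

```python
# Added example (not WiseVector's code): an incremental file-scan cache that
# skips files whose size and timestamps have not changed since the last scan.
# Cache format, key fields and sample files are constructed for illustration.
import hashlib
import json
import os
import shutil
import tempfile

CACHE_NAME = "scan_cache.json"   # assumption: name of the persisted metadata file


def file_key(path):
    """Change key for a file. size + mtime catch normal edits; ctime is added
    because on Linux it cannot be set with utime(), so a timestomped file still
    misses the cache. On Windows st_ctime is the creation time, so the check is
    weaker there and a periodic full rehash is the safer complement."""
    st = os.stat(path)
    return f"{st.st_size}:{st.st_mtime_ns}:{st.st_ctime_ns}"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, cache):
    """Walk root, hashing only files whose key changed. Returns (hashed, skipped)
    and updates cache in place: path -> {"key": ..., "sha256": ...}."""
    hashed = skipped = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            key = file_key(path)
            entry = cache.get(path)
            if entry is not None and entry["key"] == key:
                skipped += 1          # unchanged since last scan: reuse stored digest
                continue
            cache[path] = {"key": key, "sha256": sha256_of(path)}
            hashed += 1
    return hashed, skipped


def load_cache(cache_file):
    if not os.path.exists(cache_file):
        return {}
    with open(cache_file, "r", encoding="utf-8") as f:
        return json.load(f)


def save_cache(cache_file, cache):
    with open(cache_file, "w", encoding="utf-8") as f:
        json.dump(cache, f)


def demo():
    """Constructed scenario: first scan, persisted cache, second scan, one edit."""
    work = tempfile.mkdtemp(prefix="scan_cache_demo_")
    try:
        root = os.path.join(work, "tree")
        os.makedirs(root)
        for i in range(3):
            with open(os.path.join(root, f"file{i}.bin"), "wb") as f:
                f.write(bytes([i]) * (1024 * (i + 1)))
        cache_file = os.path.join(work, CACHE_NAME)   # kept outside the scanned tree

        cache = load_cache(cache_file)
        first = scan_tree(root, cache)                # everything hashed
        save_cache(cache_file, cache)

        cache = load_cache(cache_file)                # "next time": reload from disk
        second = scan_tree(root, cache)               # everything skipped

        with open(os.path.join(root, "file1.bin"), "wb") as f:
            f.write(b"changed content of a different size")
        third = scan_tree(root, cache)                # only the edited file rehashed
        return first, second, third
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Note that the cache only saves the read-and-hash work; whether a stored digest is still clean must be re-evaluated against the current signatures, which is cheap once the digest is known and is why an engine with streaming updates can afford to keep the file-level cache across updates.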
I know they're false positives; I just gave you the code above. Unless you think I'm lying, of course, but sure, I'll send them. It's about improving the detections to make sure stuff like this is not detected. Also, what about the UI? Are you interested in volunteers, aka contributors? That's the only thing I don't like about this program, though it doesn't bother me too much, but it would be nice for it to look nice. Also, since I used Shadow Defender, now Wise Vector is gone... and so are all my speed optimizations and whatnot. For next time, whenever that is, can I know where the file (or whatever it is) responsible for "remembering" the scanning is, so it's faster next time?
Lmfao, Gmail detected the files as a virus, so now I can't even send them xD. That's what I get for using Gmail. Time to use another mail. Hey, at least you know your program is not the only one with false positives! Then again, all the major AVs probably share signatures with each other, so it's like whatever.
@Floyd 57, I don't believe Gmail will give you that problem if you zip or rar those files and email the archived form.
Thanks. Your email has been replied to. Please check. The UI will be improved in the near future. Thanks for your advice. Please exit Shadow Mode before installing WiseVector StopX, and then add WVSX to the Exclusions of Shadow Defender.
Adding anything to the exclusions of Shadow Defender will likely cause it to go corrupt or disappear at the next reboot. The only thing it excludes without issue is entire drives when you are about to enter shadow mode, but not single files or folders.
That is very weird, because I have added many exclusions when I used Shadow Defender, and nothing had been corrupted nor disappeared on reboot. Pretty sure Shadow Defender is designed to exclude files and folders if applied.
Oh, by the way, how many languages does Wise Vector X have? More than 5? More than 10? Perhaps you could make a weblate.org project FOR FREE so users here (and on MalwareTips and other places) can help translate the program into our own languages! This will make it available to more people! Win-win! Think of all the possibilities this will open!
I just excluded bookmarks, and on 2 laptops they disappeared on reboot. I am pretty sure SD does that, since once I removed the exclusions the problem was gone.
Hi, thanks for your advice. The multi-language version will be released in the future. Now there are two languages: Simplified Chinese and English.
WD turns itself off when it's replaced by a third-party AV. This is to prevent conflicts. WD can be run as a passive second-opinion scanner.
Yes, like my KFA. It registered upon installation with Windows Security Center. WD was then disabled. When WiseVector can do that, it will replace WD as the primary AV. For now, it has to be run alongside another third-party AV that is registered with WSC.