WiseVector Stop-X

Discussion in 'other anti-malware software' started by bellgamin, Aug 10, 2020.

  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,976
    I had just completed a required restart to complete install of a driver, earlier, thru Windows Updates.

    So, while eveyrthing was loading in the systray, i.e. my start up programs, I got a warning that WVSX had taken action. When I checked the logs, I find it blocked a file, but not quarantined it. I have since scanned the relevant file, and it is clean. I find it a little strange that this action occurred.

    WVSX_threat detection_ action taken_01.JPG
     
  2. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    495
    Location:
    China
    Hi Tarnak,

    WVSX keeps track of all injected threads in the system.

    In most cases the injection will be blocked immediately. If not, when the injected thread performs any suspicious behavior, such as accessing the user's private files, or persistence. Then the target process will be terminated by WVSX immediately. Usually the program was injected is a legitimate file, so it will not be quarantined.

    "MEMRAY:MalThread.A0" means there is a injected thread in conhost.exe and it was doing something suspicious.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,770
    Location:
    U.S.A. (South)
    Good info for WVSX user's to know if they didn't already. Among many other of it's lightning fast securities, Thanks
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,976
    @WiseVector

    Thanks for the explanation :thumb:

    I have tied it to this from particular logs for the time period, and it was the update for Advanced Micro Devices Inc. - SecurityDevices - 4.16.0.0 that necessitated a reboot to complete the install.

    WVSX_threat detection_ action taken_03.JPG

    Confirmation from other logs:

    10/1/2021 7:53 PM Auto Allowed conhost.exe c:\windows\system32\conhost.exe 0 Safe 5EAD300DC7E4D637948ECB0ED829A072BD152E17 103a0b9fbd9880194053ec76363aac086e71a56c27b4b696891e42a8424a00d1 c:\windows\system32\conhost.exe 0xffffffff -forcev1 867328 srtasks.exe c:\windows\system32\srtasks.exe K_____e




    10/1/2021 7:52 AM Auto Allowed conhost.exe c:\windows\system32\conhost.exe 0 Safe 5EAD300DC7E4D637948ECB0ED829A072BD152E17 103a0b9fbd9880194053ec76363aac086e71a56c27b4b696891e42a8424a00d1 c:\windows\system32\conhost.exe 0xffffffff -forcev1 867328 schtasks.exe c:\windows\system32\schtasks.exe K_____e
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,774
    Location:
    The Netherlands
    Have you already tested WVSX against the Zemana trojan simulator?

    But which app injected this thread into conhost.exe, if it's not malicious then why should WVSX react to this? Perhaps it's simply being too agressive and this may cause problems in my view.
     
  6. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    495
    Location:
    China
    Hi,

    We have found that after installing some security software, the parent process will inject thread into its child process, and some PUPs can also inject code into system processes.

    We don't think that AMD driver will inject code into its child process.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,770
    Location:
    U.S.A. (South)
    Soon I hope. Building anticipation for Windows 11 this week and seeing if that goes smooth or not. Certainly will share my results or at least opinions on how different Safeties are reliable and those that won't prevent it.

    Of course on Windows 8.1 WVSX takes care of business! :)
     
  8. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    495
    Location:
    China
    Sometimes it is very difficult to know the source executable of the injected thread, for example, the user may start WVSX some time after booting the system, or the injected thread may be created from a kernel mode driver.

    It is true that WVSX is aggressive about injected threads that exist in system processes, this can detect some advanced & stealth attacks.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,774
    Location:
    The Netherlands
    Yes but this is exactly my point, you need to know if it's a trusted tool that has injected code. Because otherwise it might even start to interfere with legitimate Windows OS processes. Being too agressive isn't always a good thing.

    Take HitmanPro.Alert as example, it often gives false positives but at least it gives info about the process that was blocked. For example it blocks Sandboxie from getting access to browser cookies and elevating priviliges, the problem is that Sandboxie is a trusted tool.
     
  10. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    686
    Location:
    Island of Woman
    how resilient WVSX is from being manipulated, we all read about AV being subverted and turned against the user, did you simulate a scenario in which wvsx is under pressure (attack), or did you assume it would never happen (base free version 2.73)
     
    Last edited: Oct 4, 2021
  11. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    Hello, i decided to take this thing for a quick full scan as i haven't scanned in like 2 yrs plus cruelsister recommended it so i thought it might not be too bad, perhaps there could be exclusions for full scans? Its been 2+ hrs since i started scan on a 256gb ssd that is a third empty, and the node_modules have taken like an hour already and still going


    upload_2021-10-4_19-0-6.png

    Also the UI is ugly, like that awkwardly placed ugly X above, the awkward padding on the button upload_2021-10-4_18-57-3.png
    the fact you can't click in the middle of the button to open the list upload_2021-10-4_18-57-19.png u have to click only on the arrow on the right, and in general it's ugly. U need help with that? Otherwise it's simple and nice

    Also why does it need to connect to internet when its already latest version and report threat stuff and whatever is unchecked?

    Also why is there 2 of "this" process

    upload_2021-10-4_19-8-10.png
     
  12. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    Ok there NEEDS to be something done about this, it's been scanning the LCU folder for like half an hour now, i'm pretty sure the other AVs don't take hours and hours of scanning (currently about 3 hours, on a 160-170gb ssd of data mind u, we still have to make it to system32 folder :) )

    upload_2021-10-4_19-43-44.png

    The scanning needs to be optimized somehow. If the other AVs can do it, so can Wise Vector! Never say never, when the future looks bleak, ALWAYS push yourself forward!
     
  13. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    Ok so after nearly 4 hours it finally finished scanning my ssd, it started to scan the HDD but after like 20 mins i couldn't bother anymore to wait for it so i just quit. However, it detected three "threats"

    upload_2021-10-4_20-59-56.png


    Now, the first one is simply powerrun from here https://www.sordum.org/9416/powerrun-v1-5-run-with-highest-privileges/ but it's v1.3 the one i have, i submitted all 3 files for analysis anyway, funnily enough the x64 exe is not detected

    now instead of using debugger, i can tell u right here that the other 2 files are harmless (but u can debug em anyway if u wish), cuz now i remember it was some stuff we learned in high school about cpp (i later got bored of it and abandoned learning it)

    upload_2021-10-4_21-0-46.png

    as u can see, i never really liked naming files the right way i like rolling my fingers over the kb

    here's the code:

    upload_2021-10-4_21-1-27.png

    upload_2021-10-4_21-1-45.png


    These 2 exes are apparently "trojan"

    Edit: also when u quit the program the svc.exe still keeps going... (but not the service from services.msc)
     
    Last edited: Oct 4, 2021
  14. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    495
    Location:
    China
    Hello,

    Because WiseVector StopX has streaming updates. It gets updated in seconds automatically.
    WiseVectorSvc.exe is used to start the service and accelerate loading speed.
    Usually, when you perform the first scan with WiseVector StopX, the speed will be not fast, since our engine will extract lots of metadata from files when scanning. Next time the scanning speed will be much faster.
    Can you please send the files to virus@wisevector.com? Technical staff will prioritize analysis and reply you once they are confirmed to be FP. Thanks.
     
  15. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    I know they're false positive i just gave u the code above :p Unless u think i'm lying ofc, but sure I'll send em

    It's about improving the detections to make sure stuff like this is not detected

    Also what about the UI are you interested in volunteers aka contributors? That's the only thing i don't like about this program, though it doesn't bother me too much but it would be nice to look nice.

    Also since I used Shadow Defender now Wise Vector is gone... so is all my speed optimizations and what not. For next time whenever that is, can i know where is the file or whatever it is that is responsible for "remembering" the scanning so it's faster next time?
     
  16. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    Lmfao gmail detected the files as virus so now i can't even send em xD

    upload_2021-10-5_18-38-49.png

    That's what I get for using Gmail

    Time to use another mail

    Hey at least u know ur program is not the only one with false positives! Then again all the major avs share signatures with each other prob so it's like whatever
     
  17. appster

    appster Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    560
    Location:
    Paradise
    @Floyd 57, I don't believe Gmail will give you that problem if you zip or rar those files and email the archived form.
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    And the compressed file needs to be password protected to avoid Gmail (or G Drive) detection.
     
  19. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    495
    Location:
    China
    Thanks. Your email has been replied. Please check.
    The UI will be improved in the near feature. Thanks for your advice.
    Please exit Shadow mode before installing WiseVector StopX, and then add WVSX in the Exclusions of Shadow Defender.
     
  20. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    686
    Location:
    Island of Woman
    adding anything to exclusion of shadow defender will likely cause it to go corrupt or disappear at next reboot, the only thing it excludes without issue are entire drives when you are about to enter shadow mode but not single files or folders
     
  21. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,369
    That is very weird. Because I have added many exclusions when I used shadow defender, and nothing had been corrupted nor disappear on reboot.

    Pretty sure Shadow Defender is design to exclude files and folders if applied
     
  22. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    Oh by the way, how many languages does Wise Vector X have? More than 5? More than 10? Perhaps you could make a weblate.org project FOR FREE so users here (and on malwaretips and other places) can help translate the program in our own languages! This will make it available to more people! Win win! Think of all the possibilities this will open!
     
  23. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    686
    Location:
    Island of Woman
    I just excluded bookmarks and on 2 laptops they disappeared on reboot, I am pretty sure SD does that since once removed exclusions problem was gone
     
  24. WiseVector

    WiseVector Registered Member

    Joined:
    Aug 16, 2020
    Posts:
    495
    Location:
    China
    Hi,

    Thanks for your advice. The multi-language version will be released in the future.
    Now there are two types of languages. Simple Chinese and English.
     
  25. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742
    WD turns itself off when its replaced by a third party AV. This is to prevent conflicts. WD can be run as a passive second opinion scanner.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.