Q&A How well are you protected against Emotet?

Nightwalker

Nightwalker

Level 21
Verified
Trusted
Content Creator
May 26, 2014
1,043
@Andy Ful @McMcbrad

Thanks for testing, it is very much appreciated.

I have been using WiseVector StopX for a while on my main PC gamer with a lot of stuff installed and used and so far I only got one false positive from a "obscure" mechanical keyboard control software (that was fixed very quickly).

I am very impressed by WVSX ...
 
  • Like
Reactions: porkpiehat, Cortex, roger_m and 7 others
McMcbrad

McMcbrad

Level 20
Oct 16, 2020
967
Nightwalker said:
@Andy Ful @McMcbrad

Thanks for testing, it is very much appreciated.

I have been using WiseVector StopX for a while on my main PC gamer with a lot of stuff installed and used and so far I only got one false positive from a "obscure" mechanical keyboard control software (that was fixed very quickly).

I am very impressed by WVSX ...
Click to expand...
I have to admit I was impressed too.
 
  • Like
  • Wow
Reactions: Cortex, roger_m, Protomartyr and 3 others
TairikuOkami

TairikuOkami

Level 30
Verified
Content Creator
May 13, 2017
1,900
McMcbrad said:
I don't know what happened to my system, but now I am unable to download a file with PowerShell Bits, NetClient or anything that I try. My guess is Avast, when remediating the threat changed my WMI permissions. I can see the threat works on sandbox analyses, but on my system - no luck.
Click to expand...
McMcbrad said:
Update: never mind, just needed to restart Windows :LOL: :geek:
Click to expand...
I find that interesting. When I used Forticlient and I opened a webpage that generated a lot of malicious links, my internet was blocked completely till the restart. :unsure:
 
  • Like
Reactions: Cortex, roger_m, Protomartyr and 2 others
Andy Ful

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629
McMcbrad said:
I have to admit I was impressed too.
Click to expand...
WiseVector StopX antimalware detection can compete with AV business versions. It can be also compared to WD with ConfigureDefender MAX preset. But it will also have more false positives. The big false positives rate is a standard among AI-based AVs. Furthermore, big AV vendors (like Microsoft, Kaspersky, Avast, etc.) have very good and fast online services for developers to submit wrongly detected software. In the case of WiseVector StopX, developers do not bother to whitelist their software by the vendor.
 
  • Like
Reactions: roger_m, Protomartyr, Dave Russo and 5 others
McMcbrad

McMcbrad

Level 20
Oct 16, 2020
967
Andy Ful said:
WiseVector StopX antimalware detection can compete with AV business versions. It can be also compared to WD with ConfigureDefender MAX preset. But it will also have more false positives. The big false positives rate is a standard among AI-based AVs. Furthermore, big AV vendors (like Microsoft, Kaspersky, Avast, etc.) have very good and fast online services for developers to submit wrongly detected software. In the case of WiseVector StopX, developers do not bother to whitelist their software by the vendor.
Click to expand...
Yes, big vendors usually have big whitelists as well and usually use this to not only exempt files from scanning, and potential detection, but also for anomaly detection. By training the software to establish a sense of "what's good" false positives are reduced and deviation from this set standard can be considered "not good", or malware. I am not sure if WiseVector uses any whitelisting at all.
 
  • Like
Reactions: Cortex, roger_m, Protomartyr and 3 others
Nightwalker

Nightwalker

Level 21
Verified
Trusted
Content Creator
May 26, 2014
1,043
Andy Ful said:
WiseVector StopX antimalware detection can compete with AV business versions. It can be also compared to WD with ConfigureDefender MAX preset. But it will also have more false positives. The big false positives rate is a standard among AI-based AVs. Furthermore, big AV vendors (like Microsoft, Kaspersky, Avast, etc.) have very good and fast online services for developers to submit wrongly detected software. In the case of WiseVector StopX, developers do not bother to whitelist their software by the vendor.
Click to expand...

It is true, but I just found one until now, it is being a very much different experience compared to lets say Cylance, that was totally unbearable for me.

I ran the usually stuff like Edge/Chrome/Firefox, Microsoft Office, VLC Media Player, Discord, Java, qBittorrent, some "obscure" tools, many games like Control, Genshin Impact, Among Us, Assassin's Creed Valhalla and it was totally fine, I even did some driver updates with it running and so far so good.

It is actually doing much better than some more traditional antivirus like Norton Security, Trend Micro and Panda here.

WVSX may have a much higher false positive numbers in a enterprise environment, but in a domestic setup it is totally fine if a user like me isnt being bombarded with alerts.
 
  • Like
  • +Reputation
  • Applause
Reactions: Cortex, roger_m, Protomartyr and 9 others
Andy Ful

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629
Nightwalker said:
WVSX may have a much higher false positive numbers in a enterprise environment, but in a domestic setup it is totally fine if a user like me isnt being bombarded with alerts.
Click to expand...
Such protection should be good for people who use very popular applications. The cons for users on Windows 10 is having two highly overlapping real-time protections. But, as I can see no one complains so far.
I am not sure how strong is WVSX in blocking malicious DLLs and macros that use shellcode.

Edit
From the developer website, it follows that some work was done this year to improve the detection of DLL side-loading and macros. Also in July, the issue of crashing on Win10 2004 was solved, too. WVSX uses advanced memory protection - this can sometimes produce conflicts with applications.
 
Last edited:
  • Like
Reactions: SeriousHoax, harlan4096, roger_m and 5 others
McMcbrad

McMcbrad

Level 20
Oct 16, 2020
967
Andy Ful said:
Such protection should be good for people who use very popular applications. The cons for users on Windows 10 is having two highly overlapping real-time protections. But, as I can see no one complains so far.
I am not sure how strong is WVSX in blocking malicious DLLs and macros that use shellcode.
Click to expand...
We can put that to a test too in the upcoming days.
 
  • Like
  • Thanks
Reactions: porkpiehat, roger_m, Protomartyr and 4 others
Andy Ful

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629

@McMcbrad,​

Did you test this malware against WD ConfigureDefender HIGH Profile (changing the settings requires computer reboot)? Your PowerShell script is obfuscated, so it should be blocked by one of the ASR rules: "Block execution of potentially obfuscated scripts". You can also use the ConfigureDefender Log to see if this rule (or another) blocked something.
Thank you :)(y)
 
  • Like
Reactions: Protomartyr, roger_m, harlan4096 and 5 others
McMcbrad

McMcbrad

Level 20
Oct 16, 2020
967
Andy Ful said:

@McMcbrad,​

Did you test this malware against WD ConfigureDefender HIGH Profile (changing the settings requires computer reboot)? Your PowerShell script is obfuscated, so it should be blocked by one of the ASR rules: "Block execution of potentially obfuscated scripts". You can also use the ConfigureDefender Log to see if this rule (or another) blocked something.
Thank you :)(y)
Click to expand...
Yes, I did that yesterday and the script just failed to work. Configure_Defender, as you have designed it, blocks the attack chain, which is always the best approach.
 
  • Like
  • Applause
  • +Reputation
Reactions: Protomartyr, Cortex, roger_m and 5 others
McMcbrad

McMcbrad

Level 20
Oct 16, 2020
967
Andy Ful said:
Thanks. I did not test this ASR rule for a long time. Good to see it working. :)
Click to expand...
There are few other rules that are crucial against this type of content:
Block Office Applications from creating child processes - this is totally unnecessary for most users and heavily abused. Rule should be enabled.
Block Office Applications from creating executable content - not sure what it covers (might be only *.exe files), but whatever it is, the rule should be enabled.
Block Office Applications from injecting in other processes - this rule should be enabled on any system ASAP.

If someone wants to manually tweak the tool, I suggest they always use the rules above.
 
  • Like
  • +Reputation
Reactions: Protomartyr, Azure, Cortex and 4 others
Nagisa

Nagisa

Level 6
Verified
Jul 19, 2018
288
The test i made yesterday was a bit of uncomplete, as the malicious IP the sample connects to is unaccessible from my country. But nevertheless, Comodo was able to block the sample. Even at 'partially limited' restriction, the process had no access to network so it wouldn't download the payload even if it could.

5.png
 
  • Like
Reactions: porkpiehat, Protomartyr, Cortex and 3 others
McMcbrad

McMcbrad

Level 20
Oct 16, 2020
967
Nagisa said:
The test i made yesterday was a bit of uncomplete, as the malicious IP the sample connects to is unaccessible from my country. But nevertheless, Comodo was able to block the sample. Even at 'partially limited' restriction, the process had no access to network so it wouldn't download the payload even if it could.
Click to expand...
Yes, the server didn't accept requests from your country unfortunately (or maybe fortunately). :D
 
  • Like
  • Haha
Reactions: SecurityNightmares, Cortex, roger_m and 2 others
McMcbrad

McMcbrad

Level 20
Oct 16, 2020
967
Thales said:
Sorry I think my message was relocated or I missed the thread :D
Click to expand...
I personally don't recommend running something so simple as SimpleWall. It's always better to run a firewall that is connected to other layers of defence, such as URL Blacklist and reputation. In that case, assuming Configure_Defender was not used, your best hope is to have an effective web blocker that will abort the connection.
 
  • Like
Reactions: Protomartyr, SecurityNightmares, roger_m and 2 others

Similar threads

upnorth
Malware analysis Trickbot now Offers ‘TrickBoot’ : Persist, Brick, Profit
Replies
1
Views
548
Threat Analysis
upnorth
upnorth
McMcbrad
Malware analysis Fileless Tesla Abuses .Net Framework Processes
Replies
46
Views
2,352
Threat Analysis
McMcbrad
McMcbrad
upnorth
Malware analysis Salfram : Robbing the Place Without Removing Your Name Tag
Replies
0
Views
461
Threat Analysis
upnorth
upnorth
Top