Q&A How well are you protected against Emotet?

Nightwalker

Level 21
Verified
Trusted
Content Creator
May 26, 2014
1,043
@Andy Ful @McMcbrad

Thanks for testing, it is very much appreciated.

I have been using WiseVector StopX for a while on my main gaming PC with a lot of stuff installed and used, and so far I only got one false positive from an "obscure" mechanical keyboard control software (that was fixed very quickly).

I am very impressed by WVSX ...
 

McMcbrad

Level 20
Oct 16, 2020
967
> @Andy Ful @McMcbrad
>
> Thanks for testing, it is very much appreciated.
>
> I have been using WiseVector StopX for a while on my main gaming PC with a lot of stuff installed and used, and so far I only got one false positive from an "obscure" mechanical keyboard control software (that was fixed very quickly).
>
> I am very impressed by WVSX ...
I have to admit I was impressed too.
 

TairikuOkami

Level 30
Verified
Content Creator
May 13, 2017
1,900
I don't know what happened to my system, but now I am unable to download a file with PowerShell BITS, NetClient or anything else that I try. My guess is that Avast, when remediating the threat, changed my WMI permissions. I can see the threat works in sandbox analyses, but on my system - no luck.
Update: never mind, I just needed to restart Windows.
I find that interesting. When I used FortiClient and opened a webpage that generated a lot of malicious links, my internet was blocked completely until I restarted.
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629
> I have to admit I was impressed too.
WiseVector StopX antimalware detection can compete with AV business versions. It can also be compared to WD with the ConfigureDefender MAX preset. But it will also have more false positives. A high false-positive rate is standard among AI-based AVs. Furthermore, big AV vendors (like Microsoft, Kaspersky, Avast, etc.) have very good and fast online services for developers to submit wrongly detected software. In the case of WiseVector StopX, developers do not bother to get their software whitelisted by the vendor.
 

McMcbrad

Level 20
Oct 16, 2020
967
> WiseVector StopX antimalware detection can compete with AV business versions. It can also be compared to WD with the ConfigureDefender MAX preset. But it will also have more false positives. A high false-positive rate is standard among AI-based AVs. Furthermore, big AV vendors (like Microsoft, Kaspersky, Avast, etc.) have very good and fast online services for developers to submit wrongly detected software. In the case of WiseVector StopX, developers do not bother to get their software whitelisted by the vendor.
Yes, big vendors usually have big whitelists as well, and usually use these not only to exempt files from scanning and potential detection, but also for anomaly detection. By training the software to establish a sense of "what's good", false positives are reduced, and deviation from this set standard can be considered "not good", or malware. I am not sure if WiseVector uses any whitelisting at all.
 

Nightwalker

Level 21
Verified
Trusted
Content Creator
May 26, 2014
1,043
> WiseVector StopX antimalware detection can compete with AV business versions. It can also be compared to WD with the ConfigureDefender MAX preset. But it will also have more false positives. A high false-positive rate is standard among AI-based AVs. Furthermore, big AV vendors (like Microsoft, Kaspersky, Avast, etc.) have very good and fast online services for developers to submit wrongly detected software. In the case of WiseVector StopX, developers do not bother to get their software whitelisted by the vendor.

It is true, but I have only found one so far; it is a very different experience compared to, let's say, Cylance, which was totally unbearable for me.

I ran the usual stuff like Edge/Chrome/Firefox, Microsoft Office, VLC Media Player, Discord, Java, qBittorrent, some "obscure" tools, many games like Control, Genshin Impact, Among Us, Assassin's Creed Valhalla, and it was totally fine. I even did some driver updates with it running, and so far so good.

It is actually doing much better here than some more traditional antiviruses like Norton Security, Trend Micro and Panda.

WVSX may have much higher false-positive numbers in an enterprise environment, but in a domestic setup it is totally fine, as long as a user like me isn't being bombarded with alerts.
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629
> WVSX may have much higher false-positive numbers in an enterprise environment, but in a domestic setup it is totally fine, as long as a user like me isn't being bombarded with alerts.
Such protection should be good for people who use very popular applications. The con for users on Windows 10 is having two highly overlapping real-time protections. But, as far as I can see, no one has complained so far.
I am not sure how strong WVSX is at blocking malicious DLLs and macros that use shellcode.

Edit:
From the developer's website, it appears that some work was done this year to improve the detection of DLL side-loading and macros. Also, in July, the issue of crashing on Win10 2004 was solved, too. WVSX uses advanced memory protection - this can sometimes produce conflicts with applications.
 

McMcbrad

Level 20
Oct 16, 2020
967
> Such protection should be good for people who use very popular applications. The con for users on Windows 10 is having two highly overlapping real-time protections. But, as far as I can see, no one has complained so far.
> I am not sure how strong WVSX is at blocking malicious DLLs and macros that use shellcode.
We can put that to a test too in the upcoming days.
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,629

@McMcbrad,

Did you test this malware against the WD ConfigureDefender HIGH profile (changing the settings requires a computer reboot)? Your PowerShell script is obfuscated, so it should be blocked by one of the ASR rules: "Block execution of potentially obfuscated scripts". You can also use the ConfigureDefender Log to see if this rule (or another) blocked something.
Thank you :)
 

McMcbrad

Level 20
Oct 16, 2020
967

> @McMcbrad,
>
> Did you test this malware against the WD ConfigureDefender HIGH profile (changing the settings requires a computer reboot)? Your PowerShell script is obfuscated, so it should be blocked by one of the ASR rules: "Block execution of potentially obfuscated scripts". You can also use the ConfigureDefender Log to see if this rule (or another) blocked something.
> Thank you :)
Yes, I did that yesterday and the script just failed to work. Configure_Defender, as you have designed it, blocks the attack chain, which is always the best approach.
 

McMcbrad

Level 20
Oct 16, 2020
967
> Thanks. I did not test this ASR rule for a long time. Good to see it working. :)
There are a few other rules that are crucial against this type of content:
Block Office applications from creating child processes - this capability is totally unnecessary for most users and heavily abused. The rule should be enabled.
Block Office applications from creating executable content - not sure what it covers (might be only *.exe files), but whatever it is, the rule should be enabled.
Block Office applications from injecting into other processes - this rule should be enabled on any system ASAP.

If someone wants to manually tweak the tool, I suggest they always use the rules above.
 
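The ASR rules discussed in the last few posts (the obfuscated-script rule Andy Ful points to and the three Office rules McMcbrad lists) can be set and checked without ConfigureDefender, using Defender's own cmdlets. The following is an added example written for this thread, not code from ConfigureDefender, WiseVector or any poster. The rule GUIDs are Microsoft's published ASR identifiers; the $AsrRules table, the choice of which rules to include, and the Audit-then-Block workflow are this example's own. It assumes an elevated PowerShell on Windows 10 with Microsoft Defender Antivirus as the active AV.

```powershell
# Added example: enable and verify ASR rules with the built-in Defender cmdlets,
# then read the Defender log to see which rule fired during a test.
# Not ConfigureDefender code. Requires an elevated PowerShell on Windows 10 with
# Microsoft Defender Antivirus active (ASR does nothing while Defender is passive).

# Rule GUIDs are Microsoft's published ASR rule identifiers; the table name and
# the selection of rules are this example's own choice.
$AsrRules = @{
    'Block all Office applications from creating child processes'        = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content'         = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office applications from injecting code into other processes' = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block execution of potentially obfuscated scripts'                   = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block Win32 API calls from Office macros'                            = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
}

# 1 = Block, 2 = Audit (log only). On a machine with unusual software, start in
# Audit, watch the events below for a few days, then switch to Block.
$Mode = 1

foreach ($id in $AsrRules.Values) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $Mode
}

# Verify what Defender actually holds. Get-MpPreference exposes two parallel
# arrays, so the i-th action belongs to the i-th rule id.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
        0 { 'Off' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "$_" }
    }
    $label = ($AsrRules.GetEnumerator() | Where-Object { $_.Value -eq $id }).Key
    if (-not $label) { $label = '(rule not in the table above)' }
    '{0,-6} {1}  {2}' -f $action, $id, $label
}

# Which rule fired on a test run: Defender logs an ASR block as event 1121 and
# an audit-mode hit as event 1122 in its Operational log. The event message
# names the rule id, the blocked process and the target path.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message
```

Run the script, then open a document with a macro or launch the obfuscated PowerShell sample, and re-run only the Get-WinEvent part: a 1121 event whose message carries the GUID of one of the rules above is the same evidence the ConfigureDefender Log shows. If Get-MpPreference lists the rules but no events ever appear, check that Defender's real-time protection is still the active engine; a third-party AV that has put Defender into passive mode silently disables ASR.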

Nagisa

Level 6
Verified
Jul 19, 2018
288
The test I made yesterday was a bit incomplete, as the malicious IP the sample connects to is inaccessible from my country. But nevertheless, Comodo was able to block the sample. Even at the 'partially limited' restriction, the process had no access to the network, so it wouldn't download the payload even if it could.

 

McMcbrad

Level 20
Oct 16, 2020
967
> The test I made yesterday was a bit incomplete, as the malicious IP the sample connects to is inaccessible from my country. But nevertheless, Comodo was able to block the sample. Even at the 'partially limited' restriction, the process had no access to the network, so it wouldn't download the payload even if it could.
Yes, the server didn't accept requests from your country, unfortunately (or maybe fortunately).
 

McMcbrad

Level 20
Oct 16, 2020
967
Sorry, I think my message was relocated or I missed the thread.
I personally don't recommend running something as simple as SimpleWall. It's always better to run a firewall that is connected to other layers of defence, such as a URL blacklist and reputation. In that case, assuming Configure_Defender was not used, your best hope is to have an effective web blocker that will abort the connection.
 