WiseVector

From WiseVector
Verified
Developer
I thought WiseVector to be fabulous, until I discovered how crappy it is. It was eating 145k handles for nothing!
WiseVector.exe: 83k handles
WiseVextorSvc.exe: 62k handles

Once I uninstalled it, the handle usage of my Windows 7 went back from 190k+ handles to 45k handles with my usual apps open.
Hi Ludditus,

Sorry for the inconvenience.
The problem seems to be a handle leak.
We will test in Windows 7 and try our best to reproduce the problem.
If we can reproduce, the problem will be resolved a.s.a.p.

Best Regards,
WiseVector
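
A handle leak like the one reported above can be confirmed by sampling per-process handle counts and looking for a count that only ever grows. This is an added example, not part of the original thread or WiseVector's code; the function name, parameters and the `MinGrowth` threshold are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Parameter names and the MinGrowth
# threshold are assumptions chosen for illustration.
function Get-HandleGrowth {
    param(
        [int]$Samples = 6,           # snapshots to take
        [int]$IntervalSeconds = 10,  # delay between snapshots
        [int]$MinGrowth = 500        # assumed noise floor for reporting
    )
    $history = @{}   # process Id -> array of handle counts, one per snapshot
    $names   = @{}   # process Id -> process name
    for ($i = 0; $i -lt $Samples; $i++) {
        foreach ($p in Get-Process) {
            if (-not $history.ContainsKey($p.Id)) {
                $history[$p.Id] = @()
                $names[$p.Id]   = $p.ProcessName
            }
            $history[$p.Id] += $p.HandleCount
        }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }
    foreach ($id in $history.Keys) {
        $series = $history[$id]
        # Skip processes that started or exited during the run.
        if ($series.Count -ne $Samples) { continue }
        # A leak shows as a count that never drops between snapshots.
        $neverDrops = $true
        for ($j = 1; $j -lt $series.Count; $j++) {
            if ($series[$j] -lt $series[$j - 1]) { $neverDrops = $false; break }
        }
        $growth = $series[-1] - $series[0]
        if ($neverDrops -and $growth -ge $MinGrowth) {
            New-Object PSObject -Property @{
                Name = $names[$id]; Id = $id; First = $series[0]
                Last = $series[-1]; Growth = $growth
            }
        }
    }
}

Get-HandleGrowth | Sort-Object Growth -Descending |
    Format-Table Name, Id, First, Last, Growth -AutoSize
```

A process that appears in the output on repeated runs while idle is worth reporting to its vendor together with the First and Last counts.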
 

WiseVector

From WiseVector
Verified
Developer
Hi everyone,

WiseVector StopX V2.09 is released.
You can download the new version via https://www.wisevector.com/WiseVector_StopX.exe.
You can update directly through the update menu if you already have V2.X installed.

Please refer to the update log below:
1. Improved defense against Revenge Fileless Malware Family.
2. Resolved the Handle Leak in certain circumstances. (Thanks @Ludditus for your feedback. The engineer who did this part of programming has been fired, since he has more than ten years of experience in computer programming, but made such a basic mistake. We can't bear with him... :mad:
3. Resolved some false positives in behavior detection.




Just kidding, however, in order to punish the engineer, all colleagues would not talk with him for a whole day. :p
 
4

436880927

2. Resolved the Handle Leak in certain circumstances. (Thanks @Ludditus for your feedback. The engineer who did this part of programming has been fired, since he has more than ten years of experience in computer programming, but made such a basic mistake. We can't bear with him... :mad:
One could argue that his or her colleagues are no better because you should have a code review system in place before pushing it out to your consumers. You do have a code review system, right?

I would also hope that you endorse fuzzing and other automated testing techniques to find unforeseen bugs before other people do. Consulting professional teams for auditing is also a good idea.
 

Ludditus

Level 1
The engineer who did this part of programming has been fired, since he has more than ten years of experience in computer programming, but made such a basic mistake. We can't bear with him...:mad:
This is not a reason to fire a developer. If things were that way, almost everyone working at Microsoft and pretty much everywhere else in IT would be jobless.
 

WiseVector

From WiseVector
Verified
Developer
One could argue that his or her colleagues are no better because you should have a code review system in place before pushing it out to your consumers. You do have a code review system, right?

I would also hope that you endorse fuzzing and other automated testing techniques to find unforeseen bugs before other people do. Consulting professional teams for auditing is also a good idea.
Hi Opcode,

Thanks for your advice.
Yes, we have a code review system but it is imperfect at present.
We will improve the system a.s.a.p. and try to make no basic mistake anymore.

Best Regards,
WiseVector
 

Evjl's Rain

Level 42
Verified
Trusted
Content Creator
Malware Hunter
I'm actually using WiseVector on my main laptop to replace my beloved Avast.
I'm almost happy with everything except 4 points:

1/ When I disabled WV's realtime protection and executed cmd -> sfc /scannow, the WV service was still actively scanning and consuming 0.5-1% CPU. It was supposed to consume 0% CPU after being disabled.
2/ WV "Upload file" seems to have a size limit. I tried to submit a ~770KB file but WV didn't show me any notification if the upload was successful or not
3/ The ransomware honeypot folders/bait folders look a bit unpleasant. Perhaps, can we have an option to hide them? Does it affect the protection at all?
4/ When I was in v2.08 and clicked "check for update", it didn't seem to update to v2.09. I had to manually install it

By the way, I seriously think WV has more potential than Cylance and it has broader support of file types. Cylance Home is completely useless against scripts
 

harlan4096

Level 61
Verified
Staff member
Malware Hunter
4/ When I was in v2.08 and clicked "check for update", it didn't seem to update to v2.09. I had to manually install it
In one of my VMs with WV 2.07 it has just auto updated some minutes ago to 2.09 via "Check for update"... but it did not auto run again; I had to click manually on the WV shortcut and then I got 2.09.

Update: a different WV 2.08 in a laptop has just auto updated to 2.09
 

WiseVector

From WiseVector
Verified
Developer
Hi Evjl's Rain,


Very happy to know you are one user of WiseVector StopX.

1. Can you please tell me why you need to disable StopX's realtime protection?
When you have the advanced detection enabled (although you disabled the realtime protection), the behavior detection is still recording every important action, such as process creation, remote thread and Windows hook. This is consuming CPU. When a suspicious behavior is detected, StopX will trace the whole behavior chain to clean up malware leftover parts. If you just want to use StopX as a scanner, you have to disable realtime protection, advanced detection, ransomware detection and document protection.

2. When the size of the file is over 20M, you will be informed that the upload has failed. When the upload is completed, there will be a notification "File has been uploaded successfully!". Is the file you wanted to submit a false positive or a suspicious one? No notification? It was abnormal. Can you please submit another file to have a test?

3. You can hide the ransomware bait folders manually, but it's not suggested, since most ransomware doesn't encrypt hidden files. You can also customize your own bait folders to look pleasant. :)

4. Maybe there is a problem with auto update; we will have an update server located in Europe to resolve this soon. (@harlan4096)

Best Regards,
WiseVector
 

Evjl's Rain

Level 42
Verified
Trusted
Content Creator
Malware Hunter
1. Can you please tell me why you need to disable StopX's realtime protection?
When you have the advanced detection enabled (although you disabled the realtime protection), the behavior detection is still recording every important action, such as process creation, remote thread and Windows hook. This is consuming CPU. When a suspicious behavior is detected, StopX will trace the whole behavior chain to clean up malware leftover parts. If you just want to use StopX as a scanner, you have to disable realtime protection, advanced detection, ransomware detection and document protection.

2. When the size of the file is over 20M, you will be informed that the upload has failed. When the upload is completed, there will be a notification "File has been uploaded successfully!". Is the file you wanted to submit a false positive or a suspicious one? No notification? It was abnormal. Can you please submit another file to have a test?

3. You can hide the ransomware bait folders manually, but it's not suggested, since most ransomware doesn't encrypt hidden files. You can also customize your own bait folders to look pleasant. :)

4. Maybe there is a problem with auto update; we will have an update server located in Europe to resolve this soon. (@harlan4096)
hello:
1/ I disabled WV because it would speed up sfc /scannow (a known script to repair Windows) => I didn't do anything during the repair, just waiting, so there was no problem temporarily turning off WV.
2/ My file was only 775KB (SunsetScreen.exe). WV never showed anything after I clicked upload. I repeated it at least 10 times, no message. Smaller files are okay.
This is the VT link to the file: VirusTotal

I submitted it because it was detected by WV version 1 and I failed to submit it at that time. Now it is not detected anymore, but I just want to test the file submission.

3/ I understand. It's fine. I can live with it

4/ Maybe WV can update itself to a +2 version? like from 2.07 -> 2.09, but not from 2.08 to 2.09?

So far, I'm quite happy with WV.
I just wonder why WV is so big on private bytes/committed size of RAM?
Capture.PNG
 

WiseVector

From WiseVector
Verified
Developer
I just wonder why WV is so big on private bytes/committed size of RAM?
Hi,
Commit size is the amount of space reserved in the paging file for the process. It is used when its pages need to be swapped out to make room in RAM for other processes. It refers to the amount of memory that the process executable has asked for - not necessarily the amount it is actually using.
WiseVector StopX uses memory-mapped files (create file mapping) to load the files to the virtual memory; some of them are stored on the external disk storage which can be used to exchange data when needed.
If you checked Google Chrome, you could find it is huge on commit size. On my computer, it is consuming around 900000K at present, so no worry here.
When you do nothing with WiseVector StopX but it is still consuming CPU, it's probably because of streaming update.
4/ Maybe WV can update itself to a +2 version? like from 2.07 -> 2.09, but not from 2.08 to 2.09?
Yes, it can do this.