WiseVector

From WiseVector
Developer
Verified
Joined
Dec 14, 2018
Messages
51
Operating System
Windows 10
Antivirus
Kaspersky
#22
Hi B.Richter,

Thanks for testing WiseVector. Currently WiseVector has a file monitor and a pre-execution blocker. We plan to add AI-driven behavior detection in the next version.

For now WiseVector scans files when they are created and before you open them. You said "SMSvcHost32.exe" was identified as malware by WiseVector, so it should be blocked when you open it. I don't understand why it is running like nothing happened...
For "rad4F36F.tmp", did WiseVector identify it as malware? (Right-click on the file and scan it with WiseVector.)

Please make sure Tencent PC Manager did not block anything when installing WiseVector. The installer needs to make some changes to the registry; if it was blocked by Tencent, the pre-execution monitor may not work.

Eason
WiseVector, inc.

Der.Reisende

Level 37
Content Creator
MWT-Tester
Verified
Joined
Dec 27, 2014
Messages
2,665
Operating System
Windows 10
Antivirus
Tencent
#23
Hello Eason,

thank you for the very fast reply :)

*Behavior Blocker - thanks for letting me know that this will be implemented soon; it should be a great addition!
*SMSvcHost32.exe - yes, you can see the alert window bottom right; I clicked it seconds after (I'm not sure if WiseVector freezes execution of malware in the current release? It seems to wait for user input (quarantine); meanwhile, the malware can execute and damage the system). That should be addressed. Tencent PC Manager auto-decides (intercept and auto-quarantine); the warning messages are information only.
Note that I did extract the archive, WiseVector began detecting malware, and I confirmed every "SHIELD_DEAL" warning. Additionally, the malware folder was scanned by Custom Scan before I began executing the leftover malware. It did not detect the malware on static scan.
*rad4F36F.tmp - I might recheck, but as far as I'm aware, these payloads (presumably .exe files) are signed with a valid certificate in order to bypass security products. Those script droppers (here: aaa.js) drop multiple payloads; I think they're all the same malware. Usually it's csrss.exe, a .jpg file and one of the "rad" files. I'm trying to find another sample today; maybe I can extract the .exe for analysis, and I will provide it if so.
It was dropped by the script dropper (aaa.js) and executed; it wasn't in the initial download folder, so I couldn't scan it. As seen in the screenshots, it performed multiple outbound connections (which remained after the attack; Shade ransomware has RAT abilities as far as I know), and shortly after execution the ransomware began encrypting the system.
*Tencent PC Manager - I have another computer not yet equipped with WiseVector. I will perform some tests on that one, just to make sure. It has Tencent PC Manager as well, but I will completely disable it during installation to make sure nothing is blocked.

WiseVector

#24
Hi B.Richter,

Before we go, you should download the English version of WiseVector here: http://www.wisevector.com/WiseVector_Setup_EN.exe
We made it for testing purposes only :oops: . You need to uninstall the previous version first.

If WiseVector failed to freeze execution of the malware, below are the possible reasons:

1. You didn't restart your computer after installing WiseVector.
2. Some other AV prevented WiseVector from making changes to the registry.

After installing WiseVector, you should restart your computer to enable Real-Time protection. Then open Process Hacker (if you don't have it, you can use Process Explorer instead). Double-click on "explorer.exe"; you should see two DLLs belonging to WiseVector loaded into explorer.exe.
See the screenshot below:

Capture.PNG

If you can't see these DLLs, that means something has gone wrong.

If all goes well, WiseVector should prevent malware from running, like the screenshot below:

Capture1.PNG

For now WiseVector implements an AI technology to detect threats in Portable Executables (PE), PDFs, RTFs, and Office documents, not in scripts.

Eason
WiseVector

Der.Reisende

#26
Good morning Eason,

thank you for providing an English version so soon, looks good :)
English.png

Set it up now; uninstalled the previous WV via RevoUninstaller.
Made sure to deactivate Tencent PC Manager Global.
WiseVector asked to reboot the system after installation, done.

One thing I've noticed: the update process did not work when VPN was on (unfortunately, it's mandatory for Malware HUB testing - "needed to protect your real IP from malware processing"). This could be a reason for some detections missing?
However, with VPN on, the AI still was working for most files.
Tencent PC Manager works flawlessly with VPN.

I've found the .dll, and WiseVector is in Autoruns; it should work well.

wise.png

WiseVector

#27
Hi Der.Reisende,

When VPN is on, can you open our official website (https://www.wisevector.com/)?

According to the screenshot, WiseVector was not working, because there should be two DLLs but you had only one.
If Secure Boot (you can see it in your BIOS) is enabled, explorer.exe will not load WiseVector's DLLs, because WiseVector uses AppInit_DLLs to load them. Yes, it's a problem; we will not use AppInit_DLLs in the next version of WiseVector.

Please read: AppInit DLLs and Secure Boot - Windows applications for more details about Secure Boot.

Wendy
WiseVector

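The two checks the developers describe above, in post #24 (two WiseVector DLLs should show up in explorer.exe's module list) and in post #27 (Windows does not process AppInit_DLLs when Secure Boot is enabled), can be run together from an elevated PowerShell on the test machine. The script below is an added example for this thread, not WiseVector's own tooling. The install directory in `$WiseVectorDir` is an assumption, and because the thread never names the two DLLs, the script counts any module explorer.exe has loaded from that directory. The Secure Boot rule is the one Microsoft documents for Windows 8 and later.

```powershell
# Added diagnostic for the "only one DLL in explorer.exe" problem discussed in this thread.
# Not WiseVector's own code. Run from an elevated PowerShell on the test host.
# ASSUMPTION: WiseVector's user-mode DLLs live under this directory (adjust to your install).
$WiseVectorDir = 'C:\Program Files\WiseVector'

# 1. Secure Boot state. Since Windows 8, the AppInit_DLLs mechanism is disabled
#    whenever Secure Boot is on, regardless of the registry values below.
#    Confirm-SecureBootUEFI throws on legacy-BIOS machines, where Secure Boot cannot be on.
try {
    $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
} catch {
    $secureBoot = $false
}
"Secure Boot enabled: $secureBoot"

# 2. AppInit_DLLs registration. 64-bit processes (explorer.exe on x64 Windows) read the
#    native key; 32-bit processes read the WOW6432Node key. LoadAppInit_DLLs must be 1
#    for the listed DLLs to be loaded at all.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $keys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }
    "$key"
    "  AppInit_DLLs              = '$($p.AppInit_DLLs)'"
    "  LoadAppInit_DLLs          = $($p.LoadAppInit_DLLs)"
    "  RequireSignedAppInit_DLLs = $($p.RequireSignedAppInit_DLLs)"
}

# 3. What explorer.exe has actually loaded (the same list Process Hacker shows on its
#    Modules tab). The developer says two WiseVector DLLs should be present.
$loaded = @(
    Get-Process -Name explorer -ErrorAction Stop |
        ForEach-Object { $_.Modules } |
        Where-Object { $_.FileName -like "$WiseVectorDir\*" } |
        Select-Object -ExpandProperty FileName -Unique
)
"Modules loaded from $WiseVectorDir in explorer.exe: $($loaded.Count)"
$loaded

# 4. Verdict, following the reasoning in posts #24 and #27.
if ($secureBoot) {
    'Verdict: Secure Boot is on, so Windows ignores AppInit_DLLs; the DLLs cannot be loaded this way.'
} elseif ($loaded.Count -lt 2) {
    'Verdict: Secure Boot is off but fewer than two DLLs are loaded; check LoadAppInit_DLLs = 1, the AppInit_DLLs value, and whether the installer was blocked.'
} else {
    'Verdict: both DLLs are loaded; the pre-execution blocker should be active.'
}
```

Run it once after the post-install reboot and again after changing the Secure Boot setting in firmware. Enumerating another process's modules needs administrator rights, and `Confirm-SecureBootUEFI` does too; a non-elevated run will report zero modules even when the DLLs are present, so treat that result as inconclusive.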
WiseVector

#28
Hi @WiseVector

I have some questions for you

1. How can I submit samples to you for analysis?

2. Any info on the multilanguage version of it?

3. Will you add the scan engine to VirusTotal?

With best regards
Mops21
Hi Mops21,

Thank you for your interest in WiseVector.
1. Please submit samples by "Upload File" at the bottom of WiseVector.
2. Please download the English version at http://www.wisevector.com/WiseVector_Setup_EN.exe
3. Yes, we will.

Best regards,
Wendy
WiseVector

Mops21

Level 24
Verified
Joined
Oct 25, 2014
Messages
1,395
#29

Hi @WiseVector

Thank you very much for your info

1. Will you release more languages, for example a German version of it?

2. When you add it to VirusTotal, how can I submit samples to you?

With best regards
Mops21

Der.Reisende

#30
Good evening Wendy!

Unfortunately, I cannot reach the page when VPN is on.
I’m using F-Secure FreeDome VPN.
F-Secure FREEDOME VPN - Online privacy protection
I can reach the Tencent page, but it's delayed. I cannot reach the Rising homepage. It's difficult to reach Chinese pages with VPN on.

Will check for Secure Boot ASAP; currently I'm not at home, so I'm replying from mobile.

Thank you very much for your help, highly appreciated :)

WiseVector

#31
Hi Der.Reisende,

You are welcome, this is my job :)
Can you switch your VPN server's IP?
Our server is in Hong Kong and it's out of the control of the Great Firewall, so I think the update process should go well.

Best regards,
Wendy
WiseVector

WiseVector

#32
Hi Mops21,

You are welcome.
1. Yes we will, but for now we only have Chinese and English versions.
2. You can submit samples by "Upload File" at the bottom of WiseVector directly, whether or not we add it to VirusTotal. I think it's more convenient and efficient.

Best regards,

Wendy
Wisevector

Mops21

#33
Hi @WiseVector

Thank you very much for your info

With best regards
Mops21

Der.Reisende

#34
Hello Wendy,

I had no time to check Secure Boot yet (will soon leave for Munich to see a concert), but I had time to check the VPN issue.
Now switched to Windscribe VPN (Free); I can confirm that the webpage can be opened flawlessly via the HK server location.
Had to replace F-Secure FreeDome; my internet was unusable with their HK server (it did not open your page, and all others were super slow to load).

Anmerkung 2018-12-17 111623.png

Thank you for your help, have a fantastic day :)

Der.Reisende

#39
Hi Der.Reisende,

Please see the red circle of the screenshot.
Sorry for this problem, it has been fixed, please update WiseVector, it will show correctly.
Have a nice day!

Wendy
WiseVector
View attachment 203667
Thanks Wendy!
Wouldn't have noticed ;)
You take the product very seriously & offer great support; I like that a lot!

Mahesh Sudula

Level 12
Verified
Joined
Sep 3, 2017
Messages
558
Operating System
Windows 8.1
Antivirus
Doctor Web
#40
Hi harlan4096,

Which OS are you running?
Please see the red circle of the screenshot. It looks bad...we want to know why.
Looking forward to your reply.
Thank you.

Wendy
WiseVector
View attachment 203671
Hi,
I am impressed with your product. However, I have a few queries:
. I see a lot of Heur.PE detections, sort of static signature-based detections.
Normally heuristics come into action after execution? Or is that a default signature-based detection (known signatures)?
Thanks in advance