SeriousHoax

Level 26
Verified
Malware Tester
Hi,

Of course not. If an application utilizes lsass.exe for its internet connection, it must be malware...

Since the communication is not encrypted (HTTP on port 80, from your screenshot), you can use Wireshark to capture the traffic between your computer and the remote IP.
The network packets are plain text, so you can easily inspect what caused this behavior.
It only happens when WiseVector is run for the first time after installation, so currently I'm not able to reproduce it. But this happened the last time I tried WiseVector too, so I'm sure something related to WiseVector is triggering it. In my case the domain it tried to connect to is owned by Cloudflare. Let us know if you can reproduce this on your end and, if yes, whether the domain is different in your case or not.
Can you please tell me what the CPU usage usually is when your system is idle?
WiseVector StopX scans the new files added to your computer, so it uses CPU when your system is updating or when something else causes new files to be added.
After asking that, I personally installed it and the CPU usage is fine now, but still it's never 0% when idle. Is this normal? Check this GIF file.

WiseVector

From WiseVector
Verified
Developer
It only happens when WiseVector is run for the first time after installation, so currently I'm not able to reproduce it. But this happened the last time I tried WiseVector too, so I'm sure something related to WiseVector is triggering it. In my case the domain it tried to connect to is owned by Cloudflare. Let us know if you can reproduce this on your end and, if yes, whether the domain is different in your case or not.

After asking that, I personally installed it and the CPU usage is fine now, but still it's never 0% when idle. Is this normal? Check this GIF file.
Hi,

After doing some searching, I've found similar behavior here: Automatic connection from LSASS to different IPs. Is this the usual behavior?
More details: Certificate Revocation Checking in Windows Vista and Windows Server 2008

And from this page, Performance Report for ocsp2.globalsign.com/gsdomainvalsha2g2 | Netcraft, we can see that "104.18.20.226" belongs to GlobalSign. So don't worry, you didn't get hacked. It's just the OCSP protocol.

CPU usage below 1% is normal. As I mentioned before, WV will scan newly added files. After 2.5, WV will also scan newly allocated memory pages so it can detect advanced memory attack techniques, which include:

Reflective DLL Injection
Process Hollowing
Manual PE loading (EXE and DLL)
DotNetToJS, SharpShooter, .NET code in PowerShell
Process Doppelgänging
Process Reimaging
Mimikatz

WV will also scan the system to identify hijacked or remote threads. All of this needs to consume CPU. Though we have designed a good algorithm to cache clean memory pages and threads, you will still notice a small amount of CPU usage.

oldschool

Level 50
Verified
After 2.5, WV will also scan newly allocated memory pages so it can detect advanced memory attack techniques, which include:

Reflective DLL Injection
Process Hollowing
Manual PE loading (EXE and DLL)
DotNetToJS, SharpShooter, .NET code in PowerShell
Process Doppelgänging
Process Reimaging
Mimikatz

WV will also scan the system to identify hijacked or remote threads. All of this needs to consume CPU. Though we have designed a good algorithm to cache clean memory pages and threads, you will still notice a small amount of CPU usage.
Very nice. I'm looking forward to it. Thank you! (y)

oldschool

Level 50
Verified
@WiseVector I enabled ransomware protection and started getting a few alerts. I could not find any Help files or FAQ in GUI or on your website. I think you should consider adding these in order to make the ransomware protection more user-friendly. I believe an average user would find it difficult to make use of this feature without more info. Otherwise, the GUI is simple and functional.(y):)

cosmos

Level 1
Thanks for the clarification. I've run into some quirks, like receiving errors during installation of Adobe Reader and Acronis Drive Monitor. Uninstalling WiseVector solved the issues. Not good first impressions here.
Although these issues did not appear again, I've bumped into some other ones:
1) After installing LibreOffice Still (stable) LibreOffice_6.2.8_Win_x64.msi (MD5: 4ef6b10fb4861cdc14671938759c78ba) and trying to start the program for the first time, LibreOffice went into a boot loop and finally presented me with a window to boot in LibO safe mode or boot normally. Selecting the latter continued the boot loop. I did not receive any message from WiseVector at the time. After disabling it, though, LibreOffice started normally.

2) On the same system, I ran Hiren's BootCD, which contains a small utility named All Users Cleaner. While it was running, WiseVector popped up informing me that both it and Hiren's startup .bat are trojans and asked me to whitelist them. I did, but then the same prompt appeared again and again.

I'm sorry, but IMHO this product is clearly far away from being ready for production use, considering the issue it caused on an application like LibreOffice alone, so I would hesitate to use it even on my own rigs. I do hope the best though for the development team, since there are clearly signs of innovative technology.

WiseVector

From WiseVector
Verified
Developer
Hi @oldschool,

Thank you for your advice and feedback.
When you enable ransomware protection, please don't try to open or modify the bait files used for protection. For example, when you use Microsoft Office to open a bait file, Microsoft Office will create a new ".tmp" file in the bait folder, which exhibits ransomware-like behavior. That's why you got a few alerts.
Please refer to the screenshot. When clicking "set up", you will see all the files. They are the bait files used to entice ransomware.


WiseVector

From WiseVector
Verified
Developer
Although these issues did not appear again, I've bumped into some other ones:
1) After installing LibreOffice Still (stable) LibreOffice_6.2.8_Win_x64.msi (MD5: 4ef6b10fb4861cdc14671938759c78ba) and trying to start the program for the first time, LibreOffice went into a boot loop and finally presented me with a window to boot in LibO safe mode or boot normally. Selecting the latter continued the boot loop. I did not receive any message from WiseVector at the time. After disabling it, though, LibreOffice started normally.

2) On the same system, I ran Hiren's BootCD, which contains a small utility named All Users Cleaner. While it was running, WiseVector popped up informing me that both it and Hiren's startup .bat are trojans and asked me to whitelist them. I did, but then the same prompt appeared again and again.

I'm sorry, but IMHO this product is clearly far away from being ready for production use, considering the issue it caused on an application like LibreOffice alone, so I would hesitate to use it even on my own rigs. I do hope the best though for the development team, since there are clearly signs of innovative technology.
Hi,

Thank you for your feedback.
Can you please tell me what's the version of WiseVector StopX you are using and what's your operating system? We will download LibreOffice for a test.
Can you please send Hiren's BootCD to "support@wisevector.com" or tell me where you downloaded it? We would like to do an analysis.

Regards,
WiseVector

cosmos

Level 1
Can you please tell me what's the version of WiseVector StopX you are using and what's your operating system?
2.53 on Windows 10 Home 64bit, build 1909.

We will download LibreOffice for a test.
You should try to download the specific version I had the issue with, if possible.

Can you please send Hiren's BootCD to "support@wisevector.com" or tell me where you downloaded it? We would like to do an analysis.
Should be version 15.2, check Old Versions | Hiren's BootCD PE
WiseVector

From WiseVector
Verified
Developer
2.53 on Windows 10 Home 64bit, build 1909.


You should try to download the specific version I had the issue with, if possible.


Should be version 15.2, check Old Versions | Hiren's BootCD PE
Hi,

1. We have downloaded LibreOffice_6.2.8_Win_x64.msi, which contains several apps (for example, Writer, Calc, Math, etc.). We tried all these apps one by one, but unfortunately we didn't reproduce the problem you encountered. Can you please tell me which application you were using?
2. All Users Cleaner performed dangerous actions. We whitelisted it and WiseVector StopX didn't alarm again. Can you please send me the screenshot of the prompt?

Regards,
WiseVector

cosmos

Level 1
Hi,

1. We have downloaded LibreOffice_6.2.8_Win_x64.msi, which contains several apps (for example, Writer, Calc, Math, etc.). We tried all these apps one by one, but unfortunately we didn't reproduce the problem you encountered. Can you please tell me which application you were using?
I simply executed the LibreOffice desktop link. But it kept crashing and restarting, until it presented me with a prompt to start LibreOffice in safe mode.

2. All Users Cleaner performed dangerous actions. We whitelisted it and WiseVector StopX didn't alarm again. Can you please send me the screenshot of the prompt?
Unfortunately I did not keep a screenshot, sorry.