WiseVector

From WiseVector
Verified
Developer
Falsely detects fitgirl repack compression algorithm even though I sent it as false positives a few months ago
Hi,

"fitgirl repack compression algorithm" sounds like a kind of algorithm, not a file or an app. We receive a great number of files from our users every day, so sorry, I can't help you with only this information. Can you please send it to "virus@wisevector.com"? Then we can solve this as soon as possible.
Thanks!
 
@WiseVector - I've installed this one on my dad's old laptop with Windows 8.1 (cannot handle Windows 10) and during this week he's been getting this one like on 5 different occasions:

Code:
WIBD:HEUR.InfoStealer.F011
C:\Windows\System32\svchost.exe

Should I be worried, or could this be a false positive on Windows 8.1?

Usually I would just go there and install everything from scratch, but I don't have the time right now. I told my younger brother to run Norton Power Eraser and Emsisoft Emergency Kit and tell me if something appeared, but nothing came up. However, when running Norton Power Eraser the warning appeared again, saying that it was blocked, but nothing has been quarantined so far.
 

WiseVector

From WiseVector
Verified
Developer
Hi MalwareTypes,

It's not a false positive. The detection means svchost.exe is reading several kinds of sensitive data on the system (browser passwords, FTP passwords, mail passwords, etc.).
The behavior was blocked by WiseVector StopX, so your password is safe. svchost.exe is a system file, so WVSX will not quarantine it.

Please do a full system scan using WVSX to see if it can detect the real malware. Svchost.exe can be hosted by a malicious DLL, or it can be injected by a kernel-mode driver. Sometimes it is difficult to find the real source of the malicious behavior. If the problem persists, you'd better reinstall your OS, since stealer malware can cause serious damage. If you have good knowledge of computer systems, first disconnect your computer from the network. Download Process Monitor to see which svchost.exe is accessing sensitive data. Then use Process Explorer to find possible malicious DLLs in svchost.exe.
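The triage WiseVector outlines (disconnect, find the svchost.exe that touches credential stores, inspect its DLLs, consider a driver) as one PowerShell script. This is an added example, not code from the post or from WiseVector; it assumes an elevated PowerShell on Windows 8.1 or later and uses only in-box cmdlets. The credential-store paths at the end are constructed examples for a Process Monitor filter, not a complete list.

```powershell
# Added example (not WiseVector's code): shortlist which svchost.exe instance could be
# the one reading credential stores, following the steps in the post above.
# Run from an elevated PowerShell on the affected machine after disconnecting it from
# the network. Assumes Windows 8.1 or later; only in-box cmdlets are used.

function Test-MicrosoftSigned {
    # $true only when the file's Authenticode/catalog signature validates and the
    # signer is Microsoft. Anything else goes on the list to check by hand.
    # Caveat: catalog-signed OS files can show as NotSigned on some builds, so a hit
    # is a candidate for Process Explorer, not a verdict.
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid') { return $false }
    return [bool]($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

# 1. Every svchost.exe: parent, whether the image is the real System32 binary, the -k
#    service group and the services it actually hosts. A genuine svchost.exe is a child
#    of services.exe, runs from System32 and hosts at least one service; an instance
#    that fails any of these is the first candidate.
$svchosts  = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
$realImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

$svchosts | ForEach-Object {
    $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $($_.ProcessId)" |
              Select-Object -ExpandProperty Name
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $parentName = '<exited>'
    if ($parent) { $parentName = $parent.Name }
    $group = ''
    if ($_.CommandLine -match '-k\s+(\S+)') { $group = $Matches[1] }
    [pscustomobject]@{
        PID       = $_.ProcessId
        Parent    = $parentName
        RealImage = ($_.ExecutablePath -ieq $realImage)   # $null path => not elevated
        Group     = $group
        Services  = ($hosted -join ', ')
    }
} | Format-Table -AutoSize

# 2. DLLs loaded in each svchost.exe that are not validly Microsoft-signed: the
#    "malicious DLL hosted in svchost" case from the post.
$suspect = foreach ($p in $svchosts) {
    $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) { continue }
    foreach ($m in $proc.Modules) {
        if (-not (Test-MicrosoftSigned -Path $m.FileName)) {
            [pscustomobject]@{ PID = $p.ProcessId; Module = $m.FileName }
        }
    }
}
$suspect | Format-Table -AutoSize

# 3. The "injected by a kernel-mode driver" case: running drivers whose image is not
#    Microsoft-signed. PathName comes in \??\C:\..., \SystemRoot\..., relative and
#    plain forms, so normalise before checking.
Get-CimInstance Win32_SystemDriver -Filter "State = 'Running'" |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-MicrosoftSigned -Path $path)) {
            [pscustomobject]@{ Driver = $_.Name; Path = $path; StartMode = $_.StartMode }
        }
    } | Format-Table -AutoSize

# 4. With the shortlist in hand, Process Monitor shows which PID really opens the
#    stores: filter on Operation is CreateFile and Path contains one of these.
#    Constructed examples of common credential files, not a complete list.
$credStores = @(
    (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Login Data'),
    (Join-Path $env:APPDATA      'Mozilla\Firefox\Profiles'),   # <profile>\logins.json
    (Join-Path $env:APPDATA      'Thunderbird\Profiles'),       # <profile>\logins.json
    (Join-Path $env:APPDATA      'FileZilla\sitemanager.xml')
)
$credStores
```

Step 1 alone often settles it: a svchost.exe that is not a child of services.exe, hosts no service, or does not run from System32 is not the real one. Steps 2 and 3 produce a shortlist to open in Process Explorer, which the post recommends; they do not prove anything malicious on their own, and an elevated prompt is required or module lists and image paths come back empty.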
 
Hi MalwareTypes,

It's not a false positive. The detection means svchost.exe is reading several kinds of sensitive data on the system (browser passwords, FTP passwords, mail passwords, etc.).
The behavior was blocked by WiseVector StopX, so your password is safe. svchost.exe is a system file, so WVSX will not quarantine it.

Please do a full system scan using WVSX to see if it can detect the real malware. Svchost.exe can be hosted by a malicious DLL, or it can be injected by a kernel-mode driver. Sometimes it is difficult to find the real source of the malicious behavior. If the problem persists, you'd better reinstall your OS, since stealer malware can cause serious damage. If you have good knowledge of computer systems, first disconnect your computer from the network. Download Process Monitor to see which svchost.exe is accessing sensitive data. Then use Process Explorer to find possible malicious DLLs in svchost.exe.

Ran both the Quick and the Full Scan and nothing came up. For whatever it's worth, the message hasn't popped up again.

I guess I'll have to reinstall the OS in the next weeks, luckily he uses mostly his phone to check his mail and Facebook. Thanks for answering!
 

Lenny_Fox

Level 14
Verified
@WiseVector compliments for the user interface design. It is simple, but allows detailed configuration when opening the settings.

I have Code Integrity and Block Child Processes enabled in Windows Defender Exploit Protection. Most other AVs inject their DLL without the user having any control over it. What I really like is the exclusion of files (executables) from advanced protection. This prevents the WiseVector DLL from being injected (y).

WD Exploit Protection blocks all DLLs which are not Microsoft-signed for my Office apps. Most AVs don't allow this level of user configuration (causing an error when launching Office programs). WiseVector, with its really simple user interface, allows me to exclude Office programs from advanced protection (which is great because WD Exploit Protection takes care of that).

Compliments to your UX designers
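Lenny_Fox's Exploit Protection setup for Office in script form: Code Integrity Guard (only Microsoft-signed DLLs may load, which is what stops an AV's injected DLL) plus Block Child Processes, applied in audit mode first and then verified. This is an added example, not code from the post or from WiseVector; it assumes Windows 10 1709 or later (where the ProcessMitigations module is in-box) and an elevated prompt, and the mitigation and output property names are the documented ones for Set-ProcessMitigation / Get-ProcessMitigation, to be checked against your build. The event-log name is likewise assumed.

```powershell
# Added example (not Lenny_Fox's or WiseVector's code): apply and verify the two
# Windows Defender Exploit Protection mitigations the post relies on for Office.
# Requires Windows 10 1709+ and an elevated prompt. Mitigation names are as
# documented for Set-ProcessMitigation; confirm on your build with
#   (Get-Command Set-ProcessMitigation).Parameters['Enable'].Attributes

$officeApps = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$Enforce = $false   # audit first; set to $true once no add-in shows up in the log

foreach ($app in $officeApps) {
    if ($Enforce) {
        # Enforce: any non-Microsoft-signed DLL (an AV injection DLL included) fails
        # to load, and Office cannot spawn cmd.exe/powershell.exe/etc. An AV that
        # insists on injecting will then break Office start-up, which is the error
        # the post describes.
        Set-ProcessMitigation -Name $app -Enable MicrosoftSignedOnly, DisallowChildProcessCreation
    } else {
        # Audit: same checks, only logged. Use this to learn which add-ins or
        # security tools would be hit before turning enforcement on.
        Set-ProcessMitigation -Name $app -Enable AuditMicrosoftSigned, AuditChildProcess
    }
}

# Verify the per-image settings now stored in the registry. Property names follow
# the Get-ProcessMitigation output (SignedBinaries / ChildProcess sections); a
# missing property simply shows as empty here.
foreach ($app in $officeApps) {
    $m = Get-ProcessMitigation -Name $app
    [pscustomobject]@{
        Image                = $app
        MicrosoftSignedOnly  = $m.SignedBinaries.MicrosoftSignedOnly
        AuditMicrosoftSigned = $m.SignedBinaries.Audit
        DisallowChildProcess = $m.ChildProcess.DisallowChildProcessCreation
        AuditChildProcess    = $m.ChildProcess.Audit
    }
}

# What audit mode recorded so far (log name assumed; absent on older builds).
# Each entry names the image and the DLL or child process that would have been
# blocked, so an AV DLL shows up here before enforcement breaks Office.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Security-Mitigations/UserMode' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Running the script in audit mode on a machine with another AV installed is a quick way to see whether that product injects into Office: its DLL appears in the audit events. Excluding Office from WiseVector's advanced protection, as the post does, is done in WiseVector's own settings, not from this script.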
 

WiseVector

From WiseVector
Verified
Developer
Hi,
Thanks for your positive feedback.
I would like to tell this to our UX designer. He must be very happy. :)
 

Lenny_Fox

Level 14
Verified
Hi,
Yes, current features will be kept free.

That is great news. Thanks a lot.

I really like the level of control of advanced malware protection and document protection. Other AV companies (with WV's ability to exclude processes from having the WV DLL injected) and Microsoft (with the level of configuration of the protected folders) can learn a lot from WV :).

Questions: Are memory inspection and instruction tracer additional rating info for the AI, or do they provide a sort of behavioral protection?

 

bjm_

Level 8
Verified
I have increased heuristics to high, but disabled check running processes (thinking it would not touch the processes launched before WV at boot and user logon).

So far (for 2 days) no problems or false positives
Yeah, I was wondering whether Heuristic Analysis High-Aggressive (false positive) detection might stop (interrupt) Windows startup. Do all detections wait for user action Exclude or Quarantine?
Will Windows be able to reach login and/or the desktop with a boot-process heuristic detection?
Maybe, Heuristic Analysis does not act alone. Maybe, Heuristic Analysis is part of the process flow. IDK
 

Lenny_Fox

Level 14
Verified
Yeah, I was wondering whether Heuristic Analysis High-Aggressive (false positive) detection might stop (interrupt) Windows startup. Do all detections wait for user action Exclude or Quarantine?
I have not seen a warning, but according to the settings options, WV can warn the user (probably with a choice to allow or block). The WV icon appears immediately after the desktop displays (much earlier than SpyShelter Free). So I guessed that by not checking already running processes, it would reach the desktop in case of a false positive with high heuristics.

Before trying out possible risky tweaks, I always run a quick data backup with SyncBack Free and set a restore point. I also have an image backup in case Windows restore fails.
 