WiseVector

From WiseVector
Developer
Verified
@WiseVector What advantages does this product have over other similar ones in the security product market? Why would users use it, and what's so revolutionary and exciting about it?
The advantages of WiseVector:

1. WiseVector does not rely on signatures; it can detect unknown malware.
2. Extremely lightweight.
3. Very easy to use.
4. WiseVector doesn't upload anything unless users submit files for analysis, which is different from some other security products. WiseVector never collects private data from users.

What is the plan to increase the user base, and will the priority for English users be the same as for non-English customers?

The basic version of WiseVector is free; once users think it is good enough, they will recommend it to others. Yes, the priority will be the same no matter what kind of version customers use.

Where do you see your company's future in a few years, if it's still around? Thanks.

We believe AI technology will lead the future in some aspects, and it does affect our lives at present. The target of WiseVector is keeping customers safe from malware, and WiseVector will make every effort to achieve it!

Happy New Year and cheers!
Wendy
WiseVector
 

WiseVector

From WiseVector
Developer
Verified
@WiseVector: 2 more things (using WV 1.31):

1. WV can't scan/follow a folder shortcut; tried with the mouse left-button setting -> Scan with WiseVector.

2. When you start a custom scan with the mouse left-button setting -> Scan with WiseVector, the scanning window showing the process is not opened automatically; I had to click the WV icon in the Windows taskbar to open it.

Thanks!
Hi harlan4096,

Confirmed these two problems. We will fix them in the next version.
Thanks for your feedback.

Happy New Year!
Wendy
WiseVector
 

WiseVector

From WiseVector
Developer
Verified
How about the name "NewVector" instead? By the way, if these people are this responsive, this software will become a very good product soon hopefully. I remember the early days of OSArmor and look how good it is now.
Hi noob guy,

NewVector is really good, but WiseVector has been registered by our company.
Thanks for your positive feedback; that means a lot to us.

Happy New Year!
Wendy
WiseVector
 

WiseVector

From WiseVector
Developer
Verified
Hi

How about protection against botnets, APTs etc?

Will your network firewall be a front for Windows default firewall or a dedicated firewall?

Any android version?
Hi HarborFront,

Botnets, APTs, etc. are malware, and most of them are common malware (like RATs, etc.), which can be detected by AI. Some APT attacks are sophisticated, and WiseVector will detect them through behavior protection in the future.
WiseVector will have an individual network firewall. It's not a front for the Windows default firewall.
We have no plan to make an Android version at present.

Regards,
Wendy
WiseVector
 

HarborFront

Level 45
Content Creator
Verified
I suppose the CCleaner incident was a good example of an APT attack.

Recent findings from CCleaner APT investigation reveal that attackers entered the Piriform network via TeamViewer | Avast

Can AI/behavior blocking detect it?

Does WiseVector protect users from data exfiltration?
 

WiseVector

From WiseVector
Developer
Verified
Thanks for sharing.
1. We think AI is best at prevention, and AI behavior protection works on prevention as well.
2. The CCleaner attack was well known and impressive because it was a software supply chain attack. However, they used a DGA to generate the C&C domains. DGA is a well-known technique which can be easily detected; it can even be detected by the naked eye. So the CCleaner incident was not a typical example of an APT attack. I think Duqu and Stuxnet are good examples. They were extremely sophisticated and difficult to detect.

At present, WiseVector is focused on prevention and protecting users from attacks at the early stage. In the future, we will deploy more functions to detect malicious behavior after the system has been compromised. For example, we may add a DGA detection function and data exfiltration prevention to our network firewall; AI is really good at abnormal domain detection.

Regards,
Eason
WiseVector
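Eason's point that DGA-generated C&C domains are easy to spot, even by eye, can be turned into checkable features. The following is an added example for this thread, not WiseVector's code: a small heuristic scorer over the registrable label of a domain, run against constructed sample names. The feature thresholds and the two-signal cutoff are assumptions tuned for these samples, not a trained model.

```python
import math
from collections import Counter

# Constructed sample domains for this example (not from the thread): a few
# legitimate-looking names and a few DGA-style names of the kind a generated
# C&C domain might look like.
SAMPLE_DOMAINS = [
    ("google.com", False),
    ("avast.com", False),
    ("malwaretips.com", False),
    ("stackoverflow.com", False),
    ("web3.com", False),
    ("ab6d8ce9fa.com", True),
    ("xkqzjvbtrwpl.net", True),
    ("k7yw3pq0ndl2s8.org", True),
]

VOWELS = set("aeiou")

def registrable_label(domain):
    """Label left of the TLD ('malwaretips' for www.malwaretips.com).
    A real firewall would consult a public suffix list; simplified here."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than real words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def longest_consonant_run(text):
    """Longest run of consonants; digits and vowels break the run."""
    best = run = 0
    for ch in text:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def letter_digit_switches(text):
    """Count letter<->digit transitions; real names rarely interleave digits."""
    return sum(1 for a, b in zip(text, text[1:]) if a.isdigit() != b.isdigit())

def dga_features(label):
    """Each True value is one 'looks generated' signal (thresholds are assumed)."""
    n = max(len(label), 1)
    return {
        "high_entropy": shannon_entropy(label) > 3.7,
        "few_vowels": sum(ch in VOWELS for ch in label) / n < 0.2,
        "long_consonant_run": longest_consonant_run(label) >= 4,
        "many_digits": sum(ch.isdigit() for ch in label) / n > 0.2,
        "digits_interleaved": letter_digit_switches(label) >= 2,
    }

def dga_score(domain):
    """Number of signals the registrable label triggers (0 to 5)."""
    return sum(dga_features(registrable_label(domain)).values())

def is_dga_like(domain, threshold=2):
    """Two or more signals is enough to flag a lookup for closer inspection."""
    return dga_score(domain) >= threshold

if __name__ == "__main__":
    for domain, expected in SAMPLE_DOMAINS:
        print(f"{domain:20} score={dga_score(domain)} flagged={is_dga_like(domain)} expected={expected}")
```

A single signal (web3.com trips only the digit-ratio check) is deliberately not enough to flag a domain; in a firewall this score would gate a block or an alert rather than replace allow-listing.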
 

In2an3_PpG

Level 17
Content Creator
Verified
Hi, @WiseVector

I'd like to thank you for spending the time to read my questions and respond to them and I do apologize for the delay in this reply. Without further delay... let's just jump right in! :)

1. The officially documented mechanisms for filtering process creation from kernel-mode should be fine for on-execution scanning purposes. Who told you otherwise? I'd love to hear about why it isn't suitable for you.

2. There is no point in you trying to justify your decisions by piggybacking off the choices made by a third-party vendor you are not even a partner of - you should be making your own decisions based on your own judgement, otherwise you may as well just be a re-seller for someone else's product.

My point of view on the matter is that relying on code injection and API hooking to achieve results that can be achieved without code injection and API hooking (in this case, they can, and the implementation would be far more reliable) is nothing but ignorance.

Kind Regards,

In2an3_PpG
 

WiseVector

From WiseVector
Developer
Verified
Hi In2an3_PpG,

Thanks for your reply.

For now WiseVector only hooks APIs to monitor process creation, but we want to monitor more APIs in the future. In kernel mode you only have callbacks (Process, Registry, Object). They are not enough, because you won't get a notification when many APIs are being called.
For example, you will not get a notification when malware calls SetWindowsHookEx to install a keylogger.

By the way, you can get a thread's context via API hooking, which is better than callbacks.

Regards,
Eason
 

In2an3_PpG

Level 17
Content Creator
Verified
Hi, @WiseVector

Thanks for your reply to the reply of your reply.

For now, my point of view is that WiseVector still has a bad underlying design for on-execution scanning support, and the second bad justification attempt has done nothing in regards to changing this.

1. I've told you several times that there's an officially supported and documented mechanism for filtering process creation which has a well-tested use case of on-execution scanning. It wouldn't be used by Microsoft themselves in Windows Defender, as well as a dozen well-established, reputable and widespread vendors who have a good stance in the enterprise market, if it wasn't as good as the idea you've been proposing and using in WiseVector.

2. WiseVector's on-execution scanning will only be supported when the process creation operation is performed by a process which has been injected into, which isn't reliable when you remember that WiseVector's relying on AppInit_DLLs that only supports processes which load USER32.DLL, does not support Secure Boot systems, and can be blocked with process mitigation policies. Last but not least for this point, in the event of a vulnerability being exploited to cause arbitrary code execution, all you need to do is manually perform a system call, and WiseVector's on-execution scanning will be oblivious.

3. Vendors like Google Chrome have started fighting back against people injecting into their processes. How will you monitor process creation from users opening downloads on Google Chrome when they start blocking your DLL injection? Even if you have fall-back plans for this, you can just eliminate the problem instead of masking it by using what everyone else in the real world is using. You know, the ones who have 100x more market share than you and cater to millions worldwide when the numbers are combined?

4. Why would you hook SetWindowsHookEx? At the least, if you're going to do that, target NtUserSetWindowsHookEx instead. Also, there are other ways to log the user's keystrokes other than NtUserSetWindowsHookEx. One minute your focus is on prevention, now it is post-compromise? You are focusing on way too much at once. Calm it down and improve what you already have before you end up doing a Microsoft... (this is the part where the borked update gets released).

Bottom line: use a kernel-mode callback when there's a suitable one available for you because it is officially supported, documented, and reliable. Your little hack tricks do not make you a security magician, they make you a security fool... use officially supported when there's sufficient documentation and more than enough use of the feature in question to know it is robust to a reasonable extent.

Roses are Red,
Violets are Blue,
WiseVector's on-execution scanning belongs down the loo,
With the funding you have you could do something great and following the documentation for on-execution scanning is as easy as baking a cake,
If you do not understand what I've said then you probably never will and there's samples online which outline what you need to do,
It looks like the market share doesn't want WiseVector but you gave it a shot and it's about the taking part that counts,
If it makes you feel better you can dress up and cuddle your WiseVector in bed but...
It's evident that I don't recommend WiseVector and if you've already installed it, I'd uninstall it quick!

My conclusion of this debate is:
I think that WiseVector are just another "latest and greatest" hype vendor jumping onto the "Artificial Intelligence" bandwagon for the computer geek teens on the block and would advise for anyone to avoid them at all costs.

I REALLY wanted to avoid hostility on this thread... either way, maybe this time you'll get the memo.

Kind Regards,
in2an3_PpG
 

Deleted member 178

@In2an3_PpG I agree that if you can get the same result without dll injections by using well documented methods, it would be far better. I'm not a coder but the logic behind your explanation is face-slapping.

Now maybe WiseVector has some specific reasons to do the way they are doing, we can't impose them our way.

Just hoping they will consider your point-of-view.
 

In2an3_PpG

Level 17
Content Creator
Verified
@WiseVector

Roses are Red,
Violets are Blue,
My last response was too hostile and this was uncalled,
Here at MalwareTips we are a family so I am sorry if anyone is upset,
I will try my best to not be rude and reduce hostility instead

Bottom line: I was too hostile in my previous post and there was no need for this and I shouldn't have been... I am merely disappointed because WiseVector has the financing support to let them access a wide range of resources to do a really good job, but I think they are being held back by ancient, compatibility-troublesome and undocumented techniques which are doomed for hassle. WiseVector are in charge of their product and if they do not want to take my advice then they do not have to, but it'll be their problem when they are avoided in the enterprise market or when problems start to arise.

I hope that no feelings have been hurt and I wish WiseVector a happy new year.

Kind Regards,
In2an3_PpG
 

WiseVector

From WiseVector
Developer
Verified
Hi @In2an3_PpG,

Thank you for sharing your opinion with us, but there are some points that I cannot understand.

1. Why do you not recommend, or even uninstall, a security product just because it uses API hook technology? It's more reasonable to evaluate a product by its effects. Actually, API hooking is a well-known technology that has been used for over 20 years. Microsoft also has the Detours library for API hooking.

2. So much malware uses API hooking, but AV vendors can't? Sounds like putting AV in a zoo but leaving malware in the wild. ;)

3. I agree that the process creation callback is the proper way to perform pre-execution scanning. However, as I said before, we need to monitor more APIs in the future. In the next version of WiseVector, the API call sequence is a very important factor for the AI-based behavior detection. Without it, the AI may make wrong decisions, so monitoring a large number of API calls is required.

4. We have a different understanding of prevention. My understanding is to stop the malicious program before attackers gain access to the system. If the malware gets killed by WiseVector when it is trying to install a keylogger, I think it is a successful prevention.

5. We make the decisions by ourselves 100%. In the previous conversation, you said it was incorrect to quote Comodo to support our ideas, but now you used Windows Defender and other widespread vendors to support your ideas....

Anyway, thanks for your advice. In the future we may use documented ways, as you said, to perform pre-execution scanning. But we still need to monitor a lot of APIs to achieve AI-based behavior detection; if you have a better idea to monitor APIs without doing API hooking, please let me know.

Regards,
Eason
 

In2an3_PpG

Level 17
Content Creator
Verified
Hi, @WiseVector

1. I do not believe for one second you've been doing this type of stuff for a long time, which would explain why you are under the impression that you cannot obtain a thread's context from kernel-mode or that you must prohibit yourself from using kernel-mode callbacks like PsSetCreateProcessNotifyRoutine/Ex/Ex2 or PsSetLoadImageNotifyRoutine/Ex (you can wait for NTDLL.DLL) for on-execution scanning on the grounds that you have plans to use user-mode API hooking for other things in the future.

I do not recommend people to uninstall security software because they are using API hooking technology - I rely on API hooking myself. I recommend people to uninstall security software like WiseVector because the people behind it are incapable of understanding simple things and do not seem to know why a security solution should be stable and reliable. I do not recommend people to use software which blindly uses flawed underlying designs for parts which can be implemented with a secure design with a bit of work.

Microsoft Detours is an open-source project which was published by Microsoft's research team, but this does not mean that user-mode API hooking is going to be safe 24/7 and is a stable thing to do, which is why I think that it should be done to the best possible minimum where applicable. You may need to do things in WiseVector which cannot be done using officially supported and documented mechanisms, this is perfectly understandable, but you do not need to explicitly rely on user-mode API hooking so you can filter process creation for the on-execution scanning. Period.

What you're failing to understand here is just because you plan to use API hooking for other things which cannot be achieved using officially supported and documented mechanisms, it does not mean that you must resort to non-officially supported and undocumented techniques for things that can be achieved using an officially supported and documented techniques. You're allowed to do a pick and mix, you do not have to limit yourself to official or unofficial... use both if you must, most vendors do.

Things have existed for years and years until they become obsolete due to new things showing up which produce results and are more secure/efficient/both... progress forwards, not backwards.

2. Security software is not malicious software and the fact that you have even just said what you've just said has raised huge red alarms in my mind about WiseVector and WiseVector's future - companies turn rogue all of the time and get busted. Security software should behave ethically and be as stable as it can possibly be to prevent damage to the customers of the product. But... as long as WiseVector have their brand new "Ai", who cares about collateral damage, right boys?

Malicious software has a wide range of category types, from rootkits, ransomware, crypto-currency miners and more... do you think it would be acceptable for WiseVector to start imitating them as well? I don't think so.

If an attacker can compromise the Windows kernel then they can start relying on subverting the Windows kernel with patches (Kernel Patch Protection can be bypassed, and Microsoft already know that enforcing security against an attacker running with the same privilege level is not realistically feasible) but that doesn't mean security software should go around deploying zero-days for Kernel Patch Protection. What about PatchGuard's Driver Signature Enforcement bypasses (e.g. via exploiting the VirtualBox driver)? I bet you won't be interested in exploiting that for WiseVector.

What about ELAM? You can force it without official access to ELAM but that doesn't mean vendors who are not partnered with Microsoft and have been given official access to it as well as the APIs should go around and start using it.

3. See point #1, you do not have to implement on-execution scanning in an unreliable fashion just because you plan on using user-mode API hooking for other things later down the road.

4. Yes, we do have a very big difference in our understandings of malware prevention: I think that stability and security should be two important factors and that unofficial/undocumented mechanisms should be best avoided where applicable.

-------------------------------- LINE BREAK --------------------------------
I am going to re-iterate something very important which all readers of this post need to remember:

My point of view on the matter is that relying on code injection and API hooking to achieve results that can be achieved without code injection and API hooking (in this case, they can, and the implementation would be far more reliable) is nothing but ignorance.
^^ I said that yo.

The bottom line here is that I do not have an issue with code injection and API hooking as long as it is used responsibly and is not blindly abused when it is not truly required. This is my personal opinion and marketing hype about the latest and greatest "Ai" is not going to change my opinion... I do not like security through obscurity and prefer to avoid it as much as possible.

I apologize if I have upset anyone because this was not the intention... if you give me something really interesting and funny then maybe I'll reply again, but I'm short on time for the foreseeable future because I'm currently making myself an "Ai" system which works by extracting complex patterns from a program's behavior graph.

Kind Regards,
In2an3_PpG
Self-proclaimed professional for "Ai" development
 

WiseVector

From WiseVector
Developer
Verified
Hi @In2an3_PpG,

1. WiseVector does not have as much financing support to get a great amount of resources as you imagined. We are working hard to make sure every coin is spent efficiently.
2. We have to make sure that WiseVector is compatible with other security products, because so many users use WiseVector as a second-opinion scanner.
3. Anyhow, both of us think API hooking is acceptable. As you posted, there are some problems in our approach, like WiseVector's reliance on AppInit_DLLs, which only supports processes that load USER32.DLL. In the next version, AppInit_DLLs will not be used.

Regards,
Eason
 

Deleted Member 3a5v73x

Sorry, but which engines does WiseVector use?
Triangle and Rectangle engines because perimeter scanning to catch new malware is tops now.
 

Windows_Security

Level 22
Content Creator
Trusted
Verified
@WiseVector

Eason, I applaud your company for joining this forum and reserving resources (you) to discuss your product with forum members.

I can remember a behavioral blocker called ThreatFire being blinded by a PoC from a hacker (I forgot his exact name, but his nickname was EPXOF or something). This PoC simply unhooked all the user-land hooks ThreatFire had set to monitor executable behavior.

ThreatFire had earned a reputation in security forums as a good add-on after turning from a paid product (CyberHawk) into a free product. Many of those fans jumped ship after ThreatFire was bypassed by PoC malware a few times (EPXOF made a few variants to prove his point).

I have a question and a tip for you:

Question
Does WiseVector have protection mechanisms against software trying to unhook the user-land hooks (making it blind for AI learning and effectively paralyzing WiseVector's defenses)?

Tip
History tends to repeat itself, so when the answer to the above question is no or partly, please consider that you have competitors in global markets and one of them is known for its aggressive marketing tricks (a company which sounds like 'silence' with an A instead of the E in the second syllable).

Imagine how much free publicity you would provide them when they create a targeted PoC which unhooks WiseVector's learning mechanisms. Also imagine how much damage to the product's reputation and brand name that would cause.

In the past, Chinese browser and AV vendors expanded their competition to the PCs of their customers by uninstalling the software of rival products, so you might not even need an American competitor to harm your brand reputation.

When your answer is no or partly, I would urge you to put "user-land unhooking" protection on your development calendar when you plan to use (happy user) ambassador/evangelist marketing.

WiseVector said:
The basic version of WiseVector is for free, once the users think it is good enough, they will recommend it to others. Yes, the priority will be the same no matter what kind of version customers use.
Regards Kees
 