Deprecated WiseVector Free AI Driven Security

WiseVector

From WiseVector
Verified
Top Poster
Developer
Well-known
Dec 14, 2018
643
Thanks for the test. I didn't notice that the malicious samples were causing serious damage to the system. For example, I didn't see files being encrypted. Most of the infected items were IEFO hijack registry keys. In addition, i saw a malicious file was found in the startup directory, normally WVSX's behavior blocker will not allow malware to create startup items or malicious IEFO keys. This may be related to the execution of multiple harmful files at the same time. It is worth mentioning that that many old samples do not exhibit malicious behavior because their CC servers were dead.

This massive old samples test is actually a test of the ability to collect malicious samples. I know these are old samples because WVSX will upload files that trigger behavior detection. These samples are about 6 months to 3 years old. The more malware you can collect, the better you can get a good score. I have observed that for some Emotet samples, Kaspersky may not be able to detect it at the first time. But at most no more than 5 hours, it will be detected by its cloud with name :"UDS:DangerousObject.Multi.Generic". Large companies are well-funded and have more channels to collect malicious samples, so static scans often score 100% in thees tests (vb100, AVC, youtube tests, etc.). The samples that can be collected by these testing are only a subset of samples be collected by these large manufacturers. For security software that uses machine learning, such as WVSX, the biggest advantage is to protect users from zero-day threats, such as malware that have just appeared for a few minutes. But unfortunately, there are too few tests to test zero-day malware, I have only seen MalwareHub which is kind of a test to test zero-day malware. Most of the malware tests are testing a lot of old samples which are very beneficial for the big players.

In fact. Defending against zero-day threats is far more difficult than detecting old threats. It is not difficult to get very good results on such tests, it might not even take a week to make one, you just need a private VT key and do a cloud hash matching for samples being scanned or launched. Samples in these tests are 100% present on VT. If only we knew that these tests had such a strong impact on users, maybe we don't need to spend years developing memory scanning, behavioral defense, instruction tracer, ransomware rollback, etc. We just need a hash checker...

We have decided to change our work plan and add cloud protection asap to achieve better results in such tests.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Between a random Youtube tester's opinion and Cruelsister's opinion I know who I should trust...
Thank you (you make me blush)! But regarding tests such as these, Quantity of samples used frequently precludes the quality of the test. Better would be to freshly code malware of diverse types, shut down any possibility of Cloud lookup (if available), then run the samples. Not having a product call home to upload the fresh malware is essential so that the test can be re-run to verify reproducibility.

As I have done a video or two in the past myself, I assure you that this is a very time consuming process and not a popular one for many to view as is the ransom gang-bang approach as was seen in this one.

(a final speculation- I noticed a number of BitCoin miner thingies were run. These will often utilize WMI which may cause changes that are not necessarily malicious.)
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Thanks for the test. I didn't notice that the malicious samples were causing serious damage to the system. For example, I didn't see files being encrypted. Most of the infected items were IEFO hijack registry keys. In addition, i saw a malicious file was found in the startup directory, normally WVSX's behavior blocker will not allow malware to create startup items or malicious IEFO keys. This may be related to the execution of multiple harmful files at the same time. It is worth mentioning that that many old samples do not exhibit malicious behavior because their CC servers were dead.

This massive old samples test is actually a test of the ability to collect malicious samples. I know these are old samples because WVSX will upload files that trigger behavior detection. These samples are about 6 months to 3 years old. The more malware you can collect, the better you can get a good score. I have observed that for some Emotet samples, Kaspersky may not be able to detect it at the first time. But at most no more than 5 hours, it will be detected by its cloud with name :"UDS:DangerousObject.Multi.Generic". Large companies are well-funded and have more channels to collect malicious samples, so static scans often score 100% in thees tests (vb100, AVC, youtube tests, etc.). The samples that can be collected by these testing are only a subset of samples be collected by these large manufacturers. For security software that uses machine learning, such as WVSX, the biggest advantage is to protect users from zero-day threats, such as malware that have just appeared for a few minutes. But unfortunately, there are too few tests to test zero-day malware, I have only seen MalwareHub which is kind of a test to test zero-day malware. Most of the malware tests are testing a lot of old samples which are very beneficial for the big players.

In fact. Defending against zero-day threats is far more difficult than detecting old threats. It is not difficult to get very good results on such tests, it might not even take a week to make one, you just need a private VT key and do a cloud hash matching for samples being scanned or launched. Samples in these tests are 100% present on VT. If only we knew that these tests had such a strong impact on users, maybe we don't need to spend years developing memory scanning, behavioral defense, instruction tracer, ransomware rollback, etc. We just need a hash checker...

We have decided to change our work plan and add cloud protection asap to achieve better results in such tests.

Thanks for taking your time to adress this test, but frankly you should not change your plans just because of such situations, I like and use your product because it isnt just a glorified hash checker that adds everything that Kaspersky or Microsoft detects at VirusTotal like some "security" vendors.

Dont worry, all the time that you spent developing memory scanning, behavioral defense, instruction tracer, ransomware rollback were worth it, your product is great and so is your support.
 

porkpiehat

Level 6
Verified
Well-known
May 30, 2015
277
Thanks for taking your time to adress this test, but frankly you should not change your plans just because of such situations, I like and use your product because it isnt just a glorified hash checker that adds everything that Kaspersky or Microsoft detects at VirusTotal like some "security" vendors.

Dont worry, all the time that you spent developing memory scanning, behavioral defense, instruction tracer, ransomware rollback were worth it, your product is great and so is your support.
totally agree.. (y)
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264
Only if it is second-tier antivirus, I guarantee that Norton, G Data, Kaspersky, Trend Micro and etc. would block almost 100% of that package there, well, I would not risk using this program alone

Just your assuming, you and nobody cannot "guarantee" that major AVs doing better in this kind of tests, your comment is rather just bashing a product you seems to dislike, that's is more close to be true than your biased opinion claiming as fact...

Note: I'm using WD/MD as my AV, so it's clear that I'm far away from a fanboy of WiseVector ;)
 

Mariihh

Level 3
Verified
Well-known
Mar 30, 2018
139
Just your assuming, you and nobody cannot "guarantee" that major AVs doing better in this kind of tests, your comment is rather just bashing a product you seems to dislike, that's is more close to be true than your biased opinion claiming as fact...

Note: I'm using WD/MD as my AV, so it's clear that I'm far away from a fanboy of WiseVector ;)
I think you need to learn to respect different opinions, if I don't like the program what's the problem with that? I want the best for me, if the program works for you it's fine, but not for me, If the program has not served me and is not useful to me, I have the right to speak about, simple :)
 
  • Like
Reactions: AtlBo

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264
I think you need to learn to respect different opinions, if I don't like the program what's the problem with that? I want the best for me, if the program works for you it's fine, but not for me, If the program has not served me and is not useful to me, I have the right to speak about, simple :)
I'm sure that I have to learn more for real life but never to respect nonsense claimed as facts...

Of course, it's true that everyone has the right for his personal opinion, but in your case #1,369 it's just assuming that major AVs doing better on this kind of tests, without to be able proven as fact, that is what I dislike only, nothing more!
 

SomeRandomCat

Level 3
Well-known
Dec 23, 2020
124
It might be cool to eventually see WV utilize some sort of white-listing. Most users wouldn't have a need to run unpopular software in the first place.

Regardless, I really like the way the development is going, and think it will be interesting to see how they implement their firewall.

Like others have said already in this thread, most the AV companies just follow around the big dogs and don't really put in the work of proper heuristics and behavior blocking, which is why I always preferred a solid HIPS.

Edit: Some sort of sandboxing would be dope as well.
 

SomeRandomCat

Level 3
Well-known
Dec 23, 2020
124
@WiseVector , I think this should read "statistics", not "statics".
sshot-001.png
 

SomeRandomCat

Level 3
Well-known
Dec 23, 2020
124
So, I added a few folders to 'Document Protection', and have been noticing 'RuntimeBroker.exe' occasionally trigger alerts.

sshot-001.png


This is part of MS Windows, so I am wondering if it should be excluded by default?

If I select 'End task', then I just get another alert in an hour or two.

It would be nice if there were more options, maybe some way to 'End task' + 'Add to block list'?

The little black scroll bar thing seems a bit buggy as well, I am not sure if that is a known issue, or if it has something to do with a tweak I applied to Windows, but if it is an issue on my end, it might have something to do with one of the 'Interface' configurations in 'Win 10 Tweaker', specifically the scroll bar modification?:

sshot-002.png
 

WiseVector

From WiseVector
Verified
Top Poster
Developer
Well-known
Dec 14, 2018
643
So, I added a few folders to 'Document Protection', and have been noticing 'RuntimeBroker.exe' occasionally trigger alerts.

View attachment 253441

This is part of MS Windows, so I am wondering if it should be excluded by default?

If I select 'End task', then I just get another alert in an hour or two.

It would be nice if there were more options, maybe some way to 'End task' + 'Add to block list'?

The little black scroll bar thing seems a bit buggy as well, I am not sure if that is a known issue, or if it has something to do with a tweak I applied to Windows, but if it is an issue on my end, it might have something to do with one of the 'Interface' configurations in 'Win 10 Tweaker', specifically the scroll bar modification?:
Hi,
Thanks for your suggestions.
It's recommended to click " Exclude" when the alert apears again. Since "RuntimeBroker.exe" usually doesn't access to "desktop.ini" in our testing, it's not the trusted application by default. No matter the app is a part of MS Windows or not, without being trusted, it can't modify or write files in the protected folders.
Do you mean this little black scroll bar in the red circle seems a bit buggy?
sshot-001.png

It is used to check the full App Path in case the path is very long.
 
F

ForgottenSeer 89360

Well I might be a bit late to join the YouTube test discussion, but here is my opinion.

I am specifically interested only in evasive and interesting malware. For me to "like" a sample it must have a very low detection rate on VT, which may have become known from various posts I have created here.

I have tested WiseVector against plethora of such malware and it has always detected all samples I have thrown at it. For example when I discovered the fileless RATs repository, which contained more than 100 ultra-evasive threats, some top-tier paid products didn't block a single one of them, WiseVector blocked them all even without submission. Same can be said about many other samples I have discovered.
Regarding the claims that it can only be used as a second-tier antivirus, maybe some users haven't noticed that WV doesn't register itself in WSC, which means that MD (at the very least) will be running alongside WV. At this stage the feature set of WV is very basic and I don't believe it has been designed to be your security be-all end-all, though with some additional work in the form of browser plug-ins, etc., it can easily be transformed into that.

We should also keep in mind that Norton and Trend Micro are paid products and WiseVector at this stage is still free.

Regarding the PUP detection, what's considered a PUP is very subjective. To me personally, any non-top-notch software is a PUP and I will never install it. Any bundlers may or may not be considered PUP. The PUP subject is very sensitive and causes lengthy discussions + numerous emails from vendors. This has caused many companies to be very careful as to what they classify as PUP and this can be easily noticed even in products such as Kaspersky and Bitdefender. These companies know very well what's potentially unwanted, but there are other legal reasons behind their decision not to remove certain programs.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top