Update WiseVector Free AI Driven Security

EASTER

Level 3
Verified
May 9, 2017
120
I have found no issues with the dumb detection routines: as for in-the-wild malware, there were samples caught by one and allowed by others, but overall leading to additive protection. But the AI component of WV still impresses, and along with Comodo's auto-sandbox, true zero-day malware really doesn't have much of a chance. Last week I coded up a ransomware file loosely based on Ryuk (true zero-day) and although undetected by the dumb components, the WV AI, after less than a minute's "thought", came back with a detection (potential.ransomware.A), detected and cleaned up my ransomware (and some trivia dropped in AppData/Local). Poor malware didn't even make it to the sandbox.

(and regarding WF - it seems not to matter if it is enabled or disabled, as it neither helps nor detracts)
Excellent initiative, and the result speaks volumes for such a combo. Very persuasive and formidable. Helpful challenges, and I appreciate the results and opinions.

Stas

Level 9
Feb 21, 2015
439
Here I got a false positive.
(screenshots attached: notepad.jpg, notepad2.jpg)

WiseVector

From WiseVector
Verified
Developer
Dec 14, 2018
489
Hi @WiseVector

It's great your new version comes with FW and HIPS

Any comment on Kaspersky FW in KIS? Is yours better in any way? I already have KIS, so should I disable one FW?

Can you attach some screenshots of WV's FW and HIPS settings pages?

Thanks

We heard there is no conflict between WVSX and KIS, so you can enable both FWs.
But if you feel any lag, such as slow website loading, you can try to turn off KIS's firewall.

If you are not so familiar with computer knowledge, you can just keep the default settings of WVSX.

WiseVector

From WiseVector
Verified
Developer
Dec 14, 2018
489
On an admin account I tried to add a WiseVector.exe shortcut to the startup folder; WiseVector did not start, and adding Run registry keys did not work.

WVSX relies on scheduled tasks to start with Windows. Press Windows + R -> Run, and then type taskschd.msc.
Then you can check if the WVSX items exist in Task Scheduler. If not, open WV->Settings->disable->re-enable "Automatically launch at system startup".

WiseVector

From WiseVector
Verified
Developer
Dec 14, 2018
489

Please do not use Notepad to modify the files in the ransomware trap folder of WVSX. To see all ransomware trap folders, open WV->Settings->Advanced->Anti-Ransomware settings->Enable deception-based ransomware detection->Set up.

Also, for ransomware, uploading to VT doesn't make sense. Legitimate programs can be used by ransomware to bypass AV.
For example, Netwalker->explorer.exe, Sodinokibi->Windows Defender's binaries.
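The trap-folder warning above is about deception-based detection: decoy files are planted where ransomware would touch them, and any change to a decoy is treated as evidence of tampering. The detector has no way to tell a user saving a trap file from Notepad apart from ransomware rewriting it, so hand-editing those files produces an alert. The toy monitor below is an added example and is not WiseVector's code; the decoy file names, the trap-folder layout and the two simulated scenarios are all constructed for the demo, and the "mass overwrite" scenario just rewrites bytes and renames files, it does not encrypt anything.

```python
"""Toy deception-based ransomware detection (added example, not WiseVector code).

Decoy ("trap") files are planted in a folder, a baseline of their contents is
recorded, and any later change to a decoy is reported as a tamper event.
All file names and the trap-folder layout are constructed for this demo.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed decoy names; real products pick names that sort early and look valuable.
DECOY_NAMES = ["budget_2019.xlsx", "family_photos.zip", "passwords.docx"]


def plant_decoys(trap_dir: Path) -> list[Path]:
    """Create decoy files with plausible-looking but inert content."""
    trap_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for name in DECOY_NAMES:
        p = trap_dir / name
        p.write_bytes(f"decoy:{name}:".encode() + b"\x00" * 512)
        paths.append(p)
    return paths


def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents, or 'MISSING' if the decoy was deleted or renamed."""
    if not path.exists():
        return "MISSING"
    return hashlib.sha256(path.read_bytes()).hexdigest()


def baseline(decoys: list[Path]) -> dict[Path, str]:
    """Record the known-good fingerprint of every decoy."""
    return {p: fingerprint(p) for p in decoys}


def check_decoys(base: dict[Path, str]) -> list[tuple[str, str]]:
    """Return (decoy name, event) for every decoy whose fingerprint changed."""
    events = []
    for p, expected in base.items():
        current = fingerprint(p)
        if current == "MISSING":
            events.append((p.name, "deleted-or-renamed"))
        elif current != expected:
            events.append((p.name, "modified"))
    return events


def simulate_user_edit(decoy: Path) -> None:
    """What happens when someone opens a trap file in Notepad and saves it."""
    decoy.write_bytes(decoy.read_bytes() + b"\r\nnote added by user")


def simulate_mass_overwrite(trap_dir: Path) -> None:
    """Stand-in for ransomware behaviour seen by the monitor: every file in the
    folder is rewritten with unrelated bytes and renamed. No real encryption."""
    for p in list(trap_dir.iterdir()):
        p.write_bytes(b"\xde\xad\xbe\xef" * 16)
        p.rename(p.with_name(p.name + ".locked"))


def run_scenarios() -> dict[str, list[tuple[str, str]]]:
    """Run both scenarios from clean baselines and return the alerts each raises."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        trap = Path(tmp) / "trap"
        decoys = plant_decoys(trap)
        base = baseline(decoys)
        results["untouched"] = check_decoys(base)       # no alerts expected
        simulate_user_edit(decoys[0])
        results["user_edit"] = check_decoys(base)        # one 'modified' alert
    with tempfile.TemporaryDirectory() as tmp:
        trap = Path(tmp) / "trap"
        decoys = plant_decoys(trap)
        base = baseline(decoys)
        simulate_mass_overwrite(trap)
        results["mass_overwrite"] = check_decoys(base)   # every decoy reported
    return results


if __name__ == "__main__":
    for scenario, alerts in run_scenarios().items():
        print(f"{scenario}: {alerts or 'no alerts'}")
```

Both the single Notepad save and the mass overwrite trip the same check; a real product adds context (which process wrote the file, how many decoys changed, how fast) to decide whether to block, which is why the post says to leave the trap folders alone rather than treat an alert on them as a bug.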

Correlate

Level 16
Verified
May 4, 2019
737
MSITC WiseVector StopX AI based detection and prevention of HiveNightmare aka SeriousSAM
This video shows how WiseVector StopX uses artificial intelligence to detect an exploit for a security vulnerability, first with real-time protection activated and then with it deactivated. HiveNightmare is the name of a proof of concept, i.e. functioning code with which vulnerabilities in operating systems can be exploited.

Terry Ganzi

Level 26
Verified
Feb 7, 2014
1,546
hxxps://www.youtube.com/watch?v=csHGxDqf_wQ
Intermission - WiseVector StopX 2.73 Test vs Fresh Malware Samples Part 2
League of Antivirus
hxxps://www.youtube.com/watch?v=vTnZSu51-G0&t=0s
Intermission - WiseVector StopX 2.73 Test vs Fresh Malware Samples Part 1

WiseVector

From WiseVector
Verified
Developer
Dec 14, 2018
489
hxxps://www.youtube.com/watch?v=csHGxDqf_wQ
Intermission - WiseVector StopX 2.73 Test vs Fresh Malware Samples Part 2
League of Antivirus
hxxps://www.youtube.com/watch?v=vTnZSu51-G0&t=0s
Intermission - WiseVector StopX 2.73 Test vs Fresh Malware Samples Part 1
Thanks to the author for the testing; any testing of WVSX will help us to improve.

First of all, I don't think these are fresh malware samples. As I understand it, fresh malware samples should have appeared within the last month, preferably not be present in VirusTotal, or at least have fewer than 30 detections, or fewer than 20 in VT. From the video we can tell that these samples probably come from VirusSign or VirusShare, because VirusSign often has many normal files that are infected with the Floxif virus, and VirusShare is full of PUPs. Samples from VirusSign are definitely not fresh samples.

At the end of the video, most of the infected files are files infected by the Floxif virus and PUPs, with a few worms (we think they are the same file) and one Quasar malware.

1. We are confident that our behavior detection is able to block the Floxif virus. In the author's test WVSX blocked one; please see the screenshot below. We have tested several files infected by the Floxif virus ourselves and we are sure WVSX is able to block them all. If there are testers willing to test Floxif samples with WVSX, we would appreciate it. If WVSX fails to block any Floxif sample, please post it here. Testers can disconnect from the network to prove we haven't updated anything.

2. We observed that WVSX's own files were also infected by the Floxif virus, which should not be possible, because our kernel drivers prevent other programs from writing to WVSX's installation folder. This should be the result of running a large number of Floxif viruses at the same time.

3. For PUPs, if we do not observe any advertising or spying behavior in our environment, we will not add the detection. For example, there are several mail.ru PUPs in the vlogger's test; we have analyzed many samples developed by mail.ru and didn't observe advertising behavior in our environment. Also, as far as we know, mail.ru has a large number of users in Russia, so we would be quite cautious to flag these files.

4. Older malware samples like Quasar may not exhibit malicious behavior if their C&C server is dead.

We think that the reason for these infections may be running a large number of samples at the same time, and that WVSX has some problems when faced with a stress test. We will do more stress tests ourselves in the future, but you should know that it is impossible for a normal user to run a large number of malicious programs at once.

(screenshot attached: Capture10.PNG)

cruelsister

Level 38
Verified
Trusted
Content Creator
Apr 13, 2013
2,752
We think that the reason for these infections may be due to running a large number of samples at the same time
I have no doubt that this would have played a significant part. Running a great deal of potentially malicious files simultaneously is as far from real-world as one can get. Although perhaps a test like this has some use when tested against a solely signature based (dumb) security application, it can have little value against a product that operates on a different level (HIPS, Sandbox, AI).

Personally, I coded various types of malware, ensuring true zero-day status, and have noted that WV will take time (sometimes up to 30 seconds) before a detection will occur. What would happen if 5 of these were gang-banged on the system was something that I felt would be of no interest, as it would hardly be a true and accurate scenario.

So although a video such as this could be mesmerizing to watch with all the flashing stuff on the screen, one would not be wrong to question its validity (but that's just the opinion of a lonely girl in an increasingly confusing universe).