WiseVector Free AI Driven Security


ForgottenSeer 92963

Hi,

Can you please tell me what type of Scriptors are hard to detect? We can adjust the Automatic Mode. Thanks.
Did you have a look at the "other Microsoft Binaries" executables and pay special attention to the ones with download and execute capabilities? See LOLBAS.

Two examples: Squirrel and Appvlp.

Squirrel.exe is part of Microsoft Teams and is intended to update (a part of) Microsoft Teams, but it has generic download and limited execute capabilities, or
Appvlp.exe, which is part of Microsoft Office, can execute stuff, and the beauty of most of the "other Microsoft Binaries" is that they are all M$ signed and run with standard user rights.


ticklemefeet

Jan 31, 2018
Does anyone have any experience with their web protection? I think I remember that they were against its necessity in the beginning but changed their view on that and implemented one. So, is it good, or do you who use this have another browser protection? Can I rely on it, or is this the weak spot of WVSX?
Can you install it in a VM, or say Shadow Defender, and check it out?
 

WiseVector

Dec 14, 2018
Does anyone have any experience with their web protection? I think I remember that they were against its necessity in the beginning but changed their view on that and implemented one. So, is it good, or do you who use this have another browser protection? Can I rely on it, or is this the weak spot of WVSX?
It is a complement to the Behavior Detection and makes the WVSX protection system more robust.
 

WiseVector

Dec 14, 2018
Did you have a look at the "other Microsoft Binaries" executables and pay special attention to the ones with download and execute capabilities? See LOLBAS.

Two examples: Squirrel and Appvlp.

Squirrel.exe is part of Microsoft Teams and is intended to update (a part of) Microsoft Teams, but it has generic download and limited execute capabilities, or
Appvlp.exe, which is part of Microsoft Office, can execute stuff, and the beauty of most of the "other Microsoft Binaries" is that they are all M$ signed and run with standard user rights.
Hi,

Thanks.
1. An attack includes various stages. Bypassing ASR doesn't mean the system has been compromised, since WVSX or other AV can prevent, detect or intercept the attack at any stage.
2. We have visited lolbas-project many times. However, we designed WVSX to fight in-the-wild threats. Usability and security should go hand in hand, so we can't block lolbins from running; otherwise there will be lots of FPs or popups to interrupt users.
 

robboman

Jul 11, 2018
I'm thinking about installing WiseVector on my grandparents' laptops. They are both running Windows 10 with MS Defender, using simple Windows hardening and DefenderUI to harden both.

I think WiseVector would be a nice additional layer of protection. I have a few questions though. My grandparents get confused when presented with messages asking them to allow/quarantine threats in case any malicious items are encountered.

Can WiseVector be configured so that it automatically quarantines any threats found? I see WiseVector added a HIPS module; in automatic mode, will this allow safe files to run without any issues? And lastly, does WiseVector auto-update to newer program versions when released? Any answers to my questions are greatly appreciated!
 

cruelsister

Apr 13, 2013
So are you saying blocking LOLBins in userspace would cause too many problems for home users or business users? Or both?
As I kind of intimated about this in a previous post, perhaps a simple (but I'm sure overly wordy and unclear) explanation is needed:

The problem with LoLbins is that an anti-malware application must not only be aware of WHAT a file does but also WHY it is doing it. For instance, there is nothing wrong with a user writing a script to delete a given file, but there is an issue when a script attempts to delete many files (like for a System Wiper). In this case the security application used must differentiate between the two, flagging one (to avoid a false positive) and not the other (to catch a malicious action).

On the whole, WVSX walks this line nicely using both standard AV detection and AI functionality. However, some things (like Scriptors) can get by such protection by being just a tad on the darker side of legitimate, something which I believe the brilliant folk at WV realize and so have added the FW and HIPS modules.

As a (very) simple example of the above, consider a Scriptor coded in Python (similar stuff can be done, most popularly, with Java or Go). One can use the "import socket" command to get outbound access while also including a KeyboardEvent (pyhook, various commands) to monitor and package user input and then send it out to friends from the Steppes of Central Asia. This in essence will code what amounts to a LoLbin keylogger (can be prettied up to make it quite cool) and overall would not be a good thing.

If such a Scriptor was indeed coded AND was a true zero-day, it would bypass most things (WVSX included), as these commands, both legitimate and normally used for High and Noble purposes, have now in combination been perverted into creating something malicious. An anti-malware application that was not sensitive enough will allow this, while one far too sensitive will detect not only this but many, many other things, resulting in a host of False Positives (and a product that detects everything really detects nothing).

WVSX seems to have been aware of this issue with the inclusion of the FW and HIPS modules as both the Network connection activity as well as the logging aspects would be blocked by changing the WV settings of FW and HIPS to the High Security level.

Of course one can also be well protected by the (cruel)CF + (default) WVSX combination.

Hope this helped...
 

WiseVector

Dec 14, 2018
Can WiseVector be configured so that it automatically quarantines any threats found?
Yes, please ensure the Default Action (in the basic settings) is Quarantine.
I see WiseVector added a HIPS module; in automatic mode, will this allow safe files to run without any issues?
Yes.
And lastly, does WiseVector auto-update to newer program versions when released?
Sorry. It doesn't auto-update to the latest version now. An overwrite installation is needed, or wait a bit longer to get the newer program. :)
 

WiseVector

Dec 14, 2018
Does WVSX have a permanent cache or whitelist for safe files to reduce system impact on execution?
During the first scan, WVSX will scan all the files, including whitelisted files. In the process, lots of metadata is extracted from the files and stored. Next time, the scanning speed will be much faster.
WVSX will not conduct in-depth behavior detection for some specific whitelisted files, to improve performance.
 

WiseVector

Dec 14, 2018
As I kind of intimated about this in a previous post, perhaps a simple (but I'm sure overly wordy and unclear) explanation is needed:

The problem with LoLbins is that an anti-malware application must not only be aware of WHAT a file does but also WHY it is doing it. For instance, there is nothing wrong with a user writing a script to delete a given file, but there is an issue when a script attempts to delete many files (like for a System Wiper). In this case the security application used must differentiate between the two, flagging one (to avoid a false positive) and not the other (to catch a malicious action).

On the whole, WVSX walks this line nicely using both standard AV detection and AI functionality. However, some things (like Scriptors) can get by such protection by being just a tad on the darker side of legitimate, something which I believe the brilliant folk at WV realize and so have added the FW and HIPS modules.

As a (very) simple example of the above, consider a Scriptor coded in Python (similar stuff can be done, most popularly, with Java or Go). One can use the "import socket" command to get outbound access while also including a KeyboardEvent (pyhook, various commands) to monitor and package user input and then send it out to friends from the Steppes of Central Asia. This in essence will code what amounts to a LoLbin keylogger (can be prettied up to make it quite cool) and overall would not be a good thing.

If such a Scriptor was indeed coded AND was a true zero-day, it would bypass most things (WVSX included), as these commands, both legitimate and normally used for High and Noble purposes, have now in combination been perverted into creating something malicious. An anti-malware application that was not sensitive enough will allow this, while one far too sensitive will detect not only this but many, many other things, resulting in a host of False Positives (and a product that detects everything really detects nothing).

WVSX seems to have been aware of this issue with the inclusion of the FW and HIPS modules as both the Network connection activity as well as the logging aspects would be blocked by changing the WV settings of FW and HIPS to the High Security level.

Of course one can also be well protected by the (cruel)CF + (default) WVSX combination.

Hope this helped...

Thanks for the info.

An in-the-wild keylogger needs to know the current active window, and also needs to find a way to persist; finally, it may use SMTP or other protocols to send the collected information to the hacker. All of this means it can be easily detected in auto mode.

Actually, there are many games that intend to log keystrokes. If WVSX is too aggressive, there will be a lot of popups. We need to think about whether WVSX needs to be more strict about keylogging in auto mode. :giggle:
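The detection trade-off cruelsister describes above (WHAT a file does versus WHY, one deletion versus many, and capabilities that are each legitimate but suspicious in combination) together with the indicators WiseVector lists for an in-the-wild keylogger (active-window lookup, persistence, SMTP or other egress) can be sketched as a small behavioural scorer. The following is an added example, not WiseVector's code or the detection logic of any product in this thread; the event names, point values and thresholds are assumptions chosen for illustration, and the telemetry is constructed sample data.

```python
"""Toy behavioural scorer (added example, not any product's logic).

A single file deletion scores nothing, a burst of deletions scores like a
wiper, and keyboard capture only crosses the alert threshold when it is
combined with egress, with extra weight for the other keylogger indicators
mentioned in the thread.  Lowering the threshold makes the scorer flag the
game as well, which is the false-positive problem the developer describes.
"""
from collections import Counter, defaultdict

# Constructed telemetry (not real logs): (pid, image, event_type, detail).
# The event vocabulary is hypothetical; a real sensor has its own schema.
SAMPLE_EVENTS = [
    # pid 101: a cleanup script deleting one file -> benign
    (101, "python.exe", "file_delete", r"C:\Users\u\tmp\old.log"),
    # pid 102: a script deleting forty documents in a row -> wiper-like
    *[(102, "python.exe", "file_delete", rf"C:\Users\u\Documents\doc{i}.docx")
      for i in range(40)],
    # pid 103: a game that hooks the keyboard but never touches the network
    (103, "game.exe", "keyboard_hook", "low-level keyboard hook"),
    (103, "game.exe", "active_window_query", "foreground window lookup"),
    # pid 104: the "scriptor" from the thread: hook + window lookup +
    # autorun persistence + outbound SMTP connection
    (104, "python.exe", "keyboard_hook", "low-level keyboard hook"),
    (104, "python.exe", "active_window_query", "foreground window lookup"),
    (104, "python.exe", "persistence_write", "autorun registry value"),
    (104, "python.exe", "net_connect", "tcp/587 (smtp submission)"),
]

MASS_DELETE_THRESHOLD = 20   # assumption: 20+ deletes by one process is a burst
DEFAULT_ALERT_SCORE = 60     # assumption: what "auto mode" would act on


def score_process(events):
    """Score one process's events; returns (score, list_of_reasons)."""
    kinds = Counter(ev[2] for ev in events)
    score, reasons = 0, []

    # WHAT vs WHY: deleting a file is normal, deleting many in a burst is not.
    deletes = kinds["file_delete"]
    if deletes >= MASS_DELETE_THRESHOLD:
        score += 70
        reasons.append(f"mass file deletion ({deletes} files)")

    hook = kinds["keyboard_hook"] > 0
    egress = kinds["net_connect"] > 0
    if hook and egress:
        # Individually legitimate capabilities, suspicious in combination.
        score += 50
        reasons.append("keyboard capture combined with outbound connection")
        if kinds["active_window_query"]:
            score += 15
            reasons.append("tracks the active window")
        if kinds["persistence_write"]:
            score += 20
            reasons.append("establishes persistence")
    elif hook:
        # A hook on its own is common in games; keep it below the threshold.
        score += 10
        reasons.append("keyboard hook without egress")
    return score, reasons


def evaluate(events, alert_at=DEFAULT_ALERT_SCORE):
    """Group events by pid; returns {pid: (image, score, reasons, alerted)}."""
    per_pid = defaultdict(list)
    for ev in events:
        per_pid[ev[0]].append(ev)
    result = {}
    for pid, evs in per_pid.items():
        score, reasons = score_process(evs)
        result[pid] = (evs[0][1], score, reasons, score >= alert_at)
    return result


def alerted_pids(events, alert_at=DEFAULT_ALERT_SCORE):
    """Set of pids that would produce a popup/quarantine at this sensitivity."""
    return {pid for pid, (_, _, _, hit) in evaluate(events, alert_at).items() if hit}


if __name__ == "__main__":
    for pid, (image, score, reasons, hit) in sorted(evaluate(SAMPLE_EVENTS).items()):
        state = "ALERT" if hit else "ok"
        print(f"{pid} {image:<11} score={score:<3} {state:<5} {'; '.join(reasons)}")
    # At 60 only the wiper and the exfiltrating script are flagged; at 10 the
    # game is flagged too, i.e. the false positive the developer wants to avoid.
    print("alerts at 60:", sorted(alerted_pids(SAMPLE_EVENTS)))
    print("alerts at 10:", sorted(alerted_pids(SAMPLE_EVENTS, alert_at=10)))
```

The point of the two `alerted_pids` calls is the sensitivity dial: the same rules, run at a lower threshold, catch the keystroke-logging game along with the real threat, which is exactly why a product tuned for auto mode cannot simply treat every keyboard hook as malicious.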
 

ticklemefeet

Jan 31, 2018
As I kind of intimated about this in a previous post, perhaps a simple (but I'm sure overly wordy and unclear) explanation is needed:

The problem with LoLbins is that an anti-malware application must not only be aware of WHAT a file does but also WHY it is doing it. For instance, there is nothing wrong with a user writing a script to delete a given file, but there is an issue when a script attempts to delete many files (like for a System Wiper). In this case the security application used must differentiate between the two, flagging one (to avoid a false positive) and not the other (to catch a malicious action).

On the whole, WVSX walks this line nicely using both standard AV detection and AI functionality. However, some things (like Scriptors) can get by such protection by being just a tad on the darker side of legitimate, something which I believe the brilliant folk at WV realize and so have added the FW and HIPS modules.

As a (very) simple example of the above, consider a Scriptor coded in Python (similar stuff can be done, most popularly, with Java or Go). One can use the "import socket" command to get outbound access while also including a KeyboardEvent (pyhook, various commands) to monitor and package user input and then send it out to friends from the Steppes of Central Asia. This in essence will code what amounts to a LoLbin keylogger (can be prettied up to make it quite cool) and overall would not be a good thing.

If such a Scriptor was indeed coded AND was a true zero-day, it would bypass most things (WVSX included), as these commands, both legitimate and normally used for High and Noble purposes, have now in combination been perverted into creating something malicious. An anti-malware application that was not sensitive enough will allow this, while one far too sensitive will detect not only this but many, many other things, resulting in a host of False Positives (and a product that detects everything really detects nothing).

WVSX seems to have been aware of this issue with the inclusion of the FW and HIPS modules as both the Network connection activity as well as the logging aspects would be blocked by changing the WV settings of FW and HIPS to the High Security level.

Of course one can also be well protected by the (cruel)CF + (default) WVSX combination.

Hope this helped...
Thanks much.

Are you saying a standard user still needs to use LOLBins, and not just admins? I get so confused these days.
 

Chuck57

Oct 22, 2018
Has anyone seen how good the WiseVector firewall is vs. Comodo? I'm wondering if I even need the firewall on Comodo at all and could just use the sandbox feature, or just WiseVector alone. I'm not sure what tweaking WiseVector needs when running alone, other than HIPS and firewall running on the high setting.
I haven't found any tests or reviews focusing on WiseVector's firewall and HIPS. Since Comodo went crazy on me a few days ago, I've been hesitant to try it again. So, I've been running WiseVector 3.03, everything on HIGH, along with the browser in the latest Sandboxie.

I doubt wisevector's HIPS and firewall have the power of Comodo firewall; I don't think any firewall/HIPS can match a properly configured Comodo firewall.