Of LoLBins, 0-Days, ESET, and Microsoft Defender
<blockquote data-quote="Andy Ful" data-source="post: 1083239" data-attributes="member: 32260">
<p>Home users do not use Certutil (and most of LOLBins) at all. It is a tool used mostly by <strong>developers</strong> and <strong>IT administrators</strong>. The Microsoft Defender detection of Certutil will be the same for home users and organizations.</p>
<p>This is not true. In many cases, the legal administrative tools are detected as malware. For example, many of my applications are initially detected as malicious. The detection can survive for a long time until the developer reports it as a false positive (sometimes even this will not help). Also, SmartScreen in Edge can block many legal applications if they do not have a good reputation.</p>
<p>Another example can be the latest AVLab test, where most AVs detected two legal remote admin applications as malware. Microsoft left those tools undetected. Many PUAs can be detected as malicious, especially when they are abused as a part of an attack. It can happen that the attack will be stopped by detecting/blocking a legal PUA or by blocking the LOLBin which wants to download the PUA. Such differences can be interesting for some people.</p>
<p>Anyway, you are right in saying that tests with POCs cannot say much about the overall AV protection. Such tests are often misinterpreted by people. Are tests with POCs informative? Yes, some of them can show interesting differences between the AV detections.</p>
</blockquote>