AV-Comparatives Real-World protection July-Nov
<blockquote data-quote="Andy Ful" data-source="post: 787206" data-attributes="member: 32260"><p>It is totally different from whitelisting, because it is blacklisting. :giggle:</p>
<p>"When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean."</p>
<p><a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus" target="_blank">Enable Block at First Sight to detect malware in seconds</a></p>
<p></p>
<p>So, the suspicious but <span style="color: rgb(184, 49, 47)"><strong>undetected</strong></span> file is not checked against a kind of whitelist (like SmartScreen Application Reputation).</p>
<p>BAFS can produce false positives, because the blacklisting is done by AI. You can see this on VirusTotal, just see how many false positives have some AVs based on the AI detection. (y)</p>
<p>If you will submit the false positive to Microsoft, then the whitelisting signature is created for WD, and the file is considered as <span style="color: rgb(184, 49, 47)"><strong>detected</strong></span> but clean (excluded from BAFS AI). Such whitelisting cannot produce the false positives.</p>
<p>If the file (undetected by signatures) flagged in BAFS as malicious is executed by someone, then it is first checked in the cloud blacklist, and <strong>immediately blocked</strong> (this can produce false positives).</p>
<p></p>
<p>Edit.</p>
<p>There is one thing that can be slightly similar to whitelisting. The execution of the suspicious but undetected file is suspended for some seconds, by default (but not totally blocked). If the AI thinks too long or makes the wrong decision, then the malware will be executed, anyway. Yet, another user who will try to execute the same malware later, will be safe in most cases.</p></blockquote><p></p>
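Added example, not part of the quoted post: a PowerShell check of the local Defender settings that the cloud lookup described above depends on, including the extra seconds a file may be held while the cloud decides. `Test-BafsReadiness` is a hypothetical helper name, and the list of prerequisites is an assumption based on the Microsoft documentation linked in the post; only `Get-MpPreference` and its properties are Defender's own.

```powershell
# Added example: audit the Defender preferences Block at First Sight (BAFS) relies on.
# Test-BafsReadiness is a hypothetical name; the properties come from Get-MpPreference.
function Test-BafsReadiness {
    param(
        # Preference object to inspect; defaults to this machine's live settings.
        $Preference = (Get-MpPreference)
    )

    # Small helper to keep each check on one line.
    $row = {
        param($Setting, $Value, $Ok, $Note)
        [pscustomobject]@{ Setting = $Setting; Value = $Value; Ok = $Ok; Note = $Note }
    }

    # BAFS switch itself (False means BAFS is allowed to run).
    & $row 'DisableBlockAtFirstSeen' $Preference.DisableBlockAtFirstSeen `
        (-not $Preference.DisableBlockAtFirstSeen) 'BAFS must not be disabled'

    # Cloud-delivered protection: 0 = off, 1 = basic, 2 = advanced membership.
    & $row 'MAPSReporting' $Preference.MAPSReporting `
        ($Preference.MAPSReporting -ne 0) 'Cloud backend cannot be queried when 0'

    # Sample submission: 1 = send safe samples, 3 = send all samples automatically.
    & $row 'SubmitSamplesConsent' $Preference.SubmitSamplesConsent `
        ($Preference.SubmitSamplesConsent -in 1, 3) 'Cloud analysis needs automatic samples'

    # Real-time and downloaded-file scanning trigger the lookup in the first place.
    & $row 'DisableRealtimeMonitoring' $Preference.DisableRealtimeMonitoring `
        (-not $Preference.DisableRealtimeMonitoring) 'Real-time protection must be on'
    & $row 'DisableIOAVProtection' $Preference.DisableIOAVProtection `
        (-not $Preference.DisableIOAVProtection) 'Downloaded files must be scanned'

    # Informational: extra seconds a suspicious file is held on top of the default
    # wait. When the wait expires without a verdict, the file is allowed to run.
    & $row 'CloudExtendedTimeout' $Preference.CloudExtendedTimeout $true `
        'Extra hold time in seconds (informational)'

    # Informational: how aggressively the cloud blocks (higher = more false positives).
    & $row 'CloudBlockLevel' $Preference.CloudBlockLevel $true `
        'Cloud blocking aggressiveness (informational)'
}

# Show every setting, then a single verdict line.
$results = Test-BafsReadiness
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { 'BAFS prerequisites NOT met' } else { 'BAFS prerequisites met' }
```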