New Update Defender Hardening Console Executable

I will submit to them. Strangely, there is no detection here.
It is triggered by the health check module.

Program:Win32/Wacapew.C!ml

Detected by Microsoft Defender Antivirus
Aliases: No associated aliases

Summary

Program:Win32/Wacapew.C!ml is a heuristic detection by Microsoft Defender for programs that exhibit suspicious behaviors commonly associated with potentially unwanted applications (PUAs) or malware. While this detection may indicate malicious intent, it can also trigger false positives due to borderline behavior. It detects the import of the specified file to the registry with regedit.exe.
 
Cannot download because it is blocked by Microsoft Defender as Trojan:Win32/Wacatac.H!ml.
Same detection on VirusTotal:
The detection vanished on VirusTotal…

It’s just 3 top-quality products that detect it. They detect everything and nothing.

 
Removing the Windows Defender disable code eliminates the FP.
The false positive was caused by a refactor that makes the backend and frontend communication more secure.

Previously, a lot of hard work was assigned to the frontend.

Detection details, health fixes and so on were passed as escaped JSON from the frontend to the C++ backend. This is still secure as it passes validation.
The logic uses std::expected and other error handling methods.

Tonight's update uses vectors to store all information in RAM, passing to the frontend a numerical ID -- to remediate the detection, the frontend passes only a number, which is way more secure.

However, this also means that some strings like registry entries related to health reparation moved from the IDR_HTML1 (likely not checked at all by static analysis) to the .text section where the logic of C++ apps is contained. The .text section is indeed monitored by static analysis.

Nevertheless, it looks like Microsoft is clearing the detection.

On another note, it looks like there is some sort of information exchange/API integration between Kingsoft and Huorong, as they both detect "wannamine.i".

I tried sending Huorong an email, but it bounced back.
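The post above describes the refactor that moved the health fixes into a backend vector, so the frontend only ever sends a numeric ID instead of an escaped JSON document. The C++ below is an added illustration of that design written for this thread; it is not the console's own code. It uses std::optional rather than the std::expected mentioned in the post (so it builds with C++17), and the registry paths in the demo catalog are constructed placeholders, not the console's real entries.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// One remediation the backend knows how to apply. The registry paths used in
// the demo catalog below are constructed placeholders, not the console's entries.
struct HealthFix {
    std::string description;
    std::string registry_path;
};

// Backend-side catalog: the strings live only in backend memory (a std::vector)
// and the frontend refers to them by index.
class FixCatalog {
public:
    uint32_t add(HealthFix fix) {
        fixes_.push_back(std::move(fix));
        return static_cast<uint32_t>(fixes_.size() - 1);
    }
    // The only thing the frontend may supply is an id; anything outside the
    // range the backend issued is rejected rather than interpreted.
    std::optional<HealthFix> lookup(uint32_t id) const {
        if (id >= fixes_.size()) return std::nullopt;
        return fixes_[id];
    }
    std::size_t size() const { return fixes_.size(); }
private:
    std::vector<HealthFix> fixes_;
};

// Strict parse of the frontend message: ASCII digits only, bounded length, no
// sign, no whitespace. A message that is not a plain number is not a request.
std::optional<uint32_t> parse_fix_id(const std::string& msg) {
    if (msg.empty() || msg.size() > 9) return std::nullopt;  // 9 digits always fit in uint32_t
    uint32_t value = 0;
    for (char c : msg) {
        if (c < '0' || c > '9') return std::nullopt;
        value = value * 10 + static_cast<uint32_t>(c - '0');
    }
    return value;
}

struct ApplyResult {
    bool ok;
    std::string detail;  // selected registry path on success, reason on rejection
};

// Backend handler for one frontend request. In the old design the backend
// parsed an escaped JSON document describing the fix; here it parses a number
// and resolves the fix itself, so no frontend-supplied string reaches the
// registry logic.
ApplyResult handle_request(const FixCatalog& catalog, const std::string& frontend_msg) {
    std::optional<uint32_t> id = parse_fix_id(frontend_msg);
    if (!id) return {false, "rejected: message is not a numeric id"};
    std::optional<HealthFix> fix = catalog.lookup(*id);
    if (!fix) return {false, "rejected: id not issued by backend"};
    // The real console would apply the fix here; this example only reports it.
    return {true, fix->registry_path};
}

// Constructed sample catalog, as the backend would build it on startup.
FixCatalog build_demo_catalog() {
    FixCatalog catalog;
    catalog.add({"Re-enable demo setting A", "HKLM\\SOFTWARE\\ExampleVendor\\DemoSettingA"});
    catalog.add({"Restore demo setting B", "HKLM\\SOFTWARE\\ExampleVendor\\DemoSettingB"});
    return catalog;
}

int main() {
    FixCatalog catalog = build_demo_catalog();
    for (const char* msg : {"0", "1", "2", "1abc", "-1", ""}) {
        ApplyResult r = handle_request(catalog, msg);
        std::printf("%-6s -> %s: %s\n", msg, r.ok ? "apply" : "reject", r.detail.c_str());
    }
    return 0;
}
```

The point of the design is that the backend's input surface shrinks to "an unsigned integer that is in range": there is nothing to escape, unescape or validate structurally, and an out-of-range id is simply not a request. The cost, as the post notes, is that the fix strings now sit in the backend binary's .text/.rdata rather than in an HTML resource, which is exactly where static scanners look.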
 
This is to be expected with executables that change often.

Having an official website plays a huge role in clearing the detection; it shows clearly the program's intent. Hence MS cleared the detection minutes after it was reported.

Plus, they can see all the security flags like CET, CFG, ASLR, Large Address Awareness (HEASLR), EH continuation, DEP, buffer security check and so on, and the frontend. All these exploit protections are not what a malware author would enable.
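Several of the flags named in the post above (ASLR, high-entropy ASLR, DEP, CFG, Large Address Awareness) are plain bits in the PE headers, which is why an analyst can read them off a sample without running it. The C++ below is an added example for this thread, not code from the console or from any vendor: it parses those bits from a byte buffer with bounds checks, and builds a constructed minimal PE32+ header so it can run offline. CET compatibility and the EH continuation table live in other structures (the extended DllCharacteristics debug entry and the load configuration directory) and are not parsed here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Flag values from the PE/COFF specification (winnt.h names in comments).
constexpr uint16_t kFileLargeAddressAware = 0x0020;  // IMAGE_FILE_LARGE_ADDRESS_AWARE
constexpr uint16_t kDllHighEntropyVa      = 0x0020;  // IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
constexpr uint16_t kDllDynamicBase        = 0x0040;  // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
constexpr uint16_t kDllNxCompat           = 0x0100;  // IMAGE_DLLCHARACTERISTICS_NX_COMPAT
constexpr uint16_t kDllGuardCf            = 0x4000;  // IMAGE_DLLCHARACTERISTICS_GUARD_CF

struct Mitigations {
    bool valid = false;   // false if the buffer is not a parseable PE image
    bool aslr = false;    // DYNAMIC_BASE
    bool heaslr = false;  // HIGH_ENTROPY_VA (64-bit high-entropy ASLR)
    bool dep = false;     // NX_COMPAT
    bool cfg = false;     // GUARD_CF
    bool laa = false;     // LARGE_ADDRESS_AWARE (COFF header, not DllCharacteristics)
};

static uint16_t rd16(const std::vector<uint8_t>& b, std::size_t off) {
    return static_cast<uint16_t>(b[off] | (b[off + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, std::size_t off) {
    return static_cast<uint32_t>(rd16(b, off)) | (static_cast<uint32_t>(rd16(b, off + 2)) << 16);
}

// Read the header flags a static analyst sees. Every offset is bounds-checked
// before use because the input is an untrusted file.
Mitigations inspect_pe(const std::vector<uint8_t>& img) {
    Mitigations m;
    if (img.size() < 0x40 || rd16(img, 0) != 0x5A4D) return m;        // "MZ"
    const std::size_t pe = rd32(img, 0x3C);                              // e_lfanew
    // Need signature(4) + COFF header(20) + optional header through DllCharacteristics(72).
    if (pe > img.size() || img.size() - pe < 4 + 20 + 72) return m;
    if (rd32(img, pe) != 0x00004550) return m;                           // "PE\0\0"
    const uint16_t file_chars = rd16(img, pe + 4 + 18);                  // COFF Characteristics
    const std::size_t opt = pe + 4 + 20;                                 // optional header start
    const uint16_t magic = rd16(img, opt);
    if (magic != 0x10B && magic != 0x20B) return m;                      // PE32 / PE32+
    const uint16_t dll_chars = rd16(img, opt + 70);                      // same offset in both formats
    m.valid  = true;
    m.laa    = (file_chars & kFileLargeAddressAware) != 0;
    m.aslr   = (dll_chars & kDllDynamicBase) != 0;
    m.heaslr = (dll_chars & kDllHighEntropyVa) != 0;
    m.dep    = (dll_chars & kDllNxCompat) != 0;
    m.cfg    = (dll_chars & kDllGuardCf) != 0;
    return m;
}

// Constructed minimal PE32+ header (no sections, no code) so the check can run
// offline; for a real binary, read the file into the vector instead.
std::vector<uint8_t> make_sample_pe(uint16_t file_chars, uint16_t dll_chars) {
    std::vector<uint8_t> img(0x200, 0);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0x80;                                   // e_lfanew = 0x80
    img[0x80] = 'P'; img[0x81] = 'E';                   // "PE\0\0"
    img[0x80 + 4 + 18] = static_cast<uint8_t>(file_chars & 0xFF);
    img[0x80 + 4 + 19] = static_cast<uint8_t>(file_chars >> 8);
    const std::size_t opt = 0x80 + 24;
    img[opt] = 0x0B; img[opt + 1] = 0x02;               // PE32+ magic 0x20B
    img[opt + 70] = static_cast<uint8_t>(dll_chars & 0xFF);
    img[opt + 71] = static_cast<uint8_t>(dll_chars >> 8);
    return img;
}

int main() {
    // Hardened sample: LAA set, DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT | GUARD_CF.
    Mitigations m = inspect_pe(make_sample_pe(0x0022, 0x4160));
    std::printf("valid=%d aslr=%d heaslr=%d dep=%d cfg=%d laa=%d\n",
                m.valid, m.aslr, m.heaslr, m.dep, m.cfg, m.laa);
    return 0;
}
```

A build that enables these mitigations is not proof of benign intent, but their absence on a binary that claims to be a security tool is a cheap, reliable signal, and the check above is the kind of triage a reviewer at a vendor can run in seconds.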
 
I know, just want to show that ESET does not block or flag it. So keep up the good work!
 
For ESET, maintaining accuracy is very important; they won't flag it. Though they can't reverse engineer the logic due to the Profile Guided Optimisation and AVX instructions (everything is scrambled and looks nothing like what I initially wrote), what they can see is enough to explain the software behaviour and avoid detection.
 
New update has been released today.

-Implemented Quarantine: this was previously just a placeholder, until I design a secure quarantine storage strategy.

-Improved safety, stability and performance, multi-threaded several operations
-Improved UI, home screen no longer plain dark. An icon has now been added as well, to replace the generic VS graphic application "gift" icon.

-Improved ASR rules, included "audit" option

 

I have not stayed up to date with this. What is this for? I would love to try it!
 
I will upload to both MS and McAfee

McAfee was detecting earlier versions of this whilst it was still a modest script, then it auto-uploaded the script to them and they never detected it again.

Till I sign it, that’s how it’s gonna be.

I am contemplating whether to get EV or OV signature.