No, I do think even 1 second that the script can be dangerous, the problem is not at all there...
You submitted the script to Microsoft, and they declared it was safe, and updated their detection rules so that the script is no longer detected.
But you forgot one (very important) point: following Microsoft's update, the script is actually no longer detected as TrojanDownloader:HTML/Adodb.gen!A when loaded,
but continues to be detected as Trojan:VBS/Mountsi.A!ml at run!!
This means that even after being recognized as a false positive by Microsoft, it continues to be unusable!
So, let me sum up the situation.
1) I wrote a script myself, that is 100% safe without any possible discussion.
Nevertheless, Defender considers it as containing
- TrojanDownloader:HTML/Adodb.gen!A when it is loaded
- Trojan:VBS/Mountsi.A!ml when it runs.
This is typically a "false positive", which is per se acceptable: all antiviruses have "false positives".
2) If we create an "Exception" on the script (or on the containing folder) in Defender's parameters, this removes the first detection (TrojanDownloader:HTML/Adodb.gen!A at load) but does not remove the second one (Trojan:VBS/Mountsi.A!ml at run).
Despite this "exception", the script continues to be unusable.
3) You proposed to me (and I warmly accepted) to send the script to Microsoft as a "false positive".
MS agreed with the fact that it is a false positive, and Defender's rules have been updated accordingly.
But (even after receiving the update and updating Defender to the latest rules), while this update done by MS also removes the first detection (TrojanDownloader:HTML/Adodb.gen!A at load), it does not remove the second one (Trojan:VBS/Mountsi.A!ml at run).
Despite Microsoft's agreement and update, the script continues to be unusable.
4) The ONLY solution to be able to use the script would be to accept, as you showed 3 or 4 posts above, the threat Trojan:VBS/Mountsi.A!ml.
But as I showed you (and you eventually agreed with me), such an exception decreases the global scripting detection...
This was my initial assumption, in my 1st post, when I started this thread.... We are still at the same point.
Fortunately, by completely rewriting the script, and in particular splitting it into two scripts, I've been able to avoid Defender's detection, and although I still cannot run my initial script, I'm at least able to run another couple of scripts that do the same job. Thanks to this rewriting, I'm not blocked.
But this rewriting is not always feasible (in particular if you haven't written the initial script yourself).
So, since you seem to have a good and efficient relationship with Microsoft's teams, couldn't you explain the problem to them, and ask them to create in Defender a new kind of "Exception" in which absolutely no detection could occur any more, neither at load nor at run, when a script (or an exe) having this kind of "super exception" runs?
Of course, declaring such a "super exception" would remain 100% under the user's responsibility.
But if he/she is sure (and I'm sure in the case of my script), why not allow him/her to take such a responsibility?
As in Defender, in AVAST too there are two kinds (and maybe more...) of detection: static (at load) and behavioural (at run).
And I agree it's great to have not only static detection, but also detection at run, based on what the script or exe actually does.
But contrary to Defender, in AVAST, if you have set an exception on your script (or program), it is completely excluded from any kind of detection: static AND behavioural.
With my proposal (if you send it to Microsoft and they accept), Defender would become even better, with two levels of exception: one for static detections, and one for "at run" detections.... Would be great!