- Dec 23, 2014
- 8,592
The script is also blocked by Defender ASR rules. After splitting the script into two scripts, these scripts are allowed both by AMSI and ASR rules.
Please provide comments and solutions that are helpful to the author of this topic.
Defender is known for strong and restrictive protection against scripting
I have sent 2 of those 3 scripts to Kaspersky, and in both cases, the final verdict from the analyst was "No malicious..."Here are the three VirusTotal URL :
You are not obliged to use scripting when managing files in the protected folders. If you cannot skip scripts for that then you can use Windows built-in solutions like ASR rules or SRP-based (Applocker or Defender Application Control) solutions to block/whitelist scripts. Of course, you can also use another AV or dedicated 3-rd party anti-ransomware solution.Another point that makes me doubtful with Defender (and is about scripts) is the following : The Anti-ransomware protection of Defender prevents scripts to modify files in protected folders, that is OK.
But if you want to create an exception (because you have a script you want to allow).... with Defender you are obliged to create an exception on wscript.exe.... which means that ANY script becomes allowed.... which means that there is no more any anti-ransomware protection, as soon as ransomware uses script technology.
While with Avast, you have to put an exception script per script, and then to allow a specific script do not become a full breach.
So, I can agree with your analysis (at least some parts of it). Nevertheless, a big concern with Defender (IMHO) is that it is not "specific enough" when you create exceptions :
- it was my initial problem : I wouldn't care that Defender "detects" Trojan:VBS/Mountsi.A!ml in my script, if I were able to put an exception ONLY for my script, and not be obliged to put a global exception on any Trojan:VBS/Mountsi.A!ml
- and this second point with Anti-Ransomware protection against malicious scripts
I do not know. For me, it would not be a problem.For me, the main problem with Avast which makes me still a little bit hesitant to use it again is the fact they have been told recently to be SELLING privacy data of their users.
Do you know if this is still the case, or did they go back on this point ?
I have sent 2 of those 3 scripts to Kaspersky, and in both cases, the final verdict from the analyst was "No malicious..."
The whitelisting made by the Microsoft analyst strongly suggests that AMSI-paired ML detections are just like other behavior-based detections, as @struppigel suggested (I will make an additional test to confirm this). From your own test, it follows that whitelisting one script (antimalware detection) does not whitelist the modified scripts. From my tests, it follows that whitelisting one of AMSI-paired ML detections for the same script does not automatically whitelist another possible AMSI-paired ML detection....
But the topic we discuss on this thread is not : is this script malicious or not, but rather : How to do with Defender when it considers it (erroneously) as malicious, and this without creating a large breach that would put the Pc at risk.
Clearly, the answer is : There is no solution in Defender other than
- to get a "False Positive" verdict from Microsoft, and removing the script from Defender's detection (quite "huge" process...)
- reorganize the script (inc. splitting it in several scripts).... when it is possible....
This is for me a strong limitation to Defender...
It is true that many commercial (paid) AVs can provide a more flexible way of anti-ransomware protection than Defender
So, choose Avast. You know well its pros and cons.What I mention about AVAST for anti-ransomware is in the free verssion, not in the paid...
I did not say that it should not be a problem for you.BTW, I've been a little bit surprise that you consider as a "no-problem" the fact that Avast could sell privacy data of its users.... For me it's a HUGE problem.
Are you sure that this exclusion do not have such consequence ?
Understand. Yes, such exclusion can decrease the scripting detection if it was done for the dangerous script, especially when used in the wild. That is why I suggested you rather split the script to avoid detection. But, as you concluded by yourself you do not think that this particular script is dangerous and it was not used in the wild (it is your own script). I submitted this script to Microsoft and the analyst also thinks so.I never imagine that the "Wshshell.run" in itself would be excluded. It's NOT my purpose.
But if I do what you show it in your post above, afterwards, if I click on
Windows Security / Virus & Threat protection on "Allowed threats"...
It's the reason why I remain convinced that excluding such threat decreases the detection of other malicious scripts.