How to prevent efficiently Defender from considering a given VBS script as containing a threat
<blockquote data-quote="LaurentG" data-source="post: 935098" data-attributes="member: 91050">
<p>Hi Andy,</p>
<p>I just did a quick test this morning with VirusTotal.</p>
<p>I have submitted THREE versions of the same script.</p>
<p>The ONLY difference between the 3 versions is that</p>
<p>- I have changed the order of some variable initializations in the first 10 lines in the second version,</p>
<p>- and, in addition, changed the names of the objects: XHR -> XHttpReg, WshShell -> WSHRun in the third one.</p>
<p>As a result, the three scripts are <strong>the same</strong>, but since they do not have the same SHA256, they are analysed 3 times separately.</p>
<p>And what is fantastic is that we do not get the same result!!!!!</p>
<p>Here are the three VirusTotal URLs:</p>
<p>https://www.virustotal.com/gui/file/6f3555298f326bc1c0de37e4f86c9c2e6643360b4af2b658f302f9f1cbdaaf4e/detection</p>
<p>https://www.virustotal.com/gui/file/b0c19a3f687ef51794ed518211de2d2f5d0b08421b22835b9e155b849e433c82/detection</p>
<p>https://www.virustotal.com/gui/file/e37ac74afddbf2b78995abfba099b7e10635f98425799975d90b468d70206847/detection</p>
<p>In particular, Microsoft Defender again detects TrojanDownloader:HTML/Adodb.gen!A, except in the first version, the one you submitted as a "false positive".</p>
<p>My conclusion: all the AVs that give the same result for the three are maybe good analysts (and maybe not), but those that do not even give the same result cannot be trusted!</p>
<p>Only McAfee, Nano and Rising, plus of course the 50+ AVs that say (and it's the reality...) that there is no threat in the script, are then "credible".</p>
<p>In particular, for this reason, I'm now very reluctant to keep Microsoft Defender.... How can one be confident?</p>
</blockquote>