How to prevent efficiently Defender from considering a given VBS script as containing a threat
<blockquote data-quote="Andy Ful" data-source="post: 935357" data-attributes="member: 32260"><p>Yes, I am sure. AMSI-based detection does not make an exclusion for the command <strong>"Wshshell.run"</strong> in your script. It does not block this command but simply interrupts the script execution at that moment, because this command increases the suspiciousness above the detection threshold (like <a href="https://pl.bab.la/slownik/angielski-polski/it-is-the-last-straw-that-breaks-the-camel-s-back" target="_blank">the last straw that breaks the camel's back</a>). The interruption is also caused by the sum of all suspicious features that happened before the <strong>"Wshshell.run"</strong> command.</p><p>If you split the script into two scripts (in a smart way), then the suspiciousness is divided between these scripts. So, the suspiciousness of each script is far below the detection threshold, and the <strong>"Wshshell.run"</strong> command can be executed (also the commands after it) - the script execution is not interrupted.</p><p>After making an AMSI-based exclusion, the script is still monitored and evaluated. But the Defender machine models use different evaluation criteria (as compared to the non-exclusion case) and can recognize that your modified script is not malicious. You should not be surprised, because your brain is able to do it, too. :)</p><p>The AMSI-driven detection includes features extracted from the script content by machine learning, partial fuzzy hashes, etc. Additionally, it can use metadata and other signals like file age, prevalence, or behavior-based script logs. At runtime, the behavior monitoring can also extract the set of libraries, COM objects, and function names used by the script.</p><p>All of this and more can be used to classify the script as malicious or not.</p><p><strong>Of course, it would not be wise to exclude detections of dangerous scripts used in the wild. This could decrease the detection of other malicious scripts.</strong></p><p><strong>Post was edited a few times to make it more informative.</strong></p></blockquote>