How to prevent efficiently Defender from considering a given VBS script as containing a threat
<blockquote data-quote="LaurentG" data-source="post: 935435" data-attributes="member: 91050"><p>No, I do think even 1 second that the script can be dangerous, the problem is not at all there...</p><p></p>
<p>You submitted the script to Microsoft, and they declared it was safe, and updated their detection rules to not have the script detected.</p>
<p>But you forgot one (very important) point: Following Microsoft's update, the script is actually no longer detected as TrojanDownloader:HTML/Adodb.gen!A when loaded,</p>
<p><strong>but continues to be detected as Trojan:VBS/Mountsi.A!ml at run!!</strong></p>
<p>This means that even after being recognized as a false positive by Microsoft, <strong>it continues to be not usable!</strong></p><p></p>
<p>So, let me sum up the situation.</p><p></p>
<p>1) I wrote myself a script that is 100% safe without any possible discussion.</p>
<p>Nevertheless, Defender considers it as containing</p>
<p>- TrojanDownloader:HTML/Adodb.gen!A when it is loaded</p>
<p>- Trojan:VBS/Mountsi.A!ml when it runs.</p><p></p>
<p>This is typically a "false positive", which is per se acceptable: all antiviruses have "false positives".</p><p></p>
<p>2) If we create an "Exception" on the script (or on the containing folder) in Defender's parameters, this removes the first detection (TrojanDownloader:HTML/Adodb.gen!A at load) <strong>but does not remove the second one (Trojan:VBS/Mountsi.A!ml at run).</strong></p>
<p>Despite this "exception", the script continues to be unusable.</p><p></p>
<p>3) You proposed to me (and I warmly accepted) to send the script to Microsoft as a "false positive".</p>
<p><strong>MS agreed with the fact that it is a false positive</strong>, and Defender's rules have been updated accordingly.</p>
<p>But (even after receiving and updating Defender to the latest rules), if this update done by MS also removes the first detection (TrojanDownloader:HTML/Adodb.gen!A at load)<strong>, it does not remove the second one (Trojan:VBS/Mountsi.A!ml at run).</strong></p>
<p><strong>Despite Microsoft's agreement and update, the script continues to be unusable.</strong></p><p></p>
<p>4) The ONLY solution to be able to use the script would be to accept, as you showed 3 or 4 posts above, the threat Trojan:VBS/Mountsi.A!ml</p>
<p>But as I showed you (and you eventually agreed with me),<strong> such an exception decreases the global scripting detection</strong>...</p><p></p>
<p>This was my initial assumption, in my 1st post, when I started this thread.... We are still at the same point :(</p><p></p>
<p>Hopefully, by completely rewriting the script, and in particular splitting it into two scripts, I've been able to avoid Defender's detection, and if I still cannot run my initial script, I'm at least able to run another couple of scripts that do the same job. Thanks to this rewriting, I'm not blocked.</p><p></p>
<p>But this rewriting is not always feasible (in particular if you haven't written the initial script yourself).</p><p></p>
<p>So, since you seem to have a good and efficient relationship with Microsoft's teams, <u><strong>couldn't you explain the problem to them, and ask them to create in Defender a new kind of "Exception"</strong></u> in which absolutely no detection could not occur any more, <strong>neither at load, <u>nor at run</u></strong>, when a script (or an exe) having this kind of "super exception" runs.</p>
<p>Of course, to declare such a "super exception" would remain 100% under user responsibility.</p>
<p>But if he/she is sure (and I'm sure in the case of my script), <strong>why not allow him/her to take such a responsibility?</strong></p><p></p>
<p>Like in Defender, in AVAST too, there are also two kinds (and maybe more...) of detection: static (at load) and behavioural (at run).</p>
<p>And I agree it's great to not have only static detection, but also at run, based on what the script or exe actually does.</p>
<p>But contrary to Defender, in AVAST, if you have set an exception on your script (or program), it is <strong>completely </strong>excluded from any kind of detection: static <strong>AND behavioural</strong>.</p><p></p>
<p>With my proposal (if you send it to Microsoft and they accept ;)), Defender would become even better, with two levels of exception: one for static detections, and one for "at run" detections.... Would be great!</p></blockquote><p></p>
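The post contrasts two kinds of Defender exception: a path exclusion, which is tied to one file or folder, and allowing a threat by name, which the poster notes weakens script detection globally. The following is an added example, not code from the thread, that audits which of each kind is configured on a machine; the function name `Get-DefenderExceptionAudit` and its output columns are hypothetical, and it relies only on the built-in `Get-MpPreference` and `Get-MpThreatCatalog` cmdlets.

```powershell
# Added example, not from the thread. Get-DefenderExceptionAudit is a hypothetical name.
function Get-DefenderExceptionAudit {
    [CmdletBinding()]
    param(
        # Defaults to the live configuration; pass a constructed object to test offline.
        $Preference = (Get-MpPreference)
    )

    # Path exclusions are scoped to a file or folder. Per the post, this kind of
    # exception removed the at-load detection but not the at-run one.
    foreach ($path in @($Preference.ExclusionPath)) {
        if ($path) {
            [pscustomobject]@{
                Kind   = 'PathExclusion'
                Target = $path
                Scope  = 'This path only'
            }
        }
    }

    # Per-threat overrides are stored as two parallel arrays: threat IDs and actions.
    $ids     = @($Preference.ThreatIDDefaultAction_Ids)
    $actions = @($Preference.ThreatIDDefaultAction_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($null -eq $ids[$i] -or $i -ge $actions.Count) { continue }
        # Action 6 is "Allow"; accept the name too in case it is returned as text.
        if ("$($actions[$i])" -notin '6', 'Allow') { continue }

        # Resolve the ID to its detection name; stays $null if not in the catalog.
        $entry = Get-MpThreatCatalog -ThreatID $ids[$i] -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Kind   = 'AllowedThreat'
            Target = if ($entry) { $entry.ThreatName } else { "ThreatID $($ids[$i])" }
            Scope  = 'Every file that triggers this detection'
        }
    }
}

Get-DefenderExceptionAudit | Sort-Object Kind, Target | Format-Table -AutoSize
```

Rows of kind `AllowedThreat` are the ones to review first, since they are not limited to the script they were created for.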