OmniDefender - New Antivirus Software 2025

@XylentAntivirus was discrediting OmniDefender's detection engine so I decided to take a look at his test video to see where we could improve.



Turns out he's running Linux malware (ELF, Bash, sh), .unknown files and APK malware on Windows that he downloaded from MalwareBazaar to test OmniDefender. I don't know why he's trying to run Linux's Executable and Linkable Format on Windows, nor why he's including them in his tests. He seems to be running them all manually without providing any information on how many were blocked, so it's quite hard to tell which ran successfully. I suppose they were just waiting to see if any false positive slipped by and ignoring the detection rate.

I took a further look at the missed samples out of all the Windows malware he tried to run from MalwareBazaar's 2025-07-23.zip sample set, which contains exactly:

.exe: 155
.zip: 14
.js: 24
.sh: 15
.elf: 78
.msi: 5
.lnk: 5
.ps1: 4
.apk: 1
.xlsm: 1
.jar: 2
.vbe: 5
.rar: 4
.vbs: 4
.zipx: 1
.dll: 1
.ace: 1
.pyc: 1
.unknown: 3
.bat: 2
.gz: 1
.url: 1

Starting from 1:08 in the video, Eraser.exe in his malware test ran successfully; it has a hash of 113639d811695718906264e37ef179c1 and is benign on VirusTotal. They didn't bother to check whether it was malware.

22:27, Missed Sample, Fixed.
22:48, Missed Sample, Fixed.
37:17, Missed Sample, Fixed.
40:17, Missed Sample, Fixed.

The other missed samples all the way to 55:58 in the video were .ps1 or .pyc, which are not currently proactively detected, so they'll be missed.

False positives included x86 versions of Microsoft software at 5:46 and around 52:00, which have been fixed.

I don't know @XylentAntivirus's qualifications. Their misunderstanding of Linux and Windows, and of suspended and blocked processes, which they assumed were running without simply looking at the CPU tab showing the suspended and blocked malware, led them to believe everything was running despite over 96% of them being blocked, discounting Linux files, which can't natively run on Windows without something like WSL.
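The post above argues that a Windows AV test should only count samples a Windows host can actually execute, and that the file extension (.elf, .sh, .apk, .unknown) is a poor guide to that. The following is an added example written for this thread, not OmniDefender's or MalwareBazaar's code: it classifies each sample by its leading bytes (MZ for PE, \x7fELF for ELF, a shebang for scripts, PK for ZIP containers, then looks inside the ZIP to separate APK/JAR from plain archives) and computes the block rate only over the Windows-native subset. The sample bytes and the "blocked" flags are constructed stand-ins, not real files.

```python
import io
import zipfile
from collections import Counter


def classify(data: bytes) -> str:
    """Coarse format label from the file's magic bytes, ignoring its extension."""
    if data.startswith(b"MZ"):
        return "pe"            # Windows PE/COFF image (exe, dll, sys, ...)
    if data.startswith(b"\x7fELF"):
        return "elf"           # Linux/Unix ELF; cannot execute natively on Windows
    if data.startswith(b"#!"):
        return "script"        # shebang script (sh, bash, python, ...)
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"   # PK header but no usable central directory
        if "AndroidManifest.xml" in names or "classes.dex" in names:
            return "apk"       # Android package, not a Windows target
        if "META-INF/MANIFEST.MF" in names:
            return "jar"
        return "zip"
    return "unknown"


# Formats a Windows host runs without an extra runtime or compatibility layer.
WINDOWS_NATIVE = {"pe"}


def triage(samples):
    """samples: iterable of (name, data, blocked).

    Returns (format counts, applicable count, blocked count, block rate) where the
    rate is computed only over samples in WINDOWS_NATIVE, so Linux/Android files
    neither inflate nor deflate the result."""
    formats = Counter()
    applicable = blocked = 0
    for _name, data, was_blocked in samples:
        fmt = classify(data)
        formats[fmt] += 1
        if fmt in WINDOWS_NATIVE:
            applicable += 1
            blocked += int(was_blocked)
    rate = blocked / applicable if applicable else 0.0
    return formats, applicable, blocked, rate


def make_zip(members):
    """Build a small ZIP in memory (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample set: header-only stand-ins, not real malware.
SAMPLES = [
    ("a.exe", b"MZ" + b"\x00" * 62, True),
    ("b.exe", b"MZ" + b"\x00" * 62, True),
    ("c.exe", b"MZ" + b"\x00" * 62, False),
    ("d.elf", b"\x7fELF\x02\x01\x01" + b"\x00" * 9, False),
    ("e.sh", b"#!/bin/sh\necho hi\n", False),
    ("f.apk", make_zip({"AndroidManifest.xml": b"", "classes.dex": b""}), False),
    ("g.jar", make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}), True),
    ("h.unknown", b"\x00\x01\x02", False),
]

if __name__ == "__main__":
    formats, applicable, blocked, rate = triage(SAMPLES)
    print(dict(formats))
    print(f"{blocked}/{applicable} Windows-native samples blocked ({rate:.0%})")
```

With a real daily archive you would read each member's bytes from the ZIP instead of the constructed list; the point is that the denominator of the detection rate is decided by the magic bytes, not by how many files happened to be in the archive.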

Ok then I will test with my new malware finder script, which generally finds executables related to Windows and never uploaded to VirusTotal. I was testing with MalwareBazaar because he should detect known examples at least.
 
On Bazaar not everything is known; there are many MSP employees and so on that upload unique malware from targeted attacks.

Though it has been made known already that F-Secure is subscribed to these feeds and detects everything uploaded there (including the FPs), a lot of companies prefer more curated, less community-driven sources.

So the understanding that everything from MalwareBazaar must be detected is wrong.
MalwareBazaar is not some sort of cyber security reference that AV vendors patrol day and night.
 
@OsirisXD I'm assuming you know the Sophos SOREL collection, right?
Yes, SOREL-20M, containing 20 million Portable Executable files; I've stumbled upon it many times while searching for samples. Unfortunately their redistributed samples do not include the benign files, as ReversingLabs, the company that holds an enormous repository of over 422 billion samples, includes copyrighted software that forbids redistribution, unlike malware samples, which inherently have no rights. So Sophos can't directly distribute the benign samples, but if you have access to ReversingLabs' database, which contains everything, you can use them all at your own discretion.

However, access to their samples also comes at a very steep price, per year, not lifetime.

Though these prices include access to everything, not just their database. So it's possible to get it at a slightly lower price, but still overall steep.
 
Yeah, at these prices I don’t think a lot of vendors will subscribe, maybe Palo Alto 🤣
Exactly, VirusTotal is a better option, but I got quoted 27k/year and unfortunately there's no single "Download Batch files" button, much less a "Download All" button, in their database or their API even if you do get Premium.

1000 Daily API lookups - €14k / year
5000 Daily API lookups - €27k / year
10000 Daily API lookups - €43k / year
20000 Daily API lookups - €75k / year
30000 Daily API lookups - €103k / year
50000 Daily API lookups - €159k / year



Virustotal Premium API Key documentation:

However, there is the option to batch download by containing them all in a single large ZIP file and downloading them in one go.
Yeah, this subscription could be necessary though; you can hunt for samples with very low detection and so on. But a community-driven list like MalwareBazaar and all their child services (URLhaus, YARAify and so on) could do the job to some extent.

Man this threat intelligence is costly 😦
 
Here is the demo of an executable which my automation found and which only Kaspersky detects (and my automation said it's malware). VirusTotal generally collects random executables, so that's why it's an APK. I don't think he has a chance against these executables (with PE versions); let's see. It wasn't even uploaded to VirusTotal.
I didn't really understand. How is the file malicious (apart from the one detection by Kaspersky)? Can you post a screenshot of the malicious class?
Also, how did you find it? Where is your automation checking for these files, and how?
VirusTotal: Visit that website. I generally trust Kaspersky because only they detect the zero-day contents correctly.

VirusTotal: Here is another sample, which was found by me and flagged as malware by DOCGuard.
In that document sample I don’t see anything malicious. That’s just the normal document viewer behaviour. It dropped a shortcut, but this shortcut is not written programmatically by the document author.

Microsoft Office added a shortcut to the recent files.

The rest looks minimalistic and perfectly benign.

So what exactly is malicious about this document, apart from the docguard flag?
 
The first one is a broken APK from a website, but it gets flagged by Kaspersky, weird.
It could be a detection that specifically targets malformed APK files. The detection name is very generic and vague; no conclusions can be drawn from the name. The real APK for this app is much larger. It could have been partially downloaded.
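Whether an APK is "broken" because the download was cut short is something you can check directly, since an APK is a ZIP container: a truncated file loses its end-of-central-directory record, while a file that was tampered with after download typically still opens but fails CRC checks on a member. The following is an added example for this reply, not code from any participant or vendor; the APK-like fixtures are constructed in memory and are not real apps.

```python
import io
import zipfile


def build_apk_like(members):
    """Construct a minimal stored ZIP with APK-style member names (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def check_zip_integrity(data: bytes) -> dict:
    """Report whether a ZIP-based file (APK, JAR, ...) is structurally complete.

    The EOCD record lives in the last 22 bytes plus an optional comment of up to
    65535 bytes, so it is searched for only in that tail; its absence is the
    classic signature of a download that stopped before completion."""
    report = {
        "size": len(data),
        "has_local_header": data.startswith(b"PK\x03\x04"),
        "has_eocd": b"PK\x05\x06" in data[-(22 + 65535):],
        "opens": False,
        "members": [],
        "first_bad_member": None,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["opens"] = True
            report["members"] = zf.namelist()
            report["first_bad_member"] = zf.testzip()  # None when every CRC matches
    except zipfile.BadZipFile:
        pass
    return report


def verdict(report: dict) -> str:
    """Collapse the report into the one-word label an analyst wants to see."""
    if not report["has_local_header"]:
        return "not-zip"
    if not report["has_eocd"] or not report["opens"]:
        return "truncated-or-malformed"
    if report["first_bad_member"] is not None:
        return "crc-mismatch"
    return "intact"


# Constructed fixtures: a complete container, a copy cut off mid-central-directory,
# and a copy with one payload byte flipped after the fact.
INTACT = build_apk_like({
    "AndroidManifest.xml": b"<manifest/>" * 4,
    "classes.dex": b"dex\n035\x00" * 8,
})
TRUNCATED = INTACT[:-30]
_corrupt = bytearray(INTACT)
_corrupt[49] ^= 0xFF   # 30-byte local header + 19-byte name: first payload byte of the manifest
CORRUPTED = bytes(_corrupt)

if __name__ == "__main__":
    for label, blob in (("intact", INTACT), ("truncated", TRUNCATED), ("corrupted", CORRUPTED)):
        r = check_zip_integrity(blob)
        print(f"{label:10s} size={r['size']:4d} eocd={r['has_eocd']!s:5s} "
              f"opens={r['opens']!s:5s} bad={r['first_bad_member']} -> {verdict(r)}")
```

A "truncated-or-malformed" verdict says nothing about maliciousness by itself; it is the evidence you would want next to a generic detection name before deciding whether the flag reflects a malformed-file signature or the actual payload.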
 
@XylentAntivirus doesn't seem to be doing any rigorous malware analysis and is operating on a very simple vendor-trust heuristic; he blames OmniDefender for missing some benign files that he classifies as malware, then immediately revisits his assumptions when questioned further without going into any detail on the sample. What are your qualifications in this field? I'm still trying to understand why you didn't know the difference between Linux and Windows executables and tried to execute Linux ELF, Bash and shell files on Windows.

I will post some zero-day PE executables, wait. I know the difference, but they are still malware. They are different platforms which don't work on Windows.