Advice Request: Windows Defender extension?



JB007 (Level 26, Verified, Top Poster, Well-known; joined May 19, 2016; 1,574 posts)
Hello @BryanB
I cannot access this site "AndyFul", are you sure that it is clean?
1.PNG
 

Nightwalker (Level 24, Verified, Honorary Member, Top Poster, Content Creator, Well-known; joined May 26, 2014; 1,339 posts)
Hello @BryanB
I cannot access this site "AndyFul", are you sure that it is clean?
View attachment 188809

It is clean, the problem is that Norton/Symantec is a piece of garbage that relies nowadays almost entirely on cloud detection and reputation, so it isn't a surprise to see it detecting harmless files (because of low prevalence), it is a False Positive galore.

I fully agree with Firecat (a wilders security forum member) about Symantec:


AV-Comparatives: Malware Protection Test - March 2018

Comparative Malware Protection Assessment
 

JB007 (Level 26, Verified, Top Poster, Well-known; joined May 19, 2016; 1,574 posts)
No, I don't know for sure but both github and Andy Ful are well respected.

Thanks @BryanB :)
Of course you are right! VT said that this site is clean, but Norton is not used for this analysis!
2.PNG

3.PNG


It is clean, the problem is that Norton/Symantec is a piece of garbage that relies nowadays almost entirely on cloud detection and reputation, so it isn't a surprise to see it detecting harmless files (because of low prevalence), it is a False Positive galore.

I fully agree with Firecat (a wilders security forum member) about Symantec:


AV-Comparatives: Malware Protection Test - March 2018

Comparative Malware Protection Assessment

Thanks @Nightwalker :)
Firecat's comments are very uplifting for me :eek:
Now my next aim is to change my antivirus!
 
ForgottenSeer 72227

It is clean, the problem is that Norton/Symantec is a piece of garbage that relies nowadays almost entirely on cloud detection and reputation, so it isn't a surprise to see it detecting harmless files (because of low prevalence), it is a False Positive galore.

I fully agree with Firecat (a wilders security forum member) about Symantec:


AV-Comparatives: Malware Protection Test - March 2018

Comparative Malware Protection Assessment


I don't know if we should write off Symantec because of their cloud component. It does work, there's no denying it, but as you said it will result in some false positives. I'm not being a Symantec apologist, but to be fair to them I don't know what major AV company doesn't use the cloud? Let's take Kaspersky for example, personally I think they offer some of the best protection out there, but the moment you disable KSN, you effectively kill a major portion of their detection/protection capabilities. Same goes for Eset, Bitdefender, heck even Windows Defender (there are many more vendors). I really don't think Microsoft is making the detection improvements they are making without their cloud component. IMO I think more, if not all Anti-Malware companies are moving more and more to the cloud. They cannot keep up with all the malware that is released every day, so evidently, they need cloud/ML components to help.

I've seen false positives myself, for example when I was trialing Emsisoft a while back their cloud network would flag the uninstaller of new versions of Firefox. Does that mean Emsisoft is garbage? No, I just submitted the false positive to them. Another recent example for me was with the Malwarebytes extension. It was blocking some pages on Symantec's site for some odd reason (when I was looking for the uninstaller removal tool), so I guess I should just remove the Malwarebytes extension because it's garbage.

Don't get me wrong, false positives are annoying as heck, but sitting here crying about it is not going to fix it. Take the time to submit it to the vendor so they can fix it. As I mentioned, it happens to everyone, some are better at it than others, but we have to realize more and more of the industry is moving/relying on the cloud, so these things may become more commonplace, hopefully not too much though :)

Thanks @BryanB :)
Of course you are right! VT said that this site is clean, but Norton is not used for this analysis!
View attachment 188810
View attachment 188811



Thanks @Nightwalker :)
Firecat's comments are very uplifting for me :eek:
Now my next aim is to change my antivirus!

I wouldn't necessarily change your AV just because of what has been said here. As I mentioned above, false positives happen to everyone. Symantec is a great product, and unless you have been having some issues with it I wouldn't worry too much about what has been said here or elsewhere. It's still your decision regardless :)
 

Andy Ful (From Hard_Configurator Tools; Verified, Honorary Member, Top Poster, Developer, Well-known; joined Dec 23, 2014; 8,040 posts)
Thanks @Deletedmessiah :)
and apologies to @Andy Ful
@dJim is right. ConfigureDefender changes the Windows Defender settings. Most of them are not available for users on Windows Home versions (except when using PowerShell or reg tweaks). ConfigureDefender executables were sent to Microsoft for making a manual analysis, so they are already whitelisted by Defender. But, other AVs (like Norton) can flag them as malicious.
The 64-bit version (more popular than 32-bit) is also accepted by Windows SmartScreen. The version for 32-bit Windows is not so popular, so it did not get the sufficient reputation to be accepted by SmartScreen.(y)
 
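Andy Ful's point above is that most of the settings ConfigureDefender touches are reachable on Windows Home only through PowerShell or the registry. The script below is an added illustration of that PowerShell route and is not ConfigureDefender's code; it uses the built-in Defender module (Get-MpPreference, Set-MpPreference, Add-MpPreference) from an elevated prompt, snapshots the current values first so the change can be reviewed or reverted, and puts the noisier controls (Controlled Folder Access, ASR rules) into audit mode so false positives show up in the event log before anything is blocked. The three ASR rule GUIDs are Microsoft's documented rule IDs as I know them; check them against the current Microsoft documentation before enforcing.

```powershell
# Added example, not ConfigureDefender's own code. Run from an elevated PowerShell prompt.
# Reads and hardens a handful of Windows Defender settings that the Windows Security
# app on Home editions does not expose.

# 1. Snapshot the current values so the change is reviewable and reversible.
$settingNames = 'MAPSReporting', 'SubmitSamplesConsent', 'CloudBlockLevel',
                'CloudExtendedTimeout', 'PUAProtection', 'EnableNetworkProtection',
                'EnableControlledFolderAccess'
$before = Get-MpPreference | Select-Object $settingNames
Write-Host "Before:"; $before | Format-List

# 2. Apply the new values. Named values below are the documented enum members
#    accepted by Set-MpPreference; Get-MpPreference reports them back as integers.
Set-MpPreference -MAPSReporting Advanced                 # join cloud protection (MAPS)
Set-MpPreference -SubmitSamplesConsent SendSafeSamples   # automatic sample submission
Set-MpPreference -CloudBlockLevel High                   # more aggressive cloud verdicts
Set-MpPreference -CloudExtendedTimeout 50                # extra seconds to wait for a verdict
Set-MpPreference -PUAProtection Enabled                  # block potentially unwanted apps
Set-MpPreference -EnableNetworkProtection Enabled
Set-MpPreference -EnableControlledFolderAccess AuditMode # audit first, enforce later

# 3. Attack Surface Reduction rules, keyed by rule GUID. AuditMode records what
#    would have been blocked (Event ID 1122 under Windows Defender/Operational)
#    without blocking it, which is how you surface false positives safely.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}
foreach ($id in $asrRules.Keys) {
    Write-Host ("Auditing ASR rule {0}: {1}" -f $id, $asrRules[$id])
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# 4. Verify what actually took effect (Tamper Protection or policy can override some changes).
$after = Get-MpPreference
Write-Host "After:"; $after | Select-Object $settingNames | Format-List
$after | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids |
    ForEach-Object { "ASR rule configured: $_" }
```

Keep the `$before` output; reverting is the same Set-MpPreference calls with the old values. Audit-mode events are the cheap way to see whether a rule would hit something you rely on before you switch it to Enabled.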

Nightwalker (Level 24, Verified, Honorary Member, Top Poster, Content Creator, Well-known; joined May 26, 2014; 1,339 posts)
I don't know if we should write off Symantec because of their cloud component. It does work, there's no denying it, but as you said it will result in some false positives. I'm not being a Symantec apologist, but to be fair to them I don't know what major AV company doesn't use the cloud? Let's take Kaspersky for example, personally I think they offer some of the best protection out there, but the moment you disable KSN, you effectively kill a major portion of their detection/protection capabilities. Same goes for Eset, Bitdefender, heck even Windows Defender (there are many more vendors). I really don't think Microsoft is making the detection improvements they are making without their cloud component. IMO I think more, if not all Anti-Malware companies are moving more and more to the cloud. They cannot keep up with all the malware that is released every day, so evidently, they need cloud/ML components to help.

I've seen false positives myself, for example when I was trialing Emsisoft a while back their cloud network would flag the uninstaller of new versions of Firefox. Does that mean Emsisoft is garbage? No, I just submitted the false positive to them. Another recent example for me was with the Malwarebytes extension. It was blocking some pages on Symantec's site for some odd reason (when I was looking for the uninstaller removal tool), so I guess I should just remove the Malwarebytes extension because it's garbage.

Don't get me wrong, false positives are annoying as heck, but sitting here crying about it is not going to fix it. Take the time to submit it to the vendor so they can fix it. As I mentioned, it happens to everyone, some are better at it than others, but we have to realize more and more of the industry is moving/relying on the cloud, so these things may become more commonplace, hopefully not too much though :)



I wouldn't necessarily change your AV just because of what has been said here. As I mentioned above, false positives happen to everyone. Symantec is a great product, and unless you have been having some issues with it I wouldn't worry too much about what has been said here or elsewhere. It's still your decision regardless :)

I am not criticizing the Cloud usage, I am criticizing Symantec over-relying on it and the False Positive galore that it causes, not mentioning the fact that Symantec seems to have forgotten the importance of human analysts and traditional signatures/emulation/heuristics.

It isn't the same case with Kaspersky, it has great signatures and powerful heuristics without causing massive false positives even without KSN assistance, same situation with Eset, Bitdefender and Emsisoft.

Those antivirus solutions that you mentioned are actually very good, my problem is with the cloud troop and with the solutions that over-rely on URL detection (Trend Micro, Panda, Symantec) because if you change the infection vector you are screwed.
 
ForgottenSeer 72227

I am not criticizing the Cloud usage, I am criticizing Symantec over-relying on it and the False Positive galore that it causes, not mentioning the fact that Symantec seems to have forgotten the importance of human analysts and traditional signatures/emulation/heuristics.

It isn't the same case with Kaspersky, it has great signatures and powerful heuristics without causing massive false positives even without KSN assistance, same situation with Eset, Bitdefender and Emsisoft.

Those antivirus solutions that you mentioned are actually very good, my problem is with the cloud troop and with the solutions that over-rely on URL detection (Trend Micro, Panda, Symantec) because if you change the infection vector you are screwed.

That's fair :)

It's very evident that Symantec's solution is very reputation based and very sledgehammer-like. I'm no expert in how these cloud solutions work, but I think it really depends on what algorithms they use. Some of the vendors I mentioned may have much more refined algorithms (for those that know better, please feel free to correct me :) ), hence why they have less false positives. I guess the next question is which is better? I mean in Symantec's case, it does work, but results in more false positives. Also, if something were to get past the URL detection (in Symantec's case), isn't this where SONAR would kick in? It's very evident that these companies have really taken the approach to block everything and anything that is not well known/used on the internet. To be fair, this is where quite a lot of malware infections come from (I know malware infections can come from many other places as well), so I can see their point of view.

Whether you agree with the approach or not, I think if you've run into a false positive and you KNOW it's a false positive, just submit it so the vendor can correct it. For me anyways, even when I do get hit by a false positive (which is not very often, thank God), especially if it's not a widely used program, it does give me pause to double check, which I don't think is necessarily a bad thing :)

Don't get me wrong, I've been hit by false positives as you know, so I know it can be very annoying :)
 

Nightwalker (Level 24, Verified, Honorary Member, Top Poster, Content Creator, Well-known; joined May 26, 2014; 1,339 posts)
That's fair :)

It's very evident that Symantec's solution is very reputation based and very sledgehammer-like. I'm no expert in how these cloud solutions work, but I think it really depends on what algorithms they use. Some of the vendors I mentioned may have much more refined algorithms (for those that know better, please feel free to correct me :) ), hence why they have less false positives. I guess the next question is which is better? I mean in Symantec's case, it does work, but results in more false positives. Also, if something were to get past the URL detection (in Symantec's case), isn't this where SONAR would kick in? It's very evident that these companies have really taken the approach to block everything and anything that is not well known/used on the internet. To be fair, this is where quite a lot of malware infections come from (I know malware infections can come from many other places as well), so I can see their point of view.

Whether you agree with the approach or not, I think if you've run into a false positive and you KNOW it's a false positive, just submit it so the vendor can correct it. For me anyways, even when I do get hit by a false positive (which is not very often, thank God), especially if it's not a widely used program, it does give me pause to double check, which I don't think is necessarily a bad thing :)

Don't get me wrong, I've been hit by false positives as you know, so I know it can be very annoying :)

I totally agree with you, but in Symantec's case there is an aggravating factor, it auto deletes by default and in some cases it doesn't do a quarantine backup, it is a nightmare for some kinds of users.

SONAR is good, it is the best thing in their product, but the rest is totally unacceptable for me (it doesn't even have full databases by default!).

I would rather use an Anti-Executable than Norton ...


More info (old threads but the issue remains):
Norton deleted my bandmaster game installer!
Norton is loosing loyal customers, because automatic deleting of threats! :( | Norton Community
Norton Launches 2012 Products
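The complaint above is about a product that removes files outright with no quarantine copy to recover from. Since the thread is about Windows Defender, here is an added example (mine, not from the thread or from any vendor) of how you would check with Defender what action was actually taken on a detection and pull a false positive back out of quarantine. It uses the Defender PowerShell cmdlets Get-MpThreatDetection and Get-MpThreat plus the MpCmdRun.exe -Restore switches; the threat name and restore folder at the end are placeholders to be replaced with values from the quarantine listing.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Shows what Defender did with recent detections and how to restore a quarantined
# item, which is the recovery path the post above says Norton sometimes lacks.

$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# 1. Recent detections: when, which process triggered it, what file, and whether the
#    remediation action succeeded. ThreatID joins to Get-MpThreat for the name.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 `
        InitialDetectionTime,
        @{ n = 'ThreatName';    e = { $threatNames[$_.ThreatID] } },
        ProcessName,
        ActionSuccess,
        @{ n = 'Resources';     e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize -Wrap

# 2. Everything currently held in quarantine (name, original path, time).
#    Nothing listed here has been destroyed; it can still be restored.
& $mpcmd -Restore -ListAll

# 3. Restore one item once you have confirmed it is a false positive.
#    Restoring to a separate folder (-Path) keeps it out of its original location
#    until you have re-scanned it or added an exclusion.
#    PLACEHOLDERS: replace the name with one from the -ListAll output and pick your own folder.
$threatToRestore = 'PUA:Win32/PlaceholderName'
$restoreFolder   = 'C:\DefenderRestore'
New-Item -ItemType Directory -Path $restoreFolder -Force | Out-Null
& $mpcmd -Restore -Name $threatToRestore -Path $restoreFolder

# 4. Optional: exclude only the specific restored file, not a whole folder,
#    so the exclusion stays as narrow as possible.
# Add-MpPreference -ExclusionPath (Join-Path $restoreFolder 'restored-file.exe')
```

The point of step 2 is the one Nightwalker makes: a quarantine you can list and restore from turns a false positive into a minor annoyance instead of lost data. Submit the sample to the vendor as well, so the exclusion in step 4 can be removed once the signature is corrected.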
 
ForgottenSeer 72227

I totally agree with you, but in Symantec's case there is an aggravating factor, it auto deletes by default and in some cases it doesn't do a quarantine backup, it is a nightmare for some kinds of users.

SONAR is good, it is the best thing in their product, but the rest is totally unacceptable for me (it doesn't even have full databases by default!).

I would rather use an Anti-Executable than Norton ...


More info (old threads but the issue remains):
Norton deleted my bandmaster game installer!
Norton is loosing loyal customers, because automatic deleting of threats! :( | Norton Community
Norton Launches 2012 Products

That's very true!

I guess that's the other part of this equation. I think a lot of these companies have really tried to take away control (if you will) from the user, which can be both good and bad. I think in the past, and I'm sure it is still very true today, traditional users really can't be trusted to make the right choice when presented with it. I mean if they really want that fantasy game they saw in an AD pop-up while browsing the internet, well by golly they will have it, regardless of what the AV says. I think sometimes we as techies have to step back and realize that many of their customers (if not the vast majority of them) are traditional users, so they tend to tailor their product to them and not us. For the vendors, as long as they aren't flagging critical system files, they think they are taking the best approach to protect their users (annoying as hell to us, but it's their stance).

I think at times these companies feel like they are stuck between a rock and a hard place. I mean they get criticized for auto deleting things, but on the flip side, they also get criticized for allowing malware infections when the user allowed the program to run, even though the AV flagged it.

Don't get me wrong, I agree with you about the auto delete thing and think an auto quarantine would be a better option, where it can be easily restored if it was a false positive. :) In the case of Norton, I found that it had too many of those stupid little bugs. When I learned about and tried SEPC, I was floored to see how much more polished and bug free it is compared to Norton. I know it's because it's their enterprise product and it needs to be that way (as it should be), but I get the feeling that with their Norton products they try to mash things together, hence why they are constantly pulling product updates from their servers.
 
ForgottenSeer 72227

Thanks @Andy Ful @Raiden and @Nightwalker for your comments.
A user had already reported 20 days earlier that this detection is a false positive, but Symantec has not corrected it.
I think that 3 weeks is too long a delay.
View attachment 188855

I'm sorry, but that's a little ridiculous if you ask me. I don't know what their process is, but whatever it is, Symantec really needs to improve it.
 
