Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Microsoft just killed the Windows 10 Beta Channel again

Featured Deal: Get this $35 ethical hacking bundle deal for the IT job seeker on your list

Latest Buyer's Guide:    PureVPN review: How good is it in 2024?

Generic User Avatar

General AV question regarding MS Defender for Endpoint

Started by Jerako92 , Nov 12 2024 10:07 AM

  • Please log in to reply
1 reply to this topic

#1 Jerako92

Jerako92

  • Avatar image
  • Members
  • 2 posts
  • OFFLINE
    •  
  • Local time:12:42 AM

Posted 12 November 2024 - 10:07 AM

Doing a proof of concept on MS defender for endpoint. It's been deployed to a limited scope of systems as an alternate AV package. Weekly I have to research various files stuck in quarantine that are of various virus detections such as Wacatac and Phonzy. So far, after roughy a dozen detections, I have proven that they are false positives. This is based on using a sheep dip machine and processing the files with multiple AV packages such as Sophos Intercept with XDR and Malware Bytes. My question is, has anyone else had a similar experience with MS Defender? I can't imagine the amount of time I'll be putting in to researching false positives based on the PoC.


BC AdBot (Login to Remove)

 

#2 SwimminThruGrey

SwimminThruGrey

  • Avatar image
  • Members
  • 22 posts
  • OFFLINE
    •  
  • Local time:08:42 AM

Posted 12 November 2024 - 01:12 PM

AV Detections are tough - it all depends on the who the company is to be perfectly honest. Some use some pretty wide ML models to detect and diagnose which can mean a shotty TP:FP ratio.

  • What are the exact detection names you saw? Often these companies have naming heuristics which might point to whether or not its a broad detection and, thus, FP prone.
  • What file types were being detected specifically? Sometimes file types are filled with sufficient entropy that they're statistically more likely to hit a yara rule just right to trigger a detection
  • Are there any functionality ties consistent across the affected machines? This might either further explain FPs or give you insight as to an infection vector if they are actually TP and being missed by other AV prods.

Edited by SwimminThruGrey, 12 November 2024 - 01:13 PM.

Back to Anti-Virus, Anti-Malware, and Privacy Software


2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users


  1. BleepingComputer Forums
  2. Security
  3. Anti-Virus, Anti-Malware, and Privacy Software
  4. Privacy Policy
  5. Rules ·