This reminds me of one of my favourite pieces of software, Mail PassView, which is (AFAIK) considered malware by Windows/Defender because it shows you the passwords you entered yourself in Outlook (but forgot to write down somewhere).
Flagging malware is hard, and research/dev tools always behave at least similarly to malware (because we want to get data/do stuff regular users won't do).
More likely/precisely, it's flagged as malware because it's bypassing protections built into Windows Credential Guard, e.g. impersonating (or injecting code into) outlook.exe.
Making an exception for such a heuristic is, in all cases, wrong since it will always be abused.
The actual answer is: Defender needs a PUP category.
But the main characteristic of malware is that it works for someone other than the user, no? Research software works for the user themselves.
And something using keystroke injection to abuse the exception?
Is called an automation tool.
Like PowerShell, or Microsoft Automate or Tosca, which can all run keystroke injection, but aren't flagged.
My question was rhetorical and intended to point out that granting an exception for 'good' software to do a bad thing is just allowing bad actors to do the bad thing.
Then, when the exception has to be revoked, the backlash is massive. Look up the recent example of the driver FanControl used to issue SMBus commands being blacklisted.
I was pointing out that keystroke injection is already the norm. The exception is banning it for some software.
It has been the norm since we first started automating processes designed more for people than automation. It will remain the norm for as long as that exists.
Ehh. The only structural gap from a local password logger to a universal account takeover is whether you’re receptive to nice men who explain that they’d like you to send them a “log file”. Working on a user’s behalf has to include protecting them from security holes they might not expect.
False detection is a nightmare in the corporate world and this IT worker bashes his head every time he runs across it.
Nirsoft tools? Bam, "virus" and "malware". How dare you!
Tailscale website? Uh-oh, ZScaler thinks that's a "remote access tool" so you're being given a click-through formal warning!
The Framework website? Uh-oh, .work is a bad TLD! Can't browse to that, it could be evil!
My favourite one of these has to be Outlook Online blocking nearly all Python, Bash and exe files sent via email...at the Faculty of computer science. Who would ever need to send code to others at the computer faculty? And it's not like it prevents you from sending it, it just prevents the recipient from downloading it, so there's no indication of anything wrong until it might be too late. Oh, and it doesn't even say "hey, that's malware". It just shows a little red X and removes the download button. No tooltip or popup, it just looks like a generic error. Had to go to Reddit to find out it's an antimalware thing.
I mean - Tailscale is a remote access tool...
got to prevent you from looking at competitors
I have the same problem because my installer uses NSIS. And once my DLL was also flagged as a virus / malware even though it's completely legit :/ , everything is signed properly. Does anyone know how to improve this situation?
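The first thing a vendor false-positive review asks for is proof that the binary really is signed with a chain that validates on the machine where it was flagged, plus the file hash the scanner saw. The snippet below is an added example, not code from the commenter or from NSIS, that gathers exactly that for each artifact; `C:\build\MyInstaller.exe` and `C:\build\MyPlugin.dll` are placeholder paths, and it assumes an existing Windows machine with the standard `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets (which are part of PowerShell).

```powershell
# Added example: verify the Authenticode chain and collect the SHA-256 hash
# for each release artifact before submitting a false-positive report.
# Paths are placeholders; replace them with your own build outputs.
$artifacts = @('C:\build\MyInstaller.exe', 'C:\build\MyPlugin.dll')

function Get-ReleaseArtifactReport {
    param([string[]]$Paths)

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Missing artifact: $path"
            continue
        }

        # Status is 'Valid' only when the whole chain verifies on THIS machine;
        # 'UnknownError' or 'NotTrusted' usually means a cross/root cert is
        # missing or the timestamp countersignature is absent.
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = Get-FileHash -LiteralPath $path -Algorithm SHA256

        [pscustomobject]@{
            File          = $path
            SignatureStatus = $sig.Status
            StatusMessage = $sig.StatusMessage
            Signer        = $sig.SignerCertificate.Subject
            SignerThumb   = $sig.SignerCertificate.Thumbprint
            Timestamped   = [bool]$sig.TimeStamperCertificate
            SHA256        = $hash.Hash
        }
    }
}

# Anything that is not 'Valid' is worth fixing before blaming the scanner:
# an unsigned or partially signed NSIS installer looks the same to Defender
# as an unsigned dropper.
Get-ReleaseArtifactReport -Paths $artifacts | Format-List
```

Run it on a clean machine that has never had your own code-signing certificate installed; a `Valid` result there, together with the SHA-256 values, is what the scanner vendor's false-positive form expects. Note that the signature status says nothing about whether the NSIS stub itself matches a heuristic, so a `Valid` chain does not guarantee the detection goes away, only that the report is complete.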
Malware scanners are such trash.