Tuts 4 You

Windows Defender Strange behavior!



LCF-AT

Hi guys,

I found something strange today. I was checking some of my folders that I uncompressed a while ago. Now, on checking those folders via the mouse, I got a detection message from WDefender about a found virus xy bla bla. I thought OK, but why was it not detected before!? WDefender removed some files now when I was checking some folders manually. Now I wanted to know what it is and got 2 different names....

Trojan:Win32/Ymacco.AA41
Trojan:Win32/Ymacco.AA51

...some trojan, and I just wondered and thought it might be a false alert. To verify that, I started up VBox with Windows 10 x64 (the same OS I also work with as my normal OS). I also updated Windows 10 today to have the same update status on my real OS and the VM too = the same Windows Defender update status, definition files etc. All the same now so far. Now I just copied my "trojan files" detected by Windows Defender into my VM OS and checked the files with Windows Defender there too, of course, but surprise surprise, Windows Defender tells me that everything is alright and nothing was detected. Hm! Pretty STRANGE! Then I tried to drag / drop the files back to my main OS, but it wasn't possible because Windows Defender stopped it and told me that a trojan was found in the files I wanted to drag. Hm!

Now the big question is..... WHAT THE HECK is going on!? How can this be possible? The same file gets detected as a trojan and also as clean using the same Windows Defender app, which is up to date on both!=? Of course I am pretty sure that it's a false alert about those files, but how is it possible to get those different results? Normally I should get the same results, of course, because Windows Defender is up to date. Pretty strange. Has anyone any explanation for that behavior?

greetz

Kurapica

You shouldn't be using WD in the first place.

atom0s

Updates between Windows 10 machines are not always equal, regardless of what date/version things say. They roll things out in batches, based on each device's hardware and other qualifying identifiers. Windows Defender symbols and definitions work in a similar manner. So both of your setups may show the same version of WD, but the definitions could be different, as one of the machines probably hasn't gotten "permission" to obtain the latest stuff yet.

That said, the detection difference could just be a difference in the definitions they pushed, or the way WD detected things was done in a different order. (Pretty sure their scanner does multi-threaded scans for performance purposes, so one of the threads may have hit the other detection before another thread completed etc., and it just shows what was found first.)

Progman

Also, Windows Defender might have options to do live cloud verification or other levels of threat verification like generic heuristics. Is the web connection enabled in the VM, and are all Windows Defender settings the same? VirusTotal-style hash checking and such are becoming more common in antivirus apps lately, for having access to a more up-to-date and broader database that allows vendors to find viruses earlier as well. It could even be some random spyware setting in your Windows account profile, usually under the title of a "help Microsoft improve our products and user experience" type of option.

Or Windows Defender is so smart that it knows when you are in a VM or sandbox, where you are probably studying the viruses, and does not want to block them. But I doubt it :)

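The two replies above point at the same practical question: are the engine, the signature set and the cloud-lookup settings really identical on the host and in the VM? The snapshot script below is an added example, not code from the thread or from Microsoft; it only uses the built-in Defender cmdlets that ship with Windows 10 (Get-MpComputerStatus, Get-MpPreference, Get-MpThreat, Get-MpThreatDetection). Run it in an elevated PowerShell on each machine, save the output, and diff the two files; any difference in the version or MAPS lines is a candidate explanation for the differing verdicts. The output file name is an assumption.

```powershell
# Added example (not from the original post): capture the Defender state that
# can make two "up to date" machines disagree about the same file.
# Assumes Windows 10 with the built-in Defender cmdlets; run elevated.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$snapshot = [ordered]@{
    Computer                      = $env:COMPUTERNAME
    # Engine/platform version and the three signature sets. These are the
    # values that atom0s suspects differ even when the UI looks identical.
    AMEngineVersion               = $status.AMEngineVersion
    AMProductVersion              = $status.AMProductVersion
    AntivirusSignatureVersion     = $status.AntivirusSignatureVersion
    AntivirusSignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    AntispywareSignatureVersion   = $status.AntispywareSignatureVersion
    NISSignatureVersion           = $status.NISSignatureVersion
    # Protection state
    RealTimeProtectionEnabled     = $status.RealTimeProtectionEnabled
    IsTamperProtected             = $status.IsTamperProtected
    DisableRealtimeMonitoring     = $pref.DisableRealtimeMonitoring
    # Cloud-delivered protection (MAPS): 0 = off, 1 = basic, 2 = advanced.
    # With MAPS on, a verdict can come from a cloud lookup that the offline
    # signature set does not contain, so two machines can disagree.
    MAPSReporting                 = $pref.MAPSReporting
    # Sample submission: 0 = always prompt, 1 = send safe samples,
    # 2 = never send, 3 = send all samples
    SubmitSamplesConsent          = $pref.SubmitSamplesConsent
    CloudBlockLevel               = $pref.CloudBlockLevel
    # Exclusions explain "clean" verdicts that are really "not scanned".
    ExclusionPath                 = ($pref.ExclusionPath -join ';')
    ExclusionExtension            = ($pref.ExclusionExtension -join ';')
}

# Map numeric ThreatIDs to the names shown in the UI (e.g. Trojan:Win32/Ymacco.*)
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

$detections = Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime,
        @{ Name = 'ThreatName'; Expression = { $threatNames[$_.ThreatID] } },
        ProcessName, ActionSuccess,
        @{ Name = 'Resources';  Expression = { $_.Resources -join ';' } }

# Assumed output file name; diff the two files with Compare-Object or fc.exe
$outFile = Join-Path $env:TEMP ("defender-state-{0}.txt" -f $env:COMPUTERNAME)

$snapshot.GetEnumerator() |
    ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value } |
    Set-Content -Path $outFile

'' , '--- recent detections ---' | Add-Content -Path $outFile
$detections | Format-Table -AutoSize | Out-String | Add-Content -Path $outFile

Get-Content $outFile
```

If the signature versions match but MAPSReporting differs (or the VM has no network), the cloud lookup is the first thing to rule out: set it identically on both machines with Set-MpPreference -MAPSReporting and re-test. For a file you are sure is a false positive, a path exclusion (Add-MpPreference -ExclusionPath) is more reliable than restoring from quarantine, since a restored file is scanned again the next time it is touched.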
LCF-AT

Hi guys,

thanks for your feedbacks so far.

Today I found a new strange behavior of WD! Right now I started my PC and see that WD has already updated to a new def file, see the version..

[attached screenshot: 2020-07-05_203002.png]

....now I do the same as yesterday and copy the BAD files from my rar package into a free folder. So remember, when I did this yesterday WD prevented it because of the alert etc., but today, oh wonder, it works and WD doesn't say anything!=? So I have 2 different file versions of the same file which got detected yesterday on my main OS, but today all is fine. But I also see some differences. One file gets marked with that WD shield icon on the icon (I don't remember anymore what that means etc.), but the other file doesn't get that shield icon on the icon. Another difference from yesterday is that both files had missing entries in the details tab (right mouse / details), but today all details are present!=? What's this? How can this be? Do you have any clues about that? Yesterday all bad (main OS only) and today all fine. Hm. Maybe you are right, atom0s, with that scan thing there.

So I am using the same settings for WD in the VM too. Just the realtime scan option and the tamper protection option enabled. The other cloud stuff / sending samples I have disabled.

So what app should I use in the first place then?

greetz

deepzero

WD is fine. Modern AVs aren't exactly very deterministic things. If you have a problem with a false positive, just disable it.

LCF-AT

Hi deep,

So I also thought that WD would be fine for my tasks (more as a normal user), especially when using Windows 10. But sometimes WD doesn't react 100% when I disable the realtime scanner for a while, and WD still says something / detects. Otherwise, when WD moves any file into quarantine it's easy to restore it, but the problem in this case is that sometimes that just works for a few days and then it gets detected again. I mean, it's not working 100% to mark any file manually as clean or to tell WD not to say anything anymore about that file XY. Not sure why.

greetz

dcybergeek

Defender is not a real AV, like any other free AV.

Maybe your issue is an update-related issue.
