Windows defender false positive - forced to allow threat


  #31 (Posts: 31,678; 10 Home x64 (22H2), 10 Pro on 2nd pc)

    WD lets you download Eicar.com, yes. But it detects and blocks it at any attempt to access the file. And yes, it will remove it.


    Actually, you don't even need to download it to test this. You can create the EICAR test virus in Notepad. Just type the text:
        X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    as one line (do not press Enter at the end) and save it as eicar.com. In fact, at a pinch you can do without Notepad, just open a command prompt and use ECHO to pipe the text directly to the file.
        echo X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>eicar.com
        rem the ^ is doubled because cmd treats a lone ^ as an escape character; inside a .bat file the % must be doubled as well (%%)

    But Eicar.com is not detected as a PUA; it is a test virus that is detected on any attempt to access the file (it's also a 16-bit app).


    The PUP/PUA test is the EICAR potentially unwanted application test here: Feature Settings Check - Potentially Unwanted Applications | AMTSO

    Defender will stop you from downloading that one, but you'll need to enable PUA detection first.

    Enable or Disable Windows Defender PUA Protection in Windows 10
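The two checks described in the post above (drop an EICAR file and watch real-time protection remove it; confirm that PUA detection is switched on before running the AMTSO PUA test) can be scripted with Defender's own PowerShell cmdlets. This is an added example, not code from the forum post; it assumes Windows 10/11 with Microsoft Defender Antivirus, an elevated PowerShell prompt, and the Defender module (Get-MpPreference, Set-MpPreference, Get-MpThreatDetection). The test directory under $env:TEMP is an assumption.

```powershell
# Added example, not from the forum post. Assumes an elevated prompt on a
# Windows 10/11 machine where Microsoft Defender Antivirus is the active AV.

$testDir  = Join-Path $env:TEMP 'eicar-test'   # location is an assumption
New-Item -ItemType Directory -Path $testDir -Force | Out-Null
$testFile = Join-Path $testDir 'eicar.com'

# Assemble the 68-byte EICAR string from two halves so that this .ps1 file
# itself does not contain the contiguous signature and get quarantined when
# it is saved. Single quotes keep $ and \ literal in PowerShell.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Write it as plain ASCII with no BOM and no trailing newline. Real-time
# protection may either let the write happen and then quarantine the file,
# or deny the write outright, so treat an exception as a detection too.
try {
    [System.IO.File]::WriteAllText($testFile, $eicar, [System.Text.Encoding]::ASCII)
} catch {
    "Write blocked: $($_.Exception.Message)"
}

Start-Sleep -Seconds 5
if (Test-Path $testFile) {
    "Still on disk: $testFile (real-time protection may be off, or the folder is excluded)"
} else {
    "Removed by Defender: $testFile"
}

# Defender's own record of the detection for this path.
Get-MpThreatDetection |
    Where-Object { $_.Resources -like "*eicar.com*" } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources

# PUA detection is a separate setting and is off by default on Windows 10
# client editions: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only).
$pua = (Get-MpPreference).PUAProtection
"PUAProtection = $pua"
if ($pua -ne 1) {
    Set-MpPreference -PUAProtection Enabled
    "PUAProtection now = $((Get-MpPreference).PUAProtection)"
}
```

Run it, then open the AMTSO PUA test page in the browser: with PUAProtection = 1 the download should be blocked, which is the behaviour the post above describes. If the eicar.com file is still on disk after the sleep, check that real-time protection is on and that $env:TEMP is not in the Defender exclusion list before concluding that detection failed.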


  #32 (Posts: 87; Windows 10 Pro 64-bit)

    I tried the AMTSO page first with Firefox, then Chrome

    I think I have my Avast settings on something other than the default, from a while back, I think from this page . . . www.winhelp.info

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Detects manually downloaded malware
    . . . Avast: Web Shield / Connection aborted
    . . . Chrome: Secure Connection Failed

    Detects drive-by downloads of malware
    . . . Avast did not appear to do anything, but I don't see this file either
    . . . Tried it again . . . Avast: Web Shield / Connection aborted
    . . . Chrome - Avast did not appear to do anything, but I don't see this file either

    Detects compressed malware
    . . . Avast: Web Shield / Connection aborted . . . 7-zip, Zip, Jar
    . . . Chrome - Avast: Web Shield / Connection aborted . . . 7-zip, Zip, Jar

    Detects potentially Unwanted Applications (PUAs)
    . . . Detected by. . . File Shield / Moved to Virus Chest
    . . . Chrome - Avast: Web Shield / Connection aborted ... File Shield / Moved to Virus Chest

    Detects phishing pages
    . . . Avast Online Security (a browser Add-on) / Connection aborted
    . . . Chrome - Avast: Web Shield / Connection aborted

    Is connected to a cloud-based lookup system
    . . . Avast: Web Shield / Connection aborted
    . . . Chrome - Avast: Web Shield / Connection aborted

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    I installed all the options of Avast Free, except for these three:

    File Shield
    Behavior Shield
    Web Shield
    Mail Shield
    Software Updater
    Browser Cleanup
    Rescue Disk
    Wi-Fi Inspector

    Security browser extension
    . . . SafePrice browser extension
    . . . Passwords
    . . . Cleanup
    Do Not Disturb Mode

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Avast seems to be more effective than WD

    - - - Updated - - -

    Then, I found the fake positives in the Virus Chest, and saw that they deleted easily - this interface is better than WD . . . I ran another scan - nothing found.

    Why would you want to use Win Defender, when Avast Free can keep this malware from even getting on your SSD?

    - - - Updated - - -

    I asked WD about their AMTSO fail with a text file, through the virus submission page:

    Submit a file for malware analysis - Microsoft Security Intelligence . . . https://www.microsoft.com/en-us/wdsi/filesubmission/

    It's nice that you can get an answer! It shows that someone is there.

    They said:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    The submitted files do not meet our criteria for detection. No detection will be added for these files.

    More detailed information about the approach and criteria categories currently used by the Microsoft researchers is available here:
    https://www.microsoft.com/en-us/wdsi/antimalware-support/malware-and-unwanted-software-evaluation-criteria

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    So, apparently, Win Defender sees some of what the AMTSO test puts on your computer (i.e. the phishing test) as being ok - but Avast Free does not.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    My original post / question on WD was here:

    Trojan:Win32/Powessere.G . . . False Positive (?) . . . https://social.technet.microsoft.com/Forums/en-US/321e274c-4bd5-4f1b-9f55-8a047123f168/trojanwin32powessereg-false-positive-?forum=WindowsDefenderATPPreview

    I also asked, in my above question:

    Why is the forum called: Windows Defender Advanced Threat Protection (ATP) Support

    And not just: Windows Defender Antivirus (Windows 10) . . . Am I in the wrong place? I can't tell.

    And they didn't say anything.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    So, I'm taking another look now. Here it is:

    Microsoft Community / Virus and Malware . . . Solution: Windows Defender . . . Topic: Show All

    https://answers.microsoft.com/en-us/protect/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1

    That's kind of confusing / buried / hard to find / hard to distinguish from WD ATP

    Do you have a page here that is just devoted to WD for Win 10, and the link to where to find the WD Win 10 forum?

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.