Microsoft Defender - "Threat Detected" and then, later, it seems to change its mind . . .

britechguy

A few days back (during the "immense conflagration" period where my non-supported machine seemed to go off the rails with Windows 11) I decided to download and unzip Nir Sofer's Nir Launcher. Windows Defender went wild, which was not totally unexpected, though I would have thought that ALL of his utilities would have been whitelisted on any antivirus by now (indeed, long ago, for that matter). When I decided to restore from a full system image backup I thought little more of it.

Well, today, I decided to try again, but this time I made a point of downloading the ZIP file to a thumb drive and keeping all the action on the thumb drive, looking to see if it might make a difference. It didn't. As the package unzipped I kept getting threat detection after threat detection, yet any time you'd open Protection History during the earlier ones it showed nothing, which is weirdness number one. Then, after a while, it was showing a long series of the detections, all of which had "HackTool" as part of the detection; then, later on, those disappeared (weirdness number two). There's no trace of any action having been taken by Windows Defender (weirdness number three).

I created a Feedback Hub issue, https://aka.ms/AAkup43, about the beginning of all this but that was submitted even before the mysterious disappearance of all the detections as though they never happened.

I do not believe my machine is compromised in any way, as this seems to be Windows Defender not liking some of the hacking techniques that the NirSoft utilities employ. But, I can't understand why it would present a long string (I think there were 18 or 19) of detections only to have those vanish from Protection History.

Has anyone experienced something similar or the same in the past with Windows Security/Windows Defender? I went from having the Defender shield with the red stop sign overlay straight back to the green checkmark overlay over the course of an hour or two without my having taken any actions and without any record of Defender itself having quarantined or otherwise acted on anything.
 
@Porthos

Your Protection History, and my Protection History, are very, very different: [screenshot of Protection History]

If I'd had the usual stream of quarantined messages (or PUP messages) I'd never have posted this query in the first place. I got nada where I'd expect to have something precisely like what you're seeing.
 
If I'd had the usual stream of quarantined messages (or PUP messages) I'd never have posted this query in the first place. I got nada where I'd expect to have something precisely like what you're seeing.
Went back and re-read your post and you stated Win 11. My screenshots are from 10 sorry.
 
I decided during that time to download and unzip Nir Sofer's Nir Launcher. Windows Defender went wild, which was not totally unexpected, though I would have thought that ALL of his utilities would have been whitelisted on any antivirus by now (indeed, long ago, for that matter).
They never will, because too many malware tools roll in those tools. They can be easily used for evil, so they will always be flagged. Sometimes it is the ONLY item in a malware stack that gets found, and said malware can't do its stuff because the AV killed the support tool. Annoying as hell for legitimate users, but I can see the AV programmer's point.
 
They never will because too many malware tools roll in those tools.

Figuring out *who* is using those tools (as in "it's a part of . . .") isn't rocket science. I guess if I ever want to be able to use these things I'm going to have to create a folder exception and place stuff there, but that certainly doesn't help much when it comes to portable use, which is mainly how I want to be able to do this.

I don't get the point. If something like ChatGPT is possible, this kind of differentiation should be less than child's play.
 
If it was child's play then the malware calling the app would always be detected. You do realize that these are apps engineered to avoid detection by the OS or other applications? By using exploits.
 
They can be easily used for evil so they will always be flagged.

To add to this, though, that's my problem with what's happening with Windows Defender on my machine. They're flagged, not shown in Protection History for a while, then show in Protection History for a while, then disappear entirely. Under the current circumstances, I have no earthly idea what Defender actually did, or didn't do, when all is said and done.

If I had something in Protection History like @Porthos did, I could take certain actions. But I've got nada, zip, zilch when all is said and done. Supremely useless and unhelpful!
 
You do realize that these are apps engineered to avoid detection by the OS or other applications? By using exploits.

You do realize that this has been the case since time immemorial, don't you? And you do realize that most of these things "carry with them" everything they need, so they're not looking for NirSoft utilities for part of their nefarious plans.

Apples and oranges.
 
Adding exclusions for the folder on my computer and the folder on my thumb drive (with its letter changed to U) for Nir Launcher gets rid of the circus, but it still doesn't solve the mystery of why said circus doesn't leave a trace after the fact. It's very disturbing for Protection History to show nothing whatsoever after a string of detections that triggered an "Actions necessary" red stop-sign overlay on the Windows Security icon, only to have that disappear back to "happy green check" without any explanation, too.

I don't care so much about what it's doing, or not doing, as I do having a way to determine what that was, exactly, after the fact.
 
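For anyone who hits the same "Protection History went blank" situation, the following is an added example (not code from the thread or from any of its posters) showing how to reconstruct what Defender actually did from the engine's own state and from the Windows Defender operational event log, which is the durable record even when the Protection History pane shows nothing, and then how to add the folder exclusions the post above describes. The tool paths under $NirPaths are hypothetical; run it in an elevated PowerShell on the affected machine.

```powershell
# Added example, not from the thread: recover Defender's record of detections after the
# Protection History UI has cleared, then exclude the (hypothetical) portable-tools folders.
# Assumes Windows 10/11 with the built-in Defender PowerShell module and an elevated session.

# 1. Detections the engine still holds, independent of what the UI shows.
#    Get-MpThreatDetection lists each detection event; Get-MpThreat lists the threats themselves.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess,
                  CurrentThreatExecutionStatusID, Resources |
    Format-Table -AutoSize

Get-MpThreat |
    Select-Object ThreatID, ThreatName, SeverityID, Resources |
    Format-Table -AutoSize

# 2. The operational event log keeps a row per detection (1116) and per action taken (1117).
#    A 1116 with no matching 1117 for the same threat means "detected but never remediated",
#    which is exactly the gap Protection History hides.
$since = (Get-Date).AddDays(-3)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = $since
} -ErrorAction SilentlyContinue |            # Get-WinEvent throws if nothing matches
    ForEach-Object {
        # The message body is "Key: value" lines; pull out the three a triage needs.
        $lines = $_.Message -split "`r?`n"
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Threat = ($lines | Where-Object { $_ -match '^\s*Name:' })   -replace '^\s*Name:\s*', ''
            Path   = ($lines | Where-Object { $_ -match '^\s*Path:' })   -replace '^\s*Path:\s*', ''
            Action = ($lines | Where-Object { $_ -match '^\s*Action:' }) -replace '^\s*Action:\s*', ''
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize

# 3. Path exclusions for the tool folders (hypothetical paths, one local, one on the thumb drive).
$NirPaths = @('C:\Tools\NirLauncher', 'U:\NirLauncher')
foreach ($p in $NirPaths) {
    Add-MpPreference -ExclusionPath $p
}
# Confirm what is now excluded.
(Get-MpPreference).ExclusionPath
```

Two caveats worth keeping in mind: an exclusion is tied to the literal path, so a thumb drive that mounts under a different letter next time is no longer covered and the detections return; and every excluded folder is a blind spot, so keep the list to the specific tool directory rather than a whole drive, and use the 1116/1117 pairing above to check whether anything was actually quarantined before deciding the detections were noise.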
My guess for the behavior you've seen is that Windows Defender flags it as a hacking tool due to it being a known attack vector, realizes there's no payload, and the AI turns around and allows it afterward. If you've eventually been able to use the tool (wasn't sure based on what you wrote), then it makes sense, though obviously not the ideal logging situation.

If it just blocked it and never let it through, then maybe it blocked it while it was doing the suspicious activity, saw that it was a standalone tool by itself, then chose not to actually prosecute and delete/quarantine the file. Again, bad logging method, but understandable result.
 
They never will, because too many malware tools roll in those tools. They can be easily used for evil, so they will always be flagged. Sometimes it is the ONLY item in a malware stack that gets found, and said malware can't do its stuff because the AV killed the support tool. Annoying as hell for legitimate users, but I can see the AV programmer's point.
Yet WD does not flag similar tools from the Sysinternals Suite.
I use an app that aggregates NirSoft and Sysinternals called WSCC, and Nir's tools always get flagged after every update. Excluding them works until they get updated.

@britechguy I have also had this experience and reported on the Hub. No answers as of yet.
 
Yet WD does not flag similar tools from the Sysinternals Suite.

Whitelisting is not rocket science. And the IT community knows, and knows well, that NirSoft utilities are legitimate tools.

If we can't have our security suites grant needed exceptions for known needed exceptions, in the year 2023, then something is profoundly wrong. And updates to existing software happen all the time, so recognizing that, for an already recognized legitimate tool, isn't rocket science, either.

I believe I reported the "disappearing warnings" in Feedback Hub as well, and I know I've never heard back on that one.
 