How do certain administration tools get their "suspicious" mark?
This might sound like a very broad question but I'll explain why.
I was shown a video in which BitDefender was apparently white-listing netcat, a tool commonly used for reverse shells (video below). I took the video with a grain of salt, because looking at the virtual machine, it looks like it was quite customized.
I read a lot about netcat and apparently it also has uses other than reverse shells. So I began my own research on "how do anti-malware providers decide whether netcat is a malicious tool or just a very powerful administration tool that needs to be whitelisted".
First I looked at VirusTotal's compiled source of threat intel. One of the netcat scan results is this:
As you can see, even BitDefender is split on detection: BitDefenderTheta gave a detection, and normal BitDefender did not.
And then I read a publication on ResearchGate.
If the link is broken, the publication is:
"Testing antivirus engines to determine their effectiveness as a security layer" by Jameel Haffejee and Barry Irwin from Rhodes University, 2014.
The study showed that antivirus evasion may have a great impact on detection by antivirus. They used netcat as "sample malware". It shows that netcat apparently was not really detected by many antivirus providers.
We know that netcat can be used for legitimate reasons, as can many other administration tools, some of them even paid products, for instance AnyDesk, TeamViewer, and even Atera Network.
I only found 1 discussion regarding a person ranting about how strict Bitdefender can be in terms of blocking administration software.
But out of curiosity, how do you weigh administration tools, between "this is totally fine and legit" and "we will delete this"?
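One way to make the "legit admin tool vs. we will delete this" question concrete is to look not at the binary alone but at the context in which it runs. The following is an added illustration, not part of the question above and not any vendor's real policy: a small context-scoring function over constructed process events. The tool names, parent-process lists, paths and thresholds are all assumptions chosen for the example; the point is that the same executable (netcat) scores differently depending on who launched it, from where, and under which account.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """One process-start record, as an EDR or AV behaviour engine might see it (constructed)."""
    image: str          # executable file name
    path: str           # full path the executable was loaded from
    cmdline: str        # command line (kept only for the analyst's reference here)
    parent_image: str   # executable that spawned this process
    user: str           # account the process runs as

# Hypothetical policy data. These sets are assumptions for the example, not a real allow-list.
DUAL_USE_TOOLS = {"nc", "ncat", "netcat", "nc.exe", "ncat.exe", "teamviewer.exe", "anydesk.exe"}
INTERACTIVE_PARENTS = {"bash", "zsh", "sshd", "cmd.exe", "powershell.exe", "explorer.exe"}
SERVER_PARENTS = {"httpd", "nginx", "php-fpm", "tomcat", "w3wp.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "network service"}
APPROVED_INSTALL_DIRS = ("/usr/bin/", "/usr/local/bin/", "C:\\Program Files\\")

def score_event(ev: ProcessEvent):
    """Return (score, reasons). Higher means more suspicious; 0 means nothing unusual."""
    if ev.image.lower() not in DUAL_USE_TOOLS:
        return 0, ["not a tracked dual-use tool"]
    score, reasons = 0, []
    parent = ev.parent_image.lower()
    if parent in SERVER_PARENTS or parent in OFFICE_PARENTS:
        # A web server or office application has no business launching an admin tool.
        score += 50
        reasons.append(f"launched by {ev.parent_image}, a server/office process")
    elif parent in INTERACTIVE_PARENTS:
        reasons.append("launched from an interactive shell")
    else:
        score += 20
        reasons.append(f"unusual parent process {ev.parent_image}")
    if ev.user.lower() in SERVICE_ACCOUNTS:
        score += 20
        reasons.append(f"running as service account {ev.user}")
    if not ev.path.startswith(APPROVED_INSTALL_DIRS):
        score += 15
        reasons.append(f"binary loaded from unapproved location {ev.path}")
    return score, reasons

def classify(ev: ProcessEvent):
    """Map a score to the three outcomes the question asks about."""
    score, reasons = score_event(ev)
    if score >= 50:
        verdict = "block"
    elif score >= 20:
        verdict = "alert"
    else:
        verdict = "allow"
    return verdict, score, reasons

# Constructed sample telemetry: the same tool in three different contexts.
SAMPLE_EVENTS = {
    "admin_port_check": ProcessEvent("nc", "/usr/bin/nc", "nc -zv backup.internal 22", "bash", "admin"),
    "cron_health_check": ProcessEvent("nc", "/usr/bin/nc", "nc -z localhost 8080", "cron", "root"),
    "webserver_spawned": ProcessEvent("nc", "/tmp/nc", "nc 203.0.113.5 4444", "php-fpm", "www-data"),
}

def run_samples():
    """Classify every sample event; returns {name: verdict}."""
    return {name: classify(ev)[0] for name, ev in SAMPLE_EVENTS.items()}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        verdict, score, reasons = classify(ev)
        print(f"{name:18} -> {verdict:5} (score {score}): {'; '.join(reasons)}")
```

Run as a script it prints one line per event: the admin's port check from an interactive shell is allowed, the cron-driven health check raises an alert because cron is not on the hypothetical list of interactive parents, and the copy dropped in /tmp and spawned by php-fpm as www-data crosses the block threshold. The executable is identical in all three cases; only the context moved the score.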