How do certain administration tools get their "suspicious" mark?

This might sound like a very broad question but I'll explain why.

I was shown a video in which BitDefender was apparently whitelisting a tool commonly used for reverse shells, netcat (video below). I took the video with a grain of salt, because, looking at the virtual machine, it looked quite customized.

I read a lot about netcat, and apparently it also has uses other than reverse shells. So I began my own research on "how do anti-malware providers decide whether netcat is a malicious tool or just a very powerful administration tool that needs to be whitelisted".

First I looked at VirusTotal's compiled source of threat intel. One of the netcat scan results is this:

As you can see, even BitDefender is split on detection: BitDefenderTheta gave a detection, and normal BitDefender did not.

And then I read a publication on ResearchGate.

If the link is broken, the publication is:

"Testing antivirus engines to determine their effectiveness as a security layer" by Jameel Haffejee and Barry Irwin from Rhodes University, 2014.

The study showed that antivirus evasion may have a great impact on detection by antivirus. They used netcat as the "sample malware". It shows that netcat apparently was not really detected by many antivirus providers.

We know that netcat can be used for legitimate reasons, and so can many other administration tools, even paid ones, for instance AnyDesk, TeamViewer, and even Atera Network.

I only found one discussion, of a person ranting about how strict Bitdefender can be in terms of blocking administration software.

But out of curiosity, how do you weigh administration tools between "this is totally fine and legit" and "we will delete this"?

Thank you!

Best Answer

  • Flexx (mod)

    Let me narrow this down for you. VirusTotal has 3 engines available with respect to Bitdefender.

    1) Bitdefender Falx: Only shows detections related to Android (malware detections created by malware researchers)

    2) Bitdefender: Apart from Android, all other OS detections are shown (malware detections created by malware researchers)

    3) Bitdefender Theta: All detections are based on machine learning, which does not include detections created by malware researchers. High chance of false positives.

    Hence, there will be instances where you will see detection under Bitdefender Theta but not under Bitdefender.

    Additionally, I had shared the hash of the file in the VirusTotal link with the malware researchers, but as of now the hash seems to be non-malicious according to them.

    Will check with them to see if the correction can be made for the detection under Bitdefender Theta as well.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)
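The split verdict the answer describes (a machine-learning engine such as BitDefenderTheta flagging a file while the signature-based BitDefender engine does not) is exactly the case a triage script should handle rather than treat as a plain "1 hit". The block below is an added example, not code from the forum thread or from Bitdefender: it hashes a local file, can fetch the VirusTotal v3 file object for that hash, and classifies the report by separating signature engines from ML-only engines. Assumptions, marked in the code as well: the ML-only engine set is just BitDefenderTheta as stated in the answer; the sample report is constructed to mirror the question's screenshot, not a real VirusTotal response; the hit thresholds are an arbitrary triage policy, not vendor logic.

```python
"""Added example: triage a VirusTotal v3 file report by separating
signature-based engine verdicts from ML-only engine verdicts."""
import hashlib
import json
import urllib.request

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"

# Engines whose verdict comes from a machine-learning model rather than an
# analyst-written signature (per the answer above). Assumption: a hit from
# only these engines is low-confidence until a signature engine corroborates it.
ML_ONLY_ENGINES = {"BitDefenderTheta"}

# The three Bitdefender engines listed on VirusTotal, per the answer above.
BITDEFENDER_ENGINES = ("BitDefender", "BitDefenderTheta", "BitDefenderFalx")

# Categories VirusTotal uses for a positive detection in last_analysis_results.
DETECTED = {"malicious", "suspicious"}


def sha256_of(data: bytes) -> str:
    """Hash the local file: the SHA-256 is the identifier VirusTotal looks up."""
    return hashlib.sha256(data).hexdigest()


def fetch_report(sha256: str, api_key: str) -> dict:
    """Fetch the v3 file object for a hash (needs network access and an API key)."""
    req = urllib.request.Request(VT_FILES_ENDPOINT + sha256,
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def classify(report: dict) -> dict:
    """Split engine hits into signature vs ML verdicts and assign a triage label."""
    results = report["data"]["attributes"]["last_analysis_results"]
    hits = {name for name, r in results.items() if r.get("category") in DETECTED}
    signature_hits = sorted(hits - ML_ONLY_ENGINES)
    ml_hits = sorted(hits & ML_ONLY_ENGINES)
    # Pull out the Bitdefender family so the split the answer describes is visible.
    bitdefender = {name: results[name].get("category")
                   for name in BITDEFENDER_ENGINES if name in results}

    # Triage policy (assumption for this example, not VirusTotal's or Bitdefender's logic).
    if not hits:
        verdict = "clean"
    elif not signature_hits:
        verdict = "ml-only"          # only Theta-style engines fire: verify before acting
    elif len(signature_hits) < 3:
        verdict = "low-prevalence"   # a few signatures: review, likely dual-use tool
    else:
        verdict = "malicious"
    return {"verdict": verdict, "signature_hits": signature_hits,
            "ml_hits": ml_hits, "bitdefender": bitdefender}


# Constructed sample mirroring the question's screenshot: only Theta detects.
# The "result" string is a placeholder, not a real detection name.
SAMPLE_REPORT = {
    "data": {"attributes": {"last_analysis_results": {
        "BitDefender":      {"category": "undetected", "result": None},
        "BitDefenderTheta": {"category": "malicious", "result": "AI:Constructed.Sample"},
        "BitDefenderFalx":  {"category": "type-unsupported", "result": None},
        "Kaspersky":        {"category": "undetected", "result": None},
        "Microsoft":        {"category": "undetected", "result": None},
    }}}
}

if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE_REPORT), indent=2))
```

On a real file, call `sha256_of(open(path, "rb").read())` and pass the digest to `fetch_report` with your API key; the report goes through `classify` unchanged. The "ml-only" label is the case from the question: it is a prompt to check the file's provenance, not a reason to delete it.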

Answers

  • Flexx (mod)
    edited May 2022

    Just an update to the previous comment. I received a confirmation from malware research through the support team, and as per the malware researchers, the signature-based detection for the hash in the VirusTotal link shared above is only available for business products of Bitdefender and not for consumer products.

    Below is the reply from the malware researchers through the support team.

    Regards
