<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
    xmlns:content="http://purl.org/rss/1.0/modules/content/"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Detection — Expert Community</title>
        <link>https://community.bitdefender.com/en/</link>
        <pubDate>Thu, 03 Oct 2024 22:06:28 +0000</pubDate>
        <language>en</language>
            <description>Detection — Expert Community</description>
    <atom:link href="https://community.bitdefender.com/en/discussions/tagged/detection/feed.rss" rel="self" type="application/rss+xml"/>
    <item>
        <title>How do certain administration tools get their &quot;suspicious&quot; mark?</title>
        <link>https://community.bitdefender.com/en/discussion/91213/how-do-certain-administration-tools-get-its-suspicious-mark</link>
        <pubDate>Fri, 08 Apr 2022 09:07:04 +0000</pubDate>
        <category>Security Research Team</category>
        <dc:creator>rifqiramadhan</dc:creator>
        <guid isPermaLink="false">91213@/en/discussions</guid>
        <description><![CDATA[<p>This might sound like a very broad question, but I'll explain why.</p><p>I was shown a video that BitDefender was apparently white-listing a commonly used tool for reverse shell, <code spellcheck="false" tabindex="0">netcat</code>, in the video below. I took the video with a grain of salt, because looking at the virtual machine, it looks like it was quite customized.</p><div data-embedjson="{&quot;height&quot;:113,&quot;width&quot;:200,&quot;photoUrl&quot;:&quot;https:\/\/i.ytimg.com\/vi\/Nc4J5sqUndU\/hqdefault.jpg&quot;,&quot;videoID&quot;:&quot;Nc4J5sqUndU&quot;,&quot;showRelated&quot;:false,&quot;start&quot;:0,&quot;url&quot;:&quot;https:\/\/www.youtube.com\/watch?v=Nc4J5sqUndU&quot;,&quot;embedType&quot;:&quot;youtube&quot;,&quot;name&quot;:&quot;Bypass Antivirus Terbaik 2021 untuk akses reverse shell (AV terbaik menurut AntivirusGuide.com)&quot;,&quot;frameSrc&quot;:&quot;https:\/\/www.youtube.com\/embed\/Nc4J5sqUndU?feature=oembed&amp;autoplay=1&quot;}">
    <a href="https://www.youtube.com/watch?v=Nc4J5sqUndU" rel="nofollow noopener ugc">
        https://www.youtube.com/watch?v=Nc4J5sqUndU
    </a>
</div><p>I read a lot about netcat and apparently it also has uses other than reverse shell. So I began my self-research on "how do anti-malware providers decide if netcat is a malicious tool or just a very powerful tool for administration that needs to be whitelisted".</p><p>First I looked at VirusTotal's compiled source of threat intel. One of the netcat scan results is this:</p><div data-embedjson="{&quot;body&quot;:&quot;VirusTotal&quot;,&quot;url&quot;:&quot;https:\/\/www.virustotal.com\/gui\/file\/222c75cfb301029637aea1da60e7b6fa37a1a4213fda8d014a0f01edecd47c61\/detection&quot;,&quot;embedType&quot;:&quot;link&quot;,&quot;name&quot;:&quot;VirusTotal&quot;}">
    <a href="https://www.virustotal.com/gui/file/222c75cfb301029637aea1da60e7b6fa37a1a4213fda8d014a0f01edecd47c61/detection" rel="nofollow noopener ugc">
        https://www.virustotal.com/gui/file/222c75cfb301029637aea1da60e7b6fa37a1a4213fda8d014a0f01edecd47c61/detection
    </a>
</div><p>As you can see, even BitDefender is split on detection: BitDefenderTheta gave a detection, and normal BitDefender did not.</p><p>And then I read a publication on ResearchGate.</p><p>If the link is broken, the publication is:</p><p>"Testing antivirus engines to determine their effectiveness as a security layer" by Jameel Haffejee and Barry Irwin from Rhodes University in 2014.</p><p>The study showed that antivirus evasion may have a great impact on detection by antivirus. They used netcat as "sample malware". It shows that netcat apparently was not really detected by many antivirus providers.</p><p>While we know that netcat can be used for legit reasons, so can many other administration tools, even paid ones, for instance AnyDesk, TeamViewer, and even Atera Network.</p><p>I only found 1 discussion regarding a person ranting about how strict Bitdefender can be in terms of blocking administration software.</p><div data-embedjson="{&quot;recordID&quot;:90287,&quot;recordType&quot;:&quot;discussion&quot;,&quot;body&quot;:&quot;&lt;p&gt;Hello, this is my first post.  I&amp;#039;ve sent a support ticket regarding Bitdefender blocking a Remote Desktop program that I use with my clients.  This started beginning of Jan 2022 with new definition files I assume.  The program is rutserv.exe found in the following Windows location C:\\Program Files (x86)\\Remote Utilities - Host&lt;\/p&gt;&lt;p&gt;When I try to restore from quarantine, the folder location is denied and therefore I cannot add as an Exception&lt;\/p&gt;&lt;p&gt;Has anyone else come across this issue or have any comments?&lt;\/p&gt;&lt;p&gt;Thx&lt;\/p&gt;&lt;p&gt;Tony&lt;\/p&gt;&quot;,&quot;bodyRaw&quot;:&quot;[{\&quot;insert\&quot;:\&quot;Hello, this is my first post.  I've sent a support ticket regarding Bitdefender blocking a Remote Desktop program that I use with my clients.  This started beginning of Jan 2022 with new definition files I assume.  The program is rutserv.exe found in the following Windows location C:\\\\Program Files (x86)\\\\Remote Utilities - Host\\nWhen I try to restore from quarantine, the folder location is denied and therefore I cannot add as an Exception\\nHas anyone else come across this issue or have any comments?\\nThx\\nTony\\n\&quot;}]&quot;,&quot;format&quot;:&quot;rich&quot;,&quot;dateInserted&quot;:&quot;2022-02-03T14:20:01+00:00&quot;,&quot;insertUser&quot;:{&quot;userID&quot;:240175,&quot;name&quot;:&quot;Spada4IT&quot;,&quot;url&quot;:&quot;https:\/\/community.bitdefender.com\/en\/profile\/Spada4IT&quot;,&quot;photoUrl&quot;:&quot;https:\/\/community.bitdefender.com\/applications\/dashboard\/design\/images\/defaulticon.png&quot;,&quot;dateLastActive&quot;:&quot;2022-02-03T14:15:34+00:00&quot;,&quot;banned&quot;:0,&quot;punished&quot;:0,&quot;private&quot;:false,&quot;label&quot;:&quot;&quot;},&quot;displayOptions&quot;:{&quot;showUserLabel&quot;:false,&quot;showCompactUserInfo&quot;:true,&quot;showDiscussionLink&quot;:true,&quot;showPostLink&quot;:true,&quot;showCategoryLink&quot;:false,&quot;renderFullContent&quot;:false,&quot;expandByDefault&quot;:false},&quot;url&quot;:&quot;https:\/\/community.bitdefender.com\/en\/discussion\/90287\/remote-utilities-blocked&quot;,&quot;embedType&quot;:&quot;quote&quot;,&quot;name&quot;:&quot;Remote Utilities Blocked&quot;}">
    <a rel="nofollow" href="https://community.bitdefender.com/en/discussion/90287/remote-utilities-blocked">
        https://community.bitdefender.com/en/discussion/90287/remote-utilities-blocked
    </a>
</div>
<p>But out of curiosity, how do you weigh administration tools, between "this is totally fine and legit" and "we will delete this"?</p><p>Thank you!</p>]]>
        </description>
    </item>
   </channel>
</rss>
