Though I do wonder how much of that “detects random files as malware” is actually detecting real malware hidden inside software that also does what it claims to do. Like “this removes a game’s DRM and also installs a helpful little rootkit for if we need to help you debug something, DDoS websites we hate, or act as an anonymous proxy”.
Windows does it to apps and files from people I trust or to ones I’ve created myself. I’ve even caught it basing detection on fuzzy string matching and nothing else (Bifrost vs Bifrose in the app name and that’s it).
Yeah, that’s the frustrating part, it could be either way. Could be based on a heuristic analysis that recognized a pattern associated with malware (that may be based on the malicious parts of the code, or maybe some big data algorithm associated otherwise innocent code with the malicious software and flags anything with similar code), maybe it’s just some string match (i.e. a bad attempt but maybe in good faith), or maybe they are using the malicious code removal tool to also target code that the user wants but MS considers malicious to their desire to make money.
IIRC, it’ll say what it matches it to but from what I remember, the actual details remain vague. Like it seems to be at a “report information that sounds useful to managers” level rather than a “report useful technical information for engineers who want to understand what’s happening at a low level”. So you get the malware name but nothing about what that malware does or how this current flag associated it with that.
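To make the Bifrost/Bifrose point and the "name match vs. real evidence" distinction from the posts above concrete, here is a small added example (not code from the thread or from any vendor's engine). It models two detection rules: a name-only rule that flags any file whose name is within edit distance 1 of a known family name, which is exactly the kind of rule that turns a user's own "Bifrost" binary into a "Bifrose" detection, and a corroborated rule that only flags when the file's SHA-256 matches a known sample and treats name similarity as supporting evidence at most. It also emits the per-detection evidence list that the last post wishes the UI would show. The family list apart from "Bifrose", the sample bytes and their hash are all constructed placeholders.

```python
import hashlib
import os

# Constructed list of family names. "Bifrose" is the family name from the thread;
# the other two are placeholders, not real malware families.
KNOWN_FAMILIES = ["Bifrose", "ExampleFamilyA", "ExampleFamilyB"]

# Constructed: a byte string standing in for a known-bad sample (it is not
# malware) and a hash-to-family map, so the stricter rule has real evidence.
SAMPLE_BYTES = b"constructed stand-in for a known-bad sample (not real malware)"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BYTES).hexdigest(): "Bifrose"}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_name(file_name):
    """'C:/tools/Bifrost.exe' -> 'bifrost': the token a name-only rule compares."""
    return os.path.splitext(os.path.basename(file_name))[0].lower()


def name_only_verdict(file_name, max_distance=1):
    """The weak rule: a file name close to a family name is enough to flag.

    Returns {"family", "evidence"} or None. This is the rule that produces the
    Bifrost -> Bifrose false positive: the only evidence is fuzzy name similarity.
    """
    token = base_name(file_name)
    for family in KNOWN_FAMILIES:
        distance = levenshtein(token, family.lower())
        if distance <= max_distance:
            return {
                "family": family,
                "evidence": [f"file name '{token}' is within edit distance "
                             f"{distance} of family name '{family}'"],
            }
    return None


def corroborated_verdict(file_name, content):
    """The stricter rule: flag only on a content indicator (here, a hash match).

    Name similarity is appended as supporting evidence when present, but it can
    never produce a verdict on its own, so the user's own 'Bifrost' tool with
    unknown content is left alone.
    """
    digest = hashlib.sha256(content).hexdigest()
    family = KNOWN_BAD_SHA256.get(digest)
    if family is None:
        return None
    evidence = [f"sha256 {digest[:16]}... matches a known {family} sample"]
    by_name = name_only_verdict(file_name)
    if by_name is not None and by_name["family"] == family:
        evidence.extend(by_name["evidence"])
    return {"family": family, "evidence": evidence}


def engineer_report(file_name, verdict):
    """The report the last post asks for: the family name plus *why* it matched."""
    if verdict is None:
        return f"{file_name}: clean (no corroborating indicator)"
    lines = [f"{file_name}: detected as {verdict['family']}"]
    lines += [f"  - {reason}" for reason in verdict["evidence"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # A user's own binary that merely shares a similar name.
    own_tool = b"my own harmless program"
    print(engineer_report("Bifrost.exe", name_only_verdict("Bifrost.exe")))
    print(engineer_report("Bifrost.exe", corroborated_verdict("Bifrost.exe", own_tool)))
    # The constructed known-bad sample, stored under a similar name.
    print(engineer_report("Bifrost.exe", corroborated_verdict("Bifrost.exe", SAMPLE_BYTES)))
```

Running the script shows the name-only rule flagging `Bifrost.exe` purely on the one-character difference, the corroborated rule leaving the same file alone when its contents are unknown, and a detection with two evidence lines (hash match plus name agreement) for the constructed sample. The evidence list is the part a triage engineer actually needs; a family label alone does not tell you whether the match was content or just a fuzzy string.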