Fucking defender, again. It seems to be their "cloud" protection shit which keeps detecting ViewSecurityDescriptor.exe. If I only knew why they were detecting it I might be able to change it to avoid it but of course they probably don't know if it's an ML signature.
Try: Naming it msiexec.exe Putting it in a folder, when launced set symlink on folder ADS. Make launcher that starts it suspended, then open the file with FILE_REQUIRE_OPLOCK and resume it Detect if running in sandbox by trying opening \\?\VMSMB then exit
-
-
Thx, sure I could add some anti-emulation/anti-analysis detection but that really shouldn't be something I need to do for a benign file. They should just fix their shit.
-
Yarh- when they do stuff like that and making defender undisable they are making us forced to fix it. I mean, could i disable defender with a click i wouldnt post generic bypasses/disable methods usable for actual malware also.
- Show replies
New conversation -
-
-
Re. "Set a symlink on a folder ADS". Could you explain that a little more please?
-
look through my posting history- find the one where i disable defender
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.