
Windows Defender download warning

Solved by Murasaki


Hi,


I have encountered a curious thing regarding downloading some files, i.e. on one PC torrent client downloads were flagged as potentially unwanted or malicious (I don’t remember exactly) while on another the warning was not displayed. Both ran on 20H2 and Edge, but it was a 2-3 week time span so some update might have changed. Is it some kind of heuristics? Those were secure sites but as I do not use software like that in general I’m curious why it behaved like that.

The second PC is a fresh installation, fully up to date, with no MS account logged in. Can this be a factor?


It most likely would come down to what version of definitions Defender has. And I'll tell you that thing has Anti-malware delta patch updates 1-2 times a day.


8 minutes ago, Murasaki said:

It most likely would come down to what version of definitions Defender has. And I'll tell you that thing has Anti-malware delta patch updates 1-2 times a day.

Yes, I know as I keep it up to date at least twice a day. Just curious though what could have caused it and whether it’s something on my main PC like potential malicious software or just definitions like you said.


1 minute ago, Sharpman85 said:

Yes, I know as I keep it up to date at least twice a day. Just curious though what could have caused it and whether it’s something on my main PC like potential malicious software or just definitions like you said.

There could be plenty of other complicated factors down to how the operating system behaves per system, but I wouldn't know anything other than logically telling you it's antimalware definitions. For example, I use Autoruns, which shows all startup entries and also sends them to VirusTotal. Over time the same files could be flagged as malicious, then deemed safe, and then flagged again because some random AV said it's suspicious. I just shrug it off as another false positive.


32 minutes ago, Murasaki said:

There could be plenty of other complicated factors down to how the operating system behaves per system, but I wouldn't know anything other than logically telling you it's antimalware definitions. For example, I use Autoruns, which shows all startup entries and also sends them to VirusTotal. Over time the same files could be flagged as malicious, then deemed safe, and then flagged again because some random AV said it's suspicious. I just shrug it off as another false positive.

Good to know, thanks. I have used that site in the past and monitor each link, so I’m pretty sure it was safe, especially since at that time 3 other sites with the same software were also flagged as suspicious/malicious. Maybe indeed those were definitions; maybe I’ll try again just to verify.


On 3/28/2021 at 1:42 PM, Murasaki said:

There could be plenty of other complicated factors down to how the operating system behaves per system, but I wouldn't know anything other than logically telling you it's antimalware definitions. For example, I use Autoruns, which shows all startup entries and also sends them to VirusTotal. Over time the same files could be flagged as malicious, then deemed safe, and then flagged again because some random AV said it's suspicious. I just shrug it off as another false positive.

I’ve done some digging about the PUA (potentially unwanted software) function and I think it’s what caused my confusion. In this article (https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/criteria) it says that torrent software can be categorized as such, but there is the disclaimer that it concerns enterprise, while I had the normal home version on all PCs. Maybe a false positive, or the function being overprotective? I did not try it again on the same PC after a clean install though, but with all the updates in between it’s not a good test.


13 minutes ago, Sharpman85 said:

I’ve done some digging about the PUA (potentially unwanted software) function and I think it’s what caused my confusion. In this article (https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/criteria) it says that torrent software can be categorized as such, but there is the disclaimer that it concerns enterprise, while I had the normal home version on all PCs. Maybe a false positive, or the function being overprotective? I did not try it again on the same PC after a clean install though, but with all the updates in between it’s not a good test.

It doesn't matter through what means you were downloading the file, be it HTTP/FTP/P2P; it all boils down to the downloaded files themselves.


15 minutes ago, Murasaki said:

It doesn't matter through what means you were downloading the file, be it HTTP/FTP/P2P; it all boils down to the downloaded files themselves.

That's not how I understand it. I think they're saying Defender thinks the torrent software itself is "potentially unwanted" because it can, and often will, download other malicious or "potentially" unwanted software.


The direction tells you... the direction

-Scott Manley, 2021

Software used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer


22 minutes ago, Mark Kaine said:

That's not how I understand it. I think they're saying Defender thinks the torrent software itself is "potentially unwanted" because it can, and often will, download other malicious or "potentially" unwanted software.

I think that’s exactly how it is. I was just curious why it was blocking on one PC while not the other, but it seems that the definitions made the difference. Maybe a pointless discussion, but at least I get some insight on new things. Still, I regret not checking the protection history for details, but it’s water under the bridge now.

PUA leaves Defender entries, right?


23 minutes ago, Mark Kaine said:

That's not how I understand it. I think they're saying Defender thinks the torrent software itself is "potentially unwanted" because it can, and often will, download other malicious or "potentially" unwanted software.

Oh, you're right, I definitely misread that.


5 minutes ago, Sharpman85 said:

I think that’s exactly how it is. I was just curious why it was blocking on one PC while not the other, but it seems that the definitions made the difference. Maybe a pointless discussion, but at least I get some insight on new things. Still, I regret not checking the protection history for details, but it’s water under the bridge now.

PUA leaves Defender entries, right?

Well, it's not pointless. Actually, if you get some Defender warning it's best to do some research, especially if you think it should be safe but aren't sure.

One way is to upload the program or file to VirusTotal; they will check with many AV definitions, and usually it turns out to be at least a false positive, or a PUP (potentially unwanted program), in which case you have to try understanding *why* it's a PUP. There are many reasons: for example, some programs can be detected as cheats by anti-cheat software (stuff like trainers, which can actually be used for cheats) even if you don't actively use them, so it would be best not to have them running while playing games that have anti-cheat. Or some programs (like perhaps torrent clients) come with additional installers for stuff like Firefox; those can also be seen as "potentially unwanted".

So in many cases it's just easier to ask on a forum like this, and sometimes you can't even upload something to VirusTotal because Defender prevents downloading of the files in question in the first place.

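Two things the thread circles around, whether the two PCs were actually on the same definition version and whether a PUA block leaves a record in Defender's history, can both be answered from PowerShell. The script below is an added example, not code from the thread or from Microsoft; it uses only the built-in Defender cmdlets and the Defender operational event log, and the function names and the 30-day window are my own choices. Run it in an elevated PowerShell on each PC and compare the first block's output between them.

```powershell
# Added example (not from the thread). Requires Windows 10/11 with Microsoft Defender.
# Part 1: snapshot of the engine/definition versions and the PUA setting on this PC.
function Get-DefenderDefinitionSnapshot {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        EngineVersion     = $status.AMEngineVersion
        SignatureVersion  = $status.AntivirusSignatureVersion
        SignatureAgeHours = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
        PUAProtection     = $pref.PUAProtection   # 0 = disabled, 1 = block, 2 = audit mode
    }
}

# Part 2: PUA entries from Defender's own detection history.
# Defender names PUA detections with a "PUA:" prefix, so filtering on that
# separates them from malware detections.
function Get-DefenderPuaHistory {
    param([int]$Days = 30)   # window length is an assumption, adjust as needed
    $since = (Get-Date).AddDays(-$Days)
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since -and $names[$_.ThreatID] -like 'PUA:*' } |
        ForEach-Object {
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                ThreatName = $names[$_.ThreatID]
                Resource   = ($_.Resources -join '; ')   # the flagged file path(s)
                Process    = $_.ProcessName              # e.g. the browser that downloaded it
            }
        }
}

# Part 3: the same information from the event log, which survives even if the
# detection list has been cleared. Event 1116 = threat detected, 1117 = action taken.
function Get-DefenderPuaEvents {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PUA:' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-DefenderDefinitionSnapshot | Format-List
Get-DefenderPuaHistory -Days 30  | Format-Table -AutoSize
Get-DefenderPuaEvents  -Days 30  | Format-Table -AutoSize -Wrap
```

If the SignatureVersion values differ between the two machines, that alone can explain one PC blocking a download the other allowed; the PUA entries show which file and which process triggered the block.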

7 hours ago, Mark Kaine said:

Well, it's not pointless. Actually, if you get some Defender warning it's best to do some research, especially if you think it should be safe but aren't sure.

One way is to upload the program or file to VirusTotal; they will check with many AV definitions, and usually it turns out to be at least a false positive, or a PUP (potentially unwanted program), in which case you have to try understanding *why* it's a PUP. There are many reasons: for example, some programs can be detected as cheats by anti-cheat software (stuff like trainers, which can actually be used for cheats) even if you don't actively use them, so it would be best not to have them running while playing games that have anti-cheat. Or some programs (like perhaps torrent clients) come with additional installers for stuff like Firefox; those can also be seen as "potentially unwanted".

So in many cases it's just easier to ask on a forum like this, and sometimes you can't even upload something to VirusTotal because Defender prevents downloading of the files in question in the first place.

That’s how it was in my case: it was being blocked, but along with 2 other clients, one of which has not been changed for some years now, and all of them were from secure sites. I did not go so far as to add exceptions or confirm the download of one of them twice (it warned a second time after confirming that I want to download it). Before I install something new I also routinely do an antivirus scan, just in case.

I’ve also found that starting from the beginning of March most torrent clients were being flagged as such. It was reported on Reddit, but at the time of my blocking I just shrugged it off and did not attempt to download again. I just tried it a few days later on a more “dirty” PC, and the time correlation of those apps starting to run/being downloadable adds up.
