
Windows Defender false positive?



I have run my Windows 10 installation for over 2.5 years with no antivirus. I don't need it really because, well, I don't do the obvious. But lately, since the last Windows 10 update 21H2, Windows Defender is suddenly acting up. It found an iframe or framework in my sent items under Thunderbird, in one of the accounts I use.

Technically I can't send viruses, and I'm 99% confident it's a false positive. The reason is that my server always scans incoming and outgoing email, no matter which device I send email from. I have my own 15 servers, hardened, since I have run my own business for 14 years, primarily based on internet services for 77 clients with over 2700 websites.

But how do I determine which "specific" email it is? If I click remove it will just re-download the email (sync due to IMAP) and the cycle repeats. It is only showing a folder inside Thunderbird. Perhaps a last modification?

Edit: it is simply attempting to quarantine or delete the complete "Sent" file of Thunderbird in this case.
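One way to answer the "which specific email" question, as an added example that is not from the thread: Thunderbird's Sent file is a plain mbox, so Python's standard mailbox module can walk it and list the messages whose HTML bodies contain tags that AV engines tend to flag (iframe, script, object, embed), so the right message can be checked or reported rather than the whole file. The sample mbox below is constructed; run scan_mbox against a copy of the real Sent file, not the live profile.

```python
import mailbox
import re
import tempfile

# Constructed sample in Thunderbird's mbox layout (each message begins with a "From - " line).
SAMPLE_MBOX = b"""From - Mon Jan 10 10:00:00 2022
From: me@example.com
To: client@example.com
Subject: Invoice
Content-Type: text/plain

Please find the invoice attached.

From - Tue Jan 11 11:00:00 2022
From: me@example.com
To: client@example.com
Subject: Newsletter draft
Message-ID: <b2@example.com>
Content-Type: text/html

<html><body><p>Draft</p><iframe src="https://example.com/embed"></iframe></body></html>
"""

# Tags that AV heuristics commonly flag inside HTML mail bodies (a hint for triage, not a verdict).
SUSPECT_TAG_RE = re.compile(r"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)

def html_parts(msg):  # Yield decoded text of each text/html part (multipart or single-part).
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield (part.get_payload(decode=True) or b"").decode(part.get_content_charset() or "utf-8", "replace")

def scan_mbox(path):
    """Return one record per message whose HTML body contains a suspect tag."""
    hits = []
    box = mailbox.mbox(path, create=False)
    for key, msg in box.items():
        tags = {t.lower() for html in html_parts(msg) for t in SUSPECT_TAG_RE.findall(html)}
        if tags:
            hits.append({"index": key, "subject": msg.get("Subject", ""),
                         "message_id": msg.get("Message-ID", ""), "tags": sorted(tags)})
    box.close()
    return hits

def scan_bytes(data):  # Scan an in-memory mbox via a throwaway file; never point this at the live profile.
    with tempfile.TemporaryDirectory() as tmp:
        path = f"{tmp}/sample.mbox"
        with open(path, "wb") as fh:
            fh.write(data)
        return scan_mbox(path)
```

The Message-ID in each hit is what to search for in the IMAP Sent folder, since the mbox index changes whenever the folder is compacted.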
 
Yes,

The "Sent" file, which is one generic file holding multiple sent messages. So basically in there is one message with apparently a framework or iframe that should be "harmful". But I know a legitimate iframe could be flagged as dangerous these days. It started since most commercial antivirus is throwing in all sorts of frameworks now.
 
Yes,

The "Sent" file, which is one generic file holding multiple sent messages. So basically in there is one message with apparently a framework or iframe that should be "harmful". But I know a legitimate iframe could be flagged as dangerous these days. It started since most commercial antivirus is throwing in all sorts of frameworks now.
What kind of file and what kind of messages?
 
If you are absolutely certain you could just remove the directory from Windows Defender scans. Absolutely certain, as in, download and run another virus checker or two on it and maybe run an offline scan from a removable drive as well, or let Windows Defender do it offline. Remember the definition of a virus according to most heuristic applications (which most are anymore) is something that executes a known rise in security or privileges or attempts to read and write to a system or user specific area. The days of drive-by downloads aren't over, and an application asking to launch a browser or service it isn't able to from a user level account would send up a flag if not get blocked by most good AV/AMs.

That being said I gained 25% performance on a networked SQL database by telling windows defender to ignore it and its processes.
 
What kind of file and what kind of messages?

It's the same as an "Inbox.pst" or something similar. It's a file which holds messages instead of separate files.

But even if I was infected, I still wouldn't be able to send emails containing viruses or malicious stuff like frameworks or iframes. My server would block it and message me about it.
 
It's the same as an "Inbox.pst" or something similar. It's a file which holds messages instead of separate files.

But even if I was infected, I still wouldn't be able to send emails containing viruses or malicious stuff like frameworks or iframes. My server would block it and message me about it.
Tell Defender to make an exception. Doing so is in the settings somewhere.

If you are absolutely certain you could just remove the directory from Windows Defender scans.
Or this.
 
I have run my Windows 10 installation for over 2.5 years with no antivirus. I don't need it really because, well, I don't do the obvious.
Best not to assume you are more clever than all the bad guys out there. While avoiding the obvious may provide 99.9% protection, the clever bad guys are looking for that tiny 0.1% crack to weasel in through. This simple precaution is even more prudent if you are not the only user here.

Plus, it should be noted that businesses have become a target of choice by the more experienced bad guys.

No security solution is perfect. False positives are a PITA, but inevitable - but still way WAY better than false negatives. At least at this point, you know the suspect file is safely contained. That's a good thing.

You told Lex you know what file it is. Then I recommend you verify it is safe (or not) with VirusTotal, or Jotti, or both. If clean, then I agree you can tell Defender to make an exception.

And, and this is what I recommend, you do nothing with the file or Defender - for now. For sure, verify with those other sites but also send the file to Microsoft for malware analysis. The antimalware industry (the good guys) needs front-line "in the field" people like you to help them fight the bad guys. They cannot rely on honey-buckets alone. You can help by reporting these incidents. This is one of the major methods the security industry learns of new vulnerabilities and new (zero-day) exploits/malware.

Microsoft will analyze the file(s) and determine if truly malicious, or not. If malicious, they will share that malware's profile with the rest of the antimalware/security industry. But if safe and it really is a "false positive", they will fix that in an upcoming Defender update.

By doing nothing now (other than reporting them), if truly a false positive, your problem will go away by itself in the near future without you making any exceptions - and that, at least to me, is the better result.
 