Any chance that "ncat" doesn't get rated as a threat anymore?


Hi,

Me and my colleagues use the OpenVPN client in combination with some "up"-scripts to automatically execute "ncat". The OVPN tunnels are created manually using its default GUI and once in a while Windows Defender rates "ncat" as a threat and puts it into quarantine. One needs to get things back from there, create an exception for that Exe and things work for some weeks, until Windows Defender decides the same Exe to be a threat again. That is really annoying and I didn't find why one needs to repeat the exception process once in a while. The Exe itself definitely did not change.

 

Treating "netcat" that way is even documented:

 

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win32/Ne...

 

That article is from 2007, so why do these Exes still need to be treated as a threat? I'm a developer, Microsoft even developed Windows Subsystem for Linux these days and though basic tools like that are threats? Even if indirectly started using some GUI?

 

That doesn't make much sense to me and I would like to suggest reconsidering that decision. AV scanners are a constant source of annoyance anyway already: They slow down your system, annoy you with false positives like this, contain bugs regularly making your system less secure etc. And this is "ncat", it has very limited file handling and whatever might threaten you at all:

 

http://man7.org/linux/man-pages/man1/ncat.1.html

 

Set them free! :) Thanks!

1 Reply
You can whitelist this particular application in your MDATP tenant if you weigh the risks and want to permit it. As for me, I want it blocked on my network, thank you very much =)