> These tools scan the executables without executing them, don't they? No, modern AV software executes unknown binaries in an emulated system environment. Defender has an x86-to-safe-x86 JIT compiler built in to make…
Interesting. Presumably this breaks the emulated environment in which Defender is running the executable, and when this fails Defender assumes the executable is safe rather than suspicious?
> These tools scan the executables without executing them, don't they? No, modern AV software executes unknown binaries in an emulated system environment. Defender has an x86-to-safe-x86 JIT compiler built in to make…
Interesting. Presumably this breaks the emulated environment in which Defender is running the executable, and when this fails Defender assumes the executable is safe rather than suspicious?