by neko_koneko 2981 days ago
Malware authors often incorporate legitimate software into their malware - e.g. Nir Sofer's Mail PassView and Web PassView are used in the Emotet spam bot to harvest user credentials. Usually such files are marked as "Potentially unsafe software" by analysts, or in some cases could be detected as part of a malware family by AV companies' automated detection tools.
2 comments

Another thing is that actions malware take and actions legitimate "power user" software takes are separated only by context. Thus automated behavior analysis is always going to produce false positives.
Is there much behaviour analysis done by consumer AV? Even Defender seems to be mostly signature based.
Yep. Malware is constantly repacked/encrypted. It is impractical/impossible to write static unpacking engines for every type of malware packing technique, so a behavioral analysis engine is a must (btw, behavioral engines still detect malware using signatures).
Same for psexec and xexec for remote execution.
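A constructed illustration of the "separated only by context" point in this thread, added here and not code from any of the commenters: the same dual-use tool (PsExec, a NirSoft password viewer) scores low or high depending on parent process, session type and fan-out, and a benign mass patch job trips the same rule as lateral movement. The tool file names, event fields, weights and threshold are assumptions.

```python
from dataclasses import dataclass

# Dual-use tools named in the thread; the file names are assumptions used for matching.
DUAL_USE_TOOLS = {"psexec.exe", "mailpv.exe", "webbrowserpassview.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed format, not a real log schema)."""
    user: str
    image: str          # basename of the executed binary
    parent: str         # basename of the parent process
    interactive: bool   # launched from a logged-on desktop session
    fanout: int         # remote hosts the same user touched in the last minute

def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Score one event by context; higher is more suspicious. Returns (score, reasons)."""
    if ev.image.lower() not in DUAL_USE_TOOLS:
        return 0, []
    score, reasons = 1, [f"dual-use tool {ev.image}"]
    if ev.parent.lower() in OFFICE_PARENTS:        # document-borne loaders do this
        score, reasons = score + 3, reasons + ["spawned by an Office application"]
    if not ev.interactive:                          # no human at the keyboard
        score, reasons = score + 2, reasons + ["no interactive session"]
    if ev.fanout >= 10:                             # lateral-movement-style spread
        score, reasons = score + 2, reasons + [f"fan-out to {ev.fanout} hosts"]
    return score, reasons

def triage(events: list[ProcEvent], threshold: int = 3) -> list[tuple[ProcEvent, int, list[str]]]:
    """Return the events whose score reaches the alert threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits

# Constructed sample events: same tools, different context.
SAMPLE_EVENTS = [
    # Admin opens a shell and runs PsExec against one box: low score, no alert.
    ProcEvent("admin", "PsExec.exe", "cmd.exe", True, 1),
    # Credential viewer dropped by a malicious document: clearly flagged.
    ProcEvent("alice", "mailpv.exe", "WINWORD.EXE", False, 0),
    # Scheduled patch job pushing PsExec to 50 hosts overnight: flagged as well,
    # although benign. This is the false positive the thread describes.
    ProcEvent("svc_patch", "PsExec.exe", "svchost.exe", False, 50),
]

if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{ev.user:<10} {ev.image:<12} score={score} because {', '.join(reasons)}")
```

The third event is the point of the exercise: without context the detector cannot tell a patch rollout from lateral movement, so the rule either alerts on both or misses both.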