by NtGuy25 1652 days ago
It depends, but most consumer AVs upload. And a lot of EDRs are implementing cloud-based detections, with the option for companies with IP risks to run an on-prem version of their cloud server.

A good example is this Hacker News post from not long ago detailing how Windows Defender uploaded a beacon he made from a VM with no internet access (but connected to a LAN with his main computer), exfiltrated it from there to Redmond, and ran it, most likely in some automated scanner. https://news.ycombinator.com/item?id=21180019


Wow, that’s kind of alarming; I wouldn’t have expected that behavior from an OS-provided AV (I would have assumed it would be more conservative), but maybe I shouldn’t be too surprised given the trends these days (and Microsoft’s decisions with their recent OSes too).

Thanks for sharing.