An option in Stinger (one of my on-demand AVs) is to have it scan WMI (Windows Management Instrumentation). That option is unchecked by default. Here is the introductory part of Wikipedia's definition of WMI... Hmmm -- should I check-mark this option, thereby causing Stinger to scan WMI --- or NOT?
WMI can be used for fileless attacks, so in order to detect such entries it is recommended to enable it. MBAM scans for suspicious WMI entries as well.
Below are a few references on WMI attacks. The last one by Matt Graeber is by far the most comprehensive on the subject:
https://www.cybereason.com/blog/fileless-malware-wmi
https://digital-forensics.sans.org/blog/2019/02/09/investigating-wmi-attacks/
https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
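The "entries" the two replies above are talking about are the permanent WMI event subscriptions (filter, consumer, binding) in the root\subscription namespace that the Graeber paper describes. As an added example, not part of this thread and not Stinger's or MBAM's own code, the following PowerShell lists them so you can see what a "scan WMI" option is actually inspecting; it assumes Windows PowerShell 3 or later in an elevated session, since that namespace is admin-only.

```powershell
# Added example: enumerate permanent WMI event subscriptions, the mechanism
# behind fileless WMI persistence. Assumes Windows PowerShell 3+ run as admin.
$ns = 'root\subscription'

# Filters hold the WQL query that triggers the subscription (boot, timer, ...).
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
# Consumers are what runs when a filter fires. CommandLineEventConsumer and
# ActiveScriptEventConsumer execute code with nothing on disk to scan.
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
# A filter does nothing until a binding ties it to a consumer.
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

'== Event filters =='
$filters | Select-Object Name, EventNamespace, QueryLanguage, Query | Format-List

'== Event consumers =='
$consumers | ForEach-Object {
    $kind = $_.CimClass.CimClassName
    # Pull out the inline payload for the consumer types that carry one.
    $payload = switch ($kind) {
        'CommandLineEventConsumer'  { $_.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($_.ScriptText) { $_.ScriptText } else { $_.ScriptFileName } }
        default                     { '(no inline code)' }
    }
    [pscustomobject]@{ Name = $_.Name; Type = $kind; Payload = $payload }
} | Format-List

'== Filter -> consumer bindings =='
$bindings | Select-Object Filter, Consumer | Format-List
```

A stock Windows install carries one benign binding, "SCM Event Log Filter" to the NTEventLogEventConsumer "SCM Event Log Consumer"; anything else, especially a CommandLine or ActiveScript consumer, should be something you or your software deliberately installed.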
It seems that TrendMicro moved their PDF to a new location. It is a good read as well.
The old location is no longer working => https://www.trendmicro.com/media/misc/understanding-wmi-malware-research-paper-en.pdf
Here is the new location => https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf
The question that needs answering here is why it is deselected by default if it's recommended to have it on. This is often the case with rootkit scans, as that needs a driver and is time/resource demanding. Without trying it out myself, is it the same with the WMI scan?