Virus Detected by Windows #751

Murderchan opened this issue Oct 14, 2024 · 12 comments

Comments

@Murderchan

Describe the bug
Windows Defender instantly detects the file as a virus and deletes it. It lists the threat as severe, and clicking 'Learn More' goes into detail that the file contained a trojan virus (Trojan:Script/Wacatac.B!ml).

To Reproduce
Steps to reproduce the behavior:

  1. Download the first file listed
  2. Run the file on Windows 10

Expected behavior
Windows will detect a threat, and instantly quarantine, and then delete any subsequent downloads.

Screenshots
virusDetected

Desktop (please complete the following information):

  • OS: Windows 11
  • Device: Desktop Computer

Additional context
I was able to run the app up until I tried to convert files, wherein Windows detected an issue and quarantined the program. Every download of the application afterwards was instantly deleted.
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AScript%2FWacatac.B!ml&threatid=2147735503

@axu2
Collaborator

axu2 commented Oct 14, 2024

Ugh. I accidentally rebuilt 6.2.0 on the Windows version and it seems to be causing false positive issues. Please use an older release in the meantime while I look into it. 6.0.0 is very stable; 6.1.0 had a lot of issues. @Murderchan

@axu2
Collaborator

axu2 commented Oct 15, 2024

@Murderchan Tweaked the build process, please confirm if it's fixed.

@alpaquito28

@axu2 I just tried again and it is still falsely flagged as a virus by Microsoft Defender.

@axu2
Collaborator

axu2 commented Oct 15, 2024

@alpaquito28 Is the error message any different? Screenshot, and is it W10 or W11? Are you sure you downloaded the right file?

@alpaquito28

@axu2
I downloaded the latest available version, 6.2.0.exe, the first in the assets list, multiple times at 14.15 CET. It got flagged (quarantined and deleted) every time before I could run it. The trojan seems to be different than the one from the issue creator. Windows will detect a threat, and instantly quarantine, and then delete any subsequent downloads.

After that I tried with the previous version, 6.1.0.exe. Before running it I also got a warning from Windows Defender, but after dismissing it, it ran without issues and I could proceed as normal, so I did not try with the 6.0 version.

Version: 6.2.0.exe
Trojan:Win32/Sabsik.FL.A!ml
Windows: 11 23H2 (Lenovo Laptop)

This is the link from Microsoft after clicking on more info: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FSabsik.FL.A!ml&threatid=2147780195

image

@Murderchan
Author

I was able to download and run it without issue, somehow.

@Murderchan
Author

Murderchan commented Oct 15, 2024

Never mind - in the middle of converting some volumes Windows flagged it and quarantined it again. I almost finished 3 volumes' worth of material before it got flagged.

secondVirus

@AcidWeb
Collaborator

AcidWeb commented Oct 15, 2024

Sadly this is often an issue with PyInstaller binaries. `!ml` in the threat name means it was an educated guess - a bad one in this case.

Report a false positive to Microsoft.
Make sure that PyInstaller is recompiling the bootloader before using it, and I would suggest codesigning the Windows binaries - it helps a lot with this issue.
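
Added example, not part of the thread or the project's code: a parser for the two Defender detection names reported in this issue, taken from the encyclopedia links posted above, that checks for the `!ml` suffix mentioned in the previous comment. The `Type:Platform/Family.Variant!Suffix` layout is assumed from Microsoft's published naming scheme, and the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse, parse_qs

# Assumed layout (Microsoft's published naming scheme):
#   Type:Platform/Family[.Variant][!Suffix...]
NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):(?P<platform>[A-Za-z0-9_]+)/(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9.]+))?(?P<suffixes>(?:![A-Za-z0-9]+)*)$"
)

@dataclass(frozen=True)
class Detection:
    type: str
    platform: str
    family: str
    variant: Optional[str]
    suffixes: Tuple[str, ...]
    threat_id: Optional[int] = None

    @property
    def is_ml_verdict(self) -> bool:
        # Per the comment above, "!ml" marks an educated-guess (ML) verdict.
        return "ml" in self.suffixes

def parse_name(name: str, threat_id: Optional[int] = None) -> Detection:
    m = NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Defender-style threat name: {name!r}")
    suffixes = tuple(s.lower() for s in m["suffixes"].split("!") if s)
    return Detection(m["type"], m["platform"], m["family"], m["variant"], suffixes, threat_id)

def parse_encyclopedia_url(url: str) -> Detection:
    """Decode the name/threatid query parameters of an encyclopedia link."""
    query = parse_qs(urlparse(url).query)
    if "name" not in query:
        raise ValueError("URL carries no 'name' parameter")
    tid = query.get("threatid", [""])[0]
    return parse_name(query["name"][0], int(tid) if tid.isdigit() else None)

# The two links posted in this thread.
REPORTED = [
    "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AScript%2FWacatac.B!ml&threatid=2147735503",
    "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FSabsik.FL.A!ml&threatid=2147780195",
]

if __name__ == "__main__":
    for d in map(parse_encyclopedia_url, REPORTED):
        kind = "ML verdict" if d.is_ml_verdict else "signature/other"
        print(f"{d.family:8} variant={d.variant or '-':5} platform={d.platform:7} id={d.threat_id} -> {kind}")
```
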

@axu2
Collaborator

axu2 commented Oct 17, 2024

Ok, I reported it, and also did a tweak to the build process. Please report if it works now. @Murderchan @alpaquito28

And I imagine codesign costs hundreds of dollars?

@AcidWeb
Collaborator

AcidWeb commented Oct 17, 2024

Certum have quite cheap ones for open source projects.

@darodi
Collaborator

darodi commented Oct 17, 2024

Time to make that donation button on the main page useful 😁

@axu2
Collaborator

axu2 commented Oct 17, 2024

I did a little research; I think maybe publishing on the Microsoft Store is the cheapest option.


5 participants