Trojan detected by Defender


I am testing my application for windows and when trying to download an update file ( from our web server. Microsoft Defender interrupts the download and detects:


Actually I don’t know why Defender detects this. Anyone seeing such problem? I have submitted the file to Microsoft. Does anyone know how long Microsoft needs to update the virus definitions?

My System:

  • MacOS Ventura 13.2
  • Windows 11 ARM 22H2 (10.0.22000.1574) and 23 (10.0.22000.1641) virtual machine
  • xojo 2022 R4.1
  • MBS Plugins 22.5
  • TextInputCanvas 2.0

The app uses

  • API 2.0
  • xojoscript

Do certificates and signing avoid these problems?


Anyone who wants to target your computer or app ? This malware seems to be a kind of you don’t want in your system.

Read this (in full)

Codesigning could help your code from becoming compromised, but if this is in your code (could be hidden or in a plugin, etc) then your out of luck.

Please try from your windows logo click: press “RUN” then type “mrt” (malware removal tool) and see if that sorts your issue.

After diving deeper into the topic I discovered, that Microsoft Defender misinterprets an answer from the web server… Just got it to work as expected.

THANKS for all ideas… and links…

1 Like

@Daniel_Fritzsche ok what answer from webserver?
It would help the community if you explained the problem and solution :grinning:


The url was malformed so that the download target could not be found and the web server returned a 404 page. That return was interpreted by Defender as malicious. The returned 404 did not contain any malware just plain html. When I try to do the same within edge browser no defender warning was created. So at the moment I have no clue what was going on. I am investigating further.

With the correct url everything works as expected.


“Trojans” are malware that spread by masquerading as something else. Google suggests that “Wacatac” spreads via mislabeled e-mail attachments.

My psychic debugger says that Defender is triggered by a mismatch of filename extension (.zip) with the content (HTML/javascript), perhaps combined with other heuristics such as the URL, HTTP status code, whether HTTPS was used, the IP address/block of the server, or the file being located in an untrustworthy folder like SpecialFolder.Temporary.

I had exactly the same problem a few days ago. Not downloading any .ZIP files. What it was “detected” as the trojan is the .EXE file of one of the apps created with xojo. :thinking:

I had to send instructions to restore the app from the quarantine to the affected clients.

After solving the first problem it is now the Trojan “Sabsik.TE.A!ml” which is found within the setup file at a users site.

I use innosetup to create the setup.

Any ideas except to remove quarantine? Could it be that xojoscript is problematic? Any hints would be great…

Well it’s a signature that the virus scanner may look for so it looks more like it’s compromized and not that it could be something else. These kind of trojans could worm them selves into any software, code, memory, file etc. It’s better to do a full virus scan (or MRT) and then just remove (quarantine) the things with issues.

If you have “cracked” software, 99% of the cases the (windows) system could be infected.

Thank you for your comment. At the moment Microsoft did not consider my file to be infected, which is a result of their service to scan false positives. It seems to be a problem on the client side.

I have now changed the download to be an unzipped setup file. I have tested the download on a clean new windows 11 system with no problems. Could anyone here test the download?

Just for fun:

Downloaded fine in nearly 4 minutes… on an Apple Silikon MBP M1 !!!

Thank you,

I should have mentioned that it only makes sense to download on windows in order to see if the defender generally quarantines my app :grin:

1 Like

It’s worth noting that if your customer already has a virus on their computer, it could be that it is infecting every exe that gets downloaded to further propagate.


Yes, I understand that. But, I usually download everything using my MBP M1, including Windows software (Windows 10 &nd 11 included), then I move the downloads to Windows (when needed).
And, nowadays, it is worth knowing everything download correctly in all possible cases (including this strange one).


I had one of my collogues try to download an update which just contained the .exe in a zip. In this case uploaded to discord.

Exact same false positive. Not using xojoscript in this desktop project. 2022r4

Uploading the whole build folder as a 7z (also to discord) did not get flagged.

Possibly a portion of the file when zipped is creating a matching signature to the mentioned malware. It happened ~20 hours ago. I cannot trigger it on any of my computers.

things that may contribute or may not:

  • Compiling for Windows x86 64 bit
  • Optimization Level is Aggressive
  • Sqlite Database
  • Htmlviewer
  • Searchfield
  • UrlConnection
  • Shell.execute

If I go to virustotal and upload the file, it is ok, if I provide it the discord link url, it says i malicious, even if it is just an image like:

@Daniel_Fritzsche can you do the same test against files on your webserver.

virustotal checked both url (exe and zip) of my file without any alarm. When my client downloads the uncompressed exe (setup file created via innosetup) there is no problem. This is weird. So it seams that distributing the uncompressed setup file is the best option.

Have you tried modifying the word size, compression method or compression level? these options may change the resulting file and therefore may resolve the issue. I use 7-Zip which offers these options.

have you tried instead to rename zip file to example.png
or example.html and client to rename it again to