Trojan detected by Defender

Hi,

I am testing my application for Windows, and when trying to download an update file (filename.zip) from our web server, Microsoft Defender interrupts the download and detects:

Trojan:Script/Wacatac.H!ml

Actually I don’t know why Defender detects this. Anyone seeing such a problem? I have submitted the file to Microsoft. Does anyone know how long Microsoft needs to update the virus definitions?

My System:

  • MacOS Ventura 13.2
  • Windows 11 ARM 22H2 (10.0.22000.1574) and 23 (10.0.22000.1641) virtual machine
  • xojo 2022 R4.1
  • MBS Plugins 22.5
  • TextInputCanvas 2.0

The app uses

  • API 2.0
  • xojoscript

Do certificates and signing avoid these problems?

Daniel

Anyone who wants to target your computer or app? This malware seems to be a kind you don’t want in your system.

Read this (in full)
https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-trojanscriptwacatachml-keeps/93ef0ec1-3170-48d6-86af-5373ff6c3cd1

Codesigning could help your code from becoming compromised, but if this is in your code (could be hidden or in a plugin, etc.) then you’re out of luck.

Please try from your Windows logo click: press “RUN”, then type “mrt” (malware removal tool) and see if that sorts your issue.

After diving deeper into the topic I discovered that Microsoft Defender misinterprets an answer from the web server… Just got it to work as expected.

THANKS for all ideas… and links…

1 Like

@Daniel_Fritzsche ok, what answer from the webserver?
It would help the community if you explained the problem and solution :grinning:

3 Likes

The URL was malformed so that the download target could not be found and the web server returned a 404 page. That return was interpreted by Defender as malicious. The returned 404 did not contain any malware, just plain HTML. When I try to do the same within the Edge browser no Defender warning was created. So at the moment I have no clue what was going on. I am investigating further.

With the correct URL everything works as expected.

2 Likes

“Trojans” are malware that spread by masquerading as something else. Google suggests that “Wacatac” spreads via mislabeled e-mail attachments.

My psychic debugger says that Defender is triggered by a mismatch of filename extension (.zip) with the content (HTML/javascript), perhaps combined with other heuristics such as the URL, HTTP status code, whether HTTPS was used, the IP address/block of the server, or the file being located in an untrustworthy folder like SpecialFolder.Temporary.
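The two observations above (a 404 HTML page saved under a .zip name, and an extension that does not match the content) can be caught on the client before the response is ever written to disk. The following is an added example, not code from this thread or from Xojo; it is written in Python so it runs stand-alone, and the sample archive and the 404 page it checks are constructed inline:

```python
import io
import zipfile
from typing import NamedTuple

# ZIP signatures: local file header, empty archive, spanned/split marker.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


class DownloadCheck(NamedTuple):
    ok: bool
    reason: str


def check_zip_response(status: int, content_type: str, body: bytes) -> DownloadCheck:
    """Decide whether an HTTP response may be saved to disk as a .zip update file.

    Rejects non-200 statuses (the 404 case from the thread), HTML bodies that a
    server may hand back with a 200, and anything that is not a readable archive.
    """
    if status != 200:
        return DownloadCheck(False, f"unexpected HTTP status {status}")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type.startswith("text/html"):
        return DownloadCheck(False, f"content-type {media_type!r} is an HTML page, not an archive")
    if not body.startswith(ZIP_MAGIC):
        return DownloadCheck(False, "body does not start with a ZIP signature")
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as archive:
            first_bad = archive.testzip()  # CRC check of every member
    except zipfile.BadZipFile as exc:
        return DownloadCheck(False, f"not a readable ZIP archive: {exc}")
    if first_bad is not None:
        return DownloadCheck(False, f"corrupt member {first_bad!r} in archive")
    return DownloadCheck(True, "ZIP archive verified")


def build_sample_zip() -> bytes:
    """Constructed sample: a tiny valid archive standing in for the real update."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("update/README.txt", "constructed sample update payload\n")
    return buf.getvalue()


# Constructed sample of what a mistyped download URL returns: a plain 404 page.
NOT_FOUND_HTML = (b"<!DOCTYPE html><html><head><title>404 Not Found</title></head>"
                  b"<body><h1>Not Found</h1></body></html>")

if __name__ == "__main__":
    print(check_zip_response(404, "text/html; charset=utf-8", NOT_FOUND_HTML))
    print(check_zip_response(200, "application/zip", build_sample_zip()))
```

Only a response that passes all checks is worth writing to a file named .zip; everything else is logged and discarded, so a broken URL surfaces as an application error rather than as a Defender quarantine.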

I had exactly the same problem a few days ago. Not downloading any .ZIP files. What was “detected” as the trojan is the .EXE file of one of the apps created with xojo. :thinking:

I had to send instructions to restore the app from the quarantine to the affected clients.

After solving the first problem it is now the Trojan “Sabsik.TE.A!ml” which is found within the setup file at a users site.

I use innosetup to create the setup.

Any ideas except to remove quarantine? Could it be that xojoscript is problematic? Any hints would be great…

Well, it’s a signature that the virus scanner may look for, so it looks more like it’s compromised and not that it could be something else. These kinds of trojans could worm themselves into any software, code, memory, file etc. It’s better to do a full virus scan (or MRT) and then just remove (quarantine) the things with issues.

If you have “cracked” software, 99% of the cases the (windows) system could be infected.

Thank you for your comment. At the moment Microsoft did not consider my file to be infected, which is a result of their service to scan false positives. It seems to be a problem on the client side.

I have now changed the download to be an unzipped setup file. I have tested the download on a clean new windows 11 system with no problems. Could anyone here test the download?

Just for fun:

Downloaded fine in nearly 4 minutes… on an Apple Silicon MBP M1 !!!

Thank you,

I should have mentioned that it only makes sense to download on windows in order to see if the defender generally quarantines my app :grin:

1 Like

It’s worth noting that if your customer already has a virus on their computer, it could be that it is infecting every exe that gets downloaded to further propagate.

3 Likes

Yes, I understand that. But I usually download everything using my MBP M1, including Windows software (Windows 10 and 11 included), then I move the downloads to Windows (when needed).
And, nowadays, it is worth knowing everything downloads correctly in all possible cases (including this strange one).

Regards

I had one of my colleagues try to download an update which just contained the .exe in a zip. In this case uploaded to Discord.

Exact same false positive. Not using xojoscript in this desktop project. 2022r4

Uploading the whole build folder as a 7z (also to discord) did not get flagged.

Possibly a portion of the file when zipped is creating a matching signature to the mentioned malware. It happened ~20 hours ago. I cannot trigger it on any of my computers.

Things that may or may not contribute:

  • Compiling for Windows x86 64 bit
  • Optimization Level is Aggressive
  • Sqlite Database
  • Htmlviewer
  • Searchfield
  • UrlConnection
  • Shell.execute

If I go to VirusTotal and upload the file, it is ok; if I provide it the Discord link URL, it says it is malicious, even if it is just an image like: https://cdn.discordapp.com/attachments/917918698164076584/1085741136330637392/image.png

@Daniel_Fritzsche can you do the same test against files on your webserver?

VirusTotal checked both URLs (exe and zip) of my file without any alarm. When my client downloads the uncompressed exe (setup file created via innosetup) there is no problem. This is weird. So it seems that distributing the uncompressed setup file is the best option.

Have you tried modifying the word size, compression method or compression level? These options may change the resulting file and therefore may resolve the issue. I use 7-Zip, which offers these options.

Hi,
have you tried instead to rename the zip file example.zip to example.png
or example.html and have the client rename it again to example.zip?