
"naps2-8.0b2-win-x64.zip" detected as malware by Microsoft Defender #516

Open
tomasz1986 opened this issue Jan 7, 2025 · 5 comments

@tomasz1986

Describe the bug

Microsoft Defender incorrectly flags the Windows installer from https://github.com/cyanfish/naps2/releases/tag/v8.0b2 as "Trojan:Script/Wacatac.B!ml".

To Reproduce

Steps to reproduce the behavior:

  1. Try downloading https://github.com/cyanfish/naps2/releases/download/v8.0b2/naps2-8.0b2-win-x64.zip on a Windows 10/11 machine with the newest Microsoft Defender definition updates.
  2. The downloaded file is immediately blocked by Microsoft Defender.

Expected behavior

The downloaded file should not be flagged by Microsoft Defender as malware.

Desktop (please complete the following information):

  • OS: Windows 11
  • Version 8.0b2

Additional context

I know that this is likely a false positive, but I'm posting this just in case. I have also submitted the file to Microsoft for revision. The submission is available at https://microsoft.com/en-us/wdsi/submission/438cf6d7-2b41-4459-9d8c-48524533d52a, but I think you need to have a Microsoft account in order to view it.


For the record, Microsoft Defender is not the only antivirus software that has issues with the file, which on Virus Total currently has a score of 15/66 (see https://www.virustotal.com/gui/file/5589df0eef6fca5ab39b0f91a00cd1ee5b3ad1bb320c6c4c04891279e5703e95).


@borouhin

To be more specific, it's not the ZIP archive itself, but the "NAPS2.Worker.exe" file inside it. It raises a Defender alarm after v8.0b2 is installed via the installer too. This file scores 27/71 on VirusTotal currently, which IMO is rather alarming.

@cyanfish (Owner)

The zip is down to 8 (from 15) as some of the false positives have been resolved which is progress at least.

@tomasz1986 (Author) commented Jan 12, 2025

I can also add that just today the detected "malware" in Windows Defender has changed from "Trojan:Script/Wacatac.B!ml" to "Virus:Win32/virut". Microsoft hasn't responded to my submission yet (and I somewhat doubt they ever will).

Edit:

@borouhin Interestingly enough, the same file from the previous beta (which I'm still using right now) shows zero detections on Virus Total.


@cyanfish (Owner)

I suspect the change from 8.0b1 to 8.0b2 is related to changing the .NET toolchain from 9RC2 to 9.0.101. Presumably there's been some change in the way the new version builds NAPS2 that is being flagged by the signature detection.

Ah yeah looks like others have similar issues:
dotnet/runtime#110541
https://dylanbeattie.net/2024/12/09/dotnet-9-aot-zip-file-windows-defender-false-positives.html

@cyanfish (Owner)

It also looks like I introduced a bug where the worker isn't signed properly (now fixed in 6ea12cf). While there's clearly still an issue with the detection, at least that should fix the problems for the next beta.
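A check a practitioner can run on the download before trusting either the vendor or the scanner, added here as an example and not part of the issue thread or the NAPS2 project's own code. It verifies the zip against the SHA-256 that appears in the VirusTotal link above, extracts it, lists the Authenticode status of every PE file in the archive (which would have surfaced the unsigned NAPS2.Worker.exe directly, separately from whatever heuristic name Defender attaches), and then asks Defender which resource and threat ID it actually recorded rather than relying on the toast notification. The download path and scratch directory are assumptions; Get-MpThreatDetection needs an elevated session.

```powershell
# Added example, not NAPS2 project code. $ZipPath and $ExtractDir are assumed
# locations; $ExpectedSha256 is the hash from the VirusTotal link in the issue.
$ZipPath        = "$env:USERPROFILE\Downloads\naps2-8.0b2-win-x64.zip"
$ExpectedSha256 = "5589df0eef6fca5ab39b0f91a00cd1ee5b3ad1bb320c6c4c04891279e5703e95"
$ExtractDir     = Join-Path $env:TEMP "naps2-8.0b2-check"

# 1. Make sure we are looking at the same bytes VirusTotal scored.
#    (-ne is case-insensitive for strings, so the hex case does not matter.)
$actual = (Get-FileHash -Path $ZipPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "SHA-256 mismatch: got $actual, expected $ExpectedSha256"
}

# 2. Extract and record the Authenticode status of every PE file inside.
Expand-Archive -Path $ZipPath -DestinationPath $ExtractDir -Force
$report = Get-ChildItem -Path $ExtractDir -Recurse -Include *.exe, *.dll |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName.Replace($ExtractDir, '').TrimStart('\')
            Status = $sig.Status      # Valid / NotSigned / HashMismatch / UnknownError
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

$report | Sort-Object Status, File | Format-Table -AutoSize

# 3. Anything not validly signed deserves a closer look, whatever the AV verdict is.
$bad = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} file(s) are not validly signed:`n{1}" -f $bad.Count, ($bad.File -join "`n"))
}

# 4. Ask Defender what it actually flagged (file path and threat ID), not just the
#    display name; needs an elevated PowerShell session.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'naps2' } |
    Select-Object InitialDetectionTime, ThreatID, Resources
```

If Defender quarantines the zip the moment it lands, step 1 fails with a missing file; that is itself the datum to report, and the hash can then be taken from the browser's download record or from a machine with the archive excluded from real-time scanning. Signature status and the Defender detection record together give a more useful bug report than a screenshot of the threat name, which, as this thread shows, can change from one definition update to the next.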
