Chocobo1 / opus-tools_win32-build

opus-tools Unofficial Builds - Win32 & x64

2024.03.19 = Trojan:Win32/Wacatac.B!ml (Win11) #8

Closed dcog989 closed 5 months ago

dcog989 commented 6 months ago

Windows (virus sigs 1.407.543.0 on Win11 beta) is quarantining https://github.com/Chocobo1/opus-tools_win32-build/releases/download/2024.03.19/opus-tools.exe as Trojan:Win32/Wacatac.B!ml

But VirusTotal reports clean.

The extracted files are reported clean by Windows. Perhaps future releases could be packaged in a zip rather than an exe to maybe avoid this?

Chocobo1 commented 5 months ago

It is a false positive.

I too encountered it myself when it was released. I was testing if the download URL was working. Now I tested again (a few hours later now) and antivirus is reporting clean.

It happens all the time to open source projects. https://github.com/search?q=windows+defender&type=issues&s=&o=desc https://github.com/clsid2/mpc-hc/issues/2573 https://github.com/Imagick/imagick/issues/663

> The extracted files are reported clean by Windows. Perhaps future releases could be packaged in a zip rather than an exe to maybe avoid this?

It wouldn't matter. Antivirus programs will extract .zip files (or any archive format) and inspect the contents. Otherwise, how would they know if a .zip is safe or not?

dcog989 commented 5 months ago

Thanks. Yeah, I'm aware it's a common issue. I just thought a zip might be less likely to trigger a false positive than an executable - plus most people should be wary of running an unsigned exe....

Chocobo1 commented 5 months ago

> I just thought a zip might be less likely to trigger a false positive than an executable -

Perhaps it is just me, I remember email attachments (mostly .zip files) were being flagged by antivirus commonly.

> plus most people should be wary of running an unsigned exe....

BTW, if you have the 7z program installed on your computer, you can use it to extract the .exe file and you won't need to run it (the .exe).

You are right about running untrusted exe. However, talking from my experience, a signed exe could still be flagged by antivirus. It wouldn't be of much help in this regard.
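Chocobo1's point that the release .exe is a 7z self-extracting archive can be checked without executing it: an SFX is a small stub program followed by an ordinary 7z archive, and that archive starts with a documented 32-byte signature header (7-Zip's DOC/7zFormat.txt). The script below is an added example, not code from this thread or from the opus-tools project. It scans a file for the 7z signature, validates the start-header CRC32 and the next-header bounds so a stray byte pattern is not mistaken for an archive, and reports where the stub ends. `build_sample_sfx` is a constructed test fixture that fakes the stub and the archive layout; it is not a real archiver, and the placeholder header bytes it emits are constructed.

```python
"""Locate and sanity-check an embedded 7z archive inside a self-extracting .exe.

Added example, not part of the issue thread or the opus-tools project.
Reads the file without running it; layout per 7-Zip's DOC/7zFormat.txt.
"""
import struct
import sys
import zlib
from typing import Optional

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"     # first six bytes of every 7z archive
VERSION_CRC_FMT = "<BBI"                # Major, Minor, StartHeaderCRC (6 bytes)
START_HEADER_FMT = "<QQI"               # NextHeaderOffset, NextHeaderSize, NextHeaderCRC (20 bytes)
SIGNATURE_HEADER_LEN = 6 + 6 + 20       # 32 bytes in total


def _crc32(buf: bytes) -> int:
    return zlib.crc32(buf) & 0xFFFFFFFF


def find_embedded_7z(data: bytes) -> Optional[dict]:
    """Return details of the first plausible 7z archive in `data`, else None.

    A match requires more than the magic bytes: the 20-byte start header must
    pass its CRC32 and the next header it points at must lie inside the file.
    """
    pos = data.find(SEVENZ_MAGIC)
    while pos != -1:
        hdr = data[pos:pos + SIGNATURE_HEADER_LEN]
        if len(hdr) == SIGNATURE_HEADER_LEN:
            major, minor, start_crc = struct.unpack_from(VERSION_CRC_FMT, hdr, 6)
            start_header = hdr[12:32]
            nh_off, nh_size, nh_crc = struct.unpack(START_HEADER_FMT, start_header)
            nh_start = pos + SIGNATURE_HEADER_LEN + nh_off
            crc_ok = _crc32(start_header) == start_crc
            in_bounds = nh_start + nh_size <= len(data)
            if major == 0 and crc_ok and in_bounds:
                return {
                    "archive_offset": pos,          # bytes of SFX stub before the archive
                    "version": f"{major}.{minor}",
                    "next_header_offset": nh_start,
                    "next_header_size": nh_size,
                    "next_header_crc_ok": _crc32(data[nh_start:nh_start + nh_size]) == nh_crc,
                }
        pos = data.find(SEVENZ_MAGIC, pos + 1)   # keep scanning past a false hit
    return None


def build_sample_sfx(stub: bytes, payload: bytes) -> bytes:
    """Constructed fixture: fake stub + minimal 7z layout with correct CRCs.

    `payload` stands in for the packed streams. The next header is the
    constructed two-byte sequence kHeader (0x01), kEnd (0x00).
    """
    next_header = b"\x01\x00"
    start_header = struct.pack(START_HEADER_FMT, len(payload), len(next_header),
                               _crc32(next_header))
    sig = SEVENZ_MAGIC + struct.pack(VERSION_CRC_FMT, 0, 4, _crc32(start_header))
    return stub + sig + start_header + payload + next_header


def inspect_file(path: str) -> Optional[dict]:
    """Read a file from disk and run the check on it."""
    with open(path, "rb") as fh:
        return find_embedded_7z(fh.read())


if __name__ == "__main__":
    # Usage: python sfx_check.py <file.exe>  (path is whatever you downloaded)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    info = inspect_file(target) if target else find_embedded_7z(
        build_sample_sfx(b"MZ" + b"\x90" * 200, b"\xaa" * 64))   # constructed demo input
    print("no embedded 7z archive found" if info is None else info)
```

Once the offset is confirmed, listing and extracting the contents is what the 7z or NanaZip command line does (`7z l opus-tools.exe`, `7z x opus-tools.exe`): it reads the archive portion and never executes the stub, which is the "extract instead of run" path Chocobo1 describes.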

dcog989 commented 5 months ago

Ha, I remember back when it was a constant stream of real and false flags from email.

I'm using https://github.com/M2Team/NanaZip/releases/tag/3.0.756 for ZST - the difference in compression speed is nuts compared to LZMA, and it takes care of 7z as well - although I didn't realise the exe was a self-extracting 7z at first. Perhaps a note could be added to clarify that?

Thanks for your time.