Romanitho / Winget-AutoUpdate

WAU daily updates apps as system and notify connected users. (Allowlist and Blocklist support)
MIT License

[Suspicious]: The file "WAU Configurator.lnk" has been marked as "Suspicious" #519

Closed priechodsky closed 7 months ago

priechodsky commented 11 months ago

The problem

The file "WAU Configurator.lnk" has been marked as "Suspicious" https://www.virustotal.com/gui/url/4070ea70761d0c04badf00b5b1e3dc873c925d161159e88234b9f90883ef1c0d

What version of WAU has the issue?

19.0

What version of Windows are you using (ex. Windows 11 22H2)?

No response

What version of winget are you using?

19.0

Log information

No response

Additional information

No response

Romanitho commented 11 months ago

Probably a dangerous shortcut?

KnifMelti commented 11 months ago

One false positive out of... ...you can't please them all. Local *.lnk security on user level? Well...

jozwikkarol commented 11 months ago

My antivirus (Bitdefender) found Heur.BZC.YAX.Boxter.800.4534E935 in C:\ProgramData\Winget-AutoUpdate\WAU_update\WAU Configurator.lnk

Romanitho commented 11 months ago

😅

rohancragg commented 11 months ago

Same issue here, immediately on downloading it, so I have not created a dangerous shortcut, I don't even get the opportunity to get that far.

https://go.microsoft.com/fwlink/?linkid=142185&name=Trojan:Script/Wacatac.B!ml&threatid=2147735503

I eventually saw this and decided to use WiGui.exe to install autoupdate instead (albeit I had to disable Defender Realtime Protection temporarily so that I could download WiGui.exe! ;-)

see https://github.com/Romanitho/Winget-Install-GUI/issues/84

Romanitho commented 11 months ago

I will create 2 WAU packages. One for updates (without shortcut) and for IT, and another one with the shortcut (to simplify user installation).

priechodsky commented 11 months ago

> I will create 2 WAU packages. One for updates (without shortcut) and for IT, and another one with the shortcut (to simplify user installation).

The Gui.ps1 is also not needed for deployment via Intune or GPO.

Romanitho commented 11 months ago

True. But I replied to the shortcut issue.

rohancragg commented 11 months ago

What works best for me is to clone the repo and run Winget-AutoUpdate-Install.ps1 as an administrator.

Romanitho commented 11 months ago

Should be fixed by #526. But I still don't understand why some AVs let you download a zip with dozens of PowerShell scripts but panic on a simple shortcut...

KnifMelti commented 11 months ago

Bing Chat Enterprise answers:

Why does antivirus flag a shortcut containing %WinDir%\System32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -w h -C "& {gci -R | Unblock-File; ".\Gui.ps1"}" as a virus, such as Trojan:Script/Wacatac.H!ml in Microsoft Defender

Antivirus programs, such as Microsoft Defender, are designed to protect your computer from malicious software. They do this by scanning files and processes for patterns of code or behavior that are known to be indicative of malware.

In the case of the command you provided, it’s invoking PowerShell with the -ep Bypass flag, which stands for “Execution Policy Bypass”. This allows the script to run without any restrictions, which is a common technique used by malware to execute malicious scripts. The -w h flag hides the PowerShell window, another technique often used by malware to operate without the user’s knowledge.

The command also includes gci -R | Unblock-File, which unblocks all files recursively. This could potentially unblock malicious files that have been previously blocked by the system. Finally, it’s executing a script named Gui.ps1. Without knowing the contents of this script, an antivirus program may flag this behavior as suspicious because it’s a common pattern used by malware.

The specific detection name you mentioned, Trojan:Script/Wacatac.H!ml, is a heuristic detection used by Microsoft Defender. Heuristic detections are not based on specific malware signatures, but on certain patterns of code or behavior that are often associated with malware. In this case, the command line you provided matches a pattern that’s often seen in a type of trojan known as “Wacatac”.

It’s important to note that just because a file or process is flagged by an antivirus program, it doesn’t necessarily mean it’s malicious. It could be a false positive. If you believe this is the case, you should submit the file or process to the antivirus vendor for further analysis.

In conclusion, the command you provided is flagged by antivirus programs because it uses techniques commonly associated with malware, such as bypassing execution policies, hiding windows, unblocking files, and executing scripts. However, whether it’s truly malicious would require further investigation. If you’re unsure, it’s always best to err on the side of caution and let the antivirus program block the process. If you believe it’s a false positive, you should submit it to the antivirus vendor for further analysis.
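The traits listed above (a PowerShell launcher, execution policy bypass, hidden window, recursive Unblock-File, running a .ps1) can be checked mechanically on any shortcut. The following PowerShell function is an added example, not part of WAU or this thread; it reads a .lnk through the WScript.Shell COM object without launching it, scores the command line against those traits, and the three-of-five "suspicious" threshold is an assumption of this example, not Defender's actual rule.

```powershell
# Added example (not from the WAU project): inspect .lnk shortcuts for the
# command-line traits the heuristic detection in this thread reacts to.
function Test-ShortcutCommandLine {
    param([Parameter(Mandatory)][string]$Path)

    # WScript.Shell exposes the shortcut's target and argument string;
    # reading a .lnk this way does not execute it.
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut((Resolve-Path $Path).Path)
    $cmd   = "$($lnk.TargetPath) $($lnk.Arguments)"

    # One entry per trait named in the explanation above; the regexes accept
    # both the long and the abbreviated parameter spellings PowerShell allows.
    $traits = [ordered]@{
        'PowerShell launcher'     = 'powershell(\.exe)?(\s|$)'
        'Execution policy bypass' = '-(ep|ExecutionPolicy)\s+Bypass'
        'Hidden window'           = '-(w|WindowStyle)\s+h(idden)?\b'
        'Recursive Unblock-File'  = '(gci|Get-ChildItem)\s+-R\w*[^|]*\|\s*Unblock-File'
        'Runs a .ps1 script'      = '\.ps1\b'
    }
    $hits = foreach ($t in $traits.Keys) {
        if ($cmd -match $traits[$t]) { $t }
    }

    [pscustomobject]@{
        Shortcut    = $Path
        CommandLine = $cmd.Trim()
        Traits      = @($hits)
        Score       = @($hits).Count
        # Threshold is an assumption of this example: the WAU Configurator
        # shortcut quoted in the thread matches all five traits.
        Suspicious  = (@($hits).Count -ge 3)
    }
}

# Usage: audit every shortcut under the WAU install directory named in the
# thread and list only the ones that match the pattern.
Get-ChildItem -Path 'C:\ProgramData\Winget-AutoUpdate' -Recurse -Filter *.lnk |
    ForEach-Object { Test-ShortcutCommandLine -Path $_.FullName } |
    Where-Object Suspicious |
    Format-List
```

A shortcut that scores high here is not proven malicious any more than it is by Defender; the output is a list of shortcuts whose command lines deserve a look at the script they point to.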

rohancragg commented 11 months ago

Tested on two Windows 11 devices and v.1.19.1 no longer triggers this in Microsoft Defender Antivirus.

However, the command in the .lnk has remained the same %WinDir%\System32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -w h -C "& {gci -R | Unblock-File; ".\WAU\Gui.ps1"}" so I'm not sure how this has resolved the issue.

Romanitho commented 11 months ago

Thanks guys for investigation and tests.

KnifMelti commented 11 months ago

> Tested on two Windows 11 devices and v.1.19.1 no longer triggers this in Microsoft Defender Antivirus.

Exactly the same in Win 10.

Arne-RFA commented 11 months ago

Just to add, SentinelOne also blocks the .lnk when I clone the git repo. Other EDR platforms may produce different results.

evgend commented 10 months ago

Hi, I also had some problems downloading the zip file, but I used Invoke-WebRequest to avoid this issue:

Invoke-WebRequest -Uri https://github.com/Romanitho/Winget-AutoUpdate/releases/download/v1.19.1/WAU-Configurator.zip -OutFile $env:USERPROFILE\Downloads\WAU-Configurator.zip

github-actions[bot] commented 9 months ago

This issue is stale because it has been open for 30 days with no activity.

Romanitho commented 9 months ago

Hi guys, can you check the latest prerelease (1.19.2-6) to see if your antiviruses are still unhappy? Thanks.

Romanitho commented 9 months ago

What can be done is to create one version without any wrapper (no shortcut or anything) that will continue to be generated as WAU.zip, and to create an EXE like we did in the WiGui repo, put it in as a replacement for the .lnk shortcut, and continue to generate WAU-Configurator.zip. Probably antiviruses would continue to be unhappy, but if the EXE remains the same, its reputation would change in the future. And WiGui could be decommissioned in the future.

AndrewDemski-ad-gmail-com commented 9 months ago

> What can be done is to create one version without any wrapper (no shortcut or anything) that will continue to be generated as WAU.zip, and to create an EXE like we did in the WiGui repo, put it in as a replacement for the .lnk shortcut, and continue to generate WAU-Configurator.zip. Probably antiviruses would continue to be unhappy, but if the EXE remains the same, its reputation would change in the future. And WiGui could be decommissioned in the future.

Interesting :) https://github.com/AndrewDemski-ad-gmail-com/InvisiLauncher It passed the snyk.io scanning flawlessly and is simple enough to not raise suspicion in AVs.

Romanitho commented 9 months ago

:)

github-actions[bot] commented 8 months ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 7 months ago

This issue was closed because it has been inactive for 14 days since being marked as stale.