SasView / sasview

Code for the SasView application.
BSD 3-Clause "New" or "Revised" License

SasView.exe Quarantined in Windows #2861

Closed krzywon closed 2 months ago

krzywon commented 6 months ago

Describe the bug

sasview.exe, from the Windows installation at https://github.com/SasView/sasview/actions/runs/8802166371, produced for PR #2859, is being quarantined on my machine. I'm not sure if this is a false positive, but we cannot ship like this.

Windows Security message:

Detected: Trojan:Win32/Wacatac.B!ml
Status: Quarantined
Affected Items: file: C:\SasView-6.0.0a-de-release\sasview.exe

SasView version (please complete the following information):

Operating system (please complete the following information):

klytje commented 6 months ago

On a clean Windows 11 VM I can download & install it just fine, though I do get SmartScreen warnings due to it being from an unknown publisher (I assume these will go away when the sasview executable is signed). I also do not have any issues on my usual Windows systems, though that might be because they've seen the DLL before.

I've had multiple people using my library on their own computers as well before, and except for the SmartScreen warnings and a short delay due to a quick scan from MS Defender, they've all successfully run it, so it is weird that it suddenly decided it is not okay.

Can anyone else replicate this? @krzywon can you replicate this again now, a day later? Also when did this quarantine happen - before starting sasview, right after starting, or in the middle of using it?

smk78 commented 6 months ago

I just downloaded & extracted ausaxs Win installer actions/runs/8802165981 and scanned both the zip and application with Endpoint.

No threats detected.

krzywon commented 6 months ago

The quarantine happened twice for me. The first time was on launching SasView. The second time was on installation.

krzywon commented 6 months ago

I just downloaded the latest installer from the ausaxs branch and can no longer replicate the issue. This was likely a false positive. I'm leaving this issue open for now, just in case anyone else has it happen.

krzywon commented 6 months ago

Another data point: sasview.exe from the Windows installer at https://github.com/SasView/sasview/actions/runs/8848780399 was quarantined again. Can someone else please try this same installer?

smk78 commented 6 months ago

> Another data point: sasview.exe from the Windows installer at https://github.com/SasView/sasview/actions/runs/8848780399 was quarantined again. Can someone else please try this same installer?

It's absolutely fine as far as my system is concerned, no flags on download, extract, install or execution.

krzywon commented 4 months ago

I haven't seen this in a bit. Closing for now.

krzywon commented 4 months ago

This issue has also been reported by @XaelShan, so I am reopening this.

butlerpd commented 3 months ago

Question: is this because we are not signing all builds? If so, this should not impact the actual release, which should be signed for Windows? If Windows Defender is still flagging this despite being signed, that would suggest a problem with the Windows signing?

rozyczko commented 3 months ago

I believe we are signing each build now. This shouldn't be an issue anymore.

wpotrzebowski commented 2 months ago

We need to check if this is still an issue or if we can close it.

krzywon commented 2 months ago

I believe digitally signing all installers may have fixed this. After removing all SasView-related exceptions from my anti-virus, I tested the latest successful build of the release branch and the executable launched and was not quarantined.

Unless someone else is seeing an issue with this, I am planning to close this again.

krzywon commented 2 months ago

Verified by multiple people now. The code signing appears to have fixed this issue. Closing.
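
The check described in the thread (is the build signed, did Defender flag it, and is an exclusion hiding the result) can be scripted. This is an added example, not code from the SasView project; the default `$Path` is the file named in the Windows Security message above, and the function names are hypothetical. It assumes the built-in Defender PowerShell module and an elevated session, since exclusions are only readable by administrators.

```powershell
# Added example: triage a Defender quarantine of a locally built executable.
# $Path default is the file from the report above; function names are hypothetical.
param([string]$Path = 'C:\SasView-6.0.0a-de-release\sasview.exe')

function Test-BuildSignature {
    param([Parameter(Mandatory)][string]$FilePath)
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        File        = $FilePath
        SHA256      = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
        Status      = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject   # $null when unsigned
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

function Get-DefenderHitsForPath {
    param([Parameter(Mandatory)][string]$FilePath)
    # Resources entries embed the path (e.g. "file:_C:\...\app.exe"), so match on it.
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match [regex]::Escape($FilePath) } |
        ForEach-Object {
            [pscustomobject]@{
                Detected = $_.InitialDetectionTime
                Threat   = (Get-MpThreat -ThreatID $_.ThreatID).ThreatName
                Resource = ($_.Resources -join '; ')
            }
        }
}

function Get-MaskingExclusions {
    param([Parameter(Mandatory)][string]$FilePath)
    # An exclusion covering the file makes a "not quarantined" result meaningless.
    $pref = Get-MpPreference
    @($pref.ExclusionPath) + @($pref.ExclusionProcess) |
        Where-Object { $_ -and $FilePath -like "$($_.TrimEnd('\'))*" }
}

if (Test-Path -LiteralPath $Path) {
    Test-BuildSignature -FilePath $Path | Format-List
} else {
    Write-Warning "$Path not found (possibly quarantined); skipping signature check."
}
Get-DefenderHitsForPath -FilePath $Path | Format-List
$masking = Get-MaskingExclusions -FilePath $Path
if ($masking) { Write-Warning "Exclusions cover this file: $($masking -join ', ')" }
```

A `Status` of `Valid` together with no new detections and no covering exclusions corresponds to the outcome reported in the final comments.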