Open dyaricoderman opened 2 years ago
I can confirm windows defender detects the file as a trojan Trojan:Win32/Wacatac.B!ml
I have just submitted a report to Microsoft, hopefully it will be fixed soon. It's kind of weird why specifically the file that is easiest to analyze (being a C#/.NET application) is flagged.
It's quite interesting to see how there are more and more scanners that flag it (with 'generic'/'AI' detection). At least Microsoft appears to have reviewed it. I'm not inclined to run after all the others, though.
Several of the analysis sandboxes in the VirusTotal results more or less show what Windows' crash handler WerFault does. Probably those are missing the correct .NET versions and the application crashes.
This results in a Microsoft IP being listed in the Relations tab that, for whatever reason, some scanners list as "malicious". Maybe that's where all the detections come from?
360 will also give false positives, I have already reported it to 360
Seems like WinDef will only flag the 64bit download, but doesn't seem to care about the 32bit one.
In the implementation of the UABE project, viruses: Trojan:Script/Oneeva.A!ml, Trojan:Script/Wacatac.B!ml
I seem to be getting other results.
32-bit download seemingly contains Backdoor:Win32/Bladabindi!ml
64-bit download seemingly contains Trojan:Script/Wacatac.B!ml, Trojan:Script/Oneeva.A!ml and Trojan:AndroidOS/ZkarletFlash
All detected by Windows Defender. I was able to download and run the 32 bit download yesterday, but Windows seems to have deleted it and now I can no longer download either.
Forced WinDef to redetect it a few times and tried downloading it in multiple different ways. 64-bit archive (just the archive download) tripped every time. I only got Trojan:Script/Wacatac.B!ml, but it seems that all the "specific" threat results don't really matter and are very generic "this behavior is not expected so it is probably malicious" type things that Windows, in its infinite wisdom, tries to associate with specific malware. Based on the behavior trees it looks like the registry key read/write calls (triggered by the Windows Error Reporting software) get flagged since it detects suspicious internet behavior (probably from Microsoft's error reporter trying to send debug data). What's extra strange is that only some of the Microsoft IPs get flagged, when realistically none of them should ever be, and one of the Akamai CDN IPs is as well.
The VirusTotal results show that TypeTreeGenerator returns a .NET Framework 4.* CLR version, which is to be expected, but the crash is then especially confusing considering 4.8 has been the expected .NET Framework version for more than 3 years and obviously not every .NET Framework 4.8 program is getting flagged as a trojan. If I had to guess, some random thing in the program set off alarm bells in the autodetection system that led it to find and flag the registry key/IP contact behavior, but I'm no antimalware engineer.
Windows 11, extractor 64-bit version:
Yandex Browser also blocks files immediately after downloading. I have already sent them a message and I will update the post when I get a response. UPD: "Hello! Thank you for the message. We will check the information you provided. Your letter has been sent to the developers." UPD2: Congratulations! Yandex Browser devs have added these files to the exceptions, now downloading archives is allowed.
Is it just the TypeTreeGenerator.exe that's being flagged? That sounds like a separate program, right? Can you create a zip without this file?
I want to make a Baldi mod but I can't use older versions like the 2.2 stable of this program because it apparently says it's missing a file, and I have no choice but to use this, but I don't trust it because Windows Defender says it's really bad, and I am scared to trust it.
Not bundling malware?
A lot of reputable malware & virus detection vendors seem to disagree:
What code is triggering this?
https://www.virustotal.com/gui/file/a6b68f9f565bf81819465b3d41e11da4c7ef1e5e5f677ebc66f04f594dd18d87
It's a false positive, maybe some of the code matched some other malicious samples that many malware detectors have in their database. I highly doubt this trusted creator would bundle malware into software lots of people use.
It's a false positive
A definitive statement requires a definitive explanation for the false positive, otherwise it's presumed malicious for safety reasons. More so when the majority of vendors flag it.
That said, please backup the claim with an explanation of the mode that causes the false positive, and even better how it can be resolved.
I'm not claiming the dev is intentionally bundling malicious code, but it's presumed the binary is malicious until proven otherwise.
I highly doubt this trusted creator would bundle malware into software lots of people use.
Is not that.
"I don't think someone would bundle malware" is not what makes a security stance. When it's proven it's not, then it's not.
If it was malware, why is it still available for download? It's been up for nearly 4 months now; multiple people are sure to have reported it to GitHub staff.
It is open source, feel free to audit it and build it yourself. The file that all these scanners don't like (TypeTreeGenerator) is a bog standard program generated with MS' tool that just happened to run into some heuristic detection that more and more scanners appear to imitate, without any person ever checking if it makes sense. That cycle may end if I recompile it for whatever the newest .NET version is, but I'm leaning towards scanners continuing to be a nuisance one way or another.
Since another topic was marked a duplicate of this, I'll repeat what I said there:
First, since the issue is in just this one (non-critical) file, there should be a release bundle/option with the file removed. It's only needed for C# disassembly, and from what I gather, it doesn't work with IL2CPP games anyway. I've successfully used UABE with the file deleted, and honestly think it should be left as an option only for those who absolutely need it.
Second, I've built the file from source, and it triggered 4 detections (behavior check was clean). That's way less than what the official build is triggering. I don't know if the vendors just gradually copy from each other after it triggered a behavior flag, or if there's something in the official build that triggers a detection.
And to all the people who claim it's a false positive without evidence: Remember that just because a source is safe doesn't mean the build is clean. Not unless you have a reproducible build process, and actually ran it on an independent machine. The fact that my own build did not trigger a fifth of the same number of detections IS something worth investigating. A build environment can be compromised as well.
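The comparison the post above argues for, written out as an added example (not code from the UABE project or from anyone in this thread): given the official binary and a build from source, hash each PE section separately and read the COFF link timestamp, so that a difference in timestamp alone (normal for a non-reproducible MSBuild) can be told apart from a difference in section contents, which is the case that merits further investigation. The sample images are constructed inline as minimal stand-ins and are not loadable executables.

```python
import hashlib
import struct


def parse_pe(data: bytes) -> dict:
    """Read the COFF link timestamp and a SHA-256 per section from a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_tbl = coff + 20 + opt_size          # section table follows the optional header
    sections = {}
    for i in range(nsec):
        off = sec_tbl + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections[name] = hashlib.sha256(data[raw_ptr:raw_ptr + raw_size]).hexdigest()
    return {"timestamp": timestamp, "sections": sections,
            "sha256": hashlib.sha256(data).hexdigest()}


def diff_builds(official: bytes, rebuilt: bytes) -> dict:
    """A differing timestamp is expected build noise; differing section bodies
    mean the official build and the source build do not contain the same code."""
    a, b = parse_pe(official), parse_pe(rebuilt)
    changed = sorted(n for n in set(a["sections"]) | set(b["sections"])
                     if a["sections"].get(n) != b["sections"].get(n))
    return {"identical": a["sha256"] == b["sha256"],
            "timestamp_differs": a["timestamp"] != b["timestamp"],
            "changed_sections": changed}


def build_min_pe(timestamp: int, text: bytes) -> bytes:
    """Constructed minimal PE stand-in with one .text section (not loadable)."""
    raw_ptr = 0x40 + 4 + 20 + 40            # DOS header, "PE\0\0", COFF header, one section header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sec + text


# Constructed samples: same code linked at two times, and one with extra bytes.
OFFICIAL = build_min_pe(0x64000000, b"\x48\x83\xec\x28")
REBUILT = build_min_pe(0x65000000, b"\x48\x83\xec\x28")
TAMPERED = build_min_pe(0x65000000, b"\x48\x83\xec\x28\x90")

if __name__ == "__main__":
    print(diff_builds(OFFICIAL, REBUILT))    # timestamp only: benign nondeterminism
    print(diff_builds(OFFICIAL, TAMPERED))   # .text differs: investigate
```

Run it against real files by reading the official release binary and your own build into `official` and `rebuilt`; a non-empty `changed_sections` for a .NET assembly is also where to start diffing with a decompiler.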
You might actually be on to something; I was curious and went ahead and built the .exe myself, and I haven't gotten as many detections as the official build. This is definitely something worth investigating.
@dyaricoderman Hmm, 9 on yours vs 4 on mine. I triggered "Google", though, which is not on your list.
My build was a bit unusual, though. I'm not a fan of CMake, so I improvised a csproj by copying and editing from another project I'm working on, then built it using MSBuild 12. I also downloaded Mono.Cecil.dll and Mono.Cecil.Rocks.dll from the official release, to use as linked assemblies. Also, the ToolsVersion and TargetFrameworkVersion in my csproj are set to 4.0, so that could also be a factor.
I am noticing your triggers are things like "Ai", "Generic" and "Unsafe", suggesting higher likelihood of overeager heuristics.
I also downloaded Mono.Cecil.dll and Mono.Cecil.Rocks.dll from the official release
I also tried building with the official Mono.Cecil DLLs, but they gave me the same result.
Can't you just buy a certificate? 🤓
I have no idea why this only just happened now, but UABE 3.0's version of TypeTreeGenerator was flagged as a false positive by Windows Defender.
Dunno why it thinks it's a virus, I literally used it a few days ago when UABE 3.0 got released.