madMAx43v3r / chia-gigahorse


Trojan:Win32/Wacatac.B!ml windows 10 - chia.exe #168

Closed technologiespro closed 1 year ago

technologiespro commented 1 year ago

Windows Defender: after starting chia-gigahorse-farmer\chia.exe

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FWacatac.B!ml&threatid=2147735505

scoville07 commented 1 year ago

Yes, I have the same issue, my farm stopped working while I found Defender has deleted the executables!!!

I have rolled back to giga13 for now!

Jacek-ghub commented 1 year ago

Unfortunately, this is due to the aggressiveness of MS Defender when seeing new binaries. The bottom line is that the owner of the binary (i.e., @madMAx43v3r) would need to contact MS to potentially get his repositories permanently whitelisted. The way to do it is to use a Win machine, and follow the options given while trying to download the binary. There is an option there to contact MS, and further specify that you are the site owner, etc. The process is rather slow (a week or so to get them to respond). I am also not too sure how it could be resolved, as I tried to do it once for my binary, but gave up on that process.

In the meantime, MS Defender (the one that kills those binaries) has an option to have Defender exclude a given binary (by name, so it applies to all updates) - Settings / Privacy & security / Virus & threat protection / Manage settings / Add or remove exclusions. I am not trying to say that this is a preferred way, or a good way, as I only use it for my own binaries.

The exclusion above only applies to a given binary / folder. However, MS Defender is also preventing such file downloads, but this can be bypassed by navigating given prompts during the download (I am not sure if there is a way to make an exclusion for this part).

scoville07 commented 1 year ago

Thanks for that input.

Would that mean from now on every version could be potentially a risk for defender or just this one?

Don't wanna end up creating an exception for every version again and again.

@madMAx43v3r would you consider reaching out to MS on that?

Regards Christian

Jacek-ghub commented 1 year ago

For my app, I did app-name exception (don't remember if folder as well, maybe not). This takes care of only OS based defender.

However, I still have to go through the nonsense of all those extra prompts while downloading it from my build server (browser based Defender).

As I mentioned, I started the process with MS, but gave up, as it was rather slow (for me), plus I don't build it that often and that is more or less a limited app. However, for a project like MMX, Max should try to work with MS (maybe with Github as well) to get them to whitelist his github repository. Otherwise, this crap most likely will repeat for every new build, but maybe it goes away when more people tell browser Defender to buzz off (there is an option to tell Defender to buzz off during the download process, but I think more people need to do it to whitelist that particular release, as it never worked for me).

@madMAx43v3r By the way, that option to reach out to MS is available when going through those prompts while trying to download that offending file. There is an option to specify that you own that server, and a brief form to contact them. They take about a week for the first response. Not sure about the second, as I gave up at that point.

madMAx43v3r commented 1 year ago

I don't own github servers though. Defender probably just looks at the domain name and checks if it's in the whitelist or not.

The other way would be to whitelist the binary hash, but that needs to be done for every new release...

madMAx43v3r commented 1 year ago

And obviously Microsoft won't whitelist github.com

madMAx43v3r commented 1 year ago

By the way, that option to reach out to MS is available when going through those prompts while trying to download that offending file.

Do you mean downloading the *.zip for a Gigahorse Windows release? I thought the ZIP file prevents this issue...

Jacek-ghub commented 1 year ago

I don't own github servers though.

Sorry, maybe it was just too crude a description. Sure, you don't 'own' github, but "https://github.com/madMAx43v3r/chia-gigahorse/" is a clearly identifiable / unique site where you are the "owner." I have no doubts that MS can whitelist just your repositories.

I thought the ZIP file prevents this issue...

Nah, any standard compression / archiving doesn't do anything to prevent [browser] Defender from suppressing a file.

Click "Report this as a safe file" (cannot get a screenshot of this one) and you write your story there.

madMAx43v3r commented 1 year ago

Sorry, maybe it was just too crude a description. Sure, you don't 'own' github, but "https://github.com/madMAx43v3r/chia-gigahorse/" is a clearly identifiable / unique site where you are the "owner." I have no doubts that MS can whitelist just your repositories.

Yeah but then any criminal could do the same right? Get their repo whitelisted first and then upload some bad stuff.

Are there any reports that Microsoft ever did whitelist repos on github like that?

It's a different story for something like bankofamerica.com, of course they can whitelist that.

Jacek-ghub commented 1 year ago

Yeah but then any criminal could do the same right?

Well, that is not an automatic process, as you need to write your story, and they will really run through it. You can point to your Discord channel, or any other sites that talk about it. You also have some traffic already there, so you are not an overnight dev dropping a sweet app that solves all the problems out there.

Some time ago, the same thing hit Chia, and they mentioned that they also approached Github for help. Don't know how that ended, but somehow they sorted it out.

It's a different story for something like bankofamerica.com

Really, no need to be that negative. That form is not that difficult. I am sharing my file with one friend, and still approached MS to get it whitelisted, as that was (still is) pissing me off that there is no easy way to pass binaries around.

madMAx43v3r commented 1 year ago

Some time ago, the same thing hit Chia, and they mentioned that they also approached Github for help. Don't know how that ended, but somehow they sorted it out.

Chia Inc. is a US company with famous CEOs and millions in funding ;)

The real problem is that a Windows user cannot whitelist a webpage or specific download themselves easily.

Like this:

  1. You click on download
  2. It says virus detected
  3. You click "I think it's a false positive, download anyways"
  4. Problem solved

madMAx43v3r commented 1 year ago

Really, no need to be that negative.

If only somebody would pay me $100 for every hour I waste trying to work with some big corporation :)

Jacek-ghub commented 1 year ago

Chia Inc. is a US company with famous CEOs and millions in funding ;)

I guess, you are really trying very hard not to start the process :)

It is really not that much, and if it goes through, a lot of people will be happy. When I saw that crap happening to my tiny app, I worried that I have some crap on my Linux dev box, and it is swapping the binary for some shit. Although, my friend had more trust in me than I had in myself, so I gave up. You have a few hundred people that most likely don't want to deal with it. Also, you don't want some twitter shit-stormer to make a big deal out of it.

MS actually owns Github, so they do understand the value of it and for sure have people that can go over your story and get it approved (as they can run all kind of stats on it). For sure, they don't want one of their products to abuse another.

By the way, those steps you listed are for the "browser" part of Defender. Once the file lands on disk, the "file/OS" Defender will kill it if it is touched in any way. Although, the "file/OS" can easily be whitelisted in Settings.

Oh, and "browser" Defender kicks in not just in Edge, but also in other browsers.

madMAx43v3r commented 1 year ago

Just a recent example, Instagram told me they were going to delete my account without giving any reason why. They said I can appeal this by jumping through some hoops, like taking a selfie with my username to prove that I own the account. They then just deleted it.

madMAx43v3r commented 1 year ago

I guess, you are really trying very hard not to start the process :)

Yes, my appetite for jumping through hoops is very low sorry...

Jacek-ghub commented 1 year ago

Yeah, I also don't deal with any shit that comes from Facebook for exactly the same reasons.

scoville07 commented 1 year ago

Great conversation ;) thanks everyone and @madMAx43v3r for your input as well! I can imagine that it is frustrating to deal with huge companies.

I think right now I will probably stop using Defender and instead maybe use another antivirus program, hoping it will not detect your binaries as malicious as well.

madMAx43v3r commented 1 year ago

I just downloaded 1.8.2.giga14 on my Windows 10 machine, unzipped the ZIP and ran chia.exe, without any issues.

Just the firewall requesting access to internet.

scoville07 commented 1 year ago

Exact same behaviour on my end. BUT after a while defender kicks in, while chia.exe is doing something...and moves the files.

madMAx43v3r commented 1 year ago

I did "Scan with Microsoft Defender..." on chia.exe -> 0 threats found

Exact same behaviour on my end. BUT after a while defender kicks in, while chia.exe is doing something...and moves the files.

I see, let me run it for a while then.

scoville07 commented 1 year ago

It easily ran a couple of hours, then I found that no partials were submitted anymore, so I checked my machine and found the executables being deleted/moved and the error message of Defender. I deleted the whole dir, downloaded again, extracted, no issues, but then it triggered Defender right when I started chia.exe again.

That being said, the virus definitions have been updated since then, maybe worth another try. ;)

madMAx43v3r commented 1 year ago

My Security Intelligence Version is: 1.393.211.0

madMAx43v3r commented 1 year ago

Are you using remote compute? Maybe that's what's triggering it? Or remote harvester?

scoville07 commented 1 year ago

Are you using remote compute? Maybe that's what's triggering it? Or remote harvester?

Nope, just running locally as farmer. I have the same version now, not sure on the version I had when that issue came up. I will test again in a couple.

scoville07 commented 1 year ago

Just downloaded, extracted, scanned the zip and folder twice. No detection. Just started it without issues, monitoring right now.

So maybe that old definition file...or MS has just whitelisted you, because you are such a smart guy... :D

madMAx43v3r commented 1 year ago

Maybe a more generic false positive (i.e., affecting more than just my binary) that they fixed.

scoville07 commented 1 year ago

Yeah, might be.

btw. two hours straight, still running. I would consider this solved. ;)

Thanks! Christian

Here is a snippet from the MS forum with a workaround to avoid the false positive again; it seems that in the past people have also complained about a possible false positive on Wacatac, maybe it is useful:

Wacatac.B!ml really is malware, but Defender detects and remediates it. See the link... https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus:Win32/Wacatac.B!ml&ThreatID=2147774417 Defender has already protected you from this. However, if you continue to be alerted to its presence, that would be a false positive. You can prove that by downloading the Microsoft Safety Scanner, and scanning your PC with that. If it does not detect Wacatac, you can be sure that you are seeing a false positive. https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

You can eliminate that false positive by deleting Wacatac from Defender's Protection History. The following explains how to accomplish that in W10. I suspect that this applies to W11 also. Open File Explorer, and on the View tab, check the box for "Hidden Items". Then navigate through this path: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service

Open the Service folder. If you find a folder in it named Detection History, then W11 is the same as W10 in this regard. Delete Detection History, and the false notification regarding Wacatac will cease. Not to worry, Windows rebuilds Detection History when it is needed next.
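The checks this thread walks through by hand (signature version, on-demand scan, what Defender recorded against the folder, and the path exclusion from Jacek-ghub's comment) can be done from an elevated PowerShell with the built-in Defender cmdlets. This is an added example, not code from the issue or the Gigahorse project; the install folder and the expected SHA-256 are placeholders you fill in from your own setup and the release page.

```powershell
# Added example (not from the thread or the Gigahorse project). Run from an
# elevated PowerShell on Windows 10/11. Both values below are placeholders.
$FarmerDir    = 'C:\chia-gigahorse-farmer'                   # assumed install path
$ExpectedHash = '<SHA-256 taken from the Gigahorse release page>'  # placeholder
$Exe          = Join-Path $FarmerDir 'chia.exe'

# 1. Record the Security Intelligence Version so the result can be compared
#    with other machines (the thread compared 1.393.211.0).
$status = Get-MpComputerStatus
"Security Intelligence Version: $($status.AntivirusSignatureVersion)"
"Engine version:                $($status.AMEngineVersion)"

# 2. Confirm the binary on disk is the one the maintainer published before
#    trusting it; an exclusion must never be added for an unverified file.
$actual = (Get-FileHash -Path $Exe -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) {
    throw "chia.exe hash $actual does not match the published hash; not excluding it."
}

# 3. List what Defender actually detected under this folder (threat id, time,
#    and whether the remediation that moved the files succeeded).
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($FarmerDir) } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

# 4. On-demand scan of the folder, the cmdlet equivalent of
#    "Scan with Microsoft Defender..." (the thread reports 0 threats here).
Start-MpScan -ScanType CustomScan -ScanPath $FarmerDir

# 5. Only after the hash check passed: exclude the folder (same effect as the
#    Settings path in the comment above) and confirm the exclusion is present.
Add-MpPreference -ExclusionPath $FarmerDir
(Get-MpPreference).ExclusionPath
```

Step 5 only covers the on-disk ("file/OS") part of Defender; the browser-side download prompt discussed earlier in the thread is not affected by a path exclusion.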

technologiespro commented 1 year ago

I just added an exception to windows defender and it worked

technologiespro commented 1 year ago

Problem solved, thread closed