maforget / ComicRackCE

A Community Edition for the legendary Comic Book Manager ComicRack. ComicRack is back from the dead.
GNU General Public License v2.0

Windows Defender finds Malware Trojan:Script/Wacatac.B!ml and keeps deleting Comicrack.exe #16

Closed saskir12 closed 4 months ago

saskir12 commented 5 months ago

I know we had the same problem with the OG CR. But I never had it keep deleting the exe no matter what. Interestingly it did not say anything for the 4 days I used it prior. It just started doing this today. If it were right after a big update I could understand it more (had a Windows Update 3 days ago).

So can we do anything except sending the exe to MS as a false positive?

Totengeist commented 5 months ago

I think the best bet for now is to add an exception in Windows Defender.

Was there any indication from cYo what changes he made when this was an issue previously? Based on this, he just recompiled the same source.

maforget commented 5 months ago

I've seen the Wacatac a lot before in my own program. There was even a kind of epidemic of Wacatac once: comics in rar files were detected as such. This is even a reason I made sure that the build is done on GitHub servers, so it wouldn't be something infecting my PC. This is due to the cloud portion of Defender. You can also see that it is caught by machine learning (hence the !ml at the end). It's always correct at the beginning, but when you start distributing it, it starts to think it's a virus. My guess is that it's something in the .NET framework it's confused about. Or it's just that it has a confidence score and since it's not widely circulated it gets triggered. The fact that the assemblies aren't signed isn't helping either. Kind of pointless when an AV just flags anything it doesn't know, making people always believe it's a false positive until it isn't.

The first build did start getting the message, and I did submit it to MS. They removed it, even though when submitting, it wasn't detected. I tested the build prior to last and didn't have anything, and this last build also isn't doing anything. So in the meantime I suggest you update and see if it comes back.

Also checked VirusTotal, and it isn't even detected there, at least by MS; Sophos says it's a crack tool? Maybe it's too similar to my cracked exe of the original. Also if you check behavior it says that it detects debug. AFAIK ComicRack doesn't do that, it's the framework that does that. So if it's using these behaviors to guess, no wonder it's getting confused.

Something that could be affecting it is the way I am inserting icons in the exe. By default you can't have more than 1 icon in a .NET program. So I am using a program that inserts the icon after the build. It can mess with key signing, but this isn't signed anyway. There is a second way it could be done, but that would remove the version information in the details tab (I believe that is the way cYo used, because his had no version info). I wanted to keep this info.

The solution I am using: https://stackoverflow.com/questions/8913018/adding-multiple-icons-win32-resource-to-net-application https://einaregilsson.com/add-multiple-icons-to-a-dotnet-application/

maforget commented 5 months ago

I've changed the way the icons are done; there is no information in the details tab though because of that. So please tell me if there are any changes. Will the latest build be flagged also?

saskir12 commented 5 months ago

Will check for it. Strangely it only complained after 4 days of using it. The only things I did remotely related to this were putting a link to the program in the Start menu (1-2 days prior) and removing the original install of CR from cYo.

maforget commented 5 months ago

It's not something you did, it's just the cloud portion of Defender that sees this unknown code. At first it doesn't see anything problematic, but then the more people download it, it starts seeing it more and more. Then it starts flagging it, just because it was used by more than 1 person.

saskir12 commented 5 months ago

Hmmm, Defender does not say anything against the files themselves. Would need to test while it runs. But is it intentional that the newest nightly release from 8 hours ago has no .exe in it?

EDIT: Seems Windows Defender deleted the exe in the nightly. Tried it again and extracted it with 7zip and there is the exe.

maforget commented 5 months ago

This build was very fast to be flagged; as soon as it was built it was flagged. So the changes I made didn't help.

I've submitted it again and it was removed.

saskir12 commented 5 months ago

At least it seems to not delete it immediately. Although I am not sure if this is because it is in the same folder where I made the exceptions (which would mean poor performance for an antivirus if it excludes a changed program from the scan) or if it will randomly delete it again.

Only read about someone who had the same problem with something he made himself in VB. And after simply recompiling it again it worked without triggering a flag.

maforget commented 5 months ago

Because even if you exclude a folder, when you extract a zip, it usually extracts it first to a temp folder, then moves it. Your temp folder isn't excluded, so it removes it before it even arrives in your destination folder. You should just allow Wacatac; it will not flag it anymore, anywhere it is.
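The two pieces of advice above (add an exception, and note that a folder exclusion never sees the temp extraction path) can be turned into a checked procedure. The script below is an added example, not part of the ComicRackCE project or this thread: it verifies the downloaded exe's SHA256 against a hash you obtained from the release page or a trusted machine (the path and the expected hash are placeholders), reports its Authenticode status, lists which paths Defender actually flagged under the Wacatac name, and then excludes only that one verified file rather than the whole folder or the threat name. It uses the built-in Defender cmdlets (`Get-MpThreat`, `Get-MpThreatDetection`, `Add-MpPreference`) and needs an elevated PowerShell.

```powershell
# Added example (not the ComicRackCE project's code): verify a release binary
# before excluding it, and keep the exclusion scoped to that file.
# Run from an elevated PowerShell on the machine where Defender flagged it.

param(
    # Placeholders: the exe you downloaded and the SHA256 published for that
    # release (or computed on a machine where the download was not modified).
    [string]$ExePath = 'C:\Tools\ComicRackCE\ComicRack.exe',
    [string]$ExpectedSha256 = '<paste the published SHA256 here>'
)

# 1. Integrity: the hash must match the release. A mismatch means this is not
#    the file the maintainers built (corruption, tampering, or a partial
#    quarantine), so it must not be excluded.
$actual = (Get-FileHash -Path $ExePath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "SHA256 mismatch for ${ExePath}: expected $ExpectedSha256, got $actual"
}

# 2. Signature status. The thread says the assemblies are unsigned, so expect
#    'NotSigned'; record it so the decision is explicit rather than implicit.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
Write-Host "Authenticode status for ${ExePath}: $($sig.Status)"

# 3. Show what Defender flagged and where. A detection on a temp path (the
#    zip's staging directory) explains why excluding the destination folder
#    alone did not stop the deletion.
$threats = Get-MpThreat | Where-Object { $_.ThreatName -like '*Wacatac*' }
foreach ($t in $threats) {
    Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $t.ThreatID } |
        ForEach-Object {
            Write-Host "$($t.ThreatName) detected $($_.InitialDetectionTime):"
            $_.Resources | ForEach-Object { Write-Host "    $_" }
        }
}

# 4. Exclude only the verified file. A later, unverified build dropped into
#    the same directory is still scanned, and the threat name stays blocked
#    everywhere else.
Add-MpPreference -ExclusionPath $ExePath
Write-Host "Excluded $ExePath after hash verification."
```

Re-run the script for every new build: because the exclusion is keyed to the file path, a replaced exe keeps the exclusion, so the hash check at step 1 is what makes that acceptable. If step 3 shows detections only under a temp directory, extract the archive with a tool that writes directly to the destination (as the 7zip workaround above does) rather than widening the exclusion to temp folders.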

maforget commented 5 months ago

Seems better, Sunday never seemed to have been flagged? Maybe the new installer is helping.

saskir12 commented 4 months ago

Seems that way. Did not delete it till now.

maforget commented 4 months ago

I will be moving this to discussions for now, since it seems to not be an issue anymore.