microsoft / hidtools

Human Interface Device (HID) Tools for Windows and Devices
MIT License
146 stars, 20 forks

waratah-v1.5.0 published binary gets tagged as a severe trojan threat by Defender - Trojan:Win32/Wacatac.H!ml #18

Closed. tanant closed this 8 months ago

tanant commented 8 months ago

Not quite sure what exactly causes Windows Defender to tag it as such, but it wasn't an issue in 1.4.0, just recently in 1.5.0. I can pull source locally and compile from that, so not a major issue, but it was a bit unexpected to have Defender quarantining the zip.

(if this is expected then all good, feel free to close this btw)

matwilli commented 8 months ago

Thanks @tanant for bringing this to my attention. I haven't seen this before (though I can now repro it on a Win10 system), and it is unexpected. I'll run this by our security team to see if this is a real issue (e.g. caused by an ingested dependency) or a false positive.

matwilli commented 8 months ago

I brought this up to the Windows Defender team and they agreed it's a false positive, and they have updated the Defender rules accordingly. I can no longer repro this on my Win10 machine with the latest rules (see below).

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
  3. Run "MpCmdRun.exe -SignatureUpdate"

Thanks again for reporting!
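The three manual steps above, as an added PowerShell script that is not part of the hidtools project or of this thread: it runs the same two `MpCmdRun.exe` commands to refresh definitions, then checks the downloaded archive's SHA-256 against a hash obtained from a trusted source and re-scans the archive with Defender so you can confirm the detection is gone without adding a Defender exclusion. The archive path and the expected hash are placeholders; the zip must be present on disk (re-downloaded or restored from quarantine) for the hash check and re-scan to work.

```powershell
# Added example (not hidtools project code): refresh Defender signatures using the
# steps from the issue, verify the release archive's hash, and re-scan it.
# Run from an elevated PowerShell session on Windows 10/11.

$ArchivePath    = 'C:\Downloads\waratah-v1.5.0.zip'   # placeholder: your download location
$ExpectedSha256 = '<SHA256-FROM-TRUSTED-SOURCE>'      # placeholder: hash obtained out-of-band
$MpCmdRun       = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Assert-Elevated {
    # MpCmdRun's definition commands need an administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated (Administrator) PowerShell session.'
    }
}

function Update-DefenderSignatures {
    # Same two steps as the issue comment: drop cached dynamic signatures, then pull fresh definitions.
    & $MpCmdRun -RemoveDefinitions -DynamicSignatures | Out-Null
    & $MpCmdRun -SignatureUpdate | Out-Null
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusSignatureVersion = $status.AntivirusSignatureVersion
        LastUpdated               = $status.AntivirusSignatureLastUpdated
    }
}

function Test-ArchiveHash {
    # Compare the local file's SHA-256 with the value you obtained from a trusted source.
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path $Path)) { throw "Archive not found (still quarantined?): $Path" }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path    = $Path
        Sha256  = $actual
        Matches = [bool]($Expected -and ($actual -ieq $Expected))
    }
}

function Invoke-ArchiveRescan {
    # ScanType 3 is a custom scan of one file; MpCmdRun exits 0 when clean and 2 when a threat is found.
    param([string]$Path)
    & $MpCmdRun -Scan -ScanType 3 -File $Path | Out-Null
    $exit = $LASTEXITCODE
    # List any Defender detections whose resources reference this archive path.
    $detections = Get-MpThreatDetection | Where-Object {
        $_.Resources -match [regex]::Escape($Path)
    }
    [pscustomobject]@{
        Path         = $Path
        ScanExitCode = $exit
        StillFlagged = ($exit -eq 2)
        Detections   = @($detections | ForEach-Object {
            $t = Get-MpThreat -ThreatID $_.ThreatID
            "$($t.ThreatName) first seen $($_.InitialDetectionTime)"
        })
    }
}

Assert-Elevated
Update-DefenderSignatures                                   | Format-List
Test-ArchiveHash -Path $ArchivePath -Expected $ExpectedSha256 | Format-List
Invoke-ArchiveRescan -Path $ArchivePath                     | Format-List
```

If `StillFlagged` is true after the signature refresh, treat the file as suspect rather than excluding it: the hash mismatch check and the recorded threat name give you what to hand to the project maintainers or your security team, which is the path matwilli followed here.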

tanant commented 8 months ago

Great, thanks!