microsoft / winget-pkgs

The Microsoft community Windows Package Manager manifest repository
MIT License

Trojan:Script/Wacatac.H!ml when running winget install Docker.DockerDesktop #100401

Open shellwhale opened 1 year ago

shellwhale commented 1 year ago

Brief description of your issue

~ ❯ winget install Docker.DockerDesktop
Found Docker Desktop [Docker.DockerDesktop] Version 4.17.0
This application is licensed to you by its owner.
Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
Successfully verified installer hash
Starting package install...
  /Installation failed
Manifest extraction failed: Operation did not complete successfully because the file contains a virus or potentially unwanted software.

   at CommunityInstaller.InstallWorkflow.<DoHandleD4WPackageAsync>d__30.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at CommunityInstaller.InstallWorkflow.<DoProcessAsync>d__23.MoveNext()
Installer failed with exit code: 1

Steps to reproduce

winget install Docker.DockerDesktop

Expected behavior

Installing Docker

Actual behavior

Virus report and Windows Defender notification of Trojan:Script/Wacatac.H!ml

Environment

Windows Package Manager v1.4.10173
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.19045.2728
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.19.10173.0

Logs: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir

User Settings: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\settings.json
denelon commented 1 year ago

I've run the install in a VM with Defender enabled. I'm currently running a full scan on the machine.

denelon commented 1 year ago

I did not see any detections during the full scan.

I did a quick search to see if there is any known fix: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Script/Wacatac.H!ml

https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-trojanscriptwacatachml-keeps/93ef0ec1-3170-48d6-86af-5373ff6c3cd1

denelon commented 1 year ago

@shellwhale, one of our testers was able to reproduce this detection. We will submit this package for evaluation to attempt to determine if this is a false positive or not. If we have any detections, we will remove this package version.

denelon commented 1 year ago

The latest version has been removed.

shellwhale commented 1 year ago

@denelon so it's not a false positive? If so, how did you make sure it was not and how did that happen?

BrandonWanHuanSheng commented 1 year ago

I am currently investigating that issue where does the trojan come from.

ItzLevvie commented 1 year ago

cc @StefanScherer

BrandonWanHuanSheng commented 1 year ago

This is most likely when the app is outdated. The newer update will apply and fix the bug.

BrandonWanHuanSheng commented 1 year ago

Sometimes: The Trojan can easily get in if you don't update to the latest version on the web. The release notes are available right over here. Sometimes it is fixed by the update when your build is on the latest version.

Important Security App Update: Docker.DockerDesktop 4.17.1

Most of the people experienced this issue if they didn't update to Docker.DockerDesktop 4.17.1.

Comparing the previous version to the newer version, release notes from 4.17.0 to 4.17.1:

  - Docker Desktop now allows Windows containers to work when BitLocker is enabled on C:
  - Fixed a bug where docker buildx container builders would lose access to the network after 24hrs.
  - Fixed a bug where Registry Access Management policy updates were not downloaded.
  - Improved debug information to better characterise failures under WSL 2.

Release notes can be found in https://docs.docker.com/desktop/release-notes/

The newer version fixes bugs and improves the features.

BrandonWanHuanSheng commented 1 year ago

Where the trojan comes from: "%TEMP%\DockerDesktop\ykigawhnt2d"

I do not recommend downloading a previous version of Docker.DockerDesktop because it might contain malware or unwanted software.

Docker.DockerDesktop 4.17.0 is infected with Backdoor:Win32/Bladabindi!ml.

Docker.DockerDesktop 4.17.1 fixed 2 security bugs, because on the previous version people couldn't access docker buildx container builders (they would lose access to the network after 24hrs) and Registry Access Management policy updates were not downloaded; the Trojan is not resolved on Docker.DockerDesktop 4.17.0, which you used during the creation of the manifest.

denelon commented 1 year ago

> @denelon so it's not a false positive? If so, how did you make sure it was not and how did that happen?

We're still investigating. We've already started communicating with our security team. It "may" be a false positive, but since we were able to reproduce on an internal device, we removed the package. If it's determined to be a false positive, we will allow the package to be re-submitted. The detection is coming from one of the most recent AV/PUA definition updates. We're investigating how frequently the definition updates are happening in our validation environment, and we're validating the rescan logic.

jonathandinu commented 1 year ago

FWIW, I've got the same detection (Trojan:Script/Wacatac.H!ml) when trying to downgrade to 4.17.0 using the official Docker Desktop 4.17.0 installer (SHA-256 69ea659b0ca0e160a1de9bd63dc5697f5eb89fff1d33484fb8ef9793e43d0d45) from their release notes. docker/for-win issue tracking here: https://github.com/docker/for-win/issues/13324#issuecomment-1483041947

So it likely is not a winget package specific issue and is related to Docker Desktop itself or Windows Defender.

thadwald commented 1 year ago

Installing a freshly downloaded version 4.17.1 this evening triggered windows defender also. Attempt to run the same version 4.17.1, but downloaded and installed without an issue earlier today, triggered windows defender with the same Trojan alarm.

tonholis commented 1 year ago

Mar 25, 2023

Same for me.

avgerion commented 1 year ago

ditto for 4.17.1. Does this mean Docker is compromised? Is there a known safe version available?

jan-baer commented 1 year ago

It's most probably a false positive. The latest windows defender update doesn't detect it anymore.

Mx7ca commented 1 year ago

I can't confirm that the latest Windows Defender update fixes the issue. I still get the error that the Docker Desktop 4.17.1 (101757) contains a virus or potentially unwanted software. My Windows Defender security updates are on version 1.385.1102.0

jwielink commented 1 year ago

Manifest extraction failed: Operation did not complete successfully because the file contains a virus or potentially unwanted software.

   at CommunityInstaller.InstallWorkflow.d30.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at CommunityInstaller.InstallWorkflow.d23.MoveNext()

I am also afflicted by this issue with version 4.17.1. I did not use winget; I downloaded the installer from the page https://docs.docker.com/desktop/install/windows-install/ .

Since the winget pkg is already pulled, I suggest removing it from there also.

scyto commented 1 year ago

https://github.com/docker/for-win/issues/13335 this is a docker issue not a winget issue

StefanScherer commented 1 year ago

Thanks for the heads-up. We at Docker are investigating this, but from what we can see at the moment we strongly believe it's a false positive.

You can also check the virustotal scan of the installer, which shows the correct checksum and doesn't report any malware.

We're sorry for the inconvenience/scares this might have caused.

@denelon Is there a way to work together or how to escalate that to get it double checked with Window Defender? The official submit form only allows 500MB uploads.

maksoid commented 1 year ago

Hello, faced the same issue.

shawnaxsom commented 1 year ago

Update from our Docker GitHub Issue, we still believe it is a false positive.

So far we're seeing some users report success with our latest v4.17.1 installation when updating to Microsoft Defender's latest version v1.385.1188.0 released today.

See: https://github.com/docker/for-win/issues/13335#issuecomment-1484217706

BrandonWanHuanSheng commented 1 year ago

I am still communicating with the Microsoft Team.

StefanScherer commented 1 year ago

With Windows Defender 1.385.1217.0 I’m able to install DD 4.17.0 and 4.17.1 without any error.

BrandonWanHuanSheng commented 1 year ago

Don't install docker.

denelon commented 1 year ago

@StefanScherer feel free to e-mail me directly. I'd be happy to share progress.

shawnaxsom commented 1 year ago

We've released Docker Desktop v4.18.0 yesterday, which has never been flagged with an assumed false positive.

We've also had no recent reports of assumed false positive flagging within newer definitions of Windows Defender with Docker Desktop v4.17.0 and v4.17.1.

@denelon I see Winget is still on v4.16.3, can the team look at reinstating the latest versions of Docker Desktop (v4.17.0, v4.17.1, or at least v4.18.0)?

denelon commented 1 year ago

@shawnaxsom I'm waiting for the appropriate response from our internal security teams. If it is confirmed as a false positive we will be able to reinstate as soon as PUA definitions are updated, and we aren't getting detections.

BrandonWanHuanSheng commented 1 year ago

Can Install Docker

denelon commented 1 year ago

All, we've gotten the response from our security team. There are no detections associated with the installer. The manifests may be resubmitted.

If anyone does get a detection, there is a process to clear cached detections and apply the latest security intelligence update. If you still get a detection after this, please capture support log files, submit a report with the log files captured, and share the submission ID with us. If you would prefer not to post the submission ID via GitHub, you can e-mail the submission ID to winget-feedback@microsoft.com.

Clear cached detections

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
  3. Run "MpCmdRun.exe -SignatureUpdate"

Apply latest security intelligence update

https://www.microsoft.com/en-us/wdsi/definitions

If the detection is still observed

Do not share the logs via GitHub or expose them externally.

On Windows 10, from an elevated command prompt, navigate to directory c:\program files\windows defender and execute mpcmdrun.exe with option GetFiles:

  mpcmdrun.exe -GetFiles

On Windows 7, from an elevated command prompt, navigate to directory c:\program files\microsoft security client and execute mpcmdrun.exe with option GetFiles:

  mpcmdrun.exe -GetFiles

All created log files will be compressed into MPSupportFiles.cab and saved to folder C:\ProgramData\Microsoft\Windows Defender\Support\

Please send the MPSupportFiles.cab collected by following the instructions above through the web portal https://aka.ms/wdsi and share the submission ID with us.
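The PowerShell script below is an added example; it is not part of this thread, the winget-pkgs repository, or Docker's tooling. It strings together the triage steps from the comment above (hash check of the downloaded installer, clearing cached detections, updating signatures, re-scanning just that file, and collecting the support bundle if a detection persists) so the whole sequence can be run and its results recorded in one go. It assumes `$InstallerPath` points at the installer you downloaded; the default `$ExpectedSha256` is the value jonathandinu posted for the official 4.17.0 installer, and you should replace it with the published hash of whatever version you are testing.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the issue thread or the winget project): triage a Defender
# detection on a downloaded installer following the steps in denelon's comment.
# Assumptions: $InstallerPath is supplied by you; the default $ExpectedSha256 is the
# SHA-256 posted in this thread for the official 4.17.0 installer.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [string] $ExpectedSha256 = '69ea659b0ca0e160a1de9bd63dc5697f5eb89fff1d33484fb8ef9793e43d0d45'
)

$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }

# 1. Confirm the file is the one the vendor published before touching Defender state.
$actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Hash mismatch: got $actual, expected $ExpectedSha256. Do not proceed."
}
Write-Host "Installer hash matches the published SHA-256."

# 2. Record the signature version before the update so a report is reproducible.
$before = Get-MpComputerStatus
Write-Host "Signature version before: $($before.AntivirusSignatureVersion)"

# 3. Clear cached/dynamic signatures and fetch the latest signature update
#    (the two MpCmdRun steps listed under "Clear cached detections").
& $mpCmdRun -RemoveDefinitions -DynamicSignatures
& $mpCmdRun -SignatureUpdate

$after = Get-MpComputerStatus
Write-Host "Signature version after:  $($after.AntivirusSignatureVersion)"

# 4. Re-scan only the installer (custom scan, ScanType 3) with the refreshed signatures.
#    MpCmdRun exit code 0 means nothing was found; 2 means a threat was found.
& $mpCmdRun -Scan -ScanType 3 -File $InstallerPath
$scanExit = $LASTEXITCODE

# 5. If a detection persists, show the most recent detection records and collect the
#    support bundle for the https://aka.ms/wdsi submission. The .cab stays off public issues.
if ($scanExit -ne 0) {
    Get-MpThreatDetection |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object -First 5 |
        Format-List ThreatID, Resources, InitialDetectionTime
    & $mpCmdRun -GetFiles
    $cab = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Support\MPSupportFiles.cab'
    Write-Host "Detection persists with signature version $($after.AntivirusSignatureVersion); support bundle at $cab"
} else {
    Write-Host "No detection with signature version $($after.AntivirusSignatureVersion)."
}
```

Run it from an elevated PowerShell as `.\Triage-DefenderDetection.ps1 -InstallerPath 'C:\path\to\Docker Desktop Installer.exe'`. The hash check comes first on purpose: a detection on a file whose hash does not match the vendor's published value is a different problem from a false positive on the genuine installer, and the signature versions printed before and after are what the thread's reporters needed to compare (1.385.1102.0 still detecting, 1.385.1188.0 and 1.385.1217.0 not).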