nwjs / nw.js

Call all Node.js modules directly from DOM/WebWorker and enable a new way of writing applications with all Web technologies.
https://nwjs.io
MIT License

Windows Defender flagged nw.exe as Trojan:Win32/Doplik #8054

Closed andreescocard closed 1 year ago

andreescocard commented 1 year ago

Current/Missing Behavior

After the download finishes, Windows Defender pops up a message showing threats were found. VirusTotal flags it as a virus too: https://www.virustotal.com/gui/file/4906524473eb3f7b530d4993906f4418141aba025dced23a4f541ddd110769ec

Expected/Proposed Behavior

Windows Defender not flagging executable as trojan.

Additional Info

ElPrudi commented 1 year ago

Same here on Windows 10. Can't build anything with nw-builder without Windows Defender automatically deleting the executable.

rogerwang commented 1 year ago

This is a false positive in Windows Defender.

ElPrudi commented 1 year ago

Yes, but that should not be a thing at all. I can't create apps built on nw.js if the user has to explicitly allow it to run, or in my case, download it again because Windows Defender automatically deletes the executable.

bluthen commented 1 year ago

How do you control what malware/antivirus programs want to do?

I think some malware writers use things like nwjs, python, pyinstaller, node, and other open source software. In turn, sometimes the signatures for those end up in the vendors' database and legit software ends up getting flagged.

  1. For the software I work on, we give instructions to whitelist our software for different antivirus/malware detectors.
  2. Make sure our executable/installer are signed.
  3. If particular complaints keep coming up, we try to submit our app as something unfairly detected to the vendor of the antivirus/malware. https://www.microsoft.com/en-us/wdsi/filesubmission

But also see comments in #7725 #6507 #5457 #4023 #3946 #7418

jssuttles commented 1 year ago

I ran into this today. Windows Defender removed my entry point html file.

anker9 commented 1 year ago

Looks like u ar' tryin' to put zipped sources into nw.exe and then run nw.exe. It's really 'fine' malware tactic - put self-data to normal .exe, so WD triggered(( Btw i have same issue)))) In dat case i 'solved' this just using Enigma Virtual Box from nwjs docs
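The packaging method described in the comment above (application files zipped and appended to nw.exe) leaves data past the last PE section, which is one way a repackaged build differs from the stock binary. As an added example, not part of the thread or of the NW.js project, this Python sketch reports that trailing data and lists any ZIP entries in it; all function names are hypothetical, and `make_sample_exe` / `make_app_zip` build constructed sample input rather than a real nw.exe.

```python
import io
import struct
import zipfile

def pe_overlay_offset(data: bytes) -> int:
    """File offset where the last PE section's raw data ends."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # first section header
    end = table + 40 * num_sections           # headers are 40 bytes each
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def describe_overlay(data: bytes) -> dict:
    """Report data stored past the PE image and list ZIP entries found there."""
    start = pe_overlay_offset(data)
    overlay = data[start:]
    names = []
    # Note: an Authenticode certificate table also lives past the last section.
    if overlay and zipfile.is_zipfile(io.BytesIO(overlay)):
        with zipfile.ZipFile(io.BytesIO(overlay)) as zf:
            names = zf.namelist()
    return {"overlay_offset": start, "overlay_size": len(overlay), "zip_entries": names}

def make_app_zip() -> bytes:
    """Constructed sample: a tiny app archive (package.json + index.html)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package.json", '{"name": "demo", "main": "index.html"}')
        zf.writestr("index.html", "<h1>demo</h1>")
    return buf.getvalue()

def make_sample_exe(payload: bytes = b"") -> bytes:
    """Constructed sample: minimal PE-shaped headers, one 16-byte section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    sect = struct.pack("<8s6I2HI", b".text", 16, 0x1000, 16, 0x80, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + sect + b"\x90" * 16 + payload

if __name__ == "__main__":
    print(describe_overlay(make_sample_exe()))
    print(describe_overlay(make_sample_exe(make_app_zip())))
```

On a real build, a nonzero `overlay_size` with `package.json` among `zip_entries` indicates the app was appended to the executable rather than shipped beside an unmodified nw.exe.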

ayushmanchhabra commented 1 year ago

https://github.com/nwjs/nw.js/issues/8054#issuecomment-1497841550

ElPrudi commented 1 year ago

Really? Just randomly close it?

Damn, this is getting more and more hilarious.

bluthen commented 1 year ago

What is a better solution @ElPrudi ? I don't like things getting flagged either, but again, how do you control what those vendors do?

andreescocard commented 1 year ago

I am just curious to understand why, using Electron, the executable doesn't get flagged the same way. Anyway, I gave up using nw.js; having everyone who will use the software add it to a whitelist is not viable for me.

bluthen commented 1 year ago

@andreescocard It does happen to electron also, but maybe there are more people to submit builds to the malware detector vendors:

https://github.com/electron/electron/issues/4485

Electron also I think signs their builds. Anyway good luck!

top-5 commented 10 months ago

This issue happens with both Windows Defender and Kaspersky, which both identify nw.exe as the culprit: Trojan:Win32/Doplik - This program is dangerous and executes commands from an attacker.