odin-lang / Odin

Odin Programming Language
https://odin-lang.org
BSD 3-Clause "New" or "Revised" License

Windows Defender claims "Win32/Wacatac.B!ml" is found in Odin compiled exe #3195

Closed sortofsleepy closed 5 months ago

sortofsleepy commented 5 months ago

👋 Hello! Came across Odin not too long ago. Given the unfortunate state of tech at the moment I find myself with a lot of free time, Odin looked interesting and so I thought I'd give it a try today.

Or so I thought... *cue dramatic music

I'm assuming what I'm experiencing is just a false positive, but just to be safe, I thought I ought to bring it up first. I somehow failed to notice the release I downloaded was a nightly - is that possibly part of the issue?

Thanks! 🍻

Context

The following Odin program

package main

import "core:fmt"

main :: proc(){
    fmt.println("HELLO")
}

when built and run, causes Windows Defender (assuming it's passively active) to quarantine the resulting .exe, claiming it's associated with the trojan Win32/Wacatac.B!ml.

System

  Odin: dev-2024-02-nightly:539cec74
  OS:   Windows 11 Professional (version: 23H2), build 22631.3007
  CPU:  AMD Ryzen 9 5900X 12-Core Processor
  RAM:  32669 MiB

Expected Behavior

Windows Defender should not get triggered and not claim to find a Trojan.

Current Behavior

Windows Defender claims a Trojan exists.

Steps to Reproduce

  1. Make sure Windows Defender is turned on and actively scanning.
  2. Make sure program folder and/or above trojan name is not excluded.
  3. Build and attempt to run the above program.
  4. This should trigger Defender.

gingerBill commented 5 months ago

This is a false positive. If you want to make sure it doesn't happen, you can recompile the compiler yourself very easily.

sortofsleepy commented 5 months ago

Sounds good! Thanks for the quick response.

Kelimion commented 5 months ago

I'm unable to replicate it on an up-to-date Windows 10. Is there a way to submit the executable to Microsoft for analysis from the quarantine? It's definitely a false positive as Bill says.

sortofsleepy commented 5 months ago

@Kelimion I'm not sure as I've never tried to submit anything. That said, it probably isn't a good idea; from the quick research I did it does sound like a legitimate Trojan (not in this particular situation of course). (EDIT: sorry, lack of sleep - I'm dumb, of course it's legitimate)

But it might be good to add a note to the readme or something along those lines mentioning that it might be possible to run into this.

sortofsleepy commented 5 months ago

@gingerBill @Kelimion - sorry to bother again but just an FYI, I just tried things after rebuilding the compiler from the master branch and things are still getting flagged for some reason.

Will add project to my exceptions list but it might be good to make a note somewhere in case it comes up for someone else.

doongjohn commented 4 months ago

I'm having the same issue 😢 (Windows 11, odin: dev-2024-02).

sortofsleepy commented 4 months ago

@doongjohn I know I checked but since I couldn't quite remember the results, I just double checked again with another malware scanner (Malwarebytes) and it didn't report anything; given that and Kelimion's results, I wouldn't worry about it.

Just add your project folder to the whitelist for Defender and that should stop it from automatically trying to clean up the executable.

Kelimion commented 4 months ago

Antivirus machine learning heuristics are notoriously prone to false positives. Compiling Odin from source rather than using the release zip may also help.

karl-zylinski commented 4 months ago

I think there is some confusion here. The person who created the issue says that the exe that the compiler outputted gets the false virus flag. I.e. it is not the Odin compiler that gets flagged, but the exe the compiler outputs. Using the precompiled odin compiler or compiling the odin compiler yourself does not have any impact on this as far as I know.

When I released my game on itch people who downloaded it had Windows Defender claim it contained the Win32/Wacatac.B!ml trojan and the exe was removed.

What I did to work around this:

  1. Go to https://www.virustotal.com/ and upload your exe. Pay special attention to whether it gets flagged by Microsoft or not. Even if it doesn't get flagged as a trojan on your computer by Windows Defender, it might on others', so check using that site (Windows Defender did not find anything on my exe even if I right-clicked and chose scan, but it automatically deleted the exe for people who downloaded my game).
  2. If it does get flagged, try just fiddling around with recompiling it with slightly different compiler flags and check again.
  3. Go here https://www.microsoft.com/en-us/wdsi/filesubmission and submit your false-positive exe.

Somehow I got my exe fixed, maybe it was because of step 3, but I'm not sure. Just make sure virustotal.com does not mark it as infected (especially not by Microsoft) before sending it out.

In any case, it does seem like the Odin compiler somehow outputs exes that for some reason look similar specifically to the Win32/Wacatac.B!ml trojan, regardless of whether you built the Odin compiler locally or not.
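The VirusTotal check in step 1 above can be automated so a build step fails before you ship an exe that the Microsoft engine flags. The script below is an added example written for this thread, not code from the Odin project or from anyone in the discussion. It hashes the built exe, optionally looks the hash up with the VirusTotal v3 API (the `/api/v3/files/{sha256}` endpoint and the `x-apikey` header are the real API; an API key in the assumed `VT_API_KEY` environment variable is needed for that path), and then reduces the report to the detail a developer cares about: which engines flagged the file and whether "Microsoft" (the engine name VirusTotal uses for Defender) is among them. The embedded `SAMPLE_REPORT` is a constructed response in the v3 shape so the summary logic runs offline.

```python
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

# Real VirusTotal v3 endpoint; lookup by hash does not upload the binary.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_of_file(path):
    """Hash the built executable so it can be looked up without uploading it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_report(report, watch_engines=("Microsoft",)):
    """Reduce a VirusTotal v3 file report to what a developer wants to know.

    Returns the malicious/suspicious counts, a mapping of every engine that
    flagged the file to its verdict string, and whether any engine listed in
    `watch_engines` is among them (Defender reports under "Microsoft").
    """
    attrs = report["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    flagged = {
        name: r.get("result")
        for name, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    }
    stats = attrs.get("last_analysis_stats", {})
    return {
        "sha256": attrs.get("sha256"),
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "flagged_by": flagged,
        "watched_engine_hit": any(e in flagged for e in watch_engines),
    }


def fetch_report(sha256, api_key):
    """Live lookup (needs network and an API key); None if VT has never seen the hash."""
    req = urllib.request.Request(
        VT_FILE_URL.format(sha256=sha256), headers={"x-apikey": api_key}
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


# Constructed sample report in the v3 response shape (not a real VT result),
# modelling the situation in this thread: only Microsoft flags the file.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "sha256": "0" * 64,
            "last_analysis_stats": {"malicious": 1, "suspicious": 0, "undetected": 70},
            "last_analysis_results": {
                "Microsoft": {"category": "malicious", "result": "Win32/Wacatac.B!ml"},
                "Malwarebytes": {"category": "undetected", "result": None},
                "Kaspersky": {"category": "undetected", "result": None},
            },
        }
    }
}


if __name__ == "__main__":
    # usage: python vt_check.py path/to/built.exe   (no argument: run on SAMPLE_REPORT)
    if len(sys.argv) > 1:
        digest = sha256_of_file(sys.argv[1])
        key = os.environ.get("VT_API_KEY")  # assumed env var name
        report = fetch_report(digest, key) if key else None
        if report is None:
            print(f"{digest}: no VirusTotal report (unknown hash or no VT_API_KEY set); "
                  "upload it via the web UI instead")
            sys.exit(0)
    else:
        report = SAMPLE_REPORT
    summary = summarize_report(report)
    print(json.dumps(summary, indent=2))
    # Non-zero exit makes a release pipeline stop before the exe is distributed.
    sys.exit(1 if summary["watched_engine_hit"] else 0)
```

A hash lookup only tells you what VirusTotal already knows; a freshly built exe that nobody has scanned yet returns no report, so the first scan of each new build still has to go through the upload in the web UI (or the upload endpoint, not shown here). The exit code is the useful part: gating a release on `watched_engine_hit` catches the case Karl describes, where the developer's own Defender stays quiet but the Microsoft engine flags the file for people who download it.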

karl-zylinski commented 4 months ago

I just had this issue today again. Like I said above, I reported it to MS using this link https://www.microsoft.com/en-us/wdsi/filesubmission (choose the 'software developer' option). When I finished the false positive report on there and uploaded the exe, the site said that it did not contain a virus. After that I did a rescan using virustotal.com. And behold: the detection from Microsoft was gone.

karl-zylinski commented 4 months ago

I take the statement above back. Suddenly Windows Defender started removing the file again, which was OK 5 mins ago. Now Microsoft online says that my file is clean, but my computer says it is not, despite having up-to-date Windows Defender definitions.

karl-zylinski commented 4 months ago

@doongjohn @sortofsleepy A good idea might be to submit any exe this happens with to MS on this link https://www.microsoft.com/en-us/wdsi/filesubmission -> choose 'software developer'. When you make the report make sure to write what trojan the false detection is, and also tell them it was compiled using the Odin Programming Language compiler and that this kind of false detection tends to happen often with programs compiled using the Odin compiler. I'm trying to make them notice this issue, hopefully at some point their heuristics learn to recognize the harmless Odin programs :)