pal1000 / Realtek-UAD-generic

An unofficial package of generic Realtek Universal Audio Driver made from parts of various OEM-specific Realtek Universal Audio drivers, intended to work on legacy systems lacking OEM UAD support.

Virus Detected in Unofficial-Realtek-UAD-generic-6.0.9632.1 - Possible false positive. #159

Open rfpm opened 7 months ago

rfpm commented 7 months ago

When downloading "Unofficial-Realtek-UAD-generic-6.0.9632.1.7z" Windows Defender will automatically flag the file and class it as a severe virus, stating:

Detected: Trojan:Script/Wacatac.B!ml Status: Removed Details: This program is dangerous and executes commands from an attacker.

file: C:\Users\\Downloads\Unofficial-Realtek-UAD-generic-6.0.9632.1.7z webfile: C:\Users\\Downloads\Unofficial-Realtek-UAD-generic-6.0.9632.1.7z|about:internet|pid:864,ProcessStart:133523368934018872

DymondZ commented 7 months ago

Can confirm.


Weirdo1312 commented 6 months ago

Looks like it's related to "nircmd.exe" and "nircmdc.exe". According to this, users are reporting that it's a false positive, but you never know.

pal1000 commented 6 months ago

Nircmd falls in the category of riskware. It's safe on its own, but malware can do nasty things if it's using it.

This is what Realtek UAD Generic does with NirCMD.

j77h commented 6 months ago

It's a 7z file. A lot of clean 7z files are getting blocked by Defender. Google for "defender" "7z" "wacatac".

rfpm commented 5 months ago

> Nircmd falls in the category of riskware. It's safe on its own, but malware can do nasty things if it's using it.
>
> This is what Realtek UAD Generic does with NirCMD.

Thanks for the answer, this makes sense for NirCMD, but Windows is identifying this as "Trojan:Script/Wacatac.B!ml"; is this not different?

It's showing the same for "Unofficial-Realtek-UAD-generic-6.0.9655.1.7z": "Trojan:Script/Wacatac.B!ml".

pal1000 commented 5 months ago

Windows Defender doesn't complain about NirCMD. It instead complains about the setup script. The Trojan:Script/Wacatac.B!ml detection has been a constant source of false positives since the Microsoft Security Essentials era, wrongly fired by heuristics when Microsoft AV scanners analyze scripts. Unfortunately I don't know in which script the false positive is fired.

rfpm commented 4 months ago

Thanks for the responses; the randomness of it is curious. It showed up in the Feb 13 release, then it was fine in the Mar 6 release, then once again showed up in either the Mar 12 or Apr 8 release (I can't quite remember which). Not sure I checked the Apr 30 release, but now again with the latest version today there seems to be no issue.

j77h commented 4 months ago

I believe it's because of Windows Defender's AI wrongly suspecting that some 7z files are infected. The AI is not consistent with its diagnoses.

I tested a few weeks ago and saw it change its mind about the exact same files from one day or hour to the next. I used different VMs to avoid the effect of having downloaded to the machine from the same site before.

This was only when downloading in Edge. When I sideloaded the same files from a VM shared folder and scanned them with Defender, it did not detect malware. So in security settings I turned off download checking. No problems since.
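The thread above touches three things a user can check for themselves before deciding whether a Wacatac.B!ml hit on a downloaded archive is real: whether the file carries the Internet Mark-of-the-Web (the "about:internet" tag in the first report is what makes Defender scan it on arrival), what the file's hash is so the same bytes can be compared against the published release and re-scanned later, and what Defender itself recorded about the detection. The PowerShell below is an added triage helper, not code from the Realtek-UAD-generic project or from any participant in this thread. It assumes the archive path under Downloads (a placeholder; the same name the first report used), Windows 10/11 with the built-in Defender module, and an elevated prompt for the quarantine listing at the end.

```powershell
# Added triage helper, not part of the Realtek-UAD-generic project.
# Assumes: the placeholder path below, Windows 10/11 with the built-in
# Defender PowerShell module, and an elevated prompt for the final step.
param(
    [string]$ArchivePath = "$env:USERPROFILE\Downloads\Unofficial-Realtek-UAD-generic-6.0.9632.1.7z"
)

$leaf = Split-Path -Path $ArchivePath -Leaf

if (Test-Path -LiteralPath $ArchivePath) {
    # 1. Mark-of-the-Web: a Zone.Identifier stream with ZoneId=3 marks the file
    #    as an Internet download; that is why a browser download is scanned on
    #    arrival while a copy sideloaded from a shared folder may not be.
    $zone = Get-Content -LiteralPath $ArchivePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) {
        "Zone.Identifier stream:`n" + ($zone -join "`n")
    } else {
        "No Zone.Identifier stream: the file was not tagged as an Internet download."
    }

    # 2. SHA-256 of the bytes on disk. An ML verdict can change from one day to
    #    the next; the hash of an unchanged file cannot, so this is the value to
    #    compare against the release and to keep for a later rescan.
    "SHA256: " + (Get-FileHash -LiteralPath $ArchivePath -Algorithm SHA256).Hash
} else {
    "File not present on disk (Defender may already have quarantined it)."
}

# 3. Defender's own detection records for this file name, joined to the
#    threat name so the Wacatac.B!ml label and the detecting process are visible.
$threatsById = Get-MpThreat | Group-Object -Property ThreatID -AsHashTable -AsString
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($leaf) } |
    ForEach-Object {
        $name = if ($threatsById -and $threatsById.ContainsKey("$($_.ThreatID)")) {
            $threatsById["$($_.ThreatID)"].ThreatName
        } else { "(ThreatID $($_.ThreatID))" }
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            Threat     = $name
            Remediated = $_.ActionSuccess
            Process    = $_.ProcessName
            Resources  = ($_.Resources -join '; ')
        }
    } | Format-List

# 4. List quarantine contents. This shows whether the archive as a whole or a
#    script extracted from it is what was taken, which is the question raised
#    in the thread about where the detection actually fires.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
```

The resource strings Defender records (the "file:" and "webfile:" entries with the process id, as in the first report) come back in the Resources column, so a detection that names a script inside the extracted tree rather than the .7z itself is visible without guessing. If the hash matches the published release and the quarantine entry is the setup script rather than the archive, the file is a candidate for Microsoft's false-positive sample submission rather than something to run around; turning off download scanning, as the last comment describes, removes the check for every future download, not just this one.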