pyfa-org / Pyfa

Python fitting assistant, cross-platform fitting tool for EVE Online
GNU General Public License v3.0

pyfa-v2.57.0-win.exe reported as Trojan:Win32/Wacatac.B!ml in Windows Defender #2550

Closed diamondmx closed 7 months ago

diamondmx commented 7 months ago

Bug Report

[screenshot]

Windows Defender reports latest patch as Trojan:Win32/Wacatac.B!ml

Expected behavior:

No infection warnings

Actual behavior:

Windows believes this file contains a specific threat

Detailed steps to reproduce:

Run latest windows installer, then execute PyFA

Fits involved in EFT format (Edit > To Clipboard > EFT):

N/A

Release or development git branch? Please note the release version or commit hash:

pyfa-v2.57.0-win.exe

Operating system and version (eg: Windows 10, OS X 10.9, OS X 10.11, Ubuntu 16.10):

Win10 Home 22H2

Other relevant information:

Previous install (2 versions ago) did not trigger this warning, merely the unknown program warning.

DarkFenX commented 7 months ago

Older versions use a very old pyinstaller version (I upgraded from pyinstaller 3.6 to 6.2 this release). Given it has lots of security issues, I'd try to stay on the current one if possible.

There are lots of reports in the pyinstaller repository: https://github.com/pyinstaller/pyinstaller/issues?q=is%3Aissue+trojan+is%3Aclosed Specifically on this trojan version: https://github.com/pyinstaller/pyinstaller/issues?q=is%3Aissue+wacatac+is%3Aclosed

Seems like the only way to deal with it is to report it to Microsoft as a false positive, and add an exception (is there a way to do it?) as a temporary measure. What the pyinstaller maintainers say about the issue (here):

The reason that this is happening only on the latest PyInstaller is because the cycle of PyInstaller users reporting false positives to MS Defender Services -> MS Defender memorises the new bootloaders baked into PyInstaller built programs and adds it to its whitelist -> that whitelist gets put into a security update -> you install said update on your machine (probably automatically). This happens every new release...

Given that it's demonstrated that it is nothing more than a big cache of checksums (just much less efficient), I generally recommend that you turn MS Defender off.

The only way I could fix that is downgrading pyinstaller until the first version which doesn't get false positives, but even if nothing breaks, it will take effort and time.

DarkFenX commented 7 months ago

For the reference:

The zip has quite a few reds, but I guess it's because pyinstaller 6.2 was released just 3 weeks ago: https://github.com/pyinstaller/pyinstaller/releases/tag/v6.2.0 (and the exe doesn't get them because some AV tools can't read Inno Setup files).

Madman045 commented 7 months ago

Hi, not just Windows Defender, Bitdefender is also reporting it as an infected file, this time it's W64/S-4497c8ad!Eldorado

Virus Total also confirms this

[screenshot]

DarkFenX commented 7 months ago

I know. I just linked it. Doesn't make it a true positive nevertheless. Anyone who's able to read the code can inspect the diff between v2.57.0 and v2.56.0 and see there is no trojan.

Tomorrow I will try building with older pyinstaller versions (e.g. 6.1.0 and 6.0.0) and see how AV monitors react to that. If it solves the issue, I can move to those just for windows.

PlutusPleion commented 7 months ago

Hybrid-Analysis:

https://www.hybrid-analysis.com/sample/34bb4da701f57403a9df423cf9551404ccf41586b930fd9432ffbda795cbbcff

100% malicious? Can we get a 3rd party opinion? Do I need to reinstall windows?

DarkFenX commented 7 months ago

It has happened before multiple times. Once it even reached reddit, you can read it here.

Don't reinstall windows (although I won't hold you back if you really want to).

If you are really paranoid, you can take those steps to ensure build wasn't compromised by me (or ask an IT guy you trust):

This should prove that there was no tampering with code on my side.

Or just upload it to VirusTotal and see for yourself that most AV monitors don't detect anything. Follow the links I provided above for an explanation of why new versions of pyinstaller trigger it. Since this issue keeps reappearing, I am really annoyed about the way (mostly) lower-end AV tools handle it (or, rather, I share the sentiment of the pyinstaller development team).

As I said, I will try rolling back pyinstaller versions one by one and using virustotal to see which one is mostly red-free. But, it will take time.
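The two checks suggested in this thread, hashing the download and reading the per-engine results rather than the red counter, as an added example that is not part of pyfa or PyInstaller. The script hashes a local file so it can be looked up by SHA-256 on VirusTotal or Hybrid Analysis without uploading it, then triages a report in the field layout of the VirusTotal v3 `last_analysis_results` object. The embedded report is constructed for illustration (it is not a real scan of the pyfa installer), and the list of substrings used to call a detection name "generic/ML" is this script's own assumption, not a vendor mapping:

```python
"""Hash a release artifact and triage a multi-engine AV report.

Added example; not code from the pyfa or PyInstaller projects.
Run with a path to hash that file, or with no arguments to triage the
constructed sample report below.
"""
import hashlib
import hmac
import sys
from typing import Dict, List, Tuple

# Assumption (not an authoritative vendor mapping): detection names containing
# these substrings are generic or machine-learning verdicts rather than a
# signature for a specific malware family. "!ml" is Microsoft's ML suffix;
# "!Eldorado" is a generic/heuristic suffix seen on the BitDefender hit above.
HEURISTIC_MARKERS = ("!ml", "eldorado", "generic", "heur", "gen:", "susp")

# Constructed sample in the shape of VirusTotal v3 `last_analysis_results`
# (engine -> {"category", "result"}). Ten engines, two hits, both generic.
SAMPLE_RESULTS: Dict[str, Dict[str, object]] = {
    "Microsoft": {"category": "malicious", "result": "Trojan:Win32/Wacatac.B!ml"},
    "BitDefender": {"category": "malicious", "result": "W64/S-4497c8ad!Eldorado"},
    "EngineA": {"category": "undetected", "result": None},
    "EngineB": {"category": "undetected", "result": None},
    "EngineC": {"category": "undetected", "result": None},
    "EngineD": {"category": "undetected", "result": None},
    "EngineE": {"category": "undetected", "result": None},
    "EngineF": {"category": "undetected", "result": None},
    "EngineG": {"category": "type-unsupported", "result": None},
    "EngineH": {"category": "undetected", "result": None},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a large installer is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time, case-insensitive comparison against a published hash."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.strip().lower())


def is_heuristic_label(label: str) -> bool:
    low = label.lower()
    return any(marker in low for marker in HEURISTIC_MARKERS)


def triage(results: Dict[str, Dict[str, object]]) -> dict:
    """Split hits into generic/ML labels and named-family labels.

    Verdict rule (this script's assumption): only generic labels, and no more
    than max(3, 10% of engines) hits, reads as a likely false positive for a
    freshly built binary; any named-family hit, or a large hit count, needs a
    closer look (diff the release, rebuild from source, ask the maintainer).
    """
    flagged: List[Tuple[str, str]] = []
    for engine, r in results.items():
        if r.get("category") in ("malicious", "suspicious"):
            flagged.append((engine, str(r.get("result") or "")))
    heuristic = [(e, lbl) for e, lbl in flagged if is_heuristic_label(lbl)]
    named = [(e, lbl) for e, lbl in flagged if not is_heuristic_label(lbl)]
    total = len(results)
    if not flagged:
        verdict = "clean"
    elif not named and len(flagged) <= max(3, total // 10):
        verdict = "likely-false-positive"
    else:
        verdict = "investigate"
    return {
        "engines": total,
        "flagged": len(flagged),
        "heuristic": len(heuristic),
        "named": len(named),
        "hits": flagged,
        "verdict": verdict,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Look this value up by hash instead of uploading the binary.
        print("sha256", sha256_of_file(sys.argv[1]))
    report = triage(SAMPLE_RESULTS)
    for engine, label in report["hits"]:
        kind = "generic/ML" if is_heuristic_label(label) else "named family"
        print(f"{engine:12s} {label}  [{kind}]")
    print(f"{report['flagged']}/{report['engines']} hits -> {report['verdict']}")
```

Looking the hash up rather than uploading also avoids contributing yet another fresh sample to the "new binary nobody has run yet" signal that the thread describes Defender reacting to.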

DarkFenX commented 7 months ago

pyinstaller 6.1.0:

Seems to be much better. I will fix some issues related to linux build and make a release later today/tomorrow.

DarkFenX commented 7 months ago

Fixed in v2.57.1

lynkfox commented 7 months ago

FYI, it's popped back up in 2.57.2 on Windows, same threat.

DarkFenX commented 7 months ago

I don't see anything flipping back, at least on VirusTotal. I also didn't change anything relevant. Make a screenshot of the issue. I suspect it's the regular warning of Defender when it sees a new binary which wasn't launched by a sufficient number of users. If not... no idea why it could flip back.

lynkfox commented 7 months ago

Oh don't worry I 100% know it's a false positive - as you said earlier the code is clear. And I looked to see if an old file got reverted too in the commits :)

[screenshot]

(Date is EU format d/m/y)