suurjaak / h3sed

Heroes3 Savegame Editor
MIT License

Trojan Trojan:Win32/Wacatac.B!ml found in Windows executable #7

Closed (arnehaese closed this issue 4 months ago)

arnehaese commented 4 months ago

Hi,

the executables (standalone and the one in the setup downloadable on https://suurjaak.github.io/h3sed/downloads.html) are infected with Trojan:Win32/Wacatac.B!ml - you might want to recompile :)

Thx, best, A

suurjaak commented 4 months ago

There is no infection here. It's just that antivirals often get triggered by PyInstaller-packaged executables, apparently since such packaging uses methods that are often also used by actual trojans (PyInstaller has dozens of issues on this: https://github.com/pyinstaller/pyinstaller/issues?q=is%3Aissue+trojan).

The only solution has been to contact those specific antivirals individually and ask them to run a proper full analysis. If and when they have responded, the resolution has always been acknowledging that the detection was a false positive. It's like an endless game of whack-a-mole..

Where did this specific infection report come from? Current reports on www.virustotal.com list a few detections for each of the released binaries, pretty much all of them different and none of them Wacatac.B!ml:

arnehaese commented 4 months ago

Thx for the quick answer - I see, had something similar some years ago with AutoIt automation on Windows, did not guess this could be similar here - sorry for any confusion I might have caused.

Thx a lot, best, A

PS: Great tool!

suurjaak commented 4 months ago

Thank you!

Where did this infection notice come from? If it came from Microsoft Defender or the like, I can try contacting them to run a proper analysis and whitelist the application, because a built-in antivirus flagging the program makes it quite impossible for people to use..

arnehaese commented 4 months ago

Indeed Microsoft Defender on up-to-date patched Win 11 - thx a lot :)

suurjaak commented 4 months ago

Thank you, I've submitted a false-positive report to Microsoft.

Will keep this issue open for now.

suurjaak commented 4 months ago

So far, so good, screenshot from the Microsoft Security website:

[screenshot]

Guess we need to wait for a human to look it over.

suurjaak commented 4 months ago

Good news:

Analyst comments:

At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to C:\Program Files\Windows Defender
  2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
  3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus
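The three analyst steps above clear Defender's cached cloud verdict and pull fresh definitions, but they do not tell you whether the binary is actually clean afterwards. The script below is an added example, not part of this issue thread or of the h3sed project: it runs the same two MpCmdRun.exe commands, records the signature version before and after, then rescans only the downloaded executable and reports any detection logged by that scan. It assumes an elevated PowerShell prompt on Windows 10/11 with the built-in Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature, Start-MpScan, Get-MpThreatDetection) and MpCmdRun.exe at its default location; the executable path in $ExePath is a placeholder.

```powershell
# Added example (not from the h3sed issue thread or project): clear Defender's cached
# dynamic signatures, update definitions, and rescan one file to confirm a removed
# false positive is really gone. Run from an elevated PowerShell prompt.
param(
    # Placeholder path; point this at wherever the downloaded binary actually sits.
    [string]$ExePath = "$env:USERPROFILE\Downloads\h3sed.exe"
)

$mpCmdRun = Join-Path $env:ProgramFiles "Windows Defender\MpCmdRun.exe"
if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }
if (-not (Test-Path $ExePath))  { throw "Executable not found at $ExePath" }

# Record the signature version so the update step is visibly effective.
$before = (Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Signature version before update: $before"

# Step 1: drop cached dynamic (cloud-delivered) signatures, which carry the stale verdict.
& $mpCmdRun -RemoveDefinitions -DynamicSignatures | Out-Null

# Step 2: fetch the latest definitions (same effect as 'MpCmdRun.exe -SignatureUpdate').
Update-MpSignature

$after = (Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Signature version after update:  $after"

# Step 3: rescan only the file in question and look for detections raised by this scan.
# The SHA-256 is printed so the result can be tied to the exact binary that was scanned.
$hash = (Get-FileHash -Algorithm SHA256 -Path $ExePath).Hash
Write-Host "SHA-256 of $ExePath : $hash"

$scanStart = Get-Date
Start-MpScan -ScanType CustomScan -ScanPath $ExePath

# Get-MpThreatDetection also lists historical detections, so filter on the scan start
# time as well as on the path; otherwise the earlier false positive would still show up.
$hits = Get-MpThreatDetection | Where-Object {
    $_.InitialDetectionTime -ge $scanStart -and ($_.Resources -like "*$ExePath*")
}

if ($hits) {
    $hits | Select-Object InitialDetectionTime, ThreatID, Resources | Format-List
    Write-Warning "Still detected after the update; the corrected definition may not have propagated yet."
} else {
    Write-Host "No new Defender detection for $ExePath after rescan."
}
```

If the file is still flagged after this, the corrected definition has not reached the machine yet; rerunning Update-MpSignature later, or installing the definition package linked above, is the next step rather than adding an exclusion.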

suurjaak commented 4 months ago

I will also try using a custom-built PyInstaller for new releases, hopefully resulting in less false-positive reports from antivirals.