tauri-apps / tauri

Build smaller, faster, and more secure desktop applications with a web frontend.
https://tauri.app
Apache License 2.0

[Windows] Trojan alert from windows defender and other anti-virus providers #2486

Open Shotman opened 3 years ago

Shotman commented 3 years ago

Describe the bug

After building a Tauri app (Commandos) from source and running npm run tauri dev, at some point Windows Defender freaks out and I get a Trojan:Script/Wacatac.B!ml alert from it

To Reproduce

Steps to reproduce the behavior:

  1. Clone the repo
  2. Run the dev process of the app
  3. Use the app a bit
  4. Alert should happen at some point

Expected behavior

Windows Defender shouldn't flag this app as a Trojan

Platform and Versions (required):

Operating System - Windows, version 10.0.19043 X64
Webview2 - 92.0.902.73

Node.js environment
  Node.js - 16.5.0
  @tauri-apps/cli - 1.0.0-beta.7
  @tauri-apps/api - 1.0.0-beta.6

Global packages
  npm - 7.20.3
  yarn - 1.22.5

Rust environment
  rustc - 1.54.0
  cargo - 1.54.0

App directory structure
/.git
/.github
/.vscode
/e2e
/images
/logo
/node_modules
/src
/src-tauri

App
  tauri.rs - 1.0.0-beta.7
  build-type - bundle
  CSP - default-src blob: data: filesystem: ws: wss: http: https: tauri: 'unsafe-eval' 'unsafe-inline' 'self' img-src: 'self'
  distDir - ../dist/commandos
  devPath - http://localhost:5200
  framework - Angular
  bundler - Webpack

Additional context

Not my app, just wanted to test it and ran into this issue

nothingismagick commented 3 years ago

Should we escalate this to the webview2 crew? @wusyong

lemarier commented 3 years ago

MS thread: https://docs.microsoft.com/en-us/answers/questions/465937/msi-is-detected-by-windows-defender-and-it-shows-3.html

lemarier commented 3 years ago

Not my app, just wanted to test it and ran into this issue

Could you make a virustotal.com submission and include the report link here, please? Thanks

Shotman commented 3 years ago

Not my app, just wanted to test it and ran into this issue

Could you make a virustotal.com submission and include the report link here, please? Thanks

https://www.virustotal.com/gui/file/d582212961c8d2fe95b700d721d8972aa52d0b6c978e93917fddb85e419f1687/detection

Verequies commented 2 years ago

During testing my app on Windows I also had this experience. Came up as "Trojan:Script/Wacatac.B!ml". This was a debug build as well.

frnco commented 2 years ago

During testing my app on Windows I also had this experience. Came up as "Trojan:Script/Wacatac.B!ml". This was a debug build as well.

Just wanted to add that I never compiled a debug build for Windows, and Windows never complained like that for any of my non-debug-builds. Dunno if there's actually any relation to using a debug build, but I've built a few things on windows and shared with a few friends and family, and although Windows does complain quite a bit about signing and not knowing the publisher or whatever, windows defender never reported any threats like viruses or trojans or whatever, so this doesn't apply to all windows builds, and if it's not the debug-thing there's something else causing this.

lucasfernog commented 2 years ago

@Shotman do you still see this alert? No one else has reported it :/

Shotman commented 2 years ago

@lucasfernog I haven't tried it so far, but recently I've set up Tauri 1.0 on a few PCs and it didn't trigger anything, sooo I guess it might be safe to assume something between beta7 and 1.0 fixed it. Closing the issue for now, but let's reopen if it ever comes back.

giohappy commented 1 year ago

FYI it also happens to me. Tauri 1.1, Windows 11, on a couple of PCs. I built the react template, as it is.

Endunry commented 1 year ago

A friend of mine sent his .exe and .msi to test it on my system and my MS Defender instantly alarms me about "Trojan:Script/Wacatac.B!ml". He doesn't get the same error as I do, and VirusTotal says it's harmless.

So the issue is definitely not fixed.

Version used: Tauri 1.2. Windows version: Windows 11 21H2

kbeirne commented 1 year ago

We've had a similar experience with our Tauri app v1.2. No problems from several playtesters, but we have 2 new testers now and they immediately got it, as well as a block from both Chrome and Edge. Testers were on Windows 10. Similar trojan alert but slightly different name:

I've noticed a commonality between our project and Commandos. Both use Windows cmd directly in the project. See here. I was trying to avoid this if possible because of problems just like this. I'm gonna run a build with cmd removed and see if the issues persist.

Update: Got a second playtester recreating the issue. Tried a build without any cmd or any interop at all really except for some REST APIs (and UI; practically no extra Rust outside some empty tauri::commands and an empty on_window_event->WindowEvent::Destroyed hook) and got the same result.

mrjackwills commented 1 year ago

I had the Trojan:Script/Wacatac.H!ml trojan alert when I installed the latest version of my application.

Installing fresh on a different machine didn't cause the alert. Removing all traces of the application before installing also again didn't cause any Security alert.

However, I am now unable to re-create the Trojan alert (I have made sure that Microsoft Security Centre is NOT allowing it), so I am none the wiser.

The only aspect of my application that I think might trigger an alert is a dependency, auto-launch, to allow the application to, as the name suggests, run at boot. On Windows, I think this is achieved via a registry change.

kbeirne commented 1 year ago

Anyone tested with/without certs out of interest? Hadn't signed our msi yet, will try that.

Also, @Shotman, are we alright to reopen this? Happy to help if I can, this is a blocker for me atm.

Shotman commented 1 year ago

I reopened the issue to allow referencing and data collection etc

kbeirne commented 1 year ago

Sent out a new version with an IV sha256 code-sign and the problem was not reproducible for the two testers who were previously having trouble (they had each tried at least two previous versions without code-sign that were reproducing the issue).

Will update again if I get more trojan reports.

vasilvestre commented 1 year ago

I actually have this issue with Windows 11. The release here got the issue: https://github.com/vasilvestre/totk-mod-manager-for-yuzu/releases/tag/v0.6.0

Bigaston commented 1 year ago

Hello! I just discovered Tauri yesterday and built one of my apps with it. I use the official GitHub Actions template to build the thing. It seems to work with the .MSI file, but the NSIS is flagged as a virus, and VirusTotal says it's safe.

The release is here: https://github.com/Bigaston/PatThePupuce/releases/download/app-v1.1.0/patthepupuce_1.1.0_x64-setup.exe

Raphiiko commented 1 year ago

I just ran into the same issue here. The following release I have is marked in the same way: https://github.com/Raphiiko/Oyasumi/releases/download/oyasumi-v1.7.0/OyasumiVR_1.7.0_x64-setup.exe


Kespuzzuo commented 1 year ago

I did get the same issue. I created an app through cmd, and then opened it in VS Code and BOOM! My antivirus was sending me messages upon messages saying they're deleting the libs stored in a folder deep inside the project folder I created.

I'm really surprised how developers would be able to develop an app while at the same time having to disable their antivirus. How do you even go to the internet to see how to code a specific thing you need for your project?

FabianLars commented 1 year ago

@Kespuzzuo Most anti-virus programs really don't like compiled programming languages, and I guess Rust especially so, since it often compiles multiple executables and executes them to create the actual app executable. On normal user systems, which anti-virus software primarily targets, this is a big no-no.

fwiw even without the warnings, I personally can't live without whitelisting my dev folder because the real-time scanning often causes insane compilation slowdowns...

Either way, this is something we can control even less than issues when running the resulting Tauri app.

Shotman commented 1 year ago

Trying to install "DataFlare", not open source from what I understand, from the showcase channel on Discord, I got another warning with the nsis exe setup

APerson4f commented 10 months ago

Any updates?

Gawdl3y commented 8 months ago

I just built and released an app that is encountering this problem. I have not had any issues during development at all, but sometimes the release build is flagged by Windows Defender (and some other AV). Frustratingly, it doesn't seem to be entirely consistent in what it flags it as and when.

My app uses the updater, which I think may be a factor in this.

Selyatin commented 8 months ago

My time & productivity tracking app BigBro suffers from this issue.

I use the NSIS installer and whenever the users receive an update through the updater Windows Defender immediately raises a flag.

I've submitted the NSIS setup executable to Microsoft as a false-positive through here, maybe you can do the same.

Note that the app executable itself doesn't raise any flags, only the installers/updaters get detected as malware.

NSIS Installer VirusTotal Results

BigBro.exe VirusTotal Results

podarcis commented 6 months ago

Unfortunately, we're also hit with this problem. In our case it's not the NSIS, but the Tauri executable itself.

As a test, I created a fresh Tauri v2 application without code modifications but only edited tauri.conf.json and altered identifier and bundle. Here's the analyzer result of VirusTotal: https://www.virustotal.com/gui/file/e2842d9e1c2e1241b2a86b72065ac7d1823280bc52ee544895313de648ff316c/detection

As you can see Windows Defender already doesn't like it and it's flagged as Program:Win32/Wacapew.C!ml.

In the behavior analysis there isn't anything too suspicious. The DNS resolving of fp2e7a.wpc.2be4.phicdn.net and fp2e7a.wpc.phicdn.net seem to be a service for checking for certificate revocation - but it would be interesting which module does this and if it can be turned off. But I wonder why login.live.com is resolved and which module is doing this. Also why there's TCP/IP activity on 20.99.133.109:443, which seems to be Microsoft as well. Could that be something put by MSVC?

I second @Selyatin regarding submitting samples to VirusTotal and Microsoft as false positives. Also, I think it might be useful to rate known false positives on VirusTotal as "good" (Community Score).

(AV heuristic detection is AFAIK score-based. Each little behavior adds to the score and if a threshold is reached, your binary is getting flagged. In our case Windows Defender does not detect a virus on our original binary. However, when we apply the required copy protection (USB-Dongle; basically patches the binary with custom executable) lots of AV engines also detect Program:Win32/Wacapew.C!ml. My explanation is that the additional suspicious behavior (accessing USB media, copying binaries around, try loading DLLs and stuff...) leads to a higher score and therefore it's flagged.)

$ yarn tauri info
yarn run v1.22.21
$ tauri info

[✔] Environment
    - OS: Windows 10.0.17763 X64
    ✔ WebView2: 121.0.2277.112
    ✔ MSVC: Visual Studio Build Tools 2022
    ✔ rustc: 1.76.0 (07dca489a 2024-02-04)
    ✔ cargo: 1.76.0 (c84b36747 2024-01-18)
    ✔ rustup: 1.26.0 (5af9b9484 2023-04-05)
    ✔ Rust toolchain: stable-i686-pc-windows-msvc (default)
    - node: 20.10.0
    - pnpm: 8.15.2
    - yarn: 1.22.21
    - npm: 10.2.3

[-] Packages
    - tauri [RUST]: 2.0.0-beta.2
    - tauri-build [RUST]: 2.0.0-beta.1
    - wry [RUST]: 0.35.2
    - tao [RUST]: 0.25.0
    - @tauri-apps/api [NPM]: 2.0.0-beta.0
    - @tauri-apps/cli [NPM]: 2.0.0-beta.1

[-] App
    - build-type: bundle
    - CSP: unset
    - frontendDist: ../dist
    - devUrl: http://localhost:1420/
    - framework: Vue.js
    - bundler: Vite
Done in 14.78s.

analytik commented 6 months ago

I also got false positive on the NSIS installer, but not on the MSI or the main .exe itself. (Tauri 2.0.0-beta.2, with plain JS and Bevy but otherwise hello-world-ish program.)

I can vouch for @Selyatin 's comment above: report false positives to Microsoft, they will add the program signature to their allowed database. It's free, it's fast - in my case it took less than 6 hours. https://www.microsoft.com/en-us/wdsi/filesubmission

glaucomorais commented 6 months ago

This happened when I tried to install Tauri from cargo install tauri-cli@1.5.10.

Can't send to VirusTotal to check because Windows says that I don't have permission (from me) to handle the file.

eldir commented 4 months ago

This seems to still be causing trouble for projects based on Tauri: https://github.com/gitbutlerapp/gitbutler/issues/3518

Nakroma commented 4 months ago

This is also happening to us, using the beta. Sending it in to Windows like suggested above works, but that's not a permanent solution.

merabtenei commented 4 months ago

Started happening with our builds from yesterday too. I had no issues before, but for the new builds (the main executable) from yesterday on, Windows Defender is reporting it as Trojan:Script/Wacatac.H!ml and putting it in quarantine.

ananduremanan commented 4 months ago

Any update on this? It was working perfectly for me before. Now I can't even download the msi builds on other computers. I also got a couple of Dependabot alerts on GitHub regarding certain crates used in Tauri, like "Mio's tokens for named pipes may be delivered after deregistration" #6 and "whoami stack buffer overflow on several Unix platforms" #7.

Borber commented 4 months ago

I encountered it too! Since recently Trojan:Script/Wacatac.B!ml appears on every build

anaisbetts commented 3 months ago

https://github.com/tauri-apps/plugins-workspace/blob/v2/plugins/updater/src/updater.rs literally downloads executable code from arbitrary locations to a temp file with a randomized name, then tries to ShellExecute install it on the user's computer with /quiet enabled - while this code of course is not malicious, it is clear why Antivirus vendors think that it would be!

Some things that may improve this (I can't prove any of this because it's of course, a secret heuristic):

srescio commented 3 months ago

Having the same with my build, except I am not using the plugin mentioned above: https://github.com/srescio/hue-cleaner/blob/main/src-tauri/Cargo.toml

thewh1teagle commented 3 months ago

I experience the same issue with Vibe https://github.com/thewh1teagle/vibe/issues/71

I use the updater and the binary is not signed so I believe it's related.

kjxbyz commented 2 months ago

Same issue. Is there a solution?


dandan2611 commented 2 months ago

Also impacted by this issue. The executable produced after install is flagged as a Trojan by Windows.

anatawa12 commented 2 months ago

In my case, reporting a false positive with detailed information (like the security intelligence version and the exact detection name) to Microsoft would fix this problem, so I think we should try this.

thewh1teagle commented 2 months ago

I also reported false positives to AV providers and the problem was solved after a few days. The easiest way is to check which providers detect the software as a virus on VirusTotal and then go through the list in yaronelh/False-Positive-Center and report the false positive one by one.
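Added example (not code from this thread or from the Tauri project): a small Python helper that reads a VirusTotal v3 file report, lists only the engines that flagged the build, and groups them by detection name, so the vendor-by-vendor false-positive reports described above can be sent with the exact detection name each vendor used. The report below is a constructed sample, and treating Microsoft's "!ml" suffix as a machine-learning verdict is an assumption stated in the code.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a VirusTotal v3 file report. This is not a real
# submission; the two Microsoft-style detection names are the ones quoted in the thread.
SAMPLE_REPORT = json.dumps({
    "data": {
        "attributes": {
            "sha256": "<placeholder: sha256 of the submitted installer>",
            "last_analysis_stats": {"malicious": 2, "suspicious": 1, "undetected": 2},
            "last_analysis_results": {
                "Microsoft": {"category": "malicious", "result": "Trojan:Script/Wacatac.B!ml"},
                "VendorA": {"category": "malicious", "result": "Program:Win32/Wacapew.C!ml"},
                "VendorB": {"category": "suspicious", "result": "Heur.Generic.Packer"},
                "VendorC": {"category": "undetected", "result": None},
                "VendorD": {"category": "undetected", "result": None},
                "VendorE": {"category": "type-unsupported", "result": None},
            },
        }
    }
})

# VirusTotal categories that mean "this engine raised an alert on the file".
FLAGGING_CATEGORIES = {"malicious", "suspicious"}


def flagged_engines(report_json: str) -> dict:
    """Map engine name -> detection name for every engine that flagged the file."""
    attrs = json.loads(report_json)["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    return {
        engine: verdict.get("result") or "(unnamed)"
        for engine, verdict in sorted(results.items())
        if verdict.get("category") in FLAGGING_CATEGORIES
    }


def is_ml_detection(name: str) -> bool:
    """Assumption: Microsoft's '!ml' suffix marks a machine-learning (heuristic)
    verdict rather than a signature match, i.e. the score-based kind discussed above."""
    return name.endswith("!ml")


def report_queue(report_json: str) -> list:
    """One (engine, detection_name, is_ml) tuple per vendor to contact, in engine order."""
    return [(engine, name, is_ml_detection(name))
            for engine, name in flagged_engines(report_json).items()]


def by_detection_name(report_json: str) -> dict:
    """Group engines by detection name: a shared name usually means a shared heuristic."""
    grouped = defaultdict(list)
    for engine, name in flagged_engines(report_json).items():
        grouped[name].append(engine)
    return dict(grouped)


if __name__ == "__main__":
    for engine, name, ml in report_queue(SAMPLE_REPORT):
        print(f"{engine:10} {name:32} {'ML/heuristic' if ml else 'signature'}")
```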

eldir commented 2 months ago

Surely the solution here is not to keep on informing the various AV providers to add exceptions to their heuristic and rather fix the underlying issue. See for example @anaisbetts comment: https://github.com/tauri-apps/tauri/issues/2486#issuecomment-2108208454

ddublon commented 1 month ago

Is there a solution in mind?

FabianLars commented 1 month ago

Well, if someone has a solution for us, we're all ears. Or at least knows what could cause this. To react to the only comment in that direction:

Don't download files to random names in temp, download them to a fixed folder under the app's root folder, with predictable names and proper extensions

Hmm, I guess that's valid; other installers/updaters do the same, but I can see how this can be problematic. One problem is that the app's root folder is read-only for msi and nsis@perMachine apps.

Don't run with /quiet - let the MSI pop a dialog

We don't. We use /passive, but even apps that use a user interaction UI have the same issues.

Don't ShellExecute, call the MSI functions directly (or at least CreateProcess it)

This issue is older than our switch to ShellExecute. Before that we used CreateProcess via Rust's Commands. I don't understand the "call the MSI function directly" part (if we remove the "or at least CreateProcess" appendix).

Lastly, apps without the updater also see those same alerts (potentially less often, maybe the same)

martpie commented 1 month ago

Lastly, apps without the updater also see those same alerts (potentially less often, maybe the same)

I can confirm that point, I built binaries for an app without auto-updater, and the Trojan alert is still present.

merabtenei commented 1 month ago

What solved the issue for us was updating the version number of the app in the config file, updating cargo and all the dependencies, and then generating a new build.

AzeezDa commented 1 week ago

I, too, was impacted by this issue. VirusTotal and my Windows Defender also flagged the (.msi) installer and the installed application of my project with, among others, the Trojan:Script/Wacatac.B!ml threat.

martpie commented 1 week ago

Is there any chance this will get investigated before the stable 2.0 release? This is kind of a big issue for distributing binaries to people that may not trust your product and just think you are distributing a Trojan horse.

ddublon commented 1 week ago

A coworker of mine solved this issue with this:

Dolev Dublon: No need. I noticed that Tauri generates temp files that the anti-virus treats as a virus. All you need to do is:
  1. Win+R
  2. Type %temp% and remove all the temp files. When you remove them, the anti-virus no longer blocks the exe after the Tauri build.

ddublon commented 1 week ago

Is there any chance this will get investigated before the stable 2.0 release? This is kind of a big issue for distributing binaries to people that may not trust your product and just think you are distributing a Trojan horse.

I don't think your customers will see this issue, due to the comment I just put above ^^^; only the PC that does the build process gets the alert.

Nakroma commented 1 week ago

Is there any chance this will get investigated before the stable 2.0 release? This is kind of a big issue for distributing binaries to people that may not trust your product and just think you are distributing a Trojan horse.

I don't think your customers will see this issue, due to the comment I just put above ^^^; only the PC that does the build process gets the alert.

I don't think this is true; multiple people I sent the binary to had it flagged as a virus until I sent it in to Windows.

devRoemer commented 1 week ago

Is there any chance this will get investigated before the stable 2.0 release? This is kind of a big issue for distributing binaries to people that may not trust your product and just think you are distributing a Trojan horse.

I don't think your customers will see this issue, due to the comment I just put above ^^^; only the PC that does the build process gets the alert.

I don't think this is true; multiple people I sent the binary to had it flagged as a virus until I sent it in to Windows.

Our installer is built on a build server, and we get the virus warning locally on our own machines, so it's definitely not only related to the machine that does the build.