Open Shotman opened 3 years ago
Is there any chance this will get investigated before the stable 2.0 release? This is kind of a big issue for distributing binaries to people that may not trust your product and just think you are distributing a Trojan horse.
Yes and no, we won't do a special investigation session or delay stable for this, but it's really under constant investigation. We unfortunately don't have any more insight (into AV software etc.) either, and even the friends we have at relevant companies couldn't help us yet.
I was told that someone saw similar reports (including Wacatac) with basically a plain Wry app which is pretty concerning.
I am at a point where I think that it's the use of WebView2 itself and/or Rust that's the issue here. Considering that projects like Wails also seem to deal with false positives (Wacatac being among them), the former seems to be even more likely...
For now it seems like we can only keep asking you to submit your apps to AV software providers :(
I'm thinking of building a solution to automate this submission process since it's a pain in the ass to do it manually every time and I don't think paying few hundred bucks for a license is the way. Should I make it a cheap SaaS (like 3.50$/month cheap), are you guys interested?
I don't know if I need this service right now, but maybe in the future.
In our AI Studio app, we have the same issue (link to our issue). However, the virus scanners (as expected) seem to be a little more critical once a sidecar comes into play: we use a .NET server as a sidecar.
Another affected developer here.
Detections (will update if I see more):
Trojan:win32/Bearfoos.A!ml in Windows Defender
Trojan:Script/Wacatac.H!ml in Windows Defender
Strangely, VirusTotal currently says it's clean.
Notes:
The !ml suffix apparently indicates that it's not a hash match but a machine learning heuristic (sad yay)
Questions:
Does code signing help mitigate or stop the false positives and force-quarantine behavior from occurring?
It doesn't stop it. We have a full hardware EV on ours now and we got another report on our Tauri 1.6 app. Wacatac Trojan warning that auto-uninstalled the app.
Any information as to why detection occurs
Not much help here, but see comments on an earlier post: https://github.com/tauri-apps/tauri/issues/2486#issuecomment-2191224172
Tried converting our nsis installer to msix so we can run the Microsoft App Store validator: https://techcommunity.microsoft.com/t5/modern-work-app-consult-blog/how-to-validate-if-your-application-is-compliant-with-the/ba-p/316783
It passed but with the following errors:
FAILED Registry checks
Error Found: The registry checks test detected the following errors:
Impact if not fixed: Apps should not install drivers or NT services.
How to fix: Do not install drivers or NT services.
FAILED: Blocked executables
Error Found: The blocked executables test has detected the following errors:
File VFS\Local AppData\MyApp\uninstall.exe contains a reference to a "Launch Process" related API kernel32.dll!CreateProcessW
File VFS\Local AppData\MyApp\uninstall.exe contains a reference to a "Launch Process" related API shell32.dll!ShellExecuteExW
File VFS\Local AppData\MyApp\MyApp.exe contains a reference to a "Launch Process" related API kernel32.dll!CreateProcessW
File VFS\Local AppData\MyApp\MyApp.exe contains a reference to a "Launch Process" related API shell32.dll!ShellExecuteW
File Registry.dat contains a blocked executable reference to "\Device\HarddiskVolume2\Windows\System32\cmd.exe".
File nvdrsdb0.bin contains a blocked executable reference to "powershell_ise.exe".
File nvdrsdb0.bin contains a blocked executable reference to "powershell.exe".
File nvdrsdb0.bin contains a blocked executable reference to "cmd.exe".
File nvdrsdb0.bin contains a blocked executable reference to "WinDbg".
File nvdrsdb0.bin contains a blocked executable reference to "PowerShell".
File IconCache.db contains a blocked executable reference to "\system32\cmd.exe".
File IconCache.db contains a blocked executable reference to "PowerShell".
File IconCache.db contains a blocked executable reference to "menu\programs\powershell\powershell".
File IconCache.db contains a blocked executable reference to "pinned\taskbar\powershell".
File IconCache.db contains a blocked executable reference to "bash.exe".
File MyApp.exe contains a blocked executable reference to "cmd".
File MyApp.exe contains a blocked executable reference to "\System32\WindowsPowerShell\v1.0\powershell.exe".
File uninstall.exe contains a blocked executable reference to "cDb".
Impact if not fixed: Launching executable files is restricted on Windows 10 S systems. Apps that rely on this capability might not run correctly on Windows 10 S systems.
How to fix: Identify which of the flagged entries represent a call to launch an executable file that is not part of your app and remove those calls. If the flagged files are part of your application, you may ignore the warning.
This isn't proof that these are related to the trojan but it shows some issues Microsoft cares about that might be causing problems.
Some errors similar to the "Launch Process" errors above were found in an electron app that was caused by temp file creation. Someone earlier also mentioned deleting temp files helped their tauri issue so perhaps it is related:
https://github.com/electron-userland/electron-builder/issues/2029#issuecomment-335375161
Would also apply to potential issue with the installer mentioned earlier in the thread:
Don't download files to random names in temp, download them to a fixed folder under the app's root folder, with predictable names and proper extensions
@FabianLars
If the code signing isn't working, then the problem could be memory consumption on start, which in dev at least is high. Slowing down the timeline of resource utilisation may help, similar to how antivirus works. Another implementation could be asking the user to exclude the path to the repo from scanning, like how Android Studio works. Would need to understand each aspect of the Windows native build process and compare it with Tauri's build process.
Windows code certificates are crazy expensive though. As a dev working on personal projects, paying 100 bucks per year for an Apple dev license is ok, but it's 300-500 for Windows ._.
Publishing to Microsoft Store apparently helps with this issue though.
To add another data point, I encountered this issue with a Tauri 1.8.0 .msi installer being flagged as Trojan:Script/Wacatac.B!ml by Windows Defender when the file was downloaded, even before it was executed. The installer + app were even signed using Trusted Signing.
I tried upping the version number, updating dependencies and building the application again and it didn't happen again. It seems like an issue that appears randomly.
I think this issue is not specific to Tauri. I've found it in Flutter as well. Either Windows Defender produced a false positive detection, or something is wrong with how we sign the code.
Follow-up. Still struggling with false positives. Still don't have my code signing in place (but keep in mind code signing is not a panacea and still affects people with $500 EV certs). Some more notes:
I've noticed that if you turn "Cloud-delivered protection" off, the detection won't occur. Manual local scan doesn't find anything.
This, together with the !ml suffixes, suggests that the detection occurs online in their Cloud, by first uploading the exe as a "sample" if it's previously unseen. I believe their ML models use static analysis, because the analysis of a novel binary completes within a few seconds (not enough time for full behavioral analysis?). After initial detection, WD will detect the same binary again but faster, probably because it's matching the hash Cloud-side. If static analysis can be confirmed, we can narrow the search further.
Furthermore, I believe this Cloud service is related to "Windows Defender Advanced Threat Protection (ATP)", but MS product suite is too complex to determine what's what. If anyone here has access to an Enterprise "endpoint security" (or whatever it's called), they might let you access their scanning logs or otherwise give more insights into the causes. Happy to share my binary as a sample if needed.
Useful tools for testing:
Edit: Submitting manually to Microsoft comes back as not malware. Which is strange, because it consistently gets flagged.
Describe the bug
After building the Tauri app Commandos from source and doing npm run tauri dev, at some point Windows Defender freaks out and I get a Trojan:Script/Wacatac.B!ml alert from it.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Windows Defender shouldn't flag this app as a Trojan
Platform and Versions (required):
Additional context
Not my app, I just wanted to test it and ran into this issue.