zen-browser / desktop

🌀 Experience tranquillity while browsing the web without people tracking you!
https://zen-browser.app
Mozilla Public License 2.0
19.78k stars, 479 forks

Windows AV blocking opening zen.exe due to virus/trojan found in the executable. #37

Open TrueHerobrine opened 5 months ago

TrueHerobrine commented 5 months ago

zen

mr-cheff commented 5 months ago

Virus detection websites don't detect anything, so I don't know why Windows AV is complaining...

TrueHerobrine commented 5 months ago

I might try to whitelist the exe. I'll get back with an update.

TrueHerobrine commented 5 months ago

Update: Just tried again without adding an exception and it works flawlessly. TLDR: Windows is weird.

mr-cheff commented 5 months ago

Windows is weird. Thanks a lot for trying it out!

TrueHerobrine commented 5 months ago

No worries! Found it on Reddit and was actually very impressed. I have my own browser but I'm not forking it off of anything, so it's cool to see an indie browser thriving like this!

DavidGreen63 commented 3 months ago

In the last 30 minutes, while I was accessing a site, using version 1.0.0-a.29 (64-bit), Windows Defender terminated the App and deleted the core executable.

clembu commented 3 months ago

Same happened to me. Admittedly my Defender is very weird and Windows Security crashes when I try to open it, so I can't open the UI to add exclusions or inspect things that way, but a.28 works

danmaxis commented 3 months ago

It happened to me too, my Zen was flagged by Kaspersky when I tried to import data from another browser.

Meathelix1 commented 3 months ago

Windows 11 Version 10.0.22631 Build 22631

Zen was installed directly from the website. https://www.zen-browser.app/

Windows Defender picked it up as soon as I opened Zen.exe

Trojan Name = "Wacatac.B!ml"

I don't want to be excluding something with that name, a quick Google search will show you this is a popular one.

Xavi-X333 commented 3 months ago

I have the same problem, first the core executable was deleted and then I can't download the installer :/

DavidGreen63 commented 3 months ago

Maybe it is an issue that will fade once Zen gets a signature, but as it stands, its normal operations are being flagged as Malware/Trojan like. I think I'll look into Zen again once it gets a little less alpha or beta-ish.

Meathelix1 commented 3 months ago

The Generic Version does not pick up as a Trojan. It's just the Optimized Version.

HamzaConcepts commented 3 months ago

Virustotal is also showing it as some trojan script. Are all of these just false positives?

extropyst commented 3 months ago

Check this information: https://virustotal.readme.io/docs/false-positive

and try also analyzing the file in other places like:

https://internxt.com/virus-scanner

https://opentip.kaspersky.com/

jakehower commented 3 months ago

Getting blocked for me too.

soulhax commented 3 months ago

Exactly the same problem as others are having. Also the installer is detected as PUA:Win32/Packunwan. Idk but I'm not satisfied with the answer "Windows is weird". I guess we're going to wait until this exe and thing are going to be signed and stuff. Peace.

MatfenV1 commented 3 months ago

Same issue here, it worked just fine when I installed it on my desktop but my laptop refuses to install it.

Abelkrijgtalles commented 3 months ago

Same here (Windows 11 Pro 23h2)

J-Cake commented 3 months ago

Just wanted to report that this is still happening. System: Windows 11 Pro 22H2 Build: 22621.3880

MikeyA-yo commented 3 months ago

I also get this same trojan script; this made me uninstall Zen immediately.

Abelkrijgtalles commented 3 months ago

Could this maybe have a connection to the new Windows Defender update? 1.0.0-a.29 was released 2 days ago, but this problem only started about 9 hours ago.

EDIT: The latest update I've installed (defender version 1.417.317.0), doesn't include anything about Trojan:Script/Wacatac.B!ml.

alexmro commented 3 months ago

Just tried to install the Zen browser on a Windows 10 and it blocks it claiming that there's a "PUA:Win32/Packunwan" virus

DavidGreen63 commented 3 months ago

I am on Win 10 Pro, and after the core executable was annexed, I attempted to uninstall. The uninstall would not function, which did surprise me. Maybe the missing file was causing the uninstaller to fail. I just deleted the folder where the application had been stored. Judging from the previous posts on this thread, I will definitely consider carefully before any re-install before a signed binary is available.

Abelkrijgtalles commented 3 months ago

Has anyone tried to build it from source to check if the issue is still there?

mr-cheff commented 3 months ago

What's the problem exactly? That it's not signed?

mr-cheff commented 3 months ago

I'm going to release today, see if that fixes it?

Abelkrijgtalles commented 3 months ago

> What's the problem exactly? That it's not signed?

That is one of the theories (EDIT: or maybe the only one), but Windows is just very silent and gives no information about the trojan

StefanKoell commented 3 months ago

From my experience as a Windows app developer there are two major things:

mr-cheff commented 3 months ago

Where do I get the license key though? I'm very confused, I can't find any docs about it.

StefanKoell commented 3 months ago

@mauro-balades what license key are you referring to? Couldn't find any mention of a license in this thread.

mr-cheff commented 3 months ago

Like, how do I sign the app? For macOS, I need a developer key but I have no idea about Windows.

alexmro commented 3 months ago

> Like, how do I sign the app? For macOS, I need a developer key but I have no idea about Windows.

https://learn.microsoft.com/en-us/windows/win32/appxpkg/how-to-sign-a-package-using-signtool

StefanKoell commented 3 months ago

oh, I see. It's not that complicated ;)

You need to obtain a code signing certificate from a vendor who provides those things and then use the signtool from the Microsoft/Windows SDK to sign the .exe/.msi (and maybe also .dll) files.

StefanKoell commented 3 months ago

I also found this but I have no idea if this is already available and if there's a free/cheap tier available: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-code-signing-democratizing-trust-for-developers-and/ba-p/3604669

alexmro commented 3 months ago

> oh, I see. It's not that complicated ;)
>
> You need to obtain a code signing certificate from a vendor who provides those things and then use the signtool from the Microsoft/Windows SDK to sign the .exe/.msi (and maybe also .dll) files.

I believe you can create a self-signing certificate and use that

StefanKoell commented 3 months ago

> I believe you can create a self-signing certificate and use that

Technically correct but it doesn't help with SmartScreen alerts. The point of a (EV) certificate is that there's a vetting process and reputation system behind that. Self signed certificates work on a technical level but you will still see the warnings because the cert is not trusted.

alexmro commented 3 months ago

> > I believe you can create a self-signing certificate and use that
>
> Technically correct but it doesn't help with SmartScreen alerts. The point of a (EV) certificate is that there's a vetting process and reputation system behind that. Self signed certificates work on a technical level but you will still see the warnings because the cert is not trusted.

Right. I did get a message about the application coming from an untrusted source, but that comes from Windows, while the virus alert came from Defender. A trusted certificate would fix that first issue, but for the second one an investigation should be done into what those "viruses" are, in order to understand why they are detected, I guess.
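
The two separate checks discussed in the comments above (whether a binary carries a trusted signature, and what Defender actually detected), as an added PowerShell example that is not part of the thread or the Zen project. The default install path is taken from the Kaspersky report on this page and is an assumption for any other machine.

```powershell
# Added example (not from the thread). Read-only triage of an install folder:
# Authenticode status per binary, plus any Microsoft Defender detections there.
param(
    # Assumption: default path as shown in the Kaspersky report on this page.
    [string]$InstallDir = 'C:\Program Files\Zen Browser'
)

# 1. Signature status and SHA-256 of every file type the thread says should be signed.
$report = Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.msi' } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status    # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer      = $cert.Subject
            # Subject equal to Issuer means a self-signed certificate: it passes the
            # technical check only where that certificate is explicitly trusted.
            SelfSigned  = ($null -ne $cert -and $cert.Subject -eq $cert.Issuer)
            Timestamped = ($null -ne $sig.TimeStamperCertificate)
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'Valid' -or $_.SelfSigned } | Format-List

# 2. Defender detections that reference the folder, with threat names resolved.
if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
    $names = @{}
    Get-MpThreat | ForEach-Object { $names["$($_.ThreatID)"] = $_.ThreatName }

    Get-MpThreatDetection |
        Where-Object {
            ($_.Resources -join ';').IndexOf($InstallDir, [StringComparison]::OrdinalIgnoreCase) -ge 0
        } |
        Select-Object InitialDetectionTime,
            @{ n = 'Threat'; e = { $names["$($_.ThreatID)"] } },
            ProcessName, Resources |
        Format-List
}
```

The SHA-256 column is the value to look up on a multi-engine scanner or to quote in a false-positive submission, so the report refers to the exact file that was flagged.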

StefanKoell commented 3 months ago

@alexmro correct, that's what I wrote here: https://github.com/zen-browser/desktop/issues/37#issuecomment-2309859491

alexmro commented 3 months ago

False positives can also be reported at https://www.microsoft.com/en-us/wdsi/filesubmission/ and maybe they will take care of it

mr-cheff commented 3 months ago

I've bought the key from Certum

mr-cheff commented 3 months ago

In a couple of days, I'll receive a mail with a physical key and I'll need to figure out how to use it

mr-cheff commented 3 months ago

Ok, due to the insane amount of issues regarding Windows having a virus, file not found, etc.

I'm going to release this new version: https://github.com/zen-browser/desktop/actions/runs/10558905630

See if it fixes something. I don't think anyone has access to upload files into the releases or had any sort of access regarding changes to the release files.

But just in case, I'm going to release version 30, let's see how things go.

Regarding the key, it will be delivered in some days and I'll start signing the app.

Remember to ONLY download Zen from the official website, there has been some sort of bot infestation on GitHub that tells users to download it from a MediaFire link, do NOT listen to them.

LordMrcS commented 3 months ago

> Ok, due to the insane amount of issues regarding Windows having a virus, file not found, etc.
>
> I'm going to release this new version: https://github.com/zen-browser/desktop/actions/runs/10558905630
>
> See if it fixes something. I don't think anyone has access to upload files into the releases or had any sort of access regarding changes to the release files.
>
> But just in case, I'm going to release version 30, let's see how things go.
>
> Regarding the key, it will be delivered in some days and I'll start signing the app.
>
> Remember to ONLY download Zen from the official website, there has been some sort of bot infestation on GitHub that tells users to download it from a MediaFire link, do NOT listen to them.

Why was it cancelled?

mr-cheff commented 3 months ago

I just did a last minute fix: https://github.com/zen-browser/desktop/issues/593

new workflow:

J-Cake commented 3 months ago

> False positives can also be reported at https://www.microsoft.com/en-us/wdsi/filesubmission/ and maybe they will take care of it

Knowing Microsoft they'll probably keep letting Windows Defender bitch about it because their pride and joy Edge is being actually challenged

wakeuphaku commented 3 months ago

In the end, everyone decided that the defender deceives everyone

Iziram commented 3 months ago

1.0.0-a.30 seems fine for now. I hope Windows Defender is not gonna go off again.

FelipeGlauber commented 3 months ago

Here just to give @mauro-balades a huge THANK YOU and share my great admiration for his professionalism and humble talk with people here, assuming his limitations. For me, as a development student, you gave me some inspiration.

sitiom commented 3 months ago

This is preventing the winget package from being merged:

nsde commented 3 months ago

I love this browser, but unfortunately it suddenly got deleted by Kaspersky. In hope of helping devs, I will provide as much info about this as possible:

Event: Object deleted
Application: Zen Browser
User: FIERY\Lynx
User type: Initiator
Component: System Watcher
Result description: Deleted
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Program Files\Zen Browser
Object name: zen.exe
MD5: F65A002208E471404726B4142AEC8550