
[Windows] Trojan alert from windows defender and other anti-virus providers #2486

Open
Shotman opened this issue Aug 18, 2021 · 69 comments
Labels
help wanted Help is requested to fix this issue platform: Windows type: bug

Comments

@Shotman

Shotman commented Aug 18, 2021

Describe the bug

After building a Tauri app (Commandos) from source and running npm run tauri dev, at some point Windows Defender freaks out and I get a Trojan:Script/Wacatac.B!ml alert from it

To Reproduce

Steps to reproduce the behavior:

  1. Clone the repo
  2. Run the dev process of the app
  3. Use the app a bit
  4. Alert should happen at some point

Expected behavior

Windows Defender shouldn't flag this app as a Trojan

Platform and Versions (required):

Operating System - Windows, version 10.0.19043 X64
Webview2 - 92.0.902.73

Node.js environment
  Node.js - 16.5.0
  @tauri-apps/cli - 1.0.0-beta.7
  @tauri-apps/api - 1.0.0-beta.6

Global packages
  npm - 7.20.3
  yarn - 1.22.5

Rust environment
  rustc - 1.54.0
  cargo - 1.54.0

App directory structure
/.git
/.github
/.vscode
/e2e
/images
/logo
/node_modules
/src
/src-tauri

App
  tauri.rs - 1.0.0-beta.7
  build-type - bundle
  CSP - default-src blob: data: filesystem: ws: wss: http: https: tauri: 'unsafe-eval' 'unsafe-inline' 'self' img-src: 'self'
  distDir - ../dist/commandos
  devPath - http://localhost:5200
  framework - Angular
  bundler - Webpack

Additional context

Not my app, just wanted to test it and ran into this issue

@nothingismagick
Member

Should we escalate this to the webview2 crew? @wusyong

@lemarier
Member

lemarier commented Aug 18, 2021

> Not my app, just wanted to test it and ran into this issue

Could you make a virustotal.com submission and include the report link here, please? Thanks

@Shotman
Author

Shotman commented Aug 18, 2021

> > Not my app, just wanted to test it and ran into this issue
>
> Could you make a virustotal.com submission and include the report link here, please? Thanks

https://www.virustotal.com/gui/file/d582212961c8d2fe95b700d721d8972aa52d0b6c978e93917fddb85e419f1687/detection

@Verequies

During testing my app on Windows I also had this experience. Came up as "Trojan:Script/Wacatac.B!ml". This was a debug build as well.

@frnco

frnco commented Nov 13, 2021

> During testing my app on Windows I also had this experience. Came up as "Trojan:Script/Wacatac.B!ml". This was a debug build as well.

Just wanted to add that I never compiled a debug build for Windows, and Windows never complained like that for any of my non-debug builds. Dunno if there's actually any relation to using a debug build, but I've built a few things on Windows and shared them with a few friends and family, and although Windows does complain quite a bit about signing and not knowing the publisher or whatever, Windows Defender never reported any threats like viruses or trojans or whatever, so this doesn't apply to all Windows builds, and if it's not the debug thing there's something else causing this.

@lucasfernog
Member

@Shotman do you still see this alert? No one else has reported it :/

@Shotman
Author

Shotman commented Jun 24, 2022

@lucasfernog I haven't tried it so far, but recently I've set up Tauri 1.0 on a few PCs and it didn't trigger anything, sooo I guess it might be safe to assume something between beta7 and 1.0 fixed it.
Closing the issue for now, but let's reopen if it ever comes back.

@Shotman Shotman closed this as completed Jun 24, 2022
@giohappy

FYI it also happens to me. Tauri 1.1, Windows 11, on a couple of PCs.
I built the react template, as it is.

@Endunry

Endunry commented Feb 7, 2023

A friend of mine sent his .exe and .msi to test it on my system and my MS Defender instantly alarms me about "Trojan:Script/Wacatac.B!ml". He doesn't get the same error as I do, and VirusTotal says it's harmless.

So the issue is definitely not fixed.

Version used: Tauri 1.2
Windows Version: Windows 11 21H2

@kbeirne

kbeirne commented Feb 10, 2023

We've had a similar experience with our Tauri app v1.2. No problems from several playtesters, but we have 2 new testers now and they immediately got it, as well as a block from both Chrome and Edge. Testers were on Windows 10. Similar trojan alert but with a slightly different name:

[image]

I've noticed a commonality between our project and Commandos. Both use Windows cmd directly in the project. See here.
I was trying to avoid this if possible because of problems just like this. I'm gonna run a build with cmd removed and see if the issue persists.

Update: Got a second playtester recreating the issue. Tried a build without any cmd or any interop at all really, except for some REST APIs (and UI), practically no extra Rust outside some empty tauri::commands and an empty on_window_event->WindowEvent::Destroyed hook, and got the same result.

@mrjackwills
Contributor

I had the Trojan:Script/Wacatac.H!ml trojan alert when I installed the latest version of my application.

Installing fresh on a different machine didn't cause the alert. Removing all traces of the application before installing also again didn't cause any Security alert.

However, I am now unable to re-create the Trojan alert (I have made sure that Microsoft Security Centre is NOT allowing it), so I am none the wiser.

The only aspect of my application that I think might trigger an alert is a dependency, auto-launch, to allow the application to, as the name suggests, run at boot. On Windows, I think this is achieved via a registry change.

@kbeirne

kbeirne commented Feb 13, 2023

Has anyone tested with/without certs, out of interest? Hadn't signed our msi yet, will try that.

Also, @Shotman, are we alright to reopen this? Happy to help if I can, this is a blocker for me atm.

@Shotman Shotman reopened this Feb 13, 2023
@Shotman
Author

Shotman commented Feb 13, 2023

I reopened the issue to allow referencing and data collection, etc.

@kbeirne

kbeirne commented Feb 13, 2023

Sent out a new version with an IV sha256 code-sign and the problem was not reproducible for the two testers who were previously having trouble (they had each tried at least two previous versions without code-sign that were reproducing the issue).

Will update again if I get more trojan reports.

@vasilvestre

I actually have this issue with Windows 11. The release here has the issue: https://github.com/vasilvestre/totk-mod-manager-for-yuzu/releases/tag/v0.6.0

@Bigaston

Hello!
I just discovered Tauri yesterday and built one of my apps with it. I use the official GitHub Actions template to build the thing. It seems to work with the .MSI file, but the NSIS installer is flagged as a virus, and VirusTotal says it's safe.

The release is here: https://github.com/Bigaston/PatThePupuce/releases/download/app-v1.1.0/patthepupuce_1.1.0_x64-setup.exe

@Raphiiko
Contributor

I just ran into the same issue here. The following release I have is marked in the same way: https://github.com/Raphiiko/Oyasumi/releases/download/oyasumi-v1.7.0/OyasumiVR_1.7.0_x64-setup.exe

[image]

@Kespuzzuo

Kespuzzuo commented Jun 30, 2023

I got the same issue.
I created an app through cmd, then opened it in VS Code and BOOM! My antivirus was sending me message after message saying it was deleting the libs stored in a folder deep inside the project folder I created.

I'm really surprised how developers would be able to develop an app while at the same time having to disable their antivirus. How do you even go on the internet to look up how to code a specific thing you need for your project?

@FabianLars
Member

@Kespuzzuo Most antivirus programs really don't like compiled programming languages, and I guess Rust especially so, since it often compiles multiple executables and executes them to create the actual app executable. On normal user systems, which antivirus software primarily targets, this is a big no-no.

fwiw even without the warnings, I personally can't live without whitelisting my dev folder because the real-time scanning often causes insane compilation slowdowns...

Either way, this is something we can control even less than issues when running the resulting Tauri app.

@Shotman
Author

Shotman commented Aug 18, 2023

Trying to install "DataFlare" (not open source, from what I understand) from the showcase channel on Discord, I got another warning with the NSIS exe setup.

@FabianLars FabianLars added help wanted Help is requested to fix this issue platform: Windows labels Aug 18, 2023
@ddublon

ddublon commented Aug 12, 2024

I don't know if I need this service right now, but maybe in the future.

@SommerEngineering

In our AI Studio app, we have the same issue (link to our issue). However, the virus scanners (as expected) seem to be a little more critical once a sidecar comes into play: we use a .NET server as a sidecar.

@betamos
Contributor

betamos commented Aug 27, 2024

Another affected developer here.

  • tauri 1.5.3 with auto updater
  • auto-launch 0.5.0
  • not signed with any cert
  • sidecar written in Go that does a bunch of networking (although that executable isn't flagged itself)

Detections (will update if I see more):

  • Trojan:win32/Bearfoos.A!ml in Windows Defender
  • Trojan:Script/Wacatac.H!ml in Windows Defender

Strangely, Virustotal currently says it's clean.

Notes:

  • The !ml suffix apparently indicates that it's not a hash match but a machine learning heuristic (sad yay)
  • The installation works fine and the exe is allowed to run for some time before it gets force-killed and quarantined, possibly suggesting that it's runtime/behavior analysis (as opposed to static analysis)
  • This is a massive UX issue especially for non-technical users, since (1) it's easy to miss or misunderstand the notification and (2) it's very much non-obvious how to restore it without googling, and knowing what to search for
  • Microsoft Defender (realtime protection) is disproportionately crucial to address, since it's enabled by default and may skew towards less technical users. A quick search suggests >50% of users use system defaults.
  • Updating the app creates a new binary with a new signature, which then needs to rebuild reputation. This may disincentivize developers to release updates as frequently as appropriate. We may lose users permanently, unless they manually restore the executable.

Questions:

  • Does code signing help mitigate or stop the false positives and force-quarantine behavior from occurring?
  • Any information as to why detection occurs would be very helpful in triaging these issues and help developers. Right now it's very hard to say what role Tauri plays, if any.

@kbeirne

kbeirne commented Sep 9, 2024

> Does code signing help mitigate or stop the false positives and force-quarantine behavior from occurring?

It doesn't stop it. We have a full hardware EV on ours now and we got another report on our Tauri 1.6 app. Wacatac Trojan warning that auto-uninstalled the app.

> Any information as to why detection occurs

Not much help here, but see comments on an earlier post: #2486 (comment)

@kbeirne

kbeirne commented Sep 9, 2024

Tried converting our NSIS installer to MSIX so we could run the Microsoft App Store validator:
https://techcommunity.microsoft.com/t5/modern-work-app-consult-blog/how-to-validate-if-your-application-is-compliant-with-the/ba-p/316783

It passed but with the following errors:

FAILED Registry checks

    Error Found: The registry checks test detected the following errors:
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\AARSVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\bam] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\BCASTDVRUSERSERVICE_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\BLUETOOTHUSERSERVICE_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\CAPTURESERVICE_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\CBDHSVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\CDPUSERSVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\CONSENTUXUSERSVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\CREDENTIALENROLLMENTMANAGERUSERSVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\DEVICEASSOCIATIONBROKERSVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\DEVICEPICKERUSERSVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\DEVICESFLOWUSERSVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\LXSSMANAGERUSER_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\MESSAGINGSERVICE_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\ONESYNCSVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\PIMINDEXMAINTENANCESVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\PRINTWORKFLOWUSERSVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\UDKUSERSVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\UNISTORESVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\USERDATASVC_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\WPNUSERSERVICE_133933BFD] found.
        NT Services cannot be installed. Registry path REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc] found.
    Impact if not fixed: Apps should not install drivers or NT services.
    How to fix: Do not install drivers or NT services.  
    
    FAILED:  Blocked executables
    Error Found: The blocked executables test has detected the following errors:    
        File VFS\Local AppData\MyApp\uninstall.exe contains a reference to a "Launch Process" related API kernel32.dll!CreateProcessW
        File VFS\Local AppData\MyApp\uninstall.exe contains a reference to a "Launch Process" related API shell32.dll!ShellExecuteExW
        File VFS\Local AppData\MyApp\MyApp.exe contains a reference to a "Launch Process" related API kernel32.dll!CreateProcessW
        File VFS\Local AppData\MyApp\MyApp.exe contains a reference to a "Launch Process" related API shell32.dll!ShellExecuteW
        File Registry.dat contains a blocked executable reference to "\Device\HarddiskVolume2\Windows\System32\cmd.exe".
        File nvdrsdb0.bin contains a blocked executable reference to "powershell_ise.exe".
        File nvdrsdb0.bin contains a blocked executable reference to "powershell.exe".
        File nvdrsdb0.bin contains a blocked executable reference to "cmd.exe".
        File nvdrsdb0.bin contains a blocked executable reference to "WinDbg".
        File nvdrsdb0.bin contains a blocked executable reference to "PowerShell".
        File IconCache.db contains a blocked executable reference to "\system32\cmd.exe".
        File IconCache.db contains a blocked executable reference to "PowerShell".
        File IconCache.db contains a blocked executable reference to "menu\programs\powershell\powershell".
        File IconCache.db contains a blocked executable reference to "pinned\taskbar\powershell".
        File IconCache.db contains a blocked executable reference to "bash.exe".
        File MyApp.exe contains a blocked executable reference to "cmd".
        File MyApp.exe contains a blocked executable reference to "\System32\WindowsPowerShell\v1.0\powershell.exe".
        File uninstall.exe contains a blocked executable reference to "cDb".
        
    Impact if not fixed: Launching executable files is restricted on Windows 10 S systems. Apps that rely on this capability might not run correctly on Windows 10 S systems.
    How to fix: Identify which of the flagged entries represent a call to launch an executable file that is not part of your app and remove those calls. If the flagged files are part of your application, you may ignore the warning.

This isn't proof that these are related to the trojan alert, but it shows some issues Microsoft cares about that might be causing problems.

Some errors similar to the "Launch Process" errors above were found in an Electron app, where they were caused by temp file creation. Someone earlier also mentioned that deleting temp files helped their Tauri issue, so perhaps it is related:
https://github.com/electron-userland/electron-builder/issues/2029#issuecomment-335375161

This would also apply to the potential issue with the installer mentioned earlier in the thread:

> Don't download files to random names in temp, download them to a fixed folder under the app's root folder, with predictable names and proper extensions

@FabianLars

@vednig

vednig commented Sep 13, 2024

If the code signing isn't working, then the problem could be memory consumption on start, which, in dev at least, is high. Slowing down the timeline of resource utilisation may help.
Similar to how antivirus software works.
Another implementation could be asking the user to exclude the repo path from scanning, which is how Android Studio works.
Would need to understand each aspect of the Windows native build process and compare it with Tauri's build process.

@martpie

martpie commented Sep 13, 2024

Windows code certificates are crazy expensive though. As a dev working on personal projects, paying 100 bucks per year for an Apple dev license is ok, but it's 300-500 for Windows ._.

Publishing to Microsoft Store apparently helps with this issue though.

@jf908

jf908 commented Sep 25, 2024

To add another data point, I encountered this issue with a Tauri 1.8.0 .msi installer being flagged as Trojan:Script/Wacatac.B!ml by Windows Defender when the file was downloaded, even before it was executed. The installer + app were even signed using Trusted Signing.

I tried upping the version number, updating dependencies and building the application again and it didn't happen again. It seems like an issue that appears randomly.

@anggoran

anggoran commented Oct 6, 2024

I think this issue is not specific to Tauri. I've also found it in Flutter. It's either Windows Security Defender doing a false positive detection, or something wrong with how we sign the code.

@betamos
Contributor

betamos commented Oct 21, 2024

Follow-up. Still struggling with false positives. Still don't have my code signing in place (but keep in mind code signing is not a panacea and still affects people with $500 EV certs). Some more notes:

  • Updating tauri and other crates had no effect
  • Removing auto-launch (crate which can modify startup registry items) had no effect
  • Swapping build settings (lto, debug, panic_abort, etc) had no effect
  • Disabling clipboard-scanning (which I use in my app), had no effect

I've noticed that if you turn "Cloud-delivered protection" off, the detection won't occur. Manual local scan doesn't find anything.

This, together with the !ml suffixes, suggests that the detection occurs online in their Cloud, by first uploading the exe as a "sample" if it's previously unseen. I believe their ML models use static analysis, because the analysis of a novel binary completes within a few seconds (not enough time for full behavioral analysis?). After initial detection, WD will detect the same binary again but faster, probably because it's matching the hash Cloud-side. If static analysis can be confirmed, we can narrow the search further.

Furthermore, I believe this Cloud service is related to "Windows Defender Advanced Threat Protection (ATP)", but the MS product suite is too complex to determine what's what. If anyone here has access to an Enterprise "endpoint security" (or whatever it's called), they might let you access their scanning logs or otherwise give more insights into the causes. Happy to share my binary as a sample if needed.

Useful tools for testing:

  • When WD quarantines your binary, don't click on restore. That puts the file-path in the temporary allow-list which is difficult to remove. Instead, regenerate the binary or keep it in an excluded folder.
  • While testing/building, turn real-time protection off until you want to run detections again.

Edit: Submitting manually to Microsoft comes back as not malware. Which is strange, because it consistently gets flagged.

@kbeirne

kbeirne commented Oct 30, 2024

I just went through the Microsoft support gauntlet and finally got an answer:
[image]

So at least in our case the app was not the issue; Defender caught malware attaching itself to the app.

For the affected machine they recommended running malicious software removal tool full scan:
https://www.microsoft.com/en-us/download/details.aspx?id=9905&msockid=3fdc5a4116a2625827404f6617f76337

and a "Windows defender offline scan":
[image]

Our next steps will be to try and find out what kind of malware likes to glue itself to our app (and perhaps other tauri apps in general) and why. We will post any info we learn.

@mrjackwills
Contributor

Have to say I don't think that is a convincing, nor truthful, answer at all.

Everyone just happens to be building an application on infrastructure that is already infected? I am building via GitHub Actions, and still get the malware alert, therefore they would be suggesting that the GitHub machines are infected?

@betamos
Contributor

betamos commented Oct 30, 2024

If you're paranoid about injection attacks, then you can always compare the checksum of the suspicious .exe or simply check the code cert.

The probability of a sophisticated supply chain or injection attack against Tauri (or Tauri apps) is extremely small. Windows Defender has a track record of false positives, even for hello world binaries, and sometimes even C# binaries built with Visual Studio. The customer service rep is either not educated, or doesn't have the time or incentive to educate people about this. Instead, they recommend more Microsoft solutions to Microsoft problems. There are many sad facts about the state of security on Windows, most of which can be attributed to the company simply not prioritizing it, for decades.

Anyway, maybe it's better to keep this thread focused by assuming that we're affected by false positives, which is widely reported in every corner of software development for Windows.
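The two comments above suggest a practical triage routine: compare the flagged file's checksum against the copy VirusTotal saw, check its Authenticode signature, and record what Defender actually reported (the `!ml` heuristic names, whether cloud-delivered protection was on). The PowerShell below is an added example for this thread, not code from Tauri or any of the projects linked here. It assumes Windows 10/11 with the built-in Defender module (`Get-Mp*` cmdlets), an elevated prompt, and a local copy of the flagged artifact; the path and expected hash in the usage line are placeholders.

```powershell
# Added example (not from Tauri or any project in this thread). Collects the evidence
# a false-positive report needs: file hash, Authenticode status and Defender's own
# detection record for one artifact. Assumes an elevated Windows PowerShell session.
function Get-ArtifactTriage {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path,
        # Optional: the SHA-256 from your VirusTotal report URL or CI build log, so a
        # quarantined copy can be shown to be byte-identical to what you published.
        [string] $ExpectedSha256
    )

    $file = Get-Item -LiteralPath $Path

    # 1. Content identity. Same hash as the copy VirusTotal/CI saw means nothing
    #    "attached itself" to the file after the build.
    $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $hashMatches = if ($ExpectedSha256) { $sha256 -ieq $ExpectedSha256 } else { $null }

    # 2. Authenticode. 'Valid' = signed and untampered, 'NotSigned' = no certificate,
    #    'HashMismatch' = signed but the bytes changed after signing.
    $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # 3. Defender's record for this exact path. Resources entries look like
    #    "file:_C:\full\path", so match on the escaped full path.
    $threatNames = @{}
    foreach ($t in Get-MpThreat -ErrorAction SilentlyContinue) {
        $threatNames[$t.ThreatID] = $t.ThreatName
    }
    $escaped = [regex]::Escape($file.FullName)
    $detections = @(
        Get-MpThreatDetection -ErrorAction SilentlyContinue |
            Where-Object { @($_.Resources) -match $escaped } |
            ForEach-Object {
                [pscustomobject]@{
                    Time       = $_.InitialDetectionTime
                    ThreatName = $threatNames[$_.ThreatID]   # e.g. Trojan:Script/Wacatac.B!ml
                    Process    = $_.ProcessName               # what was running the file
                    Actioned   = $_.ActionSuccess             # quarantine/remove succeeded?
                }
            }
    )
    # Names ending in "!ml" are machine-learning verdicts rather than signature matches.
    $mlOnly = ($detections.Count -gt 0) -and
              (@($detections | Where-Object { $_.ThreatName -like '*!ml' }).Count -eq $detections.Count)

    # 4. Which Defender features were active, so the report says *what* flagged it.
    #    MAPSReporting is the "Cloud-delivered protection" setting: 0 off, 1 basic, 2 advanced.
    $pref      = Get-MpPreference
    $status    = Get-MpComputerStatus
    $mapsLabel = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }[[int]$pref.MAPSReporting]

    [pscustomobject]@{
        File                = $file.FullName
        Sha256              = $sha256
        MatchesExpectedHash = $hashMatches
        SignatureStatus     = $sig.Status.ToString()
        Signer              = $signer
        DefenderDetections  = $detections
        HeuristicOnly       = $mlOnly
        CloudProtection     = $mapsLabel
        SampleSubmission    = $pref.SubmitSamplesConsent
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        SignatureVersion    = $status.AntivirusSignatureVersion
    }
}

# Usage (placeholder path and hash; the hash is the one in your VirusTotal link):
# Get-ArtifactTriage -Path 'C:\build\MyApp_1.0.0_x64-setup.exe' `
#     -ExpectedSha256 '<sha256 from your VirusTotal report>' | Format-List
```

If `MatchesExpectedHash` is `$true` and `SignatureStatus` is `Valid`, the bytes on the affected machine are the ones you published, which rules out the "malware attached itself to the app" explanation for that sample; `HeuristicOnly` being `$true` together with `CloudProtection` not `Disabled` is the pattern described above for a cloud ML verdict rather than a signature hit. Attach this output, plus the `SignatureVersion`, when submitting a false-positive report, since Microsoft's analysts need to reproduce against the same engine state.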

@erikpa1

erikpa1 commented Mar 11, 2025

Golang has exactly the same problem, you have to distribute signed .exe files... In Golang there is also the problem that "go run main.go" on Windows sometimes takes 5 minutes for a simple app, while on Linux/Mac it takes 1 second.... It's something that the Rust and Golang creators should discuss with Microsoft, because C++ apps developed by me don't have this problem....

@ShaunSHamilton
Contributor

I have seen a similar trojanware error for our application: Trojan:Win32/Bearfoos.A!ml

If it helps, I was using the app for a while before Defender killed it. I suspect what did it was when the app ran: window.set_content_protected(false)

I suspect this came up, because we publish the app to Microsoft Store, and use the updater plugin. Windows was happy with the app, until I did an automated update.

I am hoping to find a solution that does not involve too much custom logic for if update && on_windows && originally_downloaded_via_store { tell_user_to_update_via_store() }.

@rockfactory

rockfactory commented Mar 23, 2025

I've got a report about this too, Trojan:Script/Wacatac.B!ml.
I've tried updating Cargo.lock dependencies, but it didn't work.
An application signed locally was undetected.

What I tried was:

After these changes it stopped being recognized as a trojan. I hope this could help someone, but I don't want to raise false hopes: it's still possible the build stopped being flagged by pure randomness. Nope, still got detected as a virus.

Update: right now it seems the MSI is ok, but only if I don't sign it with Azure Trusted Signing.

@ev3nst

ev3nst commented Mar 25, 2025

I just wanted to say that I also get false flagging, but in my case I think it's more about the app's reputation. As soon as I switched from NSIS to .msi, no more false flagging.
