tauri-apps/tauri

[Windows] Trojan alert from windows defender and other anti-virus providers

Shotman opened this issue · 62 comments

Describe the bug

After building a Tauri app, Commandos, from source and doing npm run tauri dev, at some point Windows Defender freaks out and I get a Trojan:Script/Wacatac.B!ml alert from it

To Reproduce

Steps to reproduce the behavior:

  1. Clone the repo
  2. Run the dev process of the app
  3. Use the app a bit
  4. Alert should happen at some point

Expected behavior

Windows Defender shouldn't flag this app as a Trojan

Platform and Versions (required):

Operating System - Windows, version 10.0.19043 X64
Webview2 - 92.0.902.73

Node.js environment
  Node.js - 16.5.0
  @tauri-apps/cli - 1.0.0-beta.7
  @tauri-apps/api - 1.0.0-beta.6

Global packages
  npm - 7.20.3
  yarn - 1.22.5

Rust environment
  rustc - 1.54.0
  cargo - 1.54.0

App directory structure
/.git
/.github
/.vscode
/e2e
/images
/logo
/node_modules
/src
/src-tauri

App
  tauri.rs - 1.0.0-beta.7
  build-type - bundle
  CSP - default-src blob: data: filesystem: ws: wss: http: https: tauri: 'unsafe-eval' 'unsafe-inline' 'self' img-src: 'self'
  distDir - ../dist/commandos
  devPath - http://localhost:5200
  framework - Angular
  bundler - Webpack

Additional context

Not my app, just wanted to test it and ran into this issue

Should we escalate this to the webview2 crew? @wusyong

Could you make a virustotal.com submission and include the report link here, please? Thanks

https://www.virustotal.com/gui/file/d582212961c8d2fe95b700d721d8972aa52d0b6c978e93917fddb85e419f1687/detection

During testing my app on Windows I also had this experience. Came up as "Trojan:Script/Wacatac.B!ml". This was a debug build as well.

frnco commented

Just wanted to add that I never compiled a debug build for Windows, and Windows never complained like that for any of my non-debug builds. Dunno if there's actually any relation to using a debug build, but I've built a few things on Windows and shared them with a few friends and family, and although Windows does complain quite a bit about signing and not knowing the publisher or whatever, Windows Defender never reported any threats like viruses or trojans or whatever. So this doesn't apply to all Windows builds, and if it's not the debug thing there's something else causing this.

@Shotman do you still see this alert? No one else has reported it :/

@lucasfernog I haven't tried it so far, but recently I've set up Tauri 1.0 on a few PCs and it didn't trigger anything, so I guess it might be safe to assume something between beta7 and 1.0 fixed it.
Closing the issue for now, but let's reopen if it ever comes back.

FYI it also happens to me. Tauri 1.1, Windows 11, on a couple of PCs.
I built the react template, as it is.

A friend of mine sent his .exe and .msi to test on my system and my MS Defender instantly alarms me about "Trojan:Script/Wacatac.B!ml". He doesn't get the same error as I do, and VirusTotal says it's harmless.

So the issue is definitely not fixed

Version used: Tauri 1.2
Windows Version: Windows 11 21H2

We've had similar experience with our Tauri app v1.2. No problems from several playtesters but have 2 new testers now and they immediately got it, as well as a block from both Chrome and Edge. Testers were on Windows 10. Similar trojan alert but slightly different name:

I've noticed a commonality between our project and Commandos. Both use Windows cmd directly in the project. See here.
I was trying to avoid this if possible because of problems just like this. I'm gonna run a build with cmd removed and see if the issue persists.

Update: Got a second playtester recreating the issue. Tried a build without any cmd or any interop at all really except for some REST APIs (and UI, practically no extra Rust outside some empty tauri::commands and an empty on_window_event->WindowEvent::Destroyed hook) and got the same result.

I had the Trojan:Script/Wacatac.H!ml trojan alert when I installed the latest version of my application.

Installing fresh on a different machine didn't cause the alert. Removing all traces of the application before installing also again didn't cause any Security alert.

However, I am now unable to re-create the Trojan alert (I have made sure that Microsoft Security Centre is NOT allowing it), so I am none the wiser.

The only aspect of my application that I think might trigger an alert is a dependency, auto-launch, to allow the application to, as the name suggests, run at boot. On Windows, I think this is achieved via a registry change.

Anyone tested with/without certs out of interest? Hadn't signed our msi yet, will try that.

Also, @Shotman, are we alright to reopen this? Happy to help if I can, this is a blocker for me atm.

I reopened the issue to allow referencing and data collection etc

Sent out a new version with an IV sha256 code-sign and the problem was not reproducible for the two testers who were previously having trouble (they had each tried at least two previous versions without code-sign that were reproducing the issue).

Will update again if I get more trojan reports.

I actually have this issue with Windows 11. The release here has the issue: https://github.com/vasilvestre/totk-mod-manager-for-yuzu/releases/tag/v0.6.0

Hello!
I just discovered Tauri yesterday and built one of my apps with it. I use the official GitHub Actions template to build the thing. It seems to work with the .MSI file, but the NSIS one is flagged as a virus, and VirusTotal says it's safe

The release is here: https://github.com/Bigaston/PatThePupuce/releases/download/app-v1.1.0/patthepupuce_1.1.0_x64-setup.exe

I just ran into the same issue here. The following release I have is marked in the same way: https://github.com/Raphiiko/Oyasumi/releases/download/oyasumi-v1.7.0/OyasumiVR_1.7.0_x64-setup.exe

I did get the same issue.
I created an app through cmd, and then opened it on VS Code and BOOM! my antivirus was sending me messages upon messages saying they're deleting the libs stored in a folder deep inside the project folder I created.

I'm really surprised how developers would be able to develop an app while at the same time having to disable their antivirus. How do you even go to the internet to see how to code a specific thing you need for your project?

@Kespuzzuo Most antivirus programs really don't like compiled programming languages, and I guess Rust especially so, since it often compiles multiple executables and executes them to create the actual app executable. On normal user systems, which antivirus software primarily targets, this is a big no-no.

fwiw even without the warnings, I personally can't live without whitelisting my dev folder because the real-time scanning often causes insane compilation slowdowns...

Either way, this is something we can control even less than issues when running the resulting Tauri app.
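An added PowerShell triage helper, not from this thread or from the Tauri project, that ties together two points raised above: the earlier report that a SHA-256 code-signed build stopped reproducing the alert, and the per-file Defender detections being discussed here. It lists every .exe/.msi under a Tauri bundle directory with its Authenticode status and any Defender detection that references it, so a maintainer can see at a glance which artifacts are unsigned and which ones Defender actually flagged. It assumes the default Tauri output path src-tauri\target\release\bundle and the Windows Defender PowerShell module (Get-MpThreatDetection, Get-MpThreat), which must be run from an elevated prompt.

```powershell
# Added triage helper (not part of Tauri or this thread). For each installer or
# executable under a Tauri bundle directory, report the SHA-256 (for a VirusTotal
# lookup), Authenticode signature status and any Defender detection naming the file.
param(
    # Assumed default Tauri bundle location, relative to the script's directory.
    [string]$BundleDir = (Join-Path $PSScriptRoot 'src-tauri\target\release\bundle')
)

function Get-TauriArtifactReport {
    param([Parameter(Mandatory)][string]$Dir)

    # Fetch Defender's detection history once. Each record's Resources entry is a
    # string such as "file:_C:\path\app_1.0.0_x64-setup.exe".
    $detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue)

    # Map ThreatID -> human-readable name, e.g. "Trojan:Script/Wacatac.B!ml".
    $threatNames = @{}
    Get-MpThreat -ErrorAction SilentlyContinue | ForEach-Object {
        $threatNames[$_.ThreatID] = $_.ThreatName
    }

    Get-ChildItem -Path $Dir -Recurse -File -Include *.exe, *.msi | ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $hits = $detections | Where-Object {
            $_.Resources | Where-Object { $_ -like "*$($file.FullName)*" }
        }
        [pscustomobject]@{
            File       = $file.FullName
            Sha256     = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            # Status is NotSigned, Valid, HashMismatch, UnknownError, ...
            SigStatus  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Detections = ($hits | ForEach-Object { $threatNames[$_.ThreatID] }) -join '; '
        }
    }
}

Get-TauriArtifactReport -Dir $BundleDir | Format-Table -AutoSize
```

Unsigned rows with a non-empty Detections column are the ones worth submitting to Microsoft as false positives (as suggested later in the thread) and re-testing after code signing.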

Trying to install "DataFlare", not open source from what I understand, from the showcase channel on Discord, I got another warning with the nsis exe setup

Any updates?

I just built and released an app that is encountering this problem. I have not had any issues during development at all, but sometimes the release build is flagged by Windows Defender (and some other AV). Frustratingly, it doesn't seem to be entirely consistent in what it flags it as and when.

My app uses the updater, which I think may be a factor in this.

My time & productivity tracking app BigBro suffers from this issue.

I use the NSIS installer and whenever the users receive an update through the updater Windows Defender immediately raises a flag.

I've submitted the NSIS setup executable to Microsoft as a false-positive through here, maybe you can do the same.

Note that the app executable itself doesn't raise any flags, only the installers/updaters get detected as malware.

NSIS Installer VirusTotal Results

BigBro.exe VirusTotal Results