
Windows Security detects Trojan:Win32/Wacatac.B!ml #6

Open
youri-- opened this issue Jan 4, 2025 · 2 comments

Comments

@youri--

youri-- commented Jan 4, 2025

Windows Security (Win 11 version 23H2) detects Trojan:Win32/Wacatac.B!ml in file TWLMagician_Win_x64_v1.3\TWLMagician.exe.

Any specific reason why this would be a false-positive, to set my mind at ease, or should I be worried?

Thanks.

EDIT:
I downloaded and scanned previous versions and they are not detected as such. Might be good to check if the machine compiling and uploading to the github release page is infected.

Also, Windows Security logs "Protected folder access blocked" concerning the protected folder %userprofile%\Documents\My Data Sources\. I don't think the app needs or should want this access. So if possible, it would be good to prevent this access attempt.

EDIT 2:
This Reddit comment makes a lot of sense, could be that (and perhaps be easily fixed):

No, it's because AV's use heuristic analysis rather than a simple 1:1 checksum that would be easy to fake.

Most malicious programs use very simple instruction sets and call for functions in a manner that aren't necessary. It's usually resolved by rewriting a single function in manner that doesn't behave like commonplace malware. I've never experienced a time where I needed to get whitelisted and not just revise my code to not be suspicious as hell.

EDIT3:
VirusTotal scan: https://www.virustotal.com/gui/file/873ff5ba4aa1033c30134d2aedc14c8c205ad86206c0584f21d14fab8ee02b51
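The VirusTotal link above identifies the scanned object by its SHA-256 (the file id in the URL), so a downloader can check that the release file on disk is the exact file that report describes before drawing any conclusion from it. This is an added example, not code from the issue or from the TWLMagician project; the local file path is an assumption.

```python
import hashlib
import re
import sys
from pathlib import Path

# VirusTotal report URL quoted in the issue; its file id is the SHA-256 of the scanned file.
VT_URL = ("https://www.virustotal.com/gui/file/"
          "873ff5ba4aa1033c30134d2aedc14c8c205ad86206c0584f21d14fab8ee02b51")


def hash_from_vt_url(url: str) -> str:
    """Extract the 64-hex-digit SHA-256 file id from a VirusTotal /gui/file/<sha256> URL."""
    m = re.search(r"/gui/file/([0-9a-fA-F]{64})(?:[/?#]|$)", url)
    if not m:
        raise ValueError("URL does not carry a SHA-256 file id")
    return m.group(1).lower()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """SHA-256 of a file on disk, read in 1 MiB chunks so large executables are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_report(file_hash: str, url: str) -> bool:
    """True only if the local file's SHA-256 equals the file id in the VirusTotal URL."""
    return file_hash.lower() == hash_from_vt_url(url)


if __name__ == "__main__":
    # Assumed local path; pass the real path to the downloaded release as argv[1].
    exe = Path(sys.argv[1] if len(sys.argv) > 1 else "TWLMagician_Win_x64_v1.3/TWLMagician.exe")
    local = sha256_file(exe)
    if matches_report(local, VT_URL):
        print(f"{exe}: SHA-256 matches the VirusTotal report ({local})")
    else:
        print(f"{exe}: SHA-256 {local} does NOT match the report id {hash_from_vt_url(VT_URL)}; "
              "the report is about a different file")
```

A mismatch means the VirusTotal verdict, benign or not, says nothing about the file you actually downloaded.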

@R-YaTian
Owner

R-YaTian commented Jan 5, 2025

Could you please try the x86 build of TWLMagician? The x64 target of TWLMagician is built using nuitka's onefile mode, which extracts the required files to the user's "Temp" folder, and antiviruses hate that.
The previous versions of the x64 target used enigmavb packing instead of nuitka's onefile mode. The source code is in the repo; feel free to look for malicious code in there. I just provide the exe for convenience, as most people don't have Python installed.
The v1.3 x86 version of TWLMagician does not use nuitka's onefile mode. If Windows Security does not detect it as a virus, I will change the build mode for the x64 target as well.

@R-YaTian
Owner

R-YaTian commented Jan 6, 2025

Hotfix 2 uses the same build and/or packing mode as the v1.2 release, which will hopefully fix the false positive. Please try again by downloading it from the release page.
