Virus Detected with AI Exe

[Frank Bastiaens]

Hi,

I get a message via Defender that a AI created executable is a Virus. (Windows Defender)

Name: Trojan:Win32/Wacatac.B!ml
Alert Level: Severe
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.

Kind Regards

PS, Attached the AIP

[Catalin]

Hello Frank,

Most likely, that happens because you did not digitally sign your setup.

What is a Code Signing Certificate and how to ensure digital trust for your application

Hope this helps!

Best regards,
Catalin

[Frank Bastiaens]

Hi Catalin,

You would think so, but then this should already happen 2 weeks ago when I created this package for the first time.

Kind Regards.

[Catalin]

Hello Frank,

I can assure you this is because your setup is not digitally signed (I've had many users in the same scenario and the detection went off after the setup was signed).

And I also can assure you that this is a false-positive detection. If you'd like, you can submit it for whitelisting to Microsoft:

Submit a file for malware analysis

Hope this helps!

Best regards,
Catalin

[Catalin]

Hello and welcome to our forums,

You're always welcome!

And sure, let me know if you got any questions.

Best regards,
Catalin

[JGwinner]

I know what code signing is, but some guidance on how to include that with Advanced Installer would really be helpfull

Especially as without this, AI basically won't work at all. You have no idea how many angry phone calls we got that our software is virus riddled.

== John ==

[Catalin]

Hello John,

First of all, I am sorry to hear about the angry phone calls - we ourselves have faced a similar problem in the past so I definitely can understand your pain.

I know what code signing is, but some guidance on how to include that with Advanced Installer would really be helpfull

Regarding this, fortunately it's pretty easy to achieve - simply go to "Digital Signature" page and sign your package from there.

Digital Signature: Sign MSI, EXE and MSP files

Now, besides that, what I would also suggest is the following - before each release, scan your MSI/EXE & binaries using VirusTotal. If anything comes up there, I would advise contacting the specific AntiVirus vendor for whitelisting - most of them have a section on their website where you can input files for whitelisting.

A little note here, I would advise doing so for well known Antivirus vendors, not for unknown ones (e.g. Rise is one of those if I remember correctly - a Chinese vendor who no longer have English support).

This is something we do before each release as well - our support team gathers the MSI and all its resources (dll files, exe files, etc.) and scans them. If something comes up, we postpone the release for 1-2 days until we get an answer from the vendors.

Even with this, considering how fast the AntiVirus heuristics change, we might be ok now and flagged the next day - but I have to admit this is quite rare and this solution has worked for us so far pretty well.

Hope this helps!

Best regards,
Catalin

[wingers]

Hello Frank,

I can assure you this is because your setup is not digitally signed (I've had many users in the same scenario and the detection went off after the setup was signed).

And I also can assure you that this is a false-positive detection. If you'd like, you can submit it for whitelisting to Microsoft:

Submit a file for malware analysis

Hope this helps!

Best regards,
Catalin

Had same issue - and it is NOT because it is not digitally signed, as reported on another forum post it gets flagged by defender even if digitally signed...

I tried submitting it to Microsoft Security Intelligence but report came back as "Analyst comments: Your submission has been rejected due to too many files."

2023-06-07_18-55-39.png (148.63 KiB) Viewed 27828 times

[Catalin]

Hello Darren,

In most cases so far, if the setup was signed with a trusted certificate (e.g. EV which has instant reputation), the Defender's complaints went away.

Not quite sure why this is not your case here.

Regarding the submission, how many files have you tried to submit that it complains there are too many files? So far I never encountered this behavior.

Best regards,
Catalin

[wingers]

I just submitted the one file - updater.exe (as can be seen in the screenshot) - I just assumed it is looking inside it and finding other files or similar?

perhaps try submitting it yourself?

was definitely signed with a digital signature and was definitely detected multiple times by defender - never had this issue before

[wingers]

just submitted it again - this time the original file from stub folder, rather than the signed file which was detected - hopefully this time it will be accepted, will report back later

[Catalin]

Hello Darren,

I've tested the updater.exe file with the latest security update from Microsoft I was not able to reproduce the false-positive issue.

Security intelligence version: 1.391.828.0

Can you please test this again with the latest virus database update from Microsoft?

https://www.microsoft.com/en-us/wdsi/defenderupdates

Best regards,
Catalin

[wingers]

seems okay this morning so far.

Did try uploading it again to the website for testing - and definitely just uploaded the one exe from the stubs directory, but it still reports too many files - very strange, so we can't submit it as you keep asking.

2023-06-08_11-03-17.png (170.77 KiB) Viewed 27804 times

[Catalin]

Hello Darren,

Thank you for your followup on this!

Glad to hear things are working as expected as expected now.

Regarding the issue, it is indeed strange as I've never encountered it when submitting files at Microsoft.

Best regards,
Catalin

[guygodin]

Hi, sorry for reviving an old thread but we are seeing the same issue with the updater.exe getting flagged by Windows Defender and other antiviruses even though it is digitally signed with our EV code signing certificate. I recently renewed my license from version 19.x and now have latest 21.9 version. It was not an issue on 19.x but it is now with 21.9.

When I scan the original Updater.exe located in C:\Program Files (x86)\Caphyon\Advanced Installer 21.9\stubs\x86
I get the attached results in VirusTotal and a lot of users (in the thousands), not all, are getting a PUA warning in Windows Defender.

Let me know if you need anything else