-
-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Windows] Trojan alert from windows defender and other anti-virus providers #2486
Comments
Should we escalate this to the webview2 crew? @wusyong |
Could you make a virustotal.com submission and include the report link here, please? Thanks |
|
During testing my app on Windows I also had this experience. Came up as "Trojan:Script/Wacatac.B!ml". This was a debug build as well. |
Just wanted to add that I never compiled a debug build for Windows, and Windows never complained like that for any of my non-debug-builds. Dunno if there's actually any relation to using a debug build, but I've built a few things on windows and shared with a few friends and family, and although Windows does complain quite a bit about signing and not knowing the publisher or whatever, windows defender never reported any threats like viruses or trojans or whatever, so this doesn't apply to all windows builds, and if it's not the debug-thing there's something else causing this. |
@Shotman do you still see this alert? No one else has reported it :/ |
@lucasfernog I haven't tried it so far, but recently I've set up Tauri 1.0 on a few PCs and it didn't trigger anything sooo I guess it might be safe to assume something between beta7 and 1.0 fixed it |
FYI it also happens to me. Tauri 1.1, Windows 11, on a couple of PCs. |
A friend of mine sent his .exe and .msi to test it on my system and my MS-Defender instantly alarms me about "Trojan:Script/Wacatac.B!ml". He doesnt get the same error as i and virustotal says its harmless. So the issue is defently not fixed Version used: Tauri 1.2 |
We've had similar experience with our Tauri app v1.2. No problems from several playtesters but have 2 new testers now and they immediately got it, as well as a block from both Chrome and Edge. Testers were on Windows 10. Similar trojan alert but slightly different name: I've noticed a commonality between our project and Commandos. Both uses Windows cmd direct in the project. See here. Update: Got a second playtester recreating the issue. Tried a build without any cmd or any interop at all really except for some REST APIs (and UI), practically no extra rust outside some empty tauri::commands and an empty |
I had the Installing fresh on a different machine didn't cause the alert. Removing all traces of the application before installing also again didn't cause any Security alert. However, I am now unable to re-create the Trojan alert (I have made sure what Microsoft Security Centre is NOT allowing it), so I am none the wiser. The only aspect of my application that I think might trigger an alert is a dependency, auto-launch, to allow the application to, as the name suggests, run at boot. On windows, I think this is achieved via a registry change |
Anyone tested with/without certs out of interest? Hadn't signed our msi yet, will try that. Also, @Shotman, are we alright to reopen this? Happy to help if I can, this is a blocker for me atm. |
I reopened the issue to allow referencing and data collection etc |
Sent out a new version with an IV sha256 code-sign and the problem was not reproducible for the two testers who were previously having trouble (they had each tried at least two previous versions without code-sign that were reproducing the issue). Will update again if I get more trojan reports. |
I actually have this issue with Windows 11. The release here got the issue : https://github.com/vasilvestre/totk-mod-manager-for-yuzu/releases/tag/v0.6.0 |
Hello! The release is here: https://github.com/Bigaston/PatThePupuce/releases/download/app-v1.1.0/patthepupuce_1.1.0_x64-setup.exe |
I just ran into the same issue here. The following release I have is marked in the same way: https://github.com/Raphiiko/Oyasumi/releases/download/oyasumi-v1.7.0/OyasumiVR_1.7.0_x64-setup.exe |
I did get the same issue. I'm really surprised how developers would be able to develop an app while at the same time having to disable their antivirus. How do you even go to the internet to see how to code an specific thing you need for your project? |
@Kespuzzuo Most anti virus programs really don't like compiled programming languages, and i guess rust especially so since it often compiles multiple executables and executes them to create the actual app executable. On normal user systems, which anti virus software primarily targets, this is a big no-no. fwiw even without the warnings, i personally can't live without whitelisting my dev folder because the real-time scanning often causes insane compilation slowdowns... Either way, this is something we can control even less then issues when running the resulting tauri app. |
Trying to install "DataFlare", not open source from what I understand, from the showcase channel on Discord, I got another warning with the nsis exe setup |
is there a solution in mind? |
Well, if someone has a solution for us, we're all ears. Or at least knows what could cause this. To react to the only comment in that direction:
Hmm, i guess that's valid, other installers/updaters do the same but i can see how this can be problematic. One problem is that the app's root folder is read only for msi and nsis@perMachine apps.
We don't. We use /passive, but even apps that use a user interaction UI have the same issues.
This issue is older than our switch to ShellExecute. Before that we used CreateProcess via Rust's Lastly, apps without the updater also see those same alerts (potentially less often, maybe the same) |
I can confirm that point, I built binaries for an app without auto-updater, and the Trojan alert is still present. |
What solved the issue for us was updating the version number of the app in the config file, updating cargo and all the dependencies and then generate a new build. |
I, too, was impacted by this issue. VirusTotal and my Windows Defender also flagged the ( |
Is there any chance this will get investigated before the stable 2.0 release? This is kind of a big issue for distributing binaries to people that may not trust your product and just think you are disturbing a Trojan horse. |
a coworker of mine solve this issue with this
|
i don't think your customers will see this issue , due the the comment I just put above^^^ only the PC that do the build process get the alert |
I don't think this is true, multiple people I sent the binary had it flagged as a virus until I sent it in to Windows |
Our installer is built on a build server, and we get the virus warning locally on our local machines, so it's definitely not only related to the machine that does the build |
Yes and no, we won't do a special investigation session or will delay stable for this but it's really under constant investigation. We unfortunetely don't have any more insight (into AV software etc) either and even the friends we have at relevant companies couldn't help us yet. I was told that someone saw similar reports (including Wacatac) with basically a plain Wry app which is pretty concerning. I am at a point where i think that it's the use of WebView2 itself and/or Rust that's the issue here. Considering that projects like Wails also seem to deal with false positives (Wacatac being among them) the former seems to be even more likely... For now it seems like we can only keep asking you to submit your apps to AV software providers :( |
I'm thinking of building a solution to automate this submission process since it's a pain in the ass to do it manually every time and I don't think paying few hundred bucks for a license is the way. Should I make it a cheap SaaS (like 3.50$/month cheap), are you guys interested? |
I dont know if i need this service right now , but might maybe in the future |
In our AI Studio app, we have the same issue (link to our issue). However, the virus scanners (as expected) seem to be a little more critical once a sidecar comes into play: we use a .NET server as a sidecar. |
Another affected developer here.
Detections (will update if I see more):
Strangely, Virustotal currently says it's clean. Notes:
Questions:
|
It doesn't stop it. We have a full hardware EV on ours now and we got another report on our Tauri 1.6 app. Wacatac Trojan warning that auto-uninstalled the app.
Not much help here, but see comments on an earlier post: #2486 (comment) |
Tried converting our nsis installer to msix so we can run the Microsoft App Store validator: It passed but with the following errors:
This isn't proof that these are related to the trojan but it shows some issues Microsoft cares about that might be causing problems. Some errors similar to the "Launch Process" errors above were found in an electron app that was caused by temp file creation. Someone earlier also mentioned deleting temp files helped their tauri issue so perhaps it is related: Would also apply to potential issue with the installer mentioned earlier in the thread:
|
If the code signing isn't working, then the problem could be memory consumption on start, when in dev atleast is high. Slowing down the timeline of resource utilisation may help. |
Windows Code certificates are crazy expensive though. As a a dev working on personal projects, paying 100 bucks per year for an Apple dev license is ok, but it's 300-500 for Windows ._. Publishing to Microsoft Store apparently helps with this issue though. |
To add another data point, I encountered this issue with a Tauri 1.8.0 .msi installer being flagged as Trojan:Script/Wacatac.B!ml by Windows Defender when the file was downloaded, even before it was executed. The installer app were even signed using Trusted Signing. I tried upping the version number, updating dependencies and building the application again and it didn't happen again. It seems like an issue that appears randomly. |
I think this issue is not specific to Tauri. I've ever found it in Flutter. It's either the Windows Security Defender did false positive detection, or something wrong with how we sign the code. |
Describe the bug
After building from source a Tauri app, Commandos after doing a npm run tauri dev, at some point Windows Defender freaks out and I get a Trojan:Script/Wacatac.B!ml alert from it
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Windows Defender shouldn't flag this app as a Trojan
Platform and Versions (required):
Additional context
Not my app just wanted to tested it and ran into this issue
The text was updated successfully, but these errors were encountered: