Windows Defender reports Trojan:Script/Wacatac.H!ml on LLBLGenPro-v594-Full-setup.exe

cn
User
Posts: 2
Joined: 09-Feb-2023
# Posted on: 09-Feb-2023 13:17:08   

I downloaded your latest version (LLBLGenPro-v594-Full-setup.exe) and on installing it, Windows Defender (on Windows 11) reported that it had detected a severe threat. It detected the following: Trojan:Script/Wacatac.H!ml

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aScript%2fWacatac.H!ml&threatid=2147814524

Can you please explain to me why this happened? I downloaded it from my account downloads page.

Otis
LLBLGen Pro Team
Posts: 39753
Joined: 17-Aug-2003
# Posted on: 09-Feb-2023 15:11:29   

Huh... The !ml suffix means it was detected by machine learning, and this is a false positive. I've pulled it through virustotal.com and none of the 60 virus scanners flagged it: https://www.virustotal.com/gui/file/21719a5d0419bf963039df9cab0a1af882f4fc98fd5555631de45fe5c4b30239?nocache=1

So it's a bit weird that it is flagged on your system. I scanned the exe locally here with Windows Defender and it didn't flag it; it found 0 issues.

The main issue, I think, is that it's an NSIS-based installer. NSIS is a general-purpose installer program used by many programs, and we have used it since 2006 or so; it works great. Perhaps it flagged it because of that, no idea. If you right-click the installer exe in File Explorer -> Properties -> General tab, is there an Unblock checkbox? If you check that, Windows shouldn't block it anymore.

If you have 7-Zip, you can unpack the exe as a normal zip file. Windows Defender won't find anything inside it.

We could distribute the files to install as a zip too, btw, if you prefer that.

Frans Bouma | Lead developer LLBLGen Pro
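The reply above gives the reader two things to check before deciding whether a detection is a false positive: the SHA-256 that VirusTotal scanned (the hash in the link) and the Unblock checkbox, which removes the Mark of the Web (the Zone.Identifier alternate data stream a browser attaches to downloads). The script below is an added example written for this page, not code from the LLBLGen Pro team or the original posters. It confirms the file on disk is the same bytes VirusTotal saw, shows the Zone.Identifier stream, and asks Defender which engine/signature version produced the detection. The download path is an assumption; the hash and file name are taken from the thread.

```powershell
# Added example (not from the LLBLGen Pro team or the original post).
# Assumed download location; adjust to where the file actually is.
$Installer    = "$env:USERPROFILE\Downloads\LLBLGenPro-v594-Full-setup.exe"
# SHA-256 from the VirusTotal link in the reply above.
$ExpectedHash = "21719a5d0419bf963039df9cab0a1af882f4fc98fd5555631de45fe5c4b30239"

# 1. Confirm the local file is the exact file VirusTotal scanned. A vendor's "VirusTotal is
#    clean" statement only covers that hash; a mismatch means a corrupted or altered download.
$actual = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash.ToLowerInvariant()
if ($actual -ne $ExpectedHash) {
    throw "Hash mismatch: got $actual, expected $ExpectedHash. Do not run this file."
}
"SHA-256 matches the VirusTotal entry: $actual"

# 2. Show the Mark of the Web. A browser download carries a Zone.Identifier stream with
#    ZoneId=3 (Internet); that stream is what makes the Unblock checkbox appear.
$motw = Get-Content -Path $Installer -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    "Zone.Identifier stream present:"
    $motw
} else {
    "No Zone.Identifier stream (file is not marked as an Internet download)."
}

# 3. Record which Defender engine and signature version produced the verdict, and list
#    detections that reference this file. When two machines disagree (as Windows 10 and 11
#    did in this thread), comparing these versions is the first thing to check.
$status = Get-MpComputerStatus
"Defender engine $($status.AMEngineVersion), signatures $($status.AntivirusSignatureVersion)"
$leaf = [regex]::Escape((Split-Path -Path $Installer -Leaf))
Get-MpThreatDetection |
    Where-Object { $_.Resources -match $leaf } |
    Select-Object ThreatID, InitialDetectionTime, ProcessName, Resources

# 4. Only once the hash matched: this is what the Unblock checkbox does. It strips the
#    Zone.Identifier stream so the shell/SmartScreen stop treating the file as an untrusted
#    download; it does not change Defender's own verdict.
# Unblock-File -Path $Installer
```

Run it in an elevated PowerShell session so the Defender cmdlets can read detection history; step 4 is left commented out on purpose so nothing is unblocked before the hash comparison has been looked at.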
cn
User
Posts: 2
Joined: 09-Feb-2023
# Posted on: 09-Feb-2023 15:31:09   

Thanks for your reply. I ended up installing it anyway and blocking what it reported. So far it seems to be working without any problems. I too think it's a false positive, but I had to report it so that you could analyse it. You could end up with users not installing it in the future as they mistrust the file.

Another thing that I tried was scanning with Windows Defender on Windows 10, and that reported nothing. But when I tried scanning again on Windows 11, it immediately reported the same threat.

Otis
LLBLGen Pro Team
Posts: 39753
Joined: 17-Aug-2003
# Posted on: 10-Feb-2023 09:02:00   

cn wrote:

Thanks for your reply. I ended up installing it anyway and blocking what it reported. So far it seems to be working without any problems. I too think it's a false positive, but I had to report it so that you could analyse it. You could end up with users not installing it in the future as they mistrust the file.

Another thing that I tried was scanning with Windows Defender on Windows 10, and that reported nothing. But when I tried scanning again on Windows 11, it immediately reported the same threat.

Thanks for the feedback. Very strange that it reports differently with different versions of Defender. It's something we have to take into account in the near future. We'll likely also distribute the system as-is as a zip (the installer basically copies files and registers the menu shortcut + file extension, that's it) if this keeps popping up...

Frans Bouma | Lead developer LLBLGen Pro