OneLauncher
Windows Defender tagging it as malicious
I downloaded the latest Windows version as of today (5 August 2024) and installed it. As soon as the installation finished, my Windows Defender kicked out the following error:
I have submitted it to MS Defender website as a potential false positive, so will leave it in their hands. There are quite a few other GitHub repos also potentially getting flagged by the same MS Defender issue.
sigh Thought it might have been because of upgrading the compiler, but I just re-scanned 2.0's exe, and it's flagged now, too. Getting anti-virus hits is pretty common when freezing or compiling Python code. One of the reasons I don't make a one-file Windows build is to try and avoid this.
For those concerned about security, I'd recommend this:
- Scan and/or audit the source code. This is the Virus Total for 2.0.1's source code: https://www.virustotal.com/gui/file/5a38df07f543aa050042196c16fec310432242e933b5b9d8c3a815e7c4bc421f
- Read the build workflow and associated build Python package so you know that nothing fishy happens during the build process.
- Compare the hashes of the workflow artifacts to the downloads on the releases page to make sure they haven't been changed after being uploaded by the build workflow.
- Be proud that you actually check this stuff but keep your guard up; security is never guaranteed, and it's actually more likely for there to be malicious or vulnerable code in one of the dependencies than OneLauncher itself.
Relevant VirusTotal Links
- 2.0.1 installer: https://www.virustotal.com/gui/file/c28abc8c9657dfc31363eadac341fa19472237a4226e4cebac52c02315e9e033/detection
- 2.0.1 onelauncher.exe (included in installer): https://www.virustotal.com/gui/file/5c6a8161b2ec0602d3f7bc710e0470a64fa06e52bb307fa7158a2d54d3da0629/detection
- 2.0.1 Nexus package (installer in zip): https://www.virustotal.com/gui/file/2d7632a4957a464e0540f1ce9ce3eba628187eeab9011118e233d1cf25182a67/detection/f-2d7632a4957a464e0540f1ce9ce3eba628187eeab9011118e233d1cf25182a67-1722752350
- 2.0 installer: https://www.virustotal.com/gui/file/0cb71a2805052aaebfc24fdc8ebe347806748793bd17b88779bba44a8f300d47
- 2.0 onelauncher.exe (included in installer): https://www.virustotal.com/gui/file/a84d3fec93f01b3cf4d800c54baf85e27d1b46a5e533f6b82e0243dde1e9c5bd

small rant: It's frustrating that all the work to make something easier to use for non-technical users on Windows just ends up giving scary messages like this or the warning from running unsigned executables (signing certificates cost hundreds of dollars per year). The last thing I want to do is ask people to ignore warnings like this when it's vital that they stay cautious. Especially when it comes to random software from the internet like this.
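The hash comparison recommended in the comment above, as an added example that is not part of the original thread or the project's code: it hashes every file inside a downloaded workflow artifact zip and reports which ones are byte-identical to a release download. It assumes the artifact was saved as the zip GitHub serves; the file names and bytes in `demo()` are constructed.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so large installers are not read into memory."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()


def artifact_hashes(artifact_zip):
    """Return {member name: SHA-256} for every file inside a workflow artifact zip."""
    hashes = {}
    with zipfile.ZipFile(artifact_zip) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                with zf.open(info) as member:
                    hashes[info.filename] = sha256_stream(member)
    return hashes


def matching_members(artifact_zip, release_file):
    """Names of artifact members that are byte-identical to the release download."""
    with open(release_file, "rb") as fh:
        release_digest = sha256_stream(fh)
    return [n for n, d in artifact_hashes(artifact_zip).items() if d == release_digest]


def demo():
    """Constructed sample: one untouched download and one altered after the build."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        built = b"MZ constructed installer bytes"
        with zipfile.ZipFile(tmp / "artifact.zip", "w") as zf:
            zf.writestr("example-installer.exe", built)
            zf.writestr("build-notes.txt", b"constructed")
        (tmp / "release_ok.exe").write_bytes(built)
        (tmp / "release_tampered.exe").write_bytes(built + b"\x00")
        return (matching_members(tmp / "artifact.zip", tmp / "release_ok.exe"),
                matching_members(tmp / "artifact.zip", tmp / "release_tampered.exe"))


if __name__ == "__main__":
    ok, tampered = demo()
    print("untouched download matches:", ok)
    print("altered download matches:", tampered or "nothing (do not run it)")
```

An empty result means the release download does not correspond to any file the build workflow produced.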
Thanks for your efforts, I have submitted it to Windows for them to reclassify it - it's going through scanning now, so should be with us shortly!
Hi @JuneStepp is there anything we can do to help like submitting MS Defender website as a potential false positive like @salvoza did?
Thought my installation deleted itself randomly today, but turns out Defender quarantined it. Trojan:Win32/Wacatac.B!ml
I assume false positive as I've been using Onelauncher for years now.
> Hi @JuneStepp is there anything we can do to help like submitting MS Defender website as a potential false positive like @salvoza did?

All I know to do is contact each vendor that flags the file. I don't know if submitting it to Windows Defender multiple times speeds up the process or not. It's also quite possible that the vendors will only whitelist this specific file, meaning new releases would still get flagged.
I've confirmed that only the compiled versions and not the source code are flagged. That suggests that the only way for me to fix it is using a different distribution method. The downside to that would be larger file sizes, longer startup times, and development time.
> Thought my installation deleted itself randomly today, but turns out Defender quarantined it. Trojan:Win32/Wacatac.B!ml
> I assume false positive as I've been using Onelauncher for years now.

This is indeed a false positive, but do keep in mind that software can always be compromised regardless of track record. Use your best judgment.
BitDefender also blocks OneLauncher.exe, puts it into quarantine and blocks network access in its firewall.
This looks like it has been resolved by Microsoft Defender.
Adding onelauncher.exe to the exceptions in Bitdefender resolved it for me.
I've done some work to remove dependencies from the builds that are more likely to get flagged. With the latest changes, only 1-2 minor vendors are causing trouble. Hopefully the next release will be all good without manual exceptions.