
Microsoft Defender Report Trojan:Script/Wacatac.B!ml in file Get.ps1

Open · hdell opened this issue 6 months ago · 1 comment

Checklist

  • [x] I have searched for existing issues/discussions and didn't find any similar ones.
  • [x] I haven't used any other scripts, tools or programs that might have caused this issue.

Windows version

10.0.26100 Build 26100

Script mode/options

None -- Just performed a Download

Describe the issue

Microsoft Defender Reports the file C:\Users<removed>\Downloads\Win11Debloat-2025.06.11.zip->Win11Debloat-2025.06.11/Get.ps1 contains Trojan:Script/Wacatac.B!ml. So this is similar to Issue #248?

I found the link to download the file in the README.md file under the heading "Traditional method // Manually download & run the script."

Please note I am tangentially familiar with GitHub and don't know all about this -- noob. This is likely a false positive, however, I would like to hear what the community has to say. Of course we all know of various supply chain attacks.

Previously, this last week, I downloaded the ZIP without an issue; however, I must have done this differently, as the ZIP file was named Win11Debloat-master.zip.

Steps to reproduce

Just download the file /Raphire/Win11Debloat/archive/refs/tags/2025.06.11.zip (don't download as it may contain malware)

Error output

See DefenderReport.pdf

Additional context

DefenderReport.pdf

hdell · Jun 11 '25 23:06

Heya,

Thanks for reporting this. I think we're seeing this now because we recently moved to tagged releases. Because of this, after every release the script will download from a new URL/file name (with a new version number), whereas before the URL/filename was always the same. I can see how AVs would consider that suspicious, as they look at the URL, filename, etc. to check whether a file is 'trusted'.

Raphire · Jun 12 '25 10:06