opencode icon indicating copy to clipboard operation
opencode copied to clipboard
Published 2 days ago verified publisher icon anomalyco

Windows Defender falsely flags new releases as trojans

Open riatzukiza opened this issue 2 months ago • 13 comments

Summary Recent OpenCode Windows release assets are being flagged by Windows Defender with ML/heuristic signatures (e.g. Trojan:Script/Wacatac.C!ml, Program:Script/Wacapew.A!ml). Based on prior reports and cross-checks, this appears to be a recurring false positive, not evidence of compromise.

Affected / reports

  • 2025-10-24: v0.15.16 quarantined by Windows Security as Trojan:Script/Wacatac.C!ml (Windows 11 Pro)

  • Prior threads showing the same class of detection:

    • #3388 (Wacapew.A!ml heuristic)
    • #1103 (Windows detects virus on opencode-windows-x64.zip; mixed results across AV engines; some require Defender exclusions)

Hypothesis This is a heuristic / ML false positive common to bundled CLI/GUI binaries (compression/packing, embedded resources, or unsigned artifacts) and often “goes away” after Defender definition updates. No evidence of compromise has been presented.

What we’ll do

  • [ ] Publish checksums (SHA256) for all release assets.
  • [ ] Code-sign Windows artifacts (Authenticode; timestamped) to reduce AV false positives.
  • [ ] Generate an SBOM (CycloneDX) and attach to releases.
  • [ ] Avoid packers (e.g., UPX) for Windows release builds if used.
  • [ ] Add CI AV scans for every release: Windows Defender (Windows runner), ClamAV (Linux runner), and OWASP Dependency-Check for dependencies. If any scanner flags, CI will fail and post logs.
  • [ ] Submit false positives to Microsoft with SHA256 + sample upload whenever a Defender flag occurs.
  • [ ] Track detections in this issue with dates, signatures, engine/sig versions, and hashes.

How to verify locally (Windows)

# 1) Hash
Get-FileHash -Algorithm SHA256 .\opencode-windows-x64.zip

# 2) Signature (if EXE/MSI)
Get-AuthenticodeSignature .\OpenCodeSetup.exe | Format-List *

# 3) Defender versions
Get-MpComputerStatus | Select AMEngineVersion, AntivirusSignatureVersion

# 4) Re-scan file to reproduce
"$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File .\OpenCodeSetup.exe

References

  • Current report: #3406 (Wacatac.C!ml)
  • Similar: #3388 (Wacapew.A!ml) , #1103 (zip flagged; mixed vendor results)

riatzukiza avatar Oct 24 '25 16:10 riatzukiza

This issue might be a duplicate of existing issues. Please check:

  • #3406: Same Wacatac.C!ml detection for v0.15.16
  • #3388: Windows Defender Wacapew.A!ml detection (same ML heuristic family)
  • #1103: Windows detects virus on opencode-windows-x64.zip file

Feel free to ignore if none of these address your specific case.

github-actions[bot] avatar Oct 24 '25 16:10 github-actions[bot]

Don't know if it's any help, but I encountered it on a Debian machine running wdavdaemon (https://github.com/sst/opencode/issues/3388, maybe should've written it here)

Sacquer avatar Oct 25 '25 08:10 Sacquer

Don't know if it's any help, but I encountered it on a Debian machine running wdavdaemon (#3388, maybe should've written it here)

It would help me figure this out if you could take a look at this pr on my fork and look at the defender workflow specifically. I have no idea what I'm doing with defender, but I have the other workflows working as secondary verification that there aren't any viruses so we could automaticly compile a report to send off to microsoft to get ahead of user's experiencing the false positives. @Sacquer

riatzukiza avatar Oct 26 '25 23:10 riatzukiza

Sadly I don't think I'm much of help here, don't use Windows or PowerShell @riatzukiza 😿 .

Sacquer avatar Oct 27 '25 20:10 Sacquer

Workaround - Settings Virus & threat protection Image

Protection history

Image

Find the opencode entry Select allow on device

Image

Tyler-widd avatar Oct 30 '25 16:10 Tyler-widd

Think you might be able to tell the daemon to ignore certain directories as well, for those that run in daemon mode, i.e. without a UI.

Sacquer avatar Oct 30 '25 19:10 Sacquer

I believe that the problem is that the installer does not have a publisher and in turn Windows marks the uninstaller EXE as "Blocked".

As a workaround you can right click on the uninstaller in Explorer and there will be a check box for "Unblock". Check that, click OK.

The root cause though is that the uninstaller is missing a publisher.

Edit: This is most likely the same issue that you will encounter when running the when you are prompted to upgrade to 1.0.164.

jimroberts-tamu avatar Dec 17 '25 15:12 jimroberts-tamu