
[False Positive?] Windows Defender detects `Trojan:Win32/Wacatac.H!ml` when running opencode

Open saliksik opened this issue 5 days ago • 2 comments

Description

I am encountering a critical issue where Windows Security (Windows Defender) flags and quarantines files immediately upon running opencode in PowerShell. The detection is identified as Trojan:Win32/Wacatac.H!ml.

I am strictly using opencode-antigravity-auth from this repository.

To Reproduce

  1. Open PowerShell.
  2. Run opencode.
  3. Windows Security immediately triggers a "Threat quarantined" notification.

Expected behavior

The tool should execute without triggering antivirus heuristics.

Screenshots


Note: The affected items point to temporary .dll files generated in AppData\Local\Temp.

Environment

  • OS: Windows 11 Pro
  • Shell: PowerShell
  • OpenCode: 1.1.11
  • Plugin Version: opencode-antigravity-auth@beta

Configuration Files

Here is my current configuration setup:

antigravity.json:

{
  "$schema": "https://raw.githubusercontent.com/NoeFabris/opencode-antigravity-auth/main/assets/antigravity.schema.json",
  "auto_update": true
}

opencode.json:

{
  "$schema": "https://opencode.ai/config.json",
  "model": "google/antigravity-claude-opus-4-5-thinking:max",
  "plugin": ["opencode-antigravity-auth@beta"],
  "agent": {
    "build": {
      "mode": "primary",
      "model": "google/antigravity-claude-opus-4-5-thinking",
      "thinkingConfig": { "thinkingBudget": 32768 },
      "tools": {
        "write": true,
        "edit": true,
        "bash": true
      }
    },
    "plan": {
      "mode": "primary",
      "model": "github-copilot/claude-opus-4.5",
      "tools": {
        "write": false,
        "edit": false,
        "bash": false
      }
    },
    "code-reviewer": {
      "description": "Reviews code for best practices and potential issues",
      "mode": "subagent",
      "model": "google/antigravity-claude-opus-4-5-thinking",
      "thinkingConfig": { "thinkingBudget": 32768 },
      "prompt": "You are a code reviewer. Focus on security, performance, and maintainability.",
      "tools": {
        "write": false,
        "edit": false
      }
    }
  },
  "mcp": {
    "context7": {
      "type": "remote",
      "url": "https://mcp.context7.com/mcp",
      "headers": {
        "CONTEXT7_API_KEY": "XXXXXX"
      },
      "enabled": true
    }
  },
  "provider": {
    "google": {
      "models": {
        "antigravity-gemini-3-pro": {
          "name": "Gemini 3 Pro (Antigravity)",
          "limit": { "context": 1048576, "output": 65535 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
          "variants": {
            "low": { "thinkingLevel": "low" },
            "high": { "thinkingLevel": "high" }
          }
        },
        "antigravity-gemini-3-flash": {
          "name": "Gemini 3 Flash (Antigravity)",
          "limit": { "context": 1048576, "output": 65536 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
          "variants": {
            "minimal": { "thinkingLevel": "minimal" },
            "low": { "thinkingLevel": "low" },
            "medium": { "thinkingLevel": "medium" },
            "high": { "thinkingLevel": "high" }
          }
        },
        "antigravity-claude-sonnet-4-5": {
          "name": "Claude Sonnet 4.5 (no thinking) (Antigravity)",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
        },
        "antigravity-claude-sonnet-4-5-thinking": {
          "name": "Claude Sonnet 4.5 Thinking (Antigravity)",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
          "variants": {
            "low": { "thinkingConfig": { "thinkingBudget": 8192 } },
            "max": { "thinkingConfig": { "thinkingBudget": 32768 } }
          }
        },
        "antigravity-claude-opus-4-5-thinking": {
          "name": "Claude Opus 4.5 Thinking (Antigravity)",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
          "variants": {
            "low": { "thinkingConfig": { "thinkingBudget": 8192 } },
            "max": { "thinkingConfig": { "thinkingBudget": 32768 } }
          }
        },
        "gemini-2.5-flash": {
          "name": "Gemini 2.5 Flash (Gemini CLI)",
          "limit": { "context": 1048576, "output": 65536 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
        },
        "gemini-2.5-pro": {
          "name": "Gemini 2.5 Pro (Gemini CLI)",
          "limit": { "context": 1048576, "output": 65536 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
        },
        "gemini-3-flash-preview": {
          "name": "Gemini 3 Flash Preview (Gemini CLI)",
          "limit": { "context": 1048576, "output": 65536 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
        },
        "gemini-3-pro-preview": {
          "name": "Gemini 3 Pro Preview (Gemini CLI)",
          "limit": { "context": 1048576, "output": 65535 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
        }
      }
    }
  }
}

Additional Context

The !ml suffix in the threat name suggests this is a Machine Learning heuristic detection, which is often a false positive for unsigned binaries or tools that generate temporary DLLs at runtime. Could you please verify if the release binaries are signed or if there is a known issue with the unpacking process?


saliksik · Jan 10 '26 07:01
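To answer the two questions the report raises (was the detection really on temp DLLs, and is the binary signed) without blindly adding an exclusion, a triage script like the following can be run on the affected machine. It is an added example, not part of the issue or of the opencode / opencode-antigravity-auth projects. It assumes the Windows Defender PowerShell module is present, that the session is elevated so detection history is readable, and that `opencode` resolves on PATH; if Get-Command returns an npm `.cmd` shim rather than the real executable, substitute the actual binary path in `$exe`.

```powershell
# Added triage script (not from the issue or the opencode project).
# Assumptions: Defender module available, elevated session, `opencode` on PATH.

# 1. Pull Defender's own record of the detection named in the report, so the
#    quarantined paths come from the engine rather than from the toast notification.
$threatName = 'Trojan:Win32/Wacatac.H!ml'
$threats    = Get-MpThreat | Where-Object { $_.ThreatName -eq $threatName }
$detections = Get-MpThreatDetection | Where-Object { $threats.ThreatID -contains $_.ThreatID }
foreach ($d in $detections) {
    '{0}  {1}' -f $d.InitialDetectionTime, ($d.Resources -join '; ')
}

# 2. Check whether the opencode binary carries a valid Authenticode signature.
#    An unsigned binary is exactly the case where !ml heuristics misfire most.
$exe = (Get-Command opencode -ErrorAction Stop).Source
$sig = Get-AuthenticodeSignature -FilePath $exe
'{0}: status={1} signer={2}' -f $exe, $sig.Status, $sig.SignerCertificate.Subject

# 3. Hash and signature-check any recently written DLLs still under %LOCALAPPDATA%\Temp
#    (already-quarantined files will be gone). The SHA256 is what you submit to the
#    vendor's false-positive review, and what you would scope a detection rule around
#    if it turns out not to be a false positive.
Get-ChildItem "$env:LOCALAPPDATA\Temp" -Filter *.dll -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-1) } |
    ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        '{0}  sha256={1}  sig={2}' -f $_.FullName, $h.Hash, $s.Status
    }
```

If step 2 reports `NotSigned` for the real executable, or step 3 shows unsigned DLLs being unpacked into Temp at run time, that is consistent with the heuristic false-positive hypothesis in the report and is the evidence to attach when submitting the sample to Microsoft; it is not by itself a reason to add a path exclusion, since an exclusion on `AppData\Local\Temp` would blind Defender to anything else dropped there.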