mousejiggler icon indicating copy to clipboard operation
mousejiggler copied to clipboard

Published 20 hours ago verified publisher icon arkane-systems

Detected as Trojan:Win32/Pomal!rfn by Microsoft Defender

Open Lusiiky opened this issue 9 months ago • 9 comments
trafficstars

Hello,

I noticed this morning that MouseJiggler had been removed from my PC... after searching, I noticed that Microsoft Defender had removed it for the reason “This program is dangerous and executes commands from a malicious person.” like a "Trojan:Win32/Pomal!rfn". I inevitably assumed, and hope, that this is just a false positive.

Is there anything you can do to prevent Microsoft from detecting your software as such? Maybe here as "Software developer"? Or can we report your software as safe?

Thank you, Lusiiky

Lusiiky avatar Feb 05 '25 14:02 Lusiiky

I'm pretty sure it's a false positive. Are you using the latest version? There was one change that @cerebrate did recently, to replace a deprecated dependency, but that hasn't been released yet (waiting on one more fix, so it can be updated in Chocolatey).

If you're already using the latest release from here, and it still gets detected with a false positive, maybe the replacement of the deprecated package will help.

midwan avatar Feb 05 '25 15:02 midwan

Yeah, if you installed either the Chocolatey package version or the one from here, it's clean.

(I emphasize this because in the past it has been repackaged by third parties, at least some of whom included other stuff in their packages, so if they're at it again and that's where you got it from, that might be an issue.)

cerebrate avatar Feb 05 '25 21:02 cerebrate

I didn't install from Choco, I just downloaded the latest version from Github.

Lusiiky avatar Feb 06 '25 21:02 Lusiiky

Also showing as a trojan for me today. I downloaded it from this repo.

IIMacGyverII avatar Feb 07 '25 00:02 IIMacGyverII

Weird, I'm also seeing the same. I'll do a check and re-package it just in case

midwan avatar Feb 07 '25 00:02 midwan

OK, even with a fresh build and a repackage, it still detects it as a trojan when you try to download it. I guess Defender is just being picky.

I wonder if things would be better if this was signed with a digital certificate?

Either way, the file is clean from any viruses - you can compile it yourself and test it, don't take my word for it. :)

midwan avatar Feb 07 '25 00:02 midwan

i'm sure one of your competitors just submitted it to M$...

IIMacGyverII avatar Feb 07 '25 02:02 IIMacGyverII

On my windows system the jiggler has been completely wiped out by a security app which is very annoying. As a workaround I ported this app's core feature to Go today because I needed it so badly every day https://github.com/go-again/automo

arthurpro avatar Feb 14 '25 19:02 arthurpro

Also detected as Trojan:Script/Wacatac.B!ml.

Anyway, we're working on it. At least to try and get this version removed from the Microsoft Defender watch list.

That said, we've had this problem before, and it's likely to recur in the future, unfortunately, for a couple of reasons:

  1. It pushes "fake" input into the Windows input queue, which is, well, exactly what just about every remote-control Trojan ever has to do to enable remote control; and
  2. Since a very popular use of Mouse Jiggler these days is tricking school and enterprise user-monitoring software into thinking you're a busy little bee when you're not, it's fair to say that the users of academic and enterprise malware monitoring software heartily wish that it would go away, and aren't going to be complaining about false detections any time soon.

tl;dr Keep your old working versions handy, and if you trust us enough, tell your antivirus it's okay, really. Which it should be if you got it from one of our authorized sources.

But the battle's never done.

(P.S. Your other option is to buy a cheap hardware mouse jiggler, like this - https://www.amazon.com/Undetectable-Automatic-Simulator-Driver-Free-Computer/dp/B09YTB1DSB - which pretends to be a mouse. So far, only annoyingly expensive enterprise monitoring software will catch this sort of thing, and malware doesn't care about it at all.)

cerebrate avatar Feb 14 '25 20:02 cerebrate

Still displaying as virus, very annoying, it was my fave barebones app for this

dev-dakky avatar Jul 06 '25 17:07 dev-dakky

Yeah, it's a curse, and one that will probably spread to any alternative that still uses SendInput(). (Or at least all the examples of such applications I have that don't have code-signing certificates¹ suffer from it.)

I recommend the hardware option, as mentioned a little bit above, to anyone who (a) has this problem and (b) has USB port access. While it's true that this will look like your computer has an extra mouse plugged into it, if your IT department is monitoring that, you almost certainly don't have access to run the software version either.

  1. Anyone who wants to send me the money to buy a code-signing certificate, feel free to get in touch. 😁

cerebrate avatar Jul 14 '25 19:07 cerebrate

Months later, issue persists for 2.1.0... I noticed an odd behavior on my Win 11 so I came here to update the version.

Win 11 Version 24H2. Build 26100.6584. Windows Feature Experience Pack 1000.26100.234.0. Mouse Jiggler version 2.0.25.0.

The screen went dark after being idle for a bit, like your phone does right before going to the lock screen.

Update: Just went on a patrol at work (20 Minute patrol) and the screen didn't time out like it did before...

RepoDraghon avatar Sep 21 '25 02:09 RepoDraghon

Unfortunately flagged by many vendors https://www.virustotal.com/gui/file/07552cd06302ac466300cfc40a0518456065868faffa17fe6c7831f45f31f88b/detection

mikerj1 avatar Oct 16 '25 17:10 mikerj1