
Windows security issues with Livebook desktop installer and app

Open bmitc opened this issue 1 year ago • 4 comments

Environment

  • Elixir & Erlang/OTP versions (elixir --version): n/a?
  • Operating system: Windows 11
  • How have you started Livebook (mix phx.server, livebook CLI, Docker, etc): download and install desktop app
  • Livebook version (use git rev-parse HEAD if running with mix): LivebookInstall-0.6.3-windows-x86_64.exe, latest desktop app download from website
  • Browsers that reproduce this bug (the more the merrier): Microsoft Edge (for download warning)
  • Include what is logged in the browser console: n/a
  • Include what is logged to the server console: n/a

Current behavior

Expected behavior

No security warnings and no viruses or no false positives.

bmitc Aug 03 '22 07:08

Based on my experience with SmartScreen, there is nothing we can do. We can sign the installer (and we did this for the Elixir installer), but that's not enough for SmartScreen to stop the warnings. The only guaranteed way to address it is for enough people to download it, so it becomes "known".

The defender is also known to have false positives. The !ml means the recognition was done based on Machine Learning (hence the false positives?). If you search for "trojan:win32/wacatac.b!ml false positives", you actually get plenty of results.

We can submit both the .exe and the installer as false positives to Microsoft, and we will do so, but my attempts to do so in the past did not yield improvements. All we can do is wait.

TL;DR: this is mostly out of our hands. We will go through the hoops but I don't expect it to make a difference.

josevalim Aug 03 '22 07:08

That's my loose understanding of SmartScreen as well, in that it will eventually (?) go away. Just wanted to bring awareness. I or other users can report the download as known or good as well.

For the Microsoft Defender issue, I figured it might be a false positive, but just wanted to double-check since the warning was serious. Haha. Does the Livebook team have confidence that it's a false positive? Are there other anti-virus scans run on the build artifacts? Just wanting to be careful. 🙂

I'm excited to use the desktop version!

bmitc Aug 03 '22 15:08

It is a false positive. We build that executable ourselves from this file: https://github.com/livebook-dev/livebook/blob/main/app_bundler/lib/templates/windows/Launcher.vb.eex - which is a very tiny script that shells out to the Erlang VM release.

josevalim Aug 03 '22 15:08

Sounds good! Thanks for the info! Always nice to double-check. Hopefully this stuff sorts itself out. I believe users can report/submit things as known to Microsoft through links in the dialogs that pop up, so if this issue is good for anything, it points Windows users to do that.

bmitc Aug 03 '22 16:08

@bmitc I've pushed a patch that hopefully helps with this issue (again, we may not be able to solve it for all cases, as mentioned above). If you could test it, it would be great. I've updated the builds at: https://github.com/livebook-dev/livebook/releases/tag/v0.6.3.

wojtekmach Aug 10 '22 15:08

@wojtekmach Thanks for the update! I tested it today. The download process still warns about the file, but upon installation Microsoft Defender doesn't flag any file. However, I'm not sure the installation process necessarily updates the file that Defender previously flagged. The installer now shows several warnings like this:

[image]

It does that for a lot of files. Retry doesn't work, and to get through the install process I just clicked ignore a bunch. Should I file a separate issue for that?

bmitc Aug 26 '22 23:08

Could you try uninstalling and installing again? Uninstall.exe is somewhere in …/AppData/Local/Livebook.

wojtekmach Aug 27 '22 06:08