tauri
tauri copied to clipboard
tauri-apps
[Windows] Trojan alert from windows defender
Describe the bug
After building from source a Tauri app, Commandos after doing a npm run tauri dev, at some point Windows Defender freaks out and I get a Trojan:Script/Wacatac.B!ml alert from it
To Reproduce
Steps to reproduce the behavior:
- Clone the repo
- Run the dev process of the app
- Use the app a bit
- Alert shoudl happen at some point
Expected behavior
Windows Defender shouldn't flag this app as a Trojan
Platform and Versions (required):
Operating System - Windows, version 10.0.19043 X64
Webview2 - 92.0.902.73
Node.js environment
Node.js - 16.5.0
@tauri-apps/cli - 1.0.0-beta.7
@tauri-apps/api - 1.0.0-beta.6
Global packages
npm - 7.20.3
yarn - 1.22.5
Rust environment
rustc - 1.54.0
cargo - 1.54.0
App directory structure
/.git
/.github
/.vscode
/e2e
/images
/logo
/node_modules
/src
/src-tauri
App
tauri.rs - 1.0.0-beta.7
build-type - bundle
CSP - default-src blob: data: filesystem: ws: wss: http: https: tauri: 'unsafe-eval' 'unsafe-inline' 'self' img-src: 'self'
distDir - ../dist/commandos
devPath - http://localhost:5200
framework - Angular
bundler - Webpack
Additional context
Not my app just wanted to tested it and ran into this issue
MS thread; https://docs.microsoft.com/en-us/answers/questions/465937/msi-is-detected-by-windows-defender-and-it-shows-3.html
Not my app just wanted to tested it and ran into this issue
Could you make a virustotal.com submission and include the report link here, please? Thanks
Not my app just wanted to tested it and ran into this issue
Could you make a virustotal.com submission and include the report link here, please? Thanks
https://www.virustotal.com/gui/file/d582212961c8d2fe95b700d721d8972aa52d0b6c978e93917fddb85e419f1687/detection
During testing my app on Windows I also had this experience. Came up as "Trojan:Script/Wacatac.B!ml". This was a debug build as well.
During testing my app on Windows I also had this experience. Came up as "Trojan:Script/Wacatac.B!ml". This was a debug build as well.
Just wanted to add that I never compiled a debug build for Windows, and Windows never complained like that for any of my non-debug-builds. Dunno if there's actually any relation to using a debug build, but I've built a few things on windows and shared with a few friends and family, and although Windows does complain quite a bit about signing and not knowing the publisher or whatever, windows defender never reported any threats like viruses or trojans or whatever, so this doesn't apply to all windows builds, and if it's not the debug-thing there's something else causing this.
@lucasfernog I haven't tried it so far, but recently I've set up Tauri 1.0 on a few PCs and it didn't trigger anything sooo I guess it might be safe to assume something between beta7 and 1.0 fixed it Closing the issue for now but let's reopen if it ever comes back
FYI it also happens to me. Tauri 1.1, Windows 11, on a couple of PCs. I built the react template, as it is.
A friend of mine sent his .exe and .msi to test it on my system and my MS-Defender instantly alarms me about "Trojan:Script/Wacatac.B!ml". He doesnt get the same error as i and virustotal says its harmless.
So the issue is defently not fixed
Version used: Tauri 1.2 Windows Version: Windows 11 21H2
We've had similar experience with our Tauri app v1.2. No problems from several playtesters but have 2 new testers now and they immediately got it, as well as a block from both Chrome and Edge. Testers were on Windows 10. Similar trojan alert but slightly different name:
I've noticed a commonality between our project and Commandos. Both uses Windows cmd direct in the project. See here. I was trying to avoid this if possible because of problems just like this. I'm gonna run a build with cmd removed and see if the issues persist.
Update: Got a second playtester recreating the issue. Tried a build without any cmd or any interop at all really except for some REST APIs (and UI), practically no extra rust outside some empty tauri::commands and an empty on_window_event->WindowEvent::Destroyed hook) and got the same result.
I had the Trojan:Script/Wacatac.H!ml trojan alert when I installed the latest version of my application.
Installing fresh on a different machine didn't cause the alert. Removing all traces of the application before installing also again didn't cause any Security alert.
However, I am now unable to re-create the Trojan alert (I have made sure what Microsoft Security Centre is NOT allowing it), so I am none the wiser.
The only aspect of my application that I think might trigger an alert is a dependency, auto-launch, to allow the application to, as the name suggests, run at boot. On windows, I think this is achieved via a registry change
Anyone tested with/without certs out of interest? Hadn't signed our msi yet, will try that.
Also, @Shotman, are we alright to reopen this? Happy to help if I can, this is a blocker for me atm.
Sent out a new version with an IV sha256 code-sign and the problem was not reproducible for the two testers who were previously having trouble (they had each tried at least two previous versions without code-sign that were reproducing the issue).
Will update again if I get more trojan reports.
I actually have this issue with Windows 11. The release here got the issue : https://github.com/vasilvestre/totk-mod-manager-for-yuzu/releases/tag/v0.6.0
Hello! I've just discover Tauri yesterday and build one of my app with it. I use the official Github Actions template to build the thing. It's seems to work with the .MSI file, but the NSIS is flagged as a virus, and VirusTotal said it's safe
The release is here: https://github.com/Bigaston/PatThePupuce/releases/download/app-v1.1.0/patthepupuce_1.1.0_x64-setup.exe
I just ran into the same issue here. The following release I have is marked in the same way: https://github.com/Raphiiko/Oyasumi/releases/download/oyasumi-v1.7.0/OyasumiVR_1.7.0_x64-setup.exe
I did get the same issue. I created an app through cmd, and then opened it on VS Code and BOOM! my antivirus was sending me messages upon messages saying they're deleting the libs stored in a folder deep inside the project folder I created.
I'm really surprised how developers would be able to develop an app while at the same time having to disable their antivirus. How do you even go to the internet to see how to code an specific thing you need for your project?
@Kespuzzuo Most anti virus programs really don't like compiled programming languages, and i guess rust especially so since it often compiles multiple executables and executes them to create the actual app executable. On normal user systems, which anti virus software primarily targets, this is a big no-no.
fwiw even without the warnings, i personally can't live without whitelisting my dev folder because the real-time scanning often causes insane compilation slowdowns...
Either way, this is something we can control even less then issues when running the resulting tauri app.
Trying to install "DataFlare", not open source from what I understand, from the showcase channel on Discord, I got another warning with the nsis exe setup
I just built and released an app that is encountering this problem. I have not had any issues during development at all, but sometimes the release build is flagged by Windows Defender (and some other AV). Frustratingly, it doesn't seem to be entirely consistent in what it flags it as and when.
My app uses the updater, which I think may be a factor in this.
My time & productivity tracking app BigBro suffers from this issue.
I use the NSIS installer and whenever the users receive an update through the updater Windows Defender immediately raises a flag.
I've submitted the NSIS setup executable to Microsoft as a false-positive through here, maybe you can do the same.
Note that the app executable itself doesn't raise any flags, only the installers/updaters get detected as malware.
NSIS Installer VirusTotal Results
Unfortunately, we're also hit with this problem. In our case it's not the NSIS, but the Tauri executable itself.
As a test, I created a fresh Tauri v2 application without code modifications but only edited tauri.conf.json and altered identifier and bundle. Here's the analyzer result of VirusTotal: https://www.virustotal.com/gui/file/e2842d9e1c2e1241b2a86b72065ac7d1823280bc52ee544895313de648ff316c/detection
As you can see Windows Defender already doesn't like it and it's flagged as Program:Win32/Wacapew.C!ml.
In the behavior analysis there isn't anything too suspicious. The DNS resolving of fp2e7a.wpc.2be4.phicdn.net and fp2e7a.wpc.phicdn.net seem to be a service for checking for certificate revocation - but it would be interesting which module does this and if it can be turned off. But I wonder why login.live.com is resolved and which module is doing this. Also why there's TCP/IP activity on 20.99.133.109:443, which seems to be Microsoft as well. Could that be something put by MSVC?
I second @Selyatin regarding submitting samples to VirusTotal and Microsoft as false positives. Also, I think it might be useful to rate known false positives on VirusTotal as "good" (Community Score).
(AV heuristic detection is AFAIK score-based. Each little behavior adds to the score and if a threshold is reached, your binary is getting flagged. In our case Windows Defender does not detect a virus on our original binary. However, when we apply the required copy protection (USB-Dongle; basically patches the binary with custom executable) lots of AV engines also detect Program:Win32/Wacapew.C!ml. My explanation is that the additional suspicious behavior (accessing USB media, copying binaries around, try loading DLLs and stuff...) leads to a higher score and therefore it's flagged.)
$ yarn tauri info
yarn run v1.22.21
$ tauri info
[✔] Environment
- OS: Windows 10.0.17763 X64
✔ WebView2: 121.0.2277.112
✔ MSVC: Visual Studio Build Tools 2022
✔ rustc: 1.76.0 (07dca489a 2024-02-04)
✔ cargo: 1.76.0 (c84b36747 2024-01-18)
✔ rustup: 1.26.0 (5af9b9484 2023-04-05)
✔ Rust toolchain: stable-i686-pc-windows-msvc (default)
- node: 20.10.0
- pnpm: 8.15.2
- yarn: 1.22.21
- npm: 10.2.3
[-] Packages
- tauri [RUST]: 2.0.0-beta.2
- tauri-build [RUST]: 2.0.0-beta.1
- wry [RUST]: 0.35.2
- tao [RUST]: 0.25.0
- @tauri-apps/api [NPM]: 2.0.0-beta.0
- @tauri-apps/cli [NPM]: 2.0.0-beta.1
[-] App
- build-type: bundle
- CSP: unset
- frontendDist: ../dist
- devUrl: http://localhost:1420/
- framework: Vue.js
- bundler: Vite
Done in 14.78s.
I also got false positive on the NSIS installer, but not on the MSI or the main .exe itself. (Tauri 2.0.0-beta.2, with plain JS and Bevy but otherwise hello-world-ish program.)
I can vouch for @Selyatin 's comment above: report false positives to Microsoft, they will add the program signature to their allowed database. It's free, it's fast - in my case it took less than 6 hours. https://www.microsoft.com/en-us/wdsi/filesubmission
This happened when I tried to install Tauri from cargo install [email protected].
Can't send to VirusTotal to check because Windows says that I don't have permission (from me) to handle the file.
This seems to still be causing trouble for projects based on Tauri: https://github.com/gitbutlerapp/gitbutler/issues/3518
This is also happening to us, using the beta. Sending it in to Windows like suggested above works, but that's not a permanent solution.
Started happening with our builds from yesterday too. I had no issues before, but the new builds (The main executable) from yesterday going on Windows Defender is reporting it as Trojan:Script/Wacatac.H!ml and put in quarantine.
