Windows reports "Trojan:Win32/Wacatac.B!ml" in x86_64-pc-windows-msvc.tar #55
Comments
Hmm, I'm not completely sure what to do about that. Does it give more detail about why it detected it as a trojan? The Microsoft page itself on this virus redirects me to an error page: https://www.microsoft.com/en-us/wdsi/Error/500?aspxerrorpath=/en-us/wdsi/threats/threat-search (original was: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FWacatac.B!ml) This is a relatively simple program, it won't access the network, do anything with video or peripheral input. The only system calls should be around... filesystem events. Maybe if we attest the provenance of our builds it will help? I have to imagine that, Windows and GitHub being owned by the same company, Windows might look up the origin of a binary by its attestation on GitHub? (If so, we can add those, it's just a lot of code to spell out every single binary we have, not that I'm opposed to it.) (These files themselves were from CI builds here: https://github.com/e-dant/watcher/releases/tag/release%2F0.12.0)
Out of caution, I also checked that both the shasums and the files themselves are the same from CI and from the release page. So, this file from the release: https://github.com/e-dant/watcher/releases/tag/release%2F0.12.0 And this file from CI: https://github.com/e-dant/watcher/actions/runs/11224226016/artifacts/2026312266 Are the same:
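The release-versus-CI check described in the comment above, as an added example that is not part of the thread or the project's code. It goes one step beyond a whole-file checksum by hashing every member of each tar, so a difference in archive metadata alone is not mistaken for a difference in the binaries; the member names and contents are constructed samples.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes: bytes) -> dict[str, str]:
    """Map each regular file inside a tar archive to its SHA-256 hex digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                # Read in memory only; nothing from the archive is written to disk.
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_archives(release_tar: bytes, ci_tar: bytes) -> dict[str, list[str]]:
    """Report members that are missing on one side or whose contents differ."""
    rel, ci = member_digests(release_tar), member_digests(ci_tar)
    return {
        "only_in_release": sorted(rel.keys() - ci.keys()),
        "only_in_ci": sorted(ci.keys() - rel.keys()),
        "content_differs": sorted(n for n in rel.keys() & ci.keys() if rel[n] != ci[n]),
    }


def build_tar(files: dict[str, bytes], mtime: int) -> bytes:
    """Build a small tar in memory (constructed sample input, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    files = {"sample/tool.exe": b"MZ constructed bytes", "sample/README.txt": b"hello"}
    release = build_tar(files, mtime=1_700_000_000)
    ci = build_tar(files, mtime=1_700_000_500)  # same contents, different timestamps
    print("archive hashes equal:",
          hashlib.sha256(release).digest() == hashlib.sha256(ci).digest())
    print(compare_archives(release, ci))
```

With real downloads, pass the bytes of the release tar and of the tar taken from the CI artifact to `compare_archives`.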
I see no additional information. The "Learn More" link goes to an error page, as you were describing. It's likely a signature overlap between something in your code and the actual trojan. You can submit the file for analysis by MS here ...
I submitted the entire archive (x86_64-pc-windows-msvc.tar) to MS online scanning. Same result; "No malware detected". No idea why my system is freaking out about it ... I'm using the same version of detection libraries (1.419.390.0) according to the info MS provides. Here's the scan results from MS ...
Thanks for your help here, submitting the report.
Curious if this is still an issue
Here's the report I get from the Windows 10 virus and threat protection.