Windows Defender Trojan detected

Unimus support forum
ablanken
Posts: 5
Joined: Fri Jun 21, 2019 12:26 pm

Fri Jun 21, 2019 12:29 pm

Hi there,

Windows Defender is blocking access to the latest installer again (Trojan:Win32/Wacatac.B!ml detected).
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Thu Jul 04, 2019 2:48 pm

We apologize for this ... sadly Unimus Installer had multiple false-positive detections from Windows Defender a few times already:
viewtopic.php?f=9&t=469
viewtopic.php?f=9&t=216

We have reported this to Microsoft multiple times, but it keeps coming back.

We are currently in the application process for a code-signing certificate, which should hopefully improve the situation.
We expect to have a code-signed Installer (and the Portable .exe) ready for the next major (2.0.0) release.

Just wanted to provide an update on the MS Defender false-positive.
We are currently reporting the false-positive to Microsoft.

In the meantime, please feel free to verify the installer using VirusTotal:
https://www.virustotal.com/gui/url/4ca1 ... /detection

Apologies again that you ran into this.

Only the Installer is getting false-positive hits, our Portable Unimus.exe is currently getting 0 hits:
https://www.virustotal.com/gui/file/407 ... 86b56cfe0c
ablanken
Posts: 5
Joined: Fri Jun 21, 2019 12:26 pm

Tue Aug 27, 2019 8:57 pm

Nearly two months on, and the situation hasn't changed, unfortunately. Maybe there should be a disclaimer on the download page, as this will be affecting most Windows users.

What is the installer technology being used?
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Tue Aug 27, 2019 10:04 pm

Update:
1) Code Signing certificate
EDIT: Starting with 2.1.0, all Unimus release binaries are now code-signed.

2) Reporting false-positive to MS
We have reported the false-positive detection to Microsoft multiple times now.
This has resulted in no change to the situation.

3) Why we are being false-positively identified
The Unimus installer includes an embedded Corretto JRE (Java Runtime Environment).
This is to make it easy for the user - you don't have to install a JRE yourself (which Unimus requires).

Apparently, MS Defender doesn't like that we include a JRE in our installer, and flags it as a suspicious / malicious executable.

So all-in-all, this is a multi-faceted problem. We are still working hard to resolve this asap.
We will add a message to the download page with the link to this thread.

I will post updates as they come.

EDIT:
Here is a VirusTotal scan showing which AVs currently false-positively identify the Installer.exe:
https://www.virustotal.com/gui/url/4ca1 ... /detection

As mentioned previously, only the Installer is being hit with false-positives due to the included Corretto embedded JRE.
Our Portable version is 100% identified as clean by all AVs. Here is a VirusTotal link for the Portable version:
https://www.virustotal.com/gui/file/407 ... 86b56cfe0c
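As an added example (not part of this thread and not Unimus's own tooling), here is a PowerShell check a Windows admin can run on a downloaded installer before acting on a Defender verdict either way: it verifies the Authenticode signature the vendor mentions above, records the SHA-256 for comparison with the vendor's published VirusTotal report, and lists any Defender detections for that file. The installer path and the expected publisher name are placeholders.

```powershell
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSubjectPattern   # placeholder, e.g. 'CN=<vendor name>' taken from a known-good download
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # SHA-256 of the local file; compare it with the hash shown in the vendor's VirusTotal report.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Authenticode: 'Valid' means the file is unmodified and the signer chains to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Any current Defender detections that reference this file (module may be absent on some hosts).
    $detections = @()
    try {
        $detections = Get-MpThreatDetection -ErrorAction Stop |
            Where-Object { ($_.Resources -join ';') -like "*$Path*" } |
            ForEach-Object { $_.ThreatID }
    } catch { $detections = @('<Defender module not available>') }

    $verdict = if ($sig.Status -ne 'Valid') {
        'DO NOT TRUST: no valid Authenticode signature'
    } elseif ($ExpectedSubjectPattern -and $signer -notlike "*$ExpectedSubjectPattern*") {
        'DO NOT TRUST: signed, but not by the expected publisher'
    } else {
        'Signature OK; still compare Sha256 with the vendor VirusTotal report before allow-listing'
    }

    [pscustomobject]@{
        Path       = $Path
        Sha256     = $hash
        Status     = $sig.Status
        Signer     = $signer
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        DefenderThreatIDs = $detections
        Verdict    = $verdict
    }
}

# Placeholder path and publisher pattern; replace with the real download and the vendor's signer name.
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\Unimus-Installer.exe" `
                         -ExpectedSubjectPattern 'CN=<vendor name>' | Format-List
```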