Windows Defender Trojan detected

Unimus support forum
ablanken
Posts: 2
Joined: Fri Jun 21, 2019 12:26 pm

Fri Jun 21, 2019 12:29 pm

Hi there,

Windows Defender is blocking access to the latest installer again (Trojan:Win32/Wacatac.B!ml detected).
Tomas
Posts: 743
Joined: Sat Jun 25, 2016 12:33 pm

Thu Jul 04, 2019 2:48 pm

We apologize for this ... sadly, Unimus has had multiple false-positive detections from Windows Defender a few times already:
viewtopic.php?f=9&t=469
viewtopic.php?f=9&t=216

We have reported this to Microsoft multiple times, but it keeps coming back.

We are currently in the application process for a code-signing certificate, which should hopefully improve the situation.
We expect to have a code-signed Installer (and the Portable .exe) ready for the next major (2.0.0) release.

EDIT:
Here is a VirusTotal scan showing which AVs currently false-positively identify the Installer.exe:
https://www.virustotal.com/gui/file/83f ... /detection
ablanken
Posts: 2
Joined: Fri Jun 21, 2019 12:26 pm

Tue Aug 27, 2019 8:57 pm

Nearly two months on, and the situation hasn't changed, unfortunately. Maybe there should be a disclaimer on the download page, as this will be affecting most Windows users.

What is the installer technology being used?
Tomas
Posts: 743
Joined: Sat Jun 25, 2016 12:33 pm

Tue Aug 27, 2019 10:04 pm

Update:
1) Code Signing certificate
We have applied for a code-signing certificate, but sadly it is proving problematic to receive it.
We are a Slovakian (European) company, and all CAs (Certificate Authorities) which issue code-signing certs we found are either US or UK based.

Sadly the continental-European laws and legislature are quite different from the Anglo-American law systems.
As such, we are having difficulties getting the appropriate validations and paperwork that the CAs require.

The processes the CAs have in place for code-signing cert issuance are different than getting a normal SSL/TLS server cert, and it requires validating the company identity through pre-defined processes.
We are looking for solutions and working on this actively at the moment.

2) Reporting false-positive to MS
We have reported the false-positive detection to Microsoft multiple times now.
This has resulted in no change to the situation.

3) Why are we being false-positively identified?
The Unimus installer includes an embedded Corretto JRE (Java Runtime Environment).
This is to make it easy for the user - you don't have to install a JRE yourself (which Unimus requires).

Apparently, MS Defender doesn't like that we include a JRE in our installer, and flags it as a suspicious / malicious executable.

So, all in all, this is a multi-faceted problem. We are still working hard to resolve this ASAP.
We will add a message to the download page with the link to this thread.

I will post updates as they come.

EDIT:
Here is a VirusTotal scan showing which AVs currently false-positively identify the Installer.exe:
https://www.virustotal.com/gui/file/83f ... /detection
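Added example (not from this thread or the Unimus project): once a code-signed build ships, a Windows user can check the installer's Authenticode signature and record its SHA-256 for the VirusTotal lookup before running it. The expected publisher name and the file path are placeholders.

```powershell
# Added example, not Unimus code. Checks a downloaded installer's Authenticode
# signature and computes its SHA-256 so the hash can be looked up on VirusTotal
# without re-uploading the binary. $ExpectedPublisher is a placeholder assumption.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate Subject (placeholder).
        [string] $ExpectedPublisher = 'PLACEHOLDER-PUBLISHER'
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # SHA-256 of the file, for comparison with the vendor's published hash / VirusTotal.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path      = $Path
        Sha256    = $hash
        SigStatus = $sig.Status.ToString()
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
        Verdict   = 'REVIEW'
    }

    switch ($sig.Status) {
        'Valid' {
            # A valid chain alone is not enough: also check WHO signed it.
            if ($result.Signer -like "*$ExpectedPublisher*") { $result.Verdict = 'PASS' }
            else { $result.Verdict = 'FAIL: signed by unexpected publisher' }
        }
        'NotSigned'    { $result.Verdict = 'REVIEW: unsigned; compare SHA-256 with the vendor / VirusTotal report' }
        'HashMismatch' { $result.Verdict = 'FAIL: file modified after signing' }
        default        { $result.Verdict = "FAIL: $($sig.StatusMessage)" }
    }
    [pscustomobject]$result
}

# Usage (constructed path and placeholder publisher):
Test-InstallerTrust -Path 'C:\Downloads\Unimus-Installer.exe' -ExpectedPublisher 'PLACEHOLDER-PUBLISHER'
```

An unsigned build (the current state described in the thread) returns `NotSigned`, so the SHA-256 comparison is the only check available until the signed 2.0.0 installer is released.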