Virus found false positive
Hey there,
So I recently created an Avalonia C# application for my racing team. It just contains some UI as well as some HTTP requests to my API hosted on a server to get Discord user data and so on. So really "clean code" without any trojan or virus. As soon as I wanted to publish it and opened it on my 2nd PC, Windows recognized it as a virus (trojan/... I don't know the exact name anymore).
I've done some research and found out that I may need an EV cert. But to be honest, for a simple project that I don't want to sell or publish that widely, I don't want to spend $300 on a cert. So here comes my question: is there any way to remove that false positive? Also, I'll publish the code on GitHub so anyone can see it. Are there steps for how I can debug what's triggering that false positive?
Thank you very much!
21 Replies
If it is Microsoft Defender reporting the false positive, please submit the file that is being detected as a false positive here:
https://www.microsoft.com/en-us/wdsi/filesubmission?msockid=04e8ec0b8dac64072f2df8608c8b6518
Submit a file for malware analysis - Microsoft Security Intelligence
Submit suspected malware or incorrectly detected files for analysis. Submitted files will be added to or removed from antimalware definitions based on the analysis results.
Also, do you happen to know the name of the detection?
Yeah okay, I've already done this. Chrome and some other browsers are reporting the same; is there any connection between Windows Defender and the browsers' download protection?
As far as I know those are separate. You are downloading/running the executable through the browser?
Yeah, basically I've added all files for testing purposes to a .rar file and uploaded them onto Discord. After that I tried to download it on my second PC.
I've sent it to Microsoft; let me look it up quickly.
The browser thing might just be the default behavior for unsigned, not-widely-known executables; it's just a precaution that you can usually bypass if you know it's safe.
Do you know the link where I can see my submitted review requests?
Mmm...not offhand.
Trojan:Win32/Wacatac.C!ml
This is the detection.
I expected Wacatac.
That damn Wacatac signature has been the source of false positives for a long time.
@rtreit can you guys just nuke this thing from orbit...?
Ah I see
Do I actually have to send Microsoft my code, or do they decompile my exe themselves?
Shouldn't need the code.
Alright, thank you for your fast help! One last question: do I have to submit a review every time I update the code? (For example, if I add a new feature for, I don't know, a fancy animated login screen.)
You shouldn't need to; the false positive is a fairly broad issue with this type of signature, it's not very specific to your actual implementation.
Alright, that's it, thank you for your fast help!
What exactly does it do?
I can send you a video of it.
(With setup installer at the beginning)
I see, then it might just be the web requests throwing false positives.
That's usually a big cause of false positives.
Note that your authorization code was showing, so delete that video.
Oh thanks
Was not aware 😂
Some part of your compiled file just happens to look close enough to a known virus that it's getting flagged; there's not a lot you can do about it besides randomly changing the code until it stops getting flagged, or sending it in for the AV developer to update their heuristics.
The AV my work used to use suddenly started flagging one of my applications after I changed the color of a button.
I see, maybe I'll rework my code anyway since some functions are very, very messy.
Probably that color was a virus :kekw: