You are here

Defender detecting malware in PA.c Platform 29.1.1 updates: Trojan:Script/Wacatac.B!ml

24 posts / 0 new
Last post
wolfferine
Offline
Last seen: 8 months 2 weeks ago
Joined: 2022-08-05 03:46
Defender detecting malware in PA.c Platform 29.1.1 updates: Trojan:Script/Wacatac.B!ml

Hi,

I don't want to cause any panic - but I am facing the following issue:
Today when I started my PortableApps, and wanted to check for updates I was "greated" with the following error:

Unable to connect to PortableApps.com to retrieve portable
apps. Please try again later.
[InvalidZipFilePossibleNoConnectionOrFirewall ]

and at the same time by the following Windows Defender warning:

Virus & Threat Protection
Threats Found
...

Upon checking Defender's history, this is what I found:

Threat Blocked SEVER
Detected: Trojan:Script/Wacatac.B!ml
Details: This program is dangerous and executes commands from an attacker.
Affected items:
File: C:\Users\--------\AppData\Local\Temp\nslD733.tmp\update.7z

To be sure it wasn't my current system that got infected somehow
I did quickly installed Portable Apps on a CLEAN (ESXi) Virtual Windows 10 Pro!
And got exacltty the same warning!!!

Please review my post and let me know if it's me only or is there indeed an issue
I was running Platform 29.1 when I got the warning!
Then manually updated to Platform 29.1.1 but stll get the same error when trying to get updates!

Regards
Wolfferine

el_viejo
Offline
Last seen: 8 months 2 weeks ago
Joined: 2018-05-14 10:28
Same here, since this morning

Everytime i try to manually trigger the updater Windows Defender comes up and claims this file:

C:\Users\...\AppData\Local\Temp\nsmE448.tmp\update.7z

contains Trojan:Script/Wacatac.F!ml

I guess this is another false positive but i want to be sure Smile

Ken Herbert
Ken Herbert's picture
Online
Last seen: 56 sec ago
DeveloperModerator
Joined: 2010-05-25 18:19
Already reported

Please see this earlier post about the issue.

It makes it a lot easier for everyone if we keep all discussion about the topic in one thread. Thanks.

el_viejo
Offline
Last seen: 8 months 2 weeks ago
Joined: 2018-05-14 10:28
Well, i agree...partially :-)

The mentioned posts title is missleading. It talks about Wacatab.B!ml while this thread here is about Wacatac.B!ml.

Might be a typo or in fact two different flavours of a trojan, who knows... :-)

Ken Herbert
Ken Herbert's picture
Online
Last seen: 56 sec ago
DeveloperModerator
Joined: 2010-05-25 18:19
The body of that post says

The body of that post says Wacatac, so I'm assuming the title was just a typo.

el_viejo
Offline
Last seen: 8 months 2 weeks ago
Joined: 2018-05-14 10:28
Yes, you are right.

Maybe an admin can merge this thread with the other one and the other threads title can be corrected. By the way, i just got another signature update of my Defender hoping this will fix the most likely false positive but it just changed the detected trojan. Now it blocks and claims a Trojan:Script/Sabsik.FL.A!ml. Still wating and looking forward to see it fixed.

Ken Herbert
Ken Herbert's picture
Online
Last seen: 56 sec ago
DeveloperModerator
Joined: 2010-05-25 18:19
Title updated

I've updated the title, but there's no way for me to merge threads.

wolfferine
Offline
Last seen: 8 months 2 weeks ago
Joined: 2022-08-05 03:46
Hi Ken, No, it wasn't a typo!

Hi Ken,
No, it wasn't a typo!

John T. Haller
John T. Haller's picture
Offline
Last seen: 5 hours 36 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Update Your Definitions

Please update your definitions. VirusTotal shows clean across the board. Microsoft's online false positive submission tool shows it as clean. And it shows as clean and works without issue on an updated Windows 10 and Windows 11 machine here.

To update Defender's definitions, click Start and type security. Click on Windows Security. Click Virus & threat protection. Further down the page click Check for updates. Click check for updates. Also ensure your Windows is fully up to date as this may update Defender components.

Microsoft has had a ton of issues with Wacata* false positives in the last 3 days.

Sometimes, the impossible can become possible, if you're awesome!

wolfferine
Offline
Last seen: 8 months 2 weeks ago
Joined: 2022-08-05 03:46
FYI - Issue is now resolved

John thanks for your reply - btw I was sure it wasn't PortableApps,
I just wanted share what I was experiencing with Windows.

FYI - Issue is now resolved (after the latest update about 5 minutes ago) - as you did advice
Security Intelligence Version 1.4095.477.0
Updated 2024-02-23

A few hours ago I just had updated my system (incl. Defender) before firing up PortableApps updates - that's when I was getting the warnings
Security Intelligence Version 1.405.463.0
Updated 2024-02-22

And that's why I am so happy with my 2 other systems: Debian and macOS, who imo always been much more stable than Windows, and less less prone to malware and viruses. If you think I am wrong just go and check the following data from CVEdetails.com (by SecurityScorecard)

https://www.cvedetails.com/version-list/23/36/1/Debian-Debian-Linux.html
https://www.cvedetails.com/version-list/49/156/1/Apple-Mac-Os-X.html

and compare it to

https://www.cvedetails.com/version-list/26/125376/1/Microsoft-Windows-10...
https://www.cvedetails.com/version-list/26/164881/1/Microsoft-Windows-11...

2b2b
Offline
Last seen: 8 months 2 weeks ago
Joined: 2008-09-30 12:45
same here windows 11 and servers 2020

Hi!
Currently no updates possible, defender is ranting about dangerous scripts.
Defender definition updated now.
Since yesterday no updates possible.
br ! 2b2b

ottosykora
Offline
Last seen: 1 day 3 hours ago
Joined: 2007-10-11 17:48
same here

tested now on 4 w10 pc.
all updated today.
While no problem yesterday, today 24. feb no operation of portable apps on those w10 possible as all is blocked by the defender. Neither installed onusb stick nor installed on pc direktly works.
No further updates to defender possible.

the update is reported as: 1.405.505.0

Otto Sykora
Basel, Switzerland

Crayfish
Offline
Last seen: 8 months 2 weeks ago
Joined: 2024-02-24 05:51
Same for me, but the

Same for me, but the detection is Trojan:Script/Sabsik.TE.A!ml. Defender definitions are 1.405.505.0 and cannot update it further.

Panicked at first, but noticed Defender alerted my after Windows started. Checking the event logs showed it was PortableApps-related. I have it starting with Windows, and I have it check for updates on startup. And it's repeatable when checking for updates manually, which thrown up an error window.

Yves6720
Offline
Last seen: 8 months 2 weeks ago
Joined: 2024-02-24 05:35
Hi !

Hi !
Same thing here with W10 and W11 ... Maybe false positives...

Only detected by real time engine, not by a manual scan...

Regards
Yves

Accelerator 01
Offline
Last seen: 6 months 1 week ago
Joined: 2020-11-05 05:54
Trojan:Script/Wacatac.B!ml

I am getting this too. Everything was fine a week ago.

Trojan:Script/Wacatac.B!ml

Crayfish
Offline
Last seen: 8 months 2 weeks ago
Joined: 2024-02-24 05:51
Defender updated to 1.405.524

Defender updated to 1.405.524.0 and apps can be checked for updates without the detection.

XTP963
Offline
Last seen: 8 months 2 weeks ago
Joined: 2024-02-24 11:35
The problem is back

Windows Defender (on Windows 11 pro) detects Trojan:Script/Sabsik.TE.A!ml with update 1.405.529.0

John T. Haller
John T. Haller's picture
Offline
Last seen: 5 hours 36 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Fine Here

Windows 11 Pro with update 1.405.529.0 running in a clean virtual machine and it works without issue. Did you change any Security settings?

Sometimes, the impossible can become possible, if you're awesome!

XTP963
Offline
Last seen: 8 months 2 weeks ago
Joined: 2024-02-24 11:35
I haven't made any changes to

I haven't made any changes to the security settings, but I don't use a virtual machine.

John T. Haller
John T. Haller's picture
Offline
Last seen: 5 hours 36 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
VM won't matter

Using a virtual machine or not shouldn't affect scanning. I just mention it because it's essentially a clean install of Windows 11 Pro which has never had any software installed on it and hasn't had any Windows Security settings altered.

Sometimes, the impossible can become possible, if you're awesome!

John T. Haller
John T. Haller's picture
Offline
Last seen: 5 hours 36 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Rescanned

I rescanned everything released in the last 3 days. A couple of the launchers had that same false positive in Defender when first released, likely due to an updated code signing certificate (happens yearly), and all the Defender false positives have been resolved in both the installer and launcher. Platform and updater working fine here on Windows 10 and 11 in clean virtual machines using all the default Defender settings with update 1.405.529.0. I'm unsure why a few users are experiencing issues but hopefully it'll settle soon.

Sometimes, the impossible can become possible, if you're awesome!

XTP963
Offline
Last seen: 8 months 2 weeks ago
Joined: 2024-02-24 11:35
Problem solved for me with

Problem solved for me with Windows Defender update 1.405.569.0 .

Crayfish
Offline
Last seen: 8 months 2 weeks ago
Joined: 2024-02-24 05:51
Still okay after updating to

Still okay after updating to 1.405.529.0.

lukasaz1999
Offline
Last seen: 2 months 2 weeks ago
Joined: 2024-02-27 14:51
Works with 1.405.701.0

Thanks for letting us know that this was a false positive.

Log in or register to post comments