Program installed with Inno Setup seen as Trojan (Wacatac.B!ml)
My software is a .NET application. The original .exe compiled with Visual Studio works fine and Microsoft Defender has nothing to say about it or any of the dependencies.

I made an installer with Inno Setup, that has been working fine until now, on a bunch of different machines.

The installer deploys my two .exe (the main app and an admin tool) and my own libraries, a few other libraries (Helix Toolkit, Triangles.net), and some libraries from .NET 5.0 (so that the framework is not needed for an offline install).

Since this morning, I have the following:

  • one of the installed .exe is seen as a Trojan by Microsoft Defender, and is put in quarantine;
  • when I put the original .exe back in the Program Files directory manually, no Trojan is detected (even when I manually test the directory).

To be clear:

  • no malware is detected in the installer
  • no malware is detected in the original file
  • only the file installed by Inno Setup is concerned

Is it possible that Inno Setup put that Trojan in my exe? If so, what could I do to prevent or circumvent it?

The more I investigate this, the less I understand what Inno Setup does. My original exe file weighs only 280 KB, and the exe file installed by Inno Setup weighs 132 MB. And, again, the Trojan is ONLY detected in the exe installed by Inno Setup.

Screen cap (sorry for the french OS):


The trojan description is:
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aScript%2fWacatac.B!ml&threatid=2147735503

The Inno Setup installer is now seen as containing the trojan and put in quarantine.


Kephart answered 18/8, 2021 at 14:34 Comment(2)
If the anti-malware engine thinks your executable looks suspicious, then sure, it would block it. You would need to inform the vendor of a false-positive or manually unblock in that case. (Digitally signing your executables and installers using a code-signing certificate from a validated CA is another very good solution, although this is not free.) – Twobyfour
I pay for a 3-year code signing certificate and whitelist each installer with the avast ftp server. – Naara
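The question hinges on whether Inno Setup changed the file it installed. Inno Setup compresses the files listed under [Files] and restores them byte-for-byte at install time, so the quickest way to settle it is to hash the build output against the deployed copy, and then ask Defender what it actually flagged. The following PowerShell is an added example written for this thread, not code from the question or any answer; the two paths are placeholders, and the `Get-Mp*` cmdlets come with the Defender module on Windows 10/11. Matching hashes mean the detection is a heuristic or reputation verdict on an unchanged file; mismatched hashes (especially a size jump from kilobytes to over a hundred megabytes) mean the [Files] entry is packaging a different artifact than the one that was tested, for instance a self-contained single-file publish instead of the framework-dependent build.

```powershell
# Added example, not from the original thread. Paths are placeholders.
$Original  = 'C:\Build\Release\MyApp.exe'         # placeholder: the exe Visual Studio produced
$Installed = 'C:\Program Files\MyApp\MyApp.exe'   # placeholder: the exe Inno Setup deployed

function Compare-DeployedBinary {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Deployed
    )
    foreach ($p in @($Source, $Deployed)) {
        # A quarantined file is gone from disk, which is itself a useful signal here.
        if (-not (Test-Path -LiteralPath $p)) { throw "Missing: $p (quarantined or wrong path?)" }
    }
    $src = Get-Item -LiteralPath $Source
    $dst = Get-Item -LiteralPath $Deployed
    $srcHash = (Get-FileHash -LiteralPath $Source   -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $Deployed -Algorithm SHA256).Hash

    [pscustomobject]@{
        SourceBytes    = $src.Length
        DeployedBytes  = $dst.Length
        SameSize       = ($src.Length -eq $dst.Length)
        SameSha256     = ($srcHash -eq $dstHash)   # $true: installer did not alter the file
        SourceSha256   = $srcHash
        DeployedSha256 = $dstHash
    }
}

function Get-DefenderHitsForPath {
    param([Parameter(Mandatory)][string]$PathFragment)
    # Get-MpThreatDetection lists every detection event on the machine; its Resources
    # property holds strings naming the affected files. Filter to the path of interest
    # and resolve the numeric ThreatID to the threat name Defender shows in the UI.
    Get-MpThreatDetection |
        Where-Object { ($_.Resources -join ' ') -like "*$PathFragment*" } |
        ForEach-Object {
            $threat = Get-MpThreat -ThreatID $_.ThreatID
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                ThreatName = $threat.ThreatName        # e.g. the Wacatac.B!ml name from the question
                ActionId   = $_.CleaningActionID        # numeric action code (quarantine, remove, ...)
                Resources  = ($_.Resources -join '; ')
            }
        }
}

Compare-DeployedBinary -Source $Original -Deployed $Installed | Format-List
Get-DefenderHitsForPath -PathFragment 'MyApp.exe' | Format-Table -AutoSize
```

Run it from an elevated prompt so the Defender cmdlets can read the detection history. Note that "!ml" in the threat name marks a machine-learning verdict rather than a signature match, which is why the same bytes can be clean one week and flagged the next; the hash comparison tells you whether anything about the file itself changed in between.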

This is a false positive alarm.

Report your software as safe to several AV companies and wait till they update their databases.

Also it helps if the software is signed with a certificate, has many users/downloads and everyone reports it as safe.

Irmairme answered 19/8, 2021 at 5:21 Comment(4)
Ok for reporting and signing, but I don't understand why there is no Trojan detected in my original exe, and only in the much heavier exe installed by Inno Setup. See my edit about the file size, too. – Kephart
Setup is also an executable and the AV software may see some binary operation, e.g. writing to files or folders, working in the registry or anything suspicious. – Irmairme
Again, Defender sees no Trojan in the setup executable. – Kephart
The Trojan was detected in the installed exe several weeks after it had been installed. – Kephart

The problem is the Compression setting in InnoSetup. Change it from:

Compression=lzma

to

Compression=zip

and the problem goes away. Feel free to try other Compression settings, but zip works.

Quinquevalent answered 26/11, 2023 at 23:2 Comment(4)
Never mind. It worked the first time but not on subsequent compiles. – Quinquevalent
If you found the answer is incorrect, you can delete it. – Giulia
@Quinquevalent I removed "SolidCompression=yes" and the problem went away. Maybe virus detection is not able to scan inside the setup file? – Myrlemyrlene
I was having the same issue using InstallForge. Your solution fixed the problem. In my case I changed the compression from lzma to bzip2. – Poignant

My .net 6 app was flagged with the same Trojan. Defender had no issues when my code was just in the bin\release folder, but after publishing it to a folder and letting Visual Studio create a single executable, Defender started showing this false positive. For me the solution was simply to strong name my main exe assembly. This seemed to change the final resulting exe signature enough as to not get flagged anymore.

Levania answered 11/12, 2021 at 10:40 Comment(0)

I removed the remarked items, and the Trojan warning disappeared:

Interpolation answered 22/4, 2022 at 6:4 Comment(4)
Please add code directly into the answer, rather than a screenshot. It would be more helpful to other users when reading your answer. – Stuckey
Given he's showing lines to remove, rather than lines that need typing, I'm not sure why code is better than a screenshot? – Colophony
@Colophony You can do <strike>blah blah blah</strike> (although the OP may not know this) – Scallion
@PaulSanders That still doesn't make it easier for the reader though. My point was just that in this context, a screenshot is fine. The reader would never need to copy and paste this code; the OP was showing what lines to remove. – Colophony

I solved it by enabling the Sign the assembly option in the project properties.


Campobello answered 17/1 at 21:51 Comment(0)
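Two different things are called "signing" in this thread: Levania's and Campobello's fix is strong naming (a public key embedded in the assembly manifest via the project's "Sign the assembly" option), while Twobyfour's comment refers to Authenticode code signing (an X.509 signature over the whole PE file, which is what Defender reputation and the SmartScreen publisher prompt look at). The PowerShell below is an added example, not code from any of the answers, for checking which of the two a given binary actually has; the path is a placeholder. It assumes the file is a managed assembly, as the bin\Release output is; a self-contained single-file bundle host is a native PE, so the strong-name lookup reports that case instead of a token.

```powershell
# Added example, not from the original thread. Path is a placeholder.
function Get-AssemblySigningStatus {
    param([Parameter(Mandatory)][string]$Path)

    # Strong name: present when the assembly manifest carries a public key,
    # in which case GetPublicKeyToken() returns 8 bytes; empty otherwise.
    # GetAssemblyName throws for a non-managed PE (e.g. a single-file bundle host).
    $token = $null
    $strongNamed = $false
    try {
        $name  = [System.Reflection.AssemblyName]::GetAssemblyName($Path)
        $bytes = $name.GetPublicKeyToken()
        if ($bytes.Length -gt 0) {
            $token = [System.BitConverter]::ToString($bytes).Replace('-', '').ToLower()
            $strongNamed = $true
        }
    } catch {
        $token = 'n/a (not a managed assembly; check the bin\Release output instead)'
    }

    # Authenticode: verified by the OS trust chain, independent of strong naming.
    # Status is NotSigned, Valid, HashMismatch, NotTrusted, ...
    $auth = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        File           = Split-Path -Leaf $Path
        StrongNamed    = $strongNamed
        PublicKeyToken = $token
        Authenticode   = $auth.Status
        Publisher      = if ($auth.SignerCertificate)     { $auth.SignerCertificate.Subject }     else { $null }
        TimestampedBy  = if ($auth.TimeStamperCertificate) { $auth.TimeStamperCertificate.Subject } else { $null }
    }
}

Get-AssemblySigningStatus -Path 'C:\Build\Release\MyApp.exe' | Format-List   # placeholder path
```

Run it against both the build output and the installed copy: a strong-named assembly with `Authenticode = NotSigned` is the state Levania and Campobello describe, while a `Valid` Authenticode status with a timestamp is what the code-signing route in the comments produces. Strong naming only proves the assembly was not modified after being built by the key holder; it carries no publisher identity, so it does not by itself build reputation with Defender, even if it changed the file enough to dodge the verdict in Levania's case.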
