Windows Defender false detects even an empty initial project as malware
### Description
I have been having a lot of issues releasing my Wails app to the general public due to false positive detection. I've been trying to narrow it down, since some other projects I have do not get detected as malware (e.g. an API server). However, to narrow it down, I've simply compiled an empty Wails app and uploaded it to VirusTotal, as well as doing a local scan.
Unfortunately, even this empty project is causing Microsoft Windows Defender to detect it as Win32/Wacapew.C!ml, or some other variant. I have a Sectigo EV code signing certificate, and even after signing the binary it does not change the results.
I understand the issue is clearly Microsoft and not the Wails project. However, it does seem that there is some reason it is sensitive to a Wails app signature. I'm posting here because I'm really out of ideas on how to proceed.
I've also been submitting the files to https://www.microsoft.com/en-us/wdsi/filesubmission as a false positive to potentially have Microsoft fix this issue, but after submitting possibly up to 50 times over the last 1-2 months this problem persists. The reply (if they reply at all) has always been "it is a false positive", "update your virus definitions". From what I can see, the local definitions do not actually detect it as malware; it is the "Cloud" definitions that cause problems.
What I'm wondering is:
- Does anyone else have this issue? Or is it some particular environment issue that I have?
- Does anyone know any channels to contact Microsoft on a higher level to resolve this?
### To Reproduce
- wails init -n duplicate-finder -t vue-ts
- wails build -platform windows/amd64
- Upload binary to https://www.virustotal.com and scan
### Expected behaviour
No malware detected
### Screenshots
### Attempted Fixes
Have submitted many false positive requests at: https://www.microsoft.com/en-us/wdsi/filesubmission
### System Details
# Wails
Version | v2.8.0
# System
| Setting | Value |
|---|---|
| OS | MacOS |
| Version | 14.2.1 |
| ID | 23C71 |
| Go Version | go1.21.3 |
| Platform | darwin |
| Architecture | arm64 |
| CPU | Apple M1 Max |
| GPU | Chipset Model: Apple M1 Max Type: GPU Bus: Built-In Total Number of Cores: 32 Vendor: Apple (0x106b) Metal Support: Metal 3 |
| Memory | 32GB |
# Dependencies
| Dependency | Package Name | Status | Version |
|---|---|---|---|
| Xcode command line tools | N/A | Installed | 2405 |
| Nodejs | N/A | Installed | 18.16.0 |
| npm | N/A | Installed | 9.5.1 |
| *Xcode | N/A | Installed | 15.1 (15C65) |
| *upx | N/A | Available | |
| *nsis | N/A | Available | |

\* - Optional Dependency
# Diagnosis
Optional package(s) installation details:
- upx : Available at https://upx.github.io/
- nsis : More info at https://wails.io/docs/guides/windows-installer/
### Additional context
_No response_
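The reproduction steps above (scaffold an empty `vue-ts` project, build it for `windows/amd64`, upload to VirusTotal) can be scripted so every rebuild yields the exact SHA-256 that VirusTotal and the Microsoft false-positive form key on, and so an already-scanned build can be looked up by hash instead of being re-uploaded. This is an added example written for this page, not code from the issue or the Wails project; the function names and the `build/bin/<name>.exe` output path it assumes are illustrative, and the build step is skipped when the `wails` CLI is not installed.

```shell
#!/bin/sh
# Added example (not from the issue or the Wails project): reproduce the
# empty-app build from the report and derive the SHA-256 that VirusTotal
# and Microsoft's submission form key on. Function names and the output
# path below are assumptions for illustration.

# Print the SHA-256 of a file, using whichever tool the host has
# (sha256sum on Linux, shasum on macOS where the reporter builds).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# VirusTotal's file report URL for a hash; checking by hash first shows
# whether this exact build was already scanned, without re-uploading it.
vt_report_url() {
    printf 'https://www.virustotal.com/gui/file/%s\n' "$(file_sha256 "$1")"
}

# Reproduce the report's steps: scaffold an empty vue-ts project and build a
# Windows amd64 binary. Returns 2 (skipped) when the wails CLI is absent, so
# the hashing helpers above still work on their own.
build_empty_wails_app() {
    name="${1:-duplicate-finder}"
    command -v wails >/dev/null 2>&1 || { echo "wails CLI not found" >&2; return 2; }
    wails init -n "$name" -t vue-ts || return 1
    ( cd "$name" && wails build -platform windows/amd64 ) || return 1
    # Assumed default output location of `wails build` for this project name.
    echo "$name/build/bin/$name.exe"
}

# Usage: sh reproduce.sh run
if [ "${1:-}" = "run" ]; then
    bin="$(build_empty_wails_app duplicate-finder)" || exit $?
    echo "SHA-256: $(file_sha256 "$bin")"
    vt_report_url "$bin"
fi
```

Recording the hash alongside each submission also makes it possible to tell whether a later "clean" verdict applies to the same build or to a rebuilt binary, which matters because any change to the project (signing included, as the reporter notes) produces a different file.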
Yeah I have the same problem...
Apart from submitting to Microsoft which I have done, it might help trying to get an EV code signing certificate (although I'm unsure this actually helps).
HOWEVER just a warning to anyone who wants to get an EV code signing certificate from Sectigo or any certificate on a Yubikey FIPS HSM:
https://www.reddit.com/r/sysadmin/comments/17xbh80/sectigo_ecc_ev_code_signing_certificates_are/
Do not give them your money it's a total scam.
We have an SSL.com EV code signing certificate on a YubiKey 5C Nano FIPS and have never had any issues with our Wails-based application with Microsoft Defender.
Does having an EV code signing certificate actually decrease the likelihood of being flagged as a false positive? I can't seem to find any concrete information on how it affects Windows Defender / SmartScreen scans.
According to this blog, it seems EV code signing certificates haven't changed the reputation algorithms anymore since 2020.
At the time this post was written (2018), programs signed by an EV code signing certificate could immediately establish reputation with Microsoft Defender SmartScreen even if no prior reputation existed for that file or publisher. Starting in 2020, EV certificates were no longer treated specially, and will now develop reputation the same way as other Authenticode certificates.
So it seems there's no difference between EV and OV anymore with regard to reputation. But what Microsoft really does remains a black box for us.
Some people also mention using obfuscation with garble can fix it.
Hi @PylotLight, you said that modifying wails.json makes a difference on this issue. https://github.com/wailsapp/wails/issues/3045#issuecomment-1803860986
Could you share your finding, please?
> Hi @PylotLight, you said that modifying wails.json makes a difference on this issue. #3045 (comment) Could you share your finding, please?
Unfortunately, I have nothing to report. My observation was based on different settings I updated and apps I tried to build as currently I'm having no issues despite not signing my app on my work machine, although I did see the error once with a minimal config but after updating all the details in the json it seemed to work again. Otherwise it seems based on luck at this stage I'm afraid.