
Windows Defender detecting Trojan:Script/Wacatac.B!ml in a dotnet application that I wrote and have used for the last 15 years.

Anonymous
2022-06-25T17:16:34+00:00

Years ago I wrote a network test tool in dotnet. Over the years I have updated it to the latest dotnet version and added features and new functions.

Windows Defender just alerted me and deleted it saying that it had Trojan:Script/Wacatac.B!ml in the exe. I know this is not true unless that trojan is in Visual Studio's compilation tools!

It didn't even give me an option to allow it. It didn't quarantine it, it just deleted it. History doesn't show anything. It is showing in the event log though.

What does this Trojan:Script/Wacatac.B!ml even do? I'm trying to understand what Defender thinks my application is doing.

How can I report it as Safe to Microsoft. I'll even provide source code if necessary.

Below is the Event log entry for it:

Microsoft Defender Antivirus has detected malware or other potentially unwanted software.

For more information please see the following:

https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Script/Wacatac.B!ml&threatid=2147735503&enterprise=0

    Name: Trojan:Script/Wacatac.B!ml
    ID: 2147735503
    Severity: Severe
    Category: Trojan
    Path: file:_C:\Program Files\MC Labs\Network Tools\Network Tools Sharp.exe
    Detection Origin: Local machine
    Detection Type: FastPath
    Detection Source: Real-Time Protection
    User: REDACTED
    Process Name: C:\Windows\System32\RuntimeBroker.exe
    Security intelligence Version: AV: 1.369.225.0, AS: 1.369.225.0, NIS: 1.369.225.0
    Engine Version: AM: 1.1.19300.2, NIS: 1.1.19300.2

I am going to recompile with VS 2022 and see if it is detected as malicious again.

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


3 answers

  1. Anonymous
    2022-06-27T20:03:17+00:00

    The Real-time protection is the module that is detecting this.

    Still nothing listed in the protection history. Is it really OK for Defender to just delete things without any record? I knew to check the Event log, but most users wouldn't know that.

    Since I copied the original file over, it eventually removed that version as well. So I no longer have a copy of the older file that is being detected falsely to submit to them. I'm now using the newly compiled version and will submit that if it is detected and deleted again. I've excluded my source code folders so it doesn't remove the current version and I can submit it if it becomes necessary.

    AI can be so useful but it can also be a pain!


    4 people found this answer helpful.
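The answer above excludes whole source folders and has already lost the flagged binary before it could be submitted. The following PowerShell, added here as an example and not part of the thread, shows the narrower version of the same workflow: hash the release binary first so a WDSI submission can be tied to the exact file, exclude only the build output directory, and then run an on-demand scan of that file. The build path and executable name are placeholders, not the poster's real paths. Add-MpPreference and Start-MpScan need an elevated prompt.

```powershell
# Added example (not from the thread). Placeholder build output path; adjust to your own.
$buildOutput = 'C:\Projects\NetworkTools\bin\Release'
$exe = Join-Path $buildOutput 'Network Tools Sharp.exe'

# 1. Record the SHA-256 of the binary before anything can remove it. The thread lost the
#    flagged copy; with the hash on file, a WDSI report and a later rebuild can be matched
#    to exactly this artifact.
$hash = Get-FileHash -Path $exe -Algorithm SHA256
"{0}  {1}" -f $hash.Hash, $exe

# 2. Exclude only the build output directory, not the whole source tree. Anything written
#    into an excluded folder is never scanned again, so keep the scope as small as possible.
Add-MpPreference -ExclusionPath $buildOutput
(Get-MpPreference).ExclusionPath      # confirm exactly which paths are now excluded

# 3. On-demand scan of the single file. As Rob Koch's answer notes, "!ml" detections come
#    from real-time protection, so a clean result here does not rule out a repeat detection
#    the next time the file is written or executed.
Start-MpScan -ScanType CustomScan -ScanPath $exe

# 4. Check whether Defender has any recorded detection for this file.
Get-MpThreatDetection | Where-Object { $_.Resources -like "*$exe*" } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources

# To undo the exclusion once the false positive has been resolved:
# Remove-MpPreference -ExclusionPath $buildOutput
```

Step 1 before step 2 is deliberate: once the hash exists, losing the file to another real-time removal no longer loses the evidence.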
  2. Rob Koch 25,875 Reputation points Volunteer Moderator
    2022-06-25T19:14:56+00:00

    Look carefully at both the specific detection as well as portions of the Event log entry, though you need to understand a bit more about how Defender actually works to see what I saw in an instant.

    What you need to know about Defender is that for several years now, it has been one of the most advanced apps that Microsoft has created to take advantage of their ML.NET machine learning (i.e. Artificial Intelligence) abilities that have been created and advancing in parallel to Windows.

    Microsoft Defender uses ML.NET to stop malware | .NET

    Introduction to Windows Machine Learning | Microsoft Docs

    Though this machine learning is really used throughout Defender's operation, it's most prevalent within certain specific detections which are designated by a suffix of "!ml" attached to the end of the detection name, which you should note is included in the one which detected your app.

    Since these detections are related specifically to machine learning, they are inherently also found via real-time protection, so manual or automated scans will not find them.

    The other clue to this within the Event log entry is the FastPath Detection type, which though maybe not obvious also implies machine learning as that's really how the dynamic, quick detection systems within Defender all truly operate.

    I could now try to explain the potential reasons for this detection, but to a developer such as yourself this should be fairly obvious as a combination of a likely script within your code with a similarity to that found within the actual Wacatac malicious software that mis-triggered the machine learning and caused a false positive detection.

    If this detection continues via real-time - machine learning, then you should manually submit your app using the WDSI Portal (under More pulldown) for developers to indicate it's a false positive, so it can be evaluated by first the machine learning system and then possibly a human to cause the detection to be tweaked to avoid this.

    Antimalware and cybersecurity portal - Microsoft Security Intelligence


    1 person found this answer helpful.
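Two points in this thread are worth checking with a script rather than the Protection History page: the original post found the detection only in the event log, and the answer above explains the "!ml" suffix and the FastPath detection type as the real-time, machine-learning path. The PowerShell below is an added example, not code from the thread or from Microsoft. It reads Defender's Operational log (event 1116 = malware detected, 1117 = action taken), pulls the same fields the poster's entry shows, flags the ML markers, and cross-checks against the detection history cmdlet. The field names it parses (Name, Path, Detection Type, Detection Source, Action) are taken from the event text quoted in the question.

```powershell
# Added example (not from the thread). Reads Defender detection events from the
# Operational log, where the poster found the entry that Protection History did not show.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -MaxEvents 100 -ErrorAction SilentlyContinue

function Get-DetectionField {
    param([string]$Message, [string]$Field)
    # Each field sits on its own line in the event text, e.g. "Name: Trojan:Script/Wacatac.B!ml".
    $pattern = '(?m)^\s*' + [regex]::Escape($Field) + ':\s*(.+?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

$report = foreach ($e in $events) {
    $name = Get-DetectionField -Message $e.Message -Field 'Name'
    $type = Get-DetectionField -Message $e.Message -Field 'Detection Type'
    [pscustomobject]@{
        Time          = $e.TimeCreated
        EventId       = $e.Id                                   # 1116 detected, 1117 action taken
        Name          = $name
        Path          = Get-DetectionField -Message $e.Message -Field 'Path'
        Source        = Get-DetectionField -Message $e.Message -Field 'Detection Source'
        DetectionType = $type
        Action        = Get-DetectionField -Message $e.Message -Field 'Action'   # present on 1117 only
        # Per Rob Koch's answer: "!ml" marks a machine-learning classification and
        # FastPath marks the quick real-time path, so both point at the same subsystem.
        MlHeuristic   = ($name -like '*!ml')
        FastPath      = ($type -eq 'FastPath')
    }
}
$report | Sort-Object Time -Descending | Format-Table -AutoSize

# Cross-check against the cmdlet view of Defender's detection history. A record in the
# event log with nothing here is the "deleted without any record" situation the poster hit.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
    Sort-Object InitialDetectionTime -Descending
```

Rows where MlHeuristic and FastPath are both true are the ones to take to the WDSI portal as suspected false positives; the Path column gives the exact file to submit, and ThreatID from the second query matches the ID field in the event (2147735503 in the poster's entry).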
  3. Anonymous
    2022-06-25T17:51:16+00:00

    Just to verify, I copied the original exe file from my release compile directory to the same folder and asked Defender to scan it; it came back clean, and it runs fine...

    So the previous detection was a false positive, but I want to know why....

    I then updated all the NuGet packages and recompiled in VS2022 just because I have not recompiled it since the beginning of the year and that version also tests clean.

    Also wanted to mention that defender also removed the shortcuts on the start menu. Because a shortcut is malicious?

    I also have this app on numerous other machines, I'm going to scan them as well.

    SentinelOne detects nothing.


    1 person found this answer helpful.