
Windows detects virus when downloading https://github.com/apple/pkl/releases/download/0.26.0/pkl-windows-amd64.exe #543

Open
cloudflight-cweiss opened this issue Jun 19, 2024 · 5 comments

Comments

@cloudflight-cweiss

I wanted to try the new Windows native version today, and Windows Defender triggered with a virus detection warning:
Trojan:Win32/Wacatac.B!ml

I hope this is a false positive?

@holzensp
Contributor

I would think so (false positive)! This is disconcerting, nonetheless... How did you download it? Browser? (If so, which one?) Invoke-WebRequest? GitHub client?

@cloudflight-cweiss
Author

cloudflight-cweiss commented Jun 19, 2024

I downloaded it via Chrome by clicking the link on the Github Release page.
It also did not alarm at first, but only when I tried to execute it (without arguments, to get the help displayed), after which it also instantly triggered on subsequent downloads (when I wanted to confirm that I did not accidentally download another version via some other link).

My current assumption would be that the native executable tries to load some Java code via unpacking or something (or lazy-loading more code from the net?), which could plausibly trigger Windows Defender.

P.S.: I also downloaded the 0.27.0-SNAPSHOT version linked in my other GitHub issue in the pkl-intellij repository (apple/pkl-intellij#8 (comment)).
Command is as described here: https://pkl-lang.org/main/latest/pkl-cli/index.html#windows-executable
Although I think I deleted that version after I noticed there was a new 0.26.0 release, and the 0.27-SNAPSHOT did not trigger anything (not 100% sure if I executed that one or not).

@holzensp
Contributor

The native executable runs on sandboxed / air-gapped machines, so it certainly isn't a late/remote load. The point of GraalVM's native-image is that you don't end up running a JVM, so I also cannot imagine anything having to do with that type of Java dynamism.

I've searched for similar reporting on native-image, but have not seen much. There have been issues with false positives from Windows Defender for GraalVM before, but that concerned a component (svm.jar) of the GraalVM distribution itself.

Do try the 0.27-SNAPSHOT, because it's built with the same infrastructure. Alternatively, see what happens if you get it through Invoke-WebRequest or curl (we've seen issues with signing from browser-downloaded binaries before that other download tools didn't have). If you have any more detail from Windows Defender, that could also be helpful. Anyone else seeing similar and finding this, please chime in!
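The checks suggested above (download with Invoke-WebRequest instead of a browser, and collect whatever detail Windows Defender has) can be scripted so that two people comparing notes are at least looking at the same bytes and the same engine version. The script below is an added example, not code from this thread or from the pkl project. It assumes the 0.26.0 asset URL from the issue title, an optional trusted SHA-256 you fill in yourself, and an elevated Windows PowerShell session for the Defender cmdlets.

```powershell
# Added example, not code from the pkl project. Assumptions: the URL below is the
# 0.26.0 release asset from the issue title; $Expected is a SHA-256 obtained on a
# machine you trust (left empty here); the Defender cmdlets need an elevated session.
$Url      = 'https://github.com/apple/pkl/releases/download/0.26.0/pkl-windows-amd64.exe'
$Dest     = Join-Path $env:TEMP 'pkl-windows-amd64.exe'
$Expected = ''   # assumption: paste a trusted SHA-256 here, or leave empty to skip the comparison

# 1. Fetch with Invoke-WebRequest rather than a browser, so the browser's own
#    download handling is out of the picture.
Invoke-WebRequest -Uri $Url -OutFile $Dest -UseBasicParsing

# 2. Hash the bytes on disk. Two machines that report different verdicts for the
#    "same" file should first confirm they actually hold identical bytes.
$hash = (Get-FileHash -Path $Dest -Algorithm SHA256).Hash
"SHA256  : $hash"
if ($Expected -and $hash -ne $Expected.ToUpperInvariant()) {
    Write-Warning "Hash mismatch: downloaded bytes differ from the trusted copy ($Expected)."
}

# 3. Mark of the Web: a Zone.Identifier alternate data stream (ZoneId=3 means
#    Internet zone) is what SmartScreen and Defender use to treat a file as a
#    download. Report whether this copy carries one, since browser and
#    non-browser downloads can differ here.
$motw = Get-Content -Path $Dest -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) { "MotW    : $($motw -join ' | ')" } else { 'MotW    : none (no Zone.Identifier stream)' }

# 4. Authenticode: an unsigned binary is not evidence of malware, but the
#    signature status belongs in any report of the detection.
$sig = Get-AuthenticodeSignature -FilePath $Dest
"Signed  : $($sig.Status) $($sig.SignerCertificate.Subject)"

# 5. Ask Defender directly: scan just this file, then pull the detection records
#    that reference it, together with the engine and signature versions in use.
Start-MpScan -ScanType CustomScan -ScanPath $Dest
$status = Get-MpComputerStatus
"Engine  : AMEngine $($status.AMEngineVersion), AV signatures $($status.AntivirusSignatureVersion)"

$hits = Get-MpThreatDetection | Where-Object { $_.Resources -match [regex]::Escape($Dest) }
if (-not $hits) {
    'Defender: no detection recorded for this file'
} else {
    $threats = Get-MpThreat
    foreach ($h in $hits) {
        $t = $threats | Where-Object { $_.ThreatID -eq $h.ThreatID }
        [pscustomobject]@{
            ThreatName = $t.ThreatName            # e.g. Trojan:Win32/Wacatac.B!ml
            Detected   = $h.InitialDetectionTime
            Process    = $h.ProcessName           # process that touched the file when it fired
            Resources  = ($h.Resources -join '; ')
        }
    }
}
```

The engine and signature versions matter when reporting a suspected false positive: an ML verdict can change between signature updates, so "scans clean on my machine" only means something if both sides record which engine build produced the verdict.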

@stackoverflow
Contributor

I can't reproduce that (Windows 11). I can download the exe through Chrome and run it in cmd or PowerShell with no problems. Running Windows Defender on it also says the file is fine; nothing was found.

@z-jxy

z-jxy commented Jun 19, 2024

I downloaded using Invoke-WebRequest and Chrome without any issues.

The !ml portion of Trojan:Win32/Wacatac.B!ml indicates the detection was made using machine learning, which is prone to false positives.

If in doubt, you can scan using virustotal. Result shows 1/72 detections from vendors, with the only detection also being ML based:

[screenshot: pkl-windows-virustotal]
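The VirusTotal check above can be done by hash without uploading anything, which also lets you separate ML/heuristic-style detection names from signature-style ones when judging how much weight a lone hit deserves. The script below is an added example, not part of this thread or of the pkl project. It assumes the binary is at the path shown, a VirusTotal API key in `$env:VT_API_KEY`, the v3 file-lookup endpoint, and that "!ml" marks Microsoft's machine-learning verdicts as described above; the other name patterns it matches are an assumption and only a hint.

```powershell
# Added example, not code from the pkl project. Assumptions: the binary path,
# a VirusTotal API key in $env:VT_API_KEY, the v3 "files/{hash}" endpoint, and
# the name patterns in $mlPattern (only "!ml" is documented above as an ML marker).
$File   = Join-Path $env:TEMP 'pkl-windows-amd64.exe'
$ApiKey = $env:VT_API_KEY
if (-not $ApiKey) { throw 'Set VT_API_KEY before running this.' }

# Look the file up by SHA-256 so nothing is uploaded; an unknown hash yields 404.
$sha256 = (Get-FileHash -Path $File -Algorithm SHA256).Hash.ToLowerInvariant()
try {
    $report = Invoke-RestMethod -Method Get `
        -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
        -Headers @{ 'x-apikey' = $ApiKey }
} catch {
    throw "VirusTotal lookup failed for $sha256 : $($_.Exception.Message)"
}

$attrs = $report.data.attributes
$stats = $attrs.last_analysis_stats
"$sha256 : $($stats.malicious) malicious, $($stats.suspicious) suspicious, $($stats.undetected) undetected"

# last_analysis_results is an object keyed by engine name; flatten it to a list.
$results = @($attrs.last_analysis_results.PSObject.Properties | ForEach-Object { $_.Value })
$flagged = @($results | Where-Object { $_.category -in 'malicious', 'suspicious' })

# "!ml" is Microsoft's ML suffix; "heur"/"machine"/"ml" are an assumed catch-all
# for other vendors' heuristic naming and are hints, not a vendor classification.
$mlPattern = '(?i)!ml$|machine|heur|\bml\b'

$flagged | ForEach-Object {
    [pscustomobject]@{
        Engine   = $_.engine_name
        Verdict  = $_.category
        Name     = $_.result
        Method   = $_.method
        LikelyML = [bool]($_.result -match $mlPattern)
    }
} | Format-Table -AutoSize

# Reviewer's rule of thumb: a small minority of engines, all with ML/heuristic
# style names, is the profile of a false positive to confirm (re-scan after
# signature updates, compare hashes with the publisher) rather than act on.
$total       = $results.Count
$nonMl       = @($flagged | Where-Object { $_.result -notmatch $mlPattern })
$fewEngines  = $flagged.Count -le [math]::Max(2, [int]($total * 0.05))
if ($flagged.Count -gt 0 -and $nonMl.Count -eq 0 -and $fewEngines) {
    "Profile: $($flagged.Count)/$total engines, all ML/heuristic-style names -> likely false positive; re-check after signature updates"
} elseif ($nonMl.Count -gt 0) {
    "Profile: $($nonMl.Count) signature-style detection(s) present -> treat as suspicious until explained"
}
```

A 1/72 result where the single hit carries an ML-style name is exactly the first branch; the point of encoding the rule is that the same judgment gets applied the same way next time, instead of being re-argued in each issue thread.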
