(False positive?) Windows Defender message on config backup

angelus249

Dabbler
Joined
Dec 19, 2014
Messages
41
Hi folks,

I've got a faulted USB boot drive and wanted to backup the config before resilvering the new drive. However, Windows Defender reported a Trojan/Script find and blocked the download.


While I found an old "false positive" topic regarding the whole TrueNAS image --> https://www.truenas.com/community/threads/threat-blocked-message-windows-defender.108658/ I didn't find anything regarding the config itself, though.

Any thoughts?

Btw. the USB drive failed a few days ago and I immediately saved the config back then as well, without any issues/reports.
I run the latest TrueNAS Core 13.0-U6.1 on my NAS and Windows 11 Pro 23H2 with recent Windows Defender virus definitions on the client where I downloaded the config.

Cheers
 

RadolBR

Cadet
Joined
Sep 4, 2023
Messages
8
I'm not a security expert. But I don't think it's anything serious.

Probably just a few lines from the configuration file that Defender picked up as a possible virus and put on warning.
Wacatac is known for being able to open ports, perhaps some line that has something with SSH or another type of access to the machine.

But using another antimalware won't hurt. Better safe than sorry.
 

angelus249

Dabbler
Joined
Dec 19, 2014
Messages
41
I would agree, hence adding the "False positive?" part in the subject. However, based on the previous feedback regarding the false positive on the image I was curious if a) others experienced the same here and b) if iXsystems is taking any action.

Well, maybe we'll learn some more some day.

Either way, the resilvering is long done :)

Cheers
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
That's interesting since I haven't had issues handling the config file a few weeks ago.
 

stephen.dail

Cadet
Joined
Apr 18, 2023
Messages
3
That's interesting since I haven't had issues handling the config file a few weeks ago.
I only recently started getting the reports as well.
I'm going with false positive, as I scanned the file online at https://www.virustotal.com/ (scans file using 39 different popular/noted AV tools from Avast to Kaspersky to Google to Trend...etc.) and ALL came up as negative.
 


kuraegomon

Cadet
Joined
Mar 10, 2024
Messages
1
Hi there,
Can confirm that I _just_ encountered precisely the same symptom as the OP (MS Defender detects the config backup file as "Trojan:Script/Wacatac.B!ml"). So it certainly appears to be something recent, as my previous config backup (taken late last year) was saved without issue.

It's pretty annoying though, as I think I'd have to permanently switch antivirus providers to escape the problem. Defender's response is to immediately delete the file!
 

GTAXL

Cadet
Joined
Jan 8, 2018
Messages
5
Got this too when downloading the config backup file on Windows 10 Pro.

 

planedrop

Dabbler
Joined
Jun 28, 2021
Messages
26
I know it's not helpful, but just commenting to say I'm seeing the same thing now.

Also @stephen.dail probably best not to upload anything sensitive (like a config file) to VirusTotal, everything that goes on there is public and can be looked at by researchers. And the .db file has some info in it that is in relatively plain text.
 

stephen.dail

Cadet
Joined
Apr 18, 2023
Messages
3
I know it's not helpful, but just commenting to say I'm seeing the same thing now.

Also @stephen.dail probably best not to upload anything sensitive (like a config file) to VirusTotal, everything that goes on there is public and can be looked at by researchers. And the .db file has some info in it that is in relatively plain text.
Acknowledged - and good point. Guess I took one for the team. :)
 

angelus249

Dabbler
Joined
Dec 19, 2014
Messages
41
Please update your Windows Defender definitions to the latest version and see if the config file is still being mistakenly flagged as malware. We worked to resolve this issue a few days ago.
Looks good. No more reports.

Cheers
 
Joined
Mar 15, 2024
Messages
4
Just upgraded from Bluefin to the current Cobia, because it showed me this problem.
The problem still persists with Windows 11 and current security updates.
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
Just upgraded from Bluefin to the current Cobia, because it showed me this problem.
The problem still persists with Windows 11 and current security updates.
Greetings He-Who-Must-Not-Be-Named :wink:

Can you share the version of your protection info under Windows Security -> Virus & Threat Protection -> Protection Updates?

Eg: (screenshot of the Protection Updates page attached)

Thanks!
 

planedrop

Dabbler
Joined
Jun 28, 2021
Messages
26
Yeah, I second @HoneyBadger: can you show us the version being used? So far I haven't been able to replicate this issue on multiple Windows 11 boxes.
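An added PowerShell example (not from this thread, iXsystems or Microsoft) that collects what @HoneyBadger and @planedrop ask for, and follows @planedrop's advice of not uploading the backup: it prints the Defender engine and signature versions, lists detection-history entries for the threat name reported in the thread, and hashes the local backup so it can be looked up by hash instead of uploaded. The backup path and the detection name are assumed placeholders taken from the thread; adjust them to your own file.

```powershell
# Added example, not part of the original thread.
# Assumptions: the config backup was saved at $BackupPath (placeholder) and
# the detection name is the one quoted in the thread.
param(
    [string]$BackupPath = "$env:USERPROFILE\Downloads\truenas-config.tar",
    [string]$ThreatName = 'Trojan:Script/Wacatac.B!ml'
)

# 1. Engine and definition versions: the information the moderators asked for.
Get-MpComputerStatus |
    Select-Object AMEngineVersion, AMProductVersion,
                  AntivirusSignatureVersion, AntivirusSignatureLastUpdated |
    Format-List

# 2. Detection history: confirm the backup was hit by this signature, and when.
$threatIds = @(Get-MpThreat |
               Where-Object ThreatName -eq $ThreatName |
               ForEach-Object ThreatID)
if ($threatIds.Count -gt 0) {
    Get-MpThreatDetection |
        Where-Object { $threatIds -contains $_.ThreatID } |
        Select-Object InitialDetectionTime, ActionSuccess, Resources |
        Format-List
} else {
    Write-Host "No '$ThreatName' entries in Defender's threat history."
}

# 3. Identify the file by SHA-256 so it can be searched by hash rather than
#    uploaded (the backup holds credentials and, with the seed exported, the
#    secret seed). Defender may already have removed the file, so check first.
if (Test-Path -LiteralPath $BackupPath) {
    $hash = (Get-FileHash -LiteralPath $BackupPath -Algorithm SHA256).Hash
    Write-Host "SHA-256 of ${BackupPath}: $hash"
} else {
    Write-Host "File not present at $BackupPath (quarantined or deleted?)."
}
```

Run it in an elevated PowerShell session; the Defender cmdlets require the Defender module that ships with Windows 10/11.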
 
Joined
Mar 15, 2024
Messages
4
As additional information: it does not flag the file as dangerous when I don't tick "Export Password Secret Seed".

(sorry for 2 posts, should have checked that earlier :) )
 