(False positive?) Windows Defender message on config backup

angelus249

Dabbler
Joined
Dec 19, 2014
Messages
41
Hi folks,

I've got a faulted USB boot drive and wanted to backup the config before resilvering the new drive. However, Windows Defender reported a Trojan/Script find and blocked the download.
1709831422860.png


While I found an old "false positive" topic regarding the whole TrueNAS image --> https://www.truenas.com/community/threads/threat-blocked-message-windows-defender.108658/ I didn't find anything regarding the config itself, though.

Any thoughts?

Btw. the USB drive failed a few days ago and I immediately saved the config back then as well, without any issues/reports.
I run latest the TrueNAS Core 13.0-U6.1 for my NAS and Windows 11 Pro, 23H2 with recent Windows Defender virus definitions on the client, where I downloaded the config.

Cheers
 

RadolBR

Cadet
Joined
Sep 4, 2023
Messages
8
I'm not a security expert. But I don't think it's anything serious.

Probably just a few lines from the configuration file that Defender picked up as a possible virus and put on warning.
Wacatac is known for being able to open ports, perhaps some line that has something with SSH or another type of access to the machine.

But using another antimalware won't hurt. Better safe than sorry.
 

angelus249

Dabbler
Joined
Dec 19, 2014
Messages
41
I would agree, hence adding the "False positive?" part in the subject. However, based on the previous feedback regarding the false positive on the image I was curious if a) others experienced the same here and b) if iXsystems is taking any action.

Well, maybe we'll learn some more some day.

Either way, the resilvering is long done :)

Cheers
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
That's interesting since I haven't had issues handling the config file a few weeks ago.
 

stephen.dail

Cadet
Joined
Apr 18, 2023
Messages
3
That's interesting since I haven't had issues handling the config file a few weeks ago.
I only recently started getting the reports as well.
I'm going with false positive, as I scanned the file online at https://www.virustotal.com/ (scans file using 39 different popular/noted AV tools from Avast to Kaspersky to Google to Trend...etc.) and ALL came up as negative.
 

Attachments

  • TrueNAS_backup_AV_scan_online.png
    TrueNAS_backup_AV_scan_online.png
    102.5 KB · Views: 90

kuraegomon

Cadet
Joined
Mar 10, 2024
Messages
1
Hi there,
Can confirm that I _just_ encountered precisely the same symptom as the OP (MS Defender detects the config backup file as "Trojan:Script/Wacatac.B!ml"). So it certainly appears to be something recent, as my previous config backup (taken late last year) was saved with issue.

It's pretty annoying though, as I think I'd have permanently switch antivirus providers to escape the problem. Defender's response is to immediately delete the file!
 

GTAXL

Cadet
Joined
Jan 8, 2018
Messages
5
Got this too when downloading the config backup file on Windows 10 Pro.

2024_03_10_105436.png
 

planedrop

Dabbler
Joined
Jun 28, 2021
Messages
26
I know it's not helpful, but just commenting to say I'm seeing the same thing now.

Also @stephen.dail probably best not to upload anything sensitive (like a config file) to VirusTotal, everything that goes on there is public and can be looked at by researchers. And the .db file has some info in it that is in relatively plain text.
 

stephen.dail

Cadet
Joined
Apr 18, 2023
Messages
3
I know it's not helpful, but just commenting to say I'm seeing the same thing now.

Also @stephen.dail probably best not to upload anything sensitive (like a config file) to VirusTotal, everything that goes on there is public and can be looked at by researchers. And the .db file has some info in it that is in relatively plain text.
Acknowledged - and good point. Guess I took one for the team. :)
 

angelus249

Dabbler
Joined
Dec 19, 2014
Messages
41
Please update your Windows Defender definitions to the latest version and see if the config file is still being mistakenly flagged as malware. We worked to resolve this issue a few days ago.
Looks good. No more reports.

Cheers
 
Joined
Mar 15, 2024
Messages
4
Just upgraded from Bluefin to the current Cobia, because it showed me this problem.
The problem still persists with Windows11 and current security updates.
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
Just upgraded from Bluefin to the current Cobia, because it showed me this problem.
The problem still persists with Windows11 and current security updates.
Greeting He-Who-Must-Not-Be-Named :wink:

Can you share the version of your protection info under Windows Security -> Virus & Threat Protection -> Protection Updates?

Eg:
1710523578784.png

Thanks!
 

planedrop

Dabbler
Joined
Jun 28, 2021
Messages
26
Yeah I second @HoneyBadger can you show us the version being used, because so far I haven't been able to replicate this issue on multiple Windows 11 boxes.
 
Joined
Mar 15, 2024
Messages
4
It does not flag it as dangerous when I don't click the "Export Password Secret Seed", as additional information.

(sorry for 2 posts, should have checked that earlier :) )
 
Top