Watch out for Windows Defender's new 'machine learning' deleting/killing your app

We had a customer support call today saying that their Delphi app wasn’t working. It was marked as Trojan Bearfoos.A!ml - look out for ml at the end of the description.

I assume the machine learning was as sophisticated as ‘calls web site to check for updates, no URL matching to actual trojan, made in Delphi, no other matching file size etc - bing bing virus’

The joy!

Symptoms are the executable will disappear and you’ll see an entry in the Windows Defender history log. No alerts will appear on screen at all.

Were the apps in question code-signed? If they are signed, then it’s absolute nonsense for Defender to just blindly assume any executable is a virus. In fact, as long as the code certificate is valid and unrevoked then that should be the first level of “probably not a virus” versus the utter stupidity of heuristic detection which is basically a useless panacea from Defender tantamount to an admission that virus and trojan writers are fighting a war in which the bad guys have the upper hand.

Also, Microsoft could solve this by making any code-signed apps and files immutable at the operating system level.

It has just happened to me when I built a file and tried to run it. Wiped from my machine. Ouch.

Rebuilt and it is still there. Wonder for how long.


I’ve heard if you say “I love Bill Gates” when you build a project Windows Defender will not delete it :wink:

What do you do, if your PC doesn’t have a microphone? or the microphone doesn’t work? :smiley:

They pretend they’re not listening and the microphone is broken… but we know better :crazy_face:

Your microphone isn’t broken, it just appears that way - really it’s just in use by another… err… app :smirk:


Just had Defender decide that a file written in 2018 was infected with Trojan:Win32/Wacatac.B!ml

‘Simply’ signing the file fixed the ‘problem’.

Although now I realise I’m not going to sleep tonight wondering if our certificate is going to get revoked due to us being flagged as a ‘known spreader of viruses’.

As part of this fun I discovered a few ‘quirks’ of Defender:

If you ‘simply’ use ‘Allow on Device’ to get the app to work, you are actually allowing the virus to run on your computer (i.e. perhaps creating a real exposure, if the real virus arrives in another exe).

There is another way of adding an exclusion (sorry, can’t ‘refind’ it now) that actually only creates a 48-hour-ish exclusion. It creates an explicit exclusion for the file/folder combo and it won’t appear in any Defender settings. You can find it in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths but you won’t be able to delete anything in there yourself.
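An added triage script for the situation the thread describes (not code from any poster): it checks whether a freshly built executable is Authenticode-signed, looks in Defender's detection history for that file and flags `!ml` verdicts, and lists both the permanent exclusions and the short-lived ones under the TemporaryPaths key mentioned above. It assumes the Defender PowerShell module (Windows 10/11), an elevated prompt, and a hypothetical `$ExePath` for your build.

```powershell
# Added example: triage a build that Defender may have removed.
# Assumptions: Defender module present, elevated prompt (threat history and
# the TemporaryPaths key need admin), $ExePath is a hypothetical path.
param(
    [string]$ExePath = 'C:\Projects\MyApp\Win32\Release\MyApp.exe'  # hypothetical
)

# 1. Is the binary Authenticode-signed, and is the chain valid/unrevoked?
$sig = Get-AuthenticodeSignature -FilePath $ExePath -ErrorAction SilentlyContinue
if ($null -eq $sig) {
    Write-Host "File not found (Defender may already have removed it): $ExePath"
} else {
    Write-Host "Signature status : $($sig.Status)"   # Valid / NotSigned / HashMismatch ...
    if ($sig.SignerCertificate) {
        Write-Host "Signer           : $($sig.SignerCertificate.Subject)"
        Write-Host "Expires          : $($sig.SignerCertificate.NotAfter)"
    }
}

# 2. Did Defender log a detection for this file? Resources entries look like
#    'file:_C:\path\MyApp.exe', so match on the file name.
$name = [IO.Path]::GetFileName($ExePath)
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($name) } |
    ForEach-Object {
        $label = $threatNames[$_.ThreatID]
        # '!ml' suffix marks a machine-learning / heuristic verdict rather than a signature hit
        $ml = if ($label -match '!ml$') { ' (ML/heuristic verdict)' } else { '' }
        Write-Host "Detected $($_.InitialDetectionTime): $label$ml"
        Write-Host "  Resources: $($_.Resources -join ', ')"
    }

# 3. Which exclusions are in force? Permanent ones show in Get-MpPreference;
#    the short-lived ones live only under the TemporaryPaths registry key.
Write-Host "Permanent path exclusions:"
(Get-MpPreference).ExclusionPath | ForEach-Object { Write-Host "  $_" }

$tmpKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths'
if (Test-Path $tmpKey) {
    Write-Host "Temporary path exclusions (registry):"
    (Get-ItemProperty -Path $tmpKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop PowerShell's own PSPath/PSParentPath noise
        ForEach-Object { Write-Host "  $($_.Name) = $($_.Value)" }
} else {
    Write-Host "No TemporaryPaths key present."
}
```

If the signature status is anything other than `Valid`, or a temporary exclusion is the only reason the build runs, treat that as the thing to fix rather than adding a broader exclusion.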