
Last release is marked with a Trojan Wacatac.B!ml #1024

Open
confibox opened this issue Sep 15, 2024 · 7 comments

Comments

@confibox

The latest release, MacType v1.2024.9.14, is marked by NordVPN and MS Security Defender with the trojan:

Trojan:Win32/Wacatac.B!ml

Any idea?

@snowie2000
Owner

As long as you got the file from GitHub, it should be fine.

@confibox
Author

confibox commented Sep 15, 2024

Hi Snowie2000, thanks in advance. Yes, I got the file from GitHub. I wonder why two engines refuse to deal with it: NordVPN blocks the download; I turn off the protection, and later, when I run the installation, MS Security Defender refuses to run the installation process. Which component is identified as a Trojan?

@ssssssbbb

ESET did the same thing. The problem is not about whether it is a trojan or not; the file just evaporates as soon as the download is completed. It's so annoying to turn off the protection before using it.

This prevents the software from becoming popular.

@snowie2000
Owner

snowie2000 commented Sep 16, 2024

Because of the nature of MacType, it can cause false positives for many AV software products, because:

  1. It hooks many APIs and hooks into almost all processes.
  2. It alters the way processes launch and changes the code of the target processes.
  3. It has EasyHook and Detours built in, and they are widely found in malware.

I think the reason it is more commonly mistakenly detected is that this is the first version that has EasyHook/Detours statically linked, which looks more like malware behavior, while previously they were distributed separately as DLLs.

@wmjordan

I've been using MacType for more than a decade.
It is solidly stable and never connects to the Internet without your explicit permission.
I've even installed it onto my Windows servers. No crash or security warning has ever been caused by it.

@dinaau

dinaau commented Sep 20, 2024

Because of the nature of MacType, it can cause false positives for many AV software products, because:

  1. It hooks many APIs and hooks into almost all processes.
  2. It alters the way processes launch and changes the code of the target processes.
  3. It has EasyHook and Detours built in, and they are widely found in malware.

I think the reason it is more commonly mistakenly detected is that this is the first version that has EasyHook/Detours statically linked, which looks more like malware behavior, while previously they were distributed separately as DLLs.

Yeah, but why doesn't the previous build trigger the alarm? What is the difference you've made in version 2024.9.14 that might have triggered those engines?

@snowie2000
Owner

Nobody knows. My guess is that the statically linked mactype.core looks somewhat like many trojan malware samples.
Or maybe simply because old versions are whitelisted in the AV software.
