2.3.11 - Win11 Defender detects x64 msi as a Trojan:Script/Wacatac.B!ml #11797

Closed
2 tasks
MrTomasz opened this issue Jul 18, 2024 · 11 comments

Comments

@MrTomasz

MrTomasz commented Jul 18, 2024

Windows Version

Microsoft Windows 11 24H2 10.0.26100.1150

WSL Version

2.3.11

Are you using WSL 1 or WSL 2?

  • WSL 2
  • WSL 1

Kernel Version

No response

Distro Version

No response

Other Software

Windows Defender signatures version 1.415.150.0 (2024-07-17 14:08).

Repro Steps

Download wsl.2.3.11.0.x64.msi

Expected Behavior

Installer package is clean and able to be installed.

Actual Behavior

Windows Defender detects a Trojan:Script/Wacatac.B!ml in the MSI installer and removes it.

Diagnostic Logs

webfile: C:\xxx\wsl.2.3.11.0.x64.msi|https://objects.githubusercontent.com/github-production-release-asset-2e65be/55626935/640d9564-e4e4-4ea5-b125-5da7bc8e825f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240718%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240718T084119Z&X-Amz-Expires=300&X-Amz-Signature=283a0eed31037353b376545ec86582cbdefefd4862eaec7f46a8a06e7d3080bc&X-Amz-SignedHeaders=host&actor_id=17730020&key_id=0&repo_id=55626935&response-content-disposition=attachment%3B%20filename%3Dwsl.2.3.11.0.x64.msi&response-content-type=application%2Foctet-stream|pid:13468,ProcessStart:133657656937118415

Logs are required for review from WSL team

If this is a feature request, please reply with '/feature'. If this is a question, reply with '/question'.
Otherwise please attach logs by following the instructions below; your issue will not be reviewed unless they are added. These logs will help us understand what is going on in your machine.

How to collect WSL logs

Download and execute collect-wsl-logs.ps1 in an administrative powershell prompt:

Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/WSL/master/diagnostics/collect-wsl-logs.ps1" -OutFile collect-wsl-logs.ps1
Set-ExecutionPolicy Bypass -Scope Process -Force
.\collect-wsl-logs.ps1

The script will output the path of the log file once done.

Once completed please upload the output files to this Github issue.

Click here for more info on logging
If you choose to email these logs instead of attaching to the bug, please send them to [email protected] with the number of the github issue in the subject, and in the message a link to your comment in the github issue and reply with '/emailed-logs'.

@DoctorWho8

A false positive. Can you check with a different AV program?

@MrTomasz
Author

MrTomasz commented Jul 18, 2024

Logs are required for review from WSL team

Not gonna provide because this is related to WSL installer, not to WSL itself.

A false positive.

I am 99.9% sure it's false positive, but MSFT AV shall not react in that way for MSFT software. Previous versions were alright.

@davidfiala

davidfiala commented Jul 18, 2024

To be super explicit so that we're all on the same page:

The link in question: https://github.com/microsoft/WSL/releases/download/2.3.11/wsl.2.3.11.0.x64.msi

Ref: https://www.virustotal.com/gui/file/ac59215d7d723b226a6fbe9c85f88245e2d7355c7c8ec53fb8c0f1f4791d5d11/details

Algo     Hash of MSI
MD5      51d293f12d39aff872b805af22d8a7d9
SHA-1    7a59e95038727c5f026f66618a6a01bea2400848
SHA-256  ac59215d7d723b226a6fbe9c85f88245e2d7355c7c8ec53fb8c0f1f4791d5d11

Still hits positive as of Windows 11 Defender:

Security intelligence version: 1.415.174.0
Version created on: 7/18/2024 3:47 AM

Edit: fixed file URL due to bad copy/paste. hashes were correct.

@newbenji

To be super explicit so that we're all on the same page:

The link in question: https://github.com/microsoft/WSL/releases/download/2.2.4/wsl.2.2.4.0.x64.msi

Ref: https://www.virustotal.com/gui/file/ac59215d7d723b226a6fbe9c85f88245e2d7355c7c8ec53fb8c0f1f4791d5d11/details

Algo     Hash of MSI
MD5      51d293f12d39aff872b805af22d8a7d9
SHA-1    7a59e95038727c5f026f66618a6a01bea2400848
SHA-256  ac59215d7d723b226a6fbe9c85f88245e2d7355c7c8ec53fb8c0f1f4791d5d11
Still hits positive as of Windows 11 Defender:

Security intelligence version: 1.415.174.0
Version created on: 7/18/2024 3:47 AM

Pretty sure it's the new pre-release

https://github.com/microsoft/WSL/releases/download/2.3.11/wsl.2.3.11.0.x64.msi

That's the one testing positive in my MS Defender.

file: wsl.2.3.11.0.x64.msi
Virus: Trojan:Script/Wacatac.B!ml

@davidfiala

@OneBlue I know there probably isn't an SLA for these types of things, but given the sensitivity it would be nice to receive some sort of acknowledgement, even if there is no immediate resolution. Or at least a process update for next time.

Publishing an unsigned MSI that is flagged by Defender is not ideal.


FWIW, Defender is no longer flagging in my case:

Security intelligence version: 1.415.241.0
Version created on: 7/22/2024 4:11 AM

@benhillis
Member

@davidfiala - we recently did some build system refactoring and publishing unsigned MSI files is a new regression. We're fixing that internally and will be updating our checks to make sure that doesn't happen again.
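A pre-install check for the situation this thread describes, added here as an example and not taken from the thread or the WSL project: it compares the downloaded MSI's SHA-256 against the value davidfiala posted above, reports the Authenticode signature status (an unsigned Microsoft release MSI is the regression benhillis confirms), and lists any Defender detection recorded for that file name. The default path is an assumption; `Get-MpThreatDetection` comes from the built-in Defender PowerShell module.

```powershell
# Added example (not from the thread): verify a downloaded WSL MSI before installing.
# The expected hash is the SHA-256 posted in this issue for wsl.2.3.11.0.x64.msi;
# the default path is an assumption and should be adjusted by the caller.
param(
    [string]$MsiPath = "$env:USERPROFILE\Downloads\wsl.2.3.11.0.x64.msi",
    [string]$ExpectedSha256 = "ac59215d7d723b226a6fbe9c85f88245e2d7355c7c8ec53fb8c0f1f4791d5d11"
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    # Defender removes the file on detection, so a missing file is itself a signal.
    Write-Error "File not found: $MsiPath (Defender may already have quarantined it)"
    exit 2
}

# 1. Hash check: confirms the bytes on disk are the published release asset.
$actual = (Get-FileHash -LiteralPath $MsiPath -Algorithm SHA256).Hash.ToLowerInvariant()
$hashOk = ($actual -eq $ExpectedSha256.ToLowerInvariant())
Write-Host ("SHA-256 {0}: {1}" -f $(if ($hashOk) { "match" } else { "MISMATCH" }), $actual)

# 2. Authenticode check: a Microsoft release MSI should carry a valid Microsoft signature.
#    Status 'NotSigned' is the unsigned-package regression discussed in this issue.
$sig = Get-AuthenticodeSignature -LiteralPath $MsiPath
Write-Host ("Signature status: {0}" -f $sig.Status)
if ($sig.SignerCertificate) { Write-Host ("Signer: {0}" -f $sig.SignerCertificate.Subject) }
$sigOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft Corporation*')

# 3. Defender's own record: detections whose resource path names this file.
$leaf = [regex]::Escape((Split-Path -Leaf $MsiPath))
$detections = Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Where-Object { ($_.Resources -join ' ') -match $leaf }
foreach ($d in $detections) {
    Write-Host ("Defender detection: ThreatID {0} at {1}" -f $d.ThreatID, $d.InitialDetectionTime)
}

# Exit code summarises the verdict so the check can gate an automated install.
if ($hashOk -and $sigOk) { Write-Host "OK: hash matches and package is Microsoft-signed"; exit 0 }
elseif ($hashOk)         { Write-Host "WARN: hash matches but package is not validly Microsoft-signed"; exit 1 }
else                     { Write-Host "FAIL: hash mismatch; do not install"; exit 3 }
```

A hash match with status `NotSigned` reproduces exactly what this thread observed: the published bytes, but without the signature Defender's reputation checks expect.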

@DoctorWho8

And that answers my issues completely. @benhillis can we mark this as "closed"? Or does it stay open until the next signed release is available?

@benhillis
Member

I'll mark this as fixed when we push a new update.

@DoctorWho8

I'll mark this as fixed when we push a new update.

Great!

@MrTomasz
Author

I am happy now with wsl.2.3.13.0.x64.msi.
