PureBasic Trojan detected by Windows Defender

cmartinez
New User
Posts: 7
Joined: Thu Jun 18, 2020 3:24 pm
Location: Monterrey, Mexico

PureBasic Trojan detected by Windows Defender

Post by cmartinez »

A few weeks ago I downloaded the demo version of PureBasic from its official website. Now I'm getting this message on the two computers that I have it installed on.

Threat detected: Trojan:Win32/Wacatac.D!ml
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.
Affected items: .......\Temp\PureBasic_Compilation.exe

What's up with this?
When people are free to pursue goals unfettered by presumed limitations on what they can accomplish, they just may manage some extraordinary feats through the combined application of native talent and hard work. - David Mikkelson
kernadec
Enthusiast
Posts: 146
Joined: Tue Jan 05, 2010 10:35 am

Re: PureBasic Trojan detected by Windows Defender

Post by kernadec »

Hello,
The PureBasic IDE does not need to go on the Internet to function,
so just go to the Windows firewall and prohibit the connection and the problem is solved.
Bye
Marc56us
Addict
Posts: 1479
Joined: Sat Feb 08, 2014 3:26 pm

Re: PureBasic Trojan detected by Windows Defender

Post by Marc56us »

Preferences > Compiler > [X] Create temporary executable in the source directory

and exclude your sources directory from your virus scanner

%temp%\PureBasic_Compilation*.exe is the name of your compilation if you do not set a name.

:wink:
cmartinez
New User
Posts: 7
Joined: Thu Jun 18, 2020 3:24 pm
Location: Monterrey, Mexico

Re: PureBasic Trojan detected by Windows Defender

Post by cmartinez »

Thank you both for your replies. But my question is, why is a trojan being detected in the first place?
kernadec
Enthusiast
Posts: 146
Joined: Tue Jan 05, 2010 10:35 am

Re: PureBasic Trojan detected by Windows Defender

Post by kernadec »

A Trojan can have an execution sequence of assembly that is identical or very close to code compiled by PureBasic;
in case of doubt, it gives an alert.
If you don't want to face this kind of trouble, either you prohibit it or you give an exception for the PureBasic IDE.

Best regards
IdeasVacuum
Always Here
Posts: 6425
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: PureBasic Trojan detected by Windows Defender

Post by IdeasVacuum »

Given that Fred (PB Developer and Owner) does not include Trojans in his code, there is nothing harmful to detect. This means that Windows Defender is giving a false-positive (rare, unlike products such as Avast that discover "threats" everywhere).

If in doubt about the safety of any exe file, you can upload it to VirusTotal to see how many antivirus programs think there is an issue - but beware, many AV programs use the same engine and same database and consequently they can all report the same false result. It is mostly down to so-called heuristics code attempting to identify threats that are newer than the detection code.

You can report Windows Defender issues:
https://www.microsoft.com/en-us/wdsi/filesubmission
IdeasVacuum
If it sounds simple, you have not grasped the complexity.
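
Added example, not part of any post in this thread: a PowerShell triage for the steps suggested above (see what Defender flagged, hash the compiled file for VirusTotal or a Microsoft submission, then exclude only the source directory instead of all of %TEMP%). `$SourceDir` is an assumed folder name; the cmdlets are the built-in Defender module and `Get-FileHash`.

```powershell
#Requires -RunAsAdministrator
param(
    # Assumption: the folder holding your .pb sources, with the IDE option
    # "Create temporary executable in the source directory" enabled.
    [string]$SourceDir = "$env:USERPROFILE\PureBasicProjects",
    [string]$Pattern   = 'PureBasic_Compilation*.exe'
)

# 1. List Defender detections whose affected items mention the PureBasic
#    temporary executable, with the threat name resolved from the threat ID.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ';') -like '*PureBasic_Compilation*' } |
    Select-Object InitialDetectionTime,
                  @{ n = 'Threat';    e = { $threatNames[$_.ThreatID] } },
                  @{ n = 'Resources'; e = { $_.Resources -join ';' } } |
    Format-List

# 2. Hash any compiled output still on disk. The SHA-256 can be searched on
#    VirusTotal or quoted in a false-positive submission to Microsoft.
#    A quarantined file will not be listed here.
Get-ChildItem -Path $env:TEMP, $SourceDir -Filter $Pattern -File `
              -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA256 |
    Format-Table Hash, Path -AutoSize

# 3. Exclude only the dedicated source directory. %TEMP% itself stays
#    scanned, because unrelated downloads and installers also land there.
if (-not (Test-Path -LiteralPath $SourceDir)) {
    Write-Warning "Source directory not found: $SourceDir"
    return
}
$existing = (Get-MpPreference).ExclusionPath
if ($existing -notcontains $SourceDir) {
    Add-MpPreference -ExclusionPath $SourceDir
}

# 4. Show the resulting exclusion list so it can be reviewed and, later,
#    trimmed with Remove-MpPreference -ExclusionPath.
(Get-MpPreference).ExclusionPath
```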
cmartinez
New User
Posts: 7
Joined: Thu Jun 18, 2020 3:24 pm
Location: Monterrey, Mexico

Re: PureBasic Trojan detected by Windows Defender

Post by cmartinez »

Thanks for the explanations ... and of course I never doubted Fred's honesty... God forbid... this software is proving to be a marvelous discovery for me, and pretty soon I'll be acquiring a professional licence.

Thanks all for the clarification.
Ty1003
User
Posts: 31
Joined: Thu May 14, 2020 10:31 pm

Re: PureBasic Trojan detected by Windows Defender

Post by Ty1003 »

Yup. A lot of more down-stream languages such as PB have this problem. You can just add an exclusion to your Windows Defender and you'll be fine. AutoIt also has this problem, but god only knows what nasty stuff was made with it. Someone might've made a virus in PureBasic ages ago, thus triggering Windows Defender to detect similarities in the executable, and flag it. You can report it to Microsoft but chances are nothing will get done about it so it's just easier to add an exclusion.
IdeasVacuum
Always Here
Posts: 6425
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: PureBasic Trojan detected by Windows Defender

Post by IdeasVacuum »

... I don't know of any programming language that is immune to false-positives. C/C++ = nightmare.
BarryG
Addict
Posts: 3333
Joined: Thu Apr 18, 2019 8:17 am

Re: PureBasic Trojan detected by Windows Defender

Post by BarryG »

cmartinez wrote: What's up with this?
False-positive alerts. Been discussed here before. Search the forums. Annoying as hell but not much we can do.
Rinzwind
Enthusiast
Posts: 638
Joined: Wed Mar 11, 2009 4:06 pm
Location: NL

Re: PureBasic Trojan detected by Windows Defender

Post by Rinzwind »

Would be interesting to see the code you compiled/ran that triggered the alert. Much AV software was never really smart about it. They trigger on anything unknown that calls certain system APIs or inet functions. It seems even worse nowadays. Any legitimate scripting is also a known case of trouble with antivirus engines. Heuristics my ass
skywalk
Addict
Posts: 4005
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: PureBasic Trojan detected by Windows Defender

Post by skywalk »

A backup and compression tool I wrote more than 5 yrs ago just got flagged on Windows 10 Defender. Seems like they are lowering the threshold for virus.
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
kernadec
Enthusiast
Posts: 146
Joined: Tue Jan 05, 2010 10:35 am

Re: PureBasic Trojan detected by Windows Defender

Post by kernadec »

Hello,
Can Fred explain why the IDE uses a connection when it compiles code, while the PureBasic IDE does not need a connection for this work, and why it copies our source code under the name "PB_EditorOutput.pb" to an area accessible to intruders? We have no option to prevent this, so I use the Windows firewall to prevent the IDE from connecting without my knowledge and without giving the reason for this connection.

Because in portable mode it can leave the source code "PB_EditorOutput.pb" on the client computer during the test.
Best regards
Vernostonos
User
Posts: 58
Joined: Thu Jul 02, 2020 9:52 pm

Re: PureBasic Trojan detected by Windows Defender

Post by Vernostonos »

I found the Windows Firewall to be problematic. I've used TinyWall for years; it's a lightweight and very easy-to-use program. You have to set an exception for Firefox and it will work great. Especially in conjunction with software like Sandboxie. Other than Firefox nothing on my computer is allowed to ping the internet. I gave up years ago on anti-virus software; it's slow and by the time it catches anything it's often too late. It's much better to use a virtual machine or sandboxing software for your internet needs and when downloading. Just my 2 cents...
BarryG
Addict
Posts: 3333
Joined: Thu Apr 18, 2019 8:17 am

Re: PureBasic Trojan detected by Windows Defender

Post by BarryG »

kernadec wrote: why copy our source code under the name "PB_EditorOutput.pb" in an area accessible to intruders we have not option to prevent this
The Windows %TEMP% folder (where the source is copied by default) is designed to hold temp files like this. It's not a problem or bad practice to do that. That folder is not meant for critical or private files.
kernadec wrote: i use windows firewall to prevent the IDE connect without my knowledge without giving the reason for this connection
What do you mean? What proof have you got of this? There's an auto-update check, is that what you mean? This can be disabled.