
GDWeave flagged as false positive by antivirus software #25

Open
kdurmeter opened this issue Nov 11, 2024 · 12 comments

Comments

@kdurmeter

Good morning.

Went to install GDWeave and it's being flagged as a virus by Windows Defender

It is flagging it as Trojan:Win32/Wacatac.B!ml

[image attached]

@NotNite
Owner

NotNite commented Nov 11, 2024

This is a false positive by your antivirus, but I kind of expected this happening from the new GDWeave update that initializes itself in a different way. You can tell your antivirus to ignore this for now. I'll get this sorted soon.

@NotNite NotNite changed the title GDWeave Flagged as Virus by Windows Defender GDWeave flagged as false positive by antivirus software Nov 13, 2024
@NotNite NotNite pinned this issue Nov 13, 2024
@legokidlogan

And yet, scanning built-in system copies of winmm.dll (of which there are many) results in no detection flags, for WD and VirusTotal.

Is there any difference in the contents of GDW's version of the DLL from the standard C:\Windows\System32\winmm.dll, or is it just a matter of not being properly signed? If it's the latter, then theoretically people could use a copy of the DLL from their own system files instead and have it run fine without the worry of a flagged third-party DLL.

@NotNite
Owner

NotNite commented Nov 24, 2024

The winmm.dll included is a proxy DLL written in Rust. Replacing it with the system file would result in GDWeave not loading. The entire point is that it overrides the system file in the search path.

@RecoveryDeer

Yo, has this been fixed or not? @NotNite

@NotNite
Owner

NotNite commented Dec 9, 2024

There isn't anything I can "fix". Microsoft's form to mark as a false positive is currently broken, and it's not a bug in my code. Also, please don't ping me in GitHub issues I'm already subscribed to - I will see your message eventually.

@RecoveryDeer

RecoveryDeer commented Dec 9, 2024

I never got a reply for my other question, so I naturally assumed you didn't see it. This is the only time I've ever had this problem with anything; so I ask again:
Is it safe to mark as ignore? I've read that it's an actual potential virus in correspondence to other things, so if I mark it for ignore, how do I know it won't just ignore future instances where it isn't a 'false positive'?

You also stated in a previous comment that you'd get it sorted soon, ergo why I asked if it has been fixed or not.

@NotNite
Owner

NotNite commented Dec 9, 2024

Is it safe to mark as ignore?

Yes.

I've read that it's an actual potential virus in correspondence to other things

It's not, and I proved this: #27 (comment)

if I mark it for ignore, how do I know it won't just ignore future instances where it isn't a 'false positive'?

Assuming you mark the detection as wanted instead of making an exclusion, it'll probably allow that specific version of the file instead of excluding every version.

There will never be a time I push malware to GDWeave, and I have systems in place to ensure that wrt CI. If it's really needed, I can set up attestation, but I don't think it's worth the effort.

You also stated in a previous comment that you'd get it sorted soon, ergo why I asked if it has been fixed or not.

I tried. Microsoft's form to mark as a false positive is currently broken.
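The point above about allowing one specific version of the file rather than excluding every future file at that path can be applied on the user side as well. The following is an added example, not code from the GDWeave project or from anyone in this thread: it pins each DLL you vetted by its SHA-256 and reports anything in the game folder that is missing, changed, or not on the list. Only the name winmm.dll comes from the thread; the file contents, the hashes derived from them, and the names helper.dll, other.dll and extra.dll are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not GDWeave's own code): pin the exact DLL build you vetted by
# SHA-256, so that a later, different file in the same place is noticed instead
# of silently inheriting an antivirus exclusion.


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_pinned(game_dir: Path, allowlist: dict[str, str]) -> dict[str, str]:
    """Compare the DLLs in game_dir against a name -> SHA-256 allowlist.

    Every allowlisted name is reported as 'ok', 'missing' or 'changed';
    any other .dll in the directory is reported as 'unexpected'.
    """
    results: dict[str, str] = {}
    for name, expected in allowlist.items():
        target = game_dir / name
        if not target.is_file():
            results[name] = "missing"
        elif sha256_of(target) != expected.lower():
            results[name] = "changed"
        else:
            results[name] = "ok"
    for dll in sorted(game_dir.glob("*.dll")):
        if dll.name not in allowlist:
            results[dll.name] = "unexpected"
    return results


def demo() -> dict[str, str]:
    """Build a throwaway game folder with constructed file contents and check it.

    'winmm.dll' is the proxy DLL name from the thread; the bytes, and the
    names helper.dll, other.dll and extra.dll, are invented for this example.
    """
    vetted = {
        "winmm.dll": b"MZ constructed proxy build 1.0",
        "helper.dll": b"MZ constructed helper build 1.0",
        "other.dll": b"MZ constructed other build 1.0",
    }
    # The allowlist would normally come from the release page or an attestation
    # you verified once; here it is derived from the constructed 'vetted' bytes.
    allowlist = {name: hashlib.sha256(data).hexdigest() for name, data in vetted.items()}

    with tempfile.TemporaryDirectory() as tmp:
        game_dir = Path(tmp)
        (game_dir / "winmm.dll").write_bytes(vetted["winmm.dll"])           # untouched
        (game_dir / "helper.dll").write_bytes(vetted["helper.dll"] + b"!")  # modified
        # other.dll is deliberately not written: simulates a deleted file
        (game_dir / "extra.dll").write_bytes(b"MZ constructed unknown file")  # not vetted
        return check_pinned(game_dir, allowlist)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Running it prints `winmm.dll: ok`, `helper.dll: changed`, `other.dll: missing` and `extra.dll: unexpected`. In practice the allowlist is filled with the checksums published for the release you installed (or taken from a verified attestation), and the check is re-run whenever the antivirus raises a new detection: an `ok` result means the flagged file is still the build you already decided to trust, while `changed` or `unexpected` means the detection deserves a fresh look rather than the old exclusion.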

@RecoveryDeer

Thank you!!

@MareepSheepPeep

My Windows Defender is flagging that .dll with PUA:Win32/Packunwan - is this also an expected false positive? It's also flagged as malicious by 12/68 vendors in VirusTotal, citing hacktool.rustregion. I am not trying to accuse you of anything or make any judgements about your character, I'm just trying to be as safe as possible.

@NotNite
Owner

NotNite commented Dec 17, 2024

Yes.

@Foxydapirate12

Foxydapirate12 commented Jan 3, 2025

You can submit the file to the Microsoft Malware Analysis File Submission Page and they usually include a patch for it in the next Windows Defender Security Intelligence Update, I'll submit the current version now ^w^

@NotNite
Owner

NotNite commented Jan 3, 2025

You can submit the file to the Microsoft Malware Analysis File Submission Page and they usually include a patch for it in the next Windows Defender Security Intelligence Update, I'll submit the current version now ^w^

Last time I tried doing this, their submission form was broken, but if it works now you're welcome to. Thanks!

6 participants