geriwald

Reputation: 360

Program installed with Inno Setup seen as Trojan (Wacatac.B!ml)

My software is a .NET application. The original .exe compiled with Visual Studio works fine and Microsoft Defender has nothing to say about it or any of the dependencies.

I made an installer with Inno Setup, that has been working fine until now, on a bunch of different machines.

The installer deploys my two .exe (the main app and an admin tool) and my own libraries, a few other libraries (Helix Toolkit, Triangles.net), and some libraries from .NET 5.0 (so that the framework is not needed for an offline install).

Since this morning, I have the following:

To be clear:

Is it possible that Inno Setup put that Trojan in my exe? If so, what could I do to prevent or circumvent it?

The more I investigate this, the less I understand what Inno Setup does. My original exe file weighs only 280 KB, and the exe file installed by Inno Setup weighs 132 MB. And, again, the Trojan is ONLY detected in the exe installed by Inno Setup.

Screen cap (sorry for the French OS):


The trojan description is:
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aScript%2fWacatac.B!ml&threatid=2147735503

The Inno Setup installer is now seen as containing the trojan and put in quarantine.


Upvotes: 9

Views: 16959

Answers (7)

bluish

Reputation: 27380

I solved it by updating Inno Setup from 5.5.9 to 6.4.1 (current latest version).

Otherwise I could go on using Inno Setup 5.5.9 if in the .iss file I...

  • remove SetupIconFile line
  • change SolidCompression=yes to SolidCompression=no

Upvotes: -1

edayangac

Reputation: 101

Inno Setup version 6.2.2 had a similar issue on Windows 11. Instead, install version 6.3.3. I hope it helps you.

Upvotes: -1

Vland

Reputation: 4272

I solved it by enabling the "Sign the assembly" option in the project properties.


Upvotes: 0

Sosukodo

Reputation: 91

The problem is the Compression setting in Inno Setup. Change it from:

Compression=lzma

to

Compression=zip

and the problem goes away. Feel free to try other Compression settings, but zip works.

Upvotes: 8

Hu Johney

Reputation: 21

I removed the remarked items, the Trojan warning disappeared:

Upvotes: 0

Marko

Reputation: 2365

My .NET 6 app was flagged with the same Trojan. Defender had no issues when my code was just in the bin\release folder, but after publishing it to a folder and letting Visual Studio create a single executable, Defender started showing this false positive. For me the solution was simply to strong name my main exe assembly. This seemed to change the final resulting exe signature enough to not get flagged anymore.

Upvotes: 2

Slappy

Reputation: 5472

This is a false positive alarm.

Report your software as safe to several AV companies and wait till they update their databases.

Also, it helps if the software is signed with a certificate, has many users/downloads and everyone reports it as safe.

Upvotes: 4
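A check that bears on both the question and the advice to report and sign, as an added example that is not from any of the posts above: it compares the build output with the installed copy by size, SHA-256 and Authenticode status, then lists what Defender recorded for the threat ID in the question's link. The two paths and the function name `Get-FileTriage` are placeholders chosen for this example.

```powershell
# Added example. Both default paths are placeholders (assumptions): point them at
# the file your .iss [Files] section packages and at the copy the installer deployed.
param(
    [string]$BuildExe     = 'C:\build\publish\MyApp.exe',
    [string]$InstalledExe = 'C:\Program Files\MyApp\MyApp.exe'
)

# Hypothetical helper: collects the facts an AV vendor asks for in a
# false-positive report (size, SHA-256, signature state) for one file.
function Get-FileTriage {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # A quarantined file is no longer on disk; restore it into an
        # excluded folder or re-run the installer on a test machine first.
        throw "File not found (quarantined or wrong path?): $Path"
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $item.FullName
        SizeBytes = $item.Length
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = $sig.Status                     # e.g. NotSigned, Valid, HashMismatch
        Signer    = $sig.SignerCertificate.Subject  # empty when unsigned
    }
}

$build     = Get-FileTriage -Path $BuildExe
$installed = Get-FileTriage -Path $InstalledExe
$build, $installed | Format-List

if ($build.SHA256 -eq $installed.SHA256) {
    'Same file: the installed exe is byte-for-byte the build output.'
} else {
    'Different file: the deployed exe is not the build output you compared against.'
    'Check which file the Source entries in the .iss [Files] section point at.'
}

# Detections Defender recorded for the threat ID from the encyclopedia URL
# in the question (threatid=2147735503), newest first.
Get-MpThreatDetection |
    Where-Object ThreatID -eq 2147735503 |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ProcessName, Resources
```

The SHA-256 values and signature status are what a false-positive submission form typically asks for, and the `Resources` column shows exactly which file paths Defender matched.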
