Micosoft Defender Detects Flowkeeper as Trojan:Script/Wacatac.H!ml

[titusz]

Windows flags and removes Flowkeeper.exe as Trojan:Script/Wacatac.H!ml.

[co-stig]

Hello @titusz, thanks for the report! I can confirm that part of the Windows release pipeline scans Flowkeeper.exe and setup.exe with Windows Defender exactly to avoid issues like this. But it seems that this process is not 100% bullet-proof. Could you please provide a bit more details:

1. What file do you try to execute? Is it the latest Flowkeeper.exe from the "official" website Downloads section?
2. What is your Windows version?

In the meantime I will submit those EXE files to Microsoft Security for validation, just in case.

[co-stig]

Just received an update from Microsoft -- they analyzed both EXE files and concluded that they are safe:

Still, it would be great to get more details from your side, just to be able to reproduce the same issue. Thanks!

[co-stig]

Got another report like this, after submitting false detection to Microsoft :( Tried with the latest Windows Server VM in EC2 -- all works fine

[co-stig]

Just installed 24H2, works fine out of the box:

Upgraded with the latest updates -- still works fine:

Installed 2025 Cumulative Update Preview -- still works fine:

Installed all "normal" updates on a 22H2 instance -- works fine there:

Installed preview updates on 22H2 -- still works:

Also ran Defender scans (Quick, Manual and offline) on both systems explicitly -- no threats detected.

[co-stig]

Alright, I was able to reproduce it by submitting the extracted Flowkeeper.exe to the latest Defender: https://www.virustotal.com/gui/file/07a82b4bc7fd6b049a77f65ef627b248638320ed6c8a9f9ced53072647b71d3a

Already contacted Microsoft and other vendors to mark it as a false positive. Will need to think about how to avoid this for the future versions.

[co-stig]

Update -- Microsoft removed it as false positive, took them three days. Apparently they don't process those tickets on weekends.

[co-stig]

I will close this issue, but will certainly do a follow-up, because this is simply not sustainable -- I can't spend days submitting those Windows binaries to all antivirus vendors as false positives for each new release. As a follow-up I created a few other issues:

• Compare PyInstaller, Nuitka and pyside6-deploy #114 to see if we can use something else than PyInstaller to package Flowkeeper for Windows, specifically focusing on the antivirus detections,
• Daily VirusTotal scan #109 to implement nightly scans via VirusTotal, so that I know about such issues before you open another GitHub ticket,
• Sign flowkeeper.exe from the installer #115 to sign the content of setup.exe. Currently only the installer itself is signed, but not what is inside, and I guess that this is one of the things which might trigger those antiviruses.