Windows binary quarantined by Windows Defender — needs code signing #382

@ChristianTellefsenAttensi

Description

The Windows native binary agent-browser-win32-x64.exe is quarantined by Windows Defender (Microsoft Defender Antivirus). This does not necessarily happen immediately during install — in our case the binary worked fine for a day before being quarantined after a subsequent Defender definitions update or scheduled scan. This results in a missing binary and a confusing error at runtime:

Error: No binary found for win32-x64
Expected: C:\Users\...\node_modules\agent-browser\bin\agent-browser-win32-x64.exe

Detection details

  • Detection name: Trojan:Script/Wacatac.H!ml
  • Type: ML heuristic (!ml suffix = machine-learning based, not a specific signature)
  • SHA256: 1e3a61e903960675b3adbefaf1c79e4c04d1b0464b0912d57036c441c0589ecf
  • File size: 777,728 bytes
  • Version: 0.9.1

Wacatac.H!ml is widely reported as a false positive for unsigned/packed binaries. Other CLI tools have the same problem (e.g. opencode#3415).

Steps to reproduce

  1. npm install -g agent-browser on Windows
  2. Binary works initially
  3. Windows Defender eventually quarantines the .exe (e.g. after a definitions update or scheduled scan)
  4. agent-browser "test" fails with "No binary found"

Expected behavior

The binary should be code-signed (Authenticode) so Windows Defender does not flag it.

Workaround

Restore the binary from Windows Security → Protection history, then add an exclusion for the binary path.

Environment

  • OS: Windows 11
  • agent-browser: 0.9.1
  • Node.js: v22.19.0
  • npm global install
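
A check to run before applying the workaround above, as an added example that is not part of the original issue or the project's code: it confirms that the restored file is byte-identical to the binary reported here and shows its Authenticode status before any exclusion is added. It assumes a global npm install (the path is derived from `npm root -g`), an elevated PowerShell session, and the SHA256 reported in this issue for 0.9.1; the `-AddExclusion` switch is a name chosen for this example.

```powershell
# Added example, not project code. Run elevated, after restoring the file
# from Windows Security -> Protection history.
param(
    # SHA256 reported in the issue for agent-browser 0.9.1.
    # For any other version, substitute a value from a source you trust.
    [string]$ExpectedSha256 = '1e3a61e903960675b3adbefaf1c79e4c04d1b0464b0912d57036c441c0589ecf',
    [switch]$AddExclusion   # hypothetical switch name for this example
)

# Assumption: global npm install, as listed in the issue's environment.
$binary = Join-Path (npm root -g) 'agent-browser\bin\agent-browser-win32-x64.exe'

if (-not (Test-Path -LiteralPath $binary)) {
    Write-Warning "Binary missing at $binary (still quarantined or never installed)."
    # Show what Defender recorded for this path, newest first.
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match [regex]::Escape($binary) } |
        Sort-Object InitialDetectionTime -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Detected = $_.InitialDetectionTime
                Threat   = (Get-MpThreat -ThreatID $_.ThreatID).ThreatName
                Resource = $_.Resources -join '; '
            }
        }
    return
}

$hash = (Get-FileHash -LiteralPath $binary -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -FilePath $binary

"SHA256:    $hash"
"Signature: $($sig.Status)"   # NotSigned is the condition this issue asks to fix

# -ne on strings is case-insensitive, so hex case does not matter.
if ($hash -ne $ExpectedSha256) {
    Write-Error 'Hash mismatch: this is not the reported binary. Do not exclude it.'
    return
}

if ($AddExclusion) {
    # Exclude the single file, not the bin folder or node_modules.
    Add-MpPreference -ExclusionPath $binary
    "Exclusion added for $binary"
}
```

A path exclusion applies to whatever is later written to that path, so the hash check only vouches for the file present when the script runs; repeat it after every package update.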
