Latest Release Recognized as Threat by Windows #60

Open
patrickmelix opened this issue Apr 2, 2024 · 18 comments

@patrickmelix

The latest 1.61 release is recognized by Windows as Trojan:Script/Phonzy.B!ml and installation is blocked.

@Jonathan-LeRoux
Owner

Is this Windows Defender? Is there a way to force the installation and/or whitelist the file?
We've had many false positives in the past and some success getting previous versions whitelisted by various antivirus software.
You can try downloading the .pptm and creating your own .ppam from it, it might work.

@patrickmelix
Author

Yes, it is Windows Defender. One can force the file to be restored in the settings of the Defender. I mainly wanted to let you know that this is a thing. The previous version is not detected as malicious. I have not tried to create the ppam myself, as I don't currently have the need for the latest version. But I might try later.
As I don't have any experience with this kind of problem I sadly cannot help you with getting this whitelisted... But thanks a lot for your great work!

@Jonathan-LeRoux
Owner

Thanks a lot for letting me know! I use Defender as well so I can see if it gets flagged on my end too. I will also check virustotal.

@Jonathan-LeRoux
Owner

I just tried downloading the .ppam file from the release and double-clicking it. I had to first "unblock" it in its Properties in Explorer, then enable macros, but I didn't get any warning from Windows Defender. I did try to scan the file, and Defender didn't report any threat. I don't know if it's because my virus definitions are older or newer than yours...
Note that virustotal.com only reports one security vendor as detecting malware.
My guess is that these detections are very fuzzy, and it's just a fluke.

@Jonathan-LeRoux
Owner

The count has now climbed to 13/62. I have honestly no idea what is triggering these detections, other than stupid AI and herd behavior. The "Code Insight" is actually pretty spot on and explains that all the functions that are used are there for a good reason, not a malicious one. The other AI-generated code analysis basically talks about generic things that, indeed, a malicious add-in would do, but also that any add-in that needs to execute external programs and store information in the registry would do too...

@Jonathan-LeRoux
Owner

If someone gets a similar malware detection, it would be very helpful if you could:

  • try to download the .pptm and "save as" to a .ppam to create your own add-in. Maybe Defender will like it better.
  • try updating your virus definitions
  • try requesting Windows Defender to analyze the add-in further and whitelist it. I believe you can do so via their sample submission portal.
    This last step is very important. Hopefully it only takes a couple minutes to do.
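A scripted version of the triage steps above (refresh definitions, rescan the file, and record the exact detection name and file hash to quote in the false-positive submission), added here as an example; it is not part of this issue or of the IguanaTeX project, and the download path is an assumption.

```powershell
# Added example, not from the issue or the project: triage a suspected Defender false positive
# on an Office add-in. Run from an elevated PowerShell; the path below is an assumption.
$AddIn = "$env:USERPROFILE\Downloads\iguanatex_v1_61.ppam"

if (-not (Test-Path -LiteralPath $AddIn)) { throw "File not found: $AddIn" }

# 1. Record the SHA-256 so the submission refers to exactly this file (the vendor
#    submission portal and VirusTotal both identify samples by hash).
$hash = (Get-FileHash -LiteralPath $AddIn -Algorithm SHA256).Hash
Write-Host "SHA256: $hash"

# 2. Pull the latest definitions before re-testing; a stale engine may still flag the file.
Update-MpSignature

# 3. Scan only this file with the freshly updated definitions.
Start-MpScan -ScanType CustomScan -ScanPath $AddIn

# 4. List every Defender detection whose resources mention this file, joined with the
#    threat catalogue so the report quotes the exact name (e.g. the Wacatac.B!ml above).
$threats = Get-MpThreat
$hits = Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($AddIn) } |
    ForEach-Object {
        $det  = $_
        $name = ($threats | Where-Object ThreatID -eq $det.ThreatID).ThreatName
        [pscustomobject]@{
            Time       = $det.InitialDetectionTime
            ThreatName = $name
            Remediated = $det.ActionSuccess
            Resources  = ($det.Resources -join '; ')
        }
    }

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    # No detection after the update: the earlier flag was likely a definition-specific fluke.
    Write-Host "No Defender detection recorded for $AddIn with current definitions."
}
```

If a detection is listed, the ThreatName and SHA256 printed here are what the sample-submission form asks for when reporting an incorrect detection.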

@lobpcg

lobpcg commented Apr 10, 2024

Confirmed the issue. Detected as https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AScript%2FWacatac.B!ml and blocked. The unblocking requires allowing Wacatac.B!ml.

I have just submitted the iguanatex_v1_61.ppam as User Opinion: Incorrect detection at https://www.microsoft.com/en-us/wdsi/filesubmission/

@Jonathan-LeRoux
Owner

Thanks @lobpcg !
I hope they can clear it. If they do find malware in there, I'd love to hear how it got in :D

@jamiescottie1

Can confirm that the issue still persists with Win Defender definitions from 18th April 2024. I also submitted the file to https://www.microsoft.com/en-us/wdsi/filesubmission/ as incorrect detection, hopefully they can clear it soon.

I can also confirm that downloading the .pptm, then "Save as" to .ppam seems to work; Defender does not detect the created .ppam as a threat in that case.

@Jonathan-LeRoux
Owner

Thanks for the updates! I will mention all this in the release.

@fawidmer

Confirming detection of Wacatac.B!ml on Windows 11 (10.0.22631).
Workaround of downloading the pptm and saving as ppam is working for now. :)

@hmakmur

hmakmur commented Jun 6, 2024

The same issue also shows with Cisco AMP, where it quietly deletes files and does not tell users.

@Jonathan-LeRoux
Owner

Can you report false positives to Cisco?
Also, what happens if you download the .pptm and save it as .ppam?

@hmakmur

hmakmur commented Jun 7, 2024

I did not try to play the rename trick but I suspect the result is the same. I can't really report to Cisco. Cisco recommends whitelisting the files. Here is what is written about it, in case you want to see full details of this file.

@Jonathan-LeRoux
Owner

If you get to trying to download the .pptm and converting it to a .ppam via PowerPoint's "save as" ("export" on Mac), I'd be curious to know if that worked.
I'm aware of virustotal's report. Their AI-based "code insight" is pretty spot on, too bad some other vendors flag it as a threat.

@hmakmur

hmakmur commented Jun 7, 2024

I downloaded the .pptm file and exported it to a .ppam file. Scanned it with Cisco AMP. The result is fine. No detection.

@Jonathan-LeRoux
Owner

Thanks for confirming. I updated the release text to encourage more users to try this.

@kcmckell

kcmckell commented Oct 2, 2024

My Windows Defender was still blocking the PPAM file that I exported from the PPTM file. I ended up having to tell Windows Defender to make an exception for macros coming from a certain directory (as detailed here by Microsoft).


7 participants