FabFilter User Forum

Some FabFilter uninstaller files flagged as trojan by Windows Defender

Hey guys,

Today after starting my PC, Windows Defender notified me that it quarantined a few files because they are infected by Trojan:Win32/Wacatac.B!ml.
It turns out they're all FabFilter uninstaller files/regkeys for some legacy plugins. I have installed these plugins a few weeks ago, so I guess this alarm is due to a new definition that was updated today.
I have downloaded Microsoft Safety Scanner and it says it doesn't find any infection. Could you possibly further soothe my nerves with some information on what these (un)installers may have in common that could trigger a false positive?

Many thanks in advance.

Here is the full list:

file: C:\Program Files\FabFilter\Pro-L\Uninst.exe
file: C:\Program Files\FabFilter\Pro-Q 2\Uninst.exe
file: C:\Program Files\FabFilter\Saturn\Uninst.exe
file: C:\Program Files\FabFilter\Timeless 2\Uninst.exe
regkey: HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FabFilter Pro-L 1.34
regkey: HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FabFilter Pro-Q 2.27
regkey: HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FabFilter Saturn 1.28
regkey: HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FabFilter Timeless 2.38
uninstall: HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FabFilter Pro-Q 2.27
uninstall: HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FabFilter Pro-L 1.34
uninstall: HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FabFilter Saturn 1.28
uninstall: HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FabFilter Timeless 2.38

Best Regards,
Peter

Peter

Yes same here. Affected all installed FF products.

Geraint

Same here.

Trojan:Win32/Wacatac.B!ml

file: C:\Program Files\FabFilter\Saturn\Uninst.exe

regkey: HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FabFilter Saturn 1.27
uninstall: HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FabFilter Saturn 1.27

sinewave

I'm glad I'm not the only one seeing this. Thank goodness I found this. This happened to me as well. Did every virus/malware scan possible and no infection.

Each time I reinstall all FF products, Defender tells me the uninstallers are all infected with "Trojan:Win32/Wacatac.B!ml" in addition to the registry key entries for the uninstaller.

This occurred with both yesterday's and today's (1.409.416.0) Defender definitions. Uploading the files to Microsoft threat database however, every scan shows no malware.

So, false positives from trigger-happy definitions?

Andrew S

Thanks for the reports!

I'm pretty sure this is a false positive. It looks like a heuristic in Defender is triggering on the way our uninstallers have been created. The fact that uploading these files to Microsoft doesn't trigger a warning confirms this.

I scanned these files this morning on Windows 11 and none of them got flagged. Is there an option for any of you who are getting these warnings to flag these as false positives with Microsoft?

We'll look into changing the way we create our uninstallers if this problem persists.

Cheers,

Frederik (FabFilter)

Good news,

Updated to today's definitions and reinstalled FF products again and the scan didn't flag them as Trojans this time. So it seems Microsoft has corrected their error for now.

Thanks

Andrew S

Hi Andrew,

That's great, thanks for the follow-up!

Cheers,

Frederik (FabFilter)

Can confirm. I recovered the flagged files from the quarantine and scanned them again. They have not been flagged again in the latest scan.

Peter