Windows detects virus when downloading https://github.com/apple/pkl/releases/download/0.26.0/pkl-windows-amd64.exe #166

Open
opened 2025-12-30 01:21:41 +01:00 by adam · 5 comments

Originally created by @cloudflight-cweiss on GitHub (Jun 19, 2024).

I wanted to try the new Windows native version today and Windows Defender triggered with a virus detection warning:
`Trojan:Win32/Wacatac.B!ml`

I hope this is a false positive?


@holzensp commented on GitHub (Jun 19, 2024):

I would think so (false positive)! This is disconcerting, nonetheless... How did you download it? Browser? (If so, which one?) `Invoke-WebRequest`? GitHub client?


@cloudflight-cweiss commented on GitHub (Jun 19, 2024):

I downloaded it via Chrome by clicking the link on the GitHub Release page.
It also did not alarm at first but only when I tried to execute it (without arguments to get the help displayed), after which it also instantly triggered on subsequent downloads (when I wanted to confirm that I did not accidentally download another version via some other link).

My current assumption would be that the native executable tries to load some Java code via unpacking or something (or lazy loading more code from the net?) which could plausibly trigger Windows Defender.

P.S.: I also downloaded the 0.27.0-SNAPSHOT version linked in my other GitHub issue in the pkl-intellij repository (https://github.com/apple/pkl-intellij/issues/8#issuecomment-2140719150).
Command is as described here: https://pkl-lang.org/main/latest/pkl-cli/index.html#windows-executable
Although I think I deleted that version after I noticed there was a new 0.26.0 release, and the 27-SNAPSHOT did not trigger anything (not 100% sure if I executed that one or not).


@holzensp commented on GitHub (Jun 19, 2024):

The native executable runs on sandboxed / air-gapped machines, so it certainly isn't a late/remote load. The point of GraalVM's `native-image` is that you _don't_ end up running a JVM, so I also cannot imagine anything having to do with that type of Java dynamism.

I've searched for similar reporting on `native-image`, but have not seen much. There have been issues with [false positives from Windows Defender for GraalVM before](https://github.com/oracle/graal/issues/1752), but that concerned a component (`svm.jar`) of the GraalVM distribution itself.

Do try the 0.27-SNAPSHOT, because it's built with the same infrastructure. Alternatively, see what happens if you get it through `Invoke-WebRequest` or `curl` (we've seen issues with _signing_ from browser-downloaded binaries before that other download tools didn't have). If you have any more detail from Windows Defender, that could also be helpful. Anyone else seeing similar and finding this, please chime in!


@stackoverflow commented on GitHub (Jun 19, 2024):

I can't reproduce that (Windows 11). I can download the exe through Chrome and run it in cmd or PowerShell with no problems. Running Windows Defender on it also says the file is fine; nothing was found.


@z-jxy commented on GitHub (Jun 19, 2024):

I downloaded using `Invoke-WebRequest` and Chrome without any issues.

The `!ml` portion of `Trojan:Win32/Wacatac.B!ml` indicates the detection was made using machine learning, which is prone to false positives.

If in doubt, you can scan using [virustotal](https://www.virustotal.com). Result shows 1/72 detections from vendors, with the only detection also being ML based:

![pkl-windows-virustotal](https://github.com/apple/pkl/assets/107861121/bf4fb8dc-f5e8-41cf-a9da-26824e81c824)
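A download-triage script for the situation discussed in this thread (fetch via `Invoke-WebRequest`, check integrity and signature, then read back what Defender actually flagged and whether the verdict carries the `!ml` suffix); this is an added example, not code from the issue or the Pkl project. It assumes an elevated PowerShell on Windows 10/11 with the Defender module available, and `$ExpectedSha256` is a placeholder to fill in from a checksum the project publishes, if any.

```powershell
# Added example (not from the issue thread): triage a fresh download of the pkl
# Windows executable instead of either trusting or dismissing the Defender alert.
# Assumptions: elevated PowerShell on Windows 10/11 with Defender enabled;
# $ExpectedSha256 is a placeholder, replace it with the checksum published for the release.
$Url            = 'https://github.com/apple/pkl/releases/download/0.26.0/pkl-windows-amd64.exe'
$Path           = Join-Path $env:TEMP 'pkl-windows-amd64.exe'
$ExpectedSha256 = '<sha256 from the project release page, placeholder>'

# 1. Fetch with Invoke-WebRequest, as suggested in the thread, so the browser is not a variable.
Invoke-WebRequest -Uri $Url -OutFile $Path

# 2. Integrity: a differing hash means this is not the published artifact.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($ExpectedSha256 -notlike '<*' -and $actual -ne $ExpectedSha256) {
    throw "SHA256 mismatch: got $actual, expected $ExpectedSha256"
}

# 3. Provenance: Mark-of-the-Web zone and Authenticode status. NotSigned is common for
#    open-source binaries; HashMismatch or NotTrusted on a signed file is a red flag.
$zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
$sig  = Get-AuthenticodeSignature -FilePath $Path
"Zone.Identifier: $($zone -join ' ')"
"Signature status: $($sig.Status) ($($sig.SignerCertificate.Subject))"

# 4. Ask Defender for a verdict on this exact file and list any detection history for it.
Start-MpScan -ScanType CustomScan -ScanPath $Path
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($Path) } |
    Select-Object DetectionID, InitialDetectionTime, ThreatID, ProcessName, Resources

# 5. Decode the detection name: a trailing '!ml' marks a machine-learning verdict,
#    the component the thread identifies as prone to false positives.
Get-MpThreat |
    Where-Object { $_.ThreatName -like 'Trojan:Win32/Wacatac*' } |
    ForEach-Object {
        $suffix = if ($_.ThreatName -match '!(\w+)$') { $Matches[1] } else { 'none' }
        "{0}: severity {1}, detection-method suffix '{2}'" -f $_.ThreatName, $_.SeverityID, $suffix
    }
```

A clean hash match plus an ML-only verdict is the pattern consistent with the false positive the thread concludes on; a hash mismatch or a non-ML signature hit is the case to escalate rather than exclude.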

Reference: starred/pkl#166