Windows Defender trojan alert after publish
Whenever I publish my project to a folder I get a Windows Defender warning about "Meterpreter!pz". I have built this solution multiple times before and only now is it throwing this at me.
Your program happens to match heuristics for malware.
That doesn't mean it is, just that Defender thinks it is.
What could I do to circumvent this?
I think there's a guy here on the Defender team that might appreciate a sample of the false positive.
That would be great
@rtreit and @etreit both work on the Defender team, although I think they are on holiday break. But yes you should submit it as a false positive here:
https://www.microsoft.com/en-us/wdsi/filesubmission
If you report back the submission ID they might be able to give the submission a little nudge.
Looking into it
What do you mean by this?
When you submit the false positive it should give you back some kind of ID
You should get a submission number back, if you toss it here we can take a look more easily
Meterpreter!pz
For once it's not Wacatac. I'm afk but should be back home soon and can take a look. Might be worth seeing if you can do an update; I think I remember something about a Meterpreter detection that was having some false positives that was removed, but might still be on your machine. I can verify if that might be the case in a bit.
lol "File upload failed - please try again."
dd1d08fd-1132-4928-980b-9b7b6081003c
Very much appreciated!
Thanks so much for giving us the submission number. I took a look at what was detecting it and it seems a bit wonky, so I'm putting some stuff into motion for someone to re-examine that. Sorry about this!
I'll add that this only happens in the release publish builds with the Single File option. It does not get flagged if I build a release build and run it locally.
What about debug?
You mean running it in IDE with debug, or compiling a debug and executing it?
I meant publishing a debug build with single file
Was just curious
Will try in about 15 minutes
It also gets deleted; only non-published ones work.
We are disabling that detection and the change should be rolling out soon. Thanks a ton for sharing with us!
Glad to hear!
Was actually worried that my files were just completely damaged.
That's some quick response time, unlike Norton, who still hasn't responded to a friend of mine after 2 years.
For future reference, usually if you have issues with AVs, the best way to avoid them is to get a code signing certificate.
I managed to get a false positive on my company's (not Defender) AV by changing the color of an element in Avalonia.
I think Norton exists just to collect money and spread misery.
Norton is terrible.