BatchPatch Support Forum: VirusTotal and Defender flagging the batchpatch download
Tagged: virus malware digital signature
This topic has 2 replies, 2 voices, and was last updated 12 hours, 17 minutes ago by doug.
April 20, 2025 at 10:06 am #14361, ntcooper (Participant):
Hi BatchPatch community,
Microsoft Defender flagged my batchpatch .zip download file as having Wacatac.H!ml. And VirusTotal results are giving 2 hits for obfuscator warnings.
I have verified the authenticity and integrity of the signature file on the .exe file and it is legit.
Is anyone else seeing this? I think these are false positives but I was wondering if others are seeing this as well.
Thanks.
April 20, 2025 at 12:29 pm #14362, doug (Moderator):
Indeed, you’re correct that it’s a false positive. What’s really strange and annoying is that we submitted it to Microsoft, and they basically then responded by telling us that it’s not malicious, which of course we already know. We couldn’t get them to actually pay attention to or care about what we were trying to explain to them.
We’ve only had a couple of other customer reports of this false positive in addition to one occurrence on one of our own systems.
These are the two detection names that we see in Microsoft Security/Defender:
Trojan:Script/Sabsik.FL.A!ml
Trojan:Script/Wacatac.B!ml
Google suggests that when a Defender detection’s name has an ML suffix, it’s a “machine learning” detection. I couldn’t really find much on this subject, but it’s surely the reason why we are only aware of 4 machines (3 from customers including you, plus 1 of our own machines) producing this detection. It’s not being detected by any normal Defender ruleset, which seems to be connected to why Microsoft isn’t helpful to us when we report the false positive. Crappy quality control and customer service on their part is probably also at play here.
And as you’ve seen there are also a couple of detections in VirusTotal, despite all of the other many dozens of VirusTotal engines recognizing it as clean (because it IS clean). Based on the behavior that we have seen thus far when trying to figure out what we can do about this (seems like we can’t do anything, at the moment, since it’s a Defender issue, and submitting a false positive to Microsoft has gotten us nowhere, and 99% of Defender instances don’t detect it since it’s clean), it’s very likely to be the case that if you simply grab that .zip file on a different computer, it won’t be detected. Also we generally saw that the .zip was detected even though the extracted .exe wasn’t detected on our one system that was having all the .zip detections. Then after several days it stopped detecting anything on that one machine where it was alerting for several days. It’s all very strange, frankly.
Verifying the authenticity and integrity of the signature file ensures that you got the exact file that we digitally signed, so you can trust that it’s not malicious. However, I understand that it doesn’t exactly produce a warm and cozy feeling when Defender keeps trying to quarantine it. Even here on the system that was giving us the same issues, it was unnerving. Like a weird form of digital gaslighting.
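The signature check the thread relies on, as an added PowerShell example that is not BatchPatch's own code or anything posted by the participants: it verifies the Authenticode signature on the extracted executable, records the SHA-256 hash so the same file can be looked up on VirusTotal by hash instead of re-uploading it, and lists any Defender detection record for the file so the detection name (the `!ml` names quoted above) can be read off the local machine. The file path is a placeholder; the signer subject you expect has to be compared against the vendor's published details, which this example does not know.

```powershell
# Added example, not BatchPatch's own code. Assumes the .zip has already been
# extracted; $exe is a placeholder path and must point at the real executable.
$exe = 'C:\Path\To\Extracted\BatchPatch.exe'   # placeholder path

# 1. Authenticode check: Status must be 'Valid'. A 'HashMismatch' or
#    'NotSigned' status means the bytes are not what the vendor signed.
$sig = Get-AuthenticodeSignature -FilePath $exe
"Signature status : $($sig.Status)"
"Signer subject   : $($sig.SignerCertificate.Subject)"
"Signer thumbprint: $($sig.SignerCertificate.Thumbprint)"
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'; treat the file as untrusted."
}

# 2. SHA-256 of the file, for a hash lookup on VirusTotal. Looking up the hash
#    shows the existing report for that exact file without uploading it again.
$hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
"SHA256           : $hash"

# 3. Local Defender detection records that reference this file, so the
#    detection name can be compared with the names reported in this thread.
Get-MpThreat |
    Where-Object { $_.Resources -like "*$(Split-Path -Leaf $exe)*" } |
    Select-Object ThreatName, IsActive, Resources
```

Note that a valid signature answers a narrower question than "is this file safe": it proves the file is byte-for-byte what the signer released, so the useful comparison is the signer subject and thumbprint against what the vendor states, not merely that Status reads Valid.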