Winget installation flagged as a trojan by windows security about wezterm HOT 14 OPEN

These sorts of false positives pop up from time to time; you can see from searching in this repo the prior events. They are outside of my control and sort themselves out after someone reports the false positive.

You might have better luck with the nightly build.

I'm a little concerned that this has not been acknowledged yet. Wezterm is otherwise trustworthy right? I haven't used it before this issue.

Everything in wezterm is open source, and the CI is also open source. You can see exactly what has gone into a build and verify that there is nothing nefarious happening here, to the binaries that you download from this github repository.

If you are installing via some external aggregator/distro then the chain of trust is less clear.

It is currently "too difficult" for an independent OSS maintainer to automate code signing for windows executables; it's a ludicrous endeavor: I would need to found an LLC, have it independently verified, then fund annual book keeping for the LLC, its tax returns and status, just to get a code signing certificate that doesn't result in a scary prompt for the user. In addition, I have yet to find a certificate provider that will integrate nicely with GH actions in a fully automated way (most require some kind of USB hardware device or cloud call that requires a presence check in order to sign), so that implies that I therefore also need to procure and maintain a dedicated windows build system to produce these binaries and keep pressing a button on each build run.

I would love for this situation to be different!

https://fosstodon.org/@[email protected]/111819639907704896 is a thread with more context.

from wezterm.

It was flagged by a few dubious antiviruses as having a trojan. Nonetheless, would love to hear the author's opinion.

https://www.virustotal.com/gui/file/35a6ec0eff7aa65e3987f14223bfb9df831eaab2964eb441ed6cad4356d252ff
8 / 70 security vendors and no sandboxes flagged this file as malicious

from wezterm.

it seems to be resolved now, i installed from winget the 0301 version, and no defender warnings anymore

@igorzhilin How? winget search wezterm shows: "WezTerm wez.wezterm 20240203-110809-5046fc22 winget"

from wezterm.

Flagged again for the "WezTerm-windows-20240203-110809-5046fc22.zip" version, but this time its "Trojan:Win32/Malgent!MSR"

from wezterm.

I'm also getting this from downloading https://objects.githubusercontent.com/github-production-release-asset-2e65be/120568143/609f4929-1353-4ee8-9ca7-4f255c73eb45?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240225%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240225T225642Z&X-Amz-Expires=300&X-Amz-Signature=d9cd3ec6bae58e0df77015c03e1e4b57be483ffd969cf5b23348833de18d1d7f&X-Amz-SignedHeaders=host&actor_id=1312390&key_id=0&repo_id=120568143&response-content-disposition=attachment%3B%20filename%3DWezTerm-20240203-110809-5046fc22-setup.exe&response-content-type=application%2Foctet-stream via https://wezfurlong.org/wezterm/install/windows.html on Windows 10

from wezterm.

winget upgrade fails for the same reason (win 10).
Interestingly, virustotal found no issues with this file (one vendor flagged it as suspicious, and that's it).

from wezterm.

Winget managed to install this on one of my Windows 10 machines a couple of days ago, but if I scan the file now it reports a trojan. Windows 11 refuses, says it's some "AgentTesla" trojan. Scanned the 10 machine with mwb and defender and it finds nothing, but I'm still pretty concerned...

Update: it does find it in strip-ansi-escapes.exe in the root WezTerm directory.

Update again: #5041

from wezterm.

Same issue here, it quarantines it after detecting some Trojan:Win32/AgentTesla!ml.

from wezterm.

The issue is with strip-ansi-escapes.exe reported earlier in #5041
If you download the .zip file from Releases, Windows will specifically block that executable.

from wezterm.

The issue is with strip-ansi-escapes.exe reported earlier in #5041 If you download the .zip file from Releases, Windows will specifically block that executable.

As mentionned above, and as I have experienced myself, the issue arises also with winget. Would be nice to know precisely what is happening.

from wezterm.

I'm a little concerned that this has not been acknowledged yet. Wezterm is otherwise trustworthy right? I haven't used it before this issue.

from wezterm.

I'm a little concerned that this has not been acknowledged yet. Wezterm is otherwise trustworthy right? I haven't used it before this issue.

I got fed up with windows and switched back to linux eventually and currently am using wezterm, so I don't actually care about this problem anymore, but I highly doubt it's anything serious. It's a huge project with 250+ contributors and even more users, supporters etc.

from wezterm.

it seems to be resolved now, i installed from winget the 0301 version, and no defender warnings anymore

from wezterm.

Sorry to report that the issue is back again.

But I fully sympathize with the issues you are facing @wez - so thanks for trying!

One things that can help is to download the file in the WSL2 session, so try doenload using curl in WSL:

curl -LO https://github.com/wez/wezterm/releases/download/20240203-110809-5046fc22/WezTerm-windows-20240203-110809-5046fc22.zip

Then unzip/copy to the Windows filesystem /mnt/c/Users<youruser> - then you can unblock the WezTerm files from Windows Defender.

from wezterm.