False positive? Trojan:Script/Wacatac.H!ml

HALJimmy · March 25, 2023, 11:21am

Hello,

After last supervisor update (2023.03.2) and / or Core 2023.3.6 when i download a backup my defender screams and alerts about Trojan:Script/Wacatac.H!ml in the backupfile, no backup files before this does it. Anyone else experienced the same?

Just want to know before i have to start deleting addons etc to identify the cause of the alerts. Or worst case reinstall everything from scratch

Also tried
Restored and older version from an image, created a new backup, no alert.
updated with new supervisor and core update, created backup, alert is back

tom_l · March 25, 2023, 12:40pm

Search the backup archive for that html file (the backup is just a compressed file you can extract it with winzip or similar).

HALJimmy · March 25, 2023, 1:57pm

Wacatac.H!ml is just the name of the trojan/script and not an actual html file, the harmful code (if it exists) could be located in any file included in the backup

ratsepa · March 27, 2023, 8:38am

I have same problem. Restored earlier backup, no warnings when downloading backup.
Updated ESPHome, made backup and WindowsDefender blocks downloading because of Wacatac

Thesexton · March 27, 2023, 11:09am

I also got the Trojan warning when I’m downloading my 3 latest’s backups. The backups before that are clean.

Did not change anything in that time, except installing the latest’s HA update.

tom_l · March 27, 2023, 1:01pm

If you are sure this is coming from the ESPHome addon, report it here:

ratsepa · March 27, 2023, 6:50pm

I’m not sure it was ESPHome. I restored version 2023.3.1 which is clean. I have now updated addons step by step. No Wactac in backup for now. Tomorrow I try update HA to latest and will see if problem comes from there.

ratsepa · March 28, 2023, 8:54am

I’m confused now. I made backup yesterday evening and it’s clean. Today morning I made new backup and it gives Wacatac warning. To trace down where is the source, I made partial backups for HA, Folders and Add-Ons - they all were clean. Then I made full backup again and it was clean. After half hour full backup and again warning about Wacatac.
So I downloaded this last infected backup to another computer where Windows Defender is not active and scanned file there with Cortex XDR - no threats.
I vill try with other scanners too

goldeagle2005 · March 30, 2023, 12:41pm

Same problem here. Core version 2023.3.4, though I have seen this happen once in a prior version. Earlier, I created a full backup and Windows Defender found the trojan. Deleted the backup, created another full backup and it’s clean. Made a full backup today and again got the alert. Tried downloading the backup again and again got the alert. Deleted said backup, created a new one but this time had the trojan detected.

Funny thing is, I have scanned my system and not found this Trojan anywhere else.

Edit: After getting a positive alert from Windows Defender, I ran a scan with Avast. Did not get any alert there so I am iines to believe this as a false positive from Windows Defender. Will update if I find something new.

Edit 2: After updating to Core 2023.3.6, I made another full backup and ran a scan with Avast - no alerts received. I then scanned this new backup with Windows Defender and again, I did not get any alert.

Here’s the weird part - I scanned the old backups (the ones which were flagged as infected by Defender) again with Windows Defender and this time I did not get any alerts. This, combined with the fact that I would frequently get an error in Windows Defender that the Threat Service has stopped leads me to believe that Windows Defender is the culprit. I’ve switched to Avast completely for now. In case I have something else to report, I’ll update here.

Hope this helps.

HelpITru · April 10, 2023, 6:47pm

The same Trojan:Script/Sabsik.FL.A!ml