After the last Supervisor update (2023.03.2) and/or Core 2023.3.6, when I download a backup my Defender screams and alerts about Trojan:Script/Wacatac.H!ml in the backup file; no backup files before this do it. Anyone else experienced the same?
Just want to know before I have to start deleting addons etc. to identify the cause of the alerts. Or, worst case, reinstall everything from scratch.
Also tried:
Restored an older version from an image, created a new backup, no alert.
Updated with the new Supervisor and Core update, created a backup, alert is back.
Wacatac.H!ml is just the name of the trojan/script and not an actual HTML file; the harmful code (if it exists) could be located in any file included in the backup.
I have the same problem. Restored an earlier backup, no warnings when downloading the backup.
Updated ESPHome, made a backup, and Windows Defender blocks the download because of Wacatac.
I’m not sure it was ESPHome. I restored version 2023.3.1, which is clean. I have now updated addons step by step. No Wacatac in the backup for now. Tomorrow I will try updating HA to the latest version and will see if the problem comes from there.
I’m confused now. I made a backup yesterday evening and it’s clean. This morning I made a new backup and it gives a Wacatac warning. To trace down where the source is, I made partial backups for HA, Folders and Add-Ons - they were all clean. Then I made a full backup again and it was clean. After half an hour, another full backup and again a warning about Wacatac.
So I downloaded this last infected backup to another computer where Windows Defender is not active and scanned the file there with Cortex XDR - no threats.
I will try with other scanners too.
Same problem here. Core version 2023.3.4, though I have seen this happen once in a prior version. Earlier, I created a full backup and Windows Defender found the trojan. Deleted the backup, created another full backup and it’s clean. Made a full backup today and again got the alert. Tried downloading the backup again and again got the alert. Deleted said backup, created a new one but this time had the trojan detected.
Funny thing is, I have scanned my system and not found this Trojan anywhere else.
Edit: After getting a positive alert from Windows Defender, I ran a scan with Avast. Did not get any alert there, so I am inclined to believe this is a false positive from Windows Defender. Will update if I find something new.
Edit 2: After updating to Core 2023.3.6, I made another full backup and ran a scan with Avast - no alerts received. I then scanned this new backup with Windows Defender and again, I did not get any alert.
Here’s the weird part - I scanned the old backups (the ones which were flagged as infected by Defender) again with Windows Defender and this time I did not get any alerts. This, combined with the fact that I would frequently get an error in Windows Defender that the Threat Service has stopped leads me to believe that Windows Defender is the culprit. I’ve switched to Avast completely for now. In case I have something else to report, I’ll update here.
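Added example, not part of any post in this thread: a Python sketch for comparing a clean backup with a flagged one file by file, which narrows down what actually differs between them instead of relying on repeated partial backups. It assumes the backup is a tar archive that may contain nested tar archives; the file names in the sample data are constructed.

```python
import hashlib, io, tarfile

ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz")

def member_hashes(fileobj, prefix=""):
    """Map every file in a tar (recursing into nested tars) to its SHA-256."""
    hashes = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()  # whole member in memory
            path = prefix + member.name
            if member.name.endswith(ARCHIVE_SUFFIXES):
                try:  # list inner files rather than hashing the compressed blob
                    hashes.update(member_hashes(io.BytesIO(data), path + "!/"))
                    continue
                except (tarfile.TarError, EOFError, OSError):
                    pass  # encrypted or damaged inner archive: hash it as a blob
            hashes[path] = hashlib.sha256(data).hexdigest()
    return hashes

def diff_backups(clean, flagged):
    """Return (added, removed, changed) paths between two backup archives."""
    a, b = member_hashes(clean), member_hashes(flagged)
    added = sorted(b.keys() - a.keys())
    removed = sorted(a.keys() - b.keys())
    changed = sorted(p for p in a.keys() & b.keys() if a[p] != b[p])
    return added, removed, changed

def build_tar(files, mode="w"):
    """Constructed sample data: build an in-memory tar from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    old = build_tar({"data/esp.yaml": b"name: a\n"}, "w:gz").getvalue()
    new = build_tar({"data/esp.yaml": b"name: a\n",
                     "data/build/fw.bin": b"\x00\x01"}, "w:gz").getvalue()
    clean = build_tar({"backup.json": b"{}", "addon_x.tar.gz": old})
    flagged = build_tar({"backup.json": b"{}", "addon_x.tar.gz": new})
    for label, paths in zip(("added", "removed", "changed"),
                            diff_backups(clean, flagged)):
        print(label, paths)
```

For real files, pass `open(path, "rb")` objects for the two downloaded backups; the paths it reports are the ones worth submitting to a second scanner or to the vendor as a suspected false positive.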