Trojan in download full backup (false positive windows defender)

I am on HA-core 2024.2.5. I made a full backup before installing the 2024.3.0 update. I downloaded the full backup tar file. Windows Defender detected a trojan in the file and deleted the file. My previous full backup was about 750 MB. This new backup tar file is more than 1 GB. The name of the trojan was "Trojan:Script/Wacatac.B!ml". Is this real? Very scary.

1 Like

Very unlikely. That’s a Windows trojan for a start.

All the recent full backups show this trojan when scanned by Windows Defender. One full backup from July 2023 does not show this trojan when scanned by Windows Defender. I wonder if any other people experience this.

That trojan is Windows software.
There are no executables in your backup, let alone anything for Windows.

You’re very likely just unlucky: a chain of bytes recognized as the trojan by Defender happens to appear in your backups, and it’s very unlikely anybody else will get exactly the same problem.

Hmmm. I updated to 2024.3.0 yesterday, and likewise for me, Windows Defender detected that trojan in today’s backup file (first time I have ever had a trojan detected in a Home Assistant backup file). Not very comforting despite assurances that a Windows trojan inside a Linux backup should be OK…

It’s not a trojan. It is:

i.e. a false positive. You can submit it to Microsoft for evaluation if you like.

Be aware there may be sensitive information in your backup (secrets, passwords, access tokens, etc.).

1 Like

Same problem: Windows 11 Defender detected a trojan (Script/Wacatac.B!ml) in a full backup and blocks the download of the file.

Core: 2024.3.0
Supervisor: 2024.02.1
Operating System: 12.0
Frontend: 20240306.0

Same answer.

1 Like

Unfortunately, even assuming the backups have a false positive, Windows now blocks the download every time. The good news is that if I use the Linux zip command instead of the built-in core backup in the GUI (and delete the flagged backups from the config/backups folder), all is well. So is it something to do with the new “faster compression speeds due to a library named isal” backup feature mentioned here? - Raspberry Pi 5 support and more in Home Assistant OS release 12 & Supervisor update

Same problem, same answer, still a problem.

Are you trolling? What do you want anybody other than Microsoft to do about their antivirus finding false positives in compressed files?

Actually, the fact that several of you have the same “problem” makes it even more likely it is a false positive.

If you want to be reassured, use another antivirus for confirmation or refutation.

If what bothers you is the Windows message, stop making your backups transit through Windows.

2 Likes

@koying 100% agreed, they can also let it pass through if they set the download to allow in Windows Security. :rofl:

Or rename the backup file to end with .exe before downloading and Windows “defender” should be defeated (no false positives anymore)

Probably not…

No, just a false-positive… Try some other snake oil

I thought I would report my results just for the collective knowledge here. I have scanned backup files all the way back to my oldest (6/4/2023) and they all have this virus detected. My bet is on a false positive.

The first time I saw this was backing up this morning and I am running 2024.2.3. So, it does not have to do with the 2024.3 update. My guess is an update to Defender or to the virus signatures is causing the issue.

1 Like

Hi,

There’s no trolling involved.

I bought a new Pi and wanted to download a full backup to migrate my installation to the new Pi, and I have a similar encounter here.

Windows Defender detects a Trojan.Script/Sabsik.FLA!ml in the file. I’m not sure if the detection is valid, but it’s there and it makes Windows block my download, which in turn prevents me from saving the file and uploading it to the new Pi.

Or

…

Just temporarily disable real-time virus scanning for the duration of the transfer

Sure,

It’s always the better solution to ignore/skip/suppress the symptoms instead of analysing and fixing the root cause.

Microsoft allows you to train their system for free! Please go ahead and try to inform them about the false positive and document your mileage here!

You have been told what the root cause is and what the solution is.
Those workarounds are only for if you are stuck while Microsoft is reviewing the data you no doubt submitted to them, as indicated above.

1 Like