Trojan in download full backup (false positive windows defender)

Yes, let’s all complain to the HA devs and get them to fix a Microsoft problem.

You and others have been told multiple times it’s a false positive which only triggers on a Microsoft product, yet you expect HA to fix the “root cause”

1 Like

For you, it's wait for Microsoft to fix your snake oil - until then no new Pi for you :person_facepalming:

Ok, enough bashing just because my opinion doesn’t match yours. It’s not helpful to attack on a personal level just for thinking of a different path.

Microsoft won’t do anything about that, that’s something that’s clear to me. But on the other hand, in MY opinion there must be a reason why Defender thinks that there’s a trojan in it. False positive or not, I just wanted to suggest that there’s another solution to circumventing the trigger - for example checking what exactly triggered Defender and finding out if that could be solved.
There was no “complaining to the HA devs” involved in my response, so stop bashing around.

Just try to stick to facts:

There are hundreds of snake oil vendors/producers out there which on a daily basis falsely mark files as dangerous. Obviously it is not the task of the HA devs or Nabu Casa to fix other people’s/companies’ software.

Normally they do fix these failures if they are reported often enough as being wrong (e.g. Ventoy). So it’s up to you and the other snake oil users to have your software fixed - easy as that!

Just don’t ask the HA devs to waste time for your home made problems because you use a third party software that is in no way related to HA.

Well, who are you complaining to, then?

That’s exactly what submitting the incriminating file to Microsoft will allow them to do. Nobody other than them can do that.
Did you do that? If not, your “divergent” opinion is just venting your frustration tbh…

As said, I wasn’t “complaining”. I don’t know why some people interpret every different opinion as a complaint. I was trying to have a conversation in the first place, but it seems that different opinions trigger AngryTrumpMode here instead of a constructive discussion culture.

Well, I did not. Because as you may already know, the backup contains plain text passwords in some files and I wouldn’t like Microsoft to know those.

Re-read your answer carefully.

If that passive-aggressive answer was not a complaint, I’m not sure what it was meant to be… I’m pretty sure nobody took that as a desire for conversation, though.

1 Like

You’re right, that might not have been the best possible answer, but I didn’t understand the “If a trojan is detected, disable the detection” approach. It feels like “If your knee hurts, don’t go to a doctor, just stop walking”.
However. You’re right, I’m wrong. You won.

There shouldn’t be any questions left if you read the thread.

Your snake oil falsely detects a file as dangerous, so you can live with it and wait for Microsoft to fix it or “override” the false positive so that you can continue doing what you intended - your choice.

The snake oil users here (including you) were encouraged to trigger Microsoft (the “doctor” and owner of the closed source snake oil solution) to fix it - if no one does, the false positive will continue…

Nothing to win…

I generally agree, just that it was already outlined before (and as a summary of this thread):

  1. It is extremely unlikely that a windows trojan would have found its way in a HA backup, if anything because it’s not supposed to contain any executable files, and even less supposed to contain anything windows-specific.
  2. It is even more unlikely that multiple users would have exactly the same report.
  3. Yours is different, so it was already mentioned that a proper course of action would be:
    • Use another virus scanner (or several) as an additional opinion
    • If it is deemed highly probable that it is a false positive, report it to Microsoft to prevent other users from meeting the same issue
    • In the meantime, if that detection is blocking you, temporarily disable real-time virus scanning, long enough to, e.g., do a copy from a VM to somewhere else through Windows.
  4. In the unlikely event it is confirmed you actually have a virus in your backup file, it is necessarily in your actual configuration, somewhere. An HA backup is just a zip file of the content of your /config directory, with some added json files for metadata. Possible course of action would then be:
    • Temporarily disable virus detection
    • unzip the content of the backup
    • Do a virus scan of the unzipped content of the backup to detect which file is infected
    • Delete the infected file from your /config
1 Like
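The step-4 procedure above (unpack the backup and scan its contents to find the offending file), and the later observation in this thread that the inner .tar.gz files scan clean while the whole backup trips Defender, as an added example in Python. This is not Home Assistant’s code and was not posted by anyone in the thread. It assumes the layout the thread describes: an uncompressed outer .tar holding a backup.json plus one .tar.gz per component. The “Windows executable” heuristic (PE/DOS “MZ” magic or an executable-looking suffix) is my own choice, and the sample archive, including its secrets.yaml, is constructed inline rather than taken from a real backup.

```python
"""
Find out which member of a Home Assistant backup a scanner objects to,
without uploading the whole archive.  Added example for this thread; it is
not Home Assistant code.  Assumptions: the backup is an uncompressed outer
.tar holding backup.json plus one .tar.gz per component, and a "Windows
executable" is anything whose name has an executable suffix or whose first
bytes are the PE/DOS "MZ" magic (a heuristic, not a full PE parser).
"""
import hashlib
import io
import json
import tarfile

PE_MAGIC = b"MZ"
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".ps1")


def _read(tar, member):
    """Return the bytes of a regular-file member (empty for anything else)."""
    f = tar.extractfile(member)
    return f.read() if f is not None else b""


def _describe(path, blob):
    """Hash one file and apply the executable heuristic."""
    return {
        "path": path,
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "suspicious": blob.startswith(PE_MAGIC)
        or path.lower().endswith(EXEC_SUFFIXES),
    }


def scan_backup(outer_bytes):
    """Walk outer tar -> inner tar.gz -> files; return a per-file report."""
    report = {"metadata": None, "containers": [], "files": []}
    with tarfile.open(fileobj=io.BytesIO(outer_bytes), mode="r:") as outer:
        for member in outer.getmembers():
            if not member.isfile():
                continue
            data = _read(outer, member)
            if member.name.endswith(".json"):
                report["metadata"] = json.loads(data.decode("utf-8"))
            elif member.name.endswith(".tar.gz"):
                # Hash the inner archive itself: if every file inside is clean
                # but the scanner still fires, this blob is what to submit.
                report["containers"].append(_describe(member.name, data))
                with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as inner:
                    for im in inner.getmembers():
                        if im.isfile():
                            report["files"].append(
                                _describe(f"{member.name}:{im.name}", _read(inner, im))
                            )
            else:
                report["files"].append(_describe(member.name, data))
    return report


def suspicious_paths(report):
    """Paths of inner files that look like Windows executables."""
    return [f["path"] for f in report["files"] if f["suspicious"]]


def build_sample_backup():
    """Constructed sample archive (not a real backup): backup.json plus a
    homeassistant.tar.gz with two YAML files and one planted MZ-headed blob."""
    def pack(entries, mode):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode=mode) as t:
            for name, payload in entries:
                info = tarfile.TarInfo(name)
                info.size = len(payload)
                t.addfile(info, io.BytesIO(payload))
        return buf.getvalue()

    inner = pack([
        ("data/configuration.yaml", b"homeassistant:\n  name: Home\n"),
        ("data/secrets.yaml", b"mqtt_password: hunter2\n"),  # the reason to keep it local
        ("data/www/odd.bin", PE_MAGIC + b"\x90\x00" + b"\x00" * 60),
    ], "w:gz")
    meta = json.dumps({"name": "Full backup", "type": "full",
                       "homeassistant": {"version": "2024.3.0"}}).encode()
    return pack([("backup.json", meta), ("homeassistant.tar.gz", inner)], "w:")


if __name__ == "__main__":
    r = scan_backup(build_sample_backup())
    print("backup:", r["metadata"]["name"], "HA", r["metadata"]["homeassistant"]["version"])
    for c in r["containers"]:
        print(f"{'container':10} {c['size']:8d} {c['sha256'][:16]}  {c['path']}")
    for f in r["files"]:
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['size']:8d} {f['sha256'][:16]}  {f['path']}")
```

To use it on a real download, replace `build_sample_backup()` with `open("backup.tar", "rb").read()`. The point of the per-file SHA-256 is that you can scan or submit one member (or one inner .tar.gz) for review instead of the whole archive that also holds secrets.yaml; if no individual file is flagged but the full archive still is, the hashes of the container blobs are what a vendor would need to reproduce the hit.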

I have to answer this one - I know some of the people who do this job PERSONALLY and used to work for Microsoft support. This is the kind of thing I dealt with daily and… 100% this is literally the only way you will see a ‘fix’. If you suspect a false positive, submit the file using their tool and it will be reviewed within 24 hours.

Also, to your ‘I don’t want them to have my passwords’: that’s fantastic! They don’t want them either. They have serious privacy policies inside that WILL get a services employee fired (and potentially prosecuted) for misusing your password if you left it in there. When the review is done the file is destroyed. Any misuse is strictly against company policy and dealt with harshly for MS and its partners.

When you submit a file for this it goes straight to the MSRC (Microsoft Security Response Center) for review, and they take privacy VERY seriously.

To your point, there is no way to ‘know’ it’s a false positive without it being reviewed, but the reasons it’s not a virus are legit and the MSRC would probably clear it right off.

Also, Defender has been false-positiving that particular malware a LOT lately. It false-positived on two add-ins I get from Stream Deck. Looks like the commonality was some kind of compressed file. I’d bet something in the latest definition for that malware partially matches the compression signature for a tarball.

So if you want 100% assurance you’re stuck until you (or someone) submits a file for review to get that false positive cleared.

Personally, given the reasons above, I’d just temporarily disable the AV.

3 Likes

I had a similar issue but it’s not the same.
Mine says Trojan:Script/Phonzy.C!ml
where in a post above it’s Sabsik.FL.A!ml
I tried using jotti to test https://virusscan.jotti.org/
but there seems to be a file limit of 250MB and mine is 600.
can someone test in jotti?

[edit]
Strange thing: the complete backup is marked as a virus,
but when I extract the .tar file and check all tar.gz files separately, no virus is found.

Thanks for the clarification. I’ll submit my “trojan” then.

1 Like

YMMD :rofl:

Last time I touched a Microsoft PC (helping a family member) it turned out that Windows does send the BitLocker encryption key into the Microsoft cloud (by default after installation)! Obviously only for the better of humanity and convenience of the users…

Yes it absolutely is @indeed. It’s salted, re-encrypted and saved in the Microsoft account of the primary user for BitLocker recovery purposes. You can actually see it in the user’s account if you’re an Entra ID user. Personally I’m a fan because it’s helped at least four friends unscrew themselves when they did something that locked the disk. If you don’t want it, fine. Then don’t use a Microsoft account for setup (and yes it’s still possible, see responses to Elon Musk’s latest ‘tweet’ to Satya N.). And if you still don’t care for it then you don’t have to use it. To quote a friend, “choice is good.”

This is not a bash-Microsoft thread, so we’ll leave it there, ok?

Right! Only praises from now on :wink:

Classic, same false positive we got 20 years ago already from snake oil without AI!!1!11!

Because it is compressed it is evil! MS never disappoints!

Strange indeed. It makes me wonder if Defender even supports tar files…

It does, no worries!

Yep – I’ve got the same problem!

Same here.
I updated to HAOS 12.1.rc1 and am getting the same (virus detected) when trying to download the copy to Windows 10.
This didn’t happen before.

Ok, or maybe is the update to 2024.3.0. Not sure which one triggered the alert because I updated both haos and core.