Due to some recent reports, I felt the need to write this to dispel any fears or confusion and to share some things I've learned.
Some of you have reported Windows Defender - inconsistently and randomly - flagging downloads. This seems to happen with some regularity according to what I could gather in the community. Some point to a possible correlation with the latest versions of SB3U (modding tool). I tend to think it's because Windows Defender is more wary about compressed files since last year. In any case, there seems to be a tendency from Windows Defender to falsely flag KK stuff as Wacatac Trojan.
I have revised and tested this all day long. I couldn't find any real threat or unusual behavior. My PC is clean, the files are clean. I invite you to do your own tests using reliable methods to confirm my observations.
The only workaround I can offer you is to use Firefox and flag the content as innocuous if you want to fix the algorithm and avoid WD flagging zipmods in the future.
There were a lot of things I read and tested. So I wish to share with you what I could gather. Starting with what I know for certain:
A couple of you had commented that Windows Defender sometimes flags particular (seemingly random) downloads as viruses.
Windows Defender might flag this as a Generic Trojan and, more likely, as Wacatac Trojan specifically.
Wacatac is a Trojan category of virus that propagates in one of four ways: spam mail downloads, dropper downloads from unauthorized websites, cracked software and cracking software (keygen).
This is a very common false positive, known and reported outside of the community.
This is also mentioned as a false positive inside the community.
These trojans require the execution of a .exe for their attack.
The most common methods are using a keygen or cracking software to hide the attack.
If you are using Windows OS with Chrome/Edge for your download, a false flagging seems to be likely to occur.
Every download contains unity3D assets, .csv and .xml only. There are no .js, .py, .dll, etc. files, and no macros either (because there are no office files). Most importantly, there are no executables (.exe) contained. Nothing that could be malicious as far as I understand.
Unity3D asset files are mostly data containers without standalone executables. They rely on the Unity engine to be interpreted and don’t carry code that can autonomously execute or infect systems.
All of the files reported (the compressed formats and uncompressed files too) have been put through a few tests (Virus Total, Avast, etc.) and have come clean. [I invite you to do your own tests and share the results to confirm]
The uncompressed files have been scanned with my local Windows Defender and have not triggered any warnings.
All locally created zipmod files (mine) and all other zipmods from the community have been scanned using my local Windows Defender and have not triggered any warnings either.
Flagging from Windows Defender only occurred when I downloaded a particular non-specific zipmod (or a file containing this particular zipmod) using Edge or Chrome (only tested these besides Firefox) from Mega, Discord or Drive (only tested these).
This happened to me in a very inconsistent manner. For instance: Windows Defender flagged Amy Wong at 2 p.m. but not at 6 p.m. The same happened for individual zipmods. Changing minimal info (like the version) or rebuilding the zipmod as a copy would impede flagging, only for it to happen again later, or maybe not.
This even happened with files stored in Mega since 2022, long before these reports started occurring.
Revising the contents of the downloaded zipmods, I confirmed they had - in no way - been altered when compressed or uploaded. That is, there were no new hidden files, no corruption, no changes in the archives, etc. Just the original directories, unity3D assets, .csv and .xml. [I invite you to do your own tests and share the results to confirm]
If and once Windows Defender would flag a downloaded zipmod, it would also flag the original zipmod contained in my HD when scanned for a second time. Even if it hadn't been flagged on the first round.
I've scanned my PC with Windows Defender to be sure - specifically my KK folder where I hold all the files I share - and nothing came of it.
A couple of you guys have now confirmed my observations having reported the same issues with your own compressed files. KK-related or non-related.
This is what I think is happening:
I've observed that the flagging (only flagged by Windows Defender) is mainly caused by the .zipmod compressed format and never by its contents.
This would only happen when downloading the zipmod from Chrome or Edge (as far as I tested).
It's possible that if someone incorrectly reported my content as malicious, browsers and/or Windows Defender could be more likely to flag it. (Please do your due diligence and scan the files properly before reporting if it's the case)
I've read on the Illusion and KK Server this happens with some regularity and I feel it's been reported more often in the past months.
There are a couple of mentions of false positives for something called Wacatac Trojan, which is exactly what I get with Windows Defender for all of these inconsistent cases.
Reading further into this, some speculate that Windows Defender (alongside certain mainstream browsers) has incremented its bias against .zip and .rar files due to increased threats like this one -> Read
Alternatively, I guess since zipmods are downloaded as compressed files, they aren't registered, they're placed somewhere known in your PC and then they do something to your application; perchance, the Windows Defender algorithm (partnering with Chrome and Edge) has learned to superficially and wrongfully flag mods as cracks.
This seems to coincide with the reports that started occurring and my observations about .zipmods (which are recognized as .zip files).
What I gather from all of this is that there are a lot of false positives caused by Windows Defender (tagging with browsers) getting a bit paranoid about the compressed files. Probably more paranoid if it's an unusual .zipmod file format. Regardless of the content of the compressed files, Windows Defender will randomly flag the downloads from Chrome and Edge.
Unfortunately I don't really have an immediate solution to this. I don't recommend disabling Windows Defender, so the only workaround I can offer you is to use Firefox in these cases or tell Windows Defender these files are innocuous if you want to fix their algorithm in the long run. I also recommend you scan the files using VirusTotal if you feel uneasy. But don't report the files if you're not sure they're malicious, please.
If you have any legitimate skill or knowledge in this area, please let me know what you find. It would be of great value.
I'm really sorry this is happening to some of you. It's bad enough for you and it's worse for me because I can't really explain this to newcomers. I feel it's awful that my content is being flagged by stupid Windows Defender or - I hope not - due to incorrect reports. It pushes me to the brink. I hate to be honest but this is getting a bit inconvenient :/. This sent me into a spiral of paranoia with my Windows Defender tagging along and losing its crispy marbles. It was a bad day and a true spook. Halloween, amiright? :P
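An added example, not part of the original post or any modding tool: a small Python check that lists what is inside a zipmod (a plain .zip archive), flags any entry that is not one of the expected unity3D/.csv/.xml files, and compares a downloaded copy against the local original hash by hash, so a changed file or a dropped-in executable is visible before anyone reports the download. Both archives below are constructed in memory for the demo; the file names and contents are made up and are not a real mod.

```python
import hashlib
import io
import posixpath
import zipfile

# File types the post says a zipmod should contain: asset containers and metadata only.
ALLOWED_EXT = {".unity3d", ".csv", ".xml"}
# Anything that can run or embed code on Windows deserves a manual look before reporting.
SUSPECT_EXT = {".exe", ".dll", ".js", ".py", ".bat", ".cmd", ".ps1", ".vbs", ".scr", ".lnk"}


def audit_zipmod(data):
    """Per-entry SHA-256 digests plus any entries outside the expected file types."""
    digests, suspect, unexpected = {}, [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext in SUSPECT_EXT:
                suspect.append(info.filename)
            elif ext not in ALLOWED_EXT:  # e.g. a nested .zip/.rar lands here
                unexpected.append(info.filename)
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return {"digests": digests, "suspect": suspect, "unexpected": unexpected}


def diff_zipmods(original, downloaded):
    """Compare the downloaded archive with the local original, entry by entry."""
    a = audit_zipmod(original)["digests"]
    b = audit_zipmod(downloaded)["digests"]
    return {"added": sorted(set(b) - set(a)),
            "missing": sorted(set(a) - set(b)),
            "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n])}


def _build(entries):
    """Constructed sample archive (not a real mod), built in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


CLEAN = {"manifest.xml": b"<manifest/>", "abdata/list/x.csv": b"a,b\n", "abdata/chara/x.unity3d": b"UnityFS"}
ORIGINAL = _build(CLEAN)
TAMPERED = _build({**CLEAN, "setup.exe": b"MZ"})  # constructed: same files plus a dropped-in .exe

if __name__ == "__main__":
    print(audit_zipmod(ORIGINAL)["suspect"], diff_zipmods(ORIGINAL, TAMPERED))
```

For a real check, read the local .zipmod and the downloaded copy with open(path, "rb").read() and pass the two byte strings to diff_zipmods; an empty "added", "missing" and "changed" means the archive arrived unaltered.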