Windows Defender flags newest wstunnel.exe as trojan

[Imfae]

Hello,

I was upgrading wstunnel from the 7.9.2 version to the 9.2.2 version. For client side, I downloaded wstunnel_9.2.2_windows_amd64.tar.gz for my Windows 10 machine. Immediately after unzipping the tar.gz file, Windows Defender isolated wstunnel.exe and flagged it as Trojan:Win32/Bearfoos.A!ml with a threat level of Severe.

I have, of course, overridden the antivirus's verdict and allowed the program. But having never received this warning while using the 7.9.2 version or the earlier Haskell versions, I think I should raise the issue to your attention.

And please, for the peace of mind of this ignorant user, the newest release is not really a trojan, right?

[erebe]

Hello,

Thanks for letting me know. I can assure you the latest release is not a trojan, so be at peace.

Would you mind trying previous release and telling me if windows still flag it as trojan https://github.com/erebe/wstunnel/releases/tag/v9.2.1 ?

In the latest release, i stripped debug and symbols information, to make binary smaller, maybe it is that it does not like

let me know !

[Imfae]

I can assure you the latest release is not a trojan

That's good to know. Thank you.

Would you mind trying previous release and telling me if windows still flag it as trojan https://github.com/erebe/wstunnel/releases/tag/v9.2.1 ?

Windows Defender on my machine does not flag the 9.2.1 version as trojan. But since I allowed the 9.2.2 version, I'm not entirely sure if the antivirus just 'learned' not to flag similar programs.

[erebe]

Ok, let's see if other people complains about it. I am letting the issue open
(I tried on a Windows 7, and no warning)

[erebe]

Hi back,

In the end you were right, I tried on the Windows 11 of my wife, and wstunnel latest version has been detected as trojan while v9.2.1 not.

I have re-set the debug symbols for windows build, and updated the artifacts of the v9.2.2 to include them.

Thanks for reporting :)

[khanhj]

@erebe This issue happened again on v10.1.0 to latest version. Microsoft Windows flags this trojan. Can you please update?

[erebe]

Would you mind trying this binary and let me know ?

https://github.com/erebe/wstunnel/releases/download/v10.1.8/wstunnel_10.1.8_windows_amd64_obfuscated.exe

[gauravkanoongo]

Hey @erebe

I attempted to install v10.1.8 using Scoop and it was flagged as trojan by Windows Security:

then, I used above given link to download wstunnel_10.1.8_windows_amd64_obfuscated.exe also, and it is also getting detected as trojan:

Let me know if you want me to try anything additional.

[resyguok42]

In the meantime, it seams a manually compiled version of wstunnel (10.1.8 windows amd64) does not trigger Windows Defender.

1. Install Rust with default options via https://www.rust-lang.org/tools/install
2. Install git with default options via https://git-scm.com/downloads/win
3. Inside a Command Prompt:

cd %TMP% && rmdir /s /q wstunnel && git clone --depth 1 https://github.com/erebe/wstunnel.git && cd wstunnel
cargo build --release --package wstunnel-cli
copy target\release\wstunnel.exe %LOCALAPPDATA%\Microsoft\WindowsApps
cd %USERPROFILE%
wstunnel --version

[wolfman42]

In the meantime, it seams a manually compiled version of wstunnel (10.1.8 windows amd64) does not trigger Windows Defender.

1. Install Rust with default options via https://www.rust-lang.org/tools/install
2. Install git with default options via https://git-scm.com/downloads/win
3. Inside a Command Prompt:

cd %TMP% && rmdir /s /q wstunnel && git clone --depth 1 https://github.com/erebe/wstunnel.git && cd wstunnel
cargo build --release --package wstunnel-cli
copy target\release\wstunnel.exe %LOCALAPPDATA%\Microsoft\WindowsApps
cd %USERPROFILE%
wstunnel --version

Followed these steps and the resulting wstunnel.exe no longer gets flagged as a Trojan on VirusTotal.com. However, AliCloud / Acronis (Static ML) still detects that it is wstunnel. It classifies it as "Proxytool:Multi/WSTunnel".