Scala CLI v1.2.0 mistagged by Windows Defender as a Trojan in v1.2.0/scala-cli-x86_64-pc-win32.zip #2789

Open
philwalk opened this issue Mar 9, 2024 · 4 comments
Labels
anti-malware analysis Issues tied with anti-malware analysis of Scala CLI packages. installation Everything related to installing the CLI itself windows Windows-specific issues

Comments

@philwalk
Contributor

philwalk commented Mar 9, 2024

Version(s)
v1.2.0 windows release

Describe the bug
Windows Defender reports that it's infected with a virus

To Reproduce
download this file:
releases/download/v1.2.0/scala-cli-x86_64-pc-win32.zip

After download, go to the Chrome downloads page, click show-in-folder, right-click on the zip file and then Scan with Microsoft Defender.

Defender prevented the unzip with the following information:

Threat blocked
Detected: Trojan:Script/Wacatac.B!ml
Status: Removed
A threat or app was removed from this device.
Date: 2024-03-09 10:46 AM
Details:
Affected items:
file: C:\Users\user\Downloads\scala-cli-x86_64-pc-win32.zip
[...]

Expected behaviour
Perhaps this is a false positive, hopefully it won't prevent Windows users from trying out scala-cli.

BTW, let me know if I should report this type of problem as other than as a bug ...

@philwalk philwalk added the bug Something isn't working label Mar 9, 2024
@Gedochao Gedochao added windows Windows-specific issues installation Everything related to installing the CLI itself labels Mar 11, 2024
@Gedochao
Contributor

We always submit Windows native packages (.msi) for malware analysis when releasing a new Scala CLI version, as it often gets mistagged by Windows Defender otherwise.
For v1.2.0, the submission was done on 07.03.2024 (4 days ago, as of me writing this post).
It is very variable when it comes to Microsoft processing these submissions, sometimes it happens within 24 hours, sometimes it's still in progress after 2 weeks.
This time, after 4 days it's still in progress.
The file used for the submission is this one:

You're using the .zip, but that shouldn't matter once Microsoft approves this version as malware-free.

If you're curious about the process, it's described in our release steps here.

I will leave this issue open until the submission gets approved, in case anyone else looks for the answer in the meantime.

@Gedochao Gedochao changed the title Windows Defender reports a Trojan in v1.2.0/scala-cli-x86_64-pc-win32.zip Scala CLI v1.2.0 mistagged by Windows Defender as a Trojan in v1.2.0/scala-cli-x86_64-pc-win32.zip Mar 11, 2024
@Gedochao Gedochao added anti-malware analysis Issues tied with anti-malware analysis of Scala CLI packages. and removed bug Something isn't working labels Mar 11, 2024
@Gedochao
Contributor

BTW, let me know if I should report this type of problem as other than as a bug ...

@philwalk I created a dedicated label for issues of this kind: anti-malware analysis Issues tied with anti-malware analysis of Scala CLI packages.

@Gedochao Gedochao added this to To do in Issue Board via automation Mar 11, 2024
@tgodzik tgodzik removed this from To do in Issue Board Mar 13, 2024
@boggye

boggye commented Mar 15, 2024

I have the same issue... I cannot install it on a Windows 2016 machine. And Defender won't let me run the msi program.


@Gedochao
Contributor

Gedochao commented Mar 18, 2024

@boggye unfortunately, Microsoft still has not finished analysing our most recent release.
I submitted it on 07.03.2024, so it's been processed for 11 days already at the time of writing this comment.


This is, unfortunately, the way it is with new releases on a Windows device. This should be fixed once Microsoft Security Intelligence finishes the scan and fixes the tagging for Scala CLI. Of course, when the next Scala CLI version comes out, we will wait for them to confirm Scala CLI indeed is not malware all over again.
I wish there was a way for us to expedite this process, but it is what it is.

In the meantime, what I can suggest is:

  • use an earlier release which has already been scanned by Microsoft
    • I actually can't confirm if v1.1.3 has been approved by Microsoft already, but v1.1.2 definitely was; you can try either of them
  • use the JVM distribution via our fatJAR, temporarily (it may start slightly slower, but perhaps this solution would work for you)
    • you can use the fatJAR with Coursier:
      cs launch org.virtuslab.scala-cli:cliBootstrapped:latest.release -M scala.cli.ScalaCli
