Windows 11 Trojan:Win32/Wacatac.B!ml when using CustomTkInter in a pyinstaller #2658

Open
hansvdam opened this issue Dec 13, 2024 · 3 comments

Comments

@hansvdam

I spent a long time nailing this down to the source and finally removed CustomTkinter from my codebase. I want to leave some trace, because I could not find anything about this online:
I used it in an application (for Windows and Mac) in a PyInstaller and for Windows packed using an inno-installer.
Windows Security flags the installer as Trojan:Win32/Wacatac.B!ml when I include CustomTkinter (and darkdetect) in the build. Without it everything is fine.

@MAINER4IK

Buy a certificate and make a digital signature; the library is not to blame for this in any way.

@Akascape

Akascape commented Jan 18, 2025

It's not a problem with the library itself. Getting flags from antivirus software like this is common when using PyInstaller and Inno Setup.

Solutions:

Invest in a Software Signing Certificate: If you plan to work on larger projects, obtaining a software signing certificate is recommended.
OR
Avoid Using Inno Setup: Instead, try distributing a one-file executable created using PyInstaller. Check this: #939

Experiment with Executable Packing: Check which files and libraries are triggering the antivirus.

Check in VirusTotal: Upload the executable to VirusTotal.com to check the false positive rating. If you encounter serious detections, try to contact the antivirus vendors to remove the false positives, in case you are distributing the executables in public. But 2-5 false detections are common if it's not signed.

@teijiIshida

It's the darkdetect library (which uses winreg) that CustomTkinter is using. When packaging using auto-py-to-exe one directory, I almost always get this Wacatac detection and about 15-25 detections on VirusTotal. My guess is because most malware modifies the registry, so vendors just blanket-wide detect it as bad in the signature.

I removed darkdetect and modified my CustomTkinter to still work without winreg. It still can do Dark/Light mode (but no System mode). Now, I don't get this detection anymore and VirusTotal doesn't show me 25+ false detections. I still get 7 detections from the usual crappy vendors, but I ignore them.
