Using WindowsIconUpdater.exe will cause Windows Defender to block the game

Post reply

❤Follow Topic(11)

0 favourites

11 posts

From the Asset Store

Using the GooglePlay Games native plugin

$2.49 USD

With this template you will learn how to use the GooglePlay Games native plugin

iagolira

- 68kStudios
- - Joined 19 Apr, 2016
  - 14 topics • 92 posts
- 4
- 19 Jul, 2023
- Quote
Hi,

I've been reported that one of my game published on Steam is being blocked by Windows Defender. After some days of trying, I've found that the cause of this issue is WindowsIconUpdater.exe.

If you use this (very helpful) tool, Windows Defender will find a trojan called "wacatac.H!ml" on the exe of the game. I think that is a false positive, but is enough to create issues in some users and prevent them to play the game.

To reproduce the issue, simply scan the folder of the game (exported with NW.js) using Windows Defender before and after the usage of WindowsIconUpdater.exe

PS: I haven't opened a bug report because it's not a Construct bug and I don't have a project to attach
- dop2000
- - Joined 26 May, 2016
  - 134 topics • 12,103 posts
- 2
- 19 Jul, 2023
- Quote
Yeah, I had the same issue today! Windows Defender blocked and removed NW.EXE file claiming that it was infected by "wacatac.H!ml" trojan.

But in my case this happened in NWJS preview, so I don't think it's necessarily related to the WindowsIconUpdated app. I believe this happens when NWJS tries to write something to disk.
- Ashley Construct Team Founder
- Moderator
- - Joined 21 May, 2007
  - 668 topics • 30,065 posts
- 1
- 20 Jul, 2023
- Quote
You need to report false positives like this to the antivirus vendor. Only they can change what is detected as malicious or not.
- 68kStudios
- - Joined 19 Apr, 2016
  - 14 topics • 92 posts
- 2
- 20 Jul, 2023
- Quote
You need to report false positives like this to the antivirus vendor. Only they can change what is detected as malicious or not.

WindowsIconUpdater itself doesn't trigger any alert, neither does the the exe of the game. Windows Defender blocks the exe only after I've used WindowsIconUpdater to change the icons.

Anyway, we can still use Resource Hacker to change the icons; I just wanted to inform other users of the cause of the issue.
- Ashley Construct Team Founder
- Moderator
- - Joined 21 May, 2007
  - 668 topics • 30,065 posts
- 1
- 20 Jul, 2023
- Quote
Regardless though, you still need to submit such false positives to the antivirus vendor, so they can improve their detection and make sure they don't incorrectly flag files. I suspect there is a single change they can make to their detection that will avoid all false positive cases with NW.js, so long as they have some examples of false positives submitted by users.
- technic
- - Joined 10 Jan, 2022
  - 16 topics • 28 posts
- 2
- 20 Jul, 2023
- Quote
Can confirm this, had the same thing happen today.
- molter
- - Joined 1 Aug, 2015
  - 4 topics • 11 posts
- 3
- 21 Jul, 2023
- Quote
Just to confirm too, players can't play my game since Steam is flagging it as having a virus. I'll report it to AV providers and I encourage anyone with this problem to do it too.
Try Construct 3

Develop games in your browser. Powerful, performant & highly capable.
Try Now Construct 3 users don't see these ads
- molter
- - Joined 1 Aug, 2015
  - 4 topics • 11 posts
- 2
- 21 Jul, 2023
- Quote
Just to confirm too, players can't play my game since Steam is flagging it as having a virus. I'll report it to AV providers and I encourage anyone with this problem to do it too.

Quick update and workaround:

Newest versions of NWJS (Tested 0.77.0 and 0.76.0) are running into false positives, regardless of if you run the icon updater. Older versions of NWJS don't trigger any false positives (Tested 0.61.0), but will still trigger it if you run the icon updater.
- Airlinefood
- - Joined 26 Mar, 2013
  - 1 topics • 4 posts
- 3
- 31 Jul, 2023
- Quote
Having the same problem after running the nw.js icon updater as well on the most recent C3 build. The games exe and icon updater will trigger active virus software, if and when the icon updater is ran, otherwise running the exe (*in my case) without updating the icons caused no issue.

Never had this problem when running it before.

This false positive occurs across different virus suites/databases as: .Trojan:Win32/Bearfoos.B!ml

Surely there has to be a better solution then reporting it to each individual vendor, specially if this is a general problem native to construct or nw js?

Tried using resource hacker to change the games icon with no luck, and its seems counter intuitive to be spending additional time and resources to solve a problem caused by the out of the box solution bundled in the software I am paying to access. How is this not a C3 problem, when the problem occurs naturally from using the product as intended?
- Ashley Construct Team Founder
- Moderator
- - Joined 21 May, 2007
  - 668 topics • 30,065 posts
- 2
- 1 Aug, 2023
- Quote
Surely there has to be a better solution then reporting it to each individual vendor, specially if this is a general problem native to construct or nw js?

I'm afraid there isn't. Everyone affected should report any false positives to their antivirus vendor. It's the only way things like this get sorted out.

I'm pretty sure this is nothing to do with the icon updater, and the base files themselves are flagged as false positives. Perhaps the fact the icon updater tool modifies the files causes antivirus software to take note.
- AdinsenUniverses
- - Joined 27 Jan, 2024
  - 0 topics • 1 posts
- 0
- 11 Apr, 2024
- Quote
havin the same issue and im worried that it wacatac might be a actual virus that will hack my pc and try and discover where i am