Trojan:Script found in fmodules\yahooqt.mxt
I updated the quotes download extension tool yesterday for Moneydance and this morning the Trojan:Script\Wacatac.B!ml was found and removed by Microsoft Defender from the moneydance\fmodules\yahooqt.mxt file.
Support Staff 1 Posted by Maddy on May 05, 2022 @ 02:36 PM
Hi Don,
We are sorry to hear about the problem you have encountered.
Unfortunately, this is a false alert and a known problem. The only workaround for the time being is to allow this file/process until it’s fixed.
I hope this information is helpful. Please let us know if you have further questions or need more assistance.
--
Maddy, Infinite Kind Support
2 Posted by esqack on May 06, 2022 @ 01:12 AM
Hi Maddy,
What is your source for characterizing this as a false alert/positive? The developer? My Defender app also quarantined the file/automatically removed the yahooqt.mxt extension from Moneydance's fmodules folder. Thanks.
Support Staff 3 Posted by Sean Reilly on May 06, 2022 @ 11:53 AM
Hi Don,
I've verified that the yahooqt.mxt extension is exactly identical to the one that I've created, and I can assure you that there were no viruses in it then, or added since. If you've used the built-in extension manager to find and install the extension, and not downloaded the yahooqt.mxt file from the web or received it via email, then it is safe to load.
I ran Windows Defender on the original file and it thought there was a virus in it, but I confirmed the contents of the file are exactly as when I packaged and digitally signed the extension. I've also extracted the contents of the file and verified that there isn't any malicious code within it.
When I looked up the details on the virus that Defender claims it is, it doesn't match up and there's no way that such a virus could infect something based on the way that moneydance loads the extension files.
I'm confident that this is a false alarm and the threat should be "allowed" by going into Windows Defender, clicking on the Actions menu for the threat and choosing "Allow".
Thanks,
Sean
--
Sean Reilly
Developer, The Infinite Kind
https://infinitekind.com
4 Posted by Scott on May 06, 2022 @ 12:38 PM
I don't know if it helps with any resolution from the development side, but Windows Defender also claims that Trojan:Script/Oneeva.A!ml is also present in yahooqt.mxt. I thought this info might be useful in case iK is working with Microsoft towards a resolution. Thanks!
5 Posted by Joe on May 06, 2022 @ 08:40 PM
I too had Windows Defender claim (May 6, 2022) that Trojan:Script/Oneeva.A!ml is also present in yahooqt.mxt and quarantined the file. Is this a false positive as well?
Thanks
6 Posted by esqack on May 07, 2022 @ 04:56 AM
Thank you for the replies.
7 Posted by don.canova on May 08, 2022 @ 05:27 PM
Today, after updating Windows "Security Intelligence Version" with version 1.363.1629.0 dated 05/08/2022 03:44 I was able to download and install fmodules/yahooqt.mxt v1032 without it being flagged. I even ran Windows Defender against the file itself.
I am unsure if you worked with Microsoft, or they changed their "intelligence" on their own, or if you changed your yahooqt script. But for future reference, in my opinion, I think it unwise to recommend allowing flagged threats just to make your software work.
8 Posted by don.canova on May 08, 2022 @ 10:01 PM
Well... Unfortunately I spoke too soon. This afternoon I fired up my computer again and Windows Defender immediately found the Trojan:Script/Oneeva.A!ml once more. Maybe this will help diagnose the problem when you talk to Microsoft, but I won't be using your script until you or Microsoft fix this problem.
9 Posted by don.canova on May 08, 2022 @ 10:03 PM
Perhaps the Trojan:Script is downloading from Yahoo when the quotes are downloaded.
10 Posted by esqack on May 08, 2022 @ 11:10 PM
I did not get a hit on either yahooqt or oneeva today when I installed the extension and updated the security values. However, I do think don.canova's suggestion is prudent -- something is triggering the alerts, even if beyond The Infinite Kind's build, and it likely is best to put it on ice until the cause is determined or corrected and announced.
11 Posted by don.canova on May 16, 2022 @ 01:28 PM
Last Friday I again downloaded your Quotes and Exchange Rates Updater script v1032 and Microsoft Defender allowed it to install without alerting. I used the script to download quotes on Friday and this morning (Monday) and so far, still no alerts from MS Defender. The MS Defender "Intelligence" version I now have installed is 1.363.2050.0 dated 5/16/2022. Hopefully this ends the drama.
12 Posted by esqack on May 16, 2022 @ 04:01 PM
I had the same experience. Thank you for following up, and in doing so, reminding me that I needed to reinstall the extension.
System closed this discussion on Aug 15, 2022 @ 04:10 PM.
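The thread turns on whether the same file is flagged under one Security Intelligence version and cleared under another. The PowerShell below is an added example, not code from any participant or from The Infinite Kind: it records the file's SHA-256, the Defender definition version in effect, and any Defender detections that name the file, so the result can be compared after each definition update and the hash checked against a copy obtained from the vendor. The `-Path` value is an assumption supplied by the reader; the thread does not give the full install path.

```powershell
# Added example: snapshot what Defender says about one file, together with the
# Security Intelligence (definition) version in effect at the time.
param(
    # Assumption: full path to the installed extension on this machine.
    [Parameter(Mandatory)] [string] $Path
)

$status = Get-MpComputerStatus
$name   = Split-Path -Leaf $Path

# Hash the file if it is still on disk; Defender may already have quarantined it.
$sha256 = if (Test-Path -LiteralPath $Path) {
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
} else {
    '<file not present>'
}

# Keep only detections whose resource list mentions this file name.
$detections = @(Get-MpThreatDetection |
    Where-Object {
        ($_.Resources -join ';').IndexOf($name, [StringComparison]::OrdinalIgnoreCase) -ge 0
    } |
    ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            ThreatName = $threat.ThreatName
            Resources  = $_.Resources -join ';'
        }
    })

# One record per run; append it to a log to compare across definition updates.
[pscustomobject]@{
    File             = $Path
    SHA256           = $sha256
    SignatureVersion = $status.AntivirusSignatureVersion
    SignatureUpdated = $status.AntivirusSignatureLastUpdated
    Detections       = $detections
} | ConvertTo-Json -Depth 3
```

Running it once when the alert fires and again after a definition update gives a dated record of which version flagged the file and whether the hash changed in between.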