Trojan:Script found in fmodules\yahooqt.mxt

don.canova

05 May, 2022 02:22 PM

I updated the quotes download extension tool yesterday for Moneydance and this morning the Trojan:Script\Wacatac.B!ml was found and removed by Microsoft Defender from the moneydance\fmodules\yahooqt.mxt file.

  1. Posted by Maddy (Support Staff) on 05 May, 2022 02:36 PM

    Hi Don,

    We are sorry to hear about the problem you have encountered.

    Unfortunately, this is a false alert and a known problem. The only workaround for the time being is to allow this file/process until it’s fixed.

    I hope this information is helpful. Please let us know if you have further questions or need more assistance.

    --
    Maddy, Infinite Kind Support

  2. Posted by esqack on 06 May, 2022 01:12 AM

    Hi Maddy,

    What is your source for characterizing this as a false alert/positive? The developer? My Defender app also quarantined the file/automatically removed the yahooqt.mxt extension from Moneydance's fmodules folder. Thanks.

  3. Posted by Sean Reilly (Support Staff) on 06 May, 2022 11:53 AM

    Hi Don,

    I've verified that the yahooqt.mxt extension is exactly identical to the one that I've created, and I can assure you that there were no viruses in it then, or added since. If you've used the built-in extension manager to find and install the extension, and not downloaded the yahooqt.mxt file from the web or received it via email, then it is safe to load.

    I ran Windows Defender on the original file and it thought there was a virus in it, but I confirmed the contents of the file are exactly as when I packaged and digitally signed the extension. I've also extracted the contents of the file and verified that there isn't any malicious code within it.

    When I looked up the details on the virus that Defender claims it is, it doesn't match up and there's no way that such a virus could infect something based on the way that Moneydance loads the extension files.

    I'm confident that this is a false alarm and the threat should be "allowed" by going into Windows Defender, clicking on the Actions menu for the threat and choosing "Allow".

    Thanks,
    Sean

    --
    Sean Reilly
    Developer, The Infinite Kind
    https://infinitekind.com

  4. Posted by Scott on 06 May, 2022 12:38 PM

    I don't know if it helps with any resolution from the development side, but Windows Defender also claims that Trojan:Script/Oneeva.A!ml is also present in yahooqt.mxt. I thought this info might be useful in case iK is working with Microsoft towards a resolution. Thanks!

  5. Posted by Joe on 06 May, 2022 08:40 PM

    I too had Windows Defender claim (May 6, 2022) that Trojan:Script/Oneeva.A!ml is also present in yahooqt.mxt and quarantine the file. Is this a false positive as well?

    Thanks

  6. Posted by esqack on 07 May, 2022 04:56 AM

    Thank you for the replies.

  7. Posted by don.canova on 08 May, 2022 05:27 PM

    Today, after updating Windows "Security Intelligence Version" with version 1.363.1629.0 dated 05/08/2022 03:44 I was able to download and install fmodules/yahooqt.mxt v1032 without it being flagged. I even ran Windows Defender against the file itself.
    I am unsure if you worked with Microsoft, or they changed their "intelligence" on their own, or if you changed your yahooqt script. But for future reference, in my opinion, I think it unwise to recommend allowing flagged threats just to make your software work.

  8. Posted by don.canova on 08 May, 2022 10:01 PM

    Well... Unfortunately I spoke too soon. This afternoon I fired up my computer again and Windows Defender immediately found the Trojan:Script/Oneeva.A!ml once more. Maybe this will help diagnose the problem when you talk to Microsoft, but I won't be using your script until you or Microsoft fix this problem.

  9. Posted by don.canova on 08 May, 2022 10:03 PM

    Perhaps the Trojan:Script is downloading from Yahoo when the quotes are downloaded.

  10. Posted by esqack on 08 May, 2022 11:10 PM

    I did not get a hit on either yahooqt or oneeva today when I installed the extension and updated the security values. However, I do think don.canova's suggestion is prudent -- something is triggering the alerts, even if beyond The Infinite Kind's build, and it likely is best to put it on ice until the cause is determined or corrected and announced.

  11. Posted by don.canova on 16 May, 2022 01:28 PM

    Last Friday I again downloaded your Quotes and Exchange Rates Updater script v1032 and Microsoft Defender allowed it to install without alerting. I used the script to download quotes on Friday and this morning (Monday) and so far, still no alerts from MS Defender. The MS Defender "Intelligence" version I now have installed is 1.363.2050.0 dated 5/16/2022. Hopefully this ends the drama.

  12. Posted by esqack on 16 May, 2022 04:01 PM

    I had the same experience. Thank you for following up, and in doing so, reminding me that I needed to reinstall the extension.
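
The checks discussed in this thread (comparing the installed file with what the publisher shipped, noting which security intelligence version produced the verdict, and rescanning after an update) can be scripted with the built-in Defender cmdlets. This is an added example, not part of the original discussion and not code from The Infinite Kind; `$ExpectedSha256` is an assumption, since the thread publishes no hash and the value has to come from the publisher, and `$Path` is wherever yahooqt.mxt is installed on your machine.

```powershell
# Added example: triage a Defender detection on one file before deciding to allow it.
param(
    [Parameter(Mandatory)][string]$Path,            # full path to yahooqt.mxt
    [Parameter(Mandatory)][string]$ExpectedSha256   # placeholder: value supplied by the publisher
)

# 1. Record which security intelligence build is producing the verdict.
$status = Get-MpComputerStatus
"Security intelligence: {0} (updated {1})" -f `
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated

# 2. Show the detection history that names this file, with threat names resolved.
$leaf = Split-Path -Leaf $Path
Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ';') -like "*$leaf*" } |
    ForEach-Object {
        [pscustomobject]@{
            Detected = $_.InitialDetectionTime
            Threat   = (Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue).ThreatName
            Resource = $_.Resources -join ';'
        }
    } | Sort-Object Detected | Format-Table -AutoSize

# 3. Is the file on disk byte-for-byte what the publisher shipped?
if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "$Path not found (possibly quarantined); reinstall it before comparing."
    return
}
$actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.Trim()) {   # -ne is case-insensitive for strings
    Write-Warning "Hash mismatch: $actual. Treat the detection as real and do not allow the file."
    return
}
"Hash matches the publisher's value."

# 4. Refresh definitions and rescan only this file to see whether the verdict persists.
Update-MpSignature
Start-MpScan -ScanType CustomScan -ScanPath $Path
"Rescanned with security intelligence " + (Get-MpComputerStatus).AntivirusSignatureVersion
```

A matching hash only shows the file is the one the publisher shipped; the decision to allow it still rests on trusting that publisher's build.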
