Windows Defender removes v0.19.1


Scott Currie

Sep 15, 2025, 12:50:34 AM
to pat-users
FYI, Windows Defender does not like v0.19.1, and it immediately removes pat.exe as soon as you unzip it.

-Scott, NS7C

Martin Hebnes Pedersen

Sep 15, 2025, 1:43:14 AM
to Scott Currie, pat-users
Hi Scott,

Thanks for letting us know :)

This is most likely a false positive. Windows Defender does this for Go apps from time to time.

I will need to submit a form to Microsoft for manual review of the file. And for that, I need more details.

Can you or anyone else please provide a screenshot detailing which threat (Detection Name) it was identified as?

Thanks!


-- 
73 de LA5NTA / Martin


Scott Currie

Sep 15, 2025, 1:52:26 AM
to Martin Hebnes Pedersen, pat-users
Oddly, this shows up as a settings modifier:

[screenshot attached: image.png]

Not something I have seen before.
If I allow it, it runs fine and my hosts file has not been changed.

I also tested the Gensio v0.24 fork, and Defender did not complain about that.

-Scott

Martin Hebnes Pedersen

Sep 15, 2025, 1:53:00 AM
to Scott Currie, pat-users
This is definitely a false positive, as none of the scanners on virustotal.com detect it as a threat.

Martin Hebnes Pedersen

Sep 15, 2025, 12:05:34 PM
to Scott Currie, pat-users
Scott,

I'm guessing this is the SettingsModifier:Win32/PossibleHostsFileHijack which presumably is triggered when the hosts file is modified. It's a bit odd, since this was detected before you ever executed the program.

Have you made manual changes to your hosts file recently?

I'm finding no evidence on google indicating that this particular threat is a common false positive for Go apps.

I'm very interested in hearing from other Windows users installing Pat v0.19.1. Wondering if this is a one time thing, or if everyone is seeing the same behavior from MS Defender.

-- 
Martin


Scott Currie

Sep 15, 2025, 5:22:23 PM
to Martin Hebnes Pedersen, pat-users
So, I have installed v0.19.1 on 3 Windows systems now, and only one has complained. Two are Win11 Pro, and the other is Win10 Pro. Only one of the Win11 systems complained. There is no significant difference between the systems that I am aware of. They were all upgraded from previous Windows versions, so perhaps there is some garbage hanging around in the one system that complains. M$ magic...

-Scott, NS7C

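The checks Martin is asking for (the exact Detection Name and the real state of the hosts file) plus the per-machine comparison that Scott's three-system test calls for, collected into one script. This is an added example, not code from the thread or from Pat itself. It assumes an elevated PowerShell session on the machine that complained, that Defender is the active AV engine (the Get-Mp* cmdlets are Defender's own), and that pat.exe was unzipped to the path in $PatExe, which is an assumed location.

```powershell
# Added example, not from the thread or the Pat project: triage a Defender hit on a
# freshly unzipped pat.exe. Run in an elevated PowerShell on the machine that
# complained; run steps 0 and 1 on the machines that did not as well, for comparison.
# $PatExe is an assumption; point it at wherever you extracted the release.
$PatExe    = 'C:\Users\scott\Downloads\pat\pat.exe'
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 0. Same binary, different verdicts on three machines is usually an engine or
#    signature-version difference or a different cloud-protection setting, so
#    record these on every machine before comparing anything else.
Get-MpComputerStatus | Select-Object AMEngineVersion, AntivirusSignatureVersion, RealTimeProtectionEnabled
Get-MpPreference     | Select-Object MAPSReporting, CloudBlockLevel, SubmitSamplesConsent

# 1. Recover the exact Detection Name from the local history. Get-MpThreatDetection
#    holds one record per event (file, time, triggering process) but only the numeric
#    ThreatID; Get-MpThreat maps that ID to the name Microsoft's submission form asks for.
$threatName = @{}
Get-MpThreat | ForEach-Object { $threatName[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'pat\.exe' } |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime,
                  @{ n = 'DetectionName'; e = { $threatName[$_.ThreatID] } },
                  ProcessName,   # the unzip tool or explorer.exe if it fired on extraction, pat.exe if at run time
                  @{ n = 'Resource'; e = { $_.Resources -join '; ' } },
                  ActionSuccess |
    Format-List

# 2. Verify the hosts file the detection name refers to. The stock Windows hosts
#    file is comments only, so any line that survives comment stripping is a real entry.
$activeHosts = Get-Content $HostsFile |
    ForEach-Object { ($_ -split '#', 2)[0].Trim() } |   # drop everything after '#'
    Where-Object { $_ -ne '' }
if ($activeHosts) {
    Write-Warning "$HostsFile has $($activeHosts.Count) active entries:"
    $activeHosts | ForEach-Object { "    $_" }
} else {
    "${HostsFile}: no active entries (default state)"
}
"hosts last modified: $((Get-Item $HostsFile).LastWriteTime)"   # a recent write is worth explaining even if the content looks default

# 3. Identify the file without uploading it. The SHA-256 can be searched on
#    VirusTotal to find the report for that exact build, and compared with the
#    hash of the artifact on the release page.
if (Test-Path $PatExe) {
    Get-FileHash -Algorithm SHA256 $PatExe | Select-Object Hash, Path
    (Get-AuthenticodeSignature $PatExe).Status   # NotSigned is expected for an unsigned Go build; it also means no SmartScreen reputation
} else {
    Write-Warning "$PatExe is gone, presumably quarantined; restore it only after the detection name and hash check out."
    # To list and restore quarantined items:
    #   & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
    #   & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -Name <DetectionName>
}
```

Get-MpThreatDetection records only the numeric ThreatID, so the join against Get-MpThreat in step 1 is what turns it into the "SettingsModifier:..." string a submission form wants. In step 2 an empty result means the file is in its shipped state regardless of what the detection name suggests; in step 3, searching VirusTotal by hash rather than uploading avoids sharing a file you are unsure about, and a hash that differs from the release page's artifact is a far more interesting finding than the Defender verdict itself.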

Corey Minyard

Sep 16, 2025, 4:01:23 PM
to pat-users
I was able to unzip this and run it without any issue on current Windows 11.

-corey - AE5KM

Scott Currie

Sep 16, 2025, 4:01:27 PM
to pat-users
Installing on an up to date Win10 system does not trigger any response from Defender. The system that complained is running Win11 Pro.
I'll try other systems....

-Scott, NS7C

Scott Currie

Sep 16, 2025, 4:01:31 PM
to pat-users
I have never modified the hosts file on this system, and looking at it just now, it shows the default example comments. There are no new entries.
I'll try running on a different system and see what happens.

-Scott, NS7C


LA5NTA

Sep 18, 2025, 4:19:30 AM
to pat-users
Thanks for all the help :)

Since we are unable to reproduce on other systems (including Corey's Windows 11 machine) and you see no evidence the hosts file was modified, I'm going to assume this was a false positive.

I've run the windows binary through lots of scanners, and not a single one has detected any threats/vulnerabilities.

This all got me thinking about supply chain attacks, and I have now implemented Go's vulnerability scanner (govulncheck) into our CI pipeline and pre-release routine.

Thanks again!

-- 
73 de LA5NTA / Martin
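A pre-release gate of the kind Martin describes, as an added example; this is not the Pat project's actual CI, whose steps the thread does not show. It is written for pwsh 7 so the same script runs on a Linux CI runner and on a Windows machine. Assumptions: the repository is the current directory, built artifacts are under .\dist, the executables there are plain binaries plus pat.exe, and the pinned govulncheck version is whatever release you have reviewed (the value below is a placeholder assumption).

```powershell
# Added example, not the Pat project's real CI: source and binary govulncheck scans
# plus a published checksum list, as a release gate. Paths and the pinned version
# are assumptions; replace them with the ones you have reviewed.
$GovulncheckVersion = 'v1.1.4'   # assumption: pin a reviewed release, never @latest, in a supply-chain gate
$DistDir            = '.\dist'
$Govulncheck        = "golang.org/x/vuln/cmd/govulncheck@$GovulncheckVersion"

# 1. Refuse to scan a module cache that no longer matches go.sum: a tampered or
#    swapped dependency shows up here before any vulnerability database is consulted.
go mod verify
if ($LASTEXITCODE -ne 0) { throw 'go mod verify failed: module cache does not match go.sum' }

# 2. Source-level scan. govulncheck exits 0 when clean, 3 when it finds a known
#    vulnerability in code this module actually calls, and something else on a tool error.
go run $Govulncheck ./...
switch ($LASTEXITCODE) {
    0       { 'govulncheck (source): no reachable vulnerabilities' }
    3       { throw 'govulncheck (source): reachable vulnerabilities found, see output above' }
    default { throw "govulncheck (source): tool error, exit code $LASTEXITCODE" }
}

# 3. Binary-level scan of every release executable, so the file users download
#    (with the Go runtime and toolchain it was really built with) is what gets
#    checked, not just the tree at HEAD. The extension filter is an assumption
#    about the layout of .\dist: extension-less ELF/Mach-O binaries plus pat.exe.
Get-ChildItem $DistDir -File | Where-Object { $_.Extension -in @('', '.exe') } | ForEach-Object {
    go run $Govulncheck -mode binary $_.FullName
    if ($LASTEXITCODE -ne 0) { throw "govulncheck (binary): $($_.Name) flagged, exit code $LASTEXITCODE" }
}

# 4. Publish SHA-256 sums next to the artifacts, so a user whose AV quarantined
#    the file can confirm the download is byte-identical to what was scanned and
#    look the hash up on VirusTotal without uploading anything.
Get-ChildItem $DistDir -File | Where-Object { $_.Name -ne 'SHA256SUMS' } |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { '{0}  {1}' -f $_.Hash.ToLower(), (Split-Path $_.Path -Leaf) } |
    Set-Content -Path (Join-Path $DistDir 'SHA256SUMS') -Encoding ascii
'release gate passed'
```

The binary-mode scan in step 3 is the one that matters for a report like Scott's: it inspects the shipped file's embedded build information, so a vulnerable standard-library version pulled in by the toolchain on the release machine is caught even when the source scan in step 2 is clean. Step 4 is what lets the next "Defender removed it" report be answered with a hash comparison instead of guesswork.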