I made this backup program more than a year ago. It had never been detected as a threat before. This morning when it tried to do what it always does, Windows Defender quarantined it, calling it a severe threat "Trojan:Win32/Bearfoos.A!ml"
It uses two DLLs I've written myself, one of them does recursive searches and the other one read/writes files. Basically my .exe reads its config file, overwrites it if a problem occurs, then uses the loaded info to start recursive searches and then copies/compress (using 7za.exe) those files into multiple drives.
It is also Pinvoking kernel32 (GetConsoleWindow) and user32.dll (ShowWindow) since it is a console app.
I'm sure I can add it to exceptions, there is another thread about Avast about a very similar thing that suggested it. I'm just wondering why? Why now? Why Bearfoos? Why can't Windows Defender detect that I wrote that program myself? Why can't Windows Defender realize it's just copying files around my own local drives? I even added it myself to Windows Task Scheduler, how much more of a green flag does Windows Defender needs!?
I would imagine that's something most programs do, copying and reading files..
43 Answers
I would choose Ramhound's comment as the answer: "You will need to report the false positive to Microsoft, unless you report the false positive, Windows Defender will continue to detect it as malicious"
I submitted the file to Microsoft yesterday and they responded today. They have removed the detection and given me steps to purge old definitions and update to the new ones.
Thank you everyone for your input, even the ones that got downvoted. Here's a page that helped me understand why my program have been detected as a potential malware.
If you are 100% sure it is safe add it as an exclusion to Windows Defender.
6Why did this start to happen now? Likely there was a recent update to Windows Defender that caused it to change its behavior to your program. The detection of malicious software is difficult and the process is not 100% reliable. Mistakes are made. Sometimes malicious software is not detected and sometimes legitimate software is misidentified as malicious.
Windows Defender doesn't try to determine if you wrote the program and thus grant it special privileges. That would be a really bad idea. The programmers do not trust their ability to do this with sufficient reliability. If there was such a facility it would give malware another potential method to evade detection. Windows Defender doesn't have the big picture understanding of the program that you do. It can only check its files for the patterns of known malware and monitor its activity. And it does all of this with the knowledge that things may not be as they appear. Modern malware is very sophisticated and has many tricks so it will appear as something other than what it is. Malware is continually refining its methods to evade detection and security software must refine its detection methods.
Most security software has some kind of exclusion list. But even this isn't as simple as it appears. It must be very carefully managed or malicious software would simply add itself to the list. Malware authors study Windows Defender and other security products, always looking for some weakness they might exploit.
2