Why is my app being detected as a Win32/Coinminer? (False Positive)

Double Bullet 1

Hello everyone,

My XNA C# App has been detected as a Win32/Coinminer, Wacapew and a susgen. I scanned my app on totalvirus.com and the only results that come up are from MaxSecure and Microsoft. This has really been a nightmare to determine what is causing this detection and my customers have been sending in negative reviews because Windows Defender would delete the app and popup saying that it is a coinminer or trojan. I can't replicate the issues on my machines although I have PUA defense and Windows Defender Security on. The detections are very random and can happen to everyone at anytime without notice. I would have to build my app in Visual Studio 2017 many times and upload it on totalvirus. I've seen other developers online having issue's with Windows Defender detecting that their simple program is a wacapew, but not with coinminer. I have sent in my app .exe to be checked by Microsoft Security teams as a false positive. I wait for a bit and I get a response back saying that the detections have been removed but then a week later the detection would be back. I have no idea what's causing this and I would love for someone from the Windows Security Team to help me out on this.

This situation must be resolved as soon as possible because I'm getting constant negative reviews from untrusting customers claiming that I'm exploiting their computers to coinmine. It is outrageous for me but it's very hard to explain to my customers that I'm telling the truth and I'm trying the best I can to figure this out.

I don't want to sign my application because that can be very costly for a small app that I have.

All help would be appreciated!

Lex Li (Microsoft) 4,742 Reputation points Microsoft Employee

2021-07-24T03:23:09.347+00:00

Report false positives to those antivirus vendors, so that they can put your software in allowed lists. Or earn reputation by distributing it to a large audience (many open source software follows that). You won't be able to go any other way if you don't want to sign the executable. "I would love for someone from the Windows Security Team to help me out on this" and then you should open a support case via http://support.microsoft.com. That usually costs you more than buying a code sign certificate.
Double Bullet 1 Reputation point

2021-07-26T18:53:30.093+00:00

Would code signing the executable get rid of any detections from Windows Defender or is that not how that works? I don't want to purchase a $400 code signing certificate if it won't solve my problem.

If it will help with my problem, which code signing company would you recommend?
Brian Hoxie 1 Reputation point

2021-10-18T22:31:51.187+00:00

I'm having the same exact issue. I submitted it to Microsoft several times and they didn't update in Windows Defender. No other antivirus does this and when I add checks for trojans, it works fine. Apparently PAU and virus are two different things?

Very frustrating.
Double Bullet 1 Reputation point

2022-09-19T15:23:47.49+00:00

Oh wow so I'm not alone. Did you ever find a fix for this random detection?
Brian Hoxie 1 Reputation point

2024-01-14T17:14:25.7633333+00:00

I know it's been a few years since we had this issue but wanted to follow up on some progress (I hope!). I went through a particular tough time with false positives the past few months where every new compile would trigger the issue. Then they added my installer and binary zip package to the detections and it was very frustrating. I would submit the request through their online submission site: https://www.microsoft.com/en-us/wdsi/filesubmission/ and get it whitelisted, but it took several weeks to get things cleared. I do updates randomly for my app and that's just not practical as it's opensource freeware for a video game. Additionally, VirusTotal showed 5 different companies, including Google (couldn't email in my app to other companies through Gmail even), flagging my software. This was becoming more of an issue now I needed to figure out. Following this, I looked into options and one thing I explored was getting an open source certificate to sign my code. From what I read this was a good way to earn reputation and then virus scanners would lower the risk for the app. I bought the open source certificate from Certum and going through the process I ended up deciding not to sign my app for privacy reasons (your name and city is required so everyone that has your software knows that). While not a huge issue, I still felt uncomfortable sharing that right now for several reasons. Now back to square one, I looked at my application for anything I could get rid of in my 3rd party libraries. I had several and honestly it was becoming cumbersome to keep up with them. So I removed everything I could and after reach, compiled and ran it through VirusTotal to see what it returned. One library I was using but no longer really needed was a Google Analytics tracker. It was a simple way to see how many people use my app and nothing else. I commented out the update and removed the library but it still flagged as suspect. Then I remembered I was reading the MAC address to create a unique identifier for the user. I deleted that code, removed the GA Library and then boom - no flags. I've been uploading my app and msi installer to Microsoft without any flags. Additionally, Google (who I've never been able to find a whitelist submission process for) no longer flags it either. Success!...?!?!? I hope but I'm sharing my journey with this if it helps others since I know how frustrating it is. Note, I also submitted a petition to review my application after re-scanning and they sent me this link that may be helpful. Good luck! https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/