SCRCPY 3.1 Detecting a Trojan when extracting a zip file. False Positive?

SCRCPY is a solid screen mirroring tool that has been around for a long time and has never had any known security issues, so the Trojan:Script/Wacatac.H!ml message from Windows Defender is concerning to see. But is it actually a Trojan, or is it a false positive? It's a complicated situation, one that we'll explain here, but you can rest assured you don't have anything to worry about.


This is confirmed to be a false positive, meaning Windows Defender mistakenly identifies the file as malicious. This isn't uncommon, as new programs, tools and updates quite often trigger Windows Defender. Below are some of the reasons.

SCRCPY 3.1 False Positive for a Trojan

For whatever strange reason, only the win64 version of SCRCPY 3.1 causes Windows Defender to flag a Trojan. If you download the win32 version, Windows Defender will not trigger the Trojan warning, which is quite odd considering there isn't all that much difference between the two versions. Interestingly, if you choose to "Allow on device" for the threat, proceed to extract the contents of the zip, then remove the "Allow on device" exception and scan the contents of the extracted folder, no threat is detected. Also, if you check the file online it will not detect any threat. Here's an example.

How to Fix SCRCPY 3.1 False Positive for a Trojan?

While the developer of SCRCPY has already submitted his software to Microsoft's file submission system for evaluation and clearance, it appears that manually updating Windows Defender, and Windows in general, should solve the problem, as the updated definitions don't seem to flag SCRCPY 3.1 as a Trojan.

After Windows and Defender have been updated you shouldn't get this false flag warning again. However, if you do, you can just ignore it and make an exception for SCRCPY to continue using it. Alternatively, you could use the win32 version for a while, or just stick with version 3.0 until the problem has been fixed.
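As an added example (not part of the original post, nor scrcpy's own tooling), here is a PowerShell check that applies the fix above: it records the SHA-256 of the downloaded zip so you can compare it with what you look up online, updates the Defender definitions, re-scans only the extracted folder, and reports whether Defender still records a detection for it. The zip filename and extraction folder are assumptions; adjust them to your own paths.

```powershell
# Added example, not from the original post. Paths below are assumptions:
# change them to wherever you saved and extracted the scrcpy zip.
param(
    [string]$ZipPath     = "$env:USERPROFILE\Downloads\scrcpy-win64-v3.1.zip",
    [string]$ExtractPath = "$env:USERPROFILE\Tools\scrcpy-win64-v3.1"
)

# 1. Hash of the archive, to compare against the checksum you check online
$hash = Get-FileHash -Path $ZipPath -Algorithm SHA256
Write-Host "SHA256 of $($hash.Path):`n  $($hash.Hash)"

# 2. Pull the latest definitions and show which signature version is now active
Update-MpSignature
$status = Get-MpComputerStatus
Write-Host ("Signature version {0} (updated {1})" -f `
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)

# 3. Scan just the extracted folder with the updated definitions
Start-MpScan -ScanType CustomScan -ScanPath $ExtractPath

# 4. Report any detection whose resources point into that folder
$hits = Get-MpThreatDetection | Where-Object {
    $_.Resources -match [regex]::Escape($ExtractPath)
}
if ($hits) {
    foreach ($h in $hits) {
        $threat = Get-MpThreat -ThreatID $h.ThreatID
        Write-Host ("{0}: {1}" -f $threat.ThreatName, ($h.Resources -join ', '))
    }
} else {
    Write-Host "No detections recorded for $ExtractPath"
}
```

Run it from an elevated PowerShell prompt, since Update-MpSignature and Start-MpScan need administrator rights.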
