Wijmo Files Flagged as False Positive Trojan in Windows Defender
A few weeks ago we heard from many of you that a few of the files in our distribution were being flagged as trojan viruses by Windows Defender. Before we go any further, this was a false positive in Windows Defender and Wijmo files were never corrupt. Nevertheless, that is a scary thing to see and it put us in a very difficult position. So, thank you all for the patience and trust as we resolved the issue.
The Problem
When scanning a Windows PC, Windows Defender would find a few of Wijmo's files and mark them as TrojanJS/Jorv.A!cl. Here is the full list of files that were flagged:
NpmImages\\wijmo-amd-min\\wijmo.grid.pdf.js
NpmImages\\wijmo-amd-min\\wijmo.grid.xlsx.js
NpmImages\\wijmo-amd-min\\wijmo.pdf.js
NpmImages\\wijmo-commonjs-min\\wijmo.grid.pdf.js
NpmImages\\wijmo-commonjs-min\\wijmo.pdf.js
NpmImages\\wijmo-commonjs-min\\wijmo.xlsx.js
NpmImages\\wijmo-system-min\\wijmo.grid.pdf.js
NpmImages\\wijmo-system-min\\wijmo.grid.xlsx.js
NpmImages\\wijmo-system-min\\wijmo.pdf.js
NpmImages\\wijmo-system-min\\wijmo.xlsx.js
Why were these files flagged? We don't know for certain, but we suspect they were flagged for a couple of reasons:
- They included pdf and xlsx (both common file extensions used in malware) in the name
- They are all JavaScript module formats that load external dependencies (possibly flagged as script injection)
One frustration with Defender is that we could not get more concrete information about what exactly was flagging within our code. So we had no idea what was causing the problem other than our own suspicions. It would be great for us to have more details when something is flagged. But I imagine Microsoft does not expose this information so that malicious software developers can't exploit it so easily.
The Solution
The first thing we did was confirm that Windows Defender was flagging the files. Then we immediately confirmed that the files were not corrupt. The next step was to report the problem to Microsoft. We submitted all of the flagged files through the Malware Protection Center. The submission process is easy. The analysis process was very fast and we received what seemed to be an automated message rather quickly confirming that the files we reported were indeed [Not Malware]. We got instructions telling us that the latest Defender definitions should exclude these files from being flagged. We were also given a link to download prerelease versions of the definitions to test for ourselves.
So the good news is that the process was easy and fast. The bad news is that, unfortunately, the files were still being flagged by Windows Defender on some machines (even after updating the definitions). At this point, we weren't sure that the problem was going to be fixed by Microsoft, so we started testing some changes to our code to see if we could get rid of the problem from our side. We had mixed results and did not find a complete solution.
During this time, we kept submitting files and information to Microsoft to help pinpoint the issue. Finally, we got an update from Microsoft that cleaned up all of the flagged files but a single one. After that, we were able to submit the last file and Microsoft quickly fixed that false positive flag as well.
Conclusion
This has been a trying process for our team. We felt terrible for our customers because our own product was in a sense being held hostage by security software. It is hard to handle threats like this when they are out of your hands and you don't have much information to go on. Thankfully, Microsoft makes it easy to submit issues like this. It just takes a lot of patience and persistence to get the false positive flag removed. Once Microsoft applies the fix, they are also very fast at delivering it to Windows users. Sorry to everyone that this has impacted and thanks again for the patience.
-The Wijmo Team