
v2.2.1 — Anti-Defender FP hotfix


@Delido Delido released this 15 Jun 07:54
· 20 commits to main since this release

Windows Defender stopped flagging this build

Trojan:Win32/Wacatac.C!ml on every fresh install of v2.2.0 was a classic PyInstaller ML false-positive driven by two structural signals. v2.2.1 attacks both:

Install location → C:\Program Files\SignalRGBWallpaper

Pre-2.2.1 installed per-user into %LOCALAPPDATA%\Programs\…. That path is the classic "unsigned EXE in a user-writable persistence location" malware pattern — Defender's ML weights it heavily. Discord / Slack / Chrome get away with the same per-user path because they're signed; until we have a code-signing cert, moving to Program Files (admin-only ACL) cuts the FP score sharply.

Trade-off: UAC prompt on install + update. Per-user data (%LOCALAPPDATA%\SignalRGBWallpaper\) is unchanged.

The installer wipes the legacy install automatically:

  • Stops the running SignalRGBBridge.exe from %LOCALAPPDATA%\Programs
  • Deletes the legacy install directory
  • Deletes the per-user Start-Menu folder (+ the early-2.2.1 %PROGRAMDATA% one)
  • Removes the legacy HKCU Uninstall\…_is1 registry entry
  • Rewrites the HKCU Run\SignalRGBWallpaperBridge autostart with the new path

SignalRGBBridge.exe: 5.9 MB → 0.56 MB

PyInstaller was packing the application bytecode into a zlib-compressed PYZ archive and appending it to the EXE. The result was a tiny bootloader followed by ~5 MB of high-entropy compressed data — textbook crypter / packer signature, exactly what Defender's ML scores as a Wacatac-class loader.

PyInstaller's -d noarchive option keeps the bytecode as individual .pyc files inside _internal/ instead. The EXE shrinks to a 0.56 MB pure bootloader; no high-entropy blob lives inside it. --noupx is added defensively for future build environments.
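To make the "small bootloader followed by a large high-entropy blob" signal concrete, here is an added triage script (my own example, not code from the SignalRGBWallpaper project or from PyInstaller). It measures chunk-wise Shannon entropy over a file image and reports how much high-entropy data trails the file, which is what a onefile build with an appended compressed archive looks like. The two "executables" are constructed in memory: a low-entropy stand-in for a bootloader, optionally followed by a zlib-compressed blob standing in for the PYZ archive. Function names, the 4 KiB chunk size and the 7.2 bits/byte and 1 MiB thresholds are my assumptions, not values taken from Defender.

```python
"""
Added example: a defender-side entropy profile of a file image, used to
illustrate why a bootloader + appended compressed archive trips packer
heuristics. Not part of the SignalRGBWallpaper project. All names,
thresholds and sample data below are constructed for illustration.
"""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(blob: bytes, chunk: int = 4096, threshold: float = 7.2) -> dict:
    """Chunk-wise entropy summary of a file image.

    The final partial chunk is merged into the previous one so a short tail
    (whose entropy is bounded by log2(len)) cannot mask a high-entropy run.
    Returns total size, chunk count, the fraction of chunks at or above
    `threshold` bits/byte, and the byte length of the trailing run of
    high-entropy chunks (an appended compressed archive shows up there).
    """
    n_full = len(blob) // chunk
    chunks = [blob[i * chunk:(i + 1) * chunk] for i in range(n_full)] or [blob]
    if n_full and len(blob) % chunk:
        chunks[-1] += blob[n_full * chunk:]
    high = [shannon_entropy(c) >= threshold for c in chunks]
    tail = 0  # number of trailing chunks that are high-entropy
    for flag in reversed(high):
        if not flag:
            break
        tail += 1
    return {
        "size": len(blob),
        "chunks": len(chunks),
        "high_fraction": sum(high) / len(chunks),
        "trailing_high_bytes": sum(len(c) for c in chunks[len(chunks) - tail:]) if tail else 0,
    }


def looks_like_packed_onefile(profile: dict, min_tail: int = 1 << 20,
                              min_fraction: float = 0.5) -> bool:
    """Assumed heuristic: >= 1 MiB of trailing high-entropy data making up most of the file."""
    return profile["trailing_high_bytes"] >= min_tail and profile["high_fraction"] >= min_fraction


# --- constructed samples (not real binaries) ---
def _fake_bootloader(size: int = 64 * 1024) -> bytes:
    """Low-entropy stand-in for a bootloader: header-like bytes plus repetitive code-like text."""
    body = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"push ebp; mov ebp, esp; call bootstrap; ret\n" * 4096
    return body[:size].ljust(size, b"\x00")


def _fake_pyz(n_funcs: int = 300_000) -> bytes:
    """Stand-in for the PYZ archive: structured source that zlib turns into a high-entropy blob.

    A seeded 32-bit token per line guarantees the compressed output stays
    above 1 MiB, since deflate cannot compress below the data's entropy.
    """
    rng = random.Random(0)  # seeded so the sample is reproducible
    lines = [b"def f%d(x):  # %08x\n    return x * %d + %d\n"
             % (i, rng.getrandbits(32), i % 97, i % 13) for i in range(n_funcs)]
    return zlib.compress(b"".join(lines))


def build_samples() -> dict:
    stub = _fake_bootloader()
    return {
        "onefile_like": stub + _fake_pyz(),  # v2.2.0-style layout: bootloader + appended archive
        "noarchive_like": stub,              # v2.2.1-style layout: bootloader only, .pyc files live on disk
    }


if __name__ == "__main__":
    for name, image in build_samples().items():
        p = entropy_profile(image)
        print(f"{name}: {p['size'] / 1e6:.2f} MB, high-entropy chunks {p['high_fraction']:.0%}, "
              f"trailing high-entropy bytes {p['trailing_high_bytes']}, "
              f"packed-looking={looks_like_packed_onefile(p)}")
```

Run as-is it prints the two profiles; on a real file, read it with open(path, "rb").read() and pass the bytes to entropy_profile. The point of the trailing-run measure (rather than whole-file entropy) is that it isolates exactly the structure the text describes: a signed, legitimate installer and a packed loader can have similar average entropy, but only the appended-archive layout puts all of its high-entropy bytes at the end, which is why moving the bytecode into _internal/ changes the score.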

winget

The published manifest now declares Scope: machine. winget upgrade Delido.SignalRGBWallpaper works against v2.2.0 user-scope installs and migrates them to the new machine-scope location via the installer's built-in migration code.

Known UX regression

The tray's silent auto-update flow now triggers a UAC consent dialog mid-install. Accept the prompt to let the update proceed — Inno then installs unattended. No way around this short of code-signing + EV trust reputation.