Windows Defender Severe

[discotimetraveler]

Hello, thank you for this tool. I am using it right now to type this message on my OneXPlayer. Its a significant improvement. But during installation my Windows Defender triggered a severe warning for TapTipProxy. I allowed the script to finish and did not "remediate" the warning. When I then went back to Defender it told me the active app protection was disabled and I had to turn it back on. Now when I look at the alert it tells me the remediation failed and the app is dangerous and executes commands from an attacker.

Your documentation doesn't mention any of this. Which is concerning for me. If for some reason this app is doing something Defender does not like but is legitimate I would expect that to be called out in the documentation.

What's going on here? Is this app in fact safe and why does this alert have to occur if it is?

Thanks

[Lulech23]

As is written in the intro text:

Replacing the OSK may trigger a Windows Security event. This is normal and should be resolved by Windows automatically.

The reason is purely because Windows recognizes a change has been made to a file in the Windows system. I have submitted TabTipProxy.exe to Microsoft's Defender database personally and they found no issues, so any flags should be automatically resolved.

[discotimetraveler]

I took that part of the documentation to refer to the initial UAC prompt. I did see that the TabTip section of the documentation does indicate it should avoid Windows detecting it as a virus threat, but it does. Maybe that should be updated. Regardless, I trust the app is safe. Thanks for the response.

[nmeier]

old thread - my experience is that my Crowd Strike malware detection finds the executable and deletes it. This is even in case if the executable is built myself through command line. VBA as input to the executable gets flagged somehow and I cannot get the the ttp executable to survive.

[Lulech23]

Not sure, but since I submitted the precompiled TTP for AV whitelisting, it's possible you might have better luck downloading that one. Even though it should have the exact same signature as a locally compiled one, AV heuristics might be picking up on something else, or just blanket flagging anything that executes commands invisibly.

Most AV software allows adding exclusions, so you should be able to go that route if nothing else.