[GH-ISSUE #223] winagent-v1.1.11.exe blocked by Windows Defender #2085

Closed
opened 2026-03-14 02:24:52 +03:00 by kerem · 3 comments

Originally created by @Get-ThingsRubenMade on GitHub (Dec 27, 2020).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/223

Installation through the custom .exe and through PowerShell script resulted in Windows Defender acting up.

Full info from Protection History:

Detected: Trojan:Win32/CryptInject!ml
Status: Removed
A threat or app was removed from this device.

Date: 26/12/2020 18:16
Details: This program is dangerous and executes commands from an attacker.

Affected items:
file: C:\Users\%localuser%\AppData\Local\Temp\winagent-v1.1.11.exe

OS information as follows:

Edition Windows 10 Enterprise
Version 20H2
Installed on 17/11/2020
OS build 19042.685
Experience Windows Feature Experience Pack 120.2212.551.0

Windows defender information:

Antimalware Client Version: 4.18.2011.6
Engine Version: 1.1.17700.4
Antivirus Version: 1.329.1155.0
Antispyware Version: 1.329.1155.0

Probably a false positive, but would like to be able to get some remote installations done without triggering a security warning on those remote systems...

Any suggestions on how to go about this?

kerem closed this issue 2026-03-14 02:24:57 +03:00

@dinger1986 commented on GitHub (Dec 27, 2020):

Check out the discord channel.

This unfortunately is a regular issue because essentially any RMM is a Trojan. I know the developers have this in hand and are looking into code signing, feel free to donate to this project to help with this part as it's a fairly expensive yearly charge.

If you check out the discord channel I have written a script to update tactical rmm and add in exclusions. The developers have also suggested what folders need to be excluded to do updates/installs.


@Get-ThingsRubenMade commented on GitHub (Dec 28, 2020):

```powershell
# EXAMPLE: Install-TacticalAgent.ps1 -deployment_uri https://api.example.com/clients/custom-token/deployment
param ([Parameter(Mandatory = $true)][string]$deployment_uri)

# Make cmdlet errors terminating so the try/catch blocks below actually catch them
$ErrorActionPreference = 'Stop'

$temp_path = "$env:TEMP\trmm"
$agent_path = 'C:\Program Files\TacticalAgent'
# Both the download folder and the install folder must be excluded, otherwise
# Defender quarantines the installer and later the agent binaries
$exclusions = $temp_path, $agent_path

Write-Output 'TacticalAgent installation process started'
Write-Output 'testing temp folder'
if (!(Test-Path $temp_path)) {
    Write-Output 'temp folder not present yet, creating it now'
    # $temp_path already ends in \trmm, so no extra -Name 'trmm' child folder is needed
    try { New-Item -ItemType Directory -Path $temp_path -Force | Out-Null } catch { Write-Output 'failed creating temp folder'; exit 1 }
}
else { Write-Output 'temp folder already present' }
foreach ($exclusion in $exclusions) {
    Write-Output "setting defender exclusion: $exclusion"
    # Set-MpPreference needs an elevated session; abort the whole install on failure
    # (a plain 'break' here would only leave the loop and carry on with the download)
    try { Set-MpPreference -ExclusionPath $exclusion } catch { Write-Output "failed setting defender exclusion: $exclusion"; exit 1 }
}
Write-Output 'downloading tacticalagent installer'
try { Invoke-WebRequest -Uri $deployment_uri -OutFile "$temp_path\tactical.exe" } catch { Write-Output 'failed downloading the installer'; exit 1 }
$installer = Get-ChildItem $temp_path | Where-Object { $_.Name -match 'tactical' -and $_.Extension -eq '.exe' }
if ($null -ne $installer) {
    Write-Output 'setup file downloaded, launching setup'
    Start-Process $installer.FullName -ArgumentList '-silent' -Wait
}
else { Write-Output 'failed to locate the TacticalAgent setup'; exit 1 }
Write-Output 'cleaning up leftovers'
Remove-Item $temp_path -Recurse -Force
```

With some pointers in discord, I've managed to solve it for me personally with the above PowerShell snippet.
Figured someone else might get some use out of it~

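As an added example (not part of this issue or of the Tactical RMM project), a follow-up step a practitioner would want around the install script above: confirm the exclusions are really active, verify the downloaded installer against a published hash before launching it from an excluded folder, and drop the temp-folder exclusion again once setup is done. It assumes the same `$temp_path`, `$agent_path` and `tactical.exe` names as the script, and `$expected_sha256` is a placeholder for the hash published with the release.

```powershell
# Added example: verify, install, then scope the Defender exclusions back down.
# Assumes the script above has already set the exclusions and downloaded the
# installer to $temp_path\tactical.exe. $expected_sha256 is a placeholder.
param (
    [string]$temp_path = "$env:TEMP\trmm",
    [string]$agent_path = 'C:\Program Files\TacticalAgent',
    [string]$expected_sha256 = 'REPLACE-WITH-PUBLISHED-SHA256'
)
$ErrorActionPreference = 'Stop'
$installer = Join-Path $temp_path 'tactical.exe'

# 1. Confirm the exclusions the script set are actually in place before relying on them.
$active = (Get-MpPreference).ExclusionPath
foreach ($p in $temp_path, $agent_path) {
    if ($active -notcontains $p) { Write-Output "exclusion missing: $p"; exit 1 }
}

# 2. Never launch an unverified binary from an excluded folder: compare its
#    SHA-256 with the value published for the release.
$actual = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
if ($actual -ne $expected_sha256.ToUpperInvariant()) {
    Write-Output "hash mismatch for $installer (got $actual)"
    Remove-Item $installer -Force
    exit 1
}

# 3. Report the Authenticode state. An unsigned agent is expected for now (the
#    thread notes code signing is still being worked on), a broken signature is not.
$sig = Get-AuthenticodeSignature -FilePath $installer
Write-Output "signature status: $($sig.Status)"
if ($sig.Status -notin 'Valid', 'NotSigned') { exit 1 }

# 4. Install, then remove the temp-folder exclusion: a standing exclusion on a
#    user-writable %TEMP% path is a scanning blind spot long after setup is over.
#    The $agent_path exclusion stays, since the agent binaries live there.
Start-Process $installer -ArgumentList '-silent' -Wait
Remove-MpPreference -ExclusionPath $temp_path
Remove-Item $temp_path -Recurse -Force
Write-Output 'installer verified, agent installed, temp exclusion removed'
```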

@dinger1986 commented on GitHub (Dec 28, 2020):

You should post that back on GitHub in scripts
