Windows Defender detects Trojan in silverbullet.exe

Hi,

I just (2025-09-09 12:25 CET) downloaded the recent silverbullet.exe from GitHub and Microsoft Defender gave a severe warning, as it found a trojan “Trojan:Script/Wacatac.H!ml”.

The last downloaded file from 2025-09-01 had no warning.

Does anyone have the same problem?

Is it a false alarm?

Thanks :slight_smile:

Best regards
Nico

Errrr, whut? I have no idea what to do about something like this. You’re downloading edge builds I assume?

Yes, this was my Download-Link:
http://github.com/silverbulletmd/silverbullet/releases/download/edge/silverbullet-server-windows-x86_64.zip

Very strange, indeed. To be honest, I don’t really believe this is a real finding. But I have to be sure, as I want to use SilverBullet on my work PC as well (which is a Windows client).

My private installation is running Linux.

Unless Deno itself was somehow trojan’ed, this should be a false alarm.

OK, I just downloaded today’s edge release and Defender kept quiet :wink:
So I think it was a false alarm…

1 Like

This happened to me today too after upgrading to 2.1.6

Windows Defender silently deleted all my silverbullet.exe files.

I had several copies for different versions:

  • silverbullet.exe - current version
  • silverbullet_v2.1.3.exe
  • silverbullet_v2.1.5.exe
  • silverbullet_old.exe - (0.10.x)

Only silverbullet_old.exe stayed intact (for now).
I just want to mention that I have a company-managed device, so I cannot whitelist or modify Windows Defender settings, or disable it altogether #SoSad

I don’t know if it’s a false alarm, or if “silverbullet” somehow got caught in Windows Defender’s registries as malicious :man_shrugging:

Also, when trying to manually download the Windows binary, Chrome says:

Nope! Virus found


Happened to me after an almost 95% migration from 0.10.x to 2.x.x

I’m trying to trick it by unzipping (my 2.1.5 version zip) and renaming silverbullet.exe to notes.exe.
For now (10 minutes) it’s working. Let’s hope it stays so. But it’s pretty weird.

Has anyone else had any issues with Windows Defender quarantining, deleting or messing with their SilverBullet instance?

2 Likes

I hoped that the Go rewrite would also fix some of these issues. Perhaps these binaries need to be somehow signed. I’m not a Windows user myself. I only have an old Windows 10 VM somewhere. If anybody has expertise on this topic I’d be all ears.

I am also a Mac/Linux user myself. I only have Windblows on my work PC, where I have this issue. Linux & Mac are working flawlessly.

We maybe covered this at some point, but installing SB on some centralized Linux server somewhere is not an option that you then simply connect to from Windows? Honestly that’s the intended model, I wouldn’t recommend people run SilverBullet “in production” on their local machines, Windows nor Mac.

1 Like

I had this again today, too, with some of today’s released versions :frowning:
Defender states it found a “Trojan:Win32/Bearfoos.A!ml”
And says something like “This program is dangerous. It executes commands from an attacker.”

The last version I tried that works for me is:
SilverBullet 2.1.5-041823bca468f4ed9cb62ebb9b308dea337db818

That’s very annoying :frowning: (But I do not blame anyone here, but Microsoft Defender :slight_smile: )

Unfortunately, for me it is not a solution to run this on a server somewhere.
At work I do not have access to a server where I can use that :frowning: And I’m not allowed to use private devices for that…
The only solution is maybe to install everything within WSL on my PC. I don’t know if that is practicable…

Besides the Defender problem, everything is working like a charm, so I see nothing against the approach of running it locally. I even found a solution to get rid of the Windows command window and run SilverBullet in the background.

Of course, in my private environment I run it the preferred way via virtual machines and without any Microsoft involved :slight_smile:

I’m running my personal instance with my non-work-related notes on my homelab inside an LXC container on Proxmox. And I tunnel into it using either Twingate or WireGuard when I’m away from home. This is working fine for me personally, and I have had a great experience running it like that.

And I was running a Windows (exe) instance locally on my work computer for work-related notes, so that nothing leaves the “work” environment; not that I have so many secrets, but that’s the company policy. I ran silverbullet.exe as a Windows service in the background. This construct worked for almost a year until this malware/trojan/virus thingy happened. I don’t know if this is an unhappy coincidence or not, but it started with v2.1.x.

I’m running a complete full Windows Defender scan on the computer. I dunno if it will find something. But what are the chances that the compiler is infected and produces a trojan-injected Windows executable? I’m not a dev, so maybe my question sounds stupid. But could that be technically possible?

Just wanted to confirm that 2.1.7 … 2.1.9 is now running fine & clean without any warnings.
It must have been a possible false positive with 2.1.6.

1 Like

I’ve not read the full thread, but I saw something lately about Go binaries that execute shell commands being flagged. I can’t find it anymore, but this would make sense to me, i.e. the shell API causing problems here.

2 Likes

Indeed, that must be it. A quick search gave me these results of older articles, but the issue maybe reappears in waves:

It makes sense now. Thanks for the clarification.

1 Like

Don’t know if this has anything to do with it, but searching “silverbullet” on YouTube shows it’s also the name of a dubious “cracking” tool, so that could also explain why the name is triggering this.

Yeah. When we were still on Discord we constantly had people join asking for support on that tool.

2 Likes

The latest binary (v2.2.1) triggers Windows Defender with a “Trojan:Win32/Bearfoos.A!ml” quarantine.

lol again? just ignore it.

I noticed that it usually happens when you update to edge within a couple of minutes/hours of release. If you wait until the next day, you can update without issues and it won’t be flagged as a trojan.

“lol”? Don’t be so condescending.

  1. Yes, I understand the concept of a false positive. I was merely reporting that it exists and that those who think it has gone away with a certain previous release might be mistaken.
  2. It was not an “edge” release but a stable one.

I think @Mr.Red missed some appropriate punctuation there: “LOL, again!?” He’s laughing at the fact that Windows Defender seems to quasi-randomly detect trojans even though there’s nothing there, so we keep being surprised. He’s not laughing at you, he’s laughing at the randomness.

To be honest, I’m not really sure how Windows Defender works or what to do about this issue. SilverBullet releases are built using official Go compiler builds, so I really do not know what could be going on here. And as mentioned, these warnings also seem to disappear as randomly as they appear.

1 Like