Hoppa till innehåll

False Positives

Det här innehållet är inte tillgängligt på ditt språk än.

Tauri is safe!

You can go through all of Tauri’s source code and all its dependencies if you like. Tauri gets audited periodically by a third party entity that ensures Tauri is perfectly safe. There are no trojans added by Tauri or its dependencies.

What is a false positive?

A false positive is when your antivirus tells you something is a virus when it’s not.

Your computer knows if the file came from the internet

When you download a file through your browser your computer adds some information to the file regarding where it came from. When your antivirus scans the file it sees that metadata and effectively puts on its tin foil hat and does some extra strict scanning of it. That’s why a file can be scanned on your own computer as not being a virus, but when sent to your users over the internet they get a virus warning, despite the file having the exact same contents.

To check if this is what’s causing the issue you can run these commands on the users device in order to remove the metadata on the file. This is not a solution to the issue and you can’t add it to CI/CD to fix things, but it can be part of debugging whether it’s a false positive.

# Windows
attrib -r <filename>:Zone.Identifier
# MacOS
xattr -d com.apple.quarantine <filename>

How can I be sure it’s not a virus?

Send your file to VirusTotal and check which antiviruses are telling you it’s a virus. False positives are essentially when the bad providers are triggering but the good ones do not. Once the scan finishes check for providers like Symantec Norton and ESET, they are two of the biggest and most reliable antiviruses, if they say it’s not a virus it’s pretty much guaranteed not to be one. The fact Windows Defender says it’s a virus is really annoying but it doesn’t prove anything because it’s simply not sophisticated enough to reliably determine if something is a virus.

Could it be a trojan?

Yes. Not from Tauri, but it could be a true positive. Don’t trust your NPM and Cargo dependencies implicitly, they are not just capable of infecting your app, but can even infect your computer if you’re not careful. If what you have is an actual virus then it wasn’t given to you by anything Tauri made, it’ll be from a malicious dependency you’ve added to your project.

What can I do to fix it?

Using the .msi installer has been reported to raise fewer false positives than that .exe installer. It still raises warnings, just not as much. So that might be a first step to try. Other than that, the only reliable way to get rid of the issue is to sign your application and submit it to antivirus providers for further testing.

Sometimes just rebuilding the app a couple times can also make Windows Defender stop flagging it as a virus, it’s the weirdest thing.

Other than that there’s not much you can do. It’s an upstream issue with the projects Tauri uses, so there’s not much Tauri can do about it either. What you can remember with this is that it’s not an issue with Tauri per se, it’s an issue with the installer projects used, you’re gonna face these sorts of issues regardless of what other app framework you look at.

Check out the NSIS information on the subject here: NSIS False Positives

Ad-hoc signing for MacOS

If you are facing false positive issues on a Mac you can use something called ad-hoc signing on your app to get around the need for a paid certificate from Apple. Do note that this certificate doesn’t come with the same security guarantees for your users and doesn’t allow you to submit your app to the AppStore, but for any project that you distribute yourself that you just want people to be able to install and use as-is without the fancy signing security benefits, you can instead opt for ad-hoc signing, which is more of a developer tool that gets rid of the warning from the OS.

codesign -s - /path/to/YourApp.app

There’s no option currently in tauri-action or Tauri in general to use this sort of signing.