[BUG] Windows Defender flags Claude.msix installer as Trojan:Script/Wacatac.H!ml (false positive)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
As the regular Windows install for Claude fails due to the developer mode setting, we have to use the MSIX per https://support.claude.com/en/articles/12622703-deploy-claude-desktop-for-windows
When downloading the Claude Desktop installer for Windows from the official release URL, Microsoft Defender triggers a Severe threat alert and automatically removes the file before it can be executed. The installer is flagged as Trojan:Script/Wacatac.H!ml.
This is believed to be a false positive, as the file was downloaded directly from downloads.claude.ai. Installation is completely blocked on affected machines until the AV vendor updates its definitions or Anthropic adjusts the signing/packaging.
Suggested resolution
Submit the Claude.msix binary to Microsoft for false positive review at security.microsoft.com.
Verify the code signing certificate on the MSIX is valid and trusted by Windows.
Confirm the build pipeline has not been compromised (supply chain integrity).
What Should Happen?
Expected behavior
The installer should download and run without triggering antivirus alerts. The MSIX package should be properly signed and recognized as safe by Microsoft Defender.
Error Messages/Logs
Alert details
Detected Trojan:Script/Wacatac.H!ml
Severity Severe
Status Removed (quarantined automatically)
Defender message This program is dangerous and executes commands from an attacker.
Source URL https://downloads.claude.ai/releases/win32/x64/1.1.7714/Claude-3bd6f69326a0abac98bb269c29140e2a543cad64.msix
Affected file %USERPROFILE%\Downloads\Claude.msix
Environment
OS Windows (win32/x64)
Claude version 1.1.7714
AV / EDR Microsoft Defender (Windows Security)
Steps to Reproduce
Steps to reproduce
Navigate to the Claude Desktop download page or use the direct release URL.
Download Claude.msix to a Windows machine with Microsoft Defender active.
Observe Defender for Endpoint P2 (enterprise environments) immediately quarantine and remove the file.
Claude Model
None
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
1.1.7714
Platform
Other
Operating System
Windows
Terminal/Shell
Non-interactive/CI environment
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗