[BUG] Windows Defender flags Claude.msix installer as Trojan:Script/Wacatac.H!ml (false positive)

Resolved 💬 2 comments Opened Mar 20, 2026 by thomasjsweet Closed Mar 23, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

As the regular Windows install for Claude fails due to the developer mode setting, we have to use the MSIX per https://support.claude.com/en/articles/12622703-deploy-claude-desktop-for-windows

When downloading the Claude Desktop installer for Windows from the official release URL, Microsoft Defender triggers a Severe threat alert and automatically removes the file before it can be executed. The installer is flagged as Trojan:Script/Wacatac.H!ml.

This is believed to be a false positive, as the file was downloaded directly from downloads.claude.ai. Installation is completely blocked on affected machines until the AV vendor updates its definitions or Anthropic adjusts the signing/packaging.

Suggested resolution

Submit the Claude.msix binary to Microsoft for false positive review at security.microsoft.com.
Verify the code signing certificate on the MSIX is valid and trusted by Windows.
Confirm the build pipeline has not been compromised (supply chain integrity).

What Should Happen?

Expected behavior

The installer should download and run without triggering antivirus alerts. The MSIX package should be properly signed and recognized as safe by Microsoft Defender.

Error Messages/Logs

Alert details

Detected	Trojan:Script/Wacatac.H!ml
Severity	Severe
Status	Removed (quarantined automatically)
Defender message	This program is dangerous and executes commands from an attacker.
Source URL	https://downloads.claude.ai/releases/win32/x64/1.1.7714/Claude-3bd6f69326a0abac98bb269c29140e2a543cad64.msix
Affected file	%USERPROFILE%\Downloads\Claude.msix
Environment

OS	Windows (win32/x64)
Claude version	1.1.7714
AV / EDR	Microsoft Defender (Windows Security)

Steps to Reproduce

Steps to reproduce

Navigate to the Claude Desktop download page or use the direct release URL.
Download Claude.msix to a Windows machine with Microsoft Defender active.
Observe Defender for Endpoint P2 (enterprise environments) immediately quarantine and remove the file.

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

1.1.7714

Platform

Other

Operating System

Windows

Terminal/Shell

Non-interactive/CI environment

Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗