2.7.0.0 x86 and .zip high count of Generic/Suspicious Detections.

[ljmacri]

Describe the bug

My current WhyNotWin11 Portable v2.6.1.1 runs correctly from a removable USB stick. Microsoft Defender is the primary antivirus for my Win 10 v22H2 computer .

I can download the latest Portable build for WhyNotWin11 v2.7.0.0 (WhyNotWin11.zip, rel. 07-Oct-2025) from https://github.com/rcmaehl/WhyNotWin11/releases but when I try to unzip this file it is quarantined by Microsoft Defender as Trojan:Win32/Suschil!rfn.

I don't know if it is relevant, but the scan engine for my Microsoft Defender AV recently updated from 1.1.25080.5 to 1.1.25090.3001.

To Reproduce

1. Browse to https://github.com/rcmaehl/WhyNotWin11/releases.
2. Scroll to Assets section for current v2.7.0.0 release and click link for portable WhyNotWin11.zip file.
3. Save WhyNotWin11.zip to removable USB stick or (any other location).
4. Right-click WhyNotWin11.zip (i.e., to try to choose "Extract All" from pop-up context menu).
5. WhyNotWin11.zip is automatically quarantined by MS Defender as Trojan:Win32/Suschil!rfn.

Expected behavior

WhyNotWin11.zip should unzip normally and unpack the WhyNotWin11.exe executable without being quarantined.

Screenshots

Desktop (please complete the following information):

Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.6332 * Firefox v143.0.4 * Microsoft Defender v4.18.25080.5-1.1.25090.3001 * Malwarebytes Premium v5.4.1.215-142.0.5389

Additional context

I will submitted a false positive detection report on the Microsoft Security Intelligence Portal at https://www.microsoft.com/en-us/wdsi/filesubmission/ today but in the past I have never received a response from Microsoft when submitting a possible FP report this way.

[rcmaehl]

Technically a duplicate of #49

It looks like _x86 (32-bit only) has a ton of Generic/Suspicious detections which will also cause issues with the zip. There were some big changes this release to support Windows PE, namely implementing DeviceIoControl, so I'm not too surprised this happened. I'm tempted to kill of the 32-bit only build specifically because it always has this issue (although this is the first time it's been this high).

I believe last time I considered this, x86 was still 10% of downloads, which is a lot of users.

I MIGHT spin off the WinPE compatibly to its own build as I've been considering a PRO version for a while with a ton of extra checks 99% of users won't care about (WinRe, Display, Camera, etc). Might move Feature Update compatibility in there as well.

Just a heads up, the non-zipped WhyNotWin11.exe is Portable as well as-is.

[obiwankenobi7]

I also downaloaded it and not only my antivirus detected several threats here but also Virustotal check...

[rcmaehl]

I also downaloaded it and not only my antivirus detected several threats here but also Virustotal check...

That is correct. It had 31 detections originally. I've submitted some false positive reports and it's down to 29 now, hoping it will continue to fall as they're processed.

[rcmaehl]

Looking at the MITRE results the "MEDIUM" Severity items are:

• DXDIAG is touched (I can probably remove this)
• MachineGuid is read (might need to manually minimize some UDF function, might be IS interpreter)
• That we're pulling files directly from github (spinning up a custom host is probably more suspicious IMO)
• That the user-agent identifies itself as Autoit (which is "suspicious or fake", easily fixable with HttpSetUserAgent however)
• Extracted Files are sometimes overwritten (this is honestly dumb but okay)

[rcmaehl]

Test 1:

• Removed Dxdiag
• Set Custom Useragent

Results: Detections dropped to Extremely Low 20s

Test 2

• Removed Dxdiag
• Set Custom Useragent
• Disabled downloading files from github

Results: No Change

Test 3

• Created simple dialog box 32-bit messagebox pop-up

Results: Extremely High 10s

Notes

Removing Dxdiag and Setting a Custom User-agent were the most effective. It still pisses off Microsoft OCCASIONALLY with a generic detection, but nothing I can do can get around AVG or AVAST false-positives (~22% of the non-MS AV market based on Security.org Reports) as even a basic messagebox freaked them out.

Getting rid of the 32-bit version seems more and more appealing

[evil-raider]

Even the new x64 version of the program has been triggered by VirusTotal (3/71). I sent a request to DRWEB to look into this false positive. They removed it from the list of malware.
This is my mini-contribution to ensuring that all users enjoy this program :)

[ljmacri]

Just a heads up, the non-zipped WhyNotWin11.exe is Portable as well as-is.

Hi rcmaehl:

Could you confirm that the 2.2 MB WhyNotWin11.exe available on your download page at https://www.whynotwin11.com/download/ is a portable file? Users are instructed to "Install Why Not Win 11 Tool on your PC" (i.e., not to save WhyNotWin11.exe and run without installation) so I always assumed the WhyNotWin11.exe offered on that download page was an .exe installer that would install files somewhere in C:\Program Files and create registry entries.

Just FYI, I was able to save and unzip WhyNotWin11.zip v2.7.0.0 on a removable USB stick on 26-Oct-2025 but when my weekly Malwarebytes Premium scheduled scan ran today the unzipped WhyNotWin11.zip file I archived at C:\Users<myusername>\Downloads was detected as Generic.Malware/Suspicious, and Malwarebytes suggested I quarantine this file.

---

Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.6456 * Firefox v144.0.2 * Microsoft Defender v4.18.25090.3009-1.1.25090.3001 * Malwarebytes Premium v5.4.3.221-144.0.5414 * 64-Bit WhyNotWin11 Portable 2.7.0.0

[rcmaehl]

Could you confirm that the 2.2 MB WhyNotWin11.exe available on your download page at https://www.whynotwin11.com/download/ is a portable file?

WhyNotWin11.com is not owned by me. See #66

I keep an eye on them to make sure they're still providing the github download and aren't being suspicious like they used to be, but I don't own the site.

[ljmacri]

WhyNotWin11.com is not owned by me.

Sorry. Then what about the WhyNotWin11.exe and WhyNotWin11_x86.exe files you've posted under "Assets" at https://github.com/rcmaehl/WhyNotWin11/releases/tag/2.7.0? Are those portable executables that do not require installation?

---

Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.6456 * Firefox v144.0.2 * Microsoft Defender v4.18.25090.3009-1.1.25090.3001 * Malwarebytes Premium v5.4.3.221-144.0.5414 * 64-Bit WhyNotWin11 Portable 2.7.0.0

[rcmaehl]

WhyNotWin11.com is not owned by me.

Sorry. Then what about the WhyNotWin11.exe and WhyNotWin11_x86.exe files you've posted under "Assets" at https://github.com/rcmaehl/WhyNotWin11/releases/tag/2.7.0? Are those portable executables that do not require installation?

That is correct.