False positive: VBA32 on VirusTotal detects basic bootstrapper as BScope.Trojan.Penguish #9119

evgen-pervenenko · 2025-07-08T16:58:51Z

evgen-pervenenko
Jul 8, 2025

Question

Hello, community

Recently, the VBA32 antivirus engine on VirusTotal has started flagging simple bootstrapper application as Trojan malware (BScope.Trojan.Penguish). Has anyone else encountered this issue, or found a reliable workaround?

VirusTotal:
https://www.virustotal.com/gui/file/f4280a68a9b6e8fa75f6f736bb46aee7f214957a29f14543a9f427f46d052d03?nocache=1

Environment:
.NET Framework: 4.6.2
WiX Toolset: 5.0.2

Example Application:

<Wix xmlns="http://wixtoolset.org/schemas/v4/wxs"
	xmlns:bal="http://wixtoolset.org/schemas/v4/wxs/bal"
	xmlns:util="http://wixtoolset.org/schemas/v4/wxs/util">
	
	<Bundle Name="Bootstrapper" 
			Version="1.0.0.0" 
			Manufacturer="Test app" 
			UpgradeCode="06A19F6F-688C-44A6-B3D3-26F72DE50689" 
			DisableModify="no">

		<BootstrapperApplication>
			<bal:WixStandardBootstrapperApplication
				Theme="hyperlinkLicense"
				LicenseUrl="https://example.com/license.html"/>
		</BootstrapperApplication>
		
		<Variable bal:Overridable="yes" Name="Prerequisite" Value="" Type="formatted" />
		<Variable bal:Overridable="yes" Name="InstallLevel" Value="1" />

		<Chain>
	  		<MsiPackage Id="FirstInstaller" SourceFile="$(var.FirstInstaller.TargetPath)" Visible="yes" bal:PrereqPackage="yes">
				<MsiProperty Name="PREREQUISITE" Value="[Prerequisite]" />
				<MsiProperty Name="INSTALLLEVEL" Value="[InstallLevel]" />
			</MsiPackage>
			<MsiPackage Id="SecondInstaller" SourceFile="$(var.SecondInstaller.TargetPath)" Visible="yes" bal:PrereqPackage="yes">
				<MsiProperty Name="PREREQUISITE" Value="[Prerequisite]" />
				<MsiProperty Name="INSTALLLEVEL" Value="[InstallLevel]" />
			</MsiPackage>
		</Chain>
	</Bundle>
</Wix>

Open Source Maintenance Fee

I (or an organization I'm a member of) pay the Open Source Maintenance Fee by sponsoring the wixtoolset project because I support the maintainers.

robmen · 2025-07-09T18:17:44Z

robmen
Jul 9, 2025
Maintainer

Sign your bundle and send it to the anti-virus company as a false positive. All the reputable anti-virus companies have ways to report them by sending your binary. But make sure it's signed first. :)

0 replies

evgen-pervenenko · 2025-07-10T07:22:12Z

evgen-pervenenko
Jul 10, 2025
Author

Hi, @robmen, thank you for the suggestion! We’ve actually tested both signed and unsigned versions of the bundle — unfortunately, the detection persists in both cases.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WiX Toolset

False positive: VBA32 on VirusTotal detects basic bootstrapper as BScope.Trojan.Penguish #9119

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

WiX Toolset

False positive: VBA32 on VirusTotal detects basic bootstrapper as BScope.Trojan.Penguish #9119

Uh oh!

evgen-pervenenko Jul 8, 2025

Question

Open Source Maintenance Fee

Replies: 2 comments

Uh oh!

robmen Jul 9, 2025 Maintainer

Uh oh!

evgen-pervenenko Jul 10, 2025 Author

evgen-pervenenko
Jul 8, 2025

robmen
Jul 9, 2025
Maintainer

evgen-pervenenko
Jul 10, 2025
Author