We have been receiving a lot of reports about Windows Defender falsely detecting our updater as malware. As soon as the first reports rolled in, we (and many of the users affected) immediately reported the false detection to Microsoft, and it appeared that the problem was resolved very promptly. We were confident that once the updated Windows Defender definitions spread, the false detection issue would be over. Unfortunately, that didn't happen. User reports of the false detection have continued to pour in despite us having difficulty reproducing it, so we decided to take a deeper look at the issue.
The detection name Windows Defender gives is always Trojan:Win32/Azden.A!cl. Azden.A is a generic label for auto-updating behavior detection, nothing unusual there, but !cl signifies that the detection is from their machine-learning-based cloud services. Errors in machine learning aren't really something one fixes as much as encourages toward the correct answer, so Microsoft can't simply stop the false detection. As a workaround, Microsoft has been whitelisting every development build that is reported, but any time there is a new development build, or now an old development build (all dev builds with the updater are now affected), machine learning will flag it as a trojan and spread that alert through the cloud. That is why it is so prolific; local definitions don't even matter. This also made it very challenging for us to diagnose. A user will encounter a false detection on a new or old build, report that false detection to Microsoft, and then tell us. By the time we receive it and give it a try, Microsoft will have already whitelisted that build, and we can't reproduce it. That's why we haven't been talking about this issue up until now; even though users kept reporting it to us, every time we tried it, it seemed resolved.
We are investigating some options on our end that may make the whitelisting last longer, but this is pretty much entirely out of our control. Hopefully enough user reports can make Windows Defender's AI realize that Dolphin's updater is not a threat. Please continue to report the false detections to Microsoft and hopefully their issue will resolve itself.
For reference, here is the discussion on Twitter: https://twitter.com/Dolphin_Emu/status/1...6264374272