False Positives
Sometimes antiviruses are a bit overly cautious. Tauri apps can sometimes be flagged as a false positive for a Trojan virus when using the NSIS installer. This is a well known upstream issue for NSIS that sadly can’t really be fixed because it’s the fault of antiviruses and hackers, not the project itself.
You can read more on it here: NSIS False Positives
You can go through all of Tauri’s source code and all its dependencies if you like. Tauri gets audited periodically by a third party entity that ensures Tauri is perfectly safe. There are no trojans added by Tauri or its dependencies.
A false positive is when your antivirus tells you something is a virus when it’s not.
When you download a file through your browser your computer adds some information to the file regarding where it came from. When your antivirus scans the file it sees that metadata and effectively puts on its tin foil hat and does some extra strict scanning of it. That’s why a file can be scanned on your own computer as not being a virus, but when sent to your users over the internet they get a virus warning, despite the file having the exact same contents.
To check if this is what’s causing the issue you can run these commands on the users device in order to remove the metadata on the file. This is not a solution to the issue and you can’t add it to CI/CD to fix things, but it can be part of debugging whether it’s a false positive.
Send your file to VirusTotal and check which antiviruses are telling you it’s a virus. False positives are essentially when the bad providers are triggering but the good ones do not. Once the scan finishes check for providers like Symantec Norton and ESET, they are two of the biggest and most reliable antiviruses, if they say it’s not a virus it’s pretty much guaranteed not to be one. The fact Windows Defender says it’s a virus is really annoying but it doesn’t prove anything because it’s simply not sophisticated enough to reliably determine if something is a virus.
Yes. Not from Tauri, but it could be a true positive. Don’t trust your NPM and Cargo dependencies implicitly, they are not just capable of infecting your app, but can even infect your computer if you’re not careful. If what you have is an actual virus then it wasn’t given to you by anything Tauri made, it’ll be from a malicious dependency you’ve added to your project.
Using the .msi
installer has been reported to raise fewer false positives than that .exe
installer. It still raises warnings, just not as much. So that might be a first step to try. Other than that, the only reliable way to get rid of the issue is to sign your application and submit it to antivirus providers for further testing.
Sometimes just rebuilding the app a couple times can also make Windows Defender stop flagging it as a virus, it’s the weirdest thing.
Other than that there’s not much you can do. It’s an upstream issue with the projects Tauri uses, so there’s not much Tauri can do about it either. What you can remember with this is that it’s not an issue with Tauri per se, it’s an issue with the installer projects used, you’re gonna face these sorts of issues regardless of what other app framework you look at.
Check out the NSIS information on the subject here: NSIS False Positives
If you are facing false positive issues on a Mac you can use something called ad-hoc signing on your app to get around the need for a paid certificate from Apple. Do note that this certificate doesn’t come with the same security guarantees for your users and doesn’t allow you to submit your app to the AppStore, but for any project that you distribute yourself that you just want people to be able to install and use as-is without the fancy signing security benefits, you can instead opt for ad-hoc signing, which is more of a developer tool that gets rid of the warning from the OS.
There’s no option currently in tauri-action
or Tauri in general to use this sort of signing.