
Published on April 10th, 2020


Windows Defender incorrectly flagged Winaero Tweaker as HackTool



Windows 10's built-in antivirus software Windows Defender ATP uses algorithms and machine learning models to find and block suspicious files on your system, but there is a trade-off. 

Sometimes legitimate programs are falsely detected by Windows Defender, which classifies them as malicious.

Users are reporting that the popular third-party Windows tweaking app called 'Winaero Tweaker' has been flagged as 'potentially unwanted software' or 'Hacktool' in Windows Defender.

The app, which allows you to customize Windows, is being removed by Windows Defender, which detects the executable as "HackTool:Win32/WinTweak" or "!#UACTrigger.A".

Winaero Detections

What's more concerning is that the Winaero removal doesn't appear to be a case of a 'false positive', as Microsoft has specifically created a classification, 'WinTweak', for this app.


As the creator of Winaero Tweaker explained, Winaero is not 'potentially unwanted software', as it only allows users to customize the Windows experience, turn off Windows Update, and disable Windows Defender and telemetry.

It is not known if this detection was specifically created for Winaero Tweaker or caused by aggressive heuristics that have accidentally detected the software.





Windows Defender uses heuristics and AI to classify programs as malicious, but sometimes these "intelligent systems" make mistakes.

"The tradeoff of an intelligent, scalable approach is that some of our more aggressive classifiers from time to time misclassify normal files as malicious (false positives). While false positives are a very tiny occurrence compared to the large number of malware we correctly identify (true positives) and protect customers from, we are aware of the impact that misclassified files might have," Michael Johnson of Windows Defender Research noted.

This detection has since been fixed in version 1.313.1221.0 of Windows Defender's antivirus definitions.

Windows Defender definitions

Windows 10 users can check which version of Windows Defender is in use by following this guide.

Users can manually update the Windows Defender definitions by going to Windows Security > Virus & threat protection and then clicking on the 'Check for updates' link.

Checking for Windows Defender updates

For users of older definitions, Winaero Tweaker will continue to be blocked.
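The same check can be scripted on an endpoint. The PowerShell below is an added example, not code from the original article or from Microsoft: it uses the Defender module cmdlets Get-MpComputerStatus, Update-MpSignature, Get-MpThreat and Get-MpThreatDetection, takes the version number and detection names from the article, and the function name Test-DefinitionHasFix is hypothetical.

```powershell
# Assumption: run from an elevated PowerShell session on Windows 10
# with the built-in Defender module available.

# Definition version the article says contains the fix.
$FixedVersion = [version]'1.313.1221.0'

# Detection names quoted in the article, as wildcard patterns so that
# any prefix on the stored threat name still matches.
$DetectionPatterns = '*HackTool:Win32/WinTweak*', '*UACTrigger.A*'

# Hypothetical helper: true when the installed definitions are at or
# above the fixed version. [version] compares each dotted field as a
# number, so 1.313.999.0 sorts below 1.313.1221.0 (a string compare
# would get this wrong).
function Test-DefinitionHasFix {
    param([Parameter(Mandatory)][string]$Installed)
    return ([version]$Installed -ge $FixedVersion)
}

$status    = Get-MpComputerStatus
$installed = $status.AntivirusSignatureVersion
Write-Output "Installed definitions: $installed (last updated $($status.AntivirusSignatureLastUpdated))"

if (-not (Test-DefinitionHasFix -Installed $installed)) {
    Write-Output "Older than $FixedVersion, requesting a definition update..."
    Update-MpSignature
    $installed = (Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Output "Definitions after update: $installed"
}

# Find threat records whose name matches either detection from the article.
$threats = Get-MpThreat | Where-Object {
    $name = $_.ThreatName
    $DetectionPatterns | Where-Object { $name -like $_ }
}

if (-not $threats) {
    Write-Output 'No recorded detections under the names from the article.'
}

# Show when and on which files each matching detection fired.
foreach ($t in $threats) {
    Get-MpThreatDetection |
        Where-Object { $_.ThreatID -eq $t.ThreatID } |
        Select-Object @{ n = 'ThreatName'; e = { $t.ThreatName } },
                      InitialDetectionTime, Resources
}
```

Updating definitions does not restore files that were already quarantined; those are restored separately from Protection history in Windows Security.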

BleepingComputer has contacted Microsoft about this new detection but has not heard back as of yet.
