Windows defender suddenly alerting me to Arduino files

First of all I want to apologise if this is in the wrong section, I couldn't really discern the best place for this to go.

Yesterday I turned on my PC and got a Windows Defender alert suddnly telling I need to take action about a file, something that's never happended on this PC.

The threat detected was for BrowserModifier:Win32/Xiazai and the file it was affecting was AppData\Roaming\systray\systray.dll.

I removed the file but I got the exact same alert today, after deleting and a restart I confirmed it was being created when I logged in.

I used Process Monitor to find out what was making it and it pointed me to Arduino Create Bridge, which confuses me because I've had this on my PC for a few months now (albeit I rarely use it) and I've never had a security alert.

To double confirm everything I removed the plugin and the affected file, restarted and got no new alerts, upon re-installing the plugin I immediately got the same alert.

What concerns me about this is that Windows Defender has no mention of Arduino, and nothing in the properties of systray.dll has any mention of Arduino, only "Brave New SOftware Project, Inc" as the digital signer.

The web editor wasn't detecting the plugin until I told Windows Defender to allow it, so it's definitely has something to do with Arduino.

Can anyone explain what's happened here? Has Windows perhaps updated with with new definitions and started detecting this file? Did the plugin update?

Am seeing the same thing here with defender silently killing the create agent under win 7 x64.
MSE is also not showing the ADD for exclusions which is now greyed out at this end.
Will pass this along and thank for the report.

You are in the correct section BTW.


As a quick way around you can restore it from MSE.
here it runs ok after that.

Also ran it through Virus total where they all came up clean except two.
I strongly suspect a "false positive".

Thanks for reporting it. We've filed a case to Microsoft as we believe it's a false positive. I hope they will get back to us soon and remove it from their AV signatures.

I'll keep you posted.


same here. yesterday all was fine, but today Windows Defender signals a Win32/Xiazai unwanted software.

Hi everyone! Windows Defender's detection is now looking good again. Fixes have been integrated in signature version: 1.301.576.0.

References: VirusTotal

Sorry everyone for the inconvenience!


thanks. but scary ( ;

Nah not scary.

All the AV programs out there often come up with false positives for a variety of software.
Thankfully they are PDQ at sorting things out like that so the vast majority don't even know.

Scary is when you run something through sites like virustotal and get a lot of warnings.
Never rely on a single AV source for ANY computer.