Windows Defender / Microsoft Endpoint False Positive: C2 Activity Detection

Description: Since Feb 10, 2026, Microsoft Endpoint Security has been flagging and blocking the Delta Chat RPC server. It appears to be a false positive related to the executable being unsigned and performing network activity (flagged as C2).

Execution Details:

  • Process Name: deltachat-rpc-server.exe
  • Version: 2.33.0.0 (x64)
  • Detection Type: C2 (Command and Control) activity related
  • Status: Blocked / Malicious (File Verdict)
  • Path: C:\Program Files\WindowsApps\merlinux.DeltaChat_2.33.0.0_x64__v2ry5hvxhdhyy\app\resources\app.asar.unpacked\node_modules\@deltachat\stdio-rpc-server-win32-x64\deltachat-rpc-server.exe

File Hashes:

  • SHA256: 3fda5ee389c61f09b9f1e3dcfcaf7bf7616c8a0387e1c5569d4fd5b0ebb506cd
  • SHA1: 1ce79e4ea24584c6f80f5d90c13166ee55a7a94e
  • MD5: a94af41f0a15a29bdcba2c6198519c39

Additional Info: The security software highlights that the file is Unsigned. VirusTotal shows a low detection ratio (2/67), suggesting this is an automated heuristic block by Microsoft rather than a confirmed virus.

This is now tracked at "Core 2.42.0 is incorrectly detected by VirusTotal" (Issue #7847, chatmail/core, GitHub).

Thanks for the clarification. Can someone tell me why VirusTotal and MS say this app is unsigned?

The binary is indeed unsigned, but it is not an issue. You can either install from Microsoft Store or ignore the warning.

We previously signed with an SSL.com certificate, but now the procedure has become even more complicated and requires running some proprietary software and using a “cloud” service with a limited number of binaries you can sign. The service hardly verifies anything but will call you at night to validate the company and is not easy to cancel.