Microsoft Defender detects Cursor update as Trojan:Win32/Wacatac.B!ml and Trojan:Script/Wacatac

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

When updating Cursor IDE, Microsoft Defender flags and quarantines files from the update process as Trojan:Win32/Wacatac.B!ml and Trojan:Script/Wacatac.

The detection occurs during the update download/install, which causes the update to fail or be interrupted.

Cursor was downloaded only from the official Cursor website. No cracked or modified version was used. The detected files appear to be part of Cursor’s script-based updater, which may be triggering heuristic or machine-learning based detections in Microsoft Defender.

This makes it unclear whether this is a false positive or an issue with how the update is packaged, signed, or delivered.

Steps to Reproduce

  1. Install Cursor IDE from the official website.
  2. Launch Cursor on Windows with Microsoft Defender enabled.
  3. When prompted that an update is available, start the update process.
  4. Cursor begins downloading the update files.
  5. During the download or install phase, Microsoft Defender detects and quarantines files related to the updater.
  6. Defender shows alerts for:
     Trojan:Win32/Wacatac.B!ml
     Trojan:Script/Wacatac
  7. The update process is interrupted or fails due to the quarantine action.

Screenshots / Screen Recordings

Operating System

Windows 10/11

Version Information

version ide 2.4.31

Does this stop you from using Cursor

No - Cursor works, but with this issue

1 Like

Hey, thanks for the report.

This is a false positive from Windows Defender’s heuristic ML detection. The inno_updater.exe file is a legit part of Cursor’s update mechanism (an Inno Setup-based updater), and detections like Wacatac.B!ml / Wacatac.C!ml are known to be false positives for similar executables.

As a workaround, you can add an exclusion in Windows Defender:

  1. Open Windows Security > Virus & threat protection
  2. Under Virus & threat protection settings, click Manage settings
  3. Scroll to Exclusions and click Add or remove exclusions
  4. Add the Cursor install folder (usually C:\Users\<username>\AppData\Local\Programs\cursor)

After that, restore the file from quarantine in Defender’s protection history and try updating again.

Let me know if adding the exclusion fixes the update issue.
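
To see exactly which files Defender flagged, and whether the restored updater carries a valid Authenticode signature (the "packaged, signed, or delivered" question raised in the report), the following read-only check can be run from an elevated PowerShell prompt. It is an added example, not part of the thread or of Cursor's own tooling. It assumes the default install folder given in the reply and that inno_updater.exe sits somewhere under it.

```powershell
# Added example (not from the thread). Read-only: changes no Defender settings.
# Assumption: default install folder from the reply; adjust if Cursor lives elsewhere.
$CursorDir = Join-Path $env:LOCALAPPDATA 'Programs\cursor'

# 1. Map Defender threat IDs to names, then list Wacatac detections with the
#    process and file paths involved, to confirm they point into the updater.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Where-Object { $names[$_.ThreatID] -like '*Wacatac*' } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.InitialDetectionTime
            Threat    = $names[$_.ThreatID]
            Process   = $_.ProcessName
            Resources = $_.Resources -join '; '
        }
    } | Format-List

# 2. After the file is restored from quarantine, report its signature status,
#    signer and SHA-256 so they can be compared with what the vendor publishes.
$updaters = Get-ChildItem -Path $CursorDir -Recurse -Filter 'inno_updater.exe' `
    -ErrorAction SilentlyContinue
if (-not $updaters) {
    Write-Warning "inno_updater.exe not found under $CursorDir (still quarantined?)"
}
foreach ($f in $updaters) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File   = $f.FullName
        Status = $sig.Status   # 'Valid' = signed, trusted chain, file unmodified
        Signer = $sig.SignerCertificate.Subject   # empty when the file is unsigned
        SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).HashValue
    } | Format-List
}

# 3. Show the exclusion paths currently configured (readable only when elevated),
#    to confirm the exclusion covers the Cursor folder and nothing broader.
(Get-MpPreference).ExclusionPath
```

A `Status` other than `Valid`, or a detection whose `Resources` point outside the Cursor install folder, is worth reporting back in the thread before relying on the exclusion.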