Windows Defender flags Codex computer-use helper as Trojan:Win32/ClickFix.DE!MTB
I’m reporting what looks like a possible Windows Defender false positive involving Codex Desktop.
Windows Security repeatedly showed “Threat blocked” / Severe for:
Trojan:Win32/ClickFix.DE!MTB
The affected resource shown through PowerShell was the Codex computer-use helper:
C:\Users\ocean\AppData\Local\OpenAI\Codex\runtimes\cua_node\1b23c930bdf84ed6\bin\node_modules\@oai\sky\bin\windows\codex-computer-use.exe
The command line included:
codex-computer-use.exe turn-ended
PowerShell checks showed:
ActionSuccess: True
DidThreatExecute: False
IsActive: False
I also ran a Windows Security scan afterward and it reported no threats.
Extra context:
This is happening on my travel machine, not my main PC.
I’m using a VPN through a travel router.
The machine is isolated from my other devices on the network.
It seemed to happen around the end of Codex turns, sometimes near when work like git pushes completed, but Defender’s resource pointed to Codex’s local helper, not git.exe or GitHub traffic.
I updated Codex, fully exited all Codex instances, stopped leftover helper processes, and rescanned.
I searched online and did not find many/any reports of this exact
codex-computer-use.exe+ClickFix.DE!MTBcombination.
The file hash I saw was:
F2B2F56FCD1699B0FA32DEC3214A56A1D36B937A2ECF58CC822AB4A904551E03
The executable also appeared to be unsigned when checked with Get-AuthenticodeSignature, which may be part of why Defender is suspicious.
I’m not asking people to ignore Defender warnings. I’m leaving the item blocked and not restoring/allowing it. I’m posting this to see if anyone else has seen the same detection and to help confirm whether this is a Defender heuristic false positive around Codex’s computer-use helper.
Discussion in the ATmosphere