External Publication
Visit Post

Windows Defender flags Codex computer-use helper as Trojan:Win32/ClickFix.DE!MTB

OpenAI Developer Community July 2, 2026
Source

I’m reporting what looks like a possible Windows Defender false positive involving Codex Desktop.

Windows Security repeatedly showed “Threat blocked” / Severe for:

Trojan:Win32/ClickFix.DE!MTB

The affected resource shown through PowerShell was the Codex computer-use helper:

C:\Users\ocean\AppData\Local\OpenAI\Codex\runtimes\cua_node\1b23c930bdf84ed6\bin\node_modules\@oai\sky\bin\windows\codex-computer-use.exe

The command line included:

codex-computer-use.exe turn-ended

PowerShell checks showed:

ActionSuccess: True

DidThreatExecute: False

IsActive: False

I also ran a Windows Security scan afterward and it reported no threats.

Extra context:

  • This is happening on my travel machine, not my main PC.

  • I’m using a VPN through a travel router.

  • The machine is isolated from my other devices on the network.

  • It seemed to happen around the end of Codex turns, sometimes near when work like git pushes completed, but Defender’s resource pointed to Codex’s local helper, not git.exe or GitHub traffic.

  • I updated Codex, fully exited all Codex instances, stopped leftover helper processes, and rescanned.

  • I searched online and did not find many/any reports of this exact codex-computer-use.exe + ClickFix.DE!MTB combination.

The file hash I saw was:

F2B2F56FCD1699B0FA32DEC3214A56A1D36B937A2ECF58CC822AB4A904551E03

The executable also appeared to be unsigned when checked with Get-AuthenticodeSignature, which may be part of why Defender is suspicious.

I’m not asking people to ignore Defender warnings. I’m leaving the item blocked and not restoring/allowing it. I’m posting this to see if anyone else has seen the same detection and to help confirm whether this is a Defender heuristic false positive around Codex’s computer-use helper.

Discussion in the ATmosphere

Loading comments...