{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreihwfmzu66lge6gxav4hzeypctjeaakr3dmtmipkhk4teb3mugixuu",
    "uri": "at://did:plc:lk3jfj3zq4k4wxnk474axylu/app.bsky.feed.post/3mpp4psf5kza2"
  },
  "path": "/t/windows-defender-flags-codex-computer-use-helper-as-trojan-win32-clickfix-de-mtb/1385584#post_1",
  "publishedAt": "2026-07-02T22:04:30.000Z",
  "site": "https://community.openai.com",
  "tags": [
    "@oai"
  ],
  "textContent": "I’m reporting what looks like a possible Windows Defender false positive involving Codex Desktop.\n\nWindows Security repeatedly showed “Threat blocked” / Severe for:\n\n`Trojan:Win32/ClickFix.DE!MTB`\n\nThe affected resource shown through PowerShell was the Codex computer-use helper:\n\n`C:\\Users\\ocean\\AppData\\Local\\OpenAI\\Codex\\runtimes\\cua_node\\1b23c930bdf84ed6\\bin\\node_modules\\@oai\\sky\\bin\\windows\\codex-computer-use.exe`\n\nThe command line included:\n\n`codex-computer-use.exe turn-ended`\n\nPowerShell checks showed:\n\n`ActionSuccess: True`\n\n`DidThreatExecute: False`\n\n`IsActive: False`\n\nI also ran a Windows Security scan afterward and it reported no threats.\n\nExtra context:\n\n- This is happening on my travel machine, not my main PC.\n\n- I’m using a VPN through a travel router.\n\n- The machine is isolated from my other devices on the network.\n\n- It seemed to happen around the end of Codex turns, sometimes near when work like git pushes completed, but Defender’s resource pointed to Codex’s local helper, not git.exe or GitHub traffic.\n\n- I updated Codex, fully exited all Codex instances, stopped leftover helper processes, and rescanned.\n\n- I searched online and did not find many/any reports of this exact `codex-computer-use.exe` + `ClickFix.DE!MTB` combination.\n\nThe file hash I saw was:\n\n`F2B2F56FCD1699B0FA32DEC3214A56A1D36B937A2ECF58CC822AB4A904551E03`\n\nThe executable also appeared to be unsigned when checked with `Get-AuthenticodeSignature`, which may be part of why Defender is suspicious.\n\nI’m not asking people to ignore Defender warnings. I’m leaving the item blocked and not restoring/allowing it. I’m posting this to see if anyone else has seen the same detection and to help confirm whether this is a Defender heuristic false positive around Codex’s computer-use helper.",
  "title": "Windows Defender flags Codex computer-use helper as Trojan:Win32/ClickFix.DE!MTB"
}