{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreib4enah5kc3zueepps7t3ukh6lsqnm73f47w6xnrzrqlf2kxkb7ki",
    "uri": "at://did:plc:lk3jfj3zq4k4wxnk474axylu/app.bsky.feed.post/3mpqz6a5wd6w2"
  },
  "path": "/t/windows-defender-flags-codex-computer-use-helper-as-trojan-win32-clickfix-de-mtb/1385584#post_3",
  "publishedAt": "2026-07-03T16:42:56.000Z",
  "site": "https://community.openai.com",
  "textContent": "Thanks, this is helpful. I’m not whitelisting/restoring it.\n\nUpdate: this has now reproduced on my main PC too, completely separate from the travel router/VPN/laptop setup. Same Defender detection pattern, and it happened near the end of a Codex commit/turn. That makes me think this is less likely to be network/VPN-specific and more likely a Defender heuristic around Codex’s helper/turn-ended behavior.\n\nBoth machines show clean scans afterward, and I’m leaving the item blocked.\n\n- Codex Desktop version/build: latest as of July 3, 2026\n\n- Defender security intelligence version: `1.453.401.0`\n\n- SHA-256 of the helper: `F2B2F56FCD1699B0FA32DEC3214A56A1D36B937A2ECF58CC822AB4A904551E03` from the first affected machine\n\nstill have to see:\n\n- whether reinstall/update produces the same helper hash under the same `cua_node` runtime path",
  "title": "Windows Defender flags Codex computer-use helper as Trojan:Win32/ClickFix.DE!MTB"
}