After downloading the Binance client, Windows Defender reports "Threat quarantined": is this a real problem or a false positive? This article walks through the judgment process. Download sources: the Binance website or the official Binance mobile app; if you haven't installed the app on iOS, see the iOS install guide.
1. False Positives vs. True Infections
| Judgment Item | False Positive | True Infection |
|---|---|---|
| Digital Signature | Issued to Binance Holdings | No signature / Unknown issuer |
| SHA-256 | Matches the official website | Does not match |
| Download Source | binance.com | Third-party site |
| Alert Type | "Potentially Unwanted Program" | "Trojan", "Ransomware", etc. clearly defined |
A matching signature and a matching SHA-256 together indicate a false positive; any discrepancy in either should be treated as a genuine threat.
2. Steps to Confirm a False Positive
Step 1: Do Not Restore Yet
If Defender has quarantined the file, do not restore or delete it yet.
Step 2: Verify the Source
Confirm that the download link is a binance.com subdomain and that it did not pass through a URL shortener or a third-party redirect.
Step 3: Check the Signature from Defender's Quarantine
Windows Security -> Virus & threat protection -> Protection history -> Click the item -> See details -> File information. You can see the full path and file properties here.
Step 4: Check SHA-256 on Another Clean Machine
Or temporarily restore it from quarantine and compute the hash with PowerShell:

```powershell
Get-FileHash binance.exe -Algorithm SHA256
```
Compare this with the value published on the official website.
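As an added example that is not part of the original article, the PowerShell function below combines the two checks from the table in section 1 (Authenticode signature and SHA-256) into a single verdict. The function name, the expected-signer string and the placeholder hash are assumptions; the real hash must be copied from the official binance.com download page.

```powershell
# Added example, not code from the article: check signature and SHA-256 together.
# $ExpectedSha256 must be the value published on binance.com; the placeholder in
# the usage call below is constructed and is not a real Binance hash.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $ExpectedSigner = 'Binance Holdings'   # assumed subject substring
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Missing'; Reason = 'file not found' }
    }
    $reasons = @()

    # 1. Authenticode signature: must be Valid (chains to a trusted root) and
    #    the signer subject should name the expected publisher.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status is $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
        $reasons += "signed by '$($sig.SignerCertificate.Subject)', not $ExpectedSigner"
    }

    # 2. SHA-256 must match the value published on the official site.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim().ToUpperInvariant()) {
        $reasons += "SHA-256 $actual does not match expected $ExpectedSha256"
    }

    # Per the table: both checks pass -> false positive; any discrepancy -> threat.
    $verdict = if ($reasons.Count -eq 0) { 'LikelyFalsePositive' } else { 'TreatAsThreat' }
    [pscustomobject]@{
        Path    = $Path
        Signer  = $sig.SignerCertificate.Subject
        Sha256  = $actual
        Verdict = $verdict
        Reason  = ($reasons -join '; ')
    }
}

# Usage: replace the placeholder with the hash shown on binance.com.
Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\binance.exe" `
    -ExpectedSha256 '<PLACEHOLDER_HASH_FROM_BINANCE_COM>'
```

Run it against the restored file; a `TreatAsThreat` verdict means the file should go back into quarantine and section 4 applies.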
3. Adding to the Whitelist
After confirming it is a false positive:
Defender Whitelist
Windows Security -> Virus & threat protection -> Exclusions -> Add an exclusion:
- Select "Folder" as the type and add `C:\Program Files\Binance`
- Or select "File" and add the specific .exe
360 / Huorong
Open the main interface of each -> Settings -> Trusted zone -> Add file / folder.
Do Not Disable Defender Globally
Never turn off your antivirus completely just to install Binance. Other malware will take advantage of the gap.
4. Handling a True Infection
1. Do Not Restore the File
Let the antivirus software keep it quarantined.
2. Full System Scan
Windows Security -> Full scan. This may take 1-3 hours.
3. Check Startup Items
Win+R -> msconfig -> Startup. Look for any suspicious entries (especially those with names like "Binance" but abnormal paths).
4. Check Scheduled Tasks
Task Scheduler -> Task Scheduler Library. Look for tasks you don't recognize.
5. Network Isolation
Disconnect from the internet as soon as you find a suspicious file, so that a remote operator cannot exfiltrate more data.
6. Change Passwords
Change the passwords for Binance, email, and other financial accounts.
5. Defensive Download Strategies
1. Download Only from binance.com
Any "Binance Client" distributed in "Binance discussion groups", "crypto helpers", or "crypto tools" is 99% malicious.
2. Run in a Sandbox First After Downloading
Windows 11 comes with a built-in Sandbox, allowing you to temporarily run an .exe to observe its behavior. If it behaves normally in the Sandbox, install it on the main system.
3. Install on a Limited-Privilege Account
Use a standard account instead of an administrator account for daily Windows use. This way, even if malware bypasses Defender, its privileges are restricted.
4. Follow Binance Announcements
Binance occasionally releases security announcements to notify users when a certain version is spoofed. Subscribing to official X / Telegram accounts allows you to receive these firsthand.
6. Fake "Repair" Traps
After a virus alert, search engines might recommend a "Binance client repair tool." All third-party "repair" tools are scams. There are only two ways to handle it:
- Add to whitelist (if confirmed as a false positive)
- Antivirus cleanup (if confirmed as an infection)
There is no middle ground.
FAQ
Q1: How long will it take for the official team to fix a false positive? Binance continuously submits clean samples to Microsoft and antivirus vendors. False positives usually disappear after one or two version updates.
Q2: Is reporting a "Potentially Unwanted Program (PUP)" considered a false positive? Usually, yes. The Binance client occasionally triggers these rules due to the nature of the Electron framework.
Q3: Can I use the portable client to avoid false positives? The portable version still triggers the same rules. The handling method is identical.
Q4: Can I still use the previously installed version after a Defender alert? Yes, provided you confirm it's a false positive. You can upgrade again once a new signature passes.