What proxy software does - rewriting the system proxy, installing services, creating virtual adapters, encrypting traffic - overlaps heavily with what security software watches for. Friction is inevitable; symptoms range from install-time detections to TUN failing to sudden mid-session outages.
Symptoms and what they mean
- Installer or core quarantined/deleted: "file not found" on launch, or an AV quarantine notice.
- Service Mode install fails: behavior protection blocked the service registration.
- Starts fine, everything times out: the firewall silently blocks the core's outbound connections.
- System Proxy switch keeps snapping back: a "browser protection" feature reverting proxy settings.
The fix: exclusions
Windows Defender shown; third-party AVs are analogous:
- Windows Security → Virus & threat protection → Manage settings → Exclusions.
- Add folder exclusions:
C:\Program Files\Clash for Windows(install dir) and%USERPROFILE%\.config\clash(data dir - core files update there). - Previously quarantined? Restore the files from Protection History first, then exclude.
- Firewall side: under "Allow an app through the firewall", tick Clash for Windows on both Private and Public (essential for LAN sharing).
Why the false positives
CFW carries no paid code-signing certificate, and its packed core plus proxy-rewriting behavior trip heuristics. So false positives are common - but that is not a safety proof. The rational protocol: download from trusted sources, verify hashes, then exclude. Excluding an installer of unknown origin is where the real danger lies.
Habits that reduce friction
- Pause real-time protection during version upgrades (so files aren't half-quarantined mid-install), re-enable after.
- Some security suites' "network protection" simply cannot coexist with TUN - choose one.
- EDR on corporate devices is not yours to bypass, nor should you - follow IT policy.