Bug 18786 – AV program detects malware in windows download of DMD

Created attachment 1687 Output of AV program When I ran DMD download (dmd-2.063.2) on the Virus total site I got the following 2 detections McAfee-GW-Edition BehavesLike.Win32.Dropper.cc VBA32 suspected of Trojan.Downloader.gen.h Is this correct or false positives. If correct can you direct me to a clean version Thanks

This is a false positive. Please notify your Antivirus vendor and report their false detection there. Thanks! BTW dmd-2.063 is more than four years old. Are you sure you need such an old release?

dmd-2.080.0.exe, downloaded yesterday, gives 12 reports on VirusTotal including McAfee, TrendMicro, and Microsoft. This is 12/64 scanners, ie 18%. A false positive sounds less likely. https://www.virustotal.com/#/file/007560cc35e78ba74d6fa9732e27032a1fd2f2d6cbadffd1c39ffff68d5dd100/detection Windows Defender on Win10 identifies it as a trojan and will not run, too.

It's a false positive. You can check the signature of the binary. Please report it to your Antivirus vendors. They traditionally have troubles with the DigitalMars runtime.

What information does checking the signature give? It shows it's signed, not that it's virus-free. A signature shows that a binary comes from a certain source, not that it carries no payloads. > Please report it to your Antivirus vendors. VirusTotal.com tests using 60-70 vendors, of which 18% (let's round to one fifth of all AVs) have trouble with this binary. I do not believe responsibility for reporting a false positive, at such a scale, lies with someone with no knowledge of your runtime, your build machines, your internal pre-signature AV checks, your runtime or the areas of your runtime that cause AVs to flag the binary.

> I do not believe responsibility for reporting a false positive Well, you are the one using the snake oil software (and possibly even paying for it). Don't forget that D is an open source project and driven by volunteers. Most D developers use Linux, so they never run into this problems with Windows. The only thing I can guarantee you is that it's a false positive because these reports have been semi-regularily coming in from time to time over the recent years. As mentioned for the AV vendors the D runtime looks still unfamiliar and thus they often wrongly determine it to be a virus. So tl;dr: if you don't report it to the AV vendor you use, who else is going to? And also AV vendors often take reports from their users much more seriously than from open source projects (I tried to get in touch with done of them a few years ago which horribly failed).

> What information does checking the signature give? It shows it's signed, not that it's virus-free. A signature shows that a binary comes from a certain source, not that it carries no payloads. Yes, but then again how do you know that anything does or doesn't contain a virus? FWIW you can build the compiler from the sources yourself quite quickly and typically that is even more likely to be determined as a virus - even though in this case you could have checked the entire code. The signature at least insures that you got the binary built from the source code you can see on GitHub (depending on whether or not you trust our release master).

There is something screwy about it. It's not the compiler that is reporting the virus, it's the installer. What utility are we using the generate the installer executable?

Greenify, I hear you in that I know D is open source software run by volunteers, and that means no-one needs to look after reports like this if they don't want to. If it was one AV vendor, I'd happily report it. It's up to 21% of vendors on Virustotal now, though, and that means a couple of things: * I, as a new D user, do not have the knowledge and background to state to a vendor that it is truly virus free. If the runtime causes problems, I can't explain what and why. You can't ask I report it, because you're asking me to make statements to the vendor that I don't have the knowledge to back up. ("Can you take this package on board the airplane for me? No bombs, promise." Later, at security, "No, no bombs. Oh, no, it's not my package. No, I don't know what's in it. It's locked, I don't have the key. But no bombs. I'm sure.") The only people who can speak to an AV with authority and assist them in finding why it is a false positive are those with a good understanding of the RTL and the patterns in it that are causing the AV to be concerned. * A large number of AVs is a danger sign, and if this was my own software I'd be investigating, even if I believed there was no cause for concern. I have done that in the past for even a single AV report. * This impacts your users. Currently, no-one on Windows 10 can install D because the installer is captured by Windows Defender. The importance of that depends on the value you put on allowing Windows users to use D. I'll be frank: I'm new to D, and I downloaded to try it out and learn it. It's not reasonable to expect any new user to ignore thirteen different antivirus vendors screaming "don't run it!" and to bypass security on their local system to install.

(In reply to David M from comment #8) > * I, as a new D user, do not have the knowledge and background to state to a > vendor that it is truly virus free. If the runtime causes problems, I can't > explain what and why. You can't ask I report it, because you're asking me > to make statements to the vendor that I don't have the knowledge to back up. > ("Can you take this package on board the airplane for me? No bombs, > promise." Later, at security, "No, no bombs. Oh, no, it's not my package. > No, I don't know what's in it. It's locked, I don't have the key. But no > bombs. I'm sure.") Don't worry, they won't believe you blindly :) virus analysts will check if it's truly clean. You only need to report, the rest will be done for you, no expertise is required from you at all. > * This impacts your users. Currently, no-one on Windows 10 can install D > because the installer is captured by Windows Defender. I just downloaded dmd-2.080.0.exe and windows defender doesn't detect it as a virus.

DMD 2.082.0, Microsoft Windows 10 Enterprise Build 17134 - Defender prevents any work with DMD or compiled by DMD programs.

(In reply to Alexey Kulentsov from comment #10) > DMD 2.082.0, Microsoft Windows 10 Enterprise Build 17134 - Defender prevents > any work with DMD or compiled by DMD programs. We're actually signining Windows binaries since 2.082.0 and didn't have any further Defender issues after also submitting dmd for inspection. Do you have any additional info to reproduce the issue, in particular the one with self-built binaries. [¹]: https://dlang.org/changelog/2.082.0.html#signed_windows_binaries

I downloaded 2.082.1, Edge showed message "Running security scan" which took a long time, I opened the Defender interface, and after some time Edge reported that download is complete. Maybe the scan just takes a long time.

Created attachment 1716 Compiled utility rejected by Windows Defender in corporate network

(In reply to Martin Nowak from comment #11) > We're actually signining Windows binaries since 2.082.0 and didn't have any > further Defender issues after also submitting dmd for inspection. I am in the corporate network with centralized administration. Now I think, maybe, corporate rules are more strict than defaults, and rejects unknown self-signed certificates. > Do you have any additional info to reproduce the issue, in particular the > one with self-built binaries. DMD installer from official site, DMD version: DMD32 D Compiler v2.082.0 Copyright (C) 1999-2018 by The D Language Foundation, All Rights Reserved written by Walter Bright Utility source and executable (mpgit) are attached to the issue in the previous comment.

It's not a self-Signet certificate, it's one from an officially approved windows certificate vendor. Not sure whether we can do more for you. Maybe you just need to talk to your admins?

THIS ISSUE HAS BEEN MOVED TO GITHUB https://github.com/dlang/installer/issues/662 DO NOT COMMENT HERE ANYMORE, NOBODY WILL SEE IT, THIS ISSUE HAS BEEN MOVED TO GITHUB