Thread overview
VisualD.dll flagged during VisualD 0.45.0 installation as Trojan by McAfee
Aug 03
jj
August 03
Hi,

For other users of McAfee AV software: Note that, during the installation of VisualD 0.45.0, the VisualD.dll is detected as GenericRXBS-NK!9A26B67896F trojan by my McAfee AV (Enterprise v8.8 in my case).

Since I have been using VisualD (and D) for practically forever I am sure this is a false-positive, and caused by McAfee's new-fangled 'generically detected malware' algorithm!

I tried using the Quarantine Manager to 'restore' VisualD.dll, but this does not work since McAfee does not 'remember' previously restored files, and quarantine it every time VS loads the DLL.

Since this is a corporate PC I cannot disable McAfee, so this even stops me from ZIPping the damn DLL (to email to McAfee for analysis).

I'll have to revert to VisualD 0.45.0-rc2 for now, but it would be useful if someone can report this according to [1).

[1]: https://kc.mcafee.com/corporate/index?page=content&id=KB85567



August 03

On 03.08.2017 14:00, ShadoLight wrote:
> Hi,
> 
> For other users of McAfee AV software: Note that, during the installation of VisualD 0.45.0, the VisualD.dll is detected as GenericRXBS-NK!9A26B67896F trojan by my McAfee AV (Enterprise v8.8 in my case).
> 
> Since I have been using VisualD (and D) for practically forever I am sure this is a false-positive, and caused by McAfee's new-fangled 'generically detected malware' algorithm!
> 
> I tried using the Quarantine Manager to 'restore' VisualD.dll, but this does not work since McAfee does not 'remember' previously restored files, and quarantine it every time VS loads the DLL.
> 
> Since this is a corporate PC I cannot disable McAfee, so this even stops me from ZIPping the damn DLL (to email to McAfee for analysis).
> 
> I'll have to revert to VisualD 0.45.0-rc2 for now, but it would be useful if someone can report this according to [1).
> 
> [1]: https://kc.mcafee.com/corporate/index?page=content&id=KB85567
> 

It seems this is getting worse for dmd built executables.

VirusTotal also shows the McAfee failures, and 3 other engines complain, too. If I build Visual D against the MS-Runtime instead of the DigitalMars-Runtime, no virus is detected.

Unfortunately the DLL grows from 3 MB to 9 MB, which seems to uncover a bug somewheree in the tool chain. That might not be a show stopper, though, and I wanted to switch to the COFF builds eventually anyway.

The autotester has also created the same version, maybe it passes McAfee as is: https://ci.appveyor.com/project/rainers/visuald/build/job/2g40k1pgyxg58avv/artifacts
It isn't built with the precise GC, though, so it might eat a bit more memory if you edit large files.
August 03
On Thursday, 3 August 2017 at 16:58:33 UTC, Rainer Schuetze wrote:
>
>
> On 03.08.2017 14:00, ShadoLight wrote:
>> [...]
>
> It seems this is getting worse for dmd built executables.
>
> VirusTotal also shows the McAfee failures, and 3 other engines complain, too. If I build Visual D against the MS-Runtime instead of the DigitalMars-Runtime, no virus is detected.
>
> Unfortunately the DLL grows from 3 MB to 9 MB, which seems to uncover a bug somewheree in the tool chain. That might not be a show stopper, though, and I wanted to switch to the COFF builds eventually anyway.
>
> The autotester has also created the same version, maybe it passes McAfee as is: https://ci.appveyor.com/project/rainers/visuald/build/job/2g40k1pgyxg58avv/artifacts
> It isn't built with the precise GC, though, so it might eat a bit more memory if you edit large files.


it still does not work with my VS 2017. after install it does not show up in the menu, it does not know d. sorry for the bad news.
August 04

On 03.08.2017 19:58, jj wrote:
> On Thursday, 3 August 2017 at 16:58:33 UTC, Rainer Schuetze wrote:
>>
>>
>> On 03.08.2017 14:00, ShadoLight wrote:
>>> [...]
>>
>> It seems this is getting worse for dmd built executables.
>>
>> VirusTotal also shows the McAfee failures, and 3 other engines complain, too. If I build Visual D against the MS-Runtime instead of the DigitalMars-Runtime, no virus is detected.
>>
>> Unfortunately the DLL grows from 3 MB to 9 MB, which seems to uncover a bug somewheree in the tool chain. That might not be a show stopper, though, and I wanted to switch to the COFF builds eventually anyway.
>>
>> The autotester has also created the same version, maybe it passes McAfee as is: https://ci.appveyor.com/project/rainers/visuald/build/job/2g40k1pgyxg58avv/artifacts 
>>
>> It isn't built with the precise GC, though, so it might eat a bit more memory if you edit large files.
> 
> 
> it still does not work with my VS 2017. after install it does not show up in the menu, it does not know d. sorry for the bad news.

Sorry to hear that but I didn't really expect any magic solution just from bumping the version number.

From your last posted error message, I suspect that the 3 files written by the installer at "c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\Extensions\Rainer Schuetze\VisualD\0.45" exist? Maybe there are older files in parallel folders? If yes, try deleting these.

VS2017 transfers settings from these extension files into a "private registry" %AppData%\Local\Microsoft\VisualStudio\15.0_ade21380\privateregistry.bin, maybe you can make that file available for download somewhere so I can check whether entries in there look ok.

Are you using the english version of VS or some other language? Maybe there is something wrong in how Visual D handles this, but I have seen it working with german versions (though not with VS2017 yet).
August 06

On 03.08.2017 14:00, ShadoLight wrote:
> Hi,
> 
> For other users of McAfee AV software: Note that, during the installation of VisualD 0.45.0, the VisualD.dll is detected as GenericRXBS-NK!9A26B67896F trojan by my McAfee AV (Enterprise v8.8 in my case).
> 
> Since I have been using VisualD (and D) for practically forever I am sure this is a false-positive, and caused by McAfee's new-fangled 'generically detected malware' algorithm!
> 
> I tried using the Quarantine Manager to 'restore' VisualD.dll, but this does not work since McAfee does not 'remember' previously restored files, and quarantine it every time VS loads the DLL.
> 
> Since this is a corporate PC I cannot disable McAfee, so this even stops me from ZIPping the damn DLL (to email to McAfee for analysis).
> 
> I'll have to revert to VisualD 0.45.0-rc2 for now, but it would be useful if someone can report this according to [1).
> 
> [1]: https://kc.mcafee.com/corporate/index?page=content&id=KB85567
> 

This seems to pass most anti-virus programs on virustotal:

https://github.com/dlang/visuald/releases/tag/v0.45.1-rc1

August 07
On Sunday, 6 August 2017 at 12:03:37 UTC, Rainer Schuetze wrote:
>
>
> On 03.08.2017 14:00, ShadoLight wrote:
>> [...]
>
> This seems to pass most anti-virus programs on virustotal:
>
> https://github.com/dlang/visuald/releases/tag/v0.45.1-rc1

Thanks Rainer, very much appreciated!
August 23
On Thursday, 3 August 2017 at 12:00:39 UTC, ShadoLight wrote:
> Hi,
>
> For other users of McAfee AV software: Note that, during the installation of VisualD 0.45.0, the VisualD.dll is detected as GenericRXBS-NK!9A26B67896F trojan by my McAfee AV (Enterprise v8.8 in my case).
>
Hi
Are you sure about, that it is a only VisualD problem?
I got a similar message from McAfee using the current DMD with Dub.

Regards Ozan


August 25
On Wednesday, 23 August 2017 at 13:31:37 UTC, Ozan (O/N/S) wrote:
> On Thursday, 3 August 2017 at 12:00:39 UTC, ShadoLight wrote:
>> Hi,
>>
>> For other users of McAfee AV software: Note that, during the installation of VisualD 0.45.0, the VisualD.dll is detected as GenericRXBS-NK!9A26B67896F trojan by my McAfee AV (Enterprise v8.8 in my case).
>>
> Hi
> Are you sure about, that it is a only VisualD problem?
> I got a similar message from McAfee using the current DMD with Dub.
>
> Regards Ozan

This is a general problem and will possibly happen with all AV software. And many of them that use heuristics will flag any port-opening D program (e.g. DCD) as "Generic.XYZ".

Please remember, "Generic" means, your AV tool has no idea what it actually is, but it looks very suspicious.