2.095 and antivirus
January 10, 2021
Hi,

The site virustotal.com doesn't like the new 2.095.0 release for Windows: three engines find a threat in "rdmd.exe" file in the 7z archive.  One engine finds BScope.TrojanRansom.Encoder in it, and two others find Hacktool.Win32.Krasnoglaz.Gena.  The latter is new: detected in 2.095.0-rc1 version, but not in 2.094.2 release.  One engine detects a threat in some other executables from the archive as well.

Note: when given the whole 7-zip archive, some of the engines time out, so it's best to upload and check the ".exe" files separately.

What's the next thing to do here?  Obviously, I'd like the release to not contain threats (or false alarms), so that we can feel safe about installing dmd on servers and such.

Ivan Kazmenko.

January 10, 2021
On Sun, Jan 10, 2021 at 10:59:57AM +0000, Ivan Kazmenko via Digitalmars-d wrote:
> Hi,
> 
> The site virustotal.com doesn't like the new 2.095.0 release for Windows: three engines find a threat in "rdmd.exe" file in the 7z archive.  One engine finds BScope.TrojanRansom.Encoder in it, and two others find Hacktool.Win32.Krasnoglaz.Gena.  The latter is new: detected in 2.095.0-rc1 version, but not in 2.094.2 release.  One engine detects a threat in some other executables from the archive as well.
> 
> Note: when given the whole 7-zip archive, some of the engines time out, so it's best to upload and check the ".exe" files separately.
> 
> What's the next thing to do here?  Obviously, I'd like the release to not contain threats (or false alarms), so that we can feel safe about installing dmd on servers and such.
[...]

I'm 99.9% sure that these are false positives. We've had this problem in the past. It would be nice if someone filed false-positive reports for these cases to virustotal.com so that this problem can be corrected.


T

-- 
I am not young enough to know everything. -- Oscar Wilde
January 10, 2021
On Sunday, 10 January 2021 at 10:59:57 UTC, Ivan Kazmenko wrote:
> Hi,
>
> The site virustotal.com doesn't like the new 2.095.0 release for Windows: three engines find a threat in "rdmd.exe" file in the 7z archive.  One engine finds BScope.TrojanRansom.Encoder in it, and two others find Hacktool.Win32.Krasnoglaz.Gena.  The latter is new: detected in 2.095.0-rc1 version, but not in 2.094.2 release.
>  One engine detects a threat in some other executables from the archive as well.
>
> Note: when given the whole 7-zip archive, some of the engines time out, so it's best to upload and check the ".exe" files separately.
>
> What's the next thing to do here?  Obviously, I'd like the release to not contain threats (or false alarms), so that we can feel safe about installing dmd on servers and such.
>
> Ivan Kazmenko.

MS Defender on my company Win10 laptop blocks 2.095 also :(((
No update / installation possible.
And no, I cannot add exclusions in Defender as it's company managed...
January 10, 2021
On Sunday, 10 January 2021 at 10:59:57 UTC, Ivan Kazmenko wrote:
> Hi,
>
> The site virustotal.com doesn't like the new 2.095.0 release for Windows: three engines find a threat in "rdmd.exe" file in the 7z archive.  One engine finds BScope.TrojanRansom.Encoder in it, and two others find Hacktool.Win32.Krasnoglaz.Gena.  The latter is new: detected in 2.095.0-rc1 version, but not in 2.094.2 release.
>  One engine detects a threat in some other executables from the archive as well.

I couldn't even download the installer .exe on my Windows machine without manually copying the link and pasting it into the address bar. Pressing the download link did nothing. This was with Chrome and its own malware protection.
January 10, 2021
On Sunday, 10 January 2021 at 18:11:24 UTC, Anonymouse wrote:
>
> I couldn't even download the installer .exe on my Windows machine without manually copying the link and pasting it into the address bar. Pressing the download link did nothing. This was with Chrome and its own malware protection.

Same, you have to get the file back from Windows Defender.
January 10, 2021
On Sunday, 10 January 2021 at 18:11:24 UTC, Anonymouse wrote:
> On Sunday, 10 January 2021 at 10:59:57 UTC, Ivan Kazmenko wrote:
>> Hi,
>>
>> The site virustotal.com doesn't like the new 2.095.0 release for Windows: three engines find a threat in "rdmd.exe" file in the 7z archive.  One engine finds BScope.TrojanRansom.Encoder in it, and two others find Hacktool.Win32.Krasnoglaz.Gena.  The latter is new: detected in 2.095.0-rc1 version, but not in 2.094.2 release.
>>  One engine detects a threat in some other executables from the archive as well.
>
> I couldn't even download the installer .exe on my Windows machine without manually copying the link and pasting it into the address bar. Pressing the download link did nothing. This was with Chrome and its own malware protection.

That's a different issue: https://issues.dlang.org/show_bug.cgi?id=21292
January 10, 2021
On Sunday, 10 January 2021 at 15:25:33 UTC, H. S. Teoh wrote:
> On Sun, Jan 10, 2021 at 10:59:57AM +0000, Ivan Kazmenko via Digitalmars-d wrote:
>>
>> What's the next thing to do here?  Obviously, I'd like the release to not contain threats (or false alarms), so that we can feel safe about installing dmd on servers and such.
>
> I'm 99.9% sure that these are false positives. We've had this problem in the past. It would be nice if someone filed false-positive reports for these cases to virustotal.com so that this problem can be corrected.

OK, but what is the exact process?  What I found was a paid / trial version of VirusTotal services.

-----

More details on "rdmd.exe" from the 7-zip archive
(http://downloads.dlang.org/releases/2.x/2.095.0/dmd.2.095.0.windows.7z):

https://www.virustotal.com/gui/file/0943e40d04aa6f6e9a59dac8a0ec49d49542fe40af70c07a30f1389a42e40323/detection

1. Kaspersky reports "HackTool.Win32.Krasnoglaz.gena".  However, the Kaspersky site itself marks the file as clean:
https://opentip.kaspersky.com/0943E40D04AA6F6E9A59DAC8A0EC49D49542FE40AF70C07A30F1389A42E40323/
My understanding is that VirusTotal's version of Kaspersky is a conservative one, and the Kaspersky site provides a more current version.

2. ZoneAlarm by Check Point reports "HackTool.Win32.Krasnoglaz.gena".  Turns out this engine uses Kaspersky for virus detection.

3. VBA32 reports "BScope.TrojanRansom.Encoder".  Can't find an online version of this antivirus.

There is also the case of Windows Defender reported here and by a fellow user also, which I myself didn't experience.

Ivan Kazmenko.
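
A small triage helper for the kind of per-engine breakdown in the post above. This is an added example written for this thread, not tooling from dlang or VirusTotal. It does two things a practitioner wants before deciding anything: confirm that the file on disk is byte-identical to the artifact the report describes (the SHA-256 in the quoted VirusTotal URL), and collapse engines that share a signature backend into one vote, since the post notes that ZoneAlarm relies on Kaspersky. The verdict table is constructed from the three detections named in the post plus placeholder clean engines; the single shared-backend pair is the one the thread states.

```python
"""Triage a VirusTotal-style detection table and verify the scanned artifact."""
import hashlib
from typing import Dict, Optional

# SHA-256 from the VirusTotal report URL quoted in the thread (rdmd.exe, 2.095.0 Windows archive).
REPORTED_SHA256 = "0943e40d04aa6f6e9a59dac8a0ec49d49542fe40af70c07a30f1389a42e40323"

# Engines that reuse another vendor's signature backend. ZoneAlarm -> Kaspersky is
# stated in the thread; add further pairs only from documented vendor relationships.
SHARED_BACKEND = {"ZoneAlarm": "Kaspersky"}

# Constructed verdict table modelled on the post: None means "clean".
# EngineA/B/C are placeholders standing in for the engines that reported nothing.
SAMPLE_VERDICTS: Dict[str, Optional[str]] = {
    "Kaspersky": "HackTool.Win32.Krasnoglaz.gena",
    "ZoneAlarm": "HackTool.Win32.Krasnoglaz.gena",
    "VBA32": "BScope.TrojanRansom.Encoder",
    "EngineA": None,
    "EngineB": None,
    "EngineC": None,
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob, lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def same_artifact(local_hex: str, reported_hex: str) -> bool:
    """True only if the local file is byte-identical to the one the scanner report describes.

    A verdict on a different hash says nothing about the file you actually downloaded.
    """
    return local_hex.lower() == reported_hex.lower()


def independent_detections(verdicts: Dict[str, Optional[str]],
                           shared_backend: Dict[str, str]) -> Dict[str, str]:
    """Collapse engines sharing a backend into one vote; returns {backend: signature}."""
    by_backend: Dict[str, str] = {}
    for engine, sig in verdicts.items():
        if sig is None:
            continue
        backend = shared_backend.get(engine, engine)
        by_backend.setdefault(backend, sig)
    return by_backend


def triage(verdicts: Dict[str, Optional[str]],
           shared_backend: Dict[str, str] = SHARED_BACKEND) -> dict:
    """Summarise how many independent backends flag the file and whether they agree."""
    flagged = {e: s for e, s in verdicts.items() if s}
    independent = independent_detections(verdicts, shared_backend)
    # First dotted component of the signature name, e.g. "HackTool" or "BScope".
    families = {s.split(".")[0].lower() for s in independent.values()}
    return {
        "engines_total": len(verdicts),
        "engines_flagging": len(flagged),
        "independent_backends": sorted(independent),
        "signature_families": sorted(families),
        # True only when more than one independent backend names the same family.
        "agreement": len(independent) > 1 and len(families) == 1,
    }


if __name__ == "__main__":
    # Constructed stand-in for a downloaded file; the real rdmd.exe is not embedded here.
    local = sha256_hex(b"not the real rdmd.exe")
    print("same artifact as report:", same_artifact(local, REPORTED_SHA256))
    print(triage(SAMPLE_VERDICTS))
```

On the constructed table the summary reports three flagging engines but only two independent backends (Kaspersky and VBA32) that do not agree on a signature family, which is the shape of result the thread is discussing; the script deliberately stops at the summary and leaves the call to the person doing the triage. For a real download, replace the stand-in bytes with `sha256_file("path/to/rdmd.exe")` and check that it matches the hash in the report before comparing verdicts at all.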

January 12, 2021
On Sunday, 10 January 2021 at 16:10:55 UTC, notna wrote:
>
> MS Defender on my company Win10 laptop blocks 2.095 also :(((
> No update / installation possible.
> And no, I cannot add exclusions in Defender as it's company managed...

to be more precise...
* I want to "install" the "downloads.dlang.org/releases/2.x/2.095.0/dmd.2.095.0.windows.7z"
* As soon as I open it, it triggers MS Defender with a "Trojan:Win32/Zpevdo.B" hit and the 7z file is removed

Even after running the commands mentioned in https://github.com/electrumsv/electrumsv/issues/510#issuecomment-690651691 I still cannot "open" the 7z file :(

January 12, 2021
On Sunday, 10 January 2021 at 20:15:50 UTC, Ivan Kazmenko wrote:
> https://www.virustotal.com/gui/file/0943e40d04aa6f6e9a59dac8a0ec49d49542fe40af70c07a30f1389a42e40323/detection

I've retriggered the analysis; Kaspersky and ZoneAlarm are now good there as well, only VBA32 and newly Qihoo-360 still detect something.

> There is also the case of Windows Defender reported here and by a fellow user also, which I myself didn't experience.

I've just downloaded, extracted and manually scanned the .7z successfully on an up-to-date Win10 machine with enabled Windows Defender.

I am hitting an 'Operation did not complete successfully because the file contains a virus or potentially unwanted software' error with PowerShell's Net.WebClient.DownloadFile() on a CI box though; not sure if that comes from Windows Defender.
January 12, 2021
On Sunday, 10 January 2021 at 10:59:57 UTC, Ivan Kazmenko wrote:

> What's the next thing to do here?  Obviously, I'd like the release to not contain threats (or false alarms), so that we can feel safe about installing dmd on servers and such.

Perhaps you can check if rdmd is compiled with -m32mscoff or -m32. If it's compiled with -m32 it will produce OMF object files and link with the DMC runtime. Perhaps compiling for COFF and linking with the MS runtime makes a difference?

--
/Jacob Carlborg