April 20, 2018 [Issue 18786] AV program detects malware in windows download of DMD

https://issues.dlang.org/show_bug.cgi?id=18786

greenify <greeenify@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |greeenify@gmail.com

--- Comment #1 from greenify <greeenify@gmail.com> ---

This is a false positive. Please notify your Antivirus vendor and report their false detection there. Thanks!

BTW dmd-2.063 is more than four years old. Are you sure you need such an old release?

May 24, 2018 [Issue 18786] AV program detects malware in windows download of DMD

https://issues.dlang.org/show_bug.cgi?id=18786

David M <vintagedave@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |vintagedave@gmail.com

--- Comment #2 from David M <vintagedave@gmail.com> ---

dmd-2.080.0.exe, downloaded yesterday, gives 12 reports on VirusTotal including McAfee, TrendMicro, and Microsoft. This is 12/64 scanners, i.e. 18%. A false positive sounds less likely.

https://www.virustotal.com/#/file/007560cc35e78ba74d6fa9732e27032a1fd2f2d6cbadffd1c39ffff68d5dd100/detection

Windows Defender on Win10 identifies it as a trojan and will not run, too.

May 24, 2018 [Issue 18786] AV program detects malware in windows download of DMD

https://issues.dlang.org/show_bug.cgi?id=18786

--- Comment #3 from greenify <greeenify@gmail.com> ---

It's a false positive. You can check the signature of the binary. Please report it to your Antivirus vendors. They traditionally have troubles with the DigitalMars runtime.

May 24, 2018 [Issue 18786] AV program detects malware in windows download of DMD

https://issues.dlang.org/show_bug.cgi?id=18786

--- Comment #4 from David M <vintagedave@gmail.com> ---

What information does checking the signature give? It shows it's signed, not that it's virus-free. A signature shows that a binary comes from a certain source, not that it carries no payloads.

> Please report it to your Antivirus vendors.

VirusTotal.com tests using 60-70 vendors, of which 18% (let's round to one fifth of all AVs) have trouble with this binary. I do not believe responsibility for reporting a false positive, at such a scale, lies with someone with no knowledge of your runtime, your build machines, your internal pre-signature AV checks, your runtime or the areas of your runtime that cause AVs to flag the binary.

May 25, 2018 [Issue 18786] AV program detects malware in windows download of DMD

https://issues.dlang.org/show_bug.cgi?id=18786

--- Comment #5 from greenify <greeenify@gmail.com> ---

> I do not believe responsibility for reporting a false positive

Well, you are the one using the snake oil software (and possibly even paying for it). Don't forget that D is an open source project and driven by volunteers. Most D developers use Linux, so they never run into these problems with Windows.

The only thing I can guarantee you is that it's a false positive because these reports have been semi-regularly coming in from time to time over the recent years. As mentioned for the AV vendors the D runtime looks still unfamiliar and thus they often wrongly determine it to be a virus.

So tl;dr: if you don't report it to the AV vendor you use, who else is going to? And also AV vendors often take reports from their users much more seriously than from open source projects (I tried to get in touch with one of them a few years ago which horribly failed).

May 25, 2018 [Issue 18786] AV program detects malware in windows download of DMD

https://issues.dlang.org/show_bug.cgi?id=18786

--- Comment #6 from greenify <greeenify@gmail.com> ---

> What information does checking the signature give? It shows it's signed, not that it's virus-free. A signature shows that a binary comes from a certain source, not that it carries no payloads.

Yes, but then again how do you know that anything does or doesn't contain a virus? FWIW you can build the compiler from the sources yourself quite quickly and typically that is even more likely to be determined as a virus - even though in this case you could have checked the entire code.

The signature at least ensures that you got the binary built from the source code you can see on GitHub (depending on whether or not you trust our release master).

May 25, 2018 [Issue 18786] AV program detects malware in windows download of DMD

https://issues.dlang.org/show_bug.cgi?id=18786

Mike Franklin <slavo5150@yahoo.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |slavo5150@yahoo.com

--- Comment #7 from Mike Franklin <slavo5150@yahoo.com> ---

There is something screwy about it. It's not the compiler that is reporting the virus, it's the installer. What utility are we using to generate the installer executable?

May 25, 2018 [Issue 18786] AV program detects malware in windows download of DMD

https://issues.dlang.org/show_bug.cgi?id=18786

--- Comment #8 from David M <vintagedave@gmail.com> ---

Greenify, I hear you in that I know D is open source software run by volunteers, and that means no-one needs to look after reports like this if they don't want to.

If it was one AV vendor, I'd happily report it. It's up to 21% of vendors on VirusTotal now, though, and that means a couple of things:

* I, as a new D user, do not have the knowledge and background to state to a vendor that it is truly virus free. If the runtime causes problems, I can't explain what and why. You can't ask I report it, because you're asking me to make statements to the vendor that I don't have the knowledge to back up. ("Can you take this package on board the airplane for me? No bombs, promise." Later, at security, "No, no bombs. Oh, no, it's not my package. No, I don't know what's in it. It's locked, I don't have the key. But no bombs. I'm sure.") The only people who can speak to an AV with authority and assist them in finding why it is a false positive are those with a good understanding of the RTL and the patterns in it that are causing the AV to be concerned.

* A large number of AVs is a danger sign, and if this was my own software I'd be investigating, even if I believed there was no cause for concern. I have done that in the past for even a single AV report.

* This impacts your users. Currently, no-one on Windows 10 can install D because the installer is captured by Windows Defender. The importance of that depends on the value you put on allowing Windows users to use D.

I'll be frank: I'm new to D, and I downloaded to try it out and learn it. It's not reasonable to expect any new user to ignore thirteen different antivirus vendors screaming "don't run it!" and to bypass security on their local system to install.

May 29, 2018 [Issue 18786] AV program detects malware in windows download of DMD

https://issues.dlang.org/show_bug.cgi?id=18786

--- Comment #9 from anonymous4 <dfj1esp02@sneakemail.com> ---

(In reply to David M from comment #8)

> * I, as a new D user, do not have the knowledge and background to state to a vendor that it is truly virus free. If the runtime causes problems, I can't explain what and why. You can't ask I report it, because you're asking me to make statements to the vendor that I don't have the knowledge to back up. ("Can you take this package on board the airplane for me? No bombs, promise." Later, at security, "No, no bombs. Oh, no, it's not my package. No, I don't know what's in it. It's locked, I don't have the key. But no bombs. I'm sure.")

Don't worry, they won't believe you blindly :) virus analysts will check if it's truly clean. You only need to report, the rest will be done for you, no expertise is required from you at all.

> * This impacts your users. Currently, no-one on Windows 10 can install D because the installer is captured by Windows Defender.

I just downloaded dmd-2.080.0.exe and Windows Defender doesn't detect it as a virus.

July 26, 2018 [Issue 18786] AV program detects malware in windows download of DMD

https://issues.dlang.org/show_bug.cgi?id=18786

Mike Franklin <slavo5150@yahoo.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
See Also | |https://issues.dlang.org/show_bug.cgi?id=19033