Virus report in the latest Windows release #945

Closed
RReverser opened this issue Mar 25, 2023 · 9 comments

Comments

@RReverser

RReverser commented Mar 25, 2023

Trying to download the latest cargo-binstall from GitHub (https://github.com/cargo-bins/cargo-binstall/releases/download/v0.22.0/cargo-binstall-x86_64-pc-windows-msvc.full.zip) triggers the antivirus on Windows:

[screenshot of the antivirus alert, not reproduced here]

This might be a false positive, but it's worth looking into in case the build pipeline got compromised. Defender tends to be pretty good in the last decade or so, and this is literally the first time I've got a report from it for a downloaded app in many years, so I don't want to dismiss it prematurely.

@RReverser (Author)

One VirusTotal vendor seems to agree (although just one): https://www.virustotal.com/gui/url/4696a209aa804307c7db63664e29cfe374a70c35724577de565d47564175e6c8?nocache=1

@NobodyXu (Member)

Thanks, I will look into it but I didn't notice anything wrong in our CI, so I am suspicious of the report.

Also, can you try downloading https://github.com/cargo-bins/cargo-binstall/releases/download/v0.22.0/cargo-binstall-aarch64-pc-windows-msvc.zip, the non-full version which doesn't contain the debug symbols, and see if it still triggers the anti-virus?

@RReverser (Author)

Yeah, I tried that immediately after, and that one triggered as well. I didn't have the same issue with previous versions and could build from source (cargo install cargo-binstall) locally without problems as well.

@NobodyXu (Member)

> Yeah, I tried that immediately after, and that one triggered as well. I didn't have the same issue with previous versions and could build from source (cargo install cargo-binstall) locally without problems as well.

That's strange.

Can you unzip the archive and see which file triggers the virus checker?

@NobodyXu (Member)

I had a look at the output of cargo tree of crates/bin and I didn't see anything suspicious.

@passcod (Member)

passcod commented Mar 26, 2023

Seems a fairly common false positive for various Rust projects, see e.g. tauri-apps/tauri#2486.

@RReverser (Author)

RReverser commented Mar 26, 2023

> Can you unzip the archive and see which file triggers the virus checker?

Tried today; looks like 3 VirusTotal vendors think that cargo-binstall.exe has a Trojan, the other files are fine: https://www.virustotal.com/gui/file/541b1bb9a1303d120e713804017b2a627c591d80849d7153b07290169ac3c87d

Although now I tried on cargo-binstall.exe from regular non-full zip and that one shows as clean (even though the uncompressed zip is still flagged): https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

@NobodyXu (Member)

> Although now I tried on cargo-binstall.exe from regular non-full zip and that one shows as clean (even though the uncompressed zip is still flagged): https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

That really sounds like a false positive.

The cargo-binstall.exe in the full and non-full zip is identical since they are from the same build.
The full zip just contains more stuff: debug symbols, README.md, detect-wasi.exe.

I don't think detect-wasi.exe contains any malware; it contains a minimal WASI executable that can be run to test whether the environment supports running WASI directly (through something like binfmt_misc).

The debug symbols and README.md just can't be malware.

@RReverser (Author)

Looks like 0.23 doesn't have this problem, so closing.
