[Windows] Default MaterialApp project built with /MT compilation flag is detected by antiviruses

[kirill-21]

Code of the app:

import 'package:flutter/material.dart';

void main() => runApp(const MyApp());

class MyApp extends StatelessWidget {
  const MyApp({Key? key}) : super(key: key);

  @override
  Widget build(BuildContext context) {
    return MaterialApp(
      title: 'Material App',
      home: Scaffold(
        appBar: AppBar(
          title: const Text('Material App Bar'),
        ),
        body: const Center(
          child: SizedBox(
            child: Text('Hello World'),
          ),
        ),
      ),
    );
  }
}

Steps to reproduce:

• Go to Windows/CMakeLists.txt and add this property to build the app with MT flag(MT flag is used not to attach additional dll files to the project)

set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")

• Build app with flutter build windows
• Upload .exe file to VirusTotal

Result with /MT flag:

Result without /MT flag:

Flutter version: 2.8.0 from the stable channel

[kirill-21]

My proposal is so that someone from Flutter team officially(from @flutter.dev/google email address) contacts these antivirus companies with request to update their scan engines for such cases when an empty app is already considered as a virus just because of inherited vc++ libraries.

Not every developer can sign his code with expensive code signing certificate to make his app more friendly for antiviruses and for ordinary user who decides whether to use your app or not there's no matter how many antiviruses scan this file as a thereat: 1, 2 or 60, it becomes not trustable in a same way.

[stuartmorgan]

@timsneath Is this something the project wants to follow up on?

My proposal is so that someone from Flutter team officially(from @flutter.dev/google email address) contacts these antivirus companies with request to update their scan engines

Can you elaborate on why? If this is reproducible with the example app then you can provide an example that the companies can compile from source, and thus validate themselves. That's a much, much stronger safety guarantee than the domain that the email is sent from, so it's not clear to me what the advantage of your proposal is over developers such as yourself simply contacting them directly to report the false positive.

[kirill-21]

If this is reproducible with the example app then you can provide an example that the companies can compile from source, and thus validate themselves. That's a much, much stronger safety guarantee than

I think is about relation of companies to your request. If they see that it's just some random guy writing them, they are not really motivated to install flutter, compile some source, test the outcomes, rewrite their analyzer engine, but when they see that request is official from the language developers, that it's not a problem of just one man, they are much more likely to conduct a more detailed analysis of the problem and cooperate in its solution. That's difficult to persuade the company to spend so much time doing such things.

For example, if this issue was created not by me but by some huge company(maybe by one from Flutter showcase) (what won't happen because they do have resources for code signing certificates and hundreds of good specialists). i guess you(as a flutter team) would be more interested in the situation's resolving, just my opinion).

I've already tried to contact some antivirus companies manually and all i achieved is removing false detections from a single file by it's md5 hash, so this is applicable only to one specific application and i have to contact them again and again after each build of the app what makes it an endless groundhog loop

[maheshmnj]

Hi @kirill-21, thanks for filing the issue. I am able to reproduce the same behavior with the MT flags enabled virustotal detects app as malicious.

Leaving this issue open for further insights from the team.

flutter doctor -v

PS C:\Users\mahesh\Downloads\hello_world\hello_world> flutter doctor -v
[√] Flutter (Channel stable, 2.8.0, on Microsoft Windows     
    [Version 10.0.19042.1348], locale en-US)
    • Flutter version 2.8.0 at C:\flutter_sdk\stable
    • Upstream repository
      https://github.com/flutter/flutter.git
    • Framework revision cf44000065 (5 days ago), 2021-12-08 
      14:06:50 -0800
    • Engine revision 40a99c5951
    • Dart version 2.15.0

[√] Android toolchain - develop for Android devices (Android
    SDK version 31.0.0)
    • Android SDK at
      C:\Users\mahesh\AppData\Local\Android\sdk
    • Platform android-31, build-tools 31.0.0
    • Java binary at: C:\Program Files\Android\Android      
      Studio\jre\bin\java
    • Java version OpenJDK Runtime Environment (build       
      11.0.10+0-b96-7249189)
    • All Android licenses accepted.

[√] Chrome - develop for the web
      Files\Google\Chrome\Application\chrome.exe

[√] Visual Studio - develop for Windows (Visual Studio
    Community 2019 16.11.4)
    • Visual Studio at C:\Program Files (x86)\Microsoft
      Visual Studio\2019\Community
    • Visual Studio Community 2019 version 16.11.31727.386
    • Windows 10 SDK version 10.0.19041.0
PS C:\Users\mahesh\Downloads\hello_world\hello_world> flutter doctor -v
[√] Flutter (Channel stable, 2.8.0, on Microsoft Windows [Version 10.0.19042.1348], locale en-US)
    • Flutter version 2.8.0 at C:\flutter_sdk\stable
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision cf44000065 (5 days ago), 2021-12-08 14:06:50 -0800
    • Engine revision 40a99c5951
    • Dart version 2.15.0

[√] Android toolchain - develop for Android devices (Android SDK version 31.0.0)
    • Android SDK at C:\Users\mahesh\AppData\Local\Android\sdk
    • Platform android-31, build-tools 31.0.0
    • Java binary at: C:\Program Files\Android\Android Studio\jre\bin\java      
    • Java version OpenJDK Runtime Environment (build 11.0.10+0-b96-7249189)    
    • All Android licenses accepted.

[√] Chrome - develop for the web
    • Chrome at C:\Program Files\Google\Chrome\Application\chrome.exe

[√] Visual Studio - develop for Windows (Visual Studio Community 2019 16.11.4)      
    • Visual Studio at C:\Program Files (x86)\Microsoft Visual Studio\2019\Community
    • Visual Studio Community 2019 version 16.11.31727.386
    • Windows 10 SDK version 10.0.19041.0

[√] Android Studio (version 2020.3)
    • Android Studio at C:\Program Files\Android\Android Studio
    • Flutter plugin can be installed from:
       https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
       https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 11.0.10+0-b96-7249189)        

[√] VS Code (version 1.61.2)
    • VS Code at C:\Users\mahesh\AppData\Local\Programs\Microsoft VS Code
    • Flutter extension version 3.29.0

[√] Connected device (3 available)
    • Windows (desktop) • windows • windows-x64    • Microsoft Windows [Version 10.0.19042.1348]
    • Chrome (web)      • chrome  • web-javascript • Google Chrome 96.0.4664.93
    • Edge (web)        • edge    • web-javascript • Microsoft Edge 95.0.1020.44

• No issues found!

[√] Flutter (Channel master, 2.6.0-12.0.pre.885, on Microsoft Windows [Version 10.0.19042.1348], locale en-US)
    • Flutter version 2.6.0-12.0.pre.885 at C:\flutter_sdk\master
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision 16ec56ee0f (12 days ago), 2021-12-02 02:49:05 -0500
    • Engine revision 888f4c0fc6
    • Dart version 2.16.0 (build 2.16.0-56.0.dev)
    • DevTools version 2.8.0

[√] Android toolchain - develop for Android devices (Android SDK version 31.0.0)
    • Android SDK at C:\Users\mahesh\AppData\Local\Android\sdk
    • Platform android-31, build-tools 31.0.0
    • Java binary at: C:\Program Files\Android\Android Studio\jre\bin\java
    • Java version OpenJDK Runtime Environment (build 11.0.10+0-b96-7249189)
    • All Android licenses accepted.

[√] Chrome - develop for the web
    • Chrome at C:\Program Files\Google\Chrome\Application\chrome.exe

[√] Visual Studio - develop for Windows (Visual Studio Community 2019 16.11.4)
    • Visual Studio at C:\Program Files (x86)\Microsoft Visual Studio\2019\Community
    • Visual Studio Community 2019 version 16.11.31727.386
    • Windows 10 SDK version 10.0.19041.0

[√] Android Studio (version 2020.3)
    • Android Studio at C:\Program Files\Android\Android Studio
    • Flutter plugin can be installed from:
       https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
       https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 11.0.10+0-b96-7249189)

[√] VS Code (version 1.61.2)
    • VS Code at C:\Users\mahesh\AppData\Local\Programs\Microsoft VS Code
    • Flutter extension version 3.29.0

[√] Connected device (3 available)
    • Windows (desktop) • windows • windows-x64    • Microsoft Windows [Version 10.0.19042.1348]
    • Chrome (web)      • chrome  • web-javascript • Google Chrome 96.0.4664.93
    • Edge (web)        • edge    • web-javascript • Microsoft Edge 95.0.1020.44

• No issues found!

[timsneath]

I've filed a report with both companies that are reporting false positives. I can't guarantee any response, obviously -- I fear you're giving us more credit in terms of our leverage with these niche companies than we deserve! But hopefully it will have some impact...

[kirill-21]

Hi there, the situation on Flutter 3.0 has became extremely awful. This is not normal, detection from 12 antiviruses for clear default MateApp application that looks like this:

Please, do something, this is bad user experience, ordinary people do not trust my app because of this

[kirill-21]

@timsneath it seams that your report to Ikarus antivirus team has helped previous time, can do you the same for antiviruses above?

[stuartmorgan]

Please, do something

The people who can do something are the authors of the antivirus software. We don't control their heuristics, or have the ability to require them to change them.

[kirill-21]

Please, do something

The people who can do something are the authors of the antivirus software. We don't control their heuristics, or have the ability to require them to change them.

But what should a developer do? There is no way to fix it manually and people who might download our apps won't do it just because of this problem. I've tried to write antivirus teams but they remove detection only for single executable and whenever you make a tiny change you have to contact them again and again

[stuartmorgan]

But what should a developer do? There is no way to fix it manually

Based on your initial report, you could avoid this from your side simply by using Microsoft's recommended approach of shipping the necessary redistributables with your applicaiton, instead of linking the runtime into your application (and each of your plugins, if any).

[kirill-21]

But what should a developer do? There is no way to fix it manually

Based on your initial report, you could avoid this from your side simply by using Microsoft's recommended approach of shipping the necessary redistributables with your applicaiton, instead of linking the runtime into your application (and each of your plugins, if any).

But even without /MT mode apps built with Flutter 3.0 are detected by antivirus(list of antiviruses becomes smaller but it's still a problem).

Of course you still can ship the app via Microsoft Store but that is the lose of Win7+Win8 users

[flutter-triage-bot]

The triaged-desktop label is irrelevant if there is no team-desktop label or fyi-desktop label.