Windows defender flags ninja.exe as containing a trojan

[mtreinish]

Pip installing ninja (via a setup dependency for a project relying on scikit-build to build) is failing because windows defender is blocking ninja.exe. It is flagging ninja.exe in the wheel as containing a trojan:

[jcfr]

Thanks for bringing this up 🙏

Let's try to have a look:

• This is the AppVeyor that generated and upload the build wheel. See https://ci.appveyor.com/project/scikit-build/ninja-python-distributions/builds/33328127/job/5y8uwlvy5g29tr8q
• In the case of windows, the binary is re-packaging the binary available at https://github.com/kitware/ninja/archive/v1.10.0.gfb670.kitware.jobserver-1.zip https://github.com/Kitware/ninja/releases/download/v1.10.0.gfb670.kitware.jobserver-1/ninja-1.10.0.gfb670.kitware.jobserver-1_i686-pc-windows-msvc.zip

Is defender raising an alarm after downloading https://github.com/kitware/ninja/archive/v1.10.0.gfb670.kitware.jobserver-1.zip ?

Could you also check if definer complain after downloading the binary provided by the upstream project ? See https://github.com/ninja-build/ninja/releases/download/v1.10.0/ninja-win.zip

Thanks for your help,

[mtreinish]

I download both https://github.com/kitware/ninja/archive/v1.10.0.gfb670.kitware.jobserver-1.zip and https://github.com/ninja-build/ninja/releases/download/v1.10.0/ninja-win.zip on my windows 10 vm, extracted both and also manually scanned both of the extracted zips. Nothing was flagged by windows defender. Although for https://github.com/kitware/ninja/archive/v1.10.0.gfb670.kitware.jobserver-1.zip I didn't see a binary in the extracted contents.

But, I did also download: https://github.com/Kitware/ninja/releases/download/v1.10.0.gfb670.kitware.jobserver-1/ninja-1.10.0.gfb670.kitware.jobserver-1_i686-pc-windows-msvc.zip from the release page on the Kitware/ninja repo and that was flagged. So it looks like the source of the infected binary is that

[mtreinish]

We probably should report this to the Kitware/ninja maintainers and pull the infected wheels from pypi in the meantime

[jcfr]

Nothing was flagged by windows defender. Although for https://github.com/kitware/ninja/archive/v1.10.0.gfb670.kitware.jobserver-1.zip I didn't see a binary in the extracted contents.

Good point, I referenced the wrong link. I edited my comment with the correct link that you also looked at.

Kitware/ninja maintainers and pull the infected wheels from pypi in the meantime

Good news is that I work at Kitware, I will engage with the relevant team and report back.

https://github.com/ninja-build/ninja/releases/download/v1.10.0/ninja-win.zip on my windows 10 vm, extracted both and also manually scanned both of the extracted zips. Nothing was flagged by windows defender

Thanks for checking.

[jcfr]

Waiting this is sorted out, I just deleted the windows wheel from the release.

[jcfr]

[jcfr]

Analyzing the executable with VirusTotal didn't report any problem
https://www.virustotal.com/gui/file/ff1abc0a47838ed45f0abd68c6afed2d647edf3b225959dfd5ba6725b8106719/detection

Running it through Microsoft Safety Scanner as well as ESET did not detect anything.

@mtreinish

We would recommend submitting it to Microsoft as a false positive (Requires a Microsoft account)
https://www.microsoft.com/en-us/wdsi/filesubmission

Here you can get an overview of the process
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide

[jcfr]

We also updated https://github.com/Kitware/ninja/releases/download/v1.10.0.gfb670.kitware.jobserver-1/ninja-1.10.0.gfb670.kitware.jobserver-1_i686-pc-windows-msvc.zip to include a signed executable.

I will now generate 1.10.0.post1 release.