
Windows Defender detects malware in DMD - vintagedave
https://issues.dlang.org/show_bug.cgi?id=18786
======
binarycrusader
There's a process to report false positives and other problems:

[https://www.microsoft.com/en-us/wdsi/filesubmission](https://www.microsoft.com/en-us/wdsi/filesubmission)

...to ensure things like this get investigated.

For what it's worth, I just downloaded the latest D compiler distribution for
Windows and scanned it with Windows Defender -- it didn't report any problems.

~~~
ShorsHammer
Brave browser has been flagged by Windows Defender for over a year, instead of
blocking it Antimalware Service Executable goes into overdrive and chews up
all cpu usage.

Many have reported the false positive, the browser is open source. Nothing has
changed. So good luck with that.

~~~
binarycrusader
I just downloaded the latest Brave browser and scanned it with Windows
Defender -- no issues reported. Perhaps there have been issues in the past,
but there don't appear to be any known ones at the moment.

Now, the separate tor browser component that's included, that's a different
story. But the Brave browser itself is just fine.

------
userbinator
I've seen plenty of stories of "Hello World!" programs being detected, and on
the other hand it's also pretty easy to modify malware so that it stops being
detected. IMHO the fundamental aspect of how AVs work is broken because
they're not behavioural but basically pattern-matching on binaries, and poorly
matching at that. Combine that with their propensity to be used as censorware
(detecting keygens, patchers, and other cracks which are otherwise non-malicious
and functioning as intended), and you can understand why I don't
trust nor use AV. Too bad Windows Defender is installed by default and a real
pain to remove.

------
weinzierl
I ran into similar problems with Rust executables like ripgrep and xsv. I
don't know if it is Windows Defender or some other _"endpoint security"_
solution, but I have seen both of them blocked in a corporate environment.

~~~
valarauca1
Large corporations often block users from setting executable permissions on
files they created as a way of curbing malware.

Or at least I've encountered this in my career.

------
nonfamous
According to the linked issue, it's not just Windows Defender; 21% of scanners
reported by VirusTotal also flag D. What could cause so many independent virus
checkers to throw a false positive like this?

~~~
drdrey
They may not be as independent as you would think. For instance, there could
be straight-up signature sharing or outsourcing between vendors, and there is
definitely an incentive to flag something if your competitors also flag it.

~~~
vatueil
IIRC Microsoft does share malware detection information with other antivirus
providers, so that sounds plausible.

(I think that's also part of the reason why Windows Defender appears less
competitive in antivirus comparisons, since you'd have to be doing something
wrong to perform worse than the baseline Microsoft gives you.)

------
abductee_hg
All antivirus software is blocking all the demoscene releases (size coding 4k, 64k,
etc.) and constantly deleting my own releases after Windows Update turns
Defender on again...

~~~
wolfgke
Exactly my experience. I downloaded a large archive of demoscene releases. It led to
a lot of "fun" with Windows Defender.

Just my imagination: if a malicious attacker wanted to "convince" a victim
to turn off the antivirus software, I can imagine this might be a good
starting point for how to annoy the user sufficiently.

------
sriku
Not the same topic, but we recently faced malware that got distributed via
Hadoop YARN, where what looked like crypto mining code would kick in and hog
CPU once the scale of Spark compute hit some point. It would kick in randomly
and it installed itself as a cron job. It was crazy figuring out this was
happening, as it wasn't something we expected with Java code and from such a
distribution. We got rid of YARN to eliminate it at that point.

------
tjoff
The response on that issue was a bit depressing. Since no one seems to care, I'm
not surprised that it isn't fixed.

But it is surprising to me that this isn't a top priority.

~~~
joshstrange
I get where they are coming from. Windows is far from the top OS used by D
programmers, it only affects people who use anti-virus, and I'm betting you can
whitelist it or otherwise bypass it. All of those things may seem like sizable
hurdles, but we are talking about programmers here; I think they can handle it.
I know back when I used Windows I would get false positives for all kinds of
things because I was on the bleeding edge or always trying new stuff that they
hadn't seen or that looked malicious (but wasn't). If you are going to run
"anti-virus" as a developer you need to know what side-effects you might run into
(the same way I know that PrivacyBadger and uMatrix in Chrome can cause
issues, I don't go running to the website that is broken just because my
extension broke it).

~~~
larkeith
> I'm betting you can whitelist it or otherwise bypass it

That you can easily bypass it is irrelevant. It's a bad sign to me, as a
potential user, when the installer is flagged as a virus, and a far worse one
when the D team seems utterly apathetic about fixing it. I see no evidence in
the thread whether it's a false positive or not (though plenty of unbacked
claims and some ad hominem: "you are the one using the snake oil software"),
only developers asking the users to blindly report it to their AV vendor.

I also did not see any response to Mike Franklin's comment: "It's not the
compiler that is reporting the virus, it's the installer. What utility are we
using to generate the installer executable?"

This throws up an entire forest of red flags to me as a developer. I'll stick
to languages where the contributors care enough about the language to report a
false positive themselves.

~~~
platinumrad
Why is it on D's developers to fix a false positive in someone else's
software? They redirected the reporter to the proper venue. I don't see what
else they should be doing.

~~~
criley2
That's like asking why you should correct false data on your personal credit
report. It's someone else's computer database, not yours! (Or maybe a better
analogy would be "Why should I ask Google to stop marking my legit domain as
spam and hiding emails to my users? It's their system!")

Software developers have to lobby on their own behalf so their software fits
into larger ecosystems seamlessly. Or deal with angry users.

~~~
windwake12
Angry users are not something you can opt out of. Malware reports are just
another fact of life for many open source projects. I think the PuTTY link
(posted elsewhere) is an awesome summary of the impossible fight you're
asking developers to take on.

Also, that's an insane comparison between AV reports and personal credit
reports.

------
gus_massa
Something similar happened to Racket a few years ago with AVG. IIRC I just
sent an email to one or two of the antivirus companies and they fixed the
problem in a few days.

Anyone can send the report of the false positive to the AV companies. I don't
understand why nobody took a few minutes to solve this.

~~~
smt88
Does it just mean very few D devs use Windows?

~~~
WalterBright
Devs learn pretty quickly to turn off AV. It's nigh impossible to run a test
suite with AV on, for example, because it tries to scan/flag every executable
built during the tests.

After hearing "Wolf! Wolf!" a few thousand times, one is done with AV.
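
One way to keep AV running during builds instead of turning it off, as an added example that is not code from anyone in this thread: list what Defender has recently flagged under the build output directory, look up the detection names (the vendor submission form linked at the top of the thread wants the exact name), and then exclude only that directory from real-time scanning. It assumes an elevated PowerShell session on Windows with the built-in Defender module; the build path is a constructed placeholder.

```powershell
# Added example, not from the thread. Scope Defender to one build directory
# rather than disabling it machine-wide. Run elevated on Windows.
$BuildDir = 'C:\src\myproject\build'   # assumption: your test/build output directory

# 1. What has Defender actually flagged under the build directory lately?
#    Resources entries look like "file:_C:\path\to\file.exe".
$recent = Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($BuildDir) } |
    Select-Object InitialDetectionTime, ThreatID, Resources
$recent | Format-Table -AutoSize

# 2. Resolve each ThreatID to its detection name and severity, so a
#    false-positive report quotes the precise name rather than "Trojan".
foreach ($d in $recent) {
    Get-MpThreat -ThreatID $d.ThreatID | Select-Object ThreatName, SeverityID
}

# 3. Exclude only the build output directory from real-time scanning.
#    Everything outside it stays covered, which turning AV off does not give you.
if (-not ((Get-MpPreference).ExclusionPath -contains $BuildDir)) {
    Add-MpPreference -ExclusionPath $BuildDir
}

# 4. Review the full exclusion list: each entry is a blind spot, so keep it short.
(Get-MpPreference).ExclusionPath

# Once the vendor has corrected the signature, remove the exclusion again:
# Remove-MpPreference -ExclusionPath $BuildDir
```

The point of step 3 over "turn off AV" is that the exclusion is narrow and reversible; step 4 is there because exclusion lists tend to grow silently and are worth auditing alongside the rest of the endpoint configuration.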

~~~
smt88
Is there a reason this happens with D, but not with Rust, C++, or C#?

I think if I had to turn Windows Defender off, it'd be better to just switch
to *nix (which I assume doesn't have similar false positive problems for
whatever reason).

------
9214
Some AV vendors (notably Avast, AVG, Avira, McAfee, Norton and Windows
Defender) use extremely poor heuristics and never actually tweak them, instead
just whitelisting a given file. You think that if a false positive in a compiler
or runtime is reported they'll at least get serious about it? Nope.

Consider Red, which gets hit by the AV truck almost on a monthly basis [1]. Not
only does the toolchain itself get recognized as "generic malware" †, but almost all
compiled user applications get flagged too. Such false positives are always
duly reported, the issue seems to be gone... and then the cycle repeats, even though
no changes in compiler output or runtime with REPL were made ‡. Just like
that, sporadically. Some of them go nuts even over a simple "hello world".

Last year, as a last resort, developers directly tweeted at one of the
nastiest vendors (Avira) about this issue [2]. Nothing changed. They haven't
cared at all since 2012, when the Red project started.

I know NirSoft [3] products suffer from that plague; network utilities
(Wireshark, nmap) get hit, as do various packers (WinRAR, also see [4]); re-reading
the thread after the original post, I'm not even surprised that
the demoscene experiences problems with anti-virus software; but seeing this issue
pertaining to a mainstream language such as D is, well, terrifying, to say the
least ⁂.

It can be easily brushed off as an anomaly in such mature, widely adopted code
bases, but with non-mainstream, yet-in-development languages it's a scourge
that hinders the adoption and serves as a constant source of headache both for
developers and users. And, honestly, I can't see how this can be resolved
without raising public awareness and engaging other developers in a debate.

--

[1]:
[https://github.com/red/red/issues?utf8=%E2%9C%93&q=label%3At...](https://github.com/red/red/issues?utf8=%E2%9C%93&q=label%3Atype.AV+)

[2]:
[https://twitter.com/red_lang/status/887970289618829312](https://twitter.com/red_lang/status/887970289618829312)

[3]: [https://www.nirsoft.net/](https://www.nirsoft.net/)

[4]:
[https://news.ycombinator.com/item?id=4152539](https://news.ycombinator.com/item?id=4152539)
(apparently, original post is deleted, but still can be retrieved via Archive)

--

† We can only guess what causes the trigger, as vendors never give any
feedback. One guess is that toolchain generates a file layout different from
VisualStudio or GCC linkers, and uses a custom compression of DATA segment.

‡ I think this happens after each update of heuristic DBs or AV engines which
vendors share. IIRC Windows started to use machine learning for malware
detection some time ago. Total bonanza.

⁂ Ever wondered what the very first issue in the Nim repository was?
([https://github.com/nim-lang/Nim/issues/1](https://github.com/nim-lang/Nim/issues/1))

------
BeardPower
To make sure that our releases are clean we apply best practices like
generating the Windows binaries on Linux servers running Wine. We test the
binaries to the last detail with various AV packages. Malware analysis is also
incorporated to get to the bottom of why some AV packages report the binaries as
infected, but to no avail. The heuristic engines of major AV vendors are tuned
very severely, and there is no way of getting around it for us developers.

------
PeterLGummybear
The other day we saw an article about someone embedding a .zip in a jpeg that
survived twitter's thumbnailing. What about doing similar things with the
eicar string or other false positives that make antivirus freak out? This
seems like it'd be an interesting DoS attack.

------
Roritharr
For some reason Windows Defender started hogging my CPU today whenever I have
my IDE open. In the multiple years since switching to Microsoft's internal AV
solution I've never experienced this. Does anyone else have a similar
experience?

~~~
detaro
Maybe your IDE started reindexing source files in the background, accessing
many files very quickly? Defender can cause lots of load if that happens and
it wants to inspect everything.

------
0x8BADF00D
That’s strange. Is the compiler binary packed at all? I wonder what heuristic
they’re using to classify the D compiler as a Trojan.

~~~
Lerc
I would imagine they encountered malware written in D, compared the executable
to a bunch of others (not written in D) then decided the distinctive
characteristics of D were indicative of malware.

When there is no cost to providing a false positive, there is little incentive
to avoid it.

~~~
qaq
There is an incentive to avoid it, but as you might imagine there are not that
many D programs in corporate environments, so it's probably not a pain point for any
major customer and it's low priority.

------
emmelaich
notavirus:

- open source, used by many before
- AV companies frequently get false positives
- virus companies probably use common sigs and heuristics
- the installer might probe for higher privileges without actually being malicious

isavirus:

- not much

Was ClamAV tried? Is ESET listed (my favourite AV)?

