...to ensure things like this get investigated.
For what it's worth, I just downloaded the latest D compiler distribution for Windows and scanned it with Windows Defender -- it didn't report any problems.
Many have reported the false positive, the browser is open source. Nothing has changed. So good luck with that.
Now, the separate Tor browser component that's included, that's a different story. But the Brave browser itself is just fine.
Short summary: https://mspoweruser.com/microsoft-shares-ways-for-software-v...
The overwhelming desire to lock people into their walled garden is so blatant.
The first method to prevent a false positive is to ensure the software is digitally signed.
To someone looking to make money from malware, the cost of code signing is probably insignificant. To someone innocent and just wanting to share some software for free, it's not.
It shows that MS is clearly not interested in actually improving the detection accuracy of their AV much, but more interested in converting developers into a revenue stream.
Or at least I've encountered this in my career.
(I think that's also part of the reason why Windows Defender appears less competitive in antivirus comparisons, since you'd have to be doing something wrong to perform worse than the baseline Microsoft gives you.)
Edit: this describes the issue - https://mma.prnewswire.com/media/727967/VirusTotal_and_the_C...
I've a few flags from npm with Kaspersky, because there are so many packages that include some little binary, and since this is npm, it's often "unusual", like Go.
Just my imagination: If a malicious attacker would like to "convince" a victim to turn off the antivirus software, I can imagine this might be a good starting point how to annoy the user sufficiently.
But it is surprising to me that this isn't a top priority.
Symantec basically coerced us into buying a code-signing cert from them, and we still had to submit every build directly to them for this reputation issue to go away. Royal pain in the ass.
Same deployment procedure as had been for years (we'd previously been code-signing with a GoDaddy cert) with ClickOnce deployment (was a .NET Office add-in), all of a sudden we start getting dinged.
The cost to the company (a relatively small company) was significant. Had to buy a Symantec code-signing cert (~$900), had to ditch ClickOnce and invest in InstallShield (don't recall the license cost) and engineer the installer to both sign the installed libs & the installer itself. All of this because Symantec hadn't seen the new libs enough because, well, we targeted a smaller corporate audience (for argument's sake, we had around 100 clients, of which each would only have 1 or 2 installs of this particular app).
I wouldn't know how easy it would be to bypass. And in a corporate environment you would not be able to.
Someone interested in programming in D should be able to disable it and programmers != Everyone
> I wouldn't know how easy it would be to bypass. And in a corporate environment you would not be able to.
I feel like this knowledge is just a Google search away and for corporate... If your computers are so locked down that you can't disable the anti-virus they are probably locked down so that you can't install new programs in general. I, for one, would never choose to work for a company that locked down and in that case I feel like you just need to talk to IT to ask them to whitelist it.
All of that said I feel like there is a huge disconnect between the points you are making and the actual population that is trying to use D. Look, I have no clue on the actual install base/user base of D lang but I can't imagine we are talking a "real" number of people having this issue. D doesn't even rank on any of the "Top languages of 2018" lists I found online (that isn't a knock on D, it's just facts) so that coupled with the fact that the vast majority of D developers seem to use non-Windows OSes makes this all seem like a lot to do about nothing.
Good luck finding a job in banking, government, healthcare, defense, retail, insurance, securities, food, pharmaceutical, or pretty much anything other than social media.
All of these industries are basically forced into “whitelisted software only” by some regulation or another.
Also I find it very hard to believe that everyone working at FAANG companies is using a locked down computer.
It's almost like that was easier to say than to do.
That you can easily bypass it is irrelevant - it's a bad sign to me, as a potential user, when the installer is flagged as a virus, and a far worse one when the D team seems utterly apathetic about fixing it. I see no evidence in the thread whether it's a false positive or not (though plenty of unbacked claims and some ad hominem: "you are the one using the snake oil software"), only developers asking the users to blindly report it to their AV vendor.
I also did not see any response to Mike Franklin's comment: "It's not the compiler that is reporting the virus, it's the installer. What utility are we using to generate the installer executable?"
This throws up an entire forest of red flags to me as a developer - I'll stick to languages where the contributors care enough about the language to report a false positive themselves.
2. They are the only authority that can rightfully claim that their product is virus free. In time they might gain an understanding of what triggers it which might also be beneficial when reporting it. If it is a common occurrence they should probably have a template ready and a process for doing this. They also have interest in it being done correctly and that they have the ability to follow up on any issues. In fact, they should prefer to do it themselves rather than random people doing it for them when they only indirectly can be informed of any progress.
3. Thank the reporter for bringing the issue to their attention.
4. Happy to answer questions related to the issue.
Doesn't matter who is to blame. The D community is taking the hit, they should act to try and avoid that.
If Google erroneously blacklists your site, why should you care? You haven't done anything wrong? Some things just suck and you have to take care of it yourself.
2. there is no fix for a tool which is not a mass-market-consumer-product
3. as a technologist you should know that all anti-virus is bullshit which does not work. false positives and false negatives abound. the anti-virus's job is to accurately identify viruses/malware because users can't. But the anti-virus can't do it either. It's true. Really. I figured this out on my own over 15 years ago, and it never changed.
I really hate the sentiment and consensus around anti-virus. It's like a "car-crash protection talisman". It just does not work. But if you tell someone not to use it, and they get in a car crash, it's your fault. If they use it, and they get in a car crash, oh well, what can you do. But it's truly bullshit.
> They are the only authority that can rightfully claim that their product is virus free.
This is a dumb idea. What's the point of anti-virus if we just trust the vendor.
> This is a dumb idea. What's the point of anti-virus if we just trust the vendor.
The AV company will, hopefully, not... The vendor is the only one that can vet that the file on the site is the file that it is intended to be. They are also the only ones that can make changes to their builds (which can help).
Software developers have to lobby on their own behalf so their software fits into larger ecosystems seamlessly. Or deal with angry users.
Also, that's an insane comparison between AV reports and personal credit reports.
Support is important.
All of this stinks of entitlement to me. "I want you to fix my problem caused by my software that only affects a small group of people".
Then, they're actually still patient enough to be polite and trying to suggest to the user what he/she can do to help the project (or actually himself/herself), in order to resolve the issue he/she has. And in response, the user is only trying to deflect any responsibility and work/effort, and aggressively trying to push it back on them, using some weird, illogical, and generally absurd arguments (that they also are politely trying to explain as being invalid). Instead of actually trying to do what they suggested, and what could actually help resolve the issue.
That's how it would look from the authors/maintainers' side of the fence.
Neither the last release nor the recent release candidate have been flagged by any AV according to VirusTotal.
Anyone can send the report of the false positive to the AV companies. I don't understand why nobody took a few minutes to solve this.
As a volunteer, it's hard to do that for software that seems to be financially motivated to report false positives, so the users can pretend the money they give antivirus companies is worthwhile.
Also, I understand that this is not top priority and that it is a nice small task to be delegated to one of the newest contributors, especially the ones that have the problem and are using the obscure AV. But after a few months, it's time to say "whatever" and try to solve it. [Anyway, I tried an hour ago, it's not so easy. See my other comment.]
So for us who are already in, it is a "solved" problem. I recognize it doesn't help first timers though.
After hearing "Wolf! Wolf!" a few thousand times, one is done with AV.
I think if I had to turn Windows Defender off, it'd be better to just switch to *nix (which I assume doesn't have similar false positive problems for whatever reason).
Consider Red, which gets hit by AV truck almost on a monthly basis. Not only toolchain itself gets recognized as a "generic malware" †, but almost all compiled user applications get flagged too. Such false positives are always duly reported, issue seems to be gone... and then cycle repeats, even though no changes in compiler output or runtime with REPL were made ‡. Just like that, sporadically. Some of them go nuts even over simple "hello world".
Last year, as a last resort, developers directly tweeted one of the nastiest vendors (Avira) about this issue. Nothing changed. They don't care at all, since 2012, when the Red project started.
I know NirSoft products suffer from that plague; network utilities (Wireshark, nmap) get hit, so as various packers (WinRar, also see ); re-reading the thread after the original post, I'm not even surprised that demoscene experiences problems with anti-virus software; but seeing this issue pertaining to a mainstream language such as D is, well, terrifying, to say the least ⁂.
It can be easily brushed off as an anomaly in such mature, widely adopted code bases, but with non-mainstream, yet-in-development languages it's a scourge that hinders the adoption and serves as a constant source of headache both for developers and users. And, honestly, I can't see how this can be resolved without raising public awareness and engaging other developers in a debate.
: https://news.ycombinator.com/item?id=4152539 (apparently, original post is deleted, but still can be retrieved via Archive)
† We can only guess what causes the trigger, as vendors never give any feedback. One guess is that toolchain generates a file layout different from VisualStudio or GCC linkers, and uses a custom compression of DATA segment.
‡ I think this happens after each update of heuristic DBs or AV engines which vendors share. IIRC Windows started to use machine learning for malware detection some time ago. Total bonanza.
⁂ Ever wondered what the very first issue in Nim repository was? (https://github.com/nim-lang/Nim/issues/1)
When there is no cost to providing a false positive, there is little incentive to avoid it.
- open source, used by many before
- av companies frequently get false positives
- virus companies probably use common sigs and heuristics
- the installer might probe for higher privileges without actually being malicious
- not much