Windows Defender detects Trojan in produced binary #89
Comments
This is very alarming, would it be possible to link a VirusTotal scan of the binary?

This is the report for the Windows binary: I've created a new release for this issue. For extra info, my initial comment only mentions 1 detection, but Windows Defender showed me 2 threats in the same binary. Also, this is the VirusTotal result for a locally built release (clean, rustc v1.73.0):
After a lot of testing I have found that any rust program cross-compiled on alpine linux linked using mingw-w64 seems to get the same detection: https://www.virustotal.com/gui/file/25e247564dc98cb64f386c3b791108467dcd6a69f676fb9587f519c9c8eff197 (I'm not sure if they get detected by windows defender as I don't have windows). Compiling using cross-rs there is a different detection but the binary is still detected as malicious. I believe that this is a false positive because the toolchain I used to replicate the detection would require one of the following to be compromised:
If you want to avoid any detections this might be possible by using GitHub Actions' Windows runner (I haven't tested this):

```yaml
# jobs fragment as posted; the workflow trigger (on:) was not included in the comment
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo build --release
      - uses: diamondburned/action-upload-release@main
        with:
          files: target/release/my-program.exe
```
I had to split up the build and the add-to-release since I build on Windows, and then add the binary to the release on a Linux job.

```yaml
on:
  release:
    types: [created]

jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo build --release
      - uses: actions/upload-artifact@v4
        with:
          path: ./target/release
          if-no-files-found: error
          retention-days: 1
          overwrite: true

  add_to_release:
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/download-artifact@v4
        with:
          path: .
      - uses: diamondburned/action-upload-release@main
        with:
          files: artifact/ynab-belfius.exe
```

But unfortunately... Same result. Both VirusTotal and Windows Defender seem to detect threats :( Thank you for the thorough analysis though.
Were there previous releases that were not detected?

No, this is (one of) my first time(s):
I don't have any previous experience with building a release this way. I'm also aware it might be something I'm doing wrong, but I can't really imagine what, since building locally doesn't cause any issues.

I'm having the same issue; did you discover anything further?

Hi @lokkju,

Some context on this. This seems to be a problem with cross-compiling in general. I have tried to cross-compile a simple program to automatically accept the match when one is found for an online game (CS2). This binary is immediately nuked by Windows Defender as it thinks it contains
This is only detected in the binary that was added to the release by this build action.
When I build the executable manually, no issue is detected.
The binary produced by the action is also slightly larger than the one built locally. (I don't know if I used the same Rust version though, that could have an effect.)
In case you want to see the source for what I'm trying to build:
https://github.com/jeroenpelgrims/ynab-belfius
I've since removed the offending release from GitHub.
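The issue notes that the action-built binary is slightly larger than the local build but offers no way to say where the extra bytes sit. The script below is an added example, not part of this issue or the ynab-belfius project: it hashes two PE files, reports the size delta, and diffs their COFF timestamps and section tables so a maintainer can tell a toolchain difference (an extra `.reloc` section, a bigger `.rdata`) from an actually different program before filing a false-positive report. It uses only the standard library; the PE images in `__main__` are constructed toys standing in for the local and released `.exe`, and the file names there are assumptions.

```python
"""Compare two builds of the same Windows PE: hashes, size, timestamp, sections."""
import hashlib
import struct


def parse_pe(data: bytes):
    """Return (timestamp, sections); sections is a list of (name, virtual_size, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, timestamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i              # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rawsize))
    return timestamp, sections


def compare_builds(local: bytes, released: bytes) -> dict:
    """Summarise how the released image differs from the locally built one."""
    local_ts, local_secs = parse_pe(local)
    rel_ts, rel_secs = parse_pe(released)
    local_map = {n: raw for n, _v, raw in local_secs}
    rel_map = {n: raw for n, _v, raw in rel_secs}
    section_diffs = [
        (name, local_map.get(name), rel_map.get(name))      # None = section absent
        for name in sorted(set(local_map) | set(rel_map))
        if local_map.get(name) != rel_map.get(name)
    ]
    return {
        "local_sha256": hashlib.sha256(local).hexdigest(),
        "released_sha256": hashlib.sha256(released).hexdigest(),
        "identical": local == released,
        "size_delta": len(released) - len(local),
        "timestamps": (local_ts, rel_ts),
        "section_diffs": section_diffs,
    }


def build_toy_pe(sections, timestamp, opt_size=240):
    """Constructed minimal PE32+ image for offline testing; not real compiler output."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, opt_size, 0x22)
    opt = b"\0" * opt_size                # contents irrelevant for section parsing
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    headers, payloads = b"", b""
    for name, payload in sections:
        headers += name.encode("ascii").ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(payload)
        payloads += payload
    return dos + b"PE\0\0" + coff + opt + headers + payloads


if __name__ == "__main__":
    # Constructed stand-ins for target/release/ynab-belfius.exe (local) and the
    # release asset; on a real investigation read both files with open(..., "rb").
    local_exe = build_toy_pe([(".text", b"A" * 100), (".rdata", b"B" * 40)], timestamp=0)
    released_exe = build_toy_pe(
        [(".text", b"A" * 100), (".rdata", b"B" * 64), (".reloc", b"C" * 8)],
        timestamp=1700000000)
    for key, value in compare_builds(local_exe, released_exe).items():
        print(f"{key}: {value}")
```

The SHA-256 lines give the value to look up on VirusTotal for each build, and a non-empty `section_diffs` list points at the linker or runtime component that grew, which is the first thing a maintainer will be asked about when disputing a detection.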