denisidoro / navi

An interactive cheatsheet tool for the command-line
Apache License 2.0

Security concern about Windows binary (v2.23.0) #869

Open Geogboe opened 6 months ago

Geogboe commented 6 months ago

Describe the bug

Want to first clarify that I believe this is a false positive but still wanted to bring it to the attention of the maintainers. When I tried to download the archive for this via Firefox I got a warning, which prompted me to run it through VirusTotal, which is flagging it for multiple reasons -- all of which I don't fully understand, not being familiar with the code.

Here's the report: https://www.virustotal.com/gui/file/be1c45308c479db5d0ef6db49eefdbd41c2dbe543027807909e180b49fec2f0e

Edit: updated description

To Reproduce NA

Expected behavior NA

Screenshots NA

Versions:

Additional context

Here's what I tested

archive file:
Name: navi-v2.23.0-x86_64-pc-windows-gnu.zip
Size: 2611933 bytes (2550 KiB)
SHA256: 97539b0aa149c60dee1315d90e9339d84fb33ec80311b6d3c85aac07e5f22f22

executable:
Name: navi.exe
Size: 5172488 bytes (5051 KiB)
SHA256: be1c45308c479db5d0ef6db49eefdbd41c2dbe543027807909e180b49fec2f0e

VirusTotal report: https://www.virustotal.com/gui/file/be1c45308c479db5d0ef6db49eefdbd41c2dbe543027807909e180b49fec2f0e

I looked through the code base and build pipeline, and it looks like upx is being used to compress the binary: https://github.com/denisidoro/navi/actions/runs/7156992883/job/19487333651#step:5:208 and I'm thinking that might be making the bin more suspicious to scanners. I found a similar issue for another Rust project: https://github.com/svenstaro/miniserve/issues/1210#issuecomment-1694579204 and even a pinned issue for upx itself: https://github.com/upx/upx/issues/437

These are pretty small binaries so I just wonder how much larger it would be without running it through upx and if that would remove some of the warnings?

welcome[bot] commented 6 months ago

Thanks for opening your first issue here! In case you're facing a bug, please update navi to the latest version first. Maybe the bug is already solved! :)

denisidoro commented 6 months ago

I can disable upx for Windows :)