pal1000 / mesa-dist-win

Pre-built Mesa3D drivers for Windows
MIT License

Virus is detected in mesa3d download with Defender. #71

Open luisgo007 opened 3 years ago

luisgo007 commented 3 years ago

When I download mesa3d for Windows (7z) Windows (Defender) detects a Virus in it.

pal1000 commented 3 years ago

Most likely false positive. See also #39, #46, #51.

w-mcilhagga commented 3 years ago

It is a false positive, but you need to tell MS that they are morons.

jppw commented 3 years ago

GData Anti Virus tells me the same, with nearly every file.

(screenshot attached)

System: Windows 2019 RDS Server, up to date on Proxmox

DanielGibson commented 3 years ago

Are you sure there's nothing wrong with the binaries? When I tried to extract the x86 part of mesa3d-21.2.1-release-msvc.7z Windows Defender complained about (almost?) all .exe files.

As I was curious I told it to extract one of them anyway and uploaded it at VirusTotal, where 26 AV Engines identify it as some kind of Trojan: https://www.virustotal.com/gui/file/a541f19531d2a39d1a326746677f1ed328f3803ef1cffc26262e0be0d1815608/detection

You should seriously look into this, it seems quite possible that your build machine is infected. UPDATE: Or maybe that many AV engines are wrong after all. Worrying that the heuristic for detecting this Fugrafa/Sabsik malware is so bad on that many different AV engines, and that "links CRT statically" seems to be a big part of it.

DanielGibson commented 3 years ago

BTW, I built LLVM 12.0.1 and mesa 21.2.0 myself, with VS2019. meson options were --backend=vs --buildtype=release -Db_ndebug=true -Dbuild-tests=true -Dosmesa=true. The generated graw-tex-srgb.exe was only 85KB (instead of 199KB), and on virustotal only one AV engine (that I've never heard of) flags it as "malicious": https://www.virustotal.com/gui/file/61b22fbd8ff3f417c49d6d7996f2ffa6067fc2984d2846c9f01b39dcfe32b27d/detection

So in case anyone ignored their AV they should really scan their system.

@pal1000 you should probably take down your downloads until you've verified that either it really was false positives or (much more likely at this point) until you've reinstalled your build machine and built fresh clean binaries (verify with virustotal).

In case anyone needs a 32bit x86 opengl32.dll from mesa 21.2.0 that's most probably clean, here you go: opengl32_x86.zip

pal1000 commented 3 years ago

For starters, only 32-bit executables are detected as malware, the x64 ones are not. The DLLs, which are the most important part, are not detected at all. The executables are just unit tests. I did a full scan with Windows Defender and the only detections were some 32-bit Mesa unit tests. As for file size parity you may get there with

meson.exe build/x86 --buildtype=release -Db_ndebug=true -Dc_std=c17 -Db_vscrt=mt -Dzlib:default_library=static -Dcpp_std=vc++latest -Dllvm=enabled -Dshared-llvm=disabled --backend=ninja -Dgallium-drivers=swrast,zink,d3d12 -Dvulkan-drivers=swrast -Dgallium-d3d10umd=false -Dspirv-to-dxil=true -Dshared-glapi=enabled -Dgles1=enabled -Dgles2=enabled -Dosmesa=true -Dbuild-tests=true -Dmicrosoft-clc=disabled -Dc_link_args="/DELAYLOAD:vulkan-1.dll" -Dcpp_link_args="/DELAYLOAD:vulkan-1.dll"

Note that you also need Vulkan SDK to build zink and you have to execute ninja with -k 0 option as some tests don't build with MSVC and -Dshared-glapi=enabled.

DanielGibson commented 3 years ago

Ok, the main difference between your and my build settings is that you link the CRT statically (-Db_vscrt=mt) which also explains the difference in size.

Turns out, if I do that (which implies also building LLVM with statically linked CRT) as well I get similar results, see https://www.virustotal.com/gui/file/bfd24bf4c76ed77bc428f6842b5fba2e6df4093ee0176bd0722082f41d98bcb7/detection (No idea why in that case "only" 16 AV scanners - including Windows Defender - flag it as malicious, while it's 26 for your binary)

So it looks like I was wrong and it probably is a false positive after all - sorry about the noise.

However, as we can't change how broken AV software is (this really is way worse than I expected, and I really don't expect much) I'd suggest that you also build with dynamic CRT, even if that might mean that people may have to install the VS runtime - I guess most have it installed anyway (VS2015-2019 sharing the same runtime probably helps).
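Added example (not part of this issue thread or the mesa-dist-win project): the thread narrows the detections down to two properties of the flagged files, a 32-bit Machine type and a statically linked CRT (-Db_vscrt=mt). The script below is a dependency-free Python PE header reader that reports exactly those two properties for every .exe/.dll under a directory, plus the SHA-256 in the same VirusTotal URL form used above, so a user can check an extracted archive before deciding whether a detection is plausible. The DLL-name prefixes used to recognise a dynamically linked MSVC runtime (vcruntime*, msvcp*, msvcr*, ucrtbase, api-ms-win-crt-*) are an assumption based on the standard runtime library names; build_fake_pe only constructs a minimal, non-loadable PE fixture so the parser can be exercised offline.

```python
"""Added example: report the PE properties this thread links to the false positives."""
import hashlib
import struct
from dataclasses import dataclass

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
# Assumption: a binary built against the dynamic MSVC CRT (-Db_vscrt=md) imports one of
# these DLL name families; a binary importing none of them has the CRT linked in
# statically (-Db_vscrt=mt) or does not use the CRT at all.
DYNAMIC_CRT_PREFIXES = ("vcruntime", "msvcp", "msvcr", "ucrtbase", "api-ms-win-crt-")


@dataclass
class PeInfo:
    sha256: str
    machine: int
    imports: list  # DLL names from the import directory, in table order

    @property
    def is_32bit(self) -> bool:
        return self.machine == IMAGE_FILE_MACHINE_I386

    @property
    def dynamic_crt(self) -> bool:
        return any(d.lower().startswith(DYNAMIC_CRT_PREFIXES) for d in self.imports)


def _rva_to_offset(rva: int, sections) -> int:
    """Map an RVA to a file offset via the section table entries (va, vsize, raw_ptr, raw_size)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")


def inspect_pe(data: bytes) -> PeInfo:
    """Parse just enough of a PE file to get Machine, imported DLL names and SHA-256."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]               # 0x10B = PE32, 0x20B = PE32+
    dd_off = opt + (96 if magic == 0x10B else 112)                # start of the data directories
    import_rva = struct.unpack_from("<II", data, dd_off + 8)[0]   # directory entry 1: import table
    sec_off = opt + opt_size
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_off + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    imports = []
    desc = _rva_to_offset(import_rva, sections) if import_rva else None
    while desc is not None:
        name_rva = struct.unpack_from("<IIIII", data, desc)[3]   # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                         # all-zero descriptor ends the table
            break
        off = _rva_to_offset(name_rva, sections)
        imports.append(data[off:data.index(b"\0", off)].decode("ascii"))
        desc += 20
    return PeInfo(hashlib.sha256(data).hexdigest(), machine, imports)


def triage(info: PeInfo) -> str:
    """One-line summary of the two properties the thread found correlate with detections."""
    arch = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(info.machine, f"{info.machine:#x}")
    crt = "dynamic CRT" if info.dynamic_crt else "static CRT or no CRT import"
    return f"{arch}, {crt}, imports={','.join(info.imports)}"


def build_fake_pe(machine: int, dlls) -> bytes:
    """Constructed test fixture: a minimal, non-loadable PE with one .idata section whose
    import table names `dlls`. Only the fields inspect_pe() reads are filled in."""
    pe32plus = machine == IMAGE_FILE_MACHINE_AMD64
    opt_size, sec_va, sec_raw = (240 if pe32plus else 224), 0x1000, 0x200
    names_start = 20 * (len(dlls) + 1)                            # descriptors precede the names
    names, name_rvas = b"", []
    for d in dlls:
        name_rvas.append(sec_va + names_start + len(names))
        names += d.encode() + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + bytes(20)
    idata = descs + names
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<II", opt, (112 if pe32plus else 96) + 8, sec_va, len(descs))
    sec = b".idata\0\0" + struct.pack("<IIII", len(idata), sec_va, len(idata), sec_raw) + bytes(16)
    img = bytearray(dos + b"PE\0\0" + coff + opt + sec)
    return bytes(img + bytes(sec_raw - len(img)) + idata)


if __name__ == "__main__":
    import sys
    from pathlib import Path
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for p in sorted(root.rglob("*")):
        if p.suffix.lower() not in (".exe", ".dll"):
            continue
        try:
            info = inspect_pe(p.read_bytes())
        except (ValueError, IndexError, struct.error) as e:
            print(f"{p}: unreadable ({e})")
            continue
        print(f"{p}: {triage(info)}")
        print(f"  https://www.virustotal.com/gui/file/{info.sha256}")
```

Run it against the extracted x86 and x64 directories of the archive; files that report "x86, static CRT or no CRT import" are the ones matching the pattern described in this thread, and the printed URL looks up the file by hash without uploading it.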

DanielGibson commented 3 years ago

I reported the false positives to Windows Defender (https://www.microsoft.com/en-us/wdsi/filesubmission - because I use it myself) and AVG (https://www.avg.com/de-de/false-positive-file-form - because they reacted when I ranted on Twitter about this problem).

I'll keep you updated in case there's any reactions.

I'm not gonna spend time on reporting to more AV vendors, but if someone has this problem with the product they're using themselves, they should try to report it to the vendor, maybe that'll make them fix their heuristics.

LowLevelMahn commented 2 years ago

FYI: also happened to me with mesa3d-21.2.3-release-msvc.7z

current Win 10 x64 Defender and Virus-Total telling me that some of the exes contain Trojan:Win32/Sabsik.FL.A!ml

mesa3d-21.2.3-release-msvc.7z->x86/fast_urem_by_const_test.exe and others

https://www.virustotal.com/gui/file/7f73a1cfbfac889c7bc558b2d551590b0bf43da3aee3a1d1c87ffe1c43b4df42

at least fewer false detections than before

(screenshot attached)