Open wodin opened 2 years ago
Rust started using different Windows API calls in commit 4f0ad1c92ca08da6e8dc17838070975762f59714 (cc @ChrisDenton) to deal with CVE-2022-21658. Virus scanners are often based on heuristics, and it's quite possible that this change made it look similar in some way to patterns found in a known virus.
15 scanners flagged it, but they're a minority against the 48 that did not!
Sure, I suspect it's a false positive. Still, it seems worth trying to do something about it?
"Only 15 of 63 flagged it as malicious" is not that comforting :)
This only affects the 32-bit dll, right? Hmm... my local scanner doesn't report anything, does yours have a way to report false positives? Malware scanning is a bit outside my expertise unfortunately.
Yes, only that specific dll is detected.
You can upload a file to virustotal.com to have it scanned by a bunch of different antivirus products.
Reporting seems to be a matter of contacting each vendor who detects the file :-/
I've reported it to my antivirus vendor here: https://www.bitdefender.com/consumer/support/answer/29358/
EDIT: Closed issue by mistake and have reopened it. I have seen some mentions of "VirusTotalMonitor" which is supposed to allow you to get notified early of this sort of thing for software you're developing, but the links are broken 🤷‍♂️
In general AV issues should be reported to AV vendors. We cannot really do anything about their invalid heuristics, and most of us aren't their clients.
A compiler toolchain, essentially by definition, "does something suspicious": generate a new program and then run it, potentially trashing existing files somewhere along the way. Why, do you know what does that? Viruses do that! It is a small miracle of programming and perhaps tribute to antivirus creators that the Rust toolchain is not always detected as a virus... or maybe a bug, since, naturally, Rust's libstd contains the necessary machine code to, if it is executed, do various nasty things.
Rustup (for Linux) and the Rust std*.dll for x86-64 Windows are both also flagged:
Though it seems most ELF programs and libraries, including our libstd.so, are completely pure in the eyes of VirusTotal. :innocent:
FWIW, the number of vendors/products that flag i686-pc-windows-msvc/lib/std-41d48f5938a7bd14.dll as malicious has now dropped to 5.
4 today, as it turns out!
Down to 3 on this report:
I ran a new VirusTotal on some recent nightly stdlibs, apparently 1 for x86_64-pc-windows-msvc and one for i686-pc-windows-msvc, now:
I have taken the liberty of reporting the holdouts to their support teams, with the exception of Rising Antivirus (I was not able to find anywhere to report it).
I will let everyone know how my support tickets go, and then assuming I hear back from people, I will likely close this issue as complete, and simply let everyone know which antivirus companies refuse to correct their scanners. That is the only degree to which the ticket is actionable, so it is the action to take.
https://www.virustotal.com/gui/file/59999133cb236b67fa8c354aa62f549c34ca9b7a68d42c0ceba0c6a6dcb2e467 only has a single detection from a smaller AV vendor right now. https://www.virustotal.com/gui/file/b6e83e624f0696e36cad956deed855709a5bd1fbc4bd575cfc611f4fbe9809e0 has a single detection from mcafee-gw-edition and https://www.virustotal.com/gui/file/90a0082841e7bbe4cf11cbe09746e8daf73a66843fb4f1372aaeaf4ff9b18ea4 doesn't have any detection right now.
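The thread tracks a shrinking set of flagging vendors across repeated VirusTotal reports (the report URLs above are keyed by the file's SHA-256). The following is an added Python example, not code from the issue or from the Rust project: it hashes a file the way those URLs are keyed, and diffs two scan results to list which engines cleared the file and which are holdouts. It assumes the VirusTotal API v3 file-object layout (`data.attributes.last_analysis_results`, one entry per engine with a `category`), and the sample reports use constructed placeholder engine names, not real scanner verdicts.

```python
import hashlib
import json

# Reports are linked by SHA-256, e.g. https://www.virustotal.com/gui/file/<sha256>
VT_FILE_URL = "https://www.virustotal.com/gui/file/{digest}"
FLAGGED = {"malicious", "suspicious"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash a file (e.g. a std-*.dll) in chunks so large binaries stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def report_url(digest: str) -> str:
    return VT_FILE_URL.format(digest=digest)


def flagging_engines(report: dict) -> list:
    """Engines with a malicious/suspicious verdict (assumed VT v3 file-object layout)."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return sorted(name for name, r in results.items() if r.get("category") in FLAGGED)


def detection_delta(older: dict, newer: dict) -> dict:
    """Which engines cleared the file, which still flag it, and which newly flag it."""
    before, after = set(flagging_engines(older)), set(flagging_engines(newer))
    return {"cleared": sorted(before - after),
            "holdouts": sorted(before & after),
            "new": sorted(after - before)}


def _report(verdicts: dict) -> dict:
    """Build a minimal constructed report; verdicts maps engine name -> category."""
    return {"data": {"attributes": {"last_analysis_results":
            {eng: {"category": cat} for eng, cat in verdicts.items()}}}}


# Constructed sample scans with placeholder engine names, not real verdicts.
SCAN_WEEK1 = _report({"EngineA": "malicious", "EngineB": "malicious",
                      "EngineC": "suspicious", "EngineD": "undetected", "EngineE": "malicious"})
SCAN_WEEK2 = _report({"EngineA": "undetected", "EngineB": "malicious",
                      "EngineC": "suspicious", "EngineD": "malicious", "EngineE": "undetected"})

if __name__ == "__main__":
    print(json.dumps(detection_delta(SCAN_WEEK1, SCAN_WEEK2), indent=2))
```

With a real report, `report_url(sha256_of_file(path))` gives the page to check, and the holdouts list is the set of vendors still worth a false-positive ticket.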
Yes, except for the Zillya holdout, everyone responded positively. Don't know why McAfee is still flagging. Zillya wanted me to submit more binaries directly to them for them to understand what I meant.
I upgraded to Rust 1.58.1 using rustup (installed from Homebrew) on my Apple M1 Mac and my antivirus software quarantined one of the DLLs with the following message:
I uploaded it to VirusTotal and found that several antivirus vendors detect it as malicious: