skeeto / w64devkit

Portable C and C++ Development Kit for x64 (and x86) Windows
The Unlicense
2.68k stars 185 forks

Windows Defender detects Puwaders.C!ml in ver 1.19.0 #79

Closed dzonesasaki closed 11 months ago

dzonesasaki commented 11 months ago

Windows Defender detects PUA:Win32/Puwaders.C!ml in make.exe from w64devkit-i686-1.19.0.zip. Is this a false positive?

skeeto commented 11 months ago

Yes, that's a false positive. Due to bad luck that particular binary has many hits on VirusTotal, too. In general, 32-bit binaries have it worse than 64-bit binaries.

The GNU Make build is reproducible, and so you can practically verify this for yourself if you're paranoid. You only need Docker (or Podman) to build a bit-for-bit identical binary from source. Inputs all come from official sources (see the top of Dockerfile), cryptographically verified, and the build steps are easily auditable (rest of Dockerfile). Building on v1.19 or the current master (2b0ae5a) will produce this matching hash:

$ ./multibuild.sh -4
$ unzip -q w64devkit-i686.zip w64devkit/bin/make.exe
$ sha256sum w64devkit/bin/make.exe
c12fbcc2121322cd455e06d437bc96ee64c2c96c64e185f292f9a7fd6a0d7182  w64devkit/bin/make.exe

If you plug that hash into VirusTotal you'll see month-old results which include this false detection.
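Added example, not part of the original thread or the w64devkit project: a script that compares a downloaded release zip against a locally rebuilt one, member by member, and checks one member against a published SHA-256 such as the one quoted above. The function names and the sample archive contents are assumptions made for illustration.

```python
import hashlib
import io
import sys
import zipfile

# Hash quoted in the comment above for w64devkit/bin/make.exe (i686, v1.19).
MAKE_EXE_SHA256 = "c12fbcc2121322cd455e06d437bc96ee64c2c96c64e185f292f9a7fd6a0d7182"

def member_hashes(zip_source):
    """Map each file in a zip to its SHA-256, streaming so nothing is extracted to disk."""
    hashes = {}
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256()
            with zf.open(info) as member:
                for chunk in iter(lambda: member.read(65536), b""):
                    digest.update(chunk)
            hashes[info.filename] = digest.hexdigest()
    return hashes

def compare_builds(release_zip, rebuilt_zip):
    """Return (mismatched, only_in_release, only_in_rebuild) as sorted name lists."""
    rel, reb = member_hashes(release_zip), member_hashes(rebuilt_zip)
    mismatched = sorted(n for n in rel.keys() & reb.keys() if rel[n] != reb[n])
    return mismatched, sorted(rel.keys() - reb.keys()), sorted(reb.keys() - rel.keys())

def matches_pinned(zip_source, member, expected_sha256):
    """True only if the member exists and its SHA-256 equals the published value."""
    return member_hashes(zip_source).get(member) == expected_sha256.lower()

def make_zip(files):
    """Build an in-memory zip from {name: bytes}; used only for the constructed demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py downloaded.zip rebuilt.zip (i686 builds)
        release, rebuilt = sys.argv[1], sys.argv[2]
        print("pinned make.exe ok:", matches_pinned(release, "w64devkit/bin/make.exe", MAKE_EXE_SHA256))
    else:  # constructed sample data, not real w64devkit contents
        release = make_zip({"w64devkit/bin/make.exe": b"MZ-a", "w64devkit/bin/cc.exe": b"MZ-b"})
        rebuilt = make_zip({"w64devkit/bin/make.exe": b"MZ-a", "w64devkit/bin/cc.exe": b"MZ-x"})
    mismatched, only_release, only_rebuilt = compare_builds(release, rebuilt)
    print("mismatched:", mismatched, "release-only:", only_release, "rebuild-only:", only_rebuilt)
    sys.exit(1 if mismatched or only_release or only_rebuilt else 0)
```

A member listed under "mismatched" is one whose rebuilt bytes differ from the published ones; the thread only states that the GNU Make build reproduces, so differences in other members are not by themselves a sign of tampering.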

dzonesasaki commented 11 months ago

Thanks for the reply. I see this issue should be in GNU Make. I would like to close this issue.