
Comments (10)

Peter0x44 avatar Peter0x44 commented on September 14, 2024 3

Is it time to put a note in the readme or releases so people can stop opening these (non-)issues?

from w64devkit.

0xRemyRuiz avatar 0xRemyRuiz commented on September 14, 2024 3

Unfortunately I don't have time to investigate right now, but here's what VT reports: https://www.virustotal.com/gui/file/dce1d71a3629e060e8f84ae7fff7334753eda2f9ced4c5ebc7327b169a5b5359/behavior

IP traffic:

  • TCP 204.79.197.203:443
  • UDP 192.168.0.48:137
  • UDP a83f:8110:4c52:5043:2d61:3633:3264:6639:53
  • TCP 23.198.171.50:443
  • TCP 20.99.186.246:443

TLS:

  • api.msn.com

I find it very strange that a supposedly portable compiler app makes TCP calls. If someone can investigate/explain, that would be great.

It also seems to drop files in the folder: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0

What does this portable app have to do with the Google updater?

It also does other things, but I'm no expert in reversing Windows binaries. I'm not making accusations, I'm just curious. In the end I personally went back to Visual Studio since I don't trust this repo yet. Windows Defender removed the executable anyway and flagged some part of it as a worm. I didn't feel like it was worth the risk to whitelist it, even though it could be a false positive.


skeeto avatar skeeto commented on September 14, 2024 3


0xRemyRuiz avatar 0xRemyRuiz commented on September 14, 2024 1

Wow, I just tried my own current exercise in C and... it's a virus too... xD
It's got even more flags (7 AVs flag it as a virus, lol). For a custom struct and a bunch of printfs, that's funny.
Thank you for taking the time to clarify and point out that VT is very broken.
In fact I tried the simplest code to open a file, in 4 lines:

#include <stdio.h>

/* Open the file named on the command line for reading, then exit. */
int main(int ac, char** av) {
    if (ac >= 2) fopen(av[1], "r");
    return 0;
}

And guess what, it is also a virus... Damn depressing... I suppose that those AVs detect every program that's "too basic" as a virus; if it doesn't have a certain degree of complexity and conformity, it flags it, probably just in case.
Sorry for being doubtful and suspicious, and thank you again for taking the time to respond!


Megaemce avatar Megaemce commented on September 14, 2024

Is that really not an issue? Version 1.23 cannot be used on Windows 11, as the zip file is blocked straight after downloading.
If the main reason behind this project is "Portable C and C++ Development Kit for x64 Windows", then I see a big issue here.


Peter0x44 avatar Peter0x44 commented on September 14, 2024

@Megaemce I wish it weren't an issue, but it is out of our hands. There is nothing actionable here.

As for the zip file getting blocked, there is a slightly convoluted process you can use to get Windows Defender to stop deleting it.
[screenshot]

Go to the page for the "threat" itself, and click "Actions -> Allow".

If you have suggestions for how to get Microsoft to stop false flagging w64devkit, I'd love to hear them. AFAIK, it is impossible.

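A scripted version of the check-before-allow step described above, added here as an example; it is not code from the w64devkit project or from this thread. The zip path and expected hash are placeholders to fill in from the release you actually downloaded, and it assumes an elevated PowerShell session with the built-in Defender module on Windows 10/11.

```powershell
# Added example, not part of the w64devkit project.
# Before clicking "Actions -> Allow" on a quarantined w64devkit zip, confirm the
# file is the one you meant to download, then exclude only that one path.

$ZipPath        = "$env:USERPROFILE\Downloads\w64devkit.zip"      # placeholder path
$ExpectedSha256 = "<SHA-256 of the release asset you downloaded>"  # placeholder

# 1. What did Defender actually record about this file?
Get-MpThreatDetection |
    Where-Object { $_.Resources -like "*w64devkit*" } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

# Map the ThreatID above to a name/severity so the detection can be looked up.
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID | Format-Table

# 2. The file must still exist and must match the hash of the genuine release.
if (-not (Test-Path $ZipPath)) {
    Write-Host "Zip not found (probably quarantined). Restore it from Defender's Protection history first."
    return
}
$actual = (Get-FileHash -Algorithm SHA256 -Path $ZipPath).Hash
if ($actual -ne $ExpectedSha256) {   # -ne is case-insensitive in PowerShell
    Write-Host "Hash mismatch: got $actual. Do not allow this file."
    return
}

# 3. Exclude this single file, not the whole Downloads folder.
Add-MpPreference -ExclusionPath $ZipPath
Write-Host "Current path exclusions:"
(Get-MpPreference).ExclusionPath
```

If the hash does not match, the download is not the release you expected and the detection should not be overridden.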

Peter0x44 avatar Peter0x44 commented on September 14, 2024

This is an old screenshot from a different obnoxious run-in with Windows Defender, and it's on Windows 10. But I doubt Windows 11 differs by that much here.


Megaemce avatar Megaemce commented on September 14, 2024

Thanks for the input. Do you have any idea why version 1.22 causes no Windows Defender alert, then?


Peter0x44 avatar Peter0x44 commented on September 14, 2024

@0xRemyRuiz I don't know, but w64devkit.exe itself makes NO TCP calls, at all. Its source is small; you can manually review it yourself:
https://github.com/skeeto/w64devkit/blob/master/src/w64devkit.c
Other components of w64devkit (busybox.exe) that w64devkit.exe itself starts might. But that is for some of its applets (like wget), among other things. They aren't split into separate executables for size reasons, so it might appear that way.

> It also seems to drop files in the folder: C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0

I don't know what you're talking about, but it sure isn't w64devkit that does that...


skeeto avatar skeeto commented on September 14, 2024

#79
