deltachat-rpc-server-win64.exe is marked as malware by VirusTotal since 1.150.0

[link2xt]

This version is marked as malware:
https://github.com/deltachat/deltachat-core-rust/releases/download/v1.150.0/deltachat-rpc-server-win64.exe

sha256sum of 1.149.0 is 347bdcf0905cb19335ae915ea7a256db1396e48eecf848ede6fe116f4f82ebb9, it is clean:
https://www.virustotal.com/gui/file/347bdcf0905cb19335ae915ea7a256db1396e48eecf848ede6fe116f4f82ebb9
I built it with nix build .#deltachat-rpc-server-win64 and it produced the same binary with the same sha256, the version uploaded to GitHub releases, PyPI and npm is reproducible.

sha256sum of 1.150.0 is 12cdbb651b793c2b81b3a08a8ea10942dcfdf30777381c947b3002dad3c9d4e4, I also reproduced it with Nix, but this one is flagged:
https://www.virustotal.com/gui/file/12cdbb651b793c2b81b3a08a8ea10942dcfdf30777381c947b3002dad3c9d4e4

Going to bisect to the commit now.

git bisect log

Commit 60163cb (bad, 1/72 flagged): https://www.virustotal.com/gui/file/a76476948e06af68a513e542c02f0a5c66c970b71aa0590096bdcdf80d212dd0

Commit 1e886a3 (good): https://www.virustotal.com/gui/file/5137e6c543ab985872c06a019b08a21ffc1c5d0cfa7d2d968e007b08d8ad0a06

Commit 010b655 (bad, 1/72 flagged):
https://www.virustotal.com/gui/file/6bcbc36ab460d15c847c402d3b3d44e2adde277f6cdce5e16bf284b59b874d71

Commit 19dc16d (good):
https://www.virustotal.com/gui/file/e95316049c1e8123823eb475406425d33b9922b04c1f249d7596f6722a425740

Commit fe53eb2 (bad, 1/72 flagged):
https://www.virustotal.com/gui/file/6bcbc36ab460d15c847c402d3b3d44e2adde277f6cdce5e16bf284b59b874d71

Commit 9c0e932 (bad, 1/72 flagged):
https://www.virustotal.com/gui/file/0512e8b2e25c64c11d470e54ca931f464986cd7d41031c02e6dee53425d86ad2

I suspect it will end up at nix flake update commit which implicitly updated Rust, but doing proper git bisect currently anyway.

EDIT: so it is 9c0e932 which updated Rust.

This problem results in antivirus deleting deltachat-rpc-server.exe when installing Delta Chat Desktop on Windows and breaking the setup: deltachat/deltachat-desktop#4209

[link2xt]

At this point it is only Microsoft detecting Trojan:Win64/CobaltStrike.IM!MTB
Seems they have a history of such false positives: https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-scars-admins-with-false-cobalt-strike-alerts/

Also here: tree-sitter/tree-sitter-css#35

[link2xt]

https://docs.virustotal.com/docs/false-positive-contacts lists https://www.microsoft.com/en-us/wdsi/filesubmission as a place to report false positives. There is a way to upload your binary as a "software developer", probably we should do it from Delta Chat related account.

[WofWca]

What's interesting is that the 32-bit build of 1.150 is not flagged: https://www.virustotal.com/gui/file/98c85c5cd0fab1be0f12dc4768b889aaaaa53a8124ced8c5039e24c08ea260d6

[link2xt]

I uploaded 1.152.0 as the false positive:

[link2xt]

1.152.0 release, the latest one at the moment and the one submitted as false positive:
https://www.virustotal.com/gui/file/f5c3174fa11bb2010a9aadad993ce4b130d0b5de2a17782a64619bb2e67277e4

We can click to rescan it later and see if the problem is resolved.

[link2xt]

I have also tested that checking out v1.149.0 tag and running nix flake lock --update-input fenix to only update Rust results in Microsoft detecting 1.149.0 as Trojan:Win64/CobaltStrike.IM!MTB: https://www.virustotal.com/gui/file/bf0ddac0dd7c4a667f37f5207d55cd08b3c01b980738826e93e44d894168511d

Here is the diff compared to 1.149.0:

diff --git a/flake.lock b/flake.lock
index 95b1fe5d8..8fe43fb73 100644
--- a/flake.lock
+++ b/flake.lock
@@ -47,11 +47,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1714112748,
-        "narHash": "sha256-jq6Cpf/pQH85p+uTwPPrGG8Ky/zUOTwMJ7mcqc5M4So=",
+        "lastModified": 1734071760,
+        "narHash": "sha256-i5/1cvgahF0lvtRkg9aKlYr0SuE8hNO7xaqvdkc+qXE=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "3ae4b908a795b6a3824d401a0702e11a7157d7e1",
+        "rev": "db0bcf236f561ebbac1204074757c26c53a3d63c",
         "type": "github"
       },
       "original": {
@@ -147,11 +147,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1713895582,
-        "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
+        "lastModified": 1733940404,
+        "narHash": "sha256-Pj39hSoUA86ZePPF/UXiYHHM7hMIkios8TYG29kQT4g=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "572af610f6151fd41c212f897c71f7056e3fb518",
+        "rev": "5d67ea6b4b63378b9c13be21e2ec9d1afc921713",
         "type": "github"
       },
       "original": {
@@ -203,11 +203,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1714031783,
-        "narHash": "sha256-xS/niQsq1CQPOe4M4jvVPO2cnXS/EIeRG5gIopUbk+Q=",
+        "lastModified": 1734022706,
+        "narHash": "sha256-rIz8/rsTP5N7uLSyFbHZ+ink6EHBKkWFAQPkzhq7/YM=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "56bee2ddafa6177b19c631eedc88d43366553223",
+        "rev": "9b2e72c40454012cbac8a1aa94d65931e3a7b881",
         "type": "github"
       },
       "original": {

[WofWca]

We can click to rescan it later and see if the problem is resolved.

Unlikely, it's been marking other releases as potentially malicious

[link2xt]

I mean if Microsoft does something about false positive, VirusTotal should stop detecting old binaries as malware as well.

[link2xt]

There is a workaround at #6346 but this Rust downgrade prevents us from upgrading dependencies, e.g. iroh at #6309 so the issue will remain open until Microsoft fixes the false positive.

[link2xt]

There is also an update on the false positive report:

[link2xt]

VirusTotal still flags 1.152.0 so the issue remains open until we can build with new Rust and get 0 detections on VirusTotal and can merge #6348