deltachat-rpc-server-win64.exe is marked as malware by VirusTotal since 1.150.0

[link2xt]

This version is marked as malware:
https://github.com/deltachat/deltachat-core-rust/releases/download/v1.150.0/deltachat-rpc-server-win64.exe

sha256sum of 1.149.0 is 347bdcf0905cb19335ae915ea7a256db1396e48eecf848ede6fe116f4f82ebb9, it is clean:
https://www.virustotal.com/gui/file/347bdcf0905cb19335ae915ea7a256db1396e48eecf848ede6fe116f4f82ebb9
I built it with nix build .#deltachat-rpc-server-win64 and it produced the same binary with the same sha256, the version uploaded to GitHub releases, PyPI and npm is reproducible.

sha256sum of 1.150.0 is 12cdbb651b793c2b81b3a08a8ea10942dcfdf30777381c947b3002dad3c9d4e4, I also reproduced it with Nix, but this one is flagged:
https://www.virustotal.com/gui/file/12cdbb651b793c2b81b3a08a8ea10942dcfdf30777381c947b3002dad3c9d4e4

Going to bisect to the commit now.

git bisect log

Commit 60163cb (bad, 1/72 flagged): https://www.virustotal.com/gui/file/a76476948e06af68a513e542c02f0a5c66c970b71aa0590096bdcdf80d212dd0

Commit 1e886a3 (good): https://www.virustotal.com/gui/file/5137e6c543ab985872c06a019b08a21ffc1c5d0cfa7d2d968e007b08d8ad0a06

Commit 010b655 (bad, 1/72 flagged):
https://www.virustotal.com/gui/file/6bcbc36ab460d15c847c402d3b3d44e2adde277f6cdce5e16bf284b59b874d71

Commit 19dc16d (good):
https://www.virustotal.com/gui/file/e95316049c1e8123823eb475406425d33b9922b04c1f249d7596f6722a425740

Commit fe53eb2 (bad, 1/72 flagged):
https://www.virustotal.com/gui/file/6bcbc36ab460d15c847c402d3b3d44e2adde277f6cdce5e16bf284b59b874d71

Commit 9c0e932 (bad, 1/72 flagged):
https://www.virustotal.com/gui/file/0512e8b2e25c64c11d470e54ca931f464986cd7d41031c02e6dee53425d86ad2

I suspect it will end up at nix flake update commit which implicitly updated Rust, but doing proper git bisect currently anyway.

EDIT: so it is 9c0e932 which updated Rust.

This problem results in antivirus deleting deltachat-rpc-server.exe when installing Delta Chat Desktop on Windows and breaking the setup: deltachat/deltachat-desktop#4209

[link2xt]

At this point it is only Microsoft detecting Trojan:Win64/CobaltStrike.IM!MTB
Seems they have a history of such false positives: https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-scars-admins-with-false-cobalt-strike-alerts/

Also here: tree-sitter/tree-sitter-css#35

[link2xt]

https://docs.virustotal.com/docs/false-positive-contacts lists https://www.microsoft.com/en-us/wdsi/filesubmission as a place to report false positives. There is a way to upload your binary as a "software developer", probably we should do it from Delta Chat related account.

[WofWca]

What's interesting is that the 32-bit build of 1.150 is not flagged: https://www.virustotal.com/gui/file/98c85c5cd0fab1be0f12dc4768b889aaaaa53a8124ced8c5039e24c08ea260d6

[link2xt]

I uploaded 1.152.0 as the false positive:

[link2xt]

1.152.0 release, the latest one at the moment and the one submitted as false positive:
https://www.virustotal.com/gui/file/f5c3174fa11bb2010a9aadad993ce4b130d0b5de2a17782a64619bb2e67277e4

We can click to rescan it later and see if the problem is resolved.

[link2xt]

I have also tested that checking out v1.149.0 tag and running nix flake lock --update-input fenix to only update Rust results in Microsoft detecting 1.149.0 as Trojan:Win64/CobaltStrike.IM!MTB: https://www.virustotal.com/gui/file/bf0ddac0dd7c4a667f37f5207d55cd08b3c01b980738826e93e44d894168511d

Here is the diff compared to 1.149.0:

diff --git a/flake.lock b/flake.lock
index 95b1fe5d8..8fe43fb73 100644
--- a/flake.lock
+++ b/flake.lock
@@ -47,11 +47,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1714112748,
-        "narHash": "sha256-jq6Cpf/pQH85p+uTwPPrGG8Ky/zUOTwMJ7mcqc5M4So=",
+        "lastModified": 1734071760,
+        "narHash": "sha256-i5/1cvgahF0lvtRkg9aKlYr0SuE8hNO7xaqvdkc+qXE=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "3ae4b908a795b6a3824d401a0702e11a7157d7e1",
+        "rev": "db0bcf236f561ebbac1204074757c26c53a3d63c",
         "type": "github"
       },
       "original": {
@@ -147,11 +147,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1713895582,
-        "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
+        "lastModified": 1733940404,
+        "narHash": "sha256-Pj39hSoUA86ZePPF/UXiYHHM7hMIkios8TYG29kQT4g=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "572af610f6151fd41c212f897c71f7056e3fb518",
+        "rev": "5d67ea6b4b63378b9c13be21e2ec9d1afc921713",
         "type": "github"
       },
       "original": {
@@ -203,11 +203,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1714031783,
-        "narHash": "sha256-xS/niQsq1CQPOe4M4jvVPO2cnXS/EIeRG5gIopUbk+Q=",
+        "lastModified": 1734022706,
+        "narHash": "sha256-rIz8/rsTP5N7uLSyFbHZ+ink6EHBKkWFAQPkzhq7/YM=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "56bee2ddafa6177b19c631eedc88d43366553223",
+        "rev": "9b2e72c40454012cbac8a1aa94d65931e3a7b881",
         "type": "github"
       },
       "original": {

[WofWca]

We can click to rescan it later and see if the problem is resolved.

Unlikely, it's been marking other releases as potentially malicious

[link2xt]

I mean if Microsoft does something about false positive, VirusTotal should stop detecting old binaries as malware as well.

[link2xt]

There is a workaround at #6346 but this Rust downgrade prevents us from upgrading dependencies, e.g. iroh at #6309 so the issue will remain open until Microsoft fixes the false positive.

[link2xt]

There is also an update on the false positive report:

[link2xt]

VirusTotal still flags 1.152.0 so the issue remains open until we can build with new Rust and get 0 detections on VirusTotal and can merge #6348

[link2xt]

Current situation with #6348

https://www.virustotal.com/old-browsers/file/5ba9d321c00a387fcab67ec8ab59325f118307c7914e45f04eb2efdaa81ef655 (2/76, Ikarus + Google)

https://www.virustotal.com/gui/file/5ba9d321c00a387fcab67ec8ab59325f118307c7914e45f04eb2efdaa81ef655 (2/72, Google + Ikarus)

[link2xt]

According to https://docs.virustotal.com/docs/false-positive-contacts we should write to [email protected] or what? Not going to do it.

[gerryfrancis]

@link2xt The situation has become worse, now 5 of 76 scanners report a trojan. (Just click one of the links you posted above.)

[WofWca]

What about Microsoft? Because I'm not sure if we should care about Google. Does it not let you download the installer through Chrome?

[link2xt]

The file from https://github.com/deltachat/deltachat-core-rust/releases/download/v1.152.2/deltachat-rpc-server-win64.exe is completely clean:
https://www.virustotal.com/gui/file/0f09e707d2dfa12b18ce4acaf4d484f61eef359e04d717296af4f23629527598

[link2xt]

Here is 1.153.0 compiled with new Rust from PR #6348:
https://www.virustotal.com/gui/file/fe2d13431883f8c108ed7546e04f089bbc9dabc33640887d2484fcbdb7bc2814
Currently 2/72, Google + Ikarus.

1.153.0 with current Rust is clean:
https://www.virustotal.com/gui/file/e4260a237473b147e8ea6fd4a4260179c9dacd045734540fc86c5077e079589c

[link2xt]

This "Ikarus" is probably just using outdated Microsoft antivirus and will update eventually, but Google I'd like to have fixed before we upgrade. It probably affects Google Drive at least.

[link2xt]

Another update of PR #6348, now two (Google + Ikarus) again.

https://www.virustotal.com/old-browsers/file/d51e6f5323b20fe9cc6543e967b6521612187c186459b8287a938a788aa10d5d
https://www.virustotal.com/gui/file/d51e6f5323b20fe9cc6543e967b6521612187c186459b8287a938a788aa10d5d

Similar issue, looks like these two vendors like to generate false positives: java-native-access/jna#1627

[WofWca]

I just tried downloading https://github.com/deltachat/deltachat-core-rust/releases/download/v1.153.0/deltachat-rpc-server-win64.exe with Google Chrome. It, worked fine, Chrome didn't say anything.

Edit: as pointed out below: this version is not marked as malware, because it uses old Rust.
But I tried downloading the below-mentioned MR's build artifact (which is zipped) (https://github.com/deltachat/deltachat-core-rust/actions/runs/12701889784/artifacts/2410714660), and Chrome did not complain.

[gerryfrancis]

@WofWca Looks fine now: https://www.virustotal.com/gui/file/e4260a237473b147e8ea6fd4a4260179c9dacd045734540fc86c5077e079589c

[link2xt]

I just tried downloading https://github.com/deltachat/deltachat-core-rust/releases/download/v1.153.0/deltachat-rpc-server-win64.exe with Google Chrome. It, worked fine, Chrome didn't say anything.

All releases are still compiled with old Rust. Rust version is pinned by flake.lock. What matters is the version of the fenix dependency from the flake.nix. In the PR #6348 which I rebased yesterday I also update flake.lock with nix flake update fenix because currently pinned fenix does not contain Rust 1.81. And binaries built with new nightly Rust locked in this new flake.lock do not pass.

I already posted above that "1.153.0 with current Rust is clean" and a link to https://www.virustotal.com/gui/file/e4260a237473b147e8ea6fd4a4260179c9dacd045734540fc86c5077e079589c, this was always clean and this does not change, but it is built with old Rust, some nightly below 1.81.

As soon as we merge #6348 we will get this in releases:
https://www.virustotal.com/gui/file/d51e6f5323b20fe9cc6543e967b6521612187c186459b8287a938a788aa10d5d

[link2xt]

I will wait until the fix deltachat/deltachat-desktop#4469 for desktop is merged, then merge #6348. We will still have false positives for Google and Ikarus but it will be easier to report such false positives if we can point to releases.