
Windows Defender identifies llvm-strings.exe as Trojan:Win32/Acll

Open mxk opened this issue 1 year ago • 51 comments

I'm guessing this is a false positive, but still wanted to mention that mingw64\bin\llvm-strings.exe in winlibs-x86_64-posix-seh-gcc-13.2.0-llvm-18.1.3-mingw-w64ucrt-11.0.1-r7.7z is being identified as Trojan:Win32/Acll on Windows 11 23H2.

mxk avatar Apr 18 '24 13:04 mxk

My build system was also Windows 11 23H2, using Defender as antivirus, and I got no alerts.

Were you also using Defender or a different antivirus software?

brechtsanders avatar Apr 18 '24 16:04 brechtsanders

Also using Defender, but on a company-managed computer, which has everything under "Virus & threat protection settings" enabled. If you have any MAPS or other cloud-related settings turned off, that may be the reason why.

mxk avatar Apr 18 '24 21:04 mxk

I got the same alert on my pc running Windows 10 Home 22H2 (Build 19045.4291).

I did a full offline scan of the 7z file, and only llvm-strings.exe was detected.

I uploaded it to Virus Total and got 30 detections:

https://www.virustotal.com/gui/file/084b09fcab3d3b0812873c876fdbd1797f4a31384e0b00253b44ac29116ffb6a

juanmbt avatar Apr 19 '24 04:04 juanmbt

Looks like generic/heuristic detections, so still seems like false positive.

Though 30 false positives on VirusTotal is a lot.

brechtsanders avatar Apr 19 '24 06:04 brechtsanders

Is the same false positive present in the release from https://github.com/mstorsjo/llvm-mingw/releases ?

brechtsanders avatar Apr 19 '24 06:04 brechtsanders

No, neither llvm-mingw-20240417-ucrt-x86_64.zip nor llvm-mingw-20240417-msvcrt-x86_64.zip trigger any Defender alerts. I don't know if it matters, but the ucrt version of llvm-strings.exe in that zip is about half the size of the winlibs version.

mxk avatar Apr 19 '24 12:04 mxk

I re-scanned the original compressed file after updating the definitions in Defender. Now I got two new alerts:

The original reported alert, and these two:

Trojan:Win32/Wacatac.H!ml nvptx-arch.exe

Trojan:Win32/Znyonm UnicodeNameMappingGenerator.exe

juanmbt avatar Apr 19 '24 22:04 juanmbt

It's not uncommon for antivirus heuristics to find threats in software development tools (assemblers, compilers, linkers).

From my side all I can say is that I really built everything from source, down to each and every dependency.

So in theory, if these are not false positives, either the code was compromised before I compiled it, or the binaries were compromised after (the checksum files are there to detect files tampered with after I published them).

How can we be certain these are false positives?

brechtsanders avatar Apr 21 '24 12:04 brechtsanders
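The checksum check mentioned above is the one concrete test a downloader can run offline, and the VirusTotal link earlier in the thread is keyed by the file's SHA-256, so per-file hashes from inside the archive can be compared against a report without uploading anything. The script below is an added example, not winlibs' own tooling: it assumes the published checksum file uses the `sha256sum` line format (`<hex>  <filename>`), and it builds a small in-memory zip with placeholder bytes (constructed here, not a real release) so it runs stand-alone. Real winlibs archives are `.7z` or `.zip`; the per-member hashing below only handles zip, since that is what the standard library can read.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, Tuple

# sha256sum-style line: "<64 hex chars>  <filename>" (a leading '*' marks binary mode).
# Assumption: the publisher's checksum file uses this format.
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Map each filename listed in a sha256sum-style file to its expected (lowercase) digest."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CHECKSUM_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised checksum line: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_archive(name: str, data: bytes, checksum_text: str) -> Tuple[bool, str, str]:
    """Return (matches, expected_digest, actual_digest) for the named download.

    A mismatch means the bytes on disk are not the bytes the publisher hashed
    (download corruption or post-publication tampering); a match says nothing
    about whether the published bytes themselves are clean."""
    expected = parse_checksum_file(checksum_text)
    if name not in expected:
        raise KeyError(f"{name} is not listed in the checksum file")
    actual = sha256_hex(data)
    return actual == expected[name], expected[name], actual


def member_hashes(zip_bytes: bytes) -> Dict[str, str]:
    """SHA-256 of every file inside a zip, keyed by its path in the archive.

    VirusTotal file reports are addressed by SHA-256, so each value can be
    looked up (or compared with a report someone else linked) directly."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            h = hashlib.sha256()
            with zf.open(info) as fh:  # stream in 1 MiB chunks; members can be large
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[info.filename] = h.hexdigest()
    return digests


# --- constructed sample data (placeholder bytes, not a real winlibs release) ---
SAMPLE_MEMBERS = {
    "mingw64/bin/llvm-strings.exe": b"MZ\x90\x00placeholder-bytes-not-a-real-pe\n",
    "mingw64/bin/nvptx-arch.exe": b"MZ\x90\x00another-placeholder\n",
}


def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in SAMPLE_MEMBERS.items():
            # Fixed timestamp so the archive bytes (and thus its hash) are deterministic.
            info = zipfile.ZipInfo(path, date_time=(2024, 4, 18, 0, 0, 0))
            zf.writestr(info, content)
    return buf.getvalue()


SAMPLE_ARCHIVE_NAME = "winlibs-sample.zip"
SAMPLE_ARCHIVE = build_sample_archive()
# The checksum file as a publisher would ship it; generated from the sample so the demo runs offline.
SAMPLE_CHECKSUM_TEXT = f"{sha256_hex(SAMPLE_ARCHIVE)}  {SAMPLE_ARCHIVE_NAME}\n"


def demo() -> bool:
    ok, want, got = verify_archive(SAMPLE_ARCHIVE_NAME, SAMPLE_ARCHIVE, SAMPLE_CHECKSUM_TEXT)
    print(f"archive checksum {'OK' if ok else 'MISMATCH'}: expected {want}, got {got}")
    for path, digest in member_hashes(SAMPLE_ARCHIVE).items():
        print(f"  {digest}  {path}")
    return ok


if __name__ == "__main__":
    demo()
```

To use it on a real download, read the archive from disk with `open(path, "rb").read()` (or hash it in chunks) and paste the publisher's checksum line into `checksum_text`; the per-member digests can then be pasted into the VirusTotal search box to find existing reports for that exact build of `llvm-strings.exe`.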

Same here, defender alert on llvm-enabled builds. Workaround : download non-llvm releases :)

  • mingw64\bin\UnicodeNameMappingGenerator.exe -> Trojan:Win32/Znyonm
  • mingw64\bin\nvptx-arch.exe -> Trojan:Win32/Phonzy.A!ml
  • mingw64\bin\llvm-strings.exe -> Trojan:Win32/Acll

YouriAndropov avatar Apr 25 '24 23:04 YouriAndropov

Same as YouriAndropov, plus an additional trojan, Virgof.A; none of these appear in winlibs-x86_64-posix-seh-gcc-13.1.0-llvm-16.0.5-mingw-w64ucrt-11.0.0-r5.7

ghost avatar Apr 26 '24 00:04 ghost

[Screenshot: Screenshot_2024-04-29_001319.png]

I used Brave to download it. Brave said it was unsafe and prompted me whether to keep it or not; then, when unzipping, Bitdefender kicked in and quarantined the files. I also scanned with VirusTotal and got detections.

anirban6996 avatar Apr 28 '24 19:04 anirban6996

[Screenshot: 2024-04-30 00_50_04-Windows Security]

ghost avatar Apr 29 '24 19:04 ghost

Results from Malwarebytes Anti-Malware

  • Trojan.Crypt.Generic, C:\MINGW64\BIN\AMDGPU-ARCH.EXE
  • Trojan.Crypt.Generic, C:\MINGW64\BIN\LLVM-STRINGS.EXE
  • Trojan.Crypt.Generic, C:\MINGW64\BIN\UNICODENAMEMAPPINGGENERATOR.EXE
  • Trojan.Crypt.Generic, C:\MINGW64\BIN\NVPTX-ARCH.EXE

lucascampolimm avatar May 02 '24 06:05 lucascampolimm

I created new releases. Can you please tell me if your virus alerts are gone in these releases?

  • https://github.com/brechtsanders/winlibs_mingw/releases/tag/13.2.0posix-18.1.5-11.0.1-msvcrt-r8
  • https://github.com/brechtsanders/winlibs_mingw/releases/tag/13.2.0posix-18.1.5-11.0.1-ucrt-r8

brechtsanders avatar May 04 '24 12:05 brechtsanders

I tested the ucrt x64 release r8 and it seems OK now. I think Harsh Kumar Narula was right and the infection was real.

YouriAndropov avatar May 04 '24 20:05 YouriAndropov

New results from Malwarebytes Anti-Malware, UCRT version. To date, I haven't encountered any issues with these releases, but I felt it was important to report these detections.

  • Malware.AI.4095755650 C:\MINGW64\BIN\AMDGPU-ARCH.EXE
  • Malware.AI.4031154886 C:\MINGW64\BIN\LLVM-STRINGS.EXE
  • Malware.AI.4196497163 C:\MINGW64\BIN\UNICODENAMEMAPPINGGENERATOR.EXE
  • Malware.AI.3214030154 C:\MINGW64\BIN\NVPTX-ARCH.EXE

lucascampolimm avatar May 04 '24 23:05 lucascampolimm

Have you gained an understanding of what was the cause of the possible infection? To prevent this from happening in the future.

plashenkov avatar May 06 '24 22:05 plashenkov

@lucascampolimm are you talking about revision 7 or revision 8? It is quite unclear. My Windows Defender couldn't find any threat in the latest build.

YouriAndropov avatar May 07 '24 18:05 YouriAndropov

I downloaded the R8 UCRT LLVM x64 file: winlibs-x86_64-posix-seh-gcc-13.2.0-llvm-18.1.5-mingw-w64ucrt-11.0.1-r8.zip

Got these detections:

  • Trojan:Win32/Wacatac.H!ml: mingw64/bin/amdgpu-arch.exe
  • Trojan:Win32/Phonzy.A!ml: mingw64/bin/llvm-strings.exe, mingw64/bin/nvptx-arch.exe, mingw64/bin/UnicodeNameMappingGenerator.exe

juanmbt avatar May 07 '24 19:05 juanmbt

@YouriAndropov I tried out the r7 first, and then I gave the r8 a go.

lucascampolimm avatar May 07 '24 19:05 lucascampolimm

If r8 also shows the threats then I'm even more convinced these are false positives, especially since some antivirus scanners label the threats as generic or heuristic, meaning they don't match actual signatures of known viruses.

Add to that that it's only in LLVM binaries, not in all the rest, which was also built on the same build system.

brechtsanders avatar May 07 '24 20:05 brechtsanders
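The "generic or heuristic" distinction above can be read off the detection names themselves: Microsoft Defender names follow `Type:Platform/Family[.Variant][!Suffix]`, where the `!ml` suffix marks a machine-learning verdict rather than a match on a known family, and other vendors use tokens such as `Generic` or `AI` for the same kind of verdict. The script below is an added triage aid, not part of the thread or of any vendor's tooling: it parses the names reported in this thread (reproduced here as constructed sample input) and, per file, reports whether every verdict carries a heuristic/ML marker. A name without such a marker is not proof of a real infection, and a name with one is not proof of a false positive; the output only tells you which files deserve a closer look, for example by hashing them and comparing against a VirusTotal report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Microsoft Defender naming scheme: Type:Platform/Family[.Variant][!Suffix ...]
# e.g. "Trojan:Win32/Wacatac.H!ml" -> type Trojan, platform Win32, family Wacatac,
# variant H, suffix "ml" (machine-learning detection).
DEFENDER_NAME = re.compile(
    r"^(?P<type>[A-Za-z]+):(?P<platform>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?(?P<suffixes>(?:![A-Za-z0-9]+)*)$"
)

# Tokens that, in Defender ('!ml') or other vendors' names ('Trojan.Crypt.Generic',
# 'Malware.AI.<n>'), indicate a heuristic/generic/ML verdict rather than a named family.
GENERIC_TOKENS = {"ml", "generic", "heur", "heuristic", "ai"}


@dataclass
class Detection:
    raw: str
    family: Optional[str] = None          # only filled in for Defender-style names
    suffixes: List[str] = field(default_factory=list)

    @property
    def is_generic(self) -> bool:
        tokens = {t.lower() for t in re.split(r"[.:/!]", self.raw) if t}
        return bool(tokens & GENERIC_TOKENS)


def parse_detection(name: str) -> Detection:
    """Parse a Defender-style name into family/suffixes; other vendors' names are kept raw."""
    name = name.strip()
    m = DEFENDER_NAME.match(name)
    if m is None:
        return Detection(raw=name)
    suffixes = [s for s in m.group("suffixes").split("!") if s]
    return Detection(raw=name, family=m.group("family"), suffixes=suffixes)


def file_key(path: str) -> str:
    """Normalise 'C:\\MINGW64\\BIN\\X.EXE' and 'mingw64/bin/x.exe' to the same key."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def triage(alerts: List[Tuple[str, str]]) -> Dict[str, Dict[str, object]]:
    """Group (detection name, path) pairs by file and flag files whose verdicts are all generic/ML."""
    per_file: Dict[str, List[Detection]] = {}
    for name, path in alerts:
        per_file.setdefault(file_key(path), []).append(parse_detection(name))
    return {
        key: {
            "names": sorted({d.raw for d in dets}),
            "only_generic": all(d.is_generic for d in dets),
        }
        for key, dets in per_file.items()
    }


# Constructed sample: detection names and paths as reported earlier in this thread.
SAMPLE_ALERTS = [
    ("Trojan:Win32/Acll", r"mingw64\bin\llvm-strings.exe"),
    ("Trojan:Win32/Phonzy.A!ml", "mingw64/bin/llvm-strings.exe"),
    ("Trojan.Crypt.Generic", r"C:\MINGW64\BIN\LLVM-STRINGS.EXE"),
    ("Malware.AI.4031154886", r"C:\MINGW64\BIN\LLVM-STRINGS.EXE"),
    ("Trojan:Win32/Wacatac.H!ml", "mingw64/bin/nvptx-arch.exe"),
    ("Trojan.Crypt.Generic", r"C:\MINGW64\BIN\NVPTX-ARCH.EXE"),
    ("Trojan:Win32/Znyonm", "mingw64/bin/UnicodeNameMappingGenerator.exe"),
]


def report(alerts: List[Tuple[str, str]] = SAMPLE_ALERTS) -> Dict[str, Dict[str, object]]:
    result = triage(alerts)
    for key, info in result.items():
        marker = "all heuristic/ML" if info["only_generic"] else "has named-family verdict"
        print(f"{key}: {len(info['names'])} distinct names, {marker}")
        for n in info["names"]:
            print(f"    {n}")
    return result


if __name__ == "__main__":
    report()
```

On the sample, `nvptx-arch.exe` comes out as "all heuristic/ML" (Wacatac.H!ml plus Trojan.Crypt.Generic), while `llvm-strings.exe` does not, because `Trojan:Win32/Acll` carries no heuristic marker; that is the file to hash and cross-check first.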

Tested again and this time defender found Trojan:Script/Wacatac.H!ml… Maybe safer to stick to non-llvm releases until we know for sure.

YouriAndropov avatar May 07 '24 22:05 YouriAndropov

Question: I just released GCC 14.1.0 builds. Does this change anything with regards to the virus alerts?

brechtsanders avatar May 08 '24 14:05 brechtsanders

My Windows Defender finds no threats in GCC 14.1.0 + LLVM.

Release 8 of GCC 13.2.0 was the same just after its release (no threats), but after some time Defender began to show the alerts.

plashenkov avatar May 08 '24 14:05 plashenkov

My antivirus (F-Secure) flagged:

  • UnicodeNameMappingGenerator.exe with Trojan.TR/AVI.Agent.cbart
  • nvptx-arch.exe with Trojan.TR/AVI.Agent.miqlr
  • llvm-strings.exe with Trojan.TR/AVI.Agent.wolyp
  • amdgpu-arch.exe with Trojan.TR/AVI.Agent.knzjf

Using winlibs personal build version gcc-13.2.0-llvm-18.1.5-mingw-w64ucrt-11.0.1-r8

PyryLaa avatar May 10 '24 08:05 PyryLaa

Defender now finds Trojan:Win32/cerber in winlibs-x86_64-posix-seh-gcc-14.1.0-llvm-18.1.5-mingw-w64ucrt-11.0.1-r1.7z in the following files:

  • libLLVMNVPTXDesc.dll
  • libLLVMX86Desc.dll

Still unsure of what to think about these alerts.

YouriAndropov avatar May 23 '24 09:05 YouriAndropov

https://www.virustotal.com/gui/file/6ad191561595d4359d2e3efc65c7e0168f592ed96a8680f4c1f711914cb7ed6b/behavior

Why does nvptx-arch.exe delete folders and registry keys related to Google Update?

lucascampolimm avatar May 28 '24 20:05 lucascampolimm

In this context, "dropped" usually means created (as in dropped onto your hard drive), not deleted.

Completely agree it has no business touching any of those files, though.

Alcaro avatar May 28 '24 20:05 Alcaro

Are the virus alerts for LLVM components still present in these last releases?

  • https://github.com/brechtsanders/winlibs_mingw/releases/tag/14.1.0posix-18.1.7-12.0.0-ucrt-r2
  • https://github.com/brechtsanders/winlibs_mingw/releases/tag/14.1.0posix-18.1.7-12.0.0-msvcrt-r2

The build system used to build these releases has been scanned with multiple virus scanners and nothing was found.

brechtsanders avatar Jun 10 '24 05:06 brechtsanders

Hello, Trojan:Win32/Phonzy.B!ml detected on winlibs-x86_64-posix-seh-gcc-14.1.0-llvm-18.1.7-mingw-w64ucrt-12.0.0-r2.7z, file: UnicodeNameMappingGenerator.exe

YouriAndropov avatar Jun 10 '24 18:06 YouriAndropov