Latest update marked as Trojan Virus by Windows Defender

Open M0n7y5 opened this issue 8 months ago • 8 comments

However, on VirusTotal it says it's clean, so I assume it's a false positive. https://www.virustotal.com/gui/file/062f01e5db94983fb0e726faeb72974fc8422767ef86cc4b652e8aa905d29261

Any input on that?

Apr 23 '25 08:04 M0n7y5

Same problem. Windows 11.

Apr 23 '25 16:04 Dl1MA

#43 #873 #918 #965 #1105

TL;DR: Not much can be done from the SourceGit side; you can try contacting Microsoft support. Usually these ML detections are gone after a few days.

Apr 23 '25 18:04 aikawayataro

Why does this happen over and over? Can you prevent that from happening? What are the options here? I am curious.

Apr 24 '25 11:04 M0n7y5

> TL;DR: Not much can be done from the SourceGit side; you can try contacting Microsoft support. Usually these ML detections are gone after a few days.

This was my experience a few days ago. It was reported as a trojan, but after a Windows update (Defender), it no longer was.

Apr 29 '25 17:04 alensiljak

> Why does this happen over and over? Can you prevent that from happening? What are the options here? I am curious.

  • SourceGit does not have a valid digital signature, which increases the probability of this issue occurring.
  • If you upload the zip to https://www.microsoft.com/en-us/wdsi/submission for detection, you will find that each file in the zip is fine, but the zip package is detected as a potential threat. I'm not sure why this is the case. The zip on the Releases page is automatically generated by the gh release upload "$TAG" packages/* command used in the GitHub Actions pipeline.
  • As @alensiljak said, after a Windows update, this issue will be solved automatically.

Apr 30 '25 01:04 love-linger
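
Added example, not part of the thread and not SourceGit's own code: a Python triage for the situation in the comment above. It hashes the release zip and each member separately, so archive-level and file-level verdicts can be compared, and reports whether each PE file carries an Authenticode certificate table. The function names and the sample archive are constructed for illustration.

```python
import hashlib, io, struct, zipfile
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def has_cert_table(data):
    """True/False for PE images, None otherwise; True means attached, not validated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    opt = pe + 24                                   # skip the PE signature and COFF header
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < opt + 112:
        return None
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(struct.unpack_from("<H", data, opt)[0])
    if dirs is None:                                # neither PE32 nor PE32+
        return None
    count = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    entry = dirs + SECURITY_DIR * 8
    if count <= SECURITY_DIR or len(data) < entry + 8:
        return False
    offset, size = struct.unpack_from("<II", data, entry)
    return offset != 0 and size != 0

def triage_zip(zip_bytes):
    """Hash the archive and each member so both levels can be looked up separately."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    members = [{"name": n, "sha256": hashlib.sha256(d).hexdigest(),
                "cert_table": has_cert_table(d)} for n, d in files]
    return {"archive_sha256": hashlib.sha256(zip_bytes).hexdigest(), "members": members}

def fake_pe(sec_offset, sec_size):
    """Constructed PE32+ header stub for the demo (headers only, not a program)."""
    buf = bytearray(0x58 + 112 + 16 * 8)
    buf[:2], buf[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    struct.pack_into("<H", buf, 0x58, 0x20B)         # optional header magic: PE32+
    struct.pack_into("<I", buf, 0x58 + 108, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, 0x58 + 112 + SECURITY_DIR * 8, sec_offset, sec_size)
    return bytes(buf)

def sample_zip():  # constructed archive: unsigned stub, stub with a cert table, text file
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("app/unsigned.exe", fake_pe(0, 0))
        zf.writestr("app/signed.dll", fake_pe(0x400, 0x1A0))
        zf.writestr("app/README.txt", "constructed sample")
    return out.getvalue()

if __name__ == "__main__":
    for m in triage_zip(sample_zip())["members"]:
        print(m["sha256"][:16], m["cert_table"], m["name"])
```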

You can apply for open source signing via https://signpath.org/. I use it for my app and it solved these issues (at least with MS Defender). You may still get some warnings from SmartScreen because you don't automatically get instant trust unless you use an EV certificate, but long term, it should solve these Defender false positives.

Apr 30 '25 10:04 JosefNemec

> You can apply for open source signing via https://signpath.org/. I use it for my app and it solved these issues (at least with MS Defender). You may still get some warnings from SmartScreen because you don't automatically get instant trust unless you use an EV certificate, but long term, it should solve these Defender false positives.

You've misunderstood what I meant. The main cause of this problem is that the zip file format is used for this project on the Windows platform. As I said above, if you upload it to https://www.microsoft.com/en-us/wdsi/submission for detection, you will find that all the files in the zip are fine, but the zip file itself may be marked as a potential threat. What frustrates me is that, in order to reduce the occurrence of this issue, the zip file on the Releases page is generated by the gh (GitHub CLI) provided by GitHub.

May 20 '25 09:05 love-linger

> What frustrates me is that, in order to reduce the occurrence of this issue, the zip file on the Releases page is generated by the gh (GitHub CLI) provided by GitHub.

< 2025.08, the zip was generated by the zip command in Ubuntu; >= 2025.08, the zip was generated by Compress-Archive in PowerShell. This modification does not seem to improve WD's false positives; it also does not trust the zip generated by PowerShell.

May 20 '25 10:05 gadfly3173