Hello,

The VT link checked the *URL*, not the binary itself. As the executable is above 20MB there's no way (AFAIK) to let it be checked by VT.

Vigorf.A is a "generic" detection[1], which basically means that it classifies the program as malicious based on behaviour or other heuristics --- thus there often is no definitive single thing that causes the detection; it's a combination of many small factors.

After taking a quick look at the executable, possible flags are:

* the data to be installed is appended to the executable (often called overlay or EOF data). This is a technique often used by so-called "binders", which pack a legitimate and a malicious executable together and execute both - so the user sees a legitimate program running and thinks that the whole executable was legitimate.
* the file itself has very high entropy (7.96), which indicates encrypted or packed data. AVs flag executables with an entropy higher than 6 (thresholds may vary) because, well, encrypted or packed data (from the POV of the AV) means that data is hidden and thus cannot be analyzed.

I'm not sure how to handle that situation; those are (basically) necessary for the installer to function. Storing the data unpacked would bloat the binary way beyond anything sensible; storing it any other way (as a resource or in .data) won't help either. Not to mention that this would require mucking around with InnoSetup.

Maybe Microsoft is willing to create an exception, but then this problem would just resurface every new release. Another option might be codesigning, but that requires money, infrastructure and time.

[1] https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-descriptio...

On 24.05.2018 at 10:24, Peter Dimov via Boost wrote:
Mateusz Loskot wrote:
Hi,
One user reported via #boost at cpplang.slack.com that Windows Defender reported a trojan in the latest Windows binaries. I checked myself and I can confirm the latest up-to-date Windows Defender is detecting Vigorf.A in the installer archive.
Is this a false report?
VirusTotal says clean: https://www.virustotal.com/#/url/b9ac08dd74b171f589b64bd91ba192986f7fe861fa4...
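The two heuristics named in the reply above (data appended past the last PE section, and high entropy), measured in an added example that is not part of the original thread: it finds where the last section's raw data ends and computes Shannon entropy for the whole file and for the overlay. The stub PE and the hash-derived payload are constructed inputs, and the certificate table of a signed file, which also sits past the last section, is not separated out here.

```python
import hashlib, math, struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def overlay_offset(pe: bytes) -> int:
    """File offset where the last section's raw data ends; anything past it is overlay."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    end = 0
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(pe))  # clamp for truncated files

def overlay_report(pe: bytes) -> dict:
    off = overlay_offset(pe)
    return {"overlay_offset": off, "overlay_size": len(pe) - off,
            "file_entropy": shannon_entropy(pe),
            "overlay_entropy": shannon_entropy(pe[off:])}

def build_sample(payload: bytes) -> bytes:
    """Constructed input: header-only PE stub with one 0x200-byte section, then payload."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    return (dos + coff + sect).ljust(0x200, b"\0") + bytes(0x200) + payload

# Constructed stand-in for compressed installer data: 64 KiB of hash output.
PACKED = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(2048))

if __name__ == "__main__":
    for name, blob in (("stub only", build_sample(b"")),
                       ("stub + packed data", build_sample(PACKED))):
        r = overlay_report(blob)
        print(f"{name}: overlay={r['overlay_size']} bytes, "
              f"file entropy={r['file_entropy']:.2f}, overlay entropy={r['overlay_entropy']:.2f}")
```

Because a small stub followed by a large compressed payload is dominated by the payload, the whole-file figure lands close to the overlay's, which is the situation the reply describes for the installer.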