This is not good. Do we need to pull the installer packages?
The packaging happens during CI, right? So does this mean the build VMs are compromised?
On the other hand, @magjac one of your problems is about given.exe from 2.44.1 and the other problem is about neato.exe from 2.45.202… This suggests to me that maybe you have a local infection spreading between files you access. Maybe run a full scan of your Windows machine with Defender?
I will do this as soon as I can, but now I’ve rebooted to Ubuntu 18.04 again to code for money (impossible on Windows).
I think it would be good if someone other than me tried the unzip and test on VirusTotal, which you can do with any OS. My guess is you will see the same thing as me. I have a hard time believing that I have a virus on the Ubuntu 18.04 computer I did that test with.
I get the same result for the msbuild release zip. It finished almost immediately, so I think they just hashed the file and showed me the cached result from your run.
I get the following results for other artifacts:
gvgen.exe from the msbuild debug zip is also detected by SecureAge APEX, but not MaxSecure.
The CMake 32-bit installer is detected by SecureAge APEX, MaxSecure, Bkav, VBA32.
The CMake 64-bit installer is also detected by the same 4 engines.
I am guessing that maybe this is a false positive, given I have never heard of any of these AV products. @magjac when you get back to your Windows machine, can you try running a Windows Defender update and see if Microsoft have released new definitions that change the result?
My virus definitions were up-to-date. I started a full scan, but then the computer became useless and the estimated time was around 2.5 h, so I’m going to let it run overnight instead.
That Windows computer went to sleep when I did. It was 90% complete when I had to cancel the scan. It said Time left: 1:05:36 but counted around 1 second per minute (and not always down). It hadn’t reported any viruses yet.
Thank you for doing this. I’ve never seen this before. Please let me know if you would like me to ask someone at Microsoft for help if standard channels do not work quickly enough.
I don’t think that issue is related; I think that issue is an antivirus just configured to block any unknown binary (so it would be working as intended to block graphviz).