Virus in gvgen.exe?

Windows 10 claims this:

It occurs while copying the install directory with:

~/graphviz-windows$ cp -rp /c/Program\ Files\ \(x86\)/Graphviz\ 2.44.1 32/exe
cp: cannot open '/c/Program Files (x86)/Graphviz 2.44.1/bin/gvgen.exe' for reading: Permission denied

It’s 100% repeatable. I got no warning while installing it.

Perhaps someone of our more proficient Windows users can tell if this is for real or not?

A quick scan with Windows defender also revealed:

Following the Learn more link leads to:

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FWacatac.C!ml&threatid=2147749372

FWIW, I downloaded and ran the F‑Secure Free Online Scanner and it detected nothing:

Perhaps try uploading to VirusTotal? That will test against every antivirus

1 Like

I love Windows:

I unpacked the MSBuild .zip file on an Ubuntu 18.04 system and got this:

Note that is is not exactly the same file since the first file is what the CMake .exe installer installed on my Windows 10 computer.

https://www.virustotal.com/gui/file/371d16f4d0a42966b51b1f85773b1c62b803a8968c0d35c75ab1963b5cc34571/details

This is not good. Do we need to pull the installer packages?

The packaging happens during CI, right? So does this mean the build VMs are compromised?

On the other hand, @magjac one of your problems is about given.exe from 2.44.1 and the other problem is about neato.exe from 2.45.202… This suggests to me that maybe you have a local infection spreading between files you access. Maybe run a full scan of your Windows machine with Defender?

1 Like

I will do this as soon as I can, but now I’ve rebooted to Ubuntu 18.04 again to code for money (impossible on Windows). :money_mouth_face:

I think it would be good if someone else but me tried the unzip and test on VirusTotal which you can do with any OS. My guess is you will see the same thing as me. I have a hard time believing that I have a virus on the Ubuntu 18.04 computer I did that test with.

I get the same result for the msbuild release zip. It finished almost immediately, so I think they just hashed the file and showed me the cached result from your run.

I get the following results for other artifacts:

  • gvgen.exe from the msbuild debug zip is also detected by SecureAge APEX, but not MaxSecure.
  • The CMake 32-bit installer is detected by SecureAge APEX, MaxSecure, Bkav, VBA32
  • The CMake 64-bit installer is also detected by the same 4 engines

I am guessing that maybe this is a false positive, given I have never heard of any of these AV products. @magjac when you get back to your Windows machine, can you try running a Windows Defender update and see if Microsoft have releases new definitions that change the result?

1 Like

Will do later tonight.

My virus definitions were up-to-date. I started a full scan, but then the computer became useless and the estimated time was around 2.5 h, so I’m going to let it run overnight instead.

That :face_with_symbols_over_mouth: Windows computer went to sleep when I did. It was 90% complete when I had to cancel the scan. It said Time left: 1:05:36 but counted around 1 second per minute (and not always down :upside_down_face:). It hadn’t reported any viruses yet.

FWIW I’d expect this is a false positive. Virus patterns are notoriously error prone… all the same it’s our problem to fix :-/

1 Like

I think so too. If this persists; I’m going to try submitting it to Microsoft for analysis.

Thank you for doing this. I’ve never seen this before. Please let me know if you would like me to ask someone at Microsoft for help if standard channels do not work quickly enough.

1 Like

I suspect this is related:

If someone else wants to have a go with Microsoft on this, please go ahead. I don’t have the energy or the bandwidth at the moment.

I don’t think that issue is related, I think that issue is an antivirus just configured to block any unknown binary (so it would be working as intended to block graphviz)

1 Like

I don’t have time right now to do this myself either, but should we create a Gitlab issue to track this?

Sure, gitlab issue sgtm