
strip-ansi-escapes.exe is detected as a Trojan by some anti-virus #5041

Closed
ite-usagi opened this issue Feb 20, 2024 · 13 comments
Labels
bug Something isn't working

Comments

@ite-usagi

ite-usagi commented Feb 20, 2024

What Operating System(s) are you seeing this problem on?

Windows

Which Wayland compositor or X11 Window manager(s) are you using?

No response

WezTerm version

20240203-110809-5046fc22

Did you try the latest nightly build to see if the issue is better (or worse!) than your current version?

Yes, and I updated the version box above to show the version of the nightly that I tried

Describe the bug

Some anti-virus products, including Microsoft Defender, detect strip-ansi-escapes.exe as a Trojan.
I've already requested analysis from Microsoft.

To Reproduce

No response

Configuration

no config

Expected Behavior

No response

Logs

Microsoft Defender detection target: Trojan:Win32/Wacatac.B!ml

VirusTotal result
[Screenshot 2024-02-20 103846]
Note: VirusTotal results are for reference only. It appears that this file is detected as a trojan mainly by unreliable vendors, such as Panda, GData and Bitdefender.

Anything else?

No response

@ite-usagi ite-usagi added the bug Something isn't working label Feb 20, 2024
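A small triage script for a report like the one above, added here as an example; it is not part of WezTerm and was not posted in this issue. It pins down exactly which bytes are being discussed (the SHA-256 is what VirusTotal keys on and what a false-positive submission is judged against), records whether the file carries an Authenticode signature, and asks Defender which threat record it actually created instead of trusting the notification toast. The install path is an assumption for a winget install; adjust `$exe` for your machine, and compare the printed hash with whatever hash your own source of truth (the download you verified, a colleague's install, the VirusTotal entry) records for that release before treating the detection as a false positive rather than a tampered download.

```powershell
# Added example, not WezTerm project code. Requires Windows with the
# Defender PowerShell module; step 3 may need an elevated prompt.
$exe = 'C:\Program Files\WezTerm\strip-ansi-escapes.exe'   # assumed install path

if (-not (Test-Path -LiteralPath $exe)) { throw "Not found: $exe" }

# 1. Identify the exact bytes. Everything downstream (VirusTotal lookup,
#    Microsoft submission, comparing with another user's copy) keys on this.
$hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $exe).Hash.ToLower()
"SHA-256: $hash"
"VirusTotal: https://www.virustotal.com/gui/file/$hash"

# 2. Signature state. Many small Rust helper binaries ship unsigned; that is
#    not malicious by itself, but it removes one signal that would otherwise
#    pull an ML-based verdict (the "!ml" suffix in Wacatac.B!ml) downwards.
$sig = Get-AuthenticodeSignature -FilePath $exe
"Authenticode: $($sig.Status)"
if ($sig.SignerCertificate) { "Signer: $($sig.SignerCertificate.Subject)" }

# 3. What did Defender itself record for this path? The detection objects
#    carry a ThreatID; Get-MpThreat resolves it to the published threat name.
try {
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match [regex]::Escape($exe) } |
        ForEach-Object {
            $threat = Get-MpThreat -ThreatID $_.ThreatID
            [pscustomobject]@{
                Detected = $_.InitialDetectionTime
                Threat   = $threat.ThreatName
                Severity = $threat.SeverityID
                Action   = $_.CleaningActionID
            }
        } | Format-Table -AutoSize
} catch {
    Write-Warning "Could not query Defender detections: $($_.Exception.Message)"
}

# 4. Only after the hash matches the copy you trust is an exclusion defensible,
#    and even then prefer a hash-agnostic process exclusion over a blanket path:
#    Add-MpPreference -ExclusionProcess $exe
#    (left commented out on purpose; run it deliberately, not as part of triage)
```

The hash printed in step 1 is also what to paste into a Microsoft false-positive submission; a reply such as "the files meet our criteria for malware" is easier to contest when the submission names a specific SHA-256 and the clean sandbox reports for that same hash.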
@maphew

maphew commented Feb 21, 2024

Yeah, me too:

[image]

@mknepper

Came to say this is happening to me too on Windows 11 Pro.

@farrsite

Also happening on Windows 11 Home 22H2, Microsoft Defender Antivirus.

@smuel-adm

Same here, Windows Defender reports: "'Malgent' malware"
OS: Windows 10 64-bit (Release 22H2, Build 19045.4046)

@ite-usagi
Author

Received this from Microsoft 🤔
[screenshot]
"We have determined that the files meet our criteria for malware. At this time the detection will remain in place."

@ruedigerha

I had the same message this morning.

After some research I found that there is a Rust crate "strip-ansi-escapes" that is (I think) not what is bundled with WezTerm. Its Fedora package was rebuilt a few days ago because it apparently contained a statically linked libgit2 with two vulnerabilities. I wonder if that has anything to do with this tool being flagged as trojan?

@smuel-adm

smuel-adm commented Feb 22, 2024

Well, why in hell link such a tiny crate as "strip-ansi-escapes" statically against git? I bet it's a cross-compile toolchain issue... never mind, building wezterm under Windows works perfectly for me:
https://wezfurlong.org/wezterm/install/source.html#installing-from-source

$ curl https://sh.rustup.rs -sSf | sh -s
$ git clone --depth=1 --branch=main --recursive https://github.com/wez/wezterm.git
$ cd wezterm
$ git submodule update --init --recursive
$ cargo build --release
$ cargo run --release --bin wezterm -- start

https://www.virustotal.com/gui/file/9b8bca077575c9728e204cc8e1d793e743ed60b610dce2782481cdf5d8c1b148/detection

image

@Flat

Flat commented Feb 26, 2024

> Received this from Microsoft 🤔
> [screenshot]
> "We have determined that the files meet our criteria for malware. At this time the detection will remain in place."

I've also reported this to Microsoft and received the same reply. Makes me wonder if they even analyze the binary.

I've uploaded it to several malware sandboxes and all report no issues and no malicious activities.

@abhbh

abhbh commented Mar 3, 2024

Response from @wez relevant to this issue: #5074 (comment)

@ite-usagi
Author

ite-usagi commented Mar 4, 2024

I scanned the file obtained from winget today with Microsoft Defender security intelligence 1.405.1008.0 and no Trojan was detected. Did they fix the problem?

@abelcheung

> Did they fix the problem?

Probably. Perhaps this issue can be closed now, as Microsoft Defender doesn't flag the wezterm 0203 release anymore, as of Mar 17. Quite a few obscure antivirus engines on VirusTotal just repeat whatever Microsoft determines initially, so take them with a grain of salt; a similar fiasco has happened before with Tor Browser. Alternatively, use the nightly build. It's completely clean in VirusTotal reports (shrug).

@ite-usagi
Author

It looks like the issue has been resolved for most of us, so I'll close this. In the future, it might be better to discuss the same topic in #5074.

Contributor

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 18, 2024