At a specific crate, the security software detects malware

I am using Kaspersky on Windows 11 and VHO:Trojan.Win32.Sdum.gen has been detected. The path of the object is \target\debug\build\lock_api-c19a87ff62304834. The object name is build-script-build.exe. Is this object ok?
If yes, exclude it from scanning with Kaspersky.

$ rustup show
Default host: x86_64-pc-windows-gnu
rustup home:  C:\Users\daiki\scoop\persist\rustup\.rustup

installed toolchains
--------------------

stable-x86_64-pc-windows-gnu
stable-x86_64-pc-windows-msvc (default)
1.70.0-x86_64-pc-windows-gnu
1.72.0-x86_64-pc-windows-gnu

installed targets for active toolchain
--------------------------------------

wasm32-unknown-unknown
x86_64-pc-windows-msvc

active toolchain
----------------

stable-x86_64-pc-windows-msvc (default)
rustc 1.72.1 (d5c2e9c34 2023-09-13)

Please help me ;;

This is the result of compiling axum's project.

This is the screen when blocked by Kaspersky.

   Compiling num-traits v0.2.15
   Compiling rand v0.8.5
error: failed to run custom build command for `quote v1.0.30`

Caused by:
  could not execute process `D:\projects\rust\axum-tera\target\debug\build\quote-118d235b3539816e\build-script-build` (never executed)

Caused by:
  Process cannot access file. Another process is in use. (os error 32)
warning: build failed, waiting for other jobs to finish...
error: failed to run custom build command for `lock_api v0.4.10`

Caused by:
  could not execute process `D:\projects\rust\axum-tera\target\debug\build\lock_api-c19a87ff62304834\build-script-build` (never executed)

Caused by:
  Access denied. (os error 5)
error: failed to run custom build command for `parking_lot_core v0.9.8`

Caused by:
  could not execute process `D:\projects\rust\axum-tera\target\debug\build\parking_lot_core-eee2bb8dc4d68b01\build-script-build` (never executed)

Caused by:
  Access denied. (os error 5)

This is almost certainly a false positive on Kaspersky's side. It seems they make a habit of marking Rust executables that were compiled locally (which includes build scripts like build-script-build.exe) as malware.

In particular, it's quite improbable that quote, lock_api, and parking_lot_core would all be compromised because they are core parts of the Rust ecosystem (e.g. I'm pretty sure lock_api and parking_lot_core are used for std's mutexes, and quote is the second most downloaded crate on crates.io).

Searching the RustSec database shows quote has no reported advisories, lock_api only has one advisory from back in 2020, and parking_lot_core has no reported advisories.

In general, I'm pretty suspicious of how effective antivirus software is in this day and age, especially when there are allegations that they may be used by nation states.

7 Likes

Libstd has its own futex-based mutex implementation now. And before that it used OS mutexes.

1 Like

The RFC for const-init std mutex mentioned that it may use parking_lot impl for platforms which don't support it. But it seems that it wasn't needed for all supported targets currently. The rustc itself uses parking_lot extensively, though.

1 Like

(Tangential, but...)

Depends on your platform; still a pthread mutex on macOS for example. Looks like Windows uses SRWLock.

1 Like

Antivirus software in general tends to distrust programs that were created on your own computer.

The .Gen suffix on the detection stands for "Generic", i.e. it doesn't actually know what this program is.
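Added example, not part of any post in this thread and not cargo's or Kaspersky's own code: a small Rust program that parses the cargo output quoted in the question and lists which build scripts were blocked and with which Windows error code, so each crate can be looked up in RustSec or reported to the vendor as a false positive before any exclusion is configured. The names `Blocked`, `crate_from_path`, `blocked_build_scripts` and `meaning` are hypothetical; the sample lines are copied from the question.

```rust
/// One build script that cargo reported it could not start.
pub struct Blocked {
    pub krate: String,         // crate name, metadata hash stripped
    pub path: String,          // path cargo tried to execute
    pub os_error: Option<u32>, // code from the following "Caused by" block
}

/// `...\build\lock_api-c19a87ff62304834\build-script-build` -> `lock_api`
fn crate_from_path(path: &str) -> Option<String> {
    let mut parts = path.rsplit(|c: char| c == '\\' || c == '/');
    parts.next()?; // build-script-build
    let (name, hash) = parts.next()?.rsplit_once('-')?;
    // cargo suffixes the build directory with a 16-hex-digit metadata hash
    (hash.len() == 16 && hash.chars().all(|c| c.is_ascii_hexdigit())).then(|| name.to_string())
}

pub fn blocked_build_scripts(log: &str) -> Vec<Blocked> {
    let mut out: Vec<Blocked> = Vec::new();
    for line in log.lines().map(str::trim) {
        if let Some(rest) = line.strip_prefix("could not execute process `") {
            let path = rest.split_once('`').map_or(rest, |(p, _)| p);
            if let Some(krate) = crate_from_path(path) {
                out.push(Blocked { krate, path: path.to_string(), os_error: None });
            }
        } else if let (Some(i), Some(last)) = (line.find("(os error "), out.last_mut()) {
            // attach the code to the most recent blocked script, once
            if last.os_error.is_none() {
                last.os_error = line[i + 10..].trim_end_matches(')').parse().ok();
            }
        }
    }
    out
}
pub fn meaning(code: u32) -> &'static str {
    match code { 5 => "ERROR_ACCESS_DENIED", 32 => "ERROR_SHARING_VIOLATION", _ => "other" }
}

// Sample input: lines copied from the cargo output quoted in the question.
pub const SAMPLE: &str = r"could not execute process `D:\projects\rust\axum-tera\target\debug\build\quote-118d235b3539816e\build-script-build` (never executed)
  Process cannot access file. Another process is in use. (os error 32)
  could not execute process `D:\projects\rust\axum-tera\target\debug\build\lock_api-c19a87ff62304834\build-script-build` (never executed)
  Access denied. (os error 5)
  could not execute process `D:\projects\rust\axum-tera\target\debug\build\parking_lot_core-eee2bb8dc4d68b01\build-script-build` (never executed)
  Access denied. (os error 5)";

fn main() {
    for b in blocked_build_scripts(SAMPLE) {
        println!("{} {:?} {}", b.krate, b.os_error.map(meaning), b.path);
    }
}
```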
