I'm using Rust's documentation's sample code for initiating a simple TCP connection between two endpoints over a network: let mut stream = TcpStream::connect("192.178.40.50:34254")?;
This single line of code is detected as malicious by several antivirus applications, such as Emsisoft, Avira & EScan. (I've tested them myself, not via VirusTotal or any other online portals.)
Interestingly, initiating TcpStream via other programming languages (such as C#, which is equivalent to the TcpClient class) is not flagged as malicious.
I'm aware that C# cannot be easily compared to a language like Rust.
Nevertheless, this raises the question why such behavior depends on implementation language. Does Rust use a specific method/library for handling TCP connections?
I've also disabled AVs' firewalls, so that's not the case about blocking connections.
In addition to all of this, it is worth noting that these AVs mentioned do not report the file as malicious upon scanning manually, but only when it is executed, so this means they're literally preventing this specific 'behavior', which is connecting to an IP endpoint via TCP.
Is there a workaround to this?
I'm testing this on a Windows 10 machine, with x64 Portable Executable (.EXE) output.
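For readers who want to see the flagged line in a complete, runnable context, here is an added example (not the question's code and not from the Rust documentation). It uses only std::net, the same API the question's one-liner uses, and talks to a loopback echo server it starts itself, so nothing leaves the machine. The port is chosen by the OS; the message bytes are a constructed sample. It shows connect_timeout and read_timeout, so a failed or blocked connection surfaces as an io::Error the program can log instead of hanging.

```rust
use std::io::{self, Read, Write};
use std::net::{SocketAddr, TcpListener, TcpStream};
use std::thread;
use std::time::Duration;

/// Start a loopback echo server on an OS-assigned port and return its address.
/// It accepts exactly one client, echoes the first message it receives, then exits.
pub fn start_echo_server() -> io::Result<SocketAddr> {
    let listener = TcpListener::bind("127.0.0.1:0")?;
    let addr = listener.local_addr()?;
    thread::spawn(move || {
        if let Ok((mut sock, _peer)) = listener.accept() {
            let mut buf = [0u8; 1024];
            // Read one message and write it straight back.
            if let Ok(n) = sock.read(&mut buf) {
                let _ = sock.write_all(&buf[..n]);
            }
        }
    });
    Ok(addr)
}

/// Connect to `addr` with a bounded timeout, send `msg`, and return the echoed reply.
/// Any failure (refused, timed out, or the socket being torn down) is returned as an
/// io::Error rather than panicking, so the caller can log the error kind.
pub fn send_and_receive(addr: SocketAddr, msg: &[u8]) -> io::Result<Vec<u8>> {
    let mut stream = TcpStream::connect_timeout(&addr, Duration::from_secs(2))?;
    stream.set_read_timeout(Some(Duration::from_secs(2)))?;
    stream.write_all(msg)?;
    let mut reply = vec![0u8; msg.len()];
    stream.read_exact(&mut reply)?;
    Ok(reply)
}

fn main() -> io::Result<()> {
    let addr = start_echo_server()?;
    // Constructed sample message; the server is expected to return it unchanged.
    let reply = send_and_receive(addr, b"hello")?;
    println!("echoed {:?}", String::from_utf8_lossy(&reply));
    Ok(())
}
```

On Windows, std::net::TcpStream is a thin wrapper over the Winsock connect/send/recv calls, so the connection itself is no different from what a C# TcpClient issues; the timeouts in the example only make sure the client reports an error instead of blocking if the connection never completes.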
I'm always adding the general project directory to the AV exclusions. It avoids those false positives and the general overhead of it constantly scanning the files that are being modified.
EDIT: However, I wouldn't disable the firewall. Is it your AV that finds the binary suspect or your firewall that finds the connection suspect?
It is the AV itself that finds the connection suspicious, which then closes the application and removes the binary, along with the whole directory containing it.
Both my Windows and AV's internally supported firewalls are disabled.
Regarding the solution you kindly provided, I can exclude it on my own machine, but this is not applicable for a deployment environment, so if I decide to send the app for other users to use, they, too, need to exclude it themselves, and this is not very convenient in nature.
An antivirus doesn't normally care about the connections. It will check the executables that are launched and prompt you the first time. Perhaps they're also monitoring their behaviour, indeed. And some react more aggressively and remove it, as you said.
Do you really need two antivirus programs? Windows Security is good enough these days, and in any case, having two at the same time is probably asking for trouble, so when I used to install security software, I disabled Windows'. Either way, if the users that run your software have only Windows Security, you should check how this one alone reacts; chances are it's only a prompt the first time you run the software, which isn't really inconvenient.
For communications that are intercepted by the firewall, it's typically the same. The last time I installed such an app, the firewall asked me whether I wanted to allow or block the app, and that was it.
If you deploy an installer like Windows Installer, I suppose it's possible to add a script to exclude the installation folder (as some IDEs do), but I've never had to do it, so I don't know how.