16

I had compiled a simple hello world program in C with the MinGW compiler using the command line. As it had finished compiling, Windows Defender popped up and detected a virus (Trojan:Win32/Fuery.C!cl).

```c
#include <stdio.h>
#include <stdlib.h>
int main() {
    printf("Hello World");
    return 0;
}
```

https://i.stack.imgur.com/qGUYo.jpg

I had taken action on this (Removed) as Windows Defender suggested, but when I compile again the same happened, multiple times.

I had downloaded an antivirus (Malwarebytes) and scanned my whole system and it detected some registry key errors, but not this.

I've tried compiling C++ files too, but Windows Defender did not detect any virus there. This only happens when I compile in C.

I've also tried checking the compiled executable at VirusTotal. https://www.virustotal.com/gui/file/476d47215dad80db49c9fd508ab5e10e5aeb5b623248ca156830a28b70affe5f/detection

I tried CodeBlock's MinGW compiler and 0 engines detected it. (Same C file) https://www.virustotal.com/gui/file/8ba4b0fa24b1b6b69152acce2353fcca8447bbecbfc4e5ec48d33cc75d94f2f1/detection

EDIT: I deleted the path variable of C:/MinGW and added CodeBlock's MinGW compiler. I then used the command line to compile the same C file again and had uploaded the .exe file to VirusTotal. This time, 0 engines detected. So I have come to the conclusion that the MinGW compiler that I had installed was creating this problem. https://www.virustotal.com/gui/file/34d383f6c09f897d8c9a44ed0e7850574320e50fdf439eeb1f06705fdcc95386/detection

I don't know why this happens. Is there malware in my computer that affects my C programs or is this a false detection?

tan
  • 209
  • 1
  • 2
  • 8
  • 4
    Sounds like a Windows Defender false positive. – Jesper Juhl Jun 13 '20 at 19:15
  • I'm going to define this as a false detection but if anyone has an answer please let me know!! – tan Jun 13 '20 at 19:33
  • @Evg, yes I also tried that before but failed to mention it. I have done it again and 31 engines have detected it as unsafe – tan Jun 13 '20 at 19:39
  • After I installed Windows 10 Defender scanned all my drives, deleting *every* executable I had made myself, without warning. It wasn't long before I went back to Windows 7 and AVG, which would warn me until I **configured it to ignore certain folders** (and their children). – Weather Vane Jun 13 '20 at 19:50
  • Maybe you wrote the virus and heuristic algorithm has detected it. – 0___________ Jun 13 '20 at 21:14
  • 1
    @tan Interestingly enough, sounds very similar to the issue reported [here](https://developercommunity.visualstudio.com/content/problem/1046937/windows-defender-reports-a-trojan-1.html) for VC++. – dxiv Jun 14 '20 at 03:14
  • Same question: https://stackoverflow.com/questions/61958729/codeblocks-mingw-windows-defender-trojanwin32-fuery-ccl – M.M Jun 14 '20 at 07:28
  • @M.M I have seen it BEFORE I posted this question, it did not help me – tan Jun 14 '20 at 07:30
  • I'm having the same issue with a simple C program compiled in the VS Developer Console using `cl`. If I include the `/O2` switch when compiling, I can execute the program, but if I leave it out Windows Defender quarantines it. – Valuator Feb 16 '21 at 15:46

6 Answers

14

There is no malware, it is a false positive. The executable generated by your version of MinGW looks very similar to a particular virus.

To avoid the problem, add the directory where you build your code to the list of exclusions in the antivirus.

Also consider using mingw-w64 instead of mingw.org.

M.M
  • 138,810
  • 21
  • 208
  • 365
7

I came across the same problem, compiler tdm gcc v9.2.

The following compilation triggers a warning (Kaspersky):

```
gcc temp.c -o temp.exe
```

The following does not:

```
gcc -O3 temp.c -o temp.exe
```

Where temp.c is:

```c
#include <stdlib.h>
#include <stdio.h>
#include <math.h>
int main() {
    int a, b;
    scanf("%d %d", &a, &b);
    printf("mod %4d, %4d is %4d\n", a, b, a%b);
    return 0;
}
```

The same code with g++ passes the test with both compilations. The antivirus software does not detect the same virus elsewhere but only in temp.exe (first compilation).

β.εηοιτ.βε
  • 33,893
  • 13
  • 69
  • 83
  • `-O3` somehow worked for me also. A simple hello world compiled like so: `i686-w64-mingw32-gcc -o dev.exe new.c -O3`. Without it, it tells me `the file contains a virus or potentially unwanted software`. – James M. Lay Aug 30 '22 at 03:36
4

I may have solved my problem.

This is what I did: I removed the PATH Variable of C:\MinGW and added CodeBlock's MinGW compiler (CodeBlocks/MinGW/bin). I used the command line to compile the same C file, and had uploaded the .exe to VirusTotal. No engines detected this file! https://www.virustotal.com/gui/file/34d383f6c09f897d8c9a44ed0e7850574320e50fdf439eeb1f06705fdcc95386/detection

So I have come to the conclusion that MinGW was the compiler that was causing this problem. I have removed it.

However, I am not quite sure if this problem is FULLY solved. There is still a possibility of malware affecting my executable (or perhaps not). I cannot be sure.

If anyone has any answers, please comment or answer

tan
  • 209
  • 1
  • 2
  • 8
  • 1
    This does not rule out your original mingw-gcc being compromised. Compile a few more source files with it and see if they are all flagged -- if not, then it was likely a false positive issue. If they are all infected -- you still have problems... – David C. Rankin Jun 14 '20 at 08:48
  • yes I shall.. and if the problem still occurs, I shall let you know – tan Jun 14 '20 at 09:01
  • Hi it has been 3 days and I've had no detection. I think my problem has been solved and my question answered. PS: StackOverflow is great!! – tan Jun 16 '20 at 09:11
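
A way to carry out the check suggested in the comments above (build several sources with the suspect toolchain and see which outputs get flagged), as an added example that is not from any of the posts. `$Gcc`, `$Sources` and the `fp-check-*` output folder are assumed names; the script uses the Defender cmdlets `Start-MpScan` and `Get-MpThreatDetection` and expects the output folder not to be on the exclusion list.

```powershell
# Added example: build each source with and without -O3 and record Defender's verdict.
# $Gcc, $Sources and $OutDir are placeholders (assumptions); point them at your own files.
param(
    [string]   $Gcc     = 'gcc',
    [string[]] $Sources = @('hello.c', 'temp.c'),
    # Fresh, timestamped folder so older detection history cannot match these paths
    [string]   $OutDir  = (Join-Path $PWD.Path ('fp-check-' + (Get-Date -Format 'yyyyMMdd-HHmmss')))
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$flagSets = [ordered]@{ 'default' = @(); 'O3' = @('-O3') }

$results = foreach ($src in $Sources) {
    foreach ($name in $flagSets.Keys) {
        $base    = [IO.Path]::GetFileNameWithoutExtension($src)
        $exe     = Join-Path $OutDir "$base-$name.exe"
        $argList = @($flagSets[$name]) + @($src, '-o', $exe)
        & $Gcc @argList
        $built = ($LASTEXITCODE -eq 0)

        # Real-time protection may remove the file right after linking,
        # so hash it immediately and tolerate it already being gone.
        $hash = $null
        if ($built -and (Test-Path -LiteralPath $exe)) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256 `
                        -ErrorAction SilentlyContinue).Hash
        }
        [pscustomobject]@{ Source = $src; Flags = $name; Exe = $exe
                           Built = $built; SHA256 = $hash }
    }
}

# On-demand scan of the output folder only, then read back the detection history.
Start-MpScan -ScanType CustomScan -ScanPath $OutDir
$detections = Get-MpThreatDetection

foreach ($r in $results) {
    # Resources holds the detected paths, e.g. "file:_C:\...\hello-default.exe"
    $hit = $detections | Where-Object { $_.Resources -like "*$($r.Exe)*" }
    $r | Add-Member -NotePropertyName Flagged     -NotePropertyValue ([bool]$hit)
    $r | Add-Member -NotePropertyName StillOnDisk -NotePropertyValue (Test-Path -LiteralPath $r.Exe)
}

$results | Format-Table Source, Flags, Built, Flagged, StillOnDisk, SHA256 -AutoSize
```

The recorded SHA-256 values can be searched on VirusTotal by hash, which avoids uploading each binary. A table where only some flag/source combinations are flagged matches the pattern the answers describe (default build flagged, `-O3` build clean).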
0

Since you wrote that program and you know it isn't actually a Trojan, it's obviously a false positive. You should submit the file to them at https://www.microsoft.com/wdsi/filesubmission so they can figure out why it's triggering the false positive and fix it. (If it happens with everything you compile, just sending them one will suffice.) In the meantime, you should add an exclusion to Windows Defender for the folder that you compile your executables in.

  • 2
    In the event that you're less than confident about the false positive, it may also be enlightening to objdump the binary and examine the assembly code produced. – l.k Jun 13 '20 at 20:30
  • @l.k I'd be exceptionally surprised if anything useful came of that. – Joseph Sible-Reinstate Monica Jun 13 '20 at 20:31
  • Mainly I would expect reassurance that everything is fine. – l.k Jun 13 '20 at 20:32
  • 1
    "Since you wrote that program" Who wrote the program is irrelevant. The system is owned by third parties at this point and all executables written on it are, at this point, being infected. It doesn't matter who writes them. It's rather typical. Developer machines are not magically immune to malware. The fact that any development is being done on them means nothing. It's a typical signature of a system that is only nominally yours, but really is stealing all your data and infecting everything in sight. It's basically a situation where a figurative nuke from orbit is all that's left. – Kuba hasn't forgotten Monica Jun 14 '20 at 07:09
0

I ran into this after installing MinGW on 01-08-20 (dd-mm-yy). For me it was also Windows Defender; the way to - hopefully temporarily - get rid of this is to add an exception for the folder your compilation output will reside in. The Microsoft website states these steps to add an exclusion:

  1. Go to Start > Settings > Update & Security > Windows Security > Virus & threat protection.
  2. Under Virus & threat protection settings, select Manage settings, and then under Exclusions, select Add or remove exclusions.

Gertjan Brouwer
  • 996
  • 1
  • 12
  • 35
0

I had a similar problem. I figured out that the following dll was missing: mingw32-libmingwex-dll. Once I installed it via "MinGW Installation Package", I didn't have the problem anymore. I hope this can help others.

gburri
  • 1
  • This does not really answer the question. If you have a different question, you can ask it by clicking [Ask Question](https://stackoverflow.com/questions/ask). To get notified when this question gets new answers, you can [follow this question](https://meta.stackexchange.com/q/345661). Once you have enough [reputation](https://stackoverflow.com/help/whats-reputation), you can also [add a bounty](https://stackoverflow.com/help/privileges/set-bounties) to draw more attention to this question. - [From Review](/review/late-answers/33015823) – GAVD Oct 31 '22 at 07:22