
Current Windows 11 sees ffsend as a severe trojan? #164

Closed
Pentaphon opened this issue Jul 14, 2023 · 3 comments

Comments

@Pentaphon commented Jul 14, 2023

Obviously a false positive but why would this happen?


lunae-f commented Jul 22, 2023

I am in the same situation as this issue. I ran winget install ffsend and Windows Defender warned me that it was "Trojan:Win32/Malagent!MSR". (DeepL)


ptrmsk commented Aug 12, 2023

An explanation of this would be nice.

From the Releases page, I downloaded both executables and scanned them on VirusTotal. ffsend-v0.2.76-windows-x64.exe has zero positives, ffsend-v0.2.76-windows-x64-static.exe had over 20.

The version of ffsend installed with scoop comes with warnings from these antivirus programs:

| Product | Threat type | Notes |
|---|---|---|
| AhnLab-V3 | Malware/Win.Generic.C5451432 | |
| Antiy-AVL | Trojan/Win64.Agentb | |
| Bkav Pro | W32.Common.E6DA96CB | |
| Cylance | Unsafe | |
| DeepInstinct | MALICIOUS | |
| Fortinet | W32/PossibleThreat | |
| Jiangmin | Trojan.Agentb.nuy | |
| K7AntiVirus | Trojan ( 0001140e1 ) | |
| K7GW | Trojan ( 0001140e1 ) | |
| Kaspersky | Trojan.Win64.Agentb.kvsy | |
| Lionic | Trojan.Win32.Agentb.X!c | |
| MaxSecure | Trojan.Malware.114192910.susgen | Possible relative of this: "I've had a detection or two from them before, mainly for things like GTA mods that talk to a Github repository for managing auto script updates. I'm just going out on a limb and say if whatever it is you downloaded does the same, then that's probably what it's picking up as a trojan, because trojans will download things onto your PC without your knowledge a.k.a things like auto updaters." |
| McAfee | Artemis!0945D7008A24 | |
| McAfee-GW-Edition | BehavesLike.Win64.Dropper.rh | Installers and other projects show this; someone else recommends submitting false positives. I'm not sure what "rh" means. |
| Microsoft | Trojan:Win32/Malagent!MSR | Microsoft says: "This threat can perform a number of actions of a malicious hacker's choice on your PC." |
| QuickHeal | Trojan.Win64 | |
| Rising | Trojan.Agent!8.B1E (CLOUD) | |
| Sophos | Mal/Generic-S | Sophos says: "This detection covers many thousands of threats, from social networking worms to distributed denial of service Trojans and fake anti-virus (also known as 'scareware')." |
| TrendMicro | Trojan.Win64.FRS.VSNW0AG23 | |
| TrendMicro-HouseCall | Trojan.Win64.FRS.VSNW0AG23 | |
| VBA32 | TrojanPSW.Rusty | |
| Webroot | W32.Malware.Gen | |
| Zillya | Trojan.Agent.Win64.32660 | |
| ZoneAlarm by Check Point | Trojan.Win64.Agentb.kvsy | |

Based on the build YML, the static and dynamic EXEs are built almost entirely the same way. And based on Rust documentation and project notes, the static library is the more reliable one.

As a workaround for now, downloading and using the dynamic ffsend library should be fine. I already have a local folder called C:\bin where I can drop it to use it anyway, and the project looks stable (hasn't been updated for months).

@timvisee (Owner) commented

The project is fully open source, and clearly has no malicious function. That's easily verifiable.

I'm not sure why some of these scanners see the static binary as malicious. Some of the static bits may match up with patterns in other, actually malicious, binaries. I don't know.

I don't have a Windows machine to test this on though. Nor do I want to invest time in fighting against all these anti malware providers.

If you're unsure about this, I recommend reviewing the source code and compiling from source.
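The triage ptrmsk did by hand (scan both release binaries on VirusTotal, compare which engines flag the static build, and read the signature names) can be scripted. The following is an added example written for this page; it is not ffsend's code and was not posted in the thread. It assumes the VirusTotal API v3 file-object layout (`data.attributes.last_analysis_results`, keyed by engine name, each entry carrying `category` and `result`). The two reports in the block are constructed to mirror the static/dynamic split described above and are not real scan output; `ExampleAV-1` and `ExampleAV-2` are placeholder engine names. The hash helper is there because VirusTotal keys file reports by SHA-256, so hashing the exact file you downloaded is the first step before looking anything up.

```python
"""Added example: triage a VirusTotal v3 file report for a release binary.

Not ffsend's code and not from the issue thread. Assumes the VT API v3
file-object layout. STATIC_REPORT / DYNAMIC_REPORT below are constructed
samples mirroring the thread, not real scan results.
"""
import hashlib
import re
import sys
from collections import Counter

# Markers of generic / heuristic / cloud-ML verdicts, as opposed to a verdict
# that names a specific malware family. Assumed list, tuned to the names seen
# in the thread (Agentb, Generic, Artemis, Malagent!MSR, PossibleThreat, ...).
GENERIC_MARKERS = re.compile(
    r"generic|\bgen\b|agent|artemis|possiblethreat|behaveslike|unsafe|"
    r"malicious|malagent|susgen|common|cloud|heur",
    re.IGNORECASE,
)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a downloaded binary in chunks; VT file reports are keyed by SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _result(engine, category, result=None):
    """Build one engine entry in the VT v3 last_analysis_results shape."""
    return engine, {"category": category, "engine_name": engine, "result": result}


# Constructed sample: static build flagged by several engines (names taken from
# the thread), dynamic build clean across the same engine set.
STATIC_REPORT = {"data": {"attributes": {"last_analysis_results": dict([
    _result("Microsoft", "malicious", "Trojan:Win32/Malagent!MSR"),
    _result("Kaspersky", "malicious", "Trojan.Win64.Agentb.kvsy"),
    _result("McAfee", "malicious", "Artemis!0945D7008A24"),
    _result("Sophos", "malicious", "Mal/Generic-S"),
    _result("Fortinet", "suspicious", "W32/PossibleThreat"),
    _result("VBA32", "malicious", "TrojanPSW.Rusty"),
    _result("ExampleAV-1", "undetected"),
    _result("ExampleAV-2", "undetected"),
])}}}

DYNAMIC_REPORT = {"data": {"attributes": {"last_analysis_results": dict(
    _result(engine, "undetected")
    for engine in STATIC_REPORT["data"]["attributes"]["last_analysis_results"]
)}}}


def summarise(report):
    """Split a VT v3 file report into category counts and generic vs specific hits."""
    results = report["data"]["attributes"]["last_analysis_results"]
    stats = Counter(r["category"] for r in results.values())
    detections = {
        engine: r["result"]
        for engine, r in results.items()
        if r["category"] in ("malicious", "suspicious") and r.get("result")
    }
    generic = sorted(e for e, name in detections.items() if GENERIC_MARKERS.search(name))
    specific = sorted(e for e in detections if e not in generic)
    return {"stats": dict(stats), "detections": detections,
            "generic": generic, "specific": specific}


def engines_only_in(report_a, report_b):
    """Engines that flag report_a but not report_b (e.g. static vs dynamic build)."""
    hits_a = set(summarise(report_a)["detections"])
    hits_b = set(summarise(report_b)["detections"])
    return sorted(hits_a - hits_b)


if __name__ == "__main__":
    for label, rep in (("static", STATIC_REPORT), ("dynamic", DYNAMIC_REPORT)):
        s = summarise(rep)
        print(f"{label}: {s['stats']} generic={s['generic']} specific={s['specific']}")
    print("flag static only:", engines_only_in(STATIC_REPORT, DYNAMIC_REPORT))
    if len(sys.argv) > 1:  # optional: hash a downloaded binary before looking it up
        print("sha256", sys.argv[1], sha256_file(sys.argv[1]))
```

The generic/specific split is the part worth keeping: most names in the thread's table (Agentb, Generic, Artemis, Malagent!MSR, PossibleThreat, BehavesLike) are heuristic buckets rather than named families, which is consistent with the maintainer's guess that byte patterns in the statically linked runtime collide with signatures. That is evidence for a false positive, not proof of one; a clean hash comparison against a build you compiled yourself from the reviewed source, as the maintainer recommends, is the stronger check.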
