2048 Game Exe Flagged by Windows Defender as Trojan:Win32/Sabsik.FL.A!ml

[rj-jones]

Hello everyone,

I've just finished following a workshop called "2048 with Bevy ECS" created by Chris Biscardi on his website https://www.rustadventure.dev/workshops. I've just completed everything and I'm in the process of creating a release executable but I've run into an issue with Windows Defender, or a potentially bad crate.

I am able to successfully create a release executable, but when I run it Windows flags it as a Trojan:Win32/Sabsik.FL.A!ml and quarantines the file. If this is indeed a bad crate, how can I go about finding it? Or is this just Windows Defender overreacting?

Here are the dependencies I'm using:

[dependencies]
bevy = "0.10"
bevy_easings = "0.10.0"
itertools = "0.10.5"
rand = "0.8.5"

Rust Info

rustup 1.26.0 (5af9b9484 2023-04-05)
info: This is the version for the rustup toolchain manager, not the rustc compiler.
info: The currently active `rustc` version is `rustc 1.75.0 (82e1608df 2023-12-21)`

OS Info

Edition	Windows 11 Pro
Version	22H2
Installed on	‎4/‎4/‎2023
OS build	22621.3007
Experience	Windows Feature Experience Pack 1000.22681.1000.0

Any advice on how to tell if it's a bad crate would be appreciated. Thanks!

[alice-i-cecile]

@ChristopherBiscardi is a well-known and trustworthy member of the Bevy community: no worries there. I've heard of similar problems before with false positives, both for Bevy and other game engines. However, supply chain attacks are possible. I'm not personally sure how you might investigate further; perhaps others know more.

[ChristopherBiscardi]

For what its worth, there are no external crates of my own in that workshop (or crates from non-crates.io sources), so all non-third party code is auditable (there are no weird binary blobs or anything like that). In fact it is almost inherently audited because you have to write the code yourself to go through the workshop.

bevy, itertools, and rand are all very widely used rust crates. If there was an issue with one of them I would assume the issue would be widely known very quickly. I don't think there is one, but checking the relevant issue trackers would be where I would start if I was going to check.

bevy_easings is https://github.com/vleue/bevy_easings which is (as far as I know) handled by @mockersf and while being a smaller crate than the others, is another well known and trustworthy member of the Bevy community.

I also don't know how I would further investigate other than checking the relevant issue trackers and such.

As a side mention, I am happy to receive these kinds of issues on the 2048, etc repos so as to not additionally burden Bevy maintainers, but I also understand why it would've been filed here given the type of issue.

[rj-jones]

Thank you for your response, and for creating the course!

I've moved the source code via GitHub to a brand new machine (just got a new laptop) running the same OS version. On the new machine I experienced slightly different behavior. Windows did not immeadiatley flag the executable when I ran it. It let me run the app. However, when I manually ran a Windows Defender scan on the "target" directory produced by the compiler it then proceeded to quarantine the exe for a different reason, this time Program:Win32/Wacapew.C!ml.

I've also run the executable through VirusTotal, here are its results.

One thing I noticed is that the new machine and VirusTotal both found Program:Win32/Wacapew.C!ml and not Trojan:Win32/Sabsik.FL.A!ml. I'm also not sure how to proceed being that I'm able to produce a similar issue on a completely new machine. Does this mean it's likely a false positive?

[dbalsom]

I'm struggling with the same issue with my emulator MartyPC https://github.com/dbalsom/martypc
I do not use Bevy but being a Rust project we probably share a few of the same crates. I'm trying to track down which one might be the cause of it.

Could you issue the command 'cargo tree' to get a list of dependencies? I'll reply with a list of the ones that we share in common

[afonsolage]

If you build on CI and scan it directly from the remote link, does it show some malware? It can easily be a false positive on Windows Defender, but it can also be the case where your machine/network is infected (routers and IoT) or there is some crate infected (less likely)

[dbalsom]

Virustotal finds the CI url to be clean. It has been built by others as well with the same issue, as well as from a fresh VM. It is only Windows Defender that flags it.

[sandwichdoge]

Came here from Google just to say Windows Defender is categorizing both my AutoIt3-compiled app and my golang game cross-compiled on Linux with this same threat. Microsoft just blanketing everybody with this one.