Thanks for the report!
If I understand correctly, it's three files that are flagged:
bin_i686-sse/lzmadec.exe
bin_i686-sse/lzmainfo.exe
bin_i686-sse/liblzma.dll
Three scanners flag the two .exe files and one scanner flags liblzma.dll. Only 32-bit files are flagged.
It's curious that bin_i686-sse/xzdec.exe isn't flagged. The source code for xzdec.exe includes almost everything that the source for lzmadec.exe does.
On VirusTotal -> Behavior -> Full Reports -> CAPE Sandbox, there are things like "Performs some HTTP requests". These files definitely shouldn't do any network access hidden from the user (they will access network if you give them a network path on the command line like \\example.net\share\foo.txt).
On VirusTotal -> Behavior -> Full Reports -> Zenbox, there is "Creates a DirectInput object (often for capturing keystrokes)". That doesn't sound right at all.
I see 7za.exe on those pages too. I assume that 7za.exe is used to extract the .7z file. Perhaps VirusTotal counts 7za.exe's behavior as part of the report?
The package was cross-compiled on Arch Linux. Possible explanations:
(1) A false alarm.
(2) My build environment is compromised.
(3) Arch Linux's packages are compromised.
(4) Something else.
(1) seems the most likely explanation, but how confident can I be about it? If it were (2) or (3), I would expect it to infect all executables. As it is, the suspicious files aren't even the ones most likely to be used by users.
Even if it is a false alarm, I wonder if I should remove the files from GitHub so that GitHub won't suddenly think that this project is distributing malicious files.
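One static check that turns the sandbox claims ("Performs some HTTP requests", "Creates a DirectInput object") into something testable, added here as an example and not part of this thread or of the xz project: walk the PE import directory of each flagged binary and report whether it links against networking or DirectInput DLLs, which a command-line decompressor has no reason to import. The DLL watch-list and the minimal PE constructed for the self-test are assumptions of this example; a clean import table does not prove a file benign (code can resolve APIs at runtime via LoadLibrary/GetProcAddress), but it is a quick, offline way to see whether the "flagged" and "not flagged" 32-bit binaries actually differ in what they import.

```python
import struct
import sys

# DLLs a command-line decompressor has no reason to import. The sandbox reports
# mentioned HTTP requests and a DirectInput object; a static hit here would make
# those claims concrete. (Assumed watch-list for this example, not from xz.)
SUSPICIOUS_DLLS = {"wininet.dll", "winhttp.dll", "ws2_32.dll", "urlmon.dll",
                   "dinput.dll", "dinput8.dll"}


def pe_imported_dlls(data: bytes) -> list:
    """Return the DLL names listed in a PE file's import directory (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: data directories start at optional header + 96
        dd = opt + 96
    elif magic == 0x20B:        # PE32+: data directories start at optional header + 112
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    import_rva = struct.unpack_from("<I", data, dd + 8)[0]   # directory entry 1 = imports
    if import_rva == 0:
        return []
    # Section table follows the optional header; needed to map RVAs to file offsets.
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError("RVA %#x not backed by any section" % rva)

    dlls = []
    desc = rva_to_off(import_rva)
    while True:   # IMAGE_IMPORT_DESCRIPTOR is 20 bytes; an all-zero entry terminates
        ilt, _ts, _fwd, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if ilt == 0 and name_rva == 0 and iat == 0:
            break
        start = rva_to_off(name_rva)
        end = data.index(b"\0", start)
        dlls.append(data[start:end].decode("ascii", "replace").lower())
        desc += 20
    return dlls


def suspicious_imports(data: bytes) -> list:
    """DLLs from SUSPICIOUS_DLLS that the file imports, sorted."""
    return sorted(d for d in pe_imported_dlls(data) if d in SUSPICIOUS_DLLS)


def build_test_pe(dlls, pe32plus=False) -> bytes:
    """Construct a minimal, non-runnable PE whose single section holds an import
    directory naming `dlls`. Constructed test fixture only, not a real xz binary."""
    sec_rva, raw_off = 0x1000, 0x200
    names, name_rvas = b"", []
    for d in dlls:
        name_rvas.append(sec_rva + (len(dlls) + 1) * 20 + len(names))
        names += d.encode() + b"\0"
    body = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas)
    body += b"\0" * 20 + names                                   # terminator, then names
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 if pe32plus else struct.pack("<H", 0x10B) + b"\0" * 94
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_rva, len(body))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, len(body), raw_off, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(raw_off, b"\0") + body


if __name__ == "__main__":
    # Usage: python pe_imports.py bin_i686-sse/lzmadec.exe bin_i686-sse/xzdec.exe
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        print(path, "imports:", ", ".join(pe_imported_dlls(blob)))
        print(path, "suspicious:", suspicious_imports(blob) or "none")
```

Running it over both the flagged lzmadec.exe and the unflagged xzdec.exe makes the comparison the comment above asks about directly: if the two import the same set of DLLs, the scanners' behavioural findings are not explained by anything static in the file, which points back at the sandbox (or at 7za.exe's activity being attributed to the extracted files).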
Some virus scanners reported issues and trojans with the current v5.6.4 version of the xz package, especially with liblzma.dll
https://www.virustotal.com/gui/file/a69d83338facb6e9a45147384beb7d7d8ed53b5e2a41e8c059ae0d0260b356ac/relations
Larhzu, thanks for the great, detailed report.
Windows Defender also declared it a virus and does not allow it to be downloaded.