kMyMoney vcpkg - probable viruses

I am trying to build KMyMoney locally in Linux and also in Windows 11. For Windows, I am using the procedure shown on the Office > KMyMoney > Wiki > Build Environment page. I am using the vcpkg.json file referenced on that page and a CMake command appropriate to my system. The procedure has now stopped twice, on two different packages, when both Kaspersky and Windows Defender detect the malware Trojan.Win32.sdun.gen. This is very serious software that can put both my machine and my identity at risk. I can’t proceed unless someone can verify whether this is a false positive (unlikely) or a real threat, in which case it needs to be disinfected.

The first instance arose May 22 in GMP and I believe it is in one of the packages referenced in the following. I looked at repo.msys2.org and can’t find any contact information. Maybe someone here can. I also contacted MSRC but they refused to do anything.

-- Downloading https://repo.msys2.org/mingw/i686/mingw-w64-i686-libwinpthread-git-9.0.0.6373.5be8fcd83-1-any.pkg.tar.zst;https://www2.futureware.at/~nickoe/msys2-mirror/mingw/i686/mingw-w64-i686-libwinpthread-git-9.0.0.6373.5be8fcd83-1-any.pkg.tar.zst;https://mirror.yandex.ru/mirrors/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-9.0.0.6373.5be8fcd83-1-any.pkg.tar.zst;https://mirrors.tuna.tsinghua.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-9.0.0.6373.5be8fcd83-1-any.pkg.tar.zst;https://mirrors.ustc.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-9.0.0.6373.5be8fcd83-1-any.pkg.tar.zst;https://mirror.bit.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-9.0.0.6373.5be8fcd83-1-any.pkg.tar.zst;https://mirror.selfnet.de/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-9.0.0.6373.5be8fcd83-1-any.pkg.tar.zst;https://mirrors.sjtug.sjtu.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-9.0.0.6373.5be8fcd83-1-any.pkg.tar.zst -> msys-mingw-w64-i686-libwinpthread-git-9.0.0.6373.5be8fcd83-1-any.pkg.tar.zst...

In response, I deleted the reference to GMP in the .json file and tried again this morning, when the second incident happened with the package “installed = libiconv-1.16-2-x86_64.” The second process completes configuring both x86-windows-static-dbg and x86-windows-static-rel, but is then interrupted by the virus detection software while trying to build x86-windows-static-dbg.

I was actually getting this to work so I’m very disappointed I can’t proceed until this is resolved.

@ostroffjh,

In terms of Windows AV results, in my relatively small experience actually using Windows, my anti-virus hits were probably near half false positives. I consider that due to my being very careful with what I downloaded, and with using lots of FOSS software. If you search for any variant on “windows anti-virus false positives” you should find lots of stories. I won’t go as far as to say any positive is a false positive, but if you search for any other folks getting the same result, and you trust the source of the file being flagged, you are likely safe.

I have a couple questions. Which version of Windows and anti-virus software were you using? More to the point, what procedure did you use to determine they were false positives? Maybe I can do the same thing with my problem. Did you just Google for false positive results?

In this case, Googling “trojan.win32.sdum.gen” results in several links of particular note. One is to the Kaspersky website which describes the virus and its effects. Another is one on Jackett · GitHub which describes an incident where someone excluded Kaspersky’s warning and suffered the consequences. Another is a website malwarefixes.com which identifies Kaspersky as one of the AV programs that can reliably detect and eliminate this virus. I’m not going to ignore the warnings when there is testimony that Kaspersky works properly and effectively.

Apparently, however, no one is going to actually scan these files, and now, with all the denials, I’d want to know what was used to do the scan, because the virus is a real thing and Kaspersky can reliably detect it. On the Windows side, I will continue to try workarounds to build KMyMoney.

Over the years, I’ve used Windows from 3.0 to 10. I’ve used a variety of AV programs, and would be inventing it if I claimed I remembered which ones I actually used. I’m pretty sure one of them was MalwareBytes. I do understand that the threats to Windows are real, and am not suggesting to ignore or minimize any warnings.

Whenever I got a positive hit, I searched for information on that hit for that program. Not just a search for the AV program, or for the virus/bug it said was present, but specifically for the file/program it said was infected. How seriously I took any particular search result saying that the hit was a false positive depended on where it was, and how reliable I considered that site. For example, I tend to trust forums and mailing lists of well known, open source projects more than sites I never heard of. I also considered whether the posts tended toward informative and well reasoned from experienced users, vs. often wrong advice from beginners who clearly didn’t know very much. My opinions of that sort simply depended on my long history of having browsed such sites. I started using Linux in the early 90’s, but for various reasons was mainly stuck with Windows PCs, so I’ve been compiling under Windows for a LONG time. Multiple, agreeing posts were also more likely to convince me than a single first post from a new user of that forum.

It also had to do with where I downloaded the program. If I got it from some random Windows download site (which I rarely used) I would be much more suspicious. If I downloaded it from the GitHub site of a known open source project, I was more likely to trust the source. I know such sites can be compromised, but I don’t believe it happens very often.

I don’t want to say anything against Kaspersky or other major AV vendors, but they are commercial operations. I don’t claim to understand their methods for detecting malware, but it’s obviously not foolproof. In many cases, you could submit something their program says is infected so they can evaluate it and either confirm infection or modify their detection or add an exception. The problem is that they are not likely to be interested in doing that for obscure, low-use programs, which is what I suspect they consider most open source projects. Yes, I do admit having an attitude about this.

On your specific mentions of Kaspersky and any specific virus they claim to find, searching on the virus itself is not relevant. I do believe the virus is real, and potentially very damaging to an infected system. The question is whether that virus is truly present in the file you want to use. Going back to your first post, you didn’t say which packages were suspected of containing the malware and where you downloaded them. You then mention gmp (which I believe IS necessary for KMyMoney) but again, not where you downloaded it. More specifically, if you are using msys2 packages, have you looked at their site (https://www.msys2.org) and their page on getting help (Support & Contact - MSYS2)?

Sorry to be so long-winded, but by trying to compile KMyMoney on Windows, you have entered an arena that still has lots of unknown paths and alley ways, and no definitive best practices to follow.
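One concrete check that complements the "search for the exact file" approach above: confirm that the archive the AV flagged in vcpkg's downloads directory is byte-for-byte the one the port pinned. vcpkg ports declare the expected SHA512 of each download in their portfile.cmake (the SHA512 argument of vcpkg_download_distfile), and vcpkg refuses a download that does not match. If your copy matches that hash, the flagged bytes are identical to what every other user of that port version receives, so the question becomes "is this upstream artifact a false positive?", which is what the forum search answers; if it does not match, the file is not what the port expected and should be discarded regardless of what the AV says. The script below is an added example written for this thread, not code from KMyMoney, vcpkg or any poster; the portfile snippet, file name and archive bytes are constructed for the demo, and the SHA-256 it also reports is the value you would paste into a multi-engine scanner such as VirusTotal.

```python
"""Check a vcpkg-downloaded archive against the SHA512 its port pins.

Added illustration for this thread, not code from KMyMoney or vcpkg.
Only vcpkg_download_distfile(...) calls are parsed here; the portfile
text and the archive bytes used by demo() are constructed stand-ins.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a port's portfile.cmake (hypothetical URL/file).
PORTFILE = """
vcpkg_download_distfile(ARCHIVE
    URLS "https://example.invalid/mirror/demo-lib-1.0.tar.zst"
    FILENAME "demo-lib-1.0.tar.zst"
    SHA512 {sha512}
)
"""


def expected_hashes(portfile_text):
    """Map FILENAME -> lowercase SHA512 for every vcpkg_download_distfile call."""
    out = {}
    for body in re.findall(r"vcpkg_download_distfile\((.*?)\)", portfile_text, re.S):
        fn = re.search(r'FILENAME\s+"([^"]+)"', body)
        sha = re.search(r"SHA512\s+([0-9a-fA-F]{128})", body)
        if fn and sha:
            out[fn.group(1)] = sha.group(1).lower()
    return out


def file_digests(path, chunk=1 << 20):
    """SHA512 (to compare with the port pin) and SHA256 (for a scanner lookup), one pass."""
    h512, h256 = hashlib.sha512(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h512.update(block)
            h256.update(block)
    return h512.hexdigest(), h256.hexdigest()


def verify_download(path, portfile_text):
    """Return (status, sha256hex); status is 'match', 'mismatch' or 'unpinned'."""
    path = Path(path)
    pinned = expected_hashes(portfile_text).get(path.name)
    actual512, actual256 = file_digests(path)
    if pinned is None:
        return "unpinned", actual256          # port does not pin this file name
    ok = hmac.compare_digest(pinned, actual512)
    return ("match" if ok else "mismatch"), actual256


def demo():
    """Constructed end-to-end run: a good download, a tampered copy, an unpinned file."""
    good = b"demo archive bytes\x00" * 64     # constructed; not a real .tar.zst
    with tempfile.TemporaryDirectory() as d:
        p = Path(d, "demo-lib-1.0.tar.zst")
        p.write_bytes(good)
        portfile = PORTFILE.format(sha512=hashlib.sha512(good).hexdigest())
        r_good = verify_download(p, portfile)[0]
        p.write_bytes(good[:-1] + b"\x01")    # flip one byte: mirror corruption or tampering
        r_bad = verify_download(p, portfile)[0]
        q = Path(d, "not-in-port.zip")
        q.write_bytes(good)
        r_unpinned = verify_download(q, portfile)[0]
    return r_good, r_bad, r_unpinned


if __name__ == "__main__":
    print(demo())
```

In real use, point verify_download at the file under vcpkg's downloads directory and pass the text of the port's portfile.cmake from your vcpkg checkout; the same idea applies to msys2 packages, which ship a detached .sig beside each .pkg.tar.zst on repo.msys2.org that can be checked against the msys2 signing keys before the AV verdict is weighed.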

No, don’t apologize for helping me. You have been very patient with an old man and provided much needed information. The tactics you outline here are very helpful. Now that I’ve repaired a bug in my genealogy website generator, I’m off to see what I can do with these comments. Thanks, again.

-Don