Win 11 Defender detected Trojan in strutils/readFile: Win64/ReverseShell.YCA!MTB
Nim version:
Nim Compiler Version 2.2.2 [Windows: amd64]
Compiled at 2025-02-06
Copyright (c) 2006-2025 by Andreas Rumpf
Used the example from the tutorial:
import strutils
let contents = readFile("people.txt")
echo contents
let people = contents.splitLines()
echo people
False positive (unless you got your Nim compiler from some sketchy place). It happens all the time on Windows. I believe you can configure Windows Defender to ignore your Nim projects folder.
You can also submit your file to Microsoft, maybe if we bug them enough, they'll stop marking half the programs written in Nim as malware.
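As an added example (not code from the thread), here is how the "ignore your Nim projects folder" suggestion above looks in practice when done carefully from an elevated PowerShell session: first look at what Defender actually recorded for the detection, then exclude only the project's build output directory rather than a whole source tree or drive, and confirm the resulting exclusion list. `$ProjectDir` and the `bin` subdirectory are placeholder assumptions for your own layout; the cmdlets are the ones in the Defender module that ships with Windows.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session and the
# built-in Defender module. $ProjectDir is a placeholder for your Nim project path.
$ProjectDir = 'C:\Users\me\src\nim-people'   # placeholder, adjust to your project

# 1. Inspect the detection record before changing anything: threat id, time, flagged file.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($ProjectDir) } |
    Select-Object DetectionID, ThreatID, InitialDetectionTime, Resources, ActionSuccess |
    Format-List

# 2. Map the numeric ThreatID to the human-readable name (e.g. the ReverseShell.YCA!MTB in the title).
Get-MpThreat | Select-Object ThreatID, ThreatName | Format-Table -AutoSize

# 3. Exclude only the build output directory, not the whole tree and not a whole drive.
$BuildDir = Join-Path $ProjectDir 'bin'
Add-MpPreference -ExclusionPath $BuildDir

# 4. Confirm what is now excluded; remove the entry again when it is no longer needed.
(Get-MpPreference).ExclusionPath
# Remove-MpPreference -ExclusionPath $BuildDir
```

Keeping the exclusion scoped to the directory where compiled executables land means source files, downloaded dependencies and everything else on the machine are still scanned, and the `Get-MpPreference` listing makes it easy to audit and revert later.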
If I recall correctly, some individual or group found Nim and used it with malicious intent. Ever since then, we have had these problems. The reason they did it was that new languages, and how their code is compiled, are not in virus scanning databases, making them easy new tools for attacks without detection.
Also, this would be a non-problem if Microsoft would just do their job of recognizing that Nim is a programming language and not a malicious tool. It could be that nobody actually reads the reports, or worse, they do and don't care.
Does this forum have sticky post capabilities? If yes, we need to sticky a post about these false positives and some forum posting rules, e.g. if you are complaining about some problem, state your OS; it makes it easier for both sides.
Building the Nim compiler yourself using a fresh toolchain may avoid the problem, but it's hard to say for certain.
Can you try the following?
Now run it and check if it trips Defender on your machine. If not, copy the executable you compiled to a different Windows computer and try running it there.
For what it's worth, other non-mainstream and mainstream languages can run into this problem: Go, D, Crystal, ...
For step (4) I gave above, before running ./build_all.sh in the cloned Nim repo, you'll need to modify that script like this:
diff --git a/build_all.sh b/build_all.sh
index 83848f41a..8b785e426 100755
--- a/build_all.sh
+++ b/build_all.sh
@@ -8,10 +8,14 @@
set -u # error on undefined variables
set -e # exit on first error
+export CC=clang
+
. ci/funs.sh
nimBuildCsourcesIfNeeded "$@"
-echo_run bin/nim c --noNimblePath --skipUserCfg --skipParentCfg --hints:off koch
-echo_run ./koch boot -d:release --skipUserCfg --skipParentCfg --hints:off
-echo_run ./koch tools --skipUserCfg --skipParentCfg --hints:off
+export CC=clang
+
+echo_run bin/nim c --noNimblePath --skipUserCfg --skipParentCfg --hints:off --cc:clang koch
+echo_run ./koch boot -d:release --skipUserCfg --skipParentCfg --hints:off --cc:clang
+echo_run ./koch tools --skipUserCfg --skipParentCfg --hints:off --cc:clang
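Review bot: `export CC=clang` is added twice in this hunk, once right after `set -e` and again after `nimBuildCsourcesIfNeeded "$@"`; since the first export already applies to the rest of the script, the second one is redundant and the hunk should keep only one of them. The three `echo_run` lines also pass `--cc:clang` explicitly, so the `CC` export is only needed for whatever `nimBuildCsourcesIfNeeded` runs before `bin/nim` exists; a one-line comment above the surviving export saying that it is there for the csources bootstrap would make the intent clear to the next reader of `build_all.sh`.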
To be clear: I'm only suggesting those changes for building in the MSYS2 CLANG64 environment.
Seems like that shouldn't be necessary. I don't remember needing to do that in the past, but maybe I've just forgotten.
Any core devs reading: thoughts on fixing it? Seems like gcc.exe is getting hard-wired in a number of places; not sure if it's because of Windows detection or something else.
Here's one person who had success with it just by using clang or zig (as a cross compiler): https://forum.nim-lang.org/t/12669#78109
There's tools out there that also obfuscate programs: https://github.com/eshard/obfuscator-llvm
Ironic that some of the techniques virus developers use have to be used for legitimate apps just because anti-virus programs are so crap.
Here's one person who had success with it just by using clang or zig (as a cross compiler)
Great point, and actually... I conflated a couple of things yesterday, so to clarify:
The main thing is having Nim use a different toolchain than the one provided by Install Nim on Windows: Compiler dependencies. It's anecdotal, but there is evidence that this can make a difference for anti-virus false positives. Installing clang with MSYS2 is a simple and convenient way to set up an alt compiler toolchain on Windows.
You also need a compiled Nim compiler. How it was compiled to run on Windows may not make much or any difference with respect to anti-virus false positives when it's handing off C compilation of your Nim programs to clang, so you can probably still download and use the official builds. But if you've set up MSYS2 CLANG64, it's simple to build the Nim compiler yourself, and that is what I recommend for that setup.
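The point made above (have Nim hand C compilation of your own programs to the MSYS2 clang instead of the bundled gcc) does not require rebuilding the compiler or editing build_all.sh; it can be set per project. The following config.nims is an added example, not a file from the thread or from the Nim project: it assumes MSYS2 CLANG64 was installed at the default C:\msys64 location (adjust the path otherwise) and uses the same `--cc:clang` selection that the diff above passes on the command line, plus the `clang.path` / `clang.exe` / `clang.linkerexe` configuration keys Nim reads for each C compiler backend.

```nim
# config.nims placed next to the project's main module (added example, not from the thread).
# Assumption: MSYS2 CLANG64 lives at C:\msys64; change clang.path if you installed elsewhere.
when defined(windows):
  # Select the clang backend, equivalent to passing --cc:clang on every nim invocation.
  switch("cc", "clang")
  # Tell Nim where the CLANG64 toolchain binaries are, so it does not fall back to the
  # gcc.exe shipped with the official Windows installer.
  switch("clang.path", r"C:\msys64\clang64\bin")
  switch("clang.exe", "clang.exe")
  switch("clang.linkerexe", "clang.exe")
  # Optional: keep build output in one directory so any Defender exclusion can stay narrow.
  switch("outdir", "bin")
```

With this file in place, a plain `nim c people.nim` (or the tutorial snippet at the top of the thread) compiles through clang, and `nim c --listCmd people.nim` shows the exact clang command lines so you can confirm the bundled gcc is no longer involved.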