Alert from VirusTotal.com to file 'gencfu.exe'

Mäx

Apr 30, 2025, 4:12:41 AM
to icu-support

Mihai Niță Ⓤ

Apr 30, 2025, 1:08:41 PM
to Mäx, icu-support
Hi Mäx, thank you very much for reporting this.

I did my own submission to VirusTotal, with the file from the GitHub release zip, just to be 100% sure:

I reported this as a false positive to BitDefender only (at least for now).

It looks like the most well-known scanner, and they have a page to report false positives that is really easy to find.

See below the explanation I used.

I'll post any updates here, if they answer.

Best regards,
Mihai

==========

TLDR: this is very, very surely a false positive. It is produced from known sources, of a reputable open source project, built in the cloud on a GitHub-owned runner, at a known git tag, digitally signed by a member of the ICU team, all artifacts traceable.

---

This is a utility that is part of the official release of the International Components for Unicode library.

It is inside the official zip file icu4c-77_1-Win64-MSVC2022.zip at https://github.com/unicode-org/icu/releases/tag/release-77-1
PGP signed by a member of the ICU team (icu4c-77_1-Win64-MSVC2022.zip.asc)

It was built from the sources here: https://github.com/unicode-org/icu/tree/main/icu4c/source/tools/gencfu
At Git tag `release-77-1`

And it was built "in the cloud", on a GitHub runner, not on some local dev machine that might be infected.

You can even download the artifact of the cloud run here:
https://github.com/unicode-org/icu/actions/runs/13841950059
Download icu4c.Win64.run_#2386 and unzip it; it contains an icu4c-77_1-Win64-MSVC2022.zip file that is byte-for-byte identical to the one in the GitHub release.

Mihai


On Wed, Apr 30, 2025 at 1:12 AM Mäx <mae.m...@gmail.com> wrote:
https://www.virustotal.com/gui/file/6f1cab0b18eb98d9fa9fc957cb31edf7842bafa221f0337ca6c336f0e1b7440a

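The provenance checks described in the false-positive report above, as an added example that is not part of the original messages or of the ICU project's tooling: it confirms that the release zip is byte-for-byte identical to the zip wrapped inside the CI artifact, and lists the members whose SHA-256 matches the hash reported by the scanner. The function names, the `bin64/` member paths and the sample archives are constructed assumptions; verifying the `.asc` PGP signature is a separate step not shown here.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_members_by_hash(zip_bytes: bytes, wanted_sha256: str) -> list[str]:
    """Names of zip members whose SHA-256 equals the flagged hash."""
    wanted = wanted_sha256.strip().lower()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if not i.is_dir() and sha256_hex(zf.read(i)) == wanted]


def check_provenance(release_zip: bytes, ci_artifact: bytes,
                     inner_name: str, flagged_sha256: str) -> dict:
    """Tie a flagged binary to the release zip and the CI run behind it."""
    with zipfile.ZipFile(io.BytesIO(ci_artifact)) as outer:
        # The CI download is itself a zip that wraps the release zip.
        inner = outer.read(inner_name) if inner_name in outer.namelist() else None
    return {
        "release_sha256": sha256_hex(release_zip),
        "ci_inner_sha256": sha256_hex(inner) if inner is not None else None,
        "byte_identical": inner is not None and inner == release_zip,
        "flagged_members": find_members_by_hash(release_zip, flagged_sha256),
    }


def make_zip(files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip (used only for the constructed sample below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    # Constructed stand-ins: not the real ICU binaries or archive layout.
    exe = b"MZ constructed stand-in for gencfu.exe"
    release = make_zip({"bin64/gencfu.exe": exe, "bin64/other.dll": b"constructed"})
    artifact = make_zip({"icu4c-77_1-Win64-MSVC2022.zip": release})
    return check_provenance(release, artifact,
                            "icu4c-77_1-Win64-MSVC2022.zip", sha256_hex(exe))
```

With real files, read the downloaded release zip and CI artifact as bytes and pass the SHA-256 from the scanner report as `flagged_sha256`; an empty `flagged_members` list means the flagged file did not come from that release zip.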

Mihai Niță Ⓤ

Apr 30, 2025, 1:23:46 PM
to Mäx, icu-support
I also submitted to GData, with a similar description.

---

The submission at Lionic fails with an error, even after checking 3 times that all fields are correct:
format error: Key: 'Data_CreateFalsePositive.Message' Error:Field validation for 'Message' failed on the 'lte' tag

---

Other vendors are surprisingly difficult to contact.
Most have only some email address.
And one required me to download an application and run it on my machine. No, thanks!

Here is the list of contacts from VirusTotal:

Regards,
Mihai

