ANN: Update on Trojan alert (Trojan:Win64/Rugmi.MV!MTB) for `docinsight.exe`

On March 14, 2025, we noticed an alert, Trojan:Win64/Rugmi.MV!MTB, from Microsoft Defender Antivirus on our build machine. This alert is identical to the one previously reported by our customer. We immediately began investigating and, after some analysis, we suspect it is a false positive. Here are the details:

  1. We ensured that Microsoft Defender Antivirus was up to date and performed a full disk scan. The only files flagged as threats were `docinsight.exe` and the installers (there were no reports for Delphi DLLs or EXEs).

  2. We then focused on `docinsight.exe`, which is built with the Rust stable toolchain. After rebuilding the project and attempting to copy the generated executable out of the target folder, the copy was blocked:

```text
scripts/build_di.cmd
Build docinsight server (win-x64)
   Compiling docinsight v0.1.0 (...)
    Finished `release` profile [optimized] target(s) in 9.82s
Copy docinsight.exe to C:\dev\docinsight\bin\
Operation did not complete successfully because the file contains a virus or potentially unwanted software.
```
  3. We ran `cargo audit` and found no relevant vulnerabilities in the codebase.

  4. We suspected the issue might be related to compressed or obfuscated code. After commenting out the related code, we traced the cause to the `include_crypt` crate. We looked through the source code of the crate but found nothing special. (Some details omitted…)

  5. Finally, when we simply extracted the suspicious code into a separate module, no alerts appeared. Based on these findings, we believe this alert is a false positive.
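The steps above are what a team repeats whenever a fresh build trips Defender. The PowerShell script below is an added example, not one of the project's build scripts: it refreshes definitions, records the exact hash of the flagged binary, and pulls Defender's own detection record for that file, which is the evidence a false-positive report needs. The file path is a placeholder; the `*-Mp*` cmdlets are the standard Defender module shipped with Windows and the script should run elevated.

```powershell
# Added example (not part of the docinsight project): gather Defender evidence for a
# build output flagged as a trojan before filing a false-positive report.
# Assumes Windows PowerShell with the Defender module, run as administrator.
param(
    # Placeholder path: point this at the executable Defender blocked.
    [string]$Path = 'C:\dev\docinsight\target\release\docinsight.exe'
)

# 1. Bring definitions up to date first, so the result reflects current signatures.
Update-MpSignature
$status = Get-MpComputerStatus
"Engine {0}, signatures {1} (updated {2})" -f $status.AMEngineVersion,
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated

# 2. Pin down the exact artifact. A false-positive report is tied to one SHA-256,
#    so a rebuild (which changes the hash) must be re-reported.
if (Test-Path $Path) {
    $file = Get-Item $Path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    "SHA256 {0}  {1} bytes  built {2}" -f $hash, $file.Length, $file.LastWriteTime
} else {
    "File not present at $Path (Defender may already have quarantined it)"
}

# 3. Scan just the build folder rather than the whole disk; quick to repeat after each bisect step.
Start-MpScan -ScanType CustomScan -ScanPath (Split-Path $Path -Parent)

# 4. Show the detection history for this file only: which signature fired, when,
#    which process triggered it (here, the copy step of the build script) and what was done.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

$leaf = [regex]::Escape((Split-Path $Path -Leaf))
Get-MpThreatDetection |
    Where-Object { $_.Resources -match $leaf } |
    Sort-Object InitialDetectionTime |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.InitialDetectionTime
            Threat    = $threatNames[$_.ThreatID]
            Process   = $_.ProcessName
            Resource  = ($_.Resources -join '; ')
            ActionId  = $_.CleaningActionID
            Succeeded = $_.ActionSuccess
        }
    } | Format-List
```

Running this after each change to the suspected code path (for example, with and without the `include_crypt` usage) gives a hash-by-hash record of which builds were flagged, instead of relying on whether the copy step happened to fail.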