The latest build on the Mac came up with a system warning under High Sierra stating a checksum error and possible malware. In scanning individual files with VirusTotal, the AegisLab detection found the Trojan.Win32.IRCBot.l3vP trojan in the Chromium Framework file.
Hello, this is probably my build you're referring to, I'm guessing 81.0.4044.92-2.
I repeated your test and got the same result: one (AegisLab) of 60 virus engines finds a potential threat called Trojan.Win32.IRCBot.l3vP in Chromium.app/Contents/Frameworks/Chromium Framework.framework/Versions/81.0.4044.92/Chromium Framework.
The only other mentioning of this specific threat I could find was in a forum post from the MacInTouch Community, which gave me the idea to test other binaries of the same release version.
I also tested the same release versions (.92) from FreeSMUG and Marmaduke/ungoogled as mentioned on chromium.woolyss.com and got the same warning for the Marmaduke/ungoogled binary but not for the FreeSMUG binary.
Given the same result for the two ungoogled binaries built on different machines, it is unlikely that my build system has been compromised. Rather it seems that compiling ungoogled chromium for macOS produces a pattern in the binary that is recognized by one anti-virus engine as a possible threat.
I would guess this alarm refers to a Windows trojan, judging by the Win32 in the name, maybe the Backdoor.Win32.IRCBot, the TROJAN.WIN32.IRCBOT, or the Backdoor:Win32/IRCbot.BH – anyway, a very Windows specific piece of binary code that could not perform the same actions on a macOS system.
Therefore, given that it's detected only by one out of 60 anti-virus engines, in two different binaries of ungoogled chromium built on different systems, it seems most likely to me that this is a false positive result of the AegisLab engine on VirusTotal, i.e. no actual infection with Trojan.Win32.IRCBot.l3vP and hopefully no other malware…
You got me scared a bit there, but it's always a good idea to run some extra tests (like scanning for viruses in the binaries).
Perhaps it's a false positive, but the same framework from the FreeSMUG build and Google's build don't trigger any false positive, so that gives me concern as to why this is occurring.
Anti-virus systems are always susceptible to false positives. I bet they are probably doing some pattern matching on the machine code or assembly.
If you are really concerned about this, I'd advise you to contact VirusTotal why this occurs (or find a way to build ungoogled-chromium yourself in a trusted environment). I think @kramred's explanation is sufficient here.
@Sonny-Fox, note also that the two versions (ungoogled vs. FreeSMUG/Google) are quite different in size: the binary of the ungoogled framework is ~170 MB whereas the FreeSMUG binary is about 260 MB.
The binary pattern that is (falsely) recognized in the ungoogled version is not (fully) present in the much larger version as there is other code interspersed or surrounding it.
Also, only one out of 60 anti-virus engines generates a warning (which is for a very different operating system).
Therefore I would raise your "perhaps it's a false positive" to a "most likely it's a false positive".
As we don't know the pattern that triggers the warning, it's difficult to argue using the binaries. But if you have access to a macOS build system, or we get the GitHub Actions build working, you can use a build you trust more and upload it to VirusTotal; most likely you will get the same result I got for the Marmaduke-ungoogled binary, which should confirm it's a false positive, as you can/could inspect all the source code and there is no code for the Trojan.Win32.IRCBot.l3vP.
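One way to encode the triage reasoning used in this thread (how many engines flag the file, whether the signature name targets a different platform than the file format, and whether independent builds of the same source reproduce the identical hit) as a small check. This is an added example, not code from the thread or from the ungoogled-chromium project; the scan records are constructed to mirror the three .92 builds discussed above, and `triage`, `SCANS` and `SAME_SOURCE` are my own names.

```python
"""Triage a VirusTotal-style scan result for a likely false positive."""
import re

# Constructed sample, loosely shaped like per-engine scan results. Only the
# single AegisLab hit comes from the thread; everything else is made up.
SCANS = {
    "ungoogled (kramred build)": {"format": "Mach-O", "engines": 60,
                                  "hits": {"AegisLab": "Trojan.Win32.IRCBot.l3vP"}},
    "ungoogled (Marmaduke build)": {"format": "Mach-O", "engines": 60,
                                    "hits": {"AegisLab": "Trojan.Win32.IRCBot.l3vP"}},
    "FreeSMUG": {"format": "Mach-O", "engines": 60, "hits": {}},
}
# Builds compiled independently from the same source tree.
SAME_SOURCE = {"ungoogled (kramred build)", "ungoogled (Marmaduke build)"}

FORMAT_PLATFORM = {"Mach-O": "macOS", "PE": "Windows", "ELF": "Linux"}


def platform_from_name(signature):
    """Infer which platform a signature name targets (None if unknown)."""
    for pattern, platform in ((r"win(32|64)", "Windows"),
                              (r"osx|macos", "macOS"), (r"linux", "Linux")):
        if re.search(pattern, signature, re.IGNORECASE):
            return platform
    return None


def triage(name, scans, same_source, max_ratio=0.05):
    """Return a verdict plus the reasons that support it."""
    scan, reasons = scans[name], []
    hits = scan["hits"]
    if not hits:
        return {"verdict": "clean", "reasons": reasons}
    # 1. A tiny fraction of engines flagging the file is weak evidence.
    low_ratio = len(hits) / scan["engines"] <= max_ratio
    if low_ratio:
        reasons.append(f"only {len(hits)}/{scan['engines']} engines flag the file")
    # 2. A signature naming another platform cannot run on this file format.
    file_platform = FORMAT_PLATFORM.get(scan["format"])
    for engine, sig in hits.items():
        sig_platform = platform_from_name(sig)
        if sig_platform and file_platform and sig_platform != file_platform:
            reasons.append(f"{engine}: {sig} targets {sig_platform}, file is {scan['format']}")
    # 3. Independent builds of the same source giving the identical hit points
    #    to a code pattern, not to one compromised build machine.
    siblings = [s for s in same_source if s != name and s in scans]
    if siblings and all(scans[s]["hits"] == hits for s in siblings):
        reasons.append("independent builds of the same source reproduce the identical hit")
    verdict = "likely false positive" if low_ratio and len(reasons) >= 2 else "investigate"
    return {"verdict": verdict, "reasons": reasons}
```

The verdict only becomes "likely false positive" when the low engine count is corroborated by at least one of the other two signals; a lone single-engine hit on a platform-matching signature still returns "investigate".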