by windwake12 2788 days ago
It's pretty common for programs compiled by "uncommon" compilers, and since the D compiler is self-hosted, it would fall into that category. AV software isn't magic; they probably just look for stack/calling/allocation patterns that don't look "right", meaning none of the major compilers generate such code, and it "might" be bad somehow.

I've a few flags from npm with Kaspersky, because there's so many packages that include some little binary, and since this is npm, it's often "unusual", like go.

1 comment

The AV might not be even looking at patterns in the executable code. We've had an issue where we accidentally ran the msys strip tool over binaries compiled with the MSVC compiler. A quarter of the scanners on virustotal went crazy and "detected" our program. The same unstripped program was fine with them. And by "the same", I literally mean the same: virustotal showed that all sections in the "malicious" stripped executable had identical hashes to those in the clean unstripped executable. The only difference was some header bits that were irrelevant to the runtime behavior (I think it was the "linker version" field, and maybe some others).
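The check the commenter describes (confirming on VirusTotal that every section of the "malicious" stripped build hashes identically to the clean build, so the only differences are header metadata) can be reproduced locally for triage. The following is an added example, not code from the commenter or from VirusTotal: it parses the PE section table with the standard library only, hashes each section's raw data, and reports whether two images differ only in header fields. To stay self-contained it constructs two toy PE32+ images in memory that share identical sections but carry different linker-version bytes; the images are not loadable, and the version numbers (14.0 vs 2.30) are constructed stand-ins, not the actual values MSVC or the msys strip tool write.

```python
import hashlib
import struct

# Section table entry: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_FMT = "<8sIIIIIIHHI"
# COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
COFF_FMT = "<HHIIIHH"
FILE_ALIGN = 0x200


def build_toy_pe(linker_major, linker_minor, sections):
    """Constructed, minimal PE32+ image (headers + sections only, not loadable).

    Only the fields the parser below reads are meaningful; everything else is zero.
    """
    n = len(sections)
    # PE32+ optional-header standard fields: Magic, Major/MinorLinkerVersion,
    # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode.
    opt = struct.pack("<HBBIIIII", 0x20B, linker_major, linker_minor, 0, 0, 0, 0, 0)
    headers_len = 64 + 4 + 20 + len(opt) + 40 * n
    raw_ptr = -(-headers_len // FILE_ALIGN) * FILE_ALIGN  # round up to file alignment
    sec_hdrs = b""
    blobs = []
    for name, data in sections:
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        sec_hdrs += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                                len(data), raw_ptr, raw_size, raw_ptr,
                                0, 0, 0, 0, 0x60000020)
        blobs.append((raw_ptr, data.ljust(raw_size, b"\0")))
        raw_ptr += raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew at 0x3C
    coff = struct.pack(COFF_FMT, 0x8664, n, 0, 0, 0, len(opt), 0x22)
    image = bytearray(dos + b"PE\0\0" + coff + opt + sec_hdrs)
    for ptr, blob in blobs:
        image.extend(b"\0" * (ptr - len(image)))
        image.extend(blob)
    return bytes(image)


def section_hashes(pe):
    """Return the linker version and a {section name: sha256 of raw data} map."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff_off = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, pe, coff_off)
    opt_off = coff_off + 20
    _, lmaj, lmin = struct.unpack_from("<HBB", pe, opt_off)
    sec_off = opt_off + opt_size
    hashes = {}
    for i in range(n_sections):
        name, _, _, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, pe, sec_off + 40 * i)
        name = name.rstrip(b"\0").decode()
        hashes[name] = hashlib.sha256(pe[raw_ptr:raw_ptr + raw_size]).hexdigest()
    return {"linker_version": f"{lmaj}.{lmin}", "sections": hashes}


def diff_report(pe_a, pe_b):
    """Compare two images: whole-file hash, per-section hashes, linker version."""
    a, b = section_hashes(pe_a), section_hashes(pe_b)
    names = set(a["sections"]) | set(b["sections"])
    return {
        "file_hash_identical": hashlib.sha256(pe_a).digest() == hashlib.sha256(pe_b).digest(),
        "sections_identical": a["sections"] == b["sections"],
        "changed_sections": sorted(n for n in names if a["sections"].get(n) != b["sections"].get(n)),
        "linker_version": (a["linker_version"], b["linker_version"]),
    }


# Constructed sample: same code and data in both builds, only header bytes differ.
SECTIONS = [(".text", b"\x48\x31\xc0\xc3"), (".rdata", b"hello\0")]
CLEAN = build_toy_pe(14, 0, SECTIONS)      # "unstripped" build (constructed values)
STRIPPED = build_toy_pe(2, 30, SECTIONS)   # "stripped" build, linker field rewritten

if __name__ == "__main__":
    print(diff_report(CLEAN, STRIPPED))
```

A report with `file_hash_identical` false but `sections_identical` true and an empty `changed_sections` list is the pattern the commenter saw: a detection that can only be keyed on header metadata, which is worth knowing before anyone spends time hunting for a payload in code that has not changed.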