For the amd64 at least, I have the same file but it has a different size / SHA256 and a different outcome in the scan results
I've installed Go via the .msi installer. Looking at the archive it matches the file I have on my machine (both size/SHA256).

Is the archive downloaded from https://storage.googleapis.com/golang/go1.9.1.windows-amd64.zip or some other place?

I've verified the file at https://storage.googleapis.com/golang/go1.9.1.windows-386.zip has the correct SHA256 and does contain the x.exe file at the path OP listed.

my plugin loads archives through web api from https://storage.googleapis.com/golang/
also I have checked both manually loaded archives from standard page https://golang.org/dl/

@raydac can you try on a third party system? Maybe from a Linux based OS?

@dlsniper what do you mean? I have loaded manually zip golang sdk archives 1.9.1 for windows under Ubuntu and x.exe is presented in both zip archives, calculated sha256 are the same like described on the main download page
ea9c79c9e6214c9a78a107ef5a7bff775a281bffe8c2d50afa66d2d33998078a ./go1.9.1.windows-386.zip
8dc72a3881388e4e560c2e45f6be59860b623ad418e7da94e80fee012221cc81 ./go1.9.1.windows-amd64.zip

Cool, so now upload the exe files from the Ubuntu machine to that website and see what results you have. The sums for the archives seem to be correct, see if anything changes for that file, x.exe

@dlsniper
report for x.exe from amd64
report for x.exe from 386

My amd64 x.exe in the MSI installed tree has a go.buildid of 07f043544a1febd4867dcccd5eb032f2249449db. Maybe a quick search for that in the official build logs will locate it?

All scans here say it's benign. Smells like an intermediate artifact that was packaged in error.

This embedded path gives an additional hint: C:/Users/gopher/AppData/Local/Temp/gotest628958634/src/x/main.go

I checked go1.9.1.windows-amd64.zip downloaded from golang.org/dl on Ubuntu.

But x.exe not exists.

@mattn the path is a bit incorrect, you need to run ls -la go/src/cmd/go not ls -la go/bin.

Sorry, I found it on go/src/cmd/go. As far as I can see, it is built by go. And C:\workdir\go\src\cmd\go is embeded in binary.

BTW, It seems that *_test.go in go/src/cmd/go have some string x.go.

CC @broady

Specified download URL redirected from golang.org.

https://www.virustotal.com/#/url/be8bdf89ebaff51c56824ab6074db008e91161bdd5973af110140c4221cfb0ac/detection

https://www.virustotal.com/#/url/de7cb91aeb171dedeb9a3f56e77c6a6eaff4cc70f8a4d7b98f3a733a5e2ea952/detection

This seems not bad. One of the antivirus software seems to detect always.

And I uploaded x.exe contained the zip, but not detected.

https://www.virustotal.com/#/file/d9c1b0aee3cc3f3a5cce0208438103e27664d18f53961e21f6c29f275ce01b94/detection

The result page which I posted was redirected to the page which is already reported by another user.

So, currently, what I can say is that x.exe I uploaded is not same file as x.exe uploaded by raydac.

@mattn this seems to be limited to the 386 distribution only. The file is present both in amd64 and 386 distros but only flagged as malicious in the 386 archive. Unfortunately does not make that very clear. Maybe someone with edit rights can change the issue name / description accordingly?

@mattn a lot of antiviruses are red for version of x.exe from 386 version of golang sdk 1.9.1 and user of plugin also detected such signal for 32 bit version

@raydac I checked 386 zip file.

https://storage.googleapis.com/golang/ go1.9.1.windows-386.zip

https://www.virustotal.com/#/url/8704d418b889c02947d23530317fb1f14f039fbd1e81d9e6067826f5fdccc41e/detection

https://storage.googleapis.com/golang/ go1.9.1.windows-386.msi

https://www.virustotal.com/#/url/53e0087623755b8eb2962fa46496805b318422da9e1e4730978d73142777ef74/detection

x.exe extracted from go1.9.1.windows-386.zip

https://www.virustotal.com/#/file/ffb4f32afbb23131a68a55a3b3692299489d75ad12e82af72bc938c66023fb8f/detection

I wonder why the URL is not detected.

But... what is x.exe?

I uploaded exe file that is compiled with GOOS=windows, GOARCH=386 on Ubuntu.

https://www.virustotal.com/#/file/96735a9738dab2e256067c5b1919220da6550203bef5f4391f59ffbb2d878969/detection

package main

import (
        "fmt"
        "log"
        "net/http"
)

func main() {
        http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
                fmt.Fprint(w, "Hello Gopher")
        })

        log.Fatalln(http.ListenAndServe(":12345", nil))
}

It seems some antivirus ware detect binary compiled with GOOS=windows GOARCH=386 on Linux as malicious.

The binary is left over from running TestImportMain in cmd/go. It's harmless. We should remove it, but it's harmless. Any virus scanner that thinks the binary is a virus is wrong.

Change https://golang.org/cl/71410 mentions this issue: cmd/go: clean up x.exe properly in TestImportMain

CL 71410 OK for Go 1.9.2.

Change https://golang.org/cl/71490 mentions this issue: [release-branch.go1.8] cmd/go: clean up x.exe properly in TestImportMain

Change https://golang.org/cl/71530 mentions this issue: [release-branch.go1.9] cmd/go: clean up x.exe properly in TestImportMain

go1.9.2 has been packaged and includes:

• CL 71410

The release is posted at golang.org/dl.

— golang.org/x/build/cmd/releasebot, Oct 26 21:09:24 UTC