Certainly! Here’s a thoughtful solution addressing concerns about using FrankenPHP for development on Windows, potential antivirus (AV) flags, and how to safely explore it:
Solution:
Your concern is very reasonable—false positives from antivirus software are common, especially with unsigned binaries and Go applications, but due diligence is always critical.
1. Why Antivirus Flags Happen
Many Go-based applications get flagged purely because they bundle everything into a single executable and are unsigned. Most open source projects do not pay for code-signing certificates, so Windows and many AV engines default to caution, occasionally overreacting.
2. Community Experience
Some developers have used FrankenPHP on Windows after disabling AV just for the installation/execution process, but this is only advisable if you absolutely trust the source.
GitHub Issues indicate no verified reports of malware presence, and flags are most likely generic due to the build process (example discussion).
3. What Can You Do?
Safer Exploration Steps:
- Check Official Source: Download FrankenPHP only from the official GitHub releases page.
- Use Windows Sandbox or a VM: Instead of using your main environment, run FrankenPHP inside Windows Sandbox or a lightweight Virtual Machine. This isolates any potential risk.
- Manual Scan: After downloading, re-upload the file to VirusTotal (as you did). Check the specific vendors and what they're flagging—it’s often heuristic or generic detection.
- Build From Source: If you’re still concerned, you can build FrankenPHP from source on your own machine. This way, you’re certain there’s nothing in the executable you didn’t put there:

      git clone https://github.com/dunglas/frankenphp.git
      cd frankenphp
      # You need Go and PHP source
      go build -o frankenphp.exe

  Review the code and dependencies if you want maximum control.
4. AV Exemptions (Not Recommended Generally)
If you’re comfortable, you can add FrankenPHP to your AV’s exclusion list after verifying the source as above. But generally, sandboxing or building from source is safer.
5. Alternatives
If FrankenPHP remains problematic, you can use Docker on Windows for a similar local development experience with minimal risk:
docker run -it -p 8080:80 dunglas/frankenphp
6. Community & Reporting
If you do use FrankenPHP and notice any issues, contribute back to the community by reporting your findings on GitHub. This will help the maintainers improve their release process and possibly pursue code-signing in the future.
Summary
- Many flags are false positives with Go unsigned binaries.
- Use Sandbox/VM for first tests.
- Build from source for peace of mind.
- Docker offers a safe alternative.
- Only download from official sources.
Let the community know about your experience to help others! Reach out if you need help with building or running in a safe environment.
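
To go with the "Check Official Source" and "Manual Scan" steps above, here is an added PowerShell example (not from the original answer or the FrankenPHP project) that records a downloaded file's SHA-256, Authenticode status and recorded download origin before you run it. The function name, file path and expected hash are assumptions for illustration.

```powershell
# Added example: pre-run checks for a downloaded, possibly unsigned binary.
# Test-DownloadedBinary is a hypothetical helper name; the path and hash in
# the usage line at the bottom are placeholders.
function Test-DownloadedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Optional SHA-256 to compare against, e.g. the hash of your own
        # source build or a checksum obtained from a source you trust.
        [string] $ExpectedSha256
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Authenticode: 'NotSigned' is what an unsigned open source build reports;
    # 'HashMismatch' means a signed file was modified after signing.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Mark-of-the-Web: browsers store the download origin in the
    # Zone.Identifier alternate data stream (NTFS only; may be absent).
    $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                        -ErrorAction SilentlyContinue
    $origin = $motw | Where-Object { $_ -match '^(HostUrl|ReferrerUrl)=' }

    # Leave HashMatches empty when no expected value was supplied.
    $hashMatch = $null
    if ($ExpectedSha256) {
        $hashMatch = ($hash -eq $ExpectedSha256.Trim().ToUpperInvariant())
    }

    [pscustomobject]@{
        File        = $file.FullName
        Sha256      = $hash
        HashMatches = $hashMatch
        Signature   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Origin      = $origin -join '; '
    }
}

# Usage (placeholder values):
# Test-DownloadedBinary -Path .\frankenphp.exe -ExpectedSha256 '<sha256 from a source you trust>'
```

The reported SHA-256 can also be searched on VirusTotal directly, which avoids re-uploading the file. Review the `Origin` field by eye to confirm the download came from the location you intended.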