Antigravity language_server.exe Malware Warning: Safe to Restore?

Brendan Smith
Brendan Smith - Cybersecurity Analyst
11 Min Read
Antigravity language_server.exe verification before restoring an antivirus detection.
Verify the Antigravity build, source, path, and SHA-256 before restoring its language server.

Antigravity language_server.exe with SHA-256 05a9c443cb7e3d6e5f2bc0f65e02d106786c6f6dec201a042f49f8ca38b40768 is the legitimate language server bundled in the official Google Antigravity 2.3.1 Windows x64 package. We extracted that build from Google’s current download, verified the Google LLC signature on the outer installer, and matched the reported file byte for byte. For this exact hash from that official package, a heuristic Trojan or backdoor warning is a false positive. Do not apply that verdict to a different hash, an unexpected path, or an installer from a lookalike site.

If the antivirus has already quarantined the file, leave it contained until you complete the checks below. Restoring a verified file can repair Antigravity; restoring the wrong one can allow malware to run.

What we verified in Antigravity 2.3.1

We downloaded the Windows x64 installer through the official Google Antigravity download page, then extracted it without executing the installer. These facts apply to build 5358163105546240 released as Antigravity 2.3.1:

Component Verified value
Outer installer Antigravity-x64.exe, SHA-256 100d785a83778268fb522f67dce4449966db8ce6579d51e23442bd18d5ef896f
Installer signature Valid Authenticode signature from Google LLC through DigiCert, timestamped July 16, 2026
Bundled component resources\bin\language_server.exe, 130,642,432 bytes
Language-server SHA-256 05a9c443cb7e3d6e5f2bc0f65e02d106786c6f6dec201a042f49f8ca38b40768
Inner-file signature No separate Authenticode signature on language_server.exe

The unsigned inner file is not automatically malicious. Many desktop applications sign the installer or application bundle rather than every internal executable. Antigravity’s language server also has broad agent functions involving files, terminals, browsers, repositories, credentials, and project context. Those capabilities can resemble suspicious behavior to a heuristic engine even when the exact binary came from Google’s signed package.

The opposite rule matters too: a familiar filename does not prove a file is safe. Malware can copy language_server.exe or use a trojanized Antigravity installer. The hash and delivery source are the identity checks.

How to check your Antigravity language-server hash

  1. Record the antivirus evidence. Copy the full detection name, file path, file size, Antigravity version, and detection time. Do not delete the quarantine record yet.
  2. Confirm the product source. Antigravity should have come from antigravity.google or its Google-hosted update path. A search ad, hyphenated lookalike, mirror, message link, or third-party wrapper changes the decision.
  3. Locate the exact file without running it. Current package layout uses resources\bin\language_server.exe. Older builds and reports can use resources\app\extensions\antigravity\bin\language_server_windows_x64.exe; an older filename must not be compared with the 2.3.1 hash as though it were the same build.
  4. Open PowerShell and calculate SHA-256. Replace the example path with the path recorded by your antivirus:
Get-FileHash "$env:LOCALAPPDATA\Programs\Antigravity\resources\bin\language_server.exe" -Algorithm SHA256

If the file exists only in quarantine, use the antivirus details or export/submission workflow rather than restoring it merely to calculate a hash. Treat source, signature, hash, path, and behavior as one evidence set rather than trusting the filename alone.

Should you restore Antigravity language_server.exe?

What you find Safest action
Antigravity 2.3.1 came from the official Google path and the file SHA-256 is exactly 05a9c443...b40768 The reported heuristic verdict is a false positive for this file. Restore the exact item or reinstall the same official build, then update and rescan before adding any exception.
The source is official but the version or hash is different Do not reuse the 2.3.1 verdict. Keep the item quarantined, update Antigravity and the antivirus, calculate the new hash, and submit the file to the detecting vendor for review.
The path is unexpected, such as a random Temp, Downloads, Startup, or unrelated application folder Do not restore it. Trace the process and installer that created it and run a full system scan.
The installer came from a lookalike domain, ad, mirror, chat link, or unknown repository Treat it as a possible fake installer. Disconnect the PC if it ran, preserve the URL and file, scan the system, and rotate exposed accounts from a clean device.
The file was restored before the source and hash were checked Re-quarantine it if possible, collect the hash and signer evidence, and review recent tasks, services, startup entries, browser changes, and account sessions.

Prefer reinstalling or repairing Antigravity from the official source over excluding the whole %LOCALAPPDATA%\Programs\Antigravity tree. A broad folder exception would also trust a future changed file placed there. If an exception is unavoidable after verification, make it as narrow and temporary as the antivirus allows.

Why Antigravity gets stuck on Working after quarantine

The language server is not an optional document file; it is a core Antigravity component. When antivirus software removes or isolates it, the interface can still open while prompts remain stuck on Working, agents stop responding, or developer tools show a missing-language-server error. A June 2026 user report in the Google AI Developers Forum documents this exact failure after Avast quarantined language_server_windows_x64.exe as IDP.Generic.[2]

That symptom proves only that Antigravity cannot find its component. It does not prove every quarantined copy is safe. Repair the application only after the installed source, build, path, and hash agree. If the alert is specifically IDP.Generic, the IDP.Generic false-positive checklist covers the generic detection logic; this page supplies the Antigravity-specific build evidence.

What if the hash or installer source is different?

Stop at the first mismatch. A different hash may be a newer legitimate build, a damaged file, or a malicious replacement; the 2.3.1 result cannot distinguish those cases. Check the current official release, reinstall from Google, and compare again. Do not let a scanner-count majority or a familiar filename replace the identity check. The multi-engine false-positive guide explains why a detection ratio is evidence, not a safety vote.

Fake Antigravity download pages are a confirmed risk. Broadcom documented a typosquatted domain distributing a malicious installer that imitated the real developer tool.[3] If an unofficial installer ran, quarantine of one visible file may leave a loader, scheduled task, service, browser change, remote-access component, or stolen session behind.

  1. Disconnect the affected PC from sensitive work accounts and do not rerun the installer.
  2. Preserve the download URL, filename, hash, timestamp, and antivirus record.
  3. Run a full security scan and inspect Startup apps, Task Scheduler, services, browser extensions, remote-access tools, and recently created files.
  4. From a clean device, revoke active sessions and rotate passwords, API keys, Git credentials, package tokens, cloud keys, and wallet access that the PC could reach.
  5. Use the fake developer-tool malware cleanup when the installer, repository, or command came through a recruiter, coding test, ad, or copied setup instruction.

A second scan is useful in this branch because quarantining the visible executable does not remove a separate downloader, startup entry, scheduled task, service, browser modification, or bundled module. Gridinsoft Anti-Malware can check those persistence points and related files before you restore anything or trust the PC with developer credentials again.

Scan before you restore or allow the file.

A false positive is possible, but restore only after checking that the system has no companion detections, startup entries, scheduled tasks, or hidden files tied to the same source.

Scan before restoring a different file

Why the older ThreatInfo result does not contradict this verdict

Gridinsoft ThreatInfo has an older record for language_server_windows_x64.exe identified by MD5 01e3298fe12d6d6591b32f7a8fce0186. That page remains the evidence record for that exact sample. It is not the same identity as Antigravity 2.3.1 language_server.exe with SHA-256 05a9c443...b40768. File verdicts attach to exact bytes and context, not merely to a reused filename. Use the older ThreatInfo sample record only when the local file matches that record.

FAQ

Is Antigravity language_server.exe malware?

The Antigravity 2.3.1 file with SHA-256 05a9c443cb7e3d6e5f2bc0f65e02d106786c6f6dec201a042f49f8ca38b40768 is a legitimate component from Google’s signed package. A different hash, unexpected path, or unofficial installer needs its own investigation.

Why is the inner language server unsigned if Google made it?

The outer Antigravity installer is validly signed by Google LLC, while the bundled language server is not separately Authenticode-signed. Software packages do not always sign every internal executable. The missing inner signature can contribute to heuristic suspicion, but the official package source and exact hash provide the stronger build-specific identity evidence.

Can I exclude the entire Antigravity folder?

A broad permanent exclusion is not the safest first fix because it also trusts future changed files placed in that folder. Verify the exact build and hash, prefer an official reinstall or repair, update the antivirus, and use only the narrowest exception required after vendor review.

Does stuck on Working mean the quarantine was a false positive?

No. It means Antigravity cannot use its language server. Confirm the source, path, version, and hash before restoring the component. Malware using the same filename could produce a similar application failure when removed.

What should I do after running a fake Antigravity installer?

Disconnect the PC from sensitive accounts, preserve the installer evidence, run a full scan, inspect persistence and remote-access changes, then revoke sessions and rotate developer, cloud, browser, and wallet credentials from a clean device.

References

  1. Google. “Download Google Antigravity.” Google Antigravity, accessed July 16, 2026. Official Antigravity download page.
  2. Sai_Srivatsava_Kunta. “FIX: Antigravity IDE stuck on ‘Working…’ indefinitely.” Google AI Developers Forum, June 16, 2026; accessed July 16, 2026. Antivirus quarantine symptom report.
  3. Broadcom Security Response. “Typosquatted Domain Targets Developers with Malicious Antigravity Installer.” Broadcom Protection Bulletin, 2026; accessed July 16, 2026. Fake Antigravity installer bulletin.
Share This Article
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?