I added one dependency to my project which added another and another - in the end, I got the crate pelite. This crate has a "blob" file which was marked by Windows as "Trojan:Win32/Fuery.B!cl".
I assumed that this was a false positive, but it wasn't shown as a "maybe/possible" trojan. I found the crate on GitHub and downloaded the "blob" file from GitHub and it is ok. If I download it from crates.io (either via Cargo or manually) then I get the trojan warning.
My problem is that `cargo run` downloaded and ran it as the antivirus couldn't stop it or delete the file.
Your first step should be to establish that the malware was not run on your system. Nothing inside of Cargo or Rust will run that specific file automatically, but the crate might contain a build script
The next step is to ascertain if it actually is malware. pelite has an issue where this has been raised:
Ugh this dumb issue, it's a false positive which I already tried to make go away once.
That file contains like 200 PE samples for testing pelite against. These are fairly unusual samples because I wanted to see how pelite would fare and due to their unusual nature tend to get picked up by anti virus.
If you trust the author that it's not really an issue, then there's nothing else to do.
If the author isn't aware of the issue, you can try reaching out to them, following any security contact information they might have (relatively rare for most crates) or opening an issue.
If you don't trust the crate owner or they are unreachable, your final step should be to contact the Rust Security Team via email. Be complete and thorough about the issue and provide as much information as you can.
In my personal opinion, the particular warning you are asking about is a false positive and I would not worry about it. Running an online virus scanner (which I don't know the quality of) reports it as a large number of possible things, in line with what the author said about being a large number of samples.
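An added example (not part of the original answer, and not Cargo's own code) for the first step above: the function reports whether an unpacked crate has a build script, which Cargo would compile and run during a build. The name `build_script_of` is hypothetical; the logic assumes Cargo's documented handling of the `build` key in `[package]` and its auto-detection of `build.rs` in the package root.

```shell
#!/usr/bin/env bash
# Report whether an unpacked crate would run a build script at compile time.
# Usage: script.sh <crate-dir>...   prints the script path, or "none".

build_script_of() {   # hypothetical helper name
    local dir=$1 manifest="$1/Cargo.toml" value
    [ -f "$manifest" ] || { echo "error: no Cargo.toml in $dir" >&2; return 2; }

    # Read the `build` key from the [package] table only, so that a
    # dependency that happens to be named "build" is not mistaken for it.
    value=$(awk '
        /^[[:space:]]*\[/ {
            in_pkg = ($0 ~ /^[[:space:]]*\[package\][[:space:]]*(#.*)?$/)
            next
        }
        in_pkg && /^[[:space:]]*build[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")      # drop "build ="
            sub(/[[:space:]]*(#.*)?$/, "")      # drop trailing comment
            print
            exit
        }' "$manifest" | tr -d "\"'")

    case "$value" in
        false)                       # auto-detection explicitly disabled
            echo none ;;
        ""|true)                     # key absent: build.rs is used if present
            if [ -f "$dir/build.rs" ]; then echo build.rs; else echo none; fi ;;
        *)                           # explicit path to the build script
            echo "$value" ;;
    esac
}

# Run over every crate directory given on the command line.
if [ "$#" -gt 0 ]; then
    for crate in "$@"; do
        printf '%s: %s\n' "$crate" "$(build_script_of "$crate")"
    done
fi
```

With a default Cargo home, downloaded crate sources are unpacked under `~/.cargo/registry/src/`, so the script can be pointed at the `pelite-*` directory there; any script it reports should be read before trusting the build.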