Virus scanner look for patterns seen in known viruses. However, legitimate software may have the same pattern as other software and thus also in viruses.

Did you download it from gpg4win.org? If you have any doubts please check the integrity of the package using an older gpg4win version or by comparing the provided checksum.

Yes, I downloaded from "gpg4win.org".
Notice that the SHA256 from VirusTotal and gpg4win.org for "gpg4win-3.0.1.exe" are identical.
SHA256: f05e5d272a794002149effc516f4b32f62fa575563f632b084bd044017b1206f

False positives are possible, but having two anti-virus programs identify a virus is not good.

Since most projects include source code from other third party projects, it is difficult to track so much code. Knowing this, foreign governments are inserting source code into previously safe source code hoping no one will notice. If that source code is shared by other projects, viral source code could easily spread.

Someone needs to determine which software package contains the virus and make sure there is no adware or other bad stuff in it.

In summary, everyone needs to be careful and show proof that it truly is a false positive i.e. with viruses, you are guilty until proven innocent.