
Virus warning from Microsoft defender and Virustotal

Open Pareidol opened this issue 2 years ago • 11 comments

I downloaded the latest portable version for Windows (like I did for the 0.4 version a long time ago). As I tried to run it I got a Windows warning ("PC protected through Windows" or similar). Next I tested the downloaded file via VirusTotal, and there I also got some warnings. I also tested the .msi and got warnings as well.

https://www.virustotal.com/gui/file/71d4fc4eea97199218fdde36717e90326ed0fd4bd980c6afbffc263514e34be9 https://www.virustotal.com/gui/file/52151f4964b9da2ba96dadb2050491e26f89ef4291ce9a5e08c60093a7532aef

Pareidol avatar Mar 29 '22 21:03 Pareidol

But strangely, if I test the link for the exe directly, it shows no virus. https://www.virustotal.com/gui/url/d91b515ec94916cb97c2e410b4ecc5a3727978a5782650738d8ce3004df5ace5

Pareidol avatar Mar 29 '22 21:03 Pareidol

Unsigned files will always give a smartscreen warning, until their alternate data stream contains information marking that you've accepted the risk of running an 'unknown' exe at least once. You can read more about that here.

As for the VT results, that's a false positive and can't really be avoided, as the application is built with pyinstaller. More info about why that happens here.

Every time I release my ChocolateyUpdate binary I have to report it as a false positive to Microsoft, otherwise it's automatically quarantined during the self-update process, which is obnoxious for the users. Not everyone can afford to sign their binaries.

Technetium1 avatar Mar 29 '22 22:03 Technetium1
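The two mechanisms described above (the SmartScreen mark on downloaded files and the unsigned-binary case) can be checked locally before running anything. The script below is an added example, not code from this thread or from the yt-dlg project; the download path in `$Path` is an assumed location, and the SHA-256 value is the one from the VirusTotal link in the report.

```powershell
# Added example (not from the thread or the yt-dlg project): inspect a downloaded
# binary the way a defender would before deciding whether to trust it.
# $Path is an assumed location for the downloaded executable.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\yt-dlg.exe"  # assumed path
)

# 1. Mark-of-the-Web: the Zone.Identifier alternate data stream that SmartScreen
#    consults. ZoneId=3 means the file came from the Internet zone.
$zone = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    Write-Host "Zone.Identifier stream present (file is marked as downloaded):"
    Get-Content -Path $Path -Stream Zone.Identifier
} else {
    Write-Host "No Zone.Identifier stream: SmartScreen will not treat this file as downloaded."
}

# 2. Authenticode signature: an unsigned file reports Status 'NotSigned';
#    a signed one reports 'Valid' plus the signer's certificate subject.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host ("Signature status: {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Host ("Signer: {0}" -f $sig.SignerCertificate.Subject)
}

# 3. SHA-256: compare the local file against the hash of the sample the
#    reporter submitted to VirusTotal (value taken from the issue above).
$expected = '71d4fc4eea97199218fdde36717e90326ed0fd4bd980c6afbffc263514e34be9'
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
if ($actual -eq $expected) {
    Write-Host "Hash matches the sample discussed in this issue."
} else {
    Write-Host "Hash differs ($actual): a different build, or the file was modified in transit."
}
```

Run it from a PowerShell prompt with `-Path` pointing at the file you downloaded. The Zone.Identifier stream is what `Unblock-File` removes once you have decided the file is trustworthy, so step 3 (hash comparison against the value the maintainers or VirusTotal publish) is worth doing before that, not after.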

This release is reviewed by Community and Microsoft rules. Check the validation here: https://github.com/microsoft/winget-pkgs/pull/41279#issuecomment-1015617246

oleksis avatar Mar 30 '22 00:03 oleksis

I downloaded the latest portable version for windows...

FYI: Just because it is the EXE instead of the MSI does not mean it is a portable version. Be aware that it does leave files on the C drive. See the following topic on a portable version enhancement request:

https://github.com/oleksis/youtube-dl-gui/issues/10

If you (or anyone else reading this) would also find a portable version useful then upvote the enhancement request above or offer your help if you have coding skills.

githottub avatar Apr 01 '22 10:04 githottub

Sorry for bothering you, where does it leave files on the C drive? I apologize, I am new in these things...

eli-se avatar Apr 06 '22 12:04 eli-se

Sorry for bothering you, where does it leave files on the C drive? I apologize, I am new in these things...

In this comment, see where the settings and the CLI backends are located.

oleksis avatar Apr 06 '22 16:04 oleksis

I jump into the discussion, as someone in my entourage took a deeper look into VirusTotal and found some possibly suspicious data: Contacted Domains and Contacted IP Addresses pointing to IP addresses that could themselves be linked to malware: https://www.virustotal.com/gui/file/71d4fc4eea97199218fdde36717e90326ed0fd4bd980c6afbffc263514e34be9/relations

I have no clue if this is a false alarm from VirusTotal (personally I think so) or not, but I think that a real problem with malware would have been discovered long ago. Is there an idea where these IP addresses may come from?

carlkl avatar May 26 '22 20:05 carlkl

You can check the steps to build the yt-dlg-20220118.3.msi MSI package using Azure Pipelines.

oleksis avatar May 27 '22 20:05 oleksis

The IPs belong to Microsoft, https://asrank.caida.org/asns/8068 & https://asrank.caida.org/asns/8075 confirm as much. False-positive for sure.

Technetium1 avatar May 28 '22 17:05 Technetium1

Avast also seems to block the website used to download the exe

Catscrath25 avatar Apr 06 '23 16:04 Catscrath25

Windows users can install yt-dlg from the Store: https://apps.microsoft.com/store/detail/ytdlg/XP9CCFSWS911F5

oleksis avatar Apr 10 '23 20:04 oleksis