qBittorrent
qBittorrent 4.5.4 release flagging by Microsoft Defender as having a trojan
qBittorrent & operating system versions
qBittorrent 4.5.4 x64 OS Windows 10 Home 22H2 (10.0.19045) x64
What is the problem?
Release downloaded from linked Fosshub being flagged by Windows Defender as testing positive for Trojan:Win32/Wacatac.H!ml
Virustotal (and their version of Defender) says otherwise, but my Windows Defender, including having updated its definitions 10 minutes ago, is flagging and removing qBt 4.5.4
Can't register on the forums to post this since the security questions seem to be unanswerable (i.e. it asked current year + 1 and apparently 2024 is wrong)
Steps to reproduce
No response
Additional context
No response
Log(s) & preferences file(s)
No response
I believe that Microsoft's Defender is the scapegoat here as it also says that Daemon-Tools Lite sporadically gets flagged for virus/trojan even though it doesn't have it.
Nope, there is really a problem with the installer. Missed the file signature, maybe?
Can confirm also file is flagged with Chrome Safe Browsing. That did not happen with the previous version.
I just downloaded it like minutes ago and had 0 issues. Windows 11 x64.
Only the reputation (SmartScreen) pop-up appeared where you just click it and you can open the file normally.
Upd1.: Checked both lt20-qt6 and normal x64 builds, none of them triggered Defender and I am also running the lt20-qt6 version since upgrading, no problems whatsoever. Upd2.: Quickly checked on an other Windows 11 computer, same thing, zero issues, no detection, no problems, clean upgrade.
@ralinchan Could you post a screenshot from Windows's Settings -> Security -> Windows Security, and show us what kind of detection you got from Defender? It should show the latest detections, etc. It's also possible that Microsoft fixed the issue since.
I heard AV vendors are really struggling now because generative AI is being adopted by malware authors as well.
On chrome and Windows 10
https://pasteboard.co/dZ3fjOz2e82z.png https://pasteboard.co/SSJD5fwEXjpI.png
(Error says "Unknow editor")
@Preciel-ES That's not a virus flag.
First screenshot: That's Chrome, it pops up for "unknown exe files". You just either go into Chrome's Downloads and allow, or click that little arrow and allow. Second screenshot: That's Windows's "SmartScreen" which warns on every rare file. Click execute.
These are not anti-virus warnings, neither thinks it's a virus, they just kinda warn you that the executable is not known, thus you should be careful. They are trying their best to protect regular users, who usually don't even install software on their computer at all. They usually just use a browser and in case they'd suddenly download an .exe file, it is a good thing that multiple layers are trying to save them because it is actually a harmful program.
Hell, normal users only encounter .exe files when the scammers try to get their remote / RAT software installed by the poor victim.
@Balls0fSteel, I'm not the one who said it was a virus, the OP did. My comment said it was most likely the package signature.
Usually such things happen because the package signature is not what it should be. A small check needs to be done; most users get freaked out just by a small warning like this one.
Trojan:Win32/Wacatac: only Windows Defender has been seen doing this, and it is its signature paranoia in many cases for "unwanted" programs, which are not viruses in most cases. Presumably this signature was created many years ago and is now also used by their AI scanner, which is periodically experiencing "paranoia".
So I get now why no other actual antivirus detects something in the file. My Avast too. I think Google also saw this signature from Microsoft Defender and flagged the file for 2 days. It's strange for me because I should have caught this alert too, since Microsoft and Avast are sharing AV databases somehow.
7-Zip appears to be flagged for similar: https://sourceforge.net/p/sevenzip/discussion/45797/thread/3f550826d8/
I would consider this issue a false positive
This seems to only happen with FossHub links, SourceForge is ok.....from my testing.
This isn't the first time this has happened & usually occurs on initial release prior to/in-between av/malware etc definition updates.
2 days later even SF links are now OK tried every version. Apparently they figured it out there at least on Google that it is a false positive.
In case you don't know, I am the person doing the builds/releases/installers.
This is yet again a false positive. We have those occasionally. Let me explain some things:
There are mainly 2 types of warnings people see when using the installer. Either the browser(eg Chrome) or the system doesn't recognize the URL and file as "harmless" or the AV suites are tripped up by some irregularities of the installer.
Either the browser(eg Chrome) or the system doesn't recognize the URL and file itself as "harmless"
This happens with files that aren't signed with a code-signing certificate AND are new on the web. Browsers/OS use centralized scanning services which in turn use a reputation system for each file they scan. Unsigned files start with a low reputation. As more and more people start using them, scan them, and not report them as harmful, the reputation starts rising until the scanning service shuts up about the files. The files have essentially become "old" and implicitly trusted due to user usage.
This probably works in a similar way for flagging URLs as untrusted. It wouldn't surprise me if Chrome has whitelisted the SourceForge domain as a whole, since it has served open source for many decades now and has built a very good reputation (about malicious content). This could explain the discrepancy with FossHub regarding URL flagging.
or the AV suites are tripped up by some irregularities of the installer
The software used for making the installer is NSIS (Nullsoft Scriptable Install System). It is basically a program that wraps our program (qbittorrent.exe) and runs a series of commands to "install" our program in the correct place and make any necessary changes to the system to reflect the installation of our program. The NSIS scripts for our installer are here.
The AV suites probably don't like our installer for these reasons:
- It is unsigned software
- The UAC/privilege escalation is handled in a weird way by the installer. When you start the installer it runs as a normal process, which forks itself and runs again as a process requesting UAC. Now you have 2 processes running. The two processes communicate with each other during installation, because some actions should be performed with normal privileges while others should be performed with escalated privileges. However, this whole setup is frowned upon by some AV suites.
- I am not sure how exactly this is implemented behind the scenes but it is entirely possible that the UAC process above creates a temporary .exe (in tmp) and launches it. This .exe file is unsigned. Both the fact that we emit a temp .exe and the fact that it is unsigned is seen as malicious by strict AV heuristics.
- Once the installer finishes installing, it needs to write the uninstaller, which is another .exe which is unsigned. You get the idea.
As I said, our installer wraps our program (qbittorrent.exe) inside it. You can use 7-zip, open the installer as an archive, extract qbittorrent.exe and upload it for scanning. You probably won't get any red lights even from heuristics.
How to be sure that you have an official release and not a tampered one by a 3rd-party?
On the Downloads page of our website we publish the sha256 hashes of each installer of the current version. You can compare it with the sha256 hash of the downloaded file.
Additionally, each installer is signed with a PGP signature. How to verify PGP signature.
Wait, how do I know that you yourself don't distribute malicious software?
OK, you can verify that my downloaded file is an official release. How do you know that I don't distribute malicious software?
There's not much I can say about that, except that:
- Historically, I haven't done so for many many years already. All releases of qBittorrent until now were clean. There wasn't a virus/miner/whatever found in any of the installers to date.
- Is it OK to ignore the multitude of AV vendors that give a green light on a scan and instead focus on 1-2 vendors that complain about their heuristics finding icky behavior?
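The two checks described above (compare the downloaded installer's sha256 with the published one, then verify the detached PGP signature), as an added example that is not the qBittorrent project's own code. It assumes the published hashes are given in `sha256sum` style (`<sha256>  <filename>`, one per line), that the signature is a detached `.asc` file next to the installer, and that the signing key is already in the local gpg keyring; the installer file name and the sample content are constructed.

```python
"""Verify a downloaded installer against a published sha256 list and a detached
PGP signature.  Added example; assumptions are marked in the comments."""
import hashlib
import hmac
import shutil
import subprocess
import tempfile
from pathlib import Path

HEX = set("0123456789abcdefABCDEF")


def parse_hash_list(text: str) -> dict:
    """Map file name -> lowercase sha256 hex digest.

    Assumed format: one "<sha256>  <filename>" entry per line, as written by
    `sha256sum`; a leading '*' on the name (binary mode) is tolerated."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*").strip()
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed hash entry: {line!r}")
        table[name] = digest.lower()
    return table


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through sha256 so large installers don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def check_installer(path: Path, hash_list_text: str) -> dict:
    """Compare the file's digest with the published one for its own file name.
    Returns status "ok", "MISMATCH" or "unlisted" plus both digests."""
    table = parse_hash_list(hash_list_text)
    expected = table.get(path.name)
    actual = sha256_of_file(path)
    if expected is None:
        return {"status": "unlisted", "expected": None, "actual": actual}
    # compare_digest: constant-time comparison, a habit worth keeping for any digest check
    matched = hmac.compare_digest(expected, actual)
    return {"status": "ok" if matched else "MISMATCH", "expected": expected, "actual": actual}


def verify_pgp_signature(path: Path, sig_path: Path):
    """Run `gpg --batch --verify <sig> <file>`.  Returns True on a good signature,
    False on a bad/unknown one, None when gpg is not installed.  The release
    signing key must already be imported into the local keyring."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    result = subprocess.run([gpg, "--batch", "--verify", str(sig_path), str(path)],
                            capture_output=True, text=True)
    return result.returncode == 0


def check_sample(content: bytes, published_digest: str,
                 name: str = "qbittorrent_4.5.4_x64_setup.exe") -> str:
    """Write constructed bytes to a temp file named like an installer (name is an
    assumption) and return the hash-check status against `published_digest`."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / name
        installer.write_bytes(content)
        hash_list = f"{published_digest}  {name}\n"
        return check_installer(installer, hash_list)["status"]


if __name__ == "__main__":
    # Constructed sample: sha256(b"abc") is a well-known test vector.
    good = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    print("matching content :", check_sample(b"abc", good))    # ok
    print("altered content  :", check_sample(b"abd", good))    # MISMATCH
    # Real use: check_installer(Path("qbittorrent_4.5.4_x64_setup.exe"), open("sha256sums.txt").read())
    #           verify_pgp_signature(Path("...setup.exe"), Path("...setup.exe.asc"))
```

A hash match only proves the bytes are the ones the download page lists; the PGP check is what ties those bytes to the release key, so a `False` from `verify_pgp_signature` on a file whose hash matched means the hash list itself should be distrusted, not the signature.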
Hello @sledgehammer999, and thanks for all the clarification.
As I said myself from the start, unlike the OP, to me the problem was the signature. Maybe, for some reason, Chrome/Windows, has come to not trust NSIS.
Unfortunately, it's easier to be flagged as high risk/untrusted than the opposite. Not on the same subject, but I also got a false positive with a website. My server IP took less than 1 hour to be flagged high risk, and over 2 months to get back in the low risk range.
It's indeed not OK to take 1~2 AV scans for granted; it's, more often than not, a false positive indeed. But there were also cases where only 1~2 vendors were able to truly see the threat, which is why it will never be ignored.
For now, it's best to wait and see. Either NSIS or FossHub (or both) could have been flagged for some reason, and it will take some time to get back to normal.
It will never go back to normal, especially when Yumi just got flagged for Windows 7 commands. The only thing is the vendors will whitelist it. But with every other release it will be flagged for a couple of days.
I already told about this here https://github.com/qbittorrent/qBittorrent/issues/19203#issuecomment-1598423963
Torrent programs are now considered PUPs by all of the scanners, because it's p2p and you can download unsafe programs through it. It's not new, to be honest.
I am more concerned about the BAZAR backdoor signatures that some security providers discovered when the new release went up.
Did we ever figure out why this is being flagged as a BAZAR backdoor?
Following up here. The 4.5.5. flags as that "bazar" malware whereas older versions do not?
I'm wondering if it's not related to the libraries used.
The default download (Qt5 and libtorrent 1.2.x) has 3 flags on VirusTotal
Then I tried the version with Qt6 and libtorrent 2.0.x: no flags at all, no matter the download source.
Maybe there is some kind of dangerous hack possible with the old libraries, which is why the app is flagged?
It's weird because version 4.5.4 has 2 flags, but doesn't have the bazar loader flag. That was new with 4.5.5. Is it safe to assume that these are all false positives?
I assume it's safe to assume this is all false positives?
These are not actual AV screens and software. It's sandboxes which flag files even with a reputation model or similarity with the download domain. Also it may be that the person that found "something" did authorize it with other samples of actual ransomware models, but without an actual full report it's near useless, like "community scores".
Can confirm Windows Defender on Windows 11 Pro flagged the standard x64 version as a virus. Will add screenshots to my post soon.
https://www.virustotal.com/gui/file/96bac43faac2b1fa5e0bc495975b2e642af5da181e313a9c8f541912b83c0edb
Bkav Pro W32.AIDetectMalware
on your link there is 0 detections
I submitted it and it was scanned for viruses on 28 April 2024, more than 1 month ago. The result can change depending on their antivirus updates.
Yes, and that only shows that antiviruses can falsely flag files; that's why there is a "report false flag" button in the antivirus's support or in quarantine.
Closing.