Tribler / tribler

Privacy enhanced BitTorrent client with P2P content discovery
https://www.tribler.org
GNU General Public License v3.0

False report of Trojan in Tribler installer - PyInstaller issue #5979

Closed xoriole closed 1 month ago

xoriole commented 3 years ago

We recently received a report from one of our users that his antivirus reported the Tribler installer of the latest 7.8.0-RC1 (x86 version) as containing malware. Upon further investigation, we found out that it was indeed flagged by some of the antiviruses.

Here is a scan report from VirusTotal of the installer file. https://www.virustotal.com/gui/file/81459ff68a6df81b43aaccc7b5907171877bdf4e4b4daaea3192697da4b591c0/detection

After checking the build infrastructure, we detected no malware on our build machines. Instead, the root cause was found to be a build library we used for creating the installer file. We have been using PyInstaller (https://github.com/pyinstaller/pyinstaller) for many years without issues. We recently updated to the latest version (v4.2), where the generated executables appear to be falsely flagged as containing malware. After downgrading to the older version (v3.6), the generated executables are reported safe by antiviruses.

Here is another scan report from VirusTotal. https://www.virustotal.com/gui/file/a1da3a1361708db4f522b30d5ea1217aa03698b6938f5af15afaf518eda5f598/detection

For now, all the binaries for the latest RC release 7.8.0-RC1 have been rebuilt and published.

For future assurance that such a situation does not arise, here are a few tasks to do:

xoriole commented 3 years ago

The build job in Jenkins now does malware checks using the VirusTotal API. Whether or not to enable the check is determined by a build job parameter, VIRUS_CHECK. The parameter itself is disabled by default on dev builds and enabled on release builds. It takes on average 4 extra minutes to perform the checks, totaling around 9 minutes to complete the job.

Here is a link to a job with virus check enabled. https://jenkins-ci.tribler.org/job/Build-Tribler_release/job/Build/175/

For each artifact, an *.analysis.json file is generated that contains the results of the checks. The current behavior is that if any of the antivirus engines detects malware, the job also fails.
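The kind of gate described in this comment, written here as an added illustration and not Tribler's own Jenkins script: it looks up the artifact's SHA-256 on the VirusTotal v3 API, writes a `*.analysis.json` next to the artifact, and fails on any detection while listing engines that timed out separately. The script name, the engine names and the verdicts in the embedded sample report are constructed for the example.

```python
import hashlib
import json
import sys
import urllib.error
import urllib.request

# VirusTotal API v3: fetch an existing analysis by the file's SHA-256.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"

# Constructed sample shaped like a VT v3 file object; engine names and verdicts are invented.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "EngineA": {"category": "malicious"}, "EngineB": {"category": "undetected"},
    "EngineC": {"category": "timeout"}}}}}


def sha256_of(path):
    """Digest that VirusTotal indexes files by."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def fetch_report(digest, api_key):
    """Return the VT file object for `digest`, or None if VT has never seen the file."""
    req = urllib.request.Request(VT_FILE_URL.format(digest), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None  # never analysed: upload it (POST /api/v3/files) and retry later
        raise


def evaluate(report):
    """Reduce a report to (verdict, flagged_engines, timed_out_engines): "fail" when any
    engine labels the file malicious or suspicious (the 'any detection fails the job'
    policy); timeouts are listed separately so a scan with many timeouts is not mistaken for clean."""
    results = report["data"]["attributes"].get("last_analysis_results", {})
    flagged = sorted(n for n, r in results.items() if r.get("category") in ("malicious", "suspicious"))
    timed_out = sorted(n for n, r in results.items() if r.get("category") == "timeout")
    return ("fail" if flagged else "pass"), flagged, timed_out


if __name__ == "__main__":
    # usage: vt_gate.py <artifact> <api-key>; with no arguments the constructed sample is evaluated
    live = len(sys.argv) == 3
    report = fetch_report(sha256_of(sys.argv[1]), sys.argv[2]) if live else SAMPLE_REPORT
    if report is None:
        sys.exit("artifact not known to VirusTotal yet")
    verdict, flagged, timed_out = evaluate(report)
    with open((sys.argv[1] if live else "sample") + ".analysis.json", "w") as out:
        json.dump({"verdict": verdict, "flagged": flagged, "timed_out": timed_out}, out, indent=2)
    sys.exit(1 if verdict == "fail" else 0)
```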

xoriole commented 3 years ago

Update: Tested the Windows 32-bit Tribler binary built with a custom PyInstaller (v4.2) bootloader for Windows 32-bit, but it is still reported unsafe by two antivirus engines.

[Screenshot: 2021-02-10 at 14:26:55]

https://www.virustotal.com/gui/file/136a66f28b4daaa3a0278a4db9fe6faa76073465713987693316ba8f3f5d754d/detection

xoriole commented 6 months ago

I have tested a PyInstaller build with a script that simply prints Hello World without any dependencies and scanned the binary (.exe). The binary was still flagged as including malware here. This was still the case when the build was done using GitHub Actions, to exclude the possibility that the builder machine was somehow infected. My conclusion is: PyInstaller is no longer a good packaging solution for us.

As an alternative, I have started to explore PyOxidizer, which so far seems interesting. Once I have a build working, I plan to check if it is still flagged as containing malware. If that is reported safe, then I will continue with building the full binary for Tribler.

[Screenshot: pyinstaller-hello exe]

xoriole commented 6 months ago

Update: I've got a binary build using Cx_Freeze working on a test machine (Win10 64-bit). Uploading the build to VirusTotal did not report any malware, but many of the engines also timed out. https://www.virustotal.com/gui/file/80ba414e59adc0fcbc8990169f72c13a89483467a50a89626bd38106340a32ae?nocache=1

A notable difference in the binary built with Cx_Freeze compared to PyInstaller is its size. The Cx_Freeze final binary is twice as large as the PyInstaller build.

I think 145 MB is still an acceptable size, worth it for being reported safe.

drew2a commented 5 months ago

Duplicate:

qstokkink commented 1 month ago

This issue has high overlap with #5648. I'll close this issue and let's move the discussion over there.