clementine-player / Clementine

:tangerine: Clementine Music Player
https://www.clementine-player.org/
GNU General Public License v3.0

No virus free builds since 1.3.1 #6763

Open freddy2659 opened 4 years ago

freddy2659 commented 4 years ago

System information

  1. ClementineSetup-1.4.0rc1
  2. ClementineSetup-1.4.0rc1-211-g949c20abd
  3. ClementineSetup-1.4.0rc1-289-g834b1d451
  4. ClementineSetup-1.4.0rc1-296-g68d375c43

Expected behaviour / actual behaviour

Virus scans on VirusTotal.com would come up clean; however, ever since the initial 1.4.0rc1 release on Jan 2nd 2020, there have always been at least 2 detecting it as malware/trojan for every version I tested (above). I know these could be false positives, but it's interesting that at least 3 would have results for a lot of the recent builds.

The previous releases 1.3.0rc1, 1.3.0.2, 1.3.1 all came up clean.

Steps to reproduce the problem (only for bugs)

Download any version between 1.3.1 and current. Upload to virustotal.com and ask for a rescan, or check the previous scan results.

jbroadus commented 4 years ago

This person found the same with mingw cross-compiled executables. https://security.stackexchange.com/questions/229576/program-compiled-with-mingw32-is-reported-as-infected

Some of those appear to be pretty old, so I would expect them to be pretty well known by the security groups, but the majority, including the big ones there, don't find anything. Also, when I ran with a newer build, Comodo didn't detect anything.

Tutul- commented 4 years ago

On the last preview as of today, only Jiangmin and Ikarus are detecting it. After a quick search, it looks like both Trojan names are for two very different malware. As for Comodo, I submitted the program for checking by their team.

freddy2659 commented 4 years ago

I'll be honest, I haven't tried to compile Clementine from source myself. Is it easy enough to compile it with a different compiler? I feel like that would offer a strong indicator if the detected viruses are false positives from the compiler, or from the source itself.

MrAureliusR commented 4 years ago

I mean, the source is open. It's very easy to check if Clementine actually has viruses. These are clearly false positives and can safely be ignored. It's only worth paying attention to VirusTotal results if the major engines detect something.

freddy2659 commented 4 years ago

I agree, it's possible to check the source and it is most likely due to false positives. People who are familiar with the code might find this doable, but a vast majority of users don't have the time to read, process and fully comprehend the code.

The fact remains that the program is coming up as dirty, when before it was clean. Some change has caused multiple antivirus vendors to flag it - eroding trust in Clementine. Even if it's a false positive, shouldn't the solution be to find the cause and address it somehow rather than ignore the warnings?

Tutul- commented 4 years ago

A lot of antivirus software uses patterns or just checksums (md5) to find malware. Both may produce false positives by accident and need to be reported to the antivirus software team so they can fix that problem. It may be something within the latest mingw and not even in Clementine's code, as other projects were detected recently as false positives.

matkoniecz commented 4 years ago

@jonohein Please change the highly misleading title. This is about a false positive in third-party software, not about any problem in Clementine.

> Even if it's a false positive, shouldn't the solution be to find the cause

Stop trusting what low quality antiviruses report? That is a bug/problem in the antivirus, not in Clementine. (BTW, I am not sure whether there is any antivirus qualifying as high quality and whether using antivirus is at all useful anymore.)

MrAureliusR commented 4 years ago

I would echo what @matkoniecz said and again request @jonohein to change the title of this issue.

The specified "virus engines" that are shown are, essentially, unreliable garbage. Unless you see some of the major engines reporting something (Symantec, Intel, Malwarebytes, etc) then it's not worth reporting. You'll notice that every single engine is reporting a different malware. That's a huge sign that it's a false positive. For a real virus, multiple engines would recognize the same malware and it would be very clear that it's infected.
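The triage reasoning in this thread (few engines flagging, each naming a different family, none of the major engines agreeing, points to a false positive; several engines converging on the same family, including major ones, does not) can be written down as a small scoring routine. The following is an added example, not code from the Clementine project or from VirusTotal; the report layout (engine name mapped to a detection label or `None`), the `MAJOR_ENGINES` list and the constructed detection labels are all assumptions made for illustration.

```python
"""Multi-engine scan triage: separate scattered, disagreeing detections
(typical false positive) from consensus detections worth escalating.

Added example; report format, engine list and labels are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Assumption: engines whose verdict carries weight. The thread only names a
# few as examples; adjust this set to your own policy.
MAJOR_ENGINES = {"Symantec", "Microsoft", "Malwarebytes", "Kaspersky", "ESET-NOD32"}


@dataclass
class Verdict:
    detections: int            # engines that flagged the file
    total: int                 # engines that scanned it
    distinct_families: int     # how many different (normalised) names were reported
    major_hits: list = field(default_factory=list)
    assessment: str = "investigate"


def normalise_label(label: str) -> str:
    """Coarsely canonicalise a vendor label so 'Worm.SampleFamily.A' and
    'Worm/SampleFamily' count as the same family: keep the first two
    alphanumeric tokens, lower-cased. A heuristic, not a vendor mapping."""
    tokens = [t for t in re.split(r"[^A-Za-z0-9]+", label) if t]
    return " ".join(tokens[:2]).lower()


def triage(results: dict) -> Verdict:
    """results: engine name -> detection label, or None when reported clean."""
    hits = {engine: label for engine, label in results.items() if label}
    families = Counter(normalise_label(label) for label in hits.values())
    major_hits = sorted(engine for engine in hits if engine in MAJOR_ENGINES)
    top_agreement = families.most_common(1)[0][1] if families else 0

    if major_hits and len(hits) >= 3 and top_agreement >= 2:
        # Several engines, major ones among them, converge on one family.
        assessment = "likely-malicious"
    elif major_hits:
        # A major engine alone: not dismissable, but not consensus either.
        assessment = "investigate"
    elif len(hits) <= 3 and len(families) == len(hits):
        # Few minor engines, every one naming something different.
        assessment = "likely-false-positive"
    else:
        assessment = "investigate"

    return Verdict(len(hits), len(results), len(families), major_hits, assessment)


# Constructed report shaped like the situation described in the thread:
# two minor engines, two unrelated names, every major engine clean.
SAMPLE_SCATTERED = {
    "Jiangmin": "Trojan.PlaceholderA",   # constructed label
    "Ikarus": "Trojan.PlaceholderB",     # constructed label
    "Symantec": None, "Microsoft": None, "Malwarebytes": None,
    "Kaspersky": None, "ESET-NOD32": None, "Comodo": None, "Avast": None,
}

# Constructed contrast case: several engines, majors included, agree on a family.
SAMPLE_CONSENSUS = {
    "Symantec": "Worm.SampleFamily.A",   # constructed label
    "Microsoft": "Worm/SampleFamily",    # constructed label
    "Kaspersky": "Worm.SampleFamily.B",  # constructed label
    "Ikarus": "Worm.SampleFamily",       # constructed label
    "Jiangmin": "Trojan.Other",          # constructed label
    "Malwarebytes": None, "ESET-NOD32": None, "Comodo": None,
}

if __name__ == "__main__":
    for name, report in (("scattered", SAMPLE_SCATTERED), ("consensus", SAMPLE_CONSENSUS)):
        print(name, triage(report))
```

The assessment is only a prioritisation aid: "likely-false-positive" is the cue to report the sample to the flagging vendors (as Tutul- did with Comodo) and to compare the build against one produced from source, not a proof of cleanliness.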