search

qbittorrent / qBittorrent

qBittorrent BitTorrent client
https://www.qbittorrent.org
Other
27.75k stars 3.92k forks source link

qBittorrent v4.4.3.1 Virus #17105

Closed PCbIX closed 2 years ago

PCbIX commented 2 years ago

qBittorrent & operating system versions

qBittorrent v4.4.3.1

What is the problem?

New version qBittorrent v4.4.3.1 detected by antivirus as virus, be carefull

Steps to reproduce

No response

Additional context

No response

Log(s) & preferences file(s)

No response

PCbIX commented 2 years ago

Install package was downloaded from this link https://www.fosshub.com/qBittorrent.html?dwl=qbittorrent_4.4.3.1_x64_setup.exe

Legendarion commented 2 years ago

Says who?! Avast, Norton, McAfee...?

Microsoft Defender doesn't say anything about that.

gkaiser commented 2 years ago

The SHA256 hash for the 64 bit installer from Fosshub matches what it's listed as on the qBittorrent website's download page (07f1777b4508c5629e26bb592050dfd4421169b76de79001d2f0350f92010f23).

I think it's fine. Chrome did warn me when the download finished on Fosshub, saying something along the general line of "not sure if this file is safe, not many people have downloaded it yet", but that's not necessarily unexpected or indicating anything's wrong.

AlperShal commented 2 years ago
Windows shows a "Windows protected your PC" pop-up and says Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk. App: qbittorrent_4.4.3.1_x64_setup.exe
Publisher: Unknown publisher

So I think it is not a virus problem but a license problem.

The5kull commented 2 years ago

Windows shows a "Windows protected your PC" pop-up and says Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk. App: qbittorrent_4.4.3.1_x64_setup.exe Publisher: Unknown publisher

So I think it is not a virus problem but a license problem.

SmartScreen pops up almost everytime when you install a program not coming from MS Store so that's nothing new.

ahhj42 commented 2 years ago

Avast is showing a threat at startup as well.

MiTM:DnsHijack URLS: http://demonii.si/favicon.png http://demonii.si/favicon.ico

Kolcha commented 2 years ago

it is common nowadays that antivirus software marks torrent clients as any malware, qBittorrent is not an exception, see for example this https://torrentfreak.com/utorrent-continues-to-be-flagged-as-severe-threat-and-its-not-alone-210318/ this article even has a link to qBittorrent GitHub issues page discussing that. so, very likely this "intentional false positive".

Kolcha commented 2 years ago

So I think it is not a virus problem but a license problem.

this is not a license problem, that happens because installed is not signed with a very expensive certificate. this is like on macOS.

Kolcha commented 2 years ago

URLS: http://demonii.si/favicon.png

this is definitely not related to qBittorrent. very likely something marked as qBitorrent (or patched qBittorrent) was downloaded from any unknown site, official downloads don't have such URLS.

vodzl commented 2 years ago

Avast is showing a threat at startup as well.

MiTM:DnsHijack URLS: http://demonii.si/favicon.png http://demonii.si/favicon.ico

I had this problem years ago. It is easy to fix. Go to Advanced Setting and disable (uncheck) Download tracker's favicon option and click apply. I think this option should be disabled by default for security reasons.

Kolcha commented 2 years ago

Go to Advanced Setting and disable (uncheck) Download tracker's favicon option and click apply.

in recent versions it is disabled by default (at least was on Linux). maybe behavior is different on other platforms or option was enabled in older version and affected user just has it enabled since that time...

Amtays commented 2 years ago

I got a warning from windows defender when I first tried to install 4.4.3.1, but I couldn't replicate it when I tried again. I got no warning from doing 4.4.3 just three days before

Virustotal showed me this when I scanned 4.4.3.1

https://www.virustotal.com/gui/file/07f1777b4508c5629e26bb592050dfd4421169b76de79001d2f0350f92010f23

That SecureAge APEX warning did not show up when I scanned 4.4.3

PCbIX commented 2 years ago

@PCbIX

If you're not going to provide any screenshots, what security vendor software you are using or anything new on how to reproduce your issue and not even link to virustotal website then this issue should definitely be closed.

In future you better:

  1. Scan with virustotal.com
  2. Share link to virustotal results and name your own security software if you ever plan to blame qBit installers in Fosshub website to be a virus.
  3. Contact your antivirus software provider to relook if they have false positive, false scan results in virustotal and if you maybe really downloaded a virus or if you have completely misunderstood something.
  4. Afterwards contact fosshub about your findings if you still believe you have downloaded a virus.

Ok, I'll send MD5 of downloaded file and screenshots today later.

ghost commented 2 years ago

There is no virus. This is expected for any new .exe file which is not signed and therefore is not trusted by AV or Smartscreen. If you wait 1-2 days then the signature gets updated in AV database and it no longer triggers anything. Just like now it shows 0/65 in virustotal.