Closed S-ed closed 7 years ago
This issue has occurred previously for the portable build (https://github.com/streamlink/streamlink/issues/632). Unfortunately there isn't a lot we can do about it and it's caused by the small install base. All of our code is freely available to browse either here in the portable repo, or in the main Streamlink repository. You can see that @RosadinTV tested the main Streamlink installer here: https://github.com/streamlink/streamlink/issues/632#issuecomment-292102718 and it came up with only 0/61 when he tested, and 1/61 when I refresh it. If you have any suggestions on how to address this I'm happy to discuss it, but I don't have any concrete solutions since these are always false positives.
@gravyboat Wow, this is getting more weird. I did not explain myself well: yesterday I tested the latest streamlink portable build (generated with the portable builder). Here are more detailed scans:
Streamlink for Windows.exe (Portable Builder): https://virustotal.com/es/file/378f25090ff49aa8c9a39ad837fc5c220e7a49c3d9374ccd34f5e787ce8edb50/analysis/ (0/61)
Portable EXE (v0.5.0 - Git 6a42453): https://virustotal.com/es/file/ba4042b0168a7d8daa53077be5db6737cd273d7119274904364d3a7645c7910e/analysis/ (0/61)
Portable EXE (v0.5.0 - Git f6648da): https://virustotal.com/es/file/eaaf2a9548b987210adbcac41a9485448be6cbf8d74cf4adee62914e3360a8a5/analysis/ (0/60 - First try) https://virustotal.com/es/file/37543913b4d72ed45f0ccdb04a2e4bb26fa5de3329049e044c51987b415a5f84/analysis/ (1/61 - Second try)
Not sure why this is happening. @S-ed, do you have the latest "Streamlink for Windows.exe" version? I've attached the samples.
Streamlink_EXE_Git_f6648da.zip Streamlink_EXE_Git_f6648da.zip Streamlink_EXE_Git_6a42453.zip
@gravyboat Yep. I've tested files from the installer, and those were safe. It only appeared when compiled by Streamlink for Windows.exe
I've downloaded the last version of streamlink-portable-master.zip CRC: 123934C3 MD5: d1b067961ba4de337fa4c0eaccd86aa7
Inside it Streamlink for Windows.exe: CRC: 19C30E36 MD5: bdfa1f858caa0ae5eaa5ec1959f16703 https://www.virustotal.com/en/file/378f25090ff49aa8c9a39ad837fc5c220e7a49c3d9374ccd34f5e787ce8edb50/analysis/1491591814/
It downloads Streamlink_Latest.zip:
CRC: E5BD9D29
MD5: 310eb3ebb7c9fb473e59f600487b2914
Streamlink_Latest_MD5.txt
MQ6z67fJ+0c+WfYASHspFA==
Once compiled, Streamlink.exe produced: CRC: 6662137D MD5: a4446e22a510384e8cf49ca12b980bd0 https://virustotal.com/es/file/682b726edce2bc8c843f008b8613a13ed642cd3fa28e16e02847782db1ad7d02/analysis/
VERSION.txt
v0.5.0 - Git f6648da
Notice, only 1/62 today. So weird.
The Streamlink_Latest.zip I've tested before was v0.5.0 - Git 3ff6284.
CRC: 0A9A2185
MD5: 4ced0f984ea7b1e83a5a048c64228fed
Streamlink_Latest_MD5.txt
TO0PmE6nseg6WgSMZCKP7Q==
And Streamlink for Windows.exe rewrote existing files. I've lost the originals. Sorry. Also, the hash of the compiled file is different every time because of a single line in the binary:
...\.V.E.R.S.I.O.N...t.x.t..1[.S.t.r.e.a.m.l.i.n.k. .f.o.r. .W.i.n.d.o.w.s. ...]..1[.S.t.r.e.a.m.l.i.n.k. .f.o.r. .W.i.n.d.o.w.s.]..3\.P.y.t.h.o.n. .3...5...2.\.p.y.t.h.o.n...e.x.e."..K\.S.t.r.e.a.m.l.i.n.k.\.S.t.r.e.a.m.l.i.n.k...p.y.". .-.-.c.o.n.f.i.g. ."..A\.s.t.r.e.a.m.l.i.n.k.r.c.". .-.-.r.t.m.p.-.r.t.m.p.d.u.m.p. ."..i\.S.t.r.e.a.m.l.i.n.k.\.r.t.m.p.d.u.m.p.\.r.t.m.p.d.u.m.p...e.x.e.". .-.-.f.f.m.p.e.g.-.f.f.m.p.e.g. ."..?\.S.t.r.e.a.m.l.i.n.k.\.f.f.m.p.e.g.\.f.f.m.p.e.g...e.x.e.". ...U.s.e.S.h.e.l.l.E.x.e.c.u.t.e...S.t.a.r.t...W.a.i.t.F.o.r.E.x.i.t..?[.E.n.d. .o.f. .S.t.r.e.a.m.l.i.n.k. .f.o.r. .W.i.n.d.o.w.s.]...E.x.i.t.C.o.d.e......м§V#ю]C€РЏqДђmA..·z\V.4а‰.°?_..Х
Exit Code varies. So can't rely on hashes.
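Added example, not part of the original thread or the project's code: the Streamlink_Latest_MD5.txt values quoted above are the base64 form of the 16-byte MD5 digest, so they can be checked against the hex MD5 shown next to them, and two builds whose whole-file hashes differ can be compared by byte range to confirm the difference is confined to one small region. The function names and the sample builds are constructed for illustration.

```python
import base64
import hashlib


def md5_b64_to_hex(b64_digest: str) -> str:
    """Decode a base64-encoded MD5 digest (as in Streamlink_Latest_MD5.txt) to hex."""
    raw = base64.b64decode(b64_digest.strip(), validate=True)
    if len(raw) != 16:
        raise ValueError("not a 16-byte MD5 digest")
    return raw.hex()


def matches_published_md5(data: bytes, b64_digest: str) -> bool:
    """True if data hashes to the digest published in base64 form."""
    return hashlib.md5(data).hexdigest() == md5_b64_to_hex(b64_digest)


def diff_ranges(a: bytes, b: bytes, gap: int = 8):
    """Return (start, end) byte ranges where a and b differ.

    Differences closer together than `gap` bytes are merged into one range;
    a length mismatch is reported as a final range covering the extra tail.
    """
    ranges = []
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if ranges and i - ranges[-1][1] <= gap:
                ranges[-1][1] = i + 1
            else:
                ranges.append([i, i + 1])
    if len(a) != len(b):
        ranges.append([common, max(len(a), len(b))])
    return [tuple(r) for r in ranges]


if __name__ == "__main__":
    # Digest strings quoted in the thread.
    for b64 in ("MQ6z67fJ+0c+WfYASHspFA==", "TO0PmE6nseg6WgSMZCKP7Q=="):
        print(b64, "->", md5_b64_to_hex(b64))

    # Constructed stand-ins for two builds: identical apart from a few trailing bytes.
    marker = "[End of Streamlink for Windows]".encode("utf-16-le")
    build_a = b"MZ" + b"\x00" * 30 + marker + b"\x01\x02\x03\x04"
    build_b = b"MZ" + b"\x00" * 30 + marker + b"\x01\x09\x03\x07"
    print(diff_ranges(build_a, build_b))
```

A matching MD5 only shows that the download is the same file the digest was computed from; it says nothing about whether that file is clean.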
@S-ed Really weird, looks like from one day to another, AV engines no longer detect the program as false-positive (although it would be very unlikely). "You've just crossed over into... the Twilight Zone." 😆
PS: You can build old/specific commit versions in "Streamlink for Windows.exe" by right-clicking under the "Start downloading" button and then entering the desired URL. Example for Git 3ff6284: https://github.com/streamlink/streamlink/archive/3ff628463d1eadfab7c4b7ca37f2ee4e98aaa777.zip
But still 1/61 currently: https://virustotal.com/es/file/400b61d3f8123b1c406d9e2b1f156f2439ccf764f807f62cab5c7d986647741e/analysis/1491674155/
The first time (when the AV detected 16/60) you built the 3ff6284, did you use the latest version of Streamlink for Windows.exe (MD5 bdfa1f858caa0ae5eaa5ec1959f16703)?
Streamlink_EXE_Git_3ff6284.zip
@RosadinTV To be honest, I'm not sure. It's always showing v1.0.0.0 no matter what release it was. But probably it wasn't the latest one. I've only paid attention to the Streamlink.exe distro, not to the patcher's one.
And seems that was the reason! I've downloaded this version: https://github.com/streamlink/streamlink-portable/tree/acba2270b8589fc4791003837c4d4c23afa26af3
And then compiled the streamlink.exe from https://github.com/streamlink/streamlink/archive/3ff628463d1eadfab7c4b7ca37f2ee4e98aaa777.zip
And got this: https://www.virustotal.com/en/file/37f2edc6a449601a21017a2c3a13b1117e0c50d9f018e18eaf2da222e9d5ab90/analysis/1491686745/
So, Pycryptodome was the probable issue, I guess. And it seems it's the same build that was mentioned in https://github.com/streamlink/streamlink/issues/632 So, sorry for all this fuss.
@S-ed No problem. I think the issue is we really don't know what to do about it to fix it! Sometimes it's a problem, sometimes it isn't, and there really haven't been any changes that make it obvious why it's getting flagged.
@gravyboat I'm reverse engineering software sometimes. There are a lot of apps for preventing that. Many tools produce code that is used in viruses (or much more likely in trojans). Then 'antivirus companies' collect the data and define particular 'fingerprints' of the malware. Many of them are just fingerprints of those tools, and not specific to a trojan. For example, binary packers/compressors/encryptors/obfuscators. Same goes for cracks/keygens/memory hook libs.
Pycryptodome may be used for making https://en.wikipedia.org/wiki/Ransomware
@S-ed You are right, the issue is related to the commit acba2270b8589fc4791003837c4d4c23afa26af3 (and older). But the problem isn't Pycryptodome, it is "Files\Resources\PORTABLE_BUILD.vb". I tried replacing the current file with the oldest one (https://raw.githubusercontent.com/streamlink/streamlink-portable/acba2270b8589fc4791003837c4d4c23afa26af3/Streamlink%20for%20Windows%20(Compiled)/Files/Resources/PORTABLE_BUILD.vb) and AVs start detecting false positives again. The strange thing is that the files are almost the same (left is the old and right is the current): https://www.diffchecker.com/eRx1bqXs
PS: In an upcoming update I will include file version details inside the executable (along with other improvements).
@RosadinTV Just IMO, but I think a button with "V"/"▼" (dropdown) near "download" instead of "right click" may be more user friendly (Who even reads the readme these days? =P)
@S-ed Great idea, I will include this in the next version 😉
I will close this issue because currently it is only detected by 1/61 AVs: https://virustotal.com/es/file/34af5c8a44588a6821ab476ed1921cb475c392d8036e4b9182386ba217385345/analysis/1492303797/ Also, I applied most of @S-ed's suggestions in https://github.com/streamlink/streamlink-portable/commit/cc965bd3707a7a707a059f41ae7f55f63bf44b29
Checklist
Description
Streamlink.exe that is compiled by "Streamlink for Windows.exe" (Updater) has a high count of positive matches by antivirus software: https://www.virustotal.com/en/file/ff223506d546477c3bdd9a25ca35e3a89c38e9bcc2ef7ee3bc601870a0491550/analysis/1491575201/
Expected / Actual behavior
Low or 0 positive rating.
Reproduction steps / Stream URLs to test
Environment details (operating system, python version, etc.)
Windows 10
Comments, logs, screenshots, etc.
No logs found.
VERSION.txt --- v0.5.0 - Git 3ff6284