
Exaile 4 Windows Installer flagged as Trojan #640

Closed
dangmai opened this issue May 24, 2019 · 17 comments

Comments

@dangmai (Contributor) commented May 24, 2019

Steps to Reproduce (for bugs)

  1. Download the RC4 installer at https://github.com/exaile/exaile/releases/download/4.0.0-rc4/exaile-4.0.0-rc4.exe
  2. Run it on Windows 10
  3. Windows Defender kicks in and quarantines the file
  4. Here's a screenshot.

Expected Behavior

The Installer should not be flagged :)

Current Behavior

Exaile cannot be installed.

Possible Solution

I've looked up this issue and it seems that other open source software has run into it as well. Obviously we should look into the release process to make sure that it does not contain virus/trojan, but I'm leaning towards Windows Defender flagging some unsigned binaries right now.

Environment

  • Operating System and version: Windows 10 version 1809
  • Exaile Version: 4.0.0 RC4
@virtuald (Member)

It does seem that Windows Defender is a little too eager to flag here, and lots of other software projects have run into it.

One other project suggested scanning with VirusTotal, so I did (and it looks like someone else has too): https://www.virustotal.com/#/url/854658600f17774187d90ac1e1285e9a62cd5a01bee7f6077915b5c0e55a3e6f/detection ... no viruses. Try again?

@virtuald (Member)

Ah, but scanning the hash leads to a different result (3 say it's a virus): https://www.virustotal.com/#/file/fe87bf47d54d1bd00e45810cd1a3d449a71d0f2e61fbfeaf1bac0bf4a78573f4/detection ... I dunno. Maybe they don't like NSIS?

@dangmai (Contributor, Author) commented May 25, 2019

Yeah I already allowed the installer and got it installed. This ticket is just to let you know about the issue and hopefully we can find a solution before 4.0 drops.

@virtuald (Member)

I presume a scan of the installed contents didn't yield anything?

@dangmai (Contributor, Author) commented May 25, 2019

I haven't tried scanning the folder content yet, but I ran Exaile fine, so I'd assume that Windows Defender had no issue with the actual binary content.

@sjohannes (Member)

Could either of you try uploading the whole Exaile install directory to VirusTotal? Or if it doesn't support uploading dirs, a .zip archive of it. (I'm not keen on trying this on my shitty Australian internet.)

If everything is ok then maybe we can also provide a non-installer download option.

@dangmai (Contributor, Author) commented May 25, 2019

Here's the result for the zipped Exaile folder: https://www.virustotal.com/#/file/3c2a5b7f4bb6abdcdf03fc2684d152e9d27af2a910259c4cfa760be5a81f7f07/detection

Some of the engines do detect the same virus/trojan.

I'm trying to do a bit more research about this, this page shows what the virus is supposed to do, and the directory structure resembles what PyInstaller packages a lot. Here's another open source software that runs into this exact same virus warning with PyInstaller: akej74/grid-control#29

@sjohannes (Member)

There's a way to report Windows Defender false positives, but I don't know what that entails or how long it takes.

@virtuald (Member) commented May 25, 2019

Looking at the pyinstaller issues tracker, there are lots of reports of trojans/etc. My guess is that this occurs because pyinstaller is so good at what it does, and it makes it really easy to write something complex in python and deliver it without any dependencies on the remote system. That makes pyinstaller really attractive for trojan writers.

Short of not using pyinstaller, I don't think there's a whole lot we can do. I suppose we could sign the code, but I don't really want to pay $70/year or whatever for that.

@dangmai (Contributor, Author) commented May 25, 2019

I think we should at least put some notice on the Release page and the Website to notify users of the false positive. Something along the lines of "If the executable you download matches this MD5 hash, that's the correct one and you can safely reverse Windows Defender's action"; otherwise a user's first impression of Exaile will be that it contains a virus.
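The download check proposed in the comment above, as an added PowerShell example (this is not Exaile's code and not a script the project ships): it hashes the downloaded installer with SHA-256 and MD5, compares the SHA-256 against a value the user pastes from the release page, and builds a VirusTotal lookup URL in the same form as the links earlier in this thread. The file path is a placeholder, and the expected hash used in the usage line is simply the 64-hex SHA-256 from the VirusTotal link above, reused as a placeholder. The notice proposed above mentions MD5; MD5 collisions are practical today, so the value users actually compare against should be a published SHA-256, with MD5 only reported alongside it.

```powershell
# Added example, not part of Exaile. Verifies a downloaded installer against a
# hash published by the project before the user restores or allows it.
# The installer path and the expected hash are placeholders (assumptions).
function Test-InstallerHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    # A quarantined file has been moved out of Downloads; hash the file as
    # downloaded (restore it first if needed) and do not run it until it matches.
    $sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $md5      = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    $expected = $ExpectedSha256.Trim().ToLower()

    [pscustomobject]@{
        Path       = $Path
        SHA256     = $sha256
        MD5        = $md5            # only for comparison with an MD5-only notice
        Matches    = ($sha256 -eq $expected)
        # Same URL form as the lookups earlier in this thread (keyed by SHA-256).
        VirusTotal = "https://www.virustotal.com/#/file/$sha256/detection"
    }
}

# Usage. The hash below is a placeholder taken from a link in this thread;
# the real value must come from the project's release page.
$result = Test-InstallerHash `
    -Path "$env:USERPROFILE\Downloads\exaile-4.0.0-rc4.exe" `
    -ExpectedSha256 "fe87bf47d54d1bd00e45810cd1a3d449a71d0f2e61fbfeaf1bac0bf4a78573f4"

$result | Format-List
if (-not $result.Matches) {
    Write-Warning "Hash mismatch: do not restore or allow this file."
}
```

A hash match only proves the file is the one the project published; it says nothing about whether that file is clean, which is why the VirusTotal link is included for a second opinion rather than being skipped.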

@virtuald (Member)

It seems that you can do self-signing of an application, which will give a warning but at least show a publisher... which might be good enough?

@sjohannes (Member)

I doubt it will change much, since anyone could have signed the file. Self-signing could help with SmartScreen (e.g. #401), which runs on reputation, but probably not for the Antivirus component of Windows Defender.
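What a self-signed Authenticode signature does and does not give you, as an added PowerShell example (not Exaile's release tooling): it creates a self-signed code-signing certificate, signs the installer, and then asks Windows to verify the signature. Verification shows the signer name, but the status is something other than Valid, because the certificate chains to no root Windows trusts; that is the "anyone could have signed the file" point in the comment above, and it has no bearing on what the antivirus engine in Windows Defender decides about the file's contents. The installer path, certificate subject and timestamp server URL are placeholders.

```powershell
# Added example, not Exaile's build script. Self-signs an installer and checks
# how Windows rates the result. The installer path, certificate subject and
# timestamp server are placeholders (assumptions).
$installer = "$env:USERPROFILE\Downloads\exaile-4.0.0-rc4.exe"

# 1. Self-signed code-signing certificate in the current user's store.
#    Nothing outside this machine (and nothing on it, by default) trusts it.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject "CN=Exaile (self-signed example)" `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. Sign the file. The timestamp lets the signature stay verifiable after the
#    certificate's validity period ends; the URL is an example timestamp authority.
$signed = Set-AuthenticodeSignature `
    -FilePath $installer `
    -Certificate $cert `
    -HashAlgorithm SHA256 `
    -TimestampServer "http://timestamp.digicert.com"

# 3. Ask Windows to verify it. Expect a Status other than 'Valid': the
#    signature itself checks out, but the chain ends in an untrusted root.
$check = Get-AuthenticodeSignature -FilePath $installer
$check | Select-Object Status, StatusMessage, `
    @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }

if ($check.Status -eq 'Valid') {
    "Trusted signature (only the case if the cert was imported into a trusted root store)."
} else {
    "Signature present but not trusted: the publisher name is shown, trust is not established."
}
```

Importing the certificate into Cert:\CurrentUser\Root would make the status Valid on that one machine only, which is exactly why it does not help a downloading user: reputation-based SmartScreen and the antivirus engine make their own decisions, and a certificate anyone can mint carries no publisher identity they can rely on.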

@virtuald virtuald changed the title Exaile 4 RC4 Windows Installer flagged as Trojan Exaile 4 Windows Installer flagged as Trojan May 27, 2019
@virtuald virtuald pinned this issue May 27, 2019
@virtuald (Member)

How about RC5? I don't have a Windows 10 system available to me.

@dangmai (Contributor, Author) commented May 27, 2019

It runs fine! There is still the SmartScreen warning which is now in blinding red, but Windows Defender is okay with the installer. I'm not sure whether it's because I allowed the RC4 installer though - they might have some form of heuristic detection based on your action.

@sjohannes sjohannes unpinned this issue May 30, 2019
@sjohannes sjohannes pinned this issue Jun 2, 2019
@genodeftest (Member)

Is this issue still true for the final release?

@dangmai (Contributor, Author) commented Jun 23, 2019

The final release works fine for me, no antivirus warning at all.

@genodeftest (Member)

Thank you for the feedback!

@genodeftest genodeftest unpinned this issue Jul 10, 2019