Streamlink 2.1.0 getting flagged as trojan by windows defender and 2 other AVEs #914

Closed
4 tasks done
suburbanbourbon opened this issue Oct 19, 2022 · 3 comments

@suburbanbourbon

suburbanbourbon commented Oct 19, 2022

Checklist

Streamlink Twitch GUI version

2.1.0

Streamlink version

5.0.1

Operating system, environment and configuration details

WIN10 21H2
Security intelligence version (Windows Defender definitions version) - 1.377.471.0

Description

The executable got flagged as a trojan by 3 AVEs
VirusTotal link - https://www.virustotal.com/gui/file/80efa793f91af6fc5a119307db036ab627d23230f3d6036b42e02819c34c5613
I checked VirusTotal after I got a notification from Windows Defender
I have installed the program using scoop

Debug log

No response

@bastimeyer
Member

Report it as a false positive, this is nothing that I can fix here... Or better yet, don't use snake oil software like antivirus software.

If you don't trust the pre-builts for whatever reason, then build the application yourself. This is a free software project. The application code is also reproducible, and the NW.js binaries are official ones, downloaded by nw-builder from the NW.js developer site, which are signed by the developer, Roger Wang.

https://dl.nwjs.io/v0.64.1/SHASUMS256.txt
https://dl.nwjs.io/v0.64.1/SHASUMS256.txt.asc
https://github.com/nwjs/nw.js#verifying-binaries

And btw, this is Streamlink Twitch GUI, and not Streamlink.

@suburbanbourbon
Author

suburbanbourbon commented Oct 19, 2022

I don't mean to be rude and try to label this project's thing as malware or anything. I had a feeling that this might be a false positive. Good to know.

@bastimeyer
Member

All good. This is not the first time this has happened. The Streamlink installer has also already been flagged as malicious multiple times. What's annoying about this is that most users simply don't understand how any of this works at all, especially those without any software development background, and we've also already had users who had to be banned from the issue trackers because they kept insisting that we would ship malicious code, despite this all being open source software under a free software license, with public build configs and build logs. As said, if anyone doesn't trust any pre-built binaries by Streamlink or Streamlink Twitch GUI, then they can build the stuff themselves.

Btw, the checksum of the main application executable won't match, because on Windows, icons are embedded in the portable executable format (.exe) (which is ridiculous btw), and the default NW.js icon needs to get replaced with the Streamlink Twitch GUI icon by nw-builder's winresourcer dependency when building the app. This is the only modification of the NW.js stuff. Anything else is application code and assets, so basically JSON data, HTML, JS, CSS, fonts and images. On Windows, there's also the SnoreToast dependency for being able to dispatch modern desktop notifications. These are official binaries taken from the KDE developers. This is linked in the dependencies as well.

I've also already commented on Gitter/Matrix yesterday that it probably would make sense to sign the Streamlink Twitch GUI builds myself via gpg, but that wouldn't have any use because on Windows, executables have a different signing mechanism that allows embedding developer signatures based on paid certificates from Microsoft and partners, and this costs a lot of money, hundreds of dollars each year. As you can probably guess, I am not interested in this as a FOSS developer.
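The check described in this thread, written out as an added example (not code from the Streamlink Twitch GUI project or from anyone in the thread): verify the downloaded NW.js archive against `SHASUMS256.txt`, then compare every file of the official runtime with the installed application, expecting only the icon-patched main executable to differ. The sha256sum-style line format, the `renames` parameter and the file names `nw.exe`/`app.exe` in the sample trees are assumptions made for illustration.

```python
# Added example (not project code): audit an NW.js app install against the official runtime.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large runtime libraries are not read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_archive(archive, shasums_text):
    """True only if the archive name is listed in SHASUMS256.txt with a matching digest.
    Assumes sha256sum-style lines: '<64 hex chars>  <file name>'."""
    for line in shasums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip().lstrip("*") == Path(archive).name:
            return parts[0].lower() == sha256_file(archive)
    return False  # an unlisted archive is treated as unverified

def compare_runtime(official_dir, installed_dir, renames=None):
    """Classify every official runtime file as same, modified or missing in the install.
    `renames` maps an official relative path to its name in the install (hypothetical)."""
    official_dir, installed_dir, renames = Path(official_dir), Path(installed_dir), renames or {}
    report = {"same": [], "modified": [], "missing": []}
    for ref in sorted(p for p in official_dir.rglob("*") if p.is_file()):
        rel = ref.relative_to(official_dir).as_posix()
        target = installed_dir / renames.get(rel, rel)
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) == sha256_file(ref):
            report["same"].append(rel)
        else:
            report["modified"].append(rel)
    return report

if __name__ == "__main__":
    # Constructed sample trees; real use points at the extracted NW.js zip and the app folder.
    with tempfile.TemporaryDirectory() as tmp:
        off, inst = Path(tmp, "official"), Path(tmp, "installed")
        off.mkdir(); inst.mkdir()
        (off / "nw.exe").write_bytes(b"runtime + default icon")
        (inst / "app.exe").write_bytes(b"runtime + app icon")  # icon swapped at build time
        (off / "nw.dll").write_bytes(b"dll"); (inst / "nw.dll").write_bytes(b"dll")
        print(compare_runtime(off, inst, renames={"nw.exe": "app.exe"}))
        # Expect only nw.exe under "modified"; any other modified file needs explaining.
```

Check the signature on `SHASUMS256.txt` first, following the NW.js instructions linked above, since the digests are only as trustworthy as that file.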
