Clementine: No virus free builds since 1.3.1

Created on 27 Jul 2020 · 8 Comments · Source: clementine-player/Clementine

Before posting

Please follow the steps below and check the boxes with [x] once you did the step.

  • [x] I checked the issue tracker for similar issues
  • [x] I checked the changelog if the issue is already resolved
  • [n/a] I tried the latest Clementine build from here

System information

Please provide information about your system and the version of Clementine used.

  • Operating System: Windows
  • Clementine version: below releases as .exe files
  1. ClementineSetup-1.4.0rc1
  2. ClementineSetup-1.4.0rc1-211-g949c20abd
  3. ClementineSetup-1.4.0rc1-289-g834b1d451
  4. ClementineSetup-1.4.0rc1-296-g68d375c43

Expected behaviour / actual behaviour

Virus scans on VirusTotal.com would come up clean, however ever since the initial 1.4.0rc1 release on Jan 2nd 2020, there have always been at least 2 detecting as malware/trojan for every version I tested (above). I know these could be false positives, but it's interesting that at least 3 would have results for a lot of the recent builds.

  • Jiangmin detects TrojanSpy.Stealer.cqy
  • Comodo detects Malware@#3qjufngsyohqo
  • Comodo detects Application.Win32.Instally.DA@6ay5tf
  • Ikarus detects Trojan.Win32.Rozena
  • More recent versions have C2AE show as UNKNOWN_VERDICT (might be ok)

The previous releases 1.3.0rc1, 1.3.0.2, 1.3.1 all came up clean.

Steps to reproduce the problem (only for bugs)

Download any version between 1.3.1 and current. Upload to virustotal.com and ask for a rescan/check the previous scan results.

All 8 comments

This person found the same with mingw cross-compiled executables.
https://security.stackexchange.com/questions/229576/program-compiled-with-mingw32-is-reported-as-infected

Some of those appear to be pretty old, so I would expect them to be pretty well known by the security groups, but the majority, including the big ones there, don't find anything. Also, when I ran with a newer build, Comodo didn't detect anything.

In the latest preview as of today, only Jiangmin and Ikarus are detecting it. After a quick search, it looks like the two Trojan names are for two very different malware. As for Comodo, I submitted the program for checking by their team.

I'll be honest, I haven't tried to compile Clementine from source myself. Is it easy enough to compile it with a different compiler? I feel like that would offer a strong indicator if the detected viruses are false positives from the compiler, or from the source itself.

I mean, the source is open. It's very easy to check if Clementine actually has viruses. These are clearly false positives and can safely be ignored. It's only worth paying attention to VirusTotal results if the major engines detect something.

I agree, it's possible to check the source and it is most likely due to false positives. People who are familiar with the code might find this doable, but a vast majority of users don't have the time to read, process and fully comprehend the code.

The fact remains that the program is coming up as dirty, when before it was clean. Some change has caused multiple antivirus vendors to flag it - eroding trust in Clementine. Even if it's a false positive, shouldn't the solution be to find the cause and address it somehow rather than ignore the warnings?

A lot of antiviruses use patterns or just a checksum (md5) to find malware. Both may just provide false positives by accident, and these need to be reported to the antivirus software team so they can fix that problem. It may be something within the latest mingw and not even in Clementine's code, as other projects were detected recently as false positives.

@jonohein Please change the highly misleading title. This is about a false positive in third-party software, not about any problem in Clementine.

Even if it's a false positive, shouldn't the solution be to find the cause

Stop trusting what low quality antiviruses report? That is a bug/problem in the antivirus, not in Clementine. (BTW, I am not sure whether there is any antivirus qualifying as high quality and whether using antivirus is at all useful anymore)

I would echo what @matkoniecz said and again request @jonohein to change the title of this issue.

The specified "virus engines" that are shown are, essentially, unreliable garbage. Unless you see some of the major engines reporting something (Symantec, Intel, Malwarebytes, etc) then it's not worth reporting. You'll notice that every single engine is reporting a different malware. That's a huge sign that it's a false positive. For a real virus, multiple engines would recognize the same malware and it would be very clear that it's infected.
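The label-agreement check argued for in the comments above, as an added example (not from the thread or the Clementine project): it strips category and platform tokens from vendor labels and reports whether at least two engines name the same family. The `GENERIC` token list, the `min_agree` threshold, the engine total of 68 and the second sample are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed list of tokens that describe a category or platform, not a family.
GENERIC = {"trojan", "trojanspy", "malware", "application", "win32", "win64",
           "generic", "heur", "agent", "variant", "suspicious"}

def family_tokens(label):
    """Return the candidate family names found in one vendor label."""
    label = label.split("@")[0]  # drop the opaque id some vendors append after '@'
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    # Short tokens ("cqy", "da", "a") are variant suffixes, not families.
    return {t for t in tokens if len(t) > 3 and t not in GENERIC}

def triage(detections, engines_total, min_agree=2):
    """Summarise a scan given {engine: label} for the engines that flagged it."""
    votes = Counter()
    for label in detections.values():
        votes.update(family_tokens(label))  # one vote per engine per family
    family, count = votes.most_common(1)[0] if votes else (None, 0)
    agreed = count >= min_agree
    return {
        "flagged": len(detections),
        "engines_total": engines_total,
        "top_family": family if agreed else None,
        "agreeing_engines": count if agreed else 0,
        "label_consensus": agreed,
    }

# Labels quoted in the issue; the engine total of 68 is a constructed value.
ISSUE_SCAN = {
    "Jiangmin": "TrojanSpy.Stealer.cqy",
    "Comodo": "Application.Win32.Instally.DA@6ay5tf",
    "Ikarus": "Trojan.Win32.Rozena",
}
# Constructed contrast case: three hypothetical engines naming one family.
CONSISTENT_SCAN = {
    "EngineA": "Trojan.Win32.Examplefam.a",
    "EngineB": "Win32/Examplefam.B",
    "EngineC": "Examplefam!gen",
}

if __name__ == "__main__":
    print(triage(ISSUE_SCAN, 68))
    print(triage(CONSISTENT_SCAN, 68))
```

A result with `label_consensus` false only says the flagged labels do not agree; the sample still has to be reported to the vendors concerned for a definitive answer.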
