Qbittorrent: File extension filter

Sounds useful :thumbsup:

2015? :-( This will very likely never added then, that sucks.

This feature could help security:

If a user downloads only known files (e.g. audio/video), it is wise to block pontentially dangerous extensions, e.g. EXE, COM, BAT, LNK, VBS, (PY?), etc.

Less savvy users can't easily spot a ponetial threat, e.g. Matrix.avi <> Matrix.avi.exe

Also, some video torrents are bundeled with trojans, e.g. "codec.zip" or "driver.exe" containing malware. Today I spotted the attached file, an LNK file, an extension that is hidden on Windows.

None of my users download software via torrent, so I'd like to block it for them, or set blocked extensions; potentially, i'd like to block the whole torrent altogether, if a potential software extension is found in one of its files.

(My personal block list would be: EXE, COM, BAT, VBS, VBE, JS, CMD, PY, CPL, DLL, LNK, SCR)

In the screenshots below:
Windows hides LNK extension, a trojan disguised as AVI video:

Id like to throw my support behind this feature request. Many torrents come with useless .txt files that do nothing but clutter up a directory. Also, a popular site I use has started to include an .exe file that I now have to deselect every time I download something. It would be great to be able to have these files automatically excluded. Being able to blacklist certain file names would also be a great addition to this feature.

Throwing my hat in..

I suggest a feature for a simple list of file names do_not_download.exe and extensions *.exe that get marked as Priority -> Do Not Download automatically for all torrents. List may be accessed in Options -> Downloads.

Searching for references:
https://github.com/qbittorrent/qBittorrent/blob/master/src/base/bittorrent/torrenthandle.cpp#L684
https://github.com/qbittorrent/qBittorrent/blob/master/src/base/bittorrent/torrenthandle.cpp#L2068
https://www.libtorrent.org/reference-Core.html find file_priorities under add_torrent_params header.
https://github.com/qbittorrent/qBittorrent/blob/2d7b833ae6cb2145465cc7e47df398628ac95651/src/base/bittorrent/session.cpp#L1949

Glad i found this post, really like this feature to, are we sure (i couldn't find it) that there is no such option already?

Definitely have my vote. It will also save (not much but) some space and unnecessary Data download for Countries that charge per Mb on top of per Speed.

Love it. You would need to be able to override it on a per torrent bassis,
but for people who download primarily just a couple of different file types
(cough).

On Sat, Oct 6, 2018, 4:35 PM shula notifications@github.com wrote:

This feature could help security:

If a user downloads only known files (e.g. audio/video), it is wise to
block pontentially dangerous extensions, e.g. EXE, COM, BAT, LNK, VBS,
(PY?), etc.

Less savvy users can't easily spot a ponetial threat, e.g. Matrix.avi <>
Matrix.avi.exe

Some video torrents are bundeled with fake "codec.zip" "driver.exe"
containing malware. Today I spotted the attached file, an LNK file, an
extension that is hidden on Windows.

None of my users are downloading software via torrent, so I'd like to
block it for them, or set blocked extensions; potentially, i'd like to
block the whole torrent altogether, if a potential software is found in it.

My personal block list would be: EXE, COM, BAT, VBS, VBE, JS, CMD, PY,
CPL, DLL, LNK, SCR.

In the screenshots below:
How windows hides LNK extension, which is a sure malware when only
downloading media:

[image: lnk-virus]
https://user-images.githubusercontent.com/124651/46575528-43e7c780-c9bf-11e8-9b2a-0cbd5efa8d36.png
[image: virus2]
https://user-images.githubusercontent.com/124651/46575529-43e7c780-c9bf-11e8-8399-db13d6ec90ef.png

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/qbittorrent/qBittorrent/issues/3369#issuecomment-427604310,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AGbY-5e2u-o8-6NhlR-Z9UlUBj9q6YGgks5uiRPzgaJpZM4FT95h
.

Please add this feature since lot's of trackers now put lots of "junk files". Yes we can use other clients but qb has a lot to offer and you can always disable this feature if it bothers you, so it's a win-win.

I'd love this, too.

This please! We need this!

Is it possible now to completely fail specific torrent if it contains not appropriate file name?

+1 on the feature request.
In the meantime, I wrote a short cmd script which can be referenced in the _Tools->Options->Downloads->Run external program on torrent completion_ which renames files with a suspicious extension (.exe \ .scr \ .cmd \ .bat) to prevent them from running when double clicked.

rem Find suspicious files in directory and rename them
rem Usage: fsus.cmd <dirname>

@echo off
SETLOCAL
set extensions="\.lnk \.exe \.cmd \.scr \.bat"
echo looking in %1 for %extensions%
for /f %%F in ('dir %1 /s /b') do (
    (echo %%F | findstr /r %extensions% > NUL) && move %%F bad_%%F.BAD && echo Renamed %%F
)
ENDLOCAL

Plugin in python3 for this:
https://gist.github.com/oltodosel/566e051191f3a58b905db2cc6980656f

Has there been any updates if/when this feature would be added?

Since 2015 and this still isn’t added yet? Come on. This would be such a useful feature.

I would love to have this feature implemented. There could be a global file extension filter, or have the filter setup by category (so categories can have different filters).

2015-2020 is not create this function. qBit - Shit!

Why isn't this issue considered critical?

Distracted users shouldn't run viruses so easily.

Why isn't this issue considered critical?

To be fair, the "better" motivation for this feature request should be some kind of automation purpose like "typically I download a lot of ebook pack torrents with epub + azw3, but I don't want any azw3", and not "distracted users clicking files with hidden extensions" - that is a Windows problem, easily fixed by disabling Hide extensions for known file types in the control panel. If you still click "dangerous" files accidentally, that's PEBCAK. Alternatively, just use better sites and download better torrents.

This is why this isn't "critical".

To be fair, the "better" motivation for this feature request should be some kind of automation purpose like "typically I download a lot of ebook pack torrents with epub + azw3, but I don't want any azw3"

That's definitely my motivation for wanting this feature. I use the RSS downloader and it would be nice to automatically exclude unnecessary files.

Why isn't this issue considered critical?

that is a Windows problem, easily fixed by disabling Hide extensions for known file types in the control panel. If you still click "dangerous" files accidentally, that's PEBCAK.

As shown above, this isn't enough for .lnk files. Windows hides the .lnk extension. If you usually use smaller thumbnails, the minuscule difference in the icon is barely visible.

Also, it is arguably because torrent clients aren't smart that these types of malicious torrents are still going around, and that's why I think qBittorrent should provide this feature.

IMHO certain extensions should also be skipped by default, for the same reason. It would be a great security and usability improvement.

This also allows you to skip certain extensions because you prefer so, but the security issue should be considered prominently.

As shown above, this isn't enough for .lnk files. Windows hides the .lnk extension. If you usually use smaller thumbnails, the minuscule difference in the icon is barely visible.

If you are downloading torrents with malicious .lnk files, you need a solution for a more urgent problem: don't download such torrents, use better sites/sources, or pay more attention. After all, it is the user's responsibility to not fall for phishing emails as well. Inspect URLs/files you click.

Alternatively, you could try to enable showing .lnk extensions: https://www.tenforums.com/customization/111886-how-show-lnk-extension.html
But because Windows is Windows, this might lead to undesirable presentation elsewhere (such as the start menu).

Your solution is for power users, has usability drawbacks, and doesn't address the fact that malicious users are taking advantage of an easily fixable flaw in qBittorrent.

I think the qBittorrent team should step up and fix this. There is almost never a good reason to download certain file extensions, and users should actively check those files for download.

You can't expect people that execute random files to know how to use power features. That something can (and should) be done another way isn't a reason to not include a security feature.
These are the same people that download from the first torrent site that shows up in Google search. So the "use a better site" isn't a valid argument either.

Obviously all this is only true if your target is the mass and not just tech-savvy people.

Your solution is for power users, has usability drawbacks,

Fighting phishing emails is something everyone has to learn to do, no matter the occupation. I think it is reasonable to demand a certain level of proficiency and common sense.

and doesn't address the fact that malicious users are taking advantage of an easily fixable flaw in qBittorrent.

"Malicious users are taking advantage of distracted/careless users" would be a more accurate statement. Do you think the possibility of receiving phishing emails is a flaw of E-mail? If so, is the possibility of hearing the voice of a scammer in real life, believing what they say, and giving them money, a flaw of your ears? Should your auditory system should autoblock certain words/sentences on its own? Perhaps it should be the brain acting on the information instead.

Furthermore, the greater issue of downloading these kinds of torrents should not be underestimated. You have to go out of your way, even when searching for illegal content, to find these kinds of torrents. And no, the .exe in RARBG torrents does not count as an example of this practice in a popular site; it is actually just a harmless text file with the .exe extension designed to prevent mirroring by software that, ironically, relies on "file extensions" to make assumptions about their content.

Not to mention that if anyone actually accidentally clicks a dangerous exe, it should be caught by UAC anyway. If the user has disabled UAC or blindly clicks through it, then they either know what their doing or they "know enough to be dangerous", in which case whatever happens is their own fault and there's nothing we can really do.

You can't expect people that execute random files to know how to use power features. That something can (and should) be done another way isn't a reason to not include a security feature.
These are the same people that download from the first torrent site that shows up in Google search. So the "use a better site" isn't a valid argument either.

Obviously all this is only true if your target is the mass and not just tech-savvy people.

First of all, it is indeed a shame that the Windows default is wrong, and that the way to change it requires some knowledge to do so. But that is a Windows problem. One can post an issue on the relevant forum/issue tracker about that, not here.

Secondly, regardless of such setting, I'm not really keen on catering to this kind of ignorance/stupidity of "I'm carelessly clicking on stuff and ignoring warnings and expecting it to work". If someone doesn't care to learn how to properly use a saw, should their complaints to the manufacturer be taken seriously when they cut themselves?

We should strive to make things easier to use. But not to the point of bending over backwards to a level of stupidity/ignorance/carelessness that shouldn't be endorsed or excused, at the expense of time, effort, and other important things.

Not to mention that if anyone actually accidentally clicks a dangerous exe, it should be caught by UAC anyway. If the user has disabled UAC or blindly clicks through it, then they either know what their doing or they "know enough to be dangerous", in which case whatever happens is their own fault and there's nothing we can really do.

You don't need to click through anything. Once you've clicked the .lnk file an .exe will download in the background without any warning in less than a second, and it will run again unnoticed at the next restart. There are virtually endless possibilities to the harm that can be done by these attacks.
Furthermore, they're not even detected by most antivirus software.

If the qBittorrent team needs an example, I can provide it.

You don't need to click through anything. Once you've clicked the .lnk file an .exe will download in the background without any warning in less than a second, and it will run again unnoticed at the next restart. There are virtually endless possibilities to the harm that can be done by these attacks.
Furthermore, they're not even detected by most antivirus software.

If the qBittorrent team needs an example, I can provide it.

There are always exceptions to the rule. I am sure there are some examples of software bypassing UAC, or just being dangerous enough without needing to do so in the first place. But this is a secondary point anyway.

I should add to https://github.com/qbittorrent/qBittorrent/issues/3369#issuecomment-652597093:

Again, I'm not saying it would be bad to have this feature. It would be good for automation purposes, for example. But I don't think it is fair to consider it "critical due to user security considerations.". Of course just by being there it could serve as an additional safety net. But that's not the main purpose and it's by no means critical for that purpose.

I'm sorry Francisco but I really think you are underestimating the problem.
If we followed your logic, antivirus software and antispam software should be banned, because humans should be infallible and never miss a single malicious file.
This type of attack with torrents is too common, at a certain point client software (qBittorrent) becomes complicit in this kind of exploit, which has been reported as far back as 2018 here above.
If the same arguments were used by browsers, e.g. Firefox, sandboxing bugs shouldn't be fixed because the user should only visit "trusted" websites.

I hope the rest of the team doesn't treat security the same way as you do. This is an overdue feature, requested since 2015.
The team has been asked before for directions on where to look in order to implement a pull request, but no attention has been given to the matter.
If not even this convinces anybody who possesses the knowledge and expertise to propose a fix, I really have nothing more to add. I have seen the developers here dedicate a lot of time and effort to "betterment" projects such as the new webUI and API, therefore I really am surprised such a seemingly small-to-implement but security-critical issue has not been given space in 5 years.

@simo1994

If we followed your logic, antivirus software and antispam software should be banned, because humans should be infallible and never miss a single malicious file.

This is one hell of a strawman fallacy, but ok. Not to mention that you seem to be advocating in favor of antivirus/anti-spyware. In a sane computing environment, a black-box proprietary software made by a for-profit corporation running with administrative privileges (aka """antivirus""") is not considered a layer of security. The true solutions for the problems these programs claim to solve lie somewhere else in the stack - don't use Windows, use Free (as in Freedom) software, package managers with cryptographic signing, etc...

This type of attack with torrents is too common,

These kinds of claims are worthless if not substantiated with data. You can't just claim something and ask others to disprove it. Start by defining what is "too common". 30% of torrents? 40%? 50%? In which sites? The burden of proof lies with you. You're welcome to open a new issue investigating this, with some pretty graphs.

at a certain point client software (qBittorrent) becomes complicit in this kind of exploit, which has been reported as far back as 2018 here above.

• This is not an "exploit"
• "complicit" is a strong word. Are email clients/servers "complicit" for people falling for the Nigerian prince scam?

If the same arguments were used by browsers, e.g. Firefox, sandboxing bugs shouldn't be fixed because the user should only visit "trusted" websites.

Again, ridiculous strawman. Browsers need sandboxing for any kind of user due to the unfortunate way the Web has evolved. In fact, mainstream browsers don't even come secure enough out of the box IMO.

I hope the rest of the team doesn't treat security the same way as you do.

I treat security as seriously as anyone else who really understands it. In reality, you'd be surprised how little of it _you_ actually understand, to be able to make the arguments you make and then accuse others of not treating security seriously. Hopefully one day you'll be able to look back at this and chuckle, it will mean you have evolved and learned.

The team has been asked before for directions on where to look in order to implement a pull request, but no attention has been given to the matter.
If not even this convinces anybody who possesses the knowledge and expertise to propose a fix, I really have nothing more to add.

Anyone is welcome to submit PRs to implement the feature. There isn't any sense of urgency, because likely all of those with the ability to implement it also know that this isn't "security critical".

I have seen the developers here dedicate a lot of time and effort to "betterment" projects such as the new webUI and API, therefore I really am surprised such a seemingly small-to-implement but security-critical issue has not been given space in 5 years.

Again, it's not "security critical". Stop with the fear-mongering and FUD.

I really have nothing more to add.

Me neither. I agree that everything relevant to this feature request has been said. Now it's up to whoever wants to implement it.

TL;DR:

• Anyone is welcome to implement this, and I'm also convinced it won't be rejected if implemented. As mentioned above, it may be useful for certain automation scenarios.
• The default should be to not filter anything, IMO. Otherwise, it would be unexpected behavior - people would wonder why certain files don't download by default. If qBittorrent ever gets some sort of "onboarding" UX, this could be one of the tunables (e.g. do you want to filter "potentially malicious files" by default?).
• No, this is not "security critical" (see discussion above).