PUA:Win32/QBitTorrent!torrent

alien901

PUA:Win32/QBitTorrent!torrent

Post by alien901 »

Well on my Windows 11, it says it's a PUA, which gave me a scare. The latest release needs a little fixing it seems.


Sunday October 31st 2021 - qBittorrent v4.3.9 and v4.4.0rc1 release
Zoloft
Member
Posts: 45
Joined: Tue Jun 23, 2020 10:37 am

Re: PUA:Win32/QBitTorrent!torrent

Post by Zoloft »

Did you download it from here? Then it's fine, a false positive. Did you download it somewhere else? Why would you do that?
lezerogan

Re: PUA:Win32/QBitTorrent!torrent

Post by lezerogan »

How can you be sure it is a false positive?
Microsoft insist this version includes a trojan
Switeck

Re: PUA:Win32/QBitTorrent!torrent

Post by Switeck »

"Potentially unwanted app removed" implies Microsoft KNOWS this isn't a trojan...it's only potentially unwanted, such as in a business office.
Peter
Administrator
Posts: 2701
Joined: Wed Jul 07, 2010 6:14 pm

Re: PUA:Win32/QBitTorrent!torrent

Post by Peter »

lezerogan wrote: Tue Nov 02, 2021 6:16 am How can you be sure it is a false positive?
Microsoft insist this version includes a trojan
This is a months old issue. Microsoft at some point just decided to mark a lot of things "Unwanted" and also enabled "Unwanted" as disabled. It's just ridiculous at this point. Feels like using Comodo which flags everything that's not signed. Unfortunately, code signing is a really expensive (and cumbersome) process. It costs 300 EUR+ a year, just the cert alone. And someone has to manage it, safeguard it, sign stuff with it, yadda yadda.

Btw I'm not trying to represent the whole project here, I'm just saying that code signing is still super awful in 2021. At least website certificates (and thus HTTPS) got "fixed" by the Let's Encrypt project. But Microsoft is not really eager to do something about code signing. Bet they really enjoy the yearly money from it.

See: https://shop.globalsign.com/en/code-signing
"Immediate reputation with Microsoft SmartScreen Filter"
8bits1byte

Re: PUA:Win32/QBitTorrent!torrent

Post by 8bits1byte »

Hi
I have Windows 10 saying the new version of QBT is infected, and my GlassWire firewall and Malwarebytes were all over it. It must be the way it's designed because previous builds have been fine, don't think it's MS just trying to stop torrenting, otherwise they would have done it with EVERY BUILD of a Torrent app.
and it doesn't matter where you get it from, even from your direct links
regards
Paul
Peter

Re: PUA:Win32/QBitTorrent!torrent

Post by Peter »

Please always double-check with Virustotal: https://virustotal.com

For 4.3.9 x64 Win: https://www.virustotal.com/gui/file/e1c ... 0ccfebf1c8
As you can see, NO virus in it whatsoever.
4.4.0 rc1? Again, nothing: https://www.virustotal.com/gui/file/893 ... 2ac23cfd3e
Oh but maybe the evil 32-bit contains the worst virus ever! Oh wait, it does not: https://www.virustotal.com/gui/file/014 ... d6ede6afb5

Please note:
- MalwareBytes since 2.0 is just junkware. It _was_ good way back then, but they (ab)used their former reputation to build up a pretty much just upsell/junkware software that MB currently is. Post 2.0 is trash. If you are really afraid, prepare a "Live scanner pendrive" from a safe PC (lot of vendors offer one, ESET does too) and scan your PC with that. That's as safe as it gets.
- Microsoft Defender is good, but please check the exact hit.
Ie.: If it's just "PUA", that's not a virus. And of course it also makes FP mistakes.
Defender is also pretty stupid in this regard - no offense. It flags software like qBittorrent, because... I don't know. It does not have ads, adware or anything of that sort bundled. But. When I check a regular Joe's computer, it has malware notifications in their browser, they have the default search engines redirected, they have like 10-20 unidentified software running on their PC.. but yea, these are totally safe you know. Just malware, who could that hurt you know.

I also use Windows 10, latest Defender, latest qBittorrent (just updated) and my Defender found NO issues with the files, installer whatsoever.
Don't take this personally. My tone is meant for everyone spreading this whole FUD since Microsoft went nuts with their detection. It's pretty much like AdBlock Plus. Pay the extortion money, or your software is dead. "Microsoft <3 Open-source" my arse.
Peter

Re: PUA:Win32/QBitTorrent!torrent

Post by Peter »

As you can see, "PUA". Ie.: Not a virus.
Why PUA? Your guess is as good as ours. They flagged a bunch of software, not just qBittorrent a few months ago and they released no information about their decision ever since.

Ps.: Virustotal is a tool you must "learn to use". You should always check which applications flag something (ie.: trusting major, big, known brands is always a good bet) and see what it says about it. Like "GENERIC", or "PUA", or "KEYGEN" are not a virus. That's like "maybe that's something? maybe? maybe not but hey, let's flag it."
FoolishCookie

Re: PUA:Win32/QBitTorrent!torrent

Post by FoolishCookie »

I just downloaded QBitTorrent x64 from the official FossHub and as soon as the file was downloaded, Windows Defender flagged it as potentially unwanted software.

Looking at VirusTotal (https://www.virustotal.com/gui/file/e1c ... avior/C2AE) there is some behavior that concerns me. It seems the QBitTorrent installer kills a Windows Error Reporting service and makes registry changes to no longer back up a log file related to the Background Intelligent Transfer Service.

I'm curious why QBitTorrent needs to kill the error reporting service and prevent the system from backing up log files related to BITS? That seems like odd behavior for a torrent client.
Peter

Re: PUA:Win32/QBitTorrent!torrent

Post by Peter »

FoolishCookie wrote: Tue Nov 02, 2021 12:18 pm.. It seems the QBitTorrent installer kills a Windows Error Reporting service and makes registry changes to no longer back up a log file related to the Background Intelligent Transfer Service.

I'm curious why QBitTorrent needs to kill the error reporting service and prevent the system from backing up log files related to BITS? That seems like odd behavior for a torrent client.
I am fairly sure that's not what happens.
Thankfully, since qBittorrent is completely open-source, you can check what is happening behind the scenes.

I mean, here is the source code, literally, in its entirety:
https://github.com/qbittorrent/qBittorrent

And as you can see, the installer has not been modified lately: https://github.com/qbittorrent/qBittorr ... st/windows
(minus translations)
You can see all changes for the installer by clicking History (or any tree): https://github.com/qbittorrent/qBittorr ... st/windows

Of course if you think the distributed file is modified (most likely is not), you can:
- Verify the exe files by using the SHA values and the PGP signature.
(these are available on the main website, on the Download page.)
or
- Compile the project by yourself, by hand. https://github.com/qbittorrent/qBittorrent/wiki (scroll down for Compilation.)

Oh and one more thing.
If you use Sysinternals "Procmon", you can track _EVERY_ change qBittorrent's installer is doing, making. Like literally every little teeny tiny step. Every registry entry it touches, everything.
snacky347

Re: PUA:Win32/QBitTorrent!torrent

Post by snacky347 »

I am somewhat new to verifying PGP signatures, having done so only a few times.

I don't know how I can verify qBitTorrent's binary file for Windows (qbittorrent_4.3.9_x64_setup.exe). The QBitTorrent website features a link to download the signer's public key (qbittorrent_4.3.9_x64_setup.exe.asc), but does not include a link to download the associated PGP signature file (*.sig).

My understanding is that I need to verify that missing PGP signature file (*.SIG) against the signer's public key (qbittorrent_4.3.9_x64_setup.exe.asc) by typing ...
"C:\Program Files (x86)\Gnu\GnuPg\gpg.exe" --verify *.SIG qbittorrent_4.3.9_x64_setup.exe
... but I cannot do this until I acquire the missing PGP signature file (*.SIG) and substitute its name in the command.

Please help me complete this process.
Peter

Re: PUA:Win32/QBitTorrent!torrent

Post by Peter »

So, you need gpg. For me, "Cygwin" is the easiest option. But you have native Win32 GPG available too.
* Note that Cygwin is just a "base environment". In the installer you have to pick "gpg" and "wget" for example.

1) Grab the public key from the top of Download page.
I downloaded it like so:

wget -O key.asc https://raw.githubusercontent.com/qbittorrent/qBittorrent/master/5B7CC9A2.asc
2) Import it into gpg.

gpg --import key.asc
2) Grab the x64 or x86 installer.
3) Grab the .asc from Downloads page, it's the "Sourceforge" one.
4) Verify the installer like this:

gpg --verify ./qbittorrent_4.3.9_x64_setup.exe.asc ./qbittorrent_4.3.9_x64_setup.exe
(I had to use ./ because of Cygwin.)

As you can see from output:
gpg: Good signature from...

Aaaand that's it.
You also have to verify the SHA256 value. It's on the Downloads page as well.
Get our sum:

sha256sum.exe ./qbittorrent_4.3.9_x64_setup.exe
And it gives us: e1c63b0b1b1ea646bad7bb844426fab55c7178de167268ac8d76190ccfebf1c8 *././qbittorrent_4.3.9_x64_setup.exe

Aaand now we check the website..
Checksum SHA2-256
32-bit installer 01487a0e2594a5065e4d780eb012dcd0dafadc218d1b6aba69528bd6ede6afb5
64-bit installer e1c63b0b1b1ea646bad7bb844426fab55c7178de167268ac8d76190ccfebf1c8
32-bit installer (rc1) 0a2120e9ef5607b08a540962065a16cf3ee03f77d7a03ebc2f7256b6de811078
64-bit installer (rc1) 893170761cad5224b110d4032123a335e64ca48c6af13797edfb222ac23cfd3e
64-bit installer (rc1-qt6) 5f3d9d686423bc236d443964f18fe0ae2c42d4e8a752367b7dd694afc0bfe433

Aaaand it's a perfect match.
tl;dr: The latest version is just as safe as the previous releases for years now. In case someone is super afraid (I mean I am not trying to mock people, it's not a bad habit honestly), you can always set up a virtual machine with all the build tools and fire it up each release. Grab the release from git directly, compile it and just install/use that.
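
The two checks from the post above (detached signature, then SHA-256) combined into one script that fails closed, as an added example that is not part of the original post or the qBittorrent project. The function names, the argument order and the pinned signer fingerprint are assumptions; the fingerprint has to come from a source you already trust.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed check of a downloaded file.
# The expected digest and signer fingerprint are caller-supplied assumptions.

# Print the lowercase hex SHA-256 of a file.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1"
    else
        shasum -a 256 < "$1"
    fi | cut -d' ' -f1 | tr 'A-F' 'a-f'
}

# Succeed only if FILE exists and its digest equals EXPECTED (any hex case).
sha256_matches() {   # sha256_matches FILE EXPECTED
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$1" ] && [ "$(file_sha256 "$1")" = "$want" ]
}

# Succeed only if gpg reports a valid signature by the pinned 40-hex fingerprint.
# Parses the machine-readable VALIDSIG status line, not the "Good signature" text.
signed_by() {        # signed_by SIG FILE FINGERPRINT
    fpr=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#fpr}" -eq 40 ] || return 1
    case "$fpr" in *[!0-9A-F]*) return 1 ;; esac
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr"
}

# Both checks must pass; any failure stops with a non-zero status.
verify_release() {   # verify_release FILE SIG EXPECTED_SHA256 SIGNER_FPR
    sha256_matches "$1" "$3" || { echo "FAIL: SHA-256 mismatch" >&2; return 1; }
    signed_by "$2" "$1" "$4" || { echo "FAIL: no valid signature from pinned key" >&2; return 1; }
    echo "OK: $1 matches the digest and is signed by $4"
}

# Runs only when all four arguments are given on the command line.
if [ "$#" -eq 4 ]; then verify_release "$@"; fi
```

A digest published next to the download only detects corruption or a swapped mirror file; the signature check against a pinned key is what ties the file to its signer.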
alien901

Re: PUA:Win32/QBitTorrent!torrent

Post by alien901 »

Ohh

For now, I am using the last clean version. I will wait for your next update.

thank you for this.
snacky347

Re: PUA:Win32/QBitTorrent!torrent

Post by snacky347 »

Peter wrote: Wed Nov 03, 2021 9:47 am So, you need gpg. For me, "Cygwin" is the easiest option. But you have native Win32 GPG available too.
Thank you for your reply, Peter.

I never heard of Cygwin, even though I've watched several tutorials and read several articles about doing PGP signature verification.

During the setup of Cygwin, I am told to select packages. What should I choose? kGPG (KDE GnuPG frontend) and pwget?

I am somewhat familiar with GPG, having used the GPG4Win package to verify signatures for Linux distributions. Doing so was relatively straightforward since the websites of those distros hosted both the PGP signature file (*.sig) and the signer's public key (*.asc)

I don't understand why the website for qBitTorrent doesn't mention nor host a PGP Signature file (*.sig). Why is that?

1) Grab the public key from the top of Download page.
I downloaded it like so:

Peter wrote: Wed Nov 03, 2021 9:47 am wget -O key.asc https://raw.githubusercontent.com/qbitt ... 7CC9A2.asc
Where did you get the URL for that ASC file from? I know that the qBitTorrent website has a few links to ASC files, but none of them match with the URL you provided when I move my mouse over the text linking me to where the ASC files are located.

Anyway, since I was able to download the ASC file directly from the qBitTorrent website, I navigated Cygwin to the folder containing the binary and the ASC file, and then typed this command: gpg --import qbittorrent_4.3.9_x64_setup.exe.asc

The output was:
gpg: keyring `/home/***/.gnupg/secring.gpg' created
gpg: keyring `/home/***/.gnupg/pubring.gpg' created
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
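
The `.asc` suffix only says a file is ASCII-armored; in the steps earlier in the thread the installer's `.asc` is the signature argument to `gpg --verify`, while the key is a separate `.asc` file. The following added example (not from the thread or the qBittorrent project; `asc_kind` and `asc_next_step` are hypothetical helper names) reads the first armor header line to tell which kind a file is before choosing between `--import` and `--verify`.

```shell
#!/bin/sh
# Added example: classify an ASCII-armored OpenPGP file by its armor header.

asc_kind() {         # asc_kind FILE
    # First armor header line, with a trailing CR (Windows line ending) removed.
    header=$(sed -n '/^-----BEGIN PGP /{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        '-----BEGIN PGP PUBLIC KEY BLOCK-----')  echo public-key ;;
        '-----BEGIN PGP PRIVATE KEY BLOCK-----') echo private-key ;;
        '-----BEGIN PGP SIGNATURE-----')         echo detached-signature ;;
        '-----BEGIN PGP SIGNED MESSAGE-----')    echo clearsigned-message ;;
        '-----BEGIN PGP MESSAGE-----')           echo message ;;
        *)                                       echo not-armored ;;
    esac
}

# Print the gpg command that fits the file; DATA_FILE is the file it may sign.
asc_next_step() {    # asc_next_step ASC_FILE [DATA_FILE]
    case "$(asc_kind "$1")" in
        public-key)          echo "gpg --import $1" ;;
        detached-signature)  echo "gpg --verify $1 ${2:-<signed file>}" ;;
        clearsigned-message) echo "gpg --verify $1" ;;
        private-key)         echo "do not import: secret key material" ;;
        message)             echo "gpg --decrypt $1" ;;
        *)                   echo "not an armored OpenPGP file" ;;
    esac
}

# Report on every file named on the command line (nothing happens with no arguments).
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(asc_next_step "$f")"
done
```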