1
Plugins / Re: Desktop Lyrics: Display lyrics on your desktop!
« on: July 17, 2023, 07:55:10 PM »@CharlieJiang
Running your Desktop Lyrics plugin (dll v1.8 ) through VirusTotal, it gets triggered by 14 antivirus engines saying it contains a Trojan virus:
Can you comment on this?
I too tried to run the dlls in VirusTotal and got the same result, which is rather weird. The project has its source code publish at https://github.com/cqjjjzr/MusicBee-DesktopLyrics and the codebase is small (not so small as NeteaseLyrics, ~1900 SLOC of C#, but still quite controlable) so it can be easily audited, and you can build the project and again put it into VirusTotal.
I rebuilt the project from scratch using VS2022 (17.6.1) and the result is the same, so I believe it's either
1. False positive from Antivirus engines. I used Fody Costura to weave dependency DLLs into single DLL so this is highly likely the case! (see https://github.com/Fody/Costura/issues/161 );
2. The dependency is posioned. Again the dependency details is published in the GitHub repo (in packages.config). The project has only 5 dependencies (Costura.Fody 3.2.2, Fody 3.3.5, MSBuildTasks 1.5.0.235, Newtonsoft.Json 13.0.1, Cyotek.Windows.Forms.ColorPicker 1.7.2), and none has been reported as posioned as far as I can search, so the possibility for dependency posioning is slim.
I severly doubt that this is a case of false positive. Could you try to rebuild the project from source and see if the virus flags persist?
Reposted from the replies of the NeteaseLyrics plugin:
Someone in the GitHub issue suggested changing the GUID of the dll in AssemblyInfo.cs, and it did fixed the problem. The original one (c1acdbd8-6b22-4807-bba3-d0237ccd74c1) in my plugins are surprising the same since I copied the AssemblyInfo.cs from the MusicBee SDK demo untouched. Changing them to different ones solved the issue.
It seems that the AV softwares are indeed to be blame. I'll release further versions of those plugins with new GUIDs, but I'd like not to bother to release a version just for rolling the GUID.