
Well, no, not really. The GitHub thread is based on a misunderstanding of what Windows is doing and how Windows AV works. Windows uses a system very similar to those used for spam filters, except for binaries. That system is "reputation". It tries to learn over time to classify software into wanted and malware.

Just like with email, to build binary reputation you need to cooperate by using cryptography. With email you sign your mail using DKIM and publish your DKIM keys in DNS. This lets spam filters associate the mails you send together and learn that a stream of mails, even though they may all be very different, are in fact all "good". With Windows programs you have to sign your software. This lets Windows know that different versions of your program are actually all "good".

Authenticode certificates cost money. QBitTorrent is open source. Unsurprisingly they'd rather not pay for a code signing certificate, so their installers are unsigned. From Windows' perspective every new version resets the clock and is "unknown" because the binaries have different hashes. It then has to start learning reputation all over again. New binaries are described as "potentially unwanted" rather than explicitly as malware because malware is polymorphic, exactly to evade blacklisting, so binaries that haven't accumulated any reputation yet might or might not be malicious. Windows just doesn't know yet. That's why some users report it happens and others don't.

This isn't QBitTorrent's fault exactly but they're experiencing the same problem you'd get if you tried to run a popular mailing list off a site that didn't use SPF or DKIM. You aren't signing, so, you get lumped in with all the other people who don't sign and many of them are malicious.

tl;dr It's got nothing to do with being a BitTorrent client.
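The comment above turns on whether a release binary carries a signer identity that reputation can attach to, or only a hash that changes every version. The following PowerShell script is an added example, not code from the thread or from the qBittorrent project; it reports the Authenticode state of any installer file the way a defender would check it before trusting a download. `$InstallerPath` is an assumed parameter name.

```powershell
# Added example (not from the thread): inspect the Authenticode state of a
# downloaded installer. $InstallerPath is an assumed placeholder; point it at
# any .exe or .msi you have on disk.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath
)

# Get-AuthenticodeSignature returns a Signature object whose Status is one of
# Valid, NotSigned, HashMismatch or UnknownError (UnknownError usually means
# the chain does not end in a root the machine trusts).
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

[pscustomobject]@{
    File          = Split-Path -Leaf $InstallerPath
    Status        = $sig.Status
    StatusMessage = $sig.StatusMessage
    Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Issuer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '(none)' }
    NotAfter      = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
    Timestamped   = [bool]$sig.TimeStamperCertificate
} | Format-List

# With no signer, the SHA-256 hash is the only identity the file has, and it
# changes on every release, which is the "clock reset" the comment describes.
(Get-FileHash -Algorithm SHA256 -Path $InstallerPath).Hash
```

A `Status` of `NotSigned` alongside a fresh hash is exactly the case the comment describes: nothing links this build to the previous release, so any reputation earned by earlier versions does not carry over. A `Valid` status with a stable `Signer` subject is what lets successive versions be grouped together.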




> to build binary reputation you need to cooperate by using cryptography.

You need to get your software signed by Microsoft because it wants to be the arbiter of allowed software.

This is blatantly misrepresenting the issue and is technically wrong. And it disregards that this is mainly a mechanism to protect and conquer hegemony in software. This is not at all comparable to DKIM or SPF.


> You need to get your software signed by Microsoft because it wants to be the arbiter of allowed software.

Microsoft is deliberately not handling Authenticode certificates themselves in an attempt to stem this problem.

Those certificates are instead held by third-party CAs.


> tl;dr It's got nothing to do with being a BitTorrent client.

That's simply not true. It's got everything to do with it being a BitTorrent client.

> Microsoft uses specific categories and the category definitions to classify software as a PUA.

> Torrent software (Enterprise only): Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.

https://docs.microsoft.com/en-us/microsoft-365/security/inte...

Microsoft explicitly include "Torrent software" in their article for what's considered by them to be PUA.

> In a background article on what’s considered unwanted software, torrent clients are specifically mentioned, along with advertising software and cryptominers. The article suggests that it applies to “enterprise” only, but the complaints we have seen apply to other Windows versions as well.

https://torrentfreak.com/utorrent-continues-to-be-flagged-as...

As pointed out by TorrentFreak, the Microsoft article suggests that it only applies to the "enterprise" version of Windows; however, as we've seen, this doesn't appear to be true. It at least explains why some experience this user-hostile behaviour while others don't.
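The exchange above hinges on whether a given detection is a PUA classification or a malware verdict, and on whether PUA blocking is even switched on for the machine in question. The following PowerShell is an added example, not code from the thread; it reads the local Defender PUA setting and lists detections Defender filed under the PUA type, using the Defender cmdlets that ship with Windows 10 and 11 (an elevated shell is needed for the threat listing).

```powershell
# Added example (not from the thread): show how PUA protection is configured
# on this machine and separate PUA classifications from malware verdicts.

$pref = Get-MpPreference
# PUAProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only)
$modes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
"PUAProtection setting: $($modes[[int]$pref.PUAProtection])"

# Defender names detections as Type:Platform/Family. The PUA type uses the
# 'PUA:' prefix, distinct from Trojan:, Worm:, etc., so filtering on the
# prefix tells an "unwanted" classification apart from an actual malware verdict.
$threats = Get-MpThreat

$pua     = $threats | Where-Object { $_.ThreatName -like 'PUA:*' }
$nonPua  = $threats | Where-Object { $_.ThreatName -notlike 'PUA:*' }

"PUA detections: $($pua.Count)   Other detections: $($nonPua.Count)"

$pua |
    Select-Object ThreatName, SeverityID, IsActive,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize
```

If `PUAProtection` reads `Disabled` yet an installer was still blocked, the detection came from a path other than the PUA category, which is the distinction the two commenters are arguing over; the `Resources` column shows which file on disk each detection was attached to.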


If your Windows isn't joined to an AD domain then the enterprise stuff doesn't apply. Maybe some of the users complaining about QBitTorrent are trying to install it at work, but it's much more likely to be simply because they don't sign their software. It's more or less guaranteed that not doing that will cause spurious and inconsistent security warnings.

If you check the GitHub thread then the very first post says it was flagged as PUA but the actual error they show is clearly a malware classification. The fact that they have one naming scheme and QBitTorrent got dumped in the PUA section (because it's not malware) doesn't mean it automatically gets opted out of the reputation system. And they observe themselves that people are re-bundling qbittorrent binaries into third-party re-packagings that are probably adware or malware, which in the absence of signing will confuse Windows because it can't tell the re-packaged versions apart from the upstream versions.


> If you check the GitHub thread then the very first post says it was flagged as PUA but the actual error they show is clearly a malware classification.

Are you sure that's what you're seeing? The image in the first post of that GitHub thread shows that Defender did indeed flag the qBittorrent installer as PUA.


I think it looks like that because each program gets a single name to identify it in the Defender namespace, and that namespace seems to include a sort of general categorization. But then a program can be classified in multiple ways and blocked for multiple reasons. The people on that thread don't seem to be on corporate networks, so it seems like Defender is marking it as a "threat" for other reasons.

The whole thing is annoyingly confusing and opaque, but I don't think the issue here is some sort of conspiracy against BitTorrent. Unsigned software is gonna trigger AV false positives; it's been that way for decades. Now they're getting AV false positives. If they started signing their code then eventually Windows would learn it's not malware. Corp networks might still opt to block it because they don't want their employees torrenting, but that's a separate issue.



