I find myself frequently having to blacklist downloads because someone is uploading malware to various sites for usually next week’s episodes, so sonarr is downloading that as it’s not released yet. All these are large .lnk files which run some CMD command presumably to crypto lock the computer. Sonarr is correctly warning that there is no applicable video file, but it’d be great if it could automatically delete and blacklist that release too.
Getting a .ink file actually coming through is a rare instance, just as rare as peeps creating bad video files. As for running anything ONLY if you actually explicitly click the item. If you’re on Windows or Apple you must have security software, software which would catch any .ink files and remove them.
EDIT:
Try going to Settings, Profiles, Release Profiles and create a new one to exclude .ink and see if that works. I just added .ink to the one I created for other words to exclude.
It’s lnk, lowercase L, and adding it in “must not contain” is pointless. That just looks at the release name and allows/blocks if it contains or doesn’t contain any of those words.
Probably better to keep an eye on the GHI here, which discusses mostly the same issue (different extension): Treat Downloads with Executable Files as Failed · Issue #7369 · Sonarr/Sonarr · GitHub
What also might help is set the minimum size sliders for all qualities to something you actually expect. At least they should never be set to 0. Even setting it to e.g. 50mb is plenty to filter out fake releases with a virus or other nefarious file of a few (mega)bytes.
Ok that’s probably why I rarely see it cause my minimum is set to 450 mb for 42 minutes.
The problem with the minimum size setting is that they’re somehow spoofing the size to be large files, so my client ends up downloading a GB or two only for sonarr to say it can’t import it once it’s completed, which is a good thing in itself. I ended up just writing a cronjob that looks for .lnk files in my downloading files and deletes it once it finds it and it ends up failing the download, albeit in a dirty way. It’s not elegant but it works. Thanks for the idea though.
If anyone else cares, here’s my cron job. The first part deletes .lnk.part (my client adds .part to the end of files currently downloading), which kills the download; then the second one deletes empty directories. So far all the malware I’ve seen is the only file in the directory. This runs every minute, which is probably way too often, but my server is idle almost all the time and I haven’t had issues, YMMV.
* * * * * find /<downloading directory> -iname '*.lnk.part' -delete; find /<downloading directory> -empty -type d -delete
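A report-only variant of the cron job above, as an added example that is not part of the original post: it lists suspicious files instead of deleting them and goes one step further by also checking the first 20 bytes of each file for the Windows shortcut header, so a shortcut renamed to a video extension is still flagged. The function names and the extension list (.lnk, .bat and .zipx come from this thread, .exe is an assumption) are illustrative.

```shell
#!/bin/sh
# Added example: report-only scan of a download directory for shortcut or
# executable payloads. The extension list is an assumption built from the
# file types named in this thread (.lnk, .bat, .zipx) plus .exe.

# First 20 bytes of every Windows shortcut: HeaderSize 0x4C + LinkCLSID.
LNK_MAGIC=4c0000000114020000000000c000000000000046

# is_shell_link FILE: succeed if FILE starts with the shortcut header.
is_shell_link() {
    [ "$(od -An -tx1 -N20 "$1" 2>/dev/null | tr -d ' \n')" = "$LNK_MAGIC" ]
}

# scan_downloads DIR: print "reason<TAB>path" for each suspicious file.
# Paths containing newlines are not handled.
scan_downloads() {
    find "$1" -type f | sort | while IFS= read -r f; do
        name=$(printf '%s' "${f##*/}" | tr '[:upper:]' '[:lower:]')
        name=${name%.part}   # some clients append .part to in-progress files
        case "$name" in
            *.lnk|*.bat|*.exe|*.zipx)
                printf 'extension\t%s\n' "$f" ;;
            *)
                if is_shell_link "$f"; then
                    printf 'lnk-header\t%s\n' "$f"
                fi ;;
        esac
    done
}

# Run against a directory when one is given on the command line.
[ "$#" -eq 0 ] || scan_downloads "$1"
```

The tab-separated output can be reviewed by hand or fed to whatever cleanup step you already trust.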
The latest Sonarr versions have incorporated a commit to "Treat Downloads with Executable Files as Failed · Issue #7369 · Sonarr/Sonarr · GitHub" thanks to the excellent work by @markus101. Seeing a failed download should clue the user in to looking at the download and checking the executable. If it is a .zipx extension delete it immediately.
You can protect your system from malicious executable code by using Windows Software Restriction Policies in the Local Group Policy Editor (Software Restriction Policies | Microsoft Learn) on Windows 10-11 or Windows Server.
Add your downloads and downloading folders to the list of protected folders by creating new path rules, set the folders as disallowed and then verify or add unwanted extensions for (potentially) malicious code to the Designated File Types list of filename extensions.
I’m not aware of any way to automatically update the list of designated file types. So, you’ll need to manage the list yourself from time to time.
It would still be good for Sonarr to automatically detect malicious files or unwanted extensions and fail, block and redownload the content so the process is automated.
OK just got 2 .lnk files on Saturday. Each over 500 megs. I questioned the downloads in qBittorrent cause each of those episodes were to air this Tuesday and Wednesday and are shows that there are never early releases of.
Agreed I’m getting this on every episode release of Severance (being uploaded one week before its release). I don’t know if there’s a way of stopping auto-download for episodes that should not be released yet.
I’m simply not buying that the file extension cannot be looked at and blocked by the arr’s.
The linked github item was closed 2 months ago with an update that adds this functionality but okay…
If that’s the case why are we still getting the files? I literally just got one in the last 5 minutes prior to this post. Then we have the fact that on this forum I was told that wasn’t possible to do.
If you vaguely understood how any of this works, you’d know that there is no way to know the actual contents of a download until after you download it, despite what an indexer claims it is.
So after it’s downloaded, sonarr can report to you that the files downloaded may not, in fact, be your latest favorite series episode, but a 90’s style of clumsy “virus” like a .bat or .lnk file, or an executable with a media icon, which the makers hope will be blindly doubleclicked by people. Not before.
You do realize we are talking about lnk files that are not hidden in a folder. Those should be able to be blocked. I also get maybe we should have been more specific. As for peeps actually not checking in their torrent client before playing them that’s on them for not paying attention.
Just got two malware downloads yesterday (in folders), that were scheduled to air later that day - fortunately due to the recent commits to fail these, I was able to confirm them both showing in their folders as ‘shortcuts’. The point here is that the bad actors are narrowing in their time frames, in the second case, yesterday, within a few hours of the actual broadcast time. Pays to be vigilant about ‘failed’ downloads. They’re trying to be smarter …
Joining this thread with the same issue. I just noticed that some of the files come with “Me Gusta” in the name, so when Lunasea notifies me of a new episode that hasn’t aired yet and has that name, I go and delete the download directly. I will check upon the blocking file extensions on qbittorrent while a permanent solution comes up.
As @drowse7en suggested, you can use the Microsoft ‘Group Policy Editor’ (gpedit.msc) to block malware .lnk files. Refer to the following article: Using Group Policy to block malwares and ransomwares
Note: If not already installed, the ‘Group Policy Editor’ can be downloaded from Microsoft.
In “Run”, type in ‘gpedit.msc’ (without quotes) and hit OK. Navigate to ‘Computer Configuration’ > ‘Windows Settings’ > double click on ‘Security Settings’ > then ‘Software Restriction Policies’ > then ‘Additional Rules’ and enter the path as %userprofile%\downloads\ .lnk (for example. Note: there is no space between the forward slash and .lnk - for some reason the \ slash doesn’t like a period right after it when putting the text in here), if this is your main download location and set it to ‘Disallowed’ with description as ‘potential malware executable file’.
The only drawback I believe, is if you have created a shortcut from your downloads folder to your desktop for an app that you want to keep. In my case it was ‘rufus’, so I deleted the shortcut on the desktop for it and then copied and pasted the file directly from the downloads folder on to the desktop screen. You will have to check that any apps that you have on your desktop or elsewhere that are shortcuts are not linked to your ‘downloads’ folder.
I think that setting up Windows Software Restriction Policies, specifying unwanted filename extensions in your bittorrent client and configuring Sonarr to fail releases with executable files, should be enough to protect users.
Where is that option? I can’t find it anywhere in sonarr
Advanced Settings per Indexer