Jump to content

Download Infected - File different from mirrors


kb1234

Recommended Posts

Hi,

 

I downloaded ImgBurn today, but found my anti-virus blocking the download and flagging it as a trojan.  I decided to investigate further and there does appear to be an issue with the download links.

1) The download direct from imgburn.com (Mirror 7) is flagged as a trojan.  The hash does match the one listed on your downloads page.

2) The download from imgburn.com is a different file than the one you get from the mirrors Digital Digest, Softpedia, and TechSpot.  I did not check the others.

3) All three of the mentioned mirrors provide the exact same file, and it does not set off the virus scanner, however the hash does not match the one listed on your site.

 

Could you please confirm which download is correct?  I suspect imgburn.com has been compromised, both the file and the displayed hash.

 

Thanks

Link to comment
Share on other sites

You suspect wrong. Use the search. It's flagged never of the opencandy dll. Which is responsible for the ad offers. No more, no less. Neither the site nor download are compromised. You can disable the offers multiple ways, the search will tell you.

 

Sent from my Nexus 6P with Tapatalk

Link to comment
Share on other sites

You suspect wrong. Use the search. It's flagged never of the opencandy dll. Which is responsible for the ad offers. No more, no less. Neither the site nor download are compromised. You can disable the offers multiple ways, the search will tell you.

 

Sent from my Nexus 6P with Tapatalk

Please address the concern of the download being different from the mirrors.  Clearly something is going on here.

 

​Some additional details on the detentions for those that are interested.

 

A PUA.InstallCore threat is identified.  This is an application that potentially installs unwanted applications on the computer, this could be open candy.  Symantec identifies this as a security risk as it should.  I see this occasionally in freeware/shareware downloads at it is expected.

 

A Trojan.Gen.2 is also identified by Symantec.  This is not classified by Symantec as only a security risk, but it has a full out virus classification.  This is not a warning you would ever expect from a freeware/shareware.

Link to comment
Share on other sites

There's nothing going on. The direct mirror download is different to the others and may indeed flag up as PUA.InstallCore. It's nothing to worry about and as has already been mentioned, it just offers 3rd party software during the installation process - which you can of course opt out of installing without it making any difference to ImgBurn itself.

 

As for the Trojan.Gen.2 detection... well, I don't know anything about that one. A false positive I expect. Is it actually reporting that for the setup exe itself? Seems weird it would report the PUA and that for the same file.

Link to comment
Share on other sites

There's nothing going on. The direct mirror download is different to the others and may indeed flag up as PUA.InstallCore. It's nothing to worry about and as has already been mentioned, it just offers 3rd party software during the installation process - which you can of course opt out of installing without it making any difference to ImgBurn itself.

 

As for the Trojan.Gen.2 detection... well, I don't know anything about that one. A false positive I expect. Is it actually reporting that for the setup exe itself? Seems weird it would report the PUA and that for the same file.

I recommend indicating that the downloads are different and why, especially considering a hash is provided which won't match them.  When I encountered the problem of the hash mismatch, and subsequently noticed the downloads are different, I did search the forum but found nothing.  Perhaps I missed it, but either way I would expect the information to be front and center on the download page.

 

The Trojan.Gen.2 does come from the setup.exe.  I can't say whether or not it is a false positive related to OpenCandy, but it may very well be.

Link to comment
Share on other sites

Now that I have dug into this more and discovered the right keywords to search with I see a number of similarly confused users, most of them appearing to remain confused, with only a partial explanations ever given.  These could all be resolved by a clear statement on the downloads page.

 

http://forum.imgburn.com/index.php?/topic/24171-imgburn-2580-virus-found-hashs-do-not-match/?hl=%2Bopencandy

 

http://forum.imgburn.com/index.php?/topic/24647-download-from-imgburn-mirror-reported-infected-from-symantec/?hl=%2Bopencandy&do=findComment&comment=160259

 

http://forum.imgburn.com/index.php?/topic/24578-checksums-on-the-homepage-changes-often/?hl=%2Bopencandy

Link to comment
Share on other sites

Well I did say in the first reply it was opencandy and the file itself was just fine.

 

Sent from my Nexus 6P with Tapatalk

 

You can keep saying OpenCandy all you want, but it does not address any of the concerns people are having with the setup file being different on the mirrors and hashes not matching.  That is a huge concern for me.

 

I'm not concerned about OpenCandy.  Products like it are part of the freeware/shareware world, but the 'trust me I know the file is safe even though your security software says it is not' does not really fly these days.  Trust me kids, get in my car, I promise you will get a piece of candy.  I'm just coming off a project where I was called in to help a large commercial software vendor who made the same claim, and then were required by law (US) to issue recall notices later on when it was discovered there was really a security risk in the software.  It was not a cheap mistake.

Link to comment
Share on other sites

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.