kb1234 Posted October 12, 2017

Hi,

I downloaded ImgBurn today, but found my anti-virus blocking the download and flagging it as a trojan. I decided to investigate further and there does appear to be an issue with the download links.

1) The download direct from imgburn.com (Mirror 7) is flagged as a trojan. The hash does match the one listed on your downloads page.

2) The download from imgburn.com is a different file than the one you get from the mirrors Digital Digest, Softpedia, and TechSpot. I did not check the others.

3) All three of the mentioned mirrors provide the exact same file, and it does not set off the virus scanner, however the hash does not match the one listed on your site.

Could you please confirm which download is correct? I suspect imgburn.com has been compromised, both the file and the displayed hash.

Thanks
Ch3vr0n Posted October 12, 2017

You suspect wrong. Use the search. It's flagged because of the OpenCandy DLL, which is responsible for the ad offers. No more, no less. Neither the site nor the download is compromised. You can disable the offers multiple ways, the search will tell you.

Sent from my Nexus 6P with Tapatalk
kb1234 (Author) Posted October 13, 2017

> You suspect wrong. Use the search. It's flagged because of the OpenCandy DLL, which is responsible for the ad offers. No more, no less. Neither the site nor the download is compromised. You can disable the offers multiple ways, the search will tell you.
>
> Sent from my Nexus 6P with Tapatalk

Please address the concern of the download being different from the mirrors. Clearly something is going on here.

Some additional details on the detections for those that are interested.

A PUA.InstallCore threat is identified. This is an application that potentially installs unwanted applications on the computer; this could be OpenCandy. Symantec identifies this as a security risk, as it should. I see this occasionally in freeware/shareware downloads and it is expected.

A Trojan.Gen.2 is also identified by Symantec. This is not classified by Symantec as only a security risk, but it has a full-out virus classification. This is not a warning you would ever expect from freeware/shareware.
LIGHTNING UK! Posted October 13, 2017

There's nothing going on.

The direct mirror download is different to the others and may indeed flag up as PUA.InstallCore. It's nothing to worry about and as has already been mentioned, it just offers 3rd party software during the installation process - which you can of course opt out of installing without it making any difference to ImgBurn itself.

As for the Trojan.Gen.2 detection... well, I don't know anything about that one. A false positive I expect. Is it actually reporting that for the setup exe itself? Seems weird it would report the PUA and that for the same file.
kb1234 (Author) Posted October 13, 2017

> There's nothing going on.
>
> The direct mirror download is different to the others and may indeed flag up as PUA.InstallCore. It's nothing to worry about and as has already been mentioned, it just offers 3rd party software during the installation process - which you can of course opt out of installing without it making any difference to ImgBurn itself.
>
> As for the Trojan.Gen.2 detection... well, I don't know anything about that one. A false positive I expect. Is it actually reporting that for the setup exe itself? Seems weird it would report the PUA and that for the same file.

I recommend indicating that the downloads are different and why, especially considering a hash is provided which won't match them. When I encountered the problem of the hash mismatch, and subsequently noticed the downloads are different, I did search the forum but found nothing. Perhaps I missed it, but either way I would expect the information to be front and center on the download page.

The Trojan.Gen.2 does come from the setup.exe. I can't say whether or not it is a false positive related to OpenCandy, but it may very well be.
kb1234 (Author) Posted October 13, 2017

Now that I have dug into this more and discovered the right keywords to search with, I see a number of similarly confused users, most of them appearing to remain confused, with only partial explanations ever given. These could all be resolved by a clear statement on the downloads page.

http://forum.imgburn.com/index.php?/topic/24171-imgburn-2580-virus-found-hashs-do-not-match/?hl=%2Bopencandy

http://forum.imgburn.com/index.php?/topic/24647-download-from-imgburn-mirror-reported-infected-from-symantec/?hl=%2Bopencandy&do=findComment&comment=160259

http://forum.imgburn.com/index.php?/topic/24578-checksums-on-the-homepage-changes-often/?hl=%2Bopencandy
Ch3vr0n Posted October 13, 2017

Well I did say in the first reply it was opencandy and the file itself was just fine.

Sent from my Nexus 6P with Tapatalk
kb1234 (Author) Posted October 13, 2017

> Well I did say in the first reply it was opencandy and the file itself was just fine.
>
> Sent from my Nexus 6P with Tapatalk

You can keep saying OpenCandy all you want, but it does not address any of the concerns people are having with the setup file being different on the mirrors and hashes not matching. That is a huge concern for me.

I'm not concerned about OpenCandy. Products like it are part of the freeware/shareware world, but the 'trust me I know the file is safe even though your security software says it is not' does not really fly these days. Trust me kids, get in my car, I promise you will get a piece of candy.

I'm just coming off a project where I was called in to help a large commercial software vendor who made the same claim, and then were required by law (US) to issue recall notices later on when it was discovered there was really a security risk in the software. It was not a cheap mistake.