Re: Setup bundled - warning?

Posted: 2018-06-13 16:33
by boco
Of course not. botg just explained that the hash is for another file (hence the file name is different).

Re: Setup bundled - warning?

Posted: 2018-06-23 09:37
by dylanh724
botg wrote:
2018-01-04 23:39
Two reasons for this kind of behavior: Fraud prevention and side-stepping false-positives.

The reason for the former is simple, preventing malicious customers from fraudulently generating fake clicks.

The reason for the latter is also simple if you consider that AV products compete in the market of installer monetization. It's an open secret that AV companies purposefully block offers from or for competing companies.



All that being said, the choice is with the end-user. If you do not wish to use the offer-enabled installer, have a look at the additional download options page. Even if you do use the offer-enabled installers, nothing unwanted is being installed without your consent.
Fairly confident that creates a red target for GDPR complaints, let alone the sketchy factor of not clearly disclosing this.

Someone should probably take this thread to Reddit.

Re: Setup bundled - warning?

Posted: 2018-06-23 11:29
by dbrown
botg wrote:
2017-12-29 22:42
The hash doesn't match because the filename doesn't match.
Dangerously ignorant answer.

Re: Setup bundled - warning?

Posted: 2018-06-23 15:02
by Guyfromreddit
Well. This is interesting. Linked here from Reddit. Guess I won't be using FileZilla anymore. I also happen to work at a very large tech vendor who uses FileZilla as the tool of choice for our hundreds of thousands of clients. I have a suspicion that will be changing after this news gets around.

Re: Setup bundled - warning?

Posted: 2018-06-23 16:09
by boco
dbrown wrote:
2018-06-23 11:29
botg wrote:
2017-12-29 22:42
The hash doesn't match because the filename doesn't match.
Dangerously ignorant answer.
Dangerously ignorant user. Not matching filename = the checksum is NOT for that file. Checksums can only be provided for the non-bundled packages, because they're static. Bundled installers are not.

Re: Setup bundled - warning?

Posted: 2018-06-23 18:00
by botg
There's something better than the checksums: Digital signatures. You will find the files signed.

Re: Setup bundled - warning?

Posted: 2018-06-23 18:06
by BrassRhino
I just scanned the file FileZilla_3.34.0_win64-setup_bundled.exe with Eset antivirus. I got this warning:

"C:\Users\User\Downloads\FileZilla_3.34.0_win64-setup_bundled.exe » NSIS » Fusion.dll - a variant of Win32/FusionCore.Z potentially unwanted application - action selection postponed until scan completion"

When I compare this installer to the installer I downloaded yesterday, the name is different: "FileZilla_3.34.0_win64-setup.exe" yesterday 2018-06-22 5:04 PM vs "FileZilla_3.34.0_win64-setup_bundled.exe" today 2018-06-23 10:22 AM. Of course the hashes don't match; the newer file is 955KB bigger.

I think there may have been a breach.

Re: Setup bundled - warning?

Posted: 2018-06-23 18:23
by botg
It's a tautological false-positive: by the very definition of the term, _everything_ is potentially unwanted.

Forget about the hashes, check the digital signature of the file.
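
The two checks discussed in this thread, as an added example that is not part of any post and is not the project's own tooling: a published checksum is looked up by exact file name (so a file that is not listed is reported as "no checksum", not as a mismatch), and the Authenticode signature is verified separately. The script parameters, the sha512sum-style "hash  filename" list format and the `<EXPECTED-PUBLISHER-NAME>` placeholder are assumptions.

```powershell
# Added example. Assumptions: installer path, checksum-list path and expected
# signer substring are supplied by the caller; none of them come from the thread.
param(
    [Parameter(Mandatory)] [string] $Installer,            # downloaded setup .exe
    [string] $ChecksumList,                                # optional "hash  filename" list
    [string] $ExpectedSigner = '<EXPECTED-PUBLISHER-NAME>' # placeholder
)

$file = Get-Item -LiteralPath $Installer

# 1. A published checksum only applies to the exact file name it lists.
if ($ChecksumList) {
    $entry = Get-Content -LiteralPath $ChecksumList |
        ForEach-Object {
            if ($_ -match '^([0-9A-Fa-f]{128})\s+\*?(.+)$') {
                [pscustomobject]@{ Hash = $Matches[1]; Name = $Matches[2].Trim() }
            }
        } |
        Where-Object { $_.Name -eq $file.Name } | Select-Object -First 1

    if (-not $entry) {
        Write-Output "No checksum published for '$($file.Name)'; another file's hash proves nothing."
    } else {
        $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA512).Hash
        if ($actual -eq $entry.Hash) { Write-Output 'SHA-512 matches the published value.' }
        else { Write-Output 'SHA-512 MISMATCH for a listed file: do not run it.' }
    }
}

# 2. The Authenticode signature is embedded in the file, so it can be checked
#    even for a build that has no static checksum.
$sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
Write-Output "Signature status : $($sig.Status)"
if ($sig.SignerCertificate) {
    Write-Output "Signer subject   : $($sig.SignerCertificate.Subject)"
    Write-Output "Signer thumbprint: $($sig.SignerCertificate.Thumbprint)"
}

if ($sig.Status -ne 'Valid') {
    Write-Output "Not trusted: $($sig.StatusMessage)"; exit 1
}
if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
    Write-Output 'Signature is valid but from an unexpected publisher.'; exit 1
}
Write-Output 'Signature is valid and from the expected publisher.'
```

A valid signature establishes who published the file and that it has not been altered since signing; it does not say whether the installer carries bundled offers.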