How to check if my filezilla.exe is legit and not compromised spyware from a fake filezilla-like-website?

ConcernedUser
500 Command not understood
Posts: 4
Joined: 2022-11-02 16:29

#1 Post by ConcernedUser » 2022-11-02 16:40

Hi!
I have a filezilla version 3.57.0 that has absolutely NO "Update" entry in the settings dialog.
In another thread (viewtopic.php?style=246&p=168746) I have read "Site Admin" botg and "Contributor" Boco insist there should be an update setting, unless specific other settings are made in some .xml-files (which are not made at my version) - the only other reason of a totally missing update-entry would be a compromised filezilla-download or -exe.

How could I check if my filezilla.exe and the other files are legit, or are as given as possibility in the other thread stem from a fake website? (Someone wrote a fake filezilla-like-website was at some time at the top of the google search results, so I can't exclude the possibility I fell for this trap, too.)

How and which files from my installation to make a checksum of?
Where on the filezilla-project.org website could I check if these checksums are correct?


Sincerely
Bill, A concerned user

ConcernedUser
500 Command not understood
Posts: 4
Joined: 2022-11-02 16:29

Re: How to check if my filezilla.exe is legit and not compromised spyware from a fake filezilla-like-website?

#2 Post by ConcernedUser » 2022-11-02 18:03

I just installed 3.62.0 downloaded from [a major German IT media outlet] (redacted privacy unfriendly link) and there the download link <redacted> and there the version " FileZilla - FTP-Dateimanager 3.62.0 Client, 64-Bit") directly from the [as redacted before] server.

The installer asked if to take the settings from the existing filezilla-installation. I chose the first option, yes, which was preselected.

The new installation now shows 3.62.0, but there is still no update-entry in the settings at all!
Last edited by botg on 2022-11-02 23:34, edited 3 times in total.
Reason: Redacted links to a website trampling on user privacy with hostile and misleading cookie banners and more third-party trackers than there are politicians in the Bundestag.

boco
Contributor
Posts: 26940
Joined: 2006-05-01 03:28
Location: Germany

Re: How to check if my filezilla.exe is legit and not compromised spyware from a fake filezilla-like-website?

#3 Post by boco » 2022-11-02 19:12

To get this out if the way for web-searchers: There is usually a third option where the Update might not be shown, by using a repository version under Linux. Repository versions are centrally managed and updated.

____

Check if either your FileZilla installation directory or the directory containing the settings (%APPDATA%\FileZilla on Windows, ~/.config/filezilla on other OS) contains a file named fzdefaults.xml. That file can be used to remove the Update references from the program.

Downloading the software from this very site and only from here will guarantee that it is the real deal. When using the advanced download page, there are even SHA512 checksums provided for verifying authenticity.

https://filezilla-project.org/download.php?show_all=1
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: How to check if my filezilla.exe is legit and not compromised spyware from a fake filezilla-like-website?

#4 Post by botg » 2022-11-02 23:31

If you are on Windows, check the digital signature of the installer to check for authenticity.

Apart from this, unless you are using your Unix(-like) distribution's native package manager, only ever download FileZilla from https://filezilla-project.org/ and use the built-in update mechanism to keep it updated.

ConcernedUser
500 Command not understood
Posts: 4
Joined: 2022-11-02 16:29

Re: How to check if my filezilla.exe is legit and not compromised spyware from a fake filezilla-like-website?

#5 Post by ConcernedUser » 2022-11-03 12:17

Edit: I checked the sha512 of the file I have downloaded from heise.de using the powershell and the command get-filehash -algorithm sha512 'C:\Users\myusername\Downloads\FileZilla_3.62.0_win64-setup.exe' | Format-List , and the sha512 matches the sha512 given on your webpage https://filezilla-project.org/download. ... -setup.exe !
Edit2: Because I want to use the program, let me put forward a suggestion that might be an improvement: If the autoupdate function is that important - and I fully understand it is for some or many users, those who at other times click on everything - then just put the turn-on-off-option in the menu line, and if autoupdate-checks (checks!) are turned off, then give that menu entry a red background. And wherever the nag-screen is called, just add an additional line to check the menu-line setting, and if turned to off, put a break before opening the nagscreen.

1. I'm running filezilla on Windows 10. So the Linux question is already out of the way.
1.b) I downloaded from the given website at heise.de. Edit: SHA512 matches that of your details page!

2. Of course I tried the solutions given in the linked thread about the fzdefaults.xml
I also tried to change in the other xml-file, which according to another thread is not the right place to have any effect - but I tried anyway at least.

3. I have a debug option in the menu line, and there I used "Autoupdate-Daten löschen" (Delete autoupdate data). That didn't work.
3.b) The nag screen even appeared if closing and restarting filezilla multiple times after a change of settings or deleting autoupdate data.

4. When starting the program today, the nag-screen didn't appear! Because of 3.b) that cannot be solely the result of the restart. But it's the same version today as the one I installed yesterday.

Conclusion: If the nag screen doesn't appear anymore today, that MUST have something to do with some sort of timer in the program code.
If FileZilla publishers don't want to look into the code and answer in the "official" forum, then that's it.

I also downloaded another ftp-program yesterday, and if the nag-screen ever again pops up, I just switch to that one.

It's a pity that basically all indeed VERY GOOD free or open source programs after many years of good usage suddenly on one day start with such "oddities", and we - the users - have to move on.
For example another one is VLC, which nowadays (at least last I checked some months ago) uses more than double as much CPU power for playing my mp3 or mp4 files than the old 1.x version. Pity me! - I now use the Windows 10 video player to play mp4 and Windows 10 music player to play mp3. Those have awful usability. - Or before that, what they have done to winamp. Do you still remember winamp?

I hope it doesn't end one day with the question: Do you still remember Filezilla?

--

Edit: When going to "FileZilla_3.62.0_win64-setup.exe"'s detail page https://filezilla-project.org/download. ... -setup.exe that page shows a "SHA-512 hash". When right clicking in my windows explorer on the downloaded same named "FileZilla_3.62.0_win64-setup.exe" file, I can only find a sha256 signature and a sha384 signature and hash when clicking through the dreadful windows property popup windows.
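
The two checks recommended in posts #3 and #4 and tried in post #5 (SHA-512 against the download page, plus the installer's digital signature), combined in one PowerShell function. This is an added example, not part of the original thread and not FileZilla project code; the function name, parameter names and the optional signer text are assumptions, and the published hash must be copied from the download page by the reader. The SHA-256/SHA-384 values in the Explorer signature dialog belong to the signature itself and are not meant to be compared with the page's SHA-512.

```powershell
# Added example, not FileZilla project code. Function and parameter names are hypothetical.
function Test-DownloadedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-512 value copied by hand from the project's download page.
        [Parameter(Mandatory)] [string] $PublishedSha512,
        # Optional: text you expect in the signer certificate subject (assumption: you know it).
        [string] $ExpectedSignerText
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Normalise the pasted value: web pages may add spaces, line breaks or mixed case.
    $expected = ($PublishedSha512 -replace '\s', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{128}$') {
        throw 'Published value is not a 128-digit hex SHA-512 hash.'
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA512).Hash.ToUpperInvariant()

    # Authenticode check: Status is 'Valid' only if the file is unmodified since signing
    # and the certificate chains to a root this machine trusts.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $signerOk = $true
    if ($ExpectedSignerText) {
        $signerOk = [bool]($signer -and $signer.Contains($ExpectedSignerText))
    }

    $hashOk = ($actual -eq $expected)
    [pscustomobject]@{
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status
        Signer          = $signer
        SignerMatches   = $signerOk
        Trusted         = $hashOk -and ($sig.Status -eq 'Valid') -and $signerOk
    }
}

# Constructed usage; the hash argument is a placeholder, not a real FileZilla value.
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\FileZilla_3.62.0_win64-setup.exe" `
#     -PublishedSha512 '<paste the SHA-512 from the download page>'
```

A matching hash only shows the file equals the one the page describes, so the hash has to come from filezilla-project.org itself; the signature check is independent of where the file was downloaded.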

boco
Contributor
Posts: 26940
Joined: 2006-05-01 03:28
Location: Germany

Re: How to check if my filezilla.exe is legit and not compromised spyware from a fake filezilla-like-website?

#6 Post by boco » 2022-11-04 01:55

That post is confusing. We did talk about the missing "Update" functionality in Settings and under Help. We did not talk about nag screens at all.

Using an up-to-date FileZilla, no nag screen is shown (except the Welcome screen shown once). If it finds a higher version online, it will ask you to update.

The other nag screen is only shown after more than 90 days without updating. It is there for reminding you to update FileZilla via an alternative way (like using the installer) if you don't like auto update or in case auto update is blocked. Not updating is NOT an option and not a supported use case.

ConcernedUser
500 Command not understood
Posts: 4
Joined: 2022-11-02 16:29

Re: How to check if my filezilla.exe is legit and not compromised spyware from a fake filezilla-like-website?

#7 Post by ConcernedUser » 2022-11-05 00:24

boco wrote:
2022-11-04 01:55
That post is confusing. We did talk about the missing "Update" functionality in Settings and under Help. We did not talk about nag screens at all.

Using an up-to-date FileZilla, no nag screen is shown (except the Welcome screen shown once). If it finds a higher version online, it will ask you to update.

The other nag screen is only shown after more than 90 days without updating. It is there for reminding you to update FileZilla via an alternative way (like using the installer) if you don't like auto update or in case auto update is blocked. Not updating is NOT an option and not a supported use case.

"To get this out if [sic] the way for web-searchers" you wrote above, and indeed!
You now managed to get this out of the way for web-searchers:
1. You weren't able to explain why the newest version downloadable on a major download hub (heise.de) does not show in the menu any "Update" section.
2. You pointed out that the nag screen can not be stopped unless updating.
3. About 1.: You did not search in the source code where this "error" could come from. (Or you did search, but will not tell the users.)

Without going into detail in what regard I hold this software now, I just conclude: It was good years ago. But this type of software it obviously has become has no place on my computer.

Bye Bye

boco
Contributor
Posts: 26940
Joined: 2006-05-01 03:28
Location: Germany

Re: How to check if my filezilla.exe is legit and not compromised spyware from a fake filezilla-like-website?

#8 Post by boco » 2022-11-05 03:13

I'm not a developer, I'm a user. And I don't know what's going on on your PC. And no, Heise is not an officially trusted download portal for FileZilla software. Wipe out settings, and install the version downloaded from here, and you will neither see a nag nor will you have missing Update functionality (that is, unless your computer is totally wonky). If what you see was a common bug by any stretch, these forums would explode.

But as you seem to have made your choice, let's just leave it at that. I'm out of this topic, except for moderation. Good luck.
