Setup bundled - warning?

boco
Contributor
Posts: 24424
Joined: 2006-05-01 03:28
Location: Germany

Re: Setup bundled - warning?

#16 Post by boco » 2018-06-13 16:33

Of course not. botg just explained that the hash is for another file (hence the file name is different).
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

dylanh724
500 Command not understood
Posts: 3
Joined: 2016-08-02 04:36

Re: Setup bundled - warning?

#17 Post by dylanh724 » 2018-06-23 09:37

botg wrote:
2018-01-04 23:39
Two reasons for this kind of behavior: Fraud prevention and side-stepping false-positives.

The reason for the former is simple, preventing malicious customers from fraudulently generating fake clicks.

The reason for the latter is also simple if you consider that AV products compete in the market of installer monetization. It's an open secret that AV companies purposefully block offers from or for competing companies.


All that being said, the choice is with the end-user. If you do not wish to use the offer-enabled installer, have a look at the additional download options page. Even if you do use the offer-enabled installers, nothing unwanted is being installed without your consent.

Fairly confident that creates a red target for GDPR complaints, let alone the sketchy factor of not clearly disclosing this.

Someone should probably take this thread to Reddit.

dbrown
500 Command not understood
Posts: 1
Joined: 2018-06-23 11:20
First name: d
Last name: brown

Re: Setup bundled - warning?

#18 Post by dbrown » 2018-06-23 11:29

botg wrote:
2017-12-29 22:42
The hash doesn't match because the filename doesn't match.

Dangerously ignorant answer.

Guyfromreddit
500 Command not understood
Posts: 1
Joined: 2018-06-23 14:58

Re: Setup bundled - warning?

#19 Post by Guyfromreddit » 2018-06-23 15:02

Well. This is interesting. Linked here from Reddit. Guess I won't be using FileZilla anymore. I also happen to work at a very large tech vendor who uses FileZilla as the tool of choice for our hundreds of thousands of clients. I have a suspicion that will be changing after this news gets around.

boco
Contributor
Posts: 24424
Joined: 2006-05-01 03:28
Location: Germany

Re: Setup bundled - warning?

#20 Post by boco » 2018-06-23 16:09

dbrown wrote:
2018-06-23 11:29
botg wrote:
2017-12-29 22:42
The hash doesn't match because the filename doesn't match.

Dangerously ignorant answer.

Dangerously ignorant user. Not matching filename = the checksum is NOT for that file. Checksums can only be provided for the non-bundled packages, because they're static. Bundled installers are not.

botg
Site Admin
Posts: 32064
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Setup bundled - warning?

#21 Post by botg » 2018-06-23 18:00

There's something better than the checksums: Digital signatures. You will find the files signed.

BrassRhino
500 Command not understood
Posts: 1
Joined: 2018-06-23 17:47

Re: Setup bundled - warning?

#22 Post by BrassRhino » 2018-06-23 18:06

I just scanned the file FileZilla_3.34.0_win64-setup_bundled.exe with Eset antivirus. I got this warning:

"C:\Users\User\Downloads\FileZilla_3.34.0_win64-setup_bundled.exe » NSIS » Fusion.dll - a variant of Win32/FusionCore.Z potentially unwanted application - action selection postponed until scan completion"

When I compare this installer to the installer I downloaded yesterday the name is different: "FileZilla_3.34.0_win64-setup.exe" yesterday 2018-06-22 5:04 PM vs "FileZilla_3.34.0_win64-setup_bundled.exe" today 2018-06-23 10:22 AM. Of course the hashes don't match; the newer file is 955KB bigger.

I think there may have been a breach.

botg
Site Admin
Posts: 32064
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Setup bundled - warning?

#23 Post by botg » 2018-06-23 18:23

It's a tautological false-positive, by the very definition of the term, _everything_ is potentially unwanted.

Forget about the hashes, check the digital signature of the file.

Locked
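
Checking the digital signature, as posts #21 and #23 advise, can be done on Windows with PowerShell's Get-AuthenticodeSignature. The following is an added example, not code from the thread or from the FileZilla project; the function name Test-InstallerSignature and the publisher value are placeholders you must supply from a source you already trust.

```powershell
# Added example (not from the thread): judge an installer by its Authenticode
# signature instead of a published checksum.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: publisher name obtained from a source you already trust.
        [Parameter(Mandatory)] [string] $ExpectedSigner,
        # Optional pin to one exact signing certificate.
        [string] $ExpectedThumbprint
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate
    $problems = @()

    # 'Valid' = contents match the signed digest and the chain is trusted.
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    if (-not $cert) {
        $problems += 'no signer certificate present'
    } else {
        # A valid signature from anyone is not enough; check who signed.
        $cn = $cert.GetNameInfo('SimpleName', $false)
        if ($cn -ne $ExpectedSigner) {
            $problems += "signed by '$cn', expected '$ExpectedSigner'"
        }
        if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
            $problems += "thumbprint $($cert.Thumbprint) does not match the pin"
        }
    }

    [pscustomobject]@{
        File        = $file.Name
        # For your own records; the thread says bundled installers are not static.
        SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Signer      = if ($cert) { $cert.Subject } else { $null }
        # With a timestamp the signature keeps validating after the cert expires.
        Timestamped = [bool]$sig.TimeStamperCertificate
        Trusted     = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Path is the one quoted in post #22; the signer value is a placeholder.
$installer = 'C:\Users\User\Downloads\FileZilla_3.34.0_win64-setup_bundled.exe'
if (Test-Path -LiteralPath $installer) {
    Test-InstallerSignature -Path $installer -ExpectedSigner '<expected publisher name>'
}
```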