Setup bundled - warning?

[boco]

Of course not. botg just explained that the hash is for another file (hence the file name is different).

[dylanh724]

Two reasons for this kind of behavior: Fraud prevention and side-stepping false-positives.

The reason for the former is simple, preventing malicious customers from fraudulently generating fake clicks.

The reason for the latter is also simple if you consider that AV products compete in the market of installer monetization. It's an open secret that AV companies purposefully block offers from or for competing companies.



All that being said, the choice is with the end-user. If you do not wish to use the offer-enabled installer, have a look at the additional download options page. Even if you do use the offer-enabled installers, nothing unwanted is being installed without your consent.

Fairly confident that creates a red target for GDPR complaints, let alone the sketchy factor of not clearly disclosing this.

Someone should probably take this thread to Reddit.

[dbrown]

The hash doesn't match because the filename doesn't match.

Dangerously ignorant answer.

[Guyfromreddit]

Well. This is interesting. Linked here from Reddit. Guess I won't be using filezilla anymore. I also happen to work at a very large tech vendor who uses filezilla as the tool of choice for our hundreds of thousands of clients. I have a suspicion that will be changing after this news gets around.

[boco]

The hash doesn't match because the filename doesn't match.

Dangerously ignorant answer.

Dangerously ignorant user. Not matching filename = the checksum is NOT for that file. Checksums can only be provided for the non-bundled packages, because they're static. Bundled installers are not.

[botg]

There's something better than the checksums: Digital signatures. You will find the files signed.

[BrassRhino]

I just scanned the file FileZilla_3.34.0_win64-setup_bundled.exe with Eset antivirus. I got this warning

"C:\Users\User\Downloads\FileZilla_3.34.0_win64-setup_bundled.exe » NSIS » Fusion.dll - a variant of Win32/FusionCore.Z potentially unwanted application - action selection postponed until scan completion"

When I compare this installer to the installer I downloaded yesterday the name is different: "FileZilla_3.34.0_win64-setup.exe" yesterday 2018-06-22 5:04 PM vs "FileZilla_3.34.0_win64-setup_bundled.exe" today 2018-06-23 10:22 AM. Of course the hashes don't match, newer file is 955KB bigger.

I think there may have been a breach.

[botg]

It's a tautological false-positive, by the very definition of the term, _everything_ is potentially unwanted.

Forget about the hashes, check the digital signature of the file.