I am considering installing the a-squared free antivirus on one of my home computers, as I found excellent reviews. I am sure you are doing great work.
I was not able to find any means to verify the integrity and authenticity of the installation file.
My personal opinion is that an antivirus package is integrity-sensitive software (actually everything is, but as this will guard your integrity, here I'd go for the best available means to protect it).
I got quite puzzled after I found a few mutually "incompatible" facts:
- Page http://www.emsisoft.com/en/software/free/ refers to a-squared Free 4.5 Version 220.127.116.11 - 10/7/2009
- Download buttons from that same page take me to http://download.cnet.com/A-squared-Free/3000-2239_4-10262215.html where a 52,45 Mb version (older - I do not have the exact version at hand) is presented, submitted May 19, 2009. No cryptographic signature is available (such as Authenticode or at least MD5).
- I found 18.104.22.168 as a Google hit on http://www.filehippo.com/download_asquared/ . But I could not get any reference from the official a-squared site to FileHippo. FileHippo itself provides an MD5 signature, but there is no reference from a-squared. The FileHippo site is also hiding its "physical identity" - no reference to a legal entity on the home page, the domain is registered through a proxy, ... so - no trust hook to grab. Not even HTTPS anywhere...
I would really like to see the distribution digitally signed by you using a trusted code signing certificate, or at least a SHA1 or SHA256 signature posted on your official HTTPS page.
As you operate as a "virtual company", I am sure you do implement internal security controls to assure the integrity of your final deliverables, to mitigate the obvious risk to integrity. But it is really needed to demonstrate it at the front-end, at least in your branch.
I hope you take this as a useful hint. Thank you.
Tadej Vodopivec, CISSP, CISA, CBCP
BTW, there is a thread Corrupted A-Square Updates on your forum, where the user is concerned about the integrity of updates. If the updates were signed, your statement about this being Avira's FP would sound much stronger in the ears of an average information security skeptic :-) Which mechanism do you use to protect the updates' integrity?
I'd also appreciate using HTTPS when I am logged into your forum, to protect my session cookies flying around. Since I decided to use my real name for registration, the identity is a concern.