Tadej Vodopivec

Everything posted by Tadej Vodopivec

  1. Occasionally, I get a damaged/malicious version from FileHippo and CNET (from CNET I also noticed they serve me with instead of without signature). I kept one such version so I can submit it to you if necessary. Using Firefox today (via network 1), I always got the signed version. On Saturday I used network 2 and got unsigned (malicious? counterfeited?) versions. Using IE, I got several unsigned versions from CNET and FileHippo. When accessing your site, I experienced several errors - forum not available once, and the complete site unavailable, serving a quite descriptive error (I can submit the screenshot if needed). I have a signed version that I'm pretty sure is authentic, so I solved my basic problem. Best regards and thank you, Tadej
  2. Ummmm... I do not get any Digital Signature tab, as I do for TrueCrypt for example (screenshot images can be sent via e-mail). Is the digital signature in the exe itself or in something that extracts out of the exe? Here is the SHA256 checksum of the file I transferred from FileHippo.

         fsum -sha256 a2FreeSetup.exe
         SlavaSoft Optimizing Checksum Utility - fsum 2.52.00337
         Implemented using SlavaSoft QuickHash Library <www.slavasoft.com>
         Copyright © SlavaSoft Inc. 1999-2007. All rights reserved.
         ; SlavaSoft Optimizing Checksum Utility - fsum 2.52.00337 <www.slavasoft.com>
         ;
         ; Generated on 10/12/09 at 12:16:14
         ;
         7dc35e23150e855ba4f21476a4985fdce1e6a67b54bc01df38eab95065d93a36 ?SHA256*a2FreeSetup.exe

     Can you please check if this is OK for a squared free? Thank you. Tadej
  3. Hi! I am considering installation of a squared antivirus free on one of my home computers as I found excellent reviews. I am sure you are doing great work. I was not able to find any means to verify the integrity and authenticity of the installation file. My personal opinion is that an antivirus package is integrity-sensitive software (actually everything is, but as this will guard your integrity, here I'd go for the best available means to protect this). I got quite puzzled after I found a few mutually "incompatible" facts:

     - Page http://www.emsisoft.com/en/software/free/ refers to a-squared Free 4.5 Version - 10/7/2009
     - Download buttons from that same page take me to http://download.cnet.com/A-squared-Free/3000-2239_4-10262215.html where a 52,45 Mb (older - I do not have the exact version at hand) version is presented, submitted May 19, 2009. No cryptographic signature is available (such as Authenticode or at least MD5).
     - I found as a Google hit http://www.filehippo.com/download_asquared/ . But I could not get any reference from the official a squared site to FileHippo. FileHippo itself provides an MD5 signature, but no reference from a squared. The FileHippo site is also hiding its "physical identity" - no reference to a legal entity on the home page, domain is registered through a proxy, ... so - no trust hook to grab. Even no HTTPS anywhere...

     I would really like to see the distribution digitally signed by you using a trusted code signing certificate, or at least a SHA1 or SHA256 signature posted on your official HTTPS page. As you operate as a "virtual company", I am sure you do implement internal security controls to assure the integrity of your final deliverables, to mitigate the obvious risk for integrity. But it is really needed to demonstrate it at the front-end, at least in your branch. I hope you take this as a useful hint. Thank you.

     Tadej Vodopivec, CISSP, CISA, CBCP

     BTW, there is a thread Corrupted A-Square Updates on your forum, where the user is concerned about the integrity of updates. If the updates were signed, your statement about this being Avira's FP would sound much stronger in the ears of an average information security skeptic :-) Which mechanism do you use to protect the updates' integrity? I'd also appreciate using HTTPS when I am logged into your forum, to protect my session cookies flying around. Since I decided to use my real name for registration, the identity is a concern.
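
The check requested in the posts above, comparing a downloaded installer against a checksum listing published by the vendor, can be scripted. The following is an added example, not part of the original posts and not Emsisoft or SlavaSoft code. It assumes the listing uses the line layout visible in the fsum output in the second post (`;` comment lines, then `<digest> ?<ALGORITHM>*<file name>`); the function names, the sample file and the rule of accepting only SHA-256/SHA-512 are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One fsum-style entry: <hex digest> ?<ALGORITHM>*<file name>
ENTRY = re.compile(r"^([0-9a-fA-F]+)\s+\?([A-Za-z0-9]+)\*(.+)$")

def parse_fsum(listing):
    """Return {file_name: (algorithm, digest)} from fsum-style output."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY.match(line.strip())  # ';' comment and banner lines never match
        if m:
            entries[m.group(3)] = (m.group(2).lower(), m.group(1).lower())
    return entries

def file_digest(path, algorithm):
    """Hash the file in 1 MiB chunks so large installers are not read at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, listing):
    """True only if the listing names this file and the digest matches."""
    entry = parse_fsum(listing).get(os.path.basename(path))
    if entry is None:
        return False
    algorithm, expected = entry
    if algorithm not in ("sha256", "sha512"):  # assumption: refuse weaker hashes
        return False
    return hmac.compare_digest(file_digest(path, algorithm), expected)

def demo():
    """Constructed sample: a stand-in installer and a listing generated for it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "setup-sample.exe")
        with open(path, "wb") as f:
            f.write(b"constructed installer bytes")
        listing = "; constructed listing\n%s ?SHA256*setup-sample.exe\n" % file_digest(path, "sha256")
        intact = verify(path, listing)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate a modified download
        return intact, verify(path, listing)

if __name__ == "__main__":
    print(demo())
```

A matching digest only shows that the file equals the one the listing describes; the listing itself has to come from a source the user already trusts, which is the point the third post makes about publishing it on the vendor's HTTPS page.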