Tadej Vodopivec

Install Package Integrity


Hi!

I am considering installing a-squared Free antivirus on one of my home computers, as I found excellent reviews. I am sure you are doing great work.

I was not able to find any means to verify the integrity and authenticity of installation file.

My personal opinion is that an antivirus package is integrity-sensitive software (actually everything is, but as this will guard your integrity, here I'd go for the best available means to protect this).

I got quite puzzled after I found a few mutually "incompatible" facts:

- Page http://www.emsisoft.com/en/software/free/ refers to a-squared Free 4.5 Version 4.5.0.21 - 10/7/2009

- The download buttons from that same page take me to http://download.cnet.com/A-squared-Free/3000-2239_4-10262215.html where a 52,45 Mb (older; I do not have the exact version at hand) version is presented, submitted May 19, 2009. No cryptographic signature is available (such as Authenticode or at least MD5).

- I found 4.6.0.21 as a Google hit on http://www.filehippo.com/download_asquared/ . But I could not get any reference from the official a-squared site to FileHippo. FileHippo itself provides an MD5 signature, but no reference from a-squared. The FileHippo site is also hiding its "physical identity": no reference to a legal entity on the home page, the domain is registered through a proxy, ... so no trust hook to grab. Not even HTTPS anywhere...

I would really like to see the distribution digitally signed by you using a trusted code signing certificate, or at least a SHA1 or SHA256 signature posted on your official HTTPS page.

As you operate as a "virtual company", I am sure you do implement internal security controls to assure the integrity of your final deliverables, to mitigate the obvious integrity risk. But it is really needed to demonstrate it at the front end, at least in your branch.

I hope you take this as a useful hint. Thank you.

Tadej Vodopivec, CISSP, CISA, CBCP

BTW, there is a thread "Corrupted A-Square Updates" on your forum, where the user is concerned about the integrity of updates. If the updates were signed, your statement about this being Avira's FP would sound much stronger in the ears of an average information security skeptic :-) Which mechanism do you use to protect the updates' integrity?

I'd also appreciate using HTTPS when I am logged into your forum, to protect my session cookies flying around. Since I decided to use my real name for registration, identity is a concern.


All our binaries are digitally signed. Open the file properties and switch to the Digital Signature tab. If the signature is shown as 'valid', you can be sure that the file was published by Emsi Software and not manipulated.


All our binaries are digitally signed. Open the file properties and switch to the Digital Signature tab. If the signature is shown as 'valid', you can be sure that the file was published by Emsi Software and not manipulated.

Ummmm...

I do not get any Digital Signature tab, as I do for TrueCrypt for example (screenshot images can be sent via e-mail). Is the digital signature in the exe itself or in something that extracts out of the exe?

Here is the SHA256 checksum of the file I transferred from FileHippo.

fsum -sha256 a2FreeSetup.exe

SlavaSoft Optimizing Checksum Utility - fsum 2.52.00337
Implemented using SlavaSoft QuickHash Library <www.slavasoft.com>
Copyright © SlavaSoft Inc. 1999-2007. All rights reserved.

; SlavaSoft Optimizing Checksum Utility - fsum 2.52.00337 <www.slavasoft.com>
;
; Generated on 10/12/09 at 12:16:14
;
7dc35e23150e855ba4f21476a4985fdce1e6a67b54bc01df38eab95065d93a36 ?SHA256*a2FreeSetup.exe

Can you please check if this is OK for a-squared Free 4.5.0.21?

Thank you.

Tadej


I do not get any Digital Signature tab, as I do for TrueCrypt for example (screenshot images can be sent via e-mail). Is the digital signature in the exe itself or in something that extracts out of the exe?

We use embedded Authenticode signatures. And in fact, if I download the a-squared Free setup from our servers (http://download1.emsisoft.com/a2FreeSetup.exe) I do have a file with a digital signature:

sigcheck v1.60 - sigcheck
Copyright (C) 2004-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\users\administrator\downloads\a2FreeSetup.exe:
       Verified:       Signed
       Signing date:   12:54 PM 10/12/2009
       Strong Name:    Unsigned
       Publisher:      Emsi Software GmbH
       Description:    a-squared Free Setup
       Product:        a-squared Free
       Version:        4.5
       File version:   4.5
       MD5:    61c8facbf9d6d1233a8e3e9f5988cd35
       SHA1:   6fdc843de2bf6e31ca4db3e4c07c16e8e2985f62
       SHA256: 5d4288e80533d1116aec1da2d5b1abe543ba77ae9ff3948eb9908835eaa8b249

As have all files included in the setup:

c:\program files (x86)\a-squared free\a2cmd.exe:
Verified:	Signed
Signing date:	12:58 PM 10/12/2009
Strong Name:	Unsigned
Publisher:	Emsi Software GmbH
Description:	a-squared Command Line Scanner
Product:	a-squared
Version:	4.5.0.0
File version:	4.5.0.8
c:\program files (x86)\a-squared free\a2framework.dll:
Verified:	Signed
Signing date:	12:58 PM 10/12/2009
Strong Name:	Unsigned
Publisher:	Emsi Software GmbH
Description:	a-squared framework module
Product:	a-squared
Version:	4.5.0.0
File version:	4.5.0.15
c:\program files (x86)\a-squared free\a2free.exe:
Verified:	Signed
Signing date:	12:58 PM 10/12/2009
Strong Name:	Unsigned
Publisher:	Emsi Software GmbH
Description:	a-squared Free
Product:	a-squared Free
Version:	4.5.0.0
File version:	4.5.0.21
c:\program files (x86)\a-squared free\a2freecontmenu.dll:
Verified:	Signed
Signing date:	12:58 PM 10/12/2009
Strong Name:	Unsigned
Publisher:	Emsi Software GmbH
Description:	a-squared Free shell extension
Product:	a-squared Free
Version:	4. 5. 0. 0
File version:	4. 5. 0. 1
c:\program files (x86)\a-squared free\a2freecontmenu64.dll:
Verified:	Signed
Signing date:	12:58 PM 10/12/2009
Strong Name:	Unsigned
Publisher:	Emsi Software GmbH
Description:	a-squared Free shell extension
Product:	a-squared Free
Version:	4. 5. 0. 0
File version:	4. 5. 0. 1
c:\program files (x86)\a-squared free\a2service.exe:
Verified:	Signed
Signing date:	12:58 PM 10/12/2009
Strong Name:	Unsigned
Publisher:	Emsi Software GmbH
Description:	a-squared Service
Product:	a-squared
Version:	4.5.0.0
File version:	4.5.0.31
c:\program files (x86)\a-squared free\a2upd.exe:
Verified:	Signed
Signing date:	12:58 PM 10/12/2009
Strong Name:	Unsigned
Publisher:	Emsi Software GmbH
Description:	a-squared replacement tool
Product:	a-squared
Version:	4.5.0.0
File version:	4.5.0.2
c:\program files (x86)\a-squared free\a2update.dll:
Verified:	Signed
Signing date:	12:58 PM 10/12/2009
Strong Name:	Unsigned
Publisher:	Emsi Software GmbH
Description:	a-squared update module
Product:	a-squared
Version:	4.5.0.0
File version:	4.5.0.23
c:\program files (x86)\a-squared free\engine.dll:
Verified:	Signed
Signing date:	12:58 PM 10/12/2009
Strong Name:	Unsigned
Publisher:	Emsi Software GmbH
Description:	a-squared Engine SDK
Product:	a-squared
Version:	4.5.0.0
File version:	4.5.0.41
c:\program files (x86)\a-squared free\t3.dll:
Verified:	Signed
Signing date:	10:42 AM 9/2/2009
Strong Name:	Unsigned
Publisher:	IKARUS Security Software
Description:	T3 Extended Virus Engine (EVE)
Product:	T3
Version:	1.1.72.0
File version:	1.1.72.0
c:\program files (x86)\a-squared free\unins000.exe:
Verified:	Signed
Signing date:	12:58 PM 10/12/2009
Strong Name:	Unsigned
Publisher:	n/a
Description:	Setup/Uninstall
Product:	n/a
Version:	n/a
File version:	51.50.0.0
c:\program files (x86)\a-squared free\vdbupdate.dll:
Verified:	Signed
Signing date:	9:51 AM 2/13/2009
Strong Name:	Unsigned
Publisher:	Ikarus Software GmbH
Description:	vdbupdatedll
Product:	VdbUpdate
Version:	1.32.6
File version:	1.32.6


The download available at FileHippo is signed as well:

sigcheck v1.60 - sigcheck
Copyright (C) 2004-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\users\administrator\downloads\a2FreeSetup (1).exe:
       Verified:       Signed
       Signing date:   1:06 PM 10/12/2009
       Strong Name:    Unsigned
       Publisher:      Emsi Software GmbH
       Description:    a-squared Free Setup
       Product:        a-squared Free
       Version:        4.5
       File version:   4.5
       MD5:    61c8facbf9d6d1233a8e3e9f5988cd35
       SHA1:   6fdc843de2bf6e31ca4db3e4c07c16e8e2985f62
       SHA256: 5d4288e80533d1116aec1da2d5b1abe543ba77ae9ff3948eb9908835eaa8b249
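As an added example (not code from this thread or from Emsisoft), here are the checks that Fabian's sigcheck output above performs, scripted with built-in PowerShell cmdlets: Authenticode signature status, the signer's name, and a SHA256 comparison against the value he posted for a2FreeSetup.exe from both the Emsisoft server and FileHippo. It assumes PowerShell 4.0 or later (for Get-FileHash) and that the signing certificate's subject CN equals the publisher name sigcheck shows; the file path is a placeholder.

```powershell
# Added example, not from the thread. Verifies a downloaded installer:
#  1. the embedded Authenticode signature chains to a trusted root and
#     the file has not been modified since signing (Status = Valid),
#  2. the signer is the publisher you expect (a valid signature from
#     someone else is not enough),
#  3. the SHA256 matches a value obtained out of band (here: the hash
#     Fabian posted in this thread; normally a vendor HTTPS page).
# Assumption: the certificate subject contains "CN=<publisher>".
param(
    [string]$Path = "$env:USERPROFILE\Downloads\a2FreeSetup.exe",   # placeholder path
    [string]$ExpectedPublisher = "Emsi Software GmbH",
    [string]$ExpectedSha256 = "5d4288e80533d1116aec1da2d5b1abe543ba77ae9ff3948eb9908835eaa8b249"
)

if (-not (Test-Path -Path $Path)) {
    Write-Error "File not found: $Path"
    exit 1
}

# 1. Authenticode status. Anything other than Valid (NotSigned, HashMismatch,
#    UnknownError for an untrusted chain, ...) is a failure.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    Write-Error "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    exit 1
}

# 2. Signer identity. sigcheck's "Publisher" line is the certificate CN.
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*CN=$ExpectedPublisher*") {
    Write-Error "Unexpected signer: $subject"
    exit 1
}

# 3. Independent hash check against the out-of-band reference value.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
if ($actual -ne $ExpectedSha256.ToLower()) {
    Write-Error "SHA256 mismatch: got $actual, expected $ExpectedSha256"
    exit 1
}

Write-Host "OK: '$Path' is signed by '$ExpectedPublisher' and matches the reference SHA256"
Write-Host "Signer cert valid from $($sig.SignerCertificate.NotBefore) to $($sig.SignerCertificate.NotAfter)"
if ($sig.TimeStamperCertificate) {
    Write-Host "Countersigned by timestamp authority: $($sig.TimeStamperCertificate.Subject)"
}
```

Run against the unsigned copy Tadej describes later in the thread, step 1 stops with Status NotSigned; against an old CNET build the hash in step 3 differs, which is the same result the hand comparison in this thread produced.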


Occasionally, I get a damaged/malicious version from FileHippo and CNET (from CNET I also noticed that they serve me 4.5.0.0 instead of 4.5.0.21) without a signature. I kept one such version so I can submit it to you if necessary.

Using Firefox today (via network 1), I always got the signed version. On Saturday I used network 2 and got unsigned (malicious? counterfeited?) versions.

Using IE, I got several unsigned versions from CNET and FileHippo. When accessing your site, I experienced several errors: the forum not available once, and the complete site unavailable, serving a quite descriptive error (I can submit the screenshot if needed).

I have a signed version that I'm pretty sure is authentic, so I solved my basic problem.

Best regards and thank you,

Tadej


Occasionally, I get a damaged/malicious version from FileHippo and CNET

Hi Tadej Vodopivec,

Welcome to the forum.

First of all, none of the downloads mentioned and available are "malicious".

What makes you think they are? :rolleyes:

All are digitally signed, as Fabian said, and that applies to the downloaded setups and the installed software (just check the "Properties").

The only problem that exists currently is the following:

Late last night I downloaded files from Hippo, from the EMSI server and from CNet.

The hashes are equal for the Hippo setup, as Fabian posted, and for the file from the Emsi server.

The CNet one still has just the older version. The hashes are different.

But that's mainly it.

That's not good enough,... but again, there is nothing "malicious" as well.

My regards
