Tadej Vodopivec, posted October 12, 2009

Hi!

I am considering installation of a squared antivirus free on one of my home computers as I found excellent reviews. I am sure you are doing great work.

I was not able to find any means to verify the integrity and authenticity of the installation file. My personal opinion is that an antivirus package is integrity-sensitive software (actually everything is, but as this will guard your integrity, here I'd go for the best available means to protect this).

I got quite puzzled after I found a few mutually "uncompatible" facts:

- Page http://www.emsisoft.com/en/software/free/ refers to a-squared Free 4.5 Version 4.5.0.21 - 10/7/2009
- Download buttons from that same page take me to http://download.cnet.com/A-squared-Free/3000-2239_4-10262215.html where a 52,45 Mb (older - I do not have the exact version at hand) version is presented, submitted May 19, 2009. No cryptographic signature is available (such as Authenticode or at least MD5).
- I found 4.6.0.21 as a Google hit on http://www.filehippo.com/download_asquared/ . But I could not get any reference from the official a squared site to FileHippo. FileHippo itself provides an MD5 signature, but no reference from a squared. The FileHippo site is also hiding its "physical identity" - no reference to a legal entity on the home page, the domain is registered through a proxy, ... so - no trust hook to grab. Even no HTTPS anywhere...

I would really like to see the distribution digitally signed by you using a trusted code signing certificate, or at least a SHA1 or SHA256 signature posted on your official HTTPS page.

As you operate as a "virtual company", I am sure you do implement internal security controls to assure the integrity of your final deliverables, to mitigate the obvious risk for integrity. But it is really needed to demonstrate it at the front-end, at least in your branch.

I hope you take this as a useful hint.

Thank you.

Tadej Vodopivec, CISSP, CISA, CBCP

BTW, there is a thread "Corrupted A-Square Updates" on your forum, where the user is concerned about the integrity of updates. If the updates were signed, your statement about this being Avira's FP would sound much stronger in the ears of an average information security skeptic :-) Which mechanism do you use to protect the updates' integrity?

I'd also appreciate using HTTPS when I am logged into your forum, to protect my session cookies flying around. Since I decided to use my real name for registration, the identity is a concern.

Christian Mairoll, posted October 12, 2009

All our binaries are digitally signed. Open the file properties and switch to the Digital signature tab. If the signature is shown 'valid', you can be sure that the file was published by Emsi Software and not manipulated.

Tadej Vodopivec (Author), posted October 12, 2009

> All our binaries are digitally signed. Open the file properties and switch to the Digital signature tab. If the signature is shown 'valid', you can be sure that the file was published by Emsi Software and not manipulated.

Ummmm... I do not get any Digital Signature tab, as I do for TrueCrypt for example (screenshot images can be sent via e-mail). Is the digital signature in the exe itself or in something that extracts out of the exe?

Here is the SHA256 checksum of the file I transferred from FileHippo.

    fsum -sha256 a2FreeSetup.exe

    SlavaSoft Optimizing Checksum Utility - fsum 2.52.00337
    Implemented using SlavaSoft QuickHash Library <www.slavasoft.com>
    Copyright © SlavaSoft Inc. 1999-2007. All rights reserved.

    ; SlavaSoft Optimizing Checksum Utility - fsum 2.52.00337 <www.slavasoft.com>
    ;
    ; Generated on 10/12/09 at 12:16:14
    ;
    7dc35e23150e855ba4f21476a4985fdce1e6a67b54bc01df38eab95065d93a36 ?SHA256*a2FreeSetup.exe

Can you please check if this is OK for a squared free 4.5.0.21?

Thank you.

Tadej

Fabian Wosar, posted October 12, 2009

> I do not get any Digital Signature tab, as I do for TrueCrypt for example (screenshot images can be sent via e-mail). Is digital signature in the exe itself or in something that extracts out of exe?

We use embedded Authenticode signatures. And in fact if I download the a-squared Free setup from our servers (http://download1.emsisoft.com/a2FreeSetup.exe) I do in fact have a file with a digital signature:

    sigcheck v1.60 - sigcheck
    Copyright (C) 2004-2009 Mark Russinovich
    Sysinternals - www.sysinternals.com

    c:\users\administrator\downloads\a2FreeSetup.exe:
        Verified: Signed
        Signing date: 12:54 PM 10/12/2009
        Strong Name: Unsigned
        Publisher: Emsi Software GmbH
        Description: a-squared Free Setup
        Product: a-squared Free
        Version: 4.5
        File version: 4.5
        MD5: 61c8facbf9d6d1233a8e3e9f5988cd35
        SHA1: 6fdc843de2bf6e31ca4db3e4c07c16e8e2985f62
        SHA256: 5d4288e80533d1116aec1da2d5b1abe543ba77ae9ff3948eb9908835eaa8b249

As have all files included in the setup:

    c:\program files (x86)\a-squared free\a2cmd.exe:
        Verified: Signed
        Signing date: 12:58 PM 10/12/2009
        Strong Name: Unsigned
        Publisher: Emsi Software GmbH
        Description: a-squared Command Line Scanner
        Product: a-squared
        Version: 4.5.0.0
        File version: 4.5.0.8
    c:\program files (x86)\a-squared free\a2framework.dll:
        Verified: Signed
        Signing date: 12:58 PM 10/12/2009
        Strong Name: Unsigned
        Publisher: Emsi Software GmbH
        Description: a-squared framework module
        Product: a-squared
        Version: 4.5.0.0
        File version: 4.5.0.15
    c:\program files (x86)\a-squared free\a2free.exe:
        Verified: Signed
        Signing date: 12:58 PM 10/12/2009
        Strong Name: Unsigned
        Publisher: Emsi Software GmbH
        Description: a-squared Free
        Product: a-squared Free
        Version: 4.5.0.0
        File version: 4.5.0.21
    c:\program files (x86)\a-squared free\a2freecontmenu.dll:
        Verified: Signed
        Signing date: 12:58 PM 10/12/2009
        Strong Name: Unsigned
        Publisher: Emsi Software GmbH
        Description: a-squared Free shell extension
        Product: a-squared Free
        Version: 4.5.0.0
        File version: 4.5.0.1
    c:\program files (x86)\a-squared free\a2freecontmenu64.dll:
        Verified: Signed
        Signing date: 12:58 PM 10/12/2009
        Strong Name: Unsigned
        Publisher: Emsi Software GmbH
        Description: a-squared Free shell extension
        Product: a-squared Free
        Version: 4.5.0.0
        File version: 4.5.0.1
    c:\program files (x86)\a-squared free\a2service.exe:
        Verified: Signed
        Signing date: 12:58 PM 10/12/2009
        Strong Name: Unsigned
        Publisher: Emsi Software GmbH
        Description: a-squared Service
        Product: a-squared
        Version: 4.5.0.0
        File version: 4.5.0.31
    c:\program files (x86)\a-squared free\a2upd.exe:
        Verified: Signed
        Signing date: 12:58 PM 10/12/2009
        Strong Name: Unsigned
        Publisher: Emsi Software GmbH
        Description: a-squared replacement tool
        Product: a-squared
        Version: 4.5.0.0
        File version: 4.5.0.2
    c:\program files (x86)\a-squared free\a2update.dll:
        Verified: Signed
        Signing date: 12:58 PM 10/12/2009
        Strong Name: Unsigned
        Publisher: Emsi Software GmbH
        Description: a-squared update module
        Product: a-squared
        Version: 4.5.0.0
        File version: 4.5.0.23
    c:\program files (x86)\a-squared free\engine.dll:
        Verified: Signed
        Signing date: 12:58 PM 10/12/2009
        Strong Name: Unsigned
        Publisher: Emsi Software GmbH
        Description: a-squared Engine SDK
        Product: a-squared
        Version: 4.5.0.0
        File version: 4.5.0.41
    c:\program files (x86)\a-squared free\t3.dll:
        Verified: Signed
        Signing date: 10:42 AM 9/2/2009
        Strong Name: Unsigned
        Publisher: IKARUS Security Software
        Description: T3 Extended Virus Engine (EVE)
        Product: T3
        Version: 1.1.72.0
        File version: 1.1.72.0
    c:\program files (x86)\a-squared free\unins000.exe:
        Verified: Signed
        Signing date: 12:58 PM 10/12/2009
        Strong Name: Unsigned
        Publisher: n/a
        Description: Setup/Uninstall
        Product: n/a
        Version: n/a
        File version: 51.50.0.0
    c:\program files (x86)\a-squared free\vdbupdate.dll:
        Verified: Signed
        Signing date: 9:51 AM 2/13/2009
        Strong Name: Unsigned
        Publisher: Ikarus Software GmbH
        Description: vdbupdatedll
        Product: VdbUpdate
        Version: 1.32.6
        File version: 1.32.6

Fabian Wosar, posted October 12, 2009

The download available at FileHippo is signed as well:

    sigcheck v1.60 - sigcheck
    Copyright (C) 2004-2009 Mark Russinovich
    Sysinternals - www.sysinternals.com

    c:\users\administrator\downloads\a2FreeSetup (1).exe:
        Verified: Signed
        Signing date: 1:06 PM 10/12/2009
        Strong Name: Unsigned
        Publisher: Emsi Software GmbH
        Description: a-squared Free Setup
        Product: a-squared Free
        Version: 4.5
        File version: 4.5
        MD5: 61c8facbf9d6d1233a8e3e9f5988cd35
        SHA1: 6fdc843de2bf6e31ca4db3e4c07c16e8e2985f62
        SHA256: 5d4288e80533d1116aec1da2d5b1abe543ba77ae9ff3948eb9908835eaa8b249

Tadej Vodopivec (Author), posted October 12, 2009

Occasionally, I get a damaged/malicious version from FileHippo and CNET (from CNET I also noticed that they serve me with 4.5.0.0. instead of 4.5.0.21) without a signature. I kept one such version so I can submit it to you if necessary.

Using Firefox today (via network 1), I always got a signed version. On Saturday I used network 2 and got unsigned (malicious? counterfeited?) versions. Using IE, I got several unsigned versions from CNET and FileHippo.

When accessing your site, I experienced several errors - the forum not available once, and the complete site unavailable, serving a quite descriptive error (I can submit the screenshot if needed).

I have a signed version that I'm pretty sure is authentic, so I solved my basic problem.

Best regards and thank you,
Tadej

Lynx, posted October 13, 2009

> Occasionally, I get damaged/malicious version from FileHippo and CNET

Hi Tadej Vodopivec,

Welcome to the forum.

First of all, none of the downloads mentioned and available are "malicious". What makes you think they are? All are digitally signed as Fabian said, and that applies to downloaded Setups and installed Software (just check the "Properties").

The only problem that exists currently is the following: Late last night I downloaded files from Hippo; from the EMSI server; and from CNet. The hashes are equal for the Hippo setup, as Fabian posted, and for the file from the Emsi server. The CNet one still has just the older version. The hashes are different.

But that's mainly it. That's not good enough,... but again - there is nothing "malicious" as well.

My regards

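The comparison described in the posts above (same installer fetched from several sources, then checked for signature state, publisher and hash) can be automated over saved sigcheck output. This is an added example, not part of the original thread: the first two records are taken from the sigcheck output posted above, the third record and its path are constructed, and the function names are assumptions.

```python
EXPECTED_PUBLISHER = "Emsi Software GmbH"  # publisher shown in the thread's sigcheck output

# First two records come from the thread; "cnet-copy.exe" is a constructed
# unsigned file with a placeholder hash, added to show a failing case.
SAMPLE = r"""
c:\users\administrator\downloads\a2FreeSetup.exe:
    Verified: Signed
    Signing date: 12:54 PM 10/12/2009
    Publisher: Emsi Software GmbH
    SHA256: 5d4288e80533d1116aec1da2d5b1abe543ba77ae9ff3948eb9908835eaa8b249
c:\users\administrator\downloads\a2FreeSetup (1).exe:
    Verified: Signed
    Signing date: 1:06 PM 10/12/2009
    Publisher: Emsi Software GmbH
    SHA256: 5d4288e80533d1116aec1da2d5b1abe543ba77ae9ff3948eb9908835eaa8b249
c:\downloads\cnet-copy.exe:
    Verified: Unsigned
    Publisher: n/a
    SHA256: 0000000000000000000000000000000000000000000000000000000000000000
"""

def parse_sigcheck(text):
    """Split sigcheck text output into {file path: {field: value}}."""
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = records.setdefault(line.rstrip()[:-1], {})  # new file record
        elif current is not None:
            key, _, value = line.strip().partition(":")  # first colon only
            current[key.strip()] = value.strip()
    return records

def audit(records, reference_path):
    """List the problems found for each copy, relative to the vendor-hosted reference."""
    ref_hash = records[reference_path]["SHA256"].lower()
    findings = {}
    for path, rec in records.items():
        problems = []
        if rec.get("Verified") != "Signed":
            problems.append("no valid signature")
        if rec.get("Publisher") != EXPECTED_PUBLISHER:
            problems.append("unexpected publisher")
        if rec.get("SHA256", "").lower() != ref_hash:
            problems.append("hash differs from reference")
        findings[path] = problems
    return findings
```

A hash mismatch on its own can simply mean a different release, as with the older CNet build mentioned above; a missing signature or an unexpected publisher is the finding that should stop an install.
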