holdingthehead

Polaris office install


When I install Polaris Office on my computer, I get a flag to the effect that it is not safe. Could I get some feedback on this? Is it because of the sync feature or is it not what it purports to be?

17 hours ago, holdingthehead said:

When I install Polaris Office on my computer...

You mean the Polaris Office distributed via the website at the following address?

https://www.polarisoffice.com/en/

17 hours ago, holdingthehead said:

... I get a flag to the effect that it is not safe.

It's probably just the Behavior Blocker taking action because they didn't digitally sign their files like they should have. Can you take a screenshot of the notification for me? If I know what to look for, and what version of Windows you're using, then I can take a look at it and see if it's safe.

8 hours ago, holdingthehead said:

Here is the main notice, I believe.

That first screenshot shows a SHA1 hash. Copy it and paste it here, and I can search for it on VirusTotal.


5/5/2019 9:02:02 PM
Behavior Blocker detected suspicious behavior "CryptoMalware" of C:\Users\David\Downloads\PolarisOfficeInstaller_1553102723.exe (SHA1: 9B72078130CD2C3197ECFE5019B099C9E6167C71)

5/5/2019 9:02:08 PM
A notification message "Suspicious behavior has been found in the following program: C:\Users\David\Downloads\PolarisOfficeInstaller_1553102723.exe" has been shown

5/5/2019 10:40:03 PM
Behavior Blocker detected suspicious behavior "HiddenInstallation" of C:\Users\David\AppData\Roaming\PolarisOfficeLink\Update\POLinkUpdaterSwitcher.exe (SHA1: B64AC14B2FEDA312781DBA1C3401CD7A0F41C8C2)

5/5/2019 10:40:08 PM
Behavior Blocker detected suspicious behavior "HiddenInstallation" of C:\Users\David\AppData\Roaming\PolarisOfficeLink\POLinkUpdater.exe (SHA1: F27F9E7F34E213DF3503655E0F9840705B381B4C)

5/5/2019 10:40:18 PM
Behavior Blocker detected suspicious behavior "HiddenInstallation" of C:\Users\David\AppData\Roaming\PolarisOfficeLink\POLink.exe (SHA1: 38B87CEFF2EB7BFDBC2D95CF4342D940A4C1F73E)

5/5/2019 10:40:25 PM
Behavior Blocker detected suspicious behavior "Spyware" of C:\Users\David\AppData\Roaming\PolarisOfficeLink\POLinkSync.exe (SHA1: 365B8AC2878C85F85A94EF646BA20DCB6F08552B)

Plugging the first of your SHA1 hashes into the search field at VirusTotal finds their existing results page:

https://www.virustotal.com/en-gb/file/a5b4aa8ac10f289291a7a494aab6382060628a23d3b471323d299e7d386ccc1c/analysis/

which shows that on the day that file (which doesn't have the exact same name as your one, but apparently has the exact same contents, according to the hash) was first seen and analysed by VirusTotal (5th May), eight anti-malware products, not including EAM, thought it was suspicious.

I just downloaded from: https://www.polarisoffice.com/en/download a file named: PolarisOfficeInstaller_1553102723.exe - the same name as the file your screenshots show... but it does not have the SHA1 hash that your one does. I wonder why? Mine has: fb42449eab0d95ff76cb044a3e5cd5486b0061e2. When I uploaded my copy of the file to VirusTotal to be scanned, 14 products thought it was infected. See

https://www.virustotal.com/en-gb/file/0709dfd4a10ae08c6507ee77d483aef19b4726e12d090a1fe8d6960109b4f13b/analysis/1557406501/

(note that when I downloaded the file, I gave it a name starting with today's date: "20190509 PolarisOfficeInstaller_1553102723.exe" - but that will have made no difference to its contents.)

The fact that 8 (for your file) and 14 (for mine) products think the installer contains malware would make me steer well clear of it.

@GT500 - Maybe you can say whether the "hidden installation" warning is because the installer is running silently, or because it is also installing something as well as Polaris?

8 hours ago, JeremyNicoll said:

Maybe you can say whether the "hidden installation" warning is because the installer is running silently...

If it's running "silently", then that will trigger a Behavior Blocker alert as long as the file isn't digitally signed (or if we have the certificate they signed it with blacklisted).

I'll ask our malware analysts about this.


Our malware analysts have told me that the free version of this software is considered a Potentially Unwanted Program (PUP) due to the usage of InstallCore in its installer.

Would LibreOffice work as a replacement? They don't bundle questionable things with their installer.
https://www.libreoffice.org/
