Chrome/FF Say KDE Neon UE ISO contains Virus/Malware!

rstrube
Registered Member
Posts
6
Karma
0
Hi Everybody,

I've been really impressed with KDE Neon - and I've recently installed the User LTS edition on my girlfriend's laptop. I wanted to set myself up with the non-LTS User Edition. After downloading the latest ISO, my browser alerts me that the ISO file contains a virus / malware. Not sure if this is a false positive, but it's definitively not good for PR. Can somebody on the Neon team take a look at this? I'm reluctant to install it at this point.

https://i.imgsafe.org/13985212e2.png

Rob
subdiff
Registered Member
Posts
59
Karma
0
I just downloaded the iso, got no warning, checked the signature and it was all right. But you downloaded from a different mirror, so it could be that this specific mirror is corrupted (seems to be a university in Poland).

To check the integrity of the specific file you downloaded (it's easy!), open Properties in Dolphin on your own PC, go to the Checksums tab and fill in the shasum from the website:
http://files.kde.org/neon/images/neon-u ... .sha256sum

Indeed, if the mirror is in fact corrupted, your verifying it by the checksum would help us all.

Note that this shasum file is hosted directly on the kde servers, so an attacker would need access to the mirror and the kde servers if he wanted to fake it... which minimizes the risk.
rstrube
Registered Member
Posts
6
Karma
0
Looks like the SHA256SUM matches the link that you provided. I'm creating the bootable USB drive in Windows at the moment, so I downloaded a checksum utility. See the screenshot below:

https://i.imgsafe.org/162373a57a.png

The real question is why do both FF and Chrome say the iso file contains a virus / malware?
rstrube
Registered Member
Posts
6
Karma
0
Couple things,

    I discovered that both FF and Chrome use Google's SafeBrowsing system. So if there's a false positive on that system, it will show warnings in both browsers.
    I tried to download the ISO from a specific mirror this time and I did NOT get the warning message from both FF and Chrome. Before I was letting the website automatically select a mirror for me.

The mirror that I explicitly chose which did NOT give me a warning message was:
http://mirror.its.dal.ca/kde-applicationdata/neon/images/neon-useredition/20170119-1018/neon-useredition-20170119-1018-amd64.iso
I also confirmed the checksums and everything looks good.

Unfortunately, I didn't record the mirror I downloaded from when I received the warning message. Perhaps Google SafeBrowsing has blacklisted that particular host? That's the only thing I can think of. Either way I think the report is a false positive for the ISO. I did try to connect to each of the mirrors via their TLDs and I did not get any warning messages. I don't have time to download the ISOs from each separate mirror, but I'll try to be more cognizant of where I download the ISOs from in the future.

It would be great to identify the host which caused the warning message.
subdiff
Registered Member
Posts
59
Karma
0
Thanks for further investigating! You can see the mirror you downloaded the "problematic" iso from on your screenshot. Indeed, we found out that this whole server by some Polish scientific institute was categorized as "Dangerous Downloads" by Google: https://www.google.com/transparencyrepo ... icm.edu.pl

The reason was maybe some random other file on the server not in any way related to the Neon images. So no worries. :)
nalvarez
Registered Member
Posts
7
Karma
0
rstrube wrote: Not sure if this is a false positive, but it's definitively not good for PR. Can somebody on the Neon team take a look at this? I'm reluctant to install it at this point.

Let us know if you find a way to report a false positive to Google Safe Browsing. I haven't found anything.
bcooksley
Administrator
Posts
19765
Karma
87
In regards to this thread:

a) We've notified all of our mirrors, asking them to check themselves against Google Safe Browsing, and provided details on what site operators can do to identify the URL(s) which Google objects to.

b) We've notified the mirror(s) directly which have been specifically identified as being flagged in this thread and have asked them to investigate and resolve the issue.

c) The file has been re-reported to Avast for additional review, as it would appear they haven't resolved the issue.


KDE Sysadmin
kde-jriddell
Registered Member
Posts
73
Karma
2
Reports of KDE neon Downloads Being Dangerous Entirely Exaggerated
http://jriddell.org/2017/01/21/reports- ... aggerated/
rstrube
Registered Member
Posts
6
Karma
0
Just to clarify, it wasn't my intention to exaggerate or be sensationalistic, I was only trying to help.

I'm a new KDE Neon user, and I thought that if I encountered a warning message about malware, others would too. I was hoping that by bringing it up, we could quickly get to the bottom of the issue.
