irfanview 32bit-installer - Riskware detected by 1 on Virustotal.com


    Solved irfanview 32bit-installer - Riskware detected by 1 on Virustotal.com

    Hi there!

    Before installing the latest version of the 32-bit installer downloaded from irfanview.com via cnet.com, I checked the installer file on virustotal.com, where 1 engine detects Riskware.PEMalform: See screenshot linked below!

    https://www.bilder-upload.eu/bild-e4...24382.jpg.html

    I guess it's a false positive, but still...

    What's your take on this?

    Thanks!

    #2
    If you use the search box at top right, you will find several previous topics. Yes, of course, it is a false positive.

    Virustotal Results
    Before you post ... Edit your profile • IrfanView 4.62 • Windows 10 Home 19045.2486



      #3
      Thank you for your reply!

      I must admit I do not particularly like the wording
      "Yes, o[f] course, it is a false positive."
      You never know for sure, the more so if a file is downloaded _via_, i.e. actually _from_ a different site, as is the case here.
      I prefer what you said in another thread https://irfanview-forum.de/showthread.php?t=12100 on this topic, that I discovered only this morning:
      "In my experience, these alerts are always false positives."
      Just like you, I assume these are false positives, but as a security sensitive person I guess I won't be able to get the following picture out of my mind, which is the virustotal result for the version I am _currently_ using, giving me even worse results, ironically, haha:

      virustotal results for my present version also downloaded via irfanview

      I love my IrfanView, but unfortunately this leaves some bad taste in my mouth.

      The present installer is downloaded from cnet, and the following thread gives me some more doubts in that respect:
      some more doubts unfortunately

      In the end, I guess everybody has to make up their own minds whether they will be irritated by such doubts or continue to use IrfanView.

      Thanks again for your reply.



        #4
        You do not need to download it from CNET, in fact I'd urge you not to as that site is, allegedly, notoriously slack in regards to policing what may be included with its downloads. That IS probably why the IRFV download is being reported as a problem - it is not the installer it is where you're downloading from that is the trouble.

        The recommendation is always to download IRFV from the author's web site. Why that is not at the top of the list is probably because the others' inclusion is a revenue generator. But if you scroll down to the bottom of that list and click on "Other Download Sites (Mirrors)" and then scroll down to the bottom again you'll see: Alternative IrfanView download site.........

        This is, or should be, a link to the IRFV author's own web site and the one it is suggested you use. If you are worried about what you're downloading then make use of the SHA-256 checksums provided on the IRFV main download homepage. That is what they are there for.

        BTW you will need an up to date browser to enable the download - it does not like older versions of Firefox.
        Last edited by BadRobot2018; 13.09.2019, 11:27 PM. Reason: typo



          #5
          Here are the fresh results for 32-bit installer, just downloaded from FossHub: link

          A single positive - and from Yandex - while all the reputable services see no problem, this is a normal result, no need for bad taste in mouths.
          Using development versions of some open source programs - like RawTherapee - I tend to get much worse results, all kinds of "generic" alerts - these installers are unique, unsigned and often change on daily basis. On the other hand, they are built by experienced and trustworthy people. And since I am not a programmer, the least I can do is to report a bug here and there.

          And, as said, one can check the hashes and stay as safe as possible. There are many more dangerous things in this world.

          Have a nice day!
          IrfanView 4.62 64-bit



            #6
            @BadRobot2018
            Thank you for your comments which sound very reasonable!
            I didn't know about the download reputation of CNET alluded to, just remembered I went there for tech news many years ago, so sounded like a household name to me.

            If, what you are writing and the negative comments in the article linked above are true, then I have to say I think it's kind of unethical to provide that source as the _main_ download link on the home page, because that surely is the source most people will go to, no question about that.

            Following your reasonable suggestion to download just from the Irfanview path you are describing, unfortunately, I do get the same results (1 Riskware.PEMalform detected) on virustotal.com for both the present English and the German latest 32-bit installer version downloaded from irfanview.info.

            BTW, the version I am presently running (risks detected by even 3 on virustotal, linked in my previous post), was downloaded exactly from the path you are suggesting (from irfanview.info). I still have the screenshots as I always keep them until I uninstall in order to remember where I downloaded the files from:
            downloaded from irfanview.info 01
            downloaded from irfanview.info 01

            I've been running that version for a year now and never experienced any suspicious behaviour or even any Trojan as detected by 1 on virustotal.com, but I guess I wouldn't have installed it in the first place if I had seen these virustotal results at the time.

            So, again, I also think these are false positives, even because none of the big names detects anything suspicious, but it leaves some bad taste in my mouth and I'll have to make up my mind about how to proceed from here on.

            Thanks again for your comments!


            Edit:

            Thanks to @Jacal, too!
            Last edited by Nilreb91; 13.09.2019, 02:54 PM.



              #7
              Almost certainly a false positive then.

              A few 'bad reputation' reports can get a download blacklisted across a variety of AV/AM platforms with no diligence undertaken to determine the veracity of those reports or which particular web sites hosting the download were used. There is a better safe than sorry philosophy at work here but it can cause a domino effect as more AV/AM platforms simply add it to their blacklist rather than check it themselves.

              That may be what has happened.

              Although it is not impossible that the download has been compromised it is highly unlikely. If the checksums on the IRFV homepage match what you've downloaded from the author's web site then you can be pretty sure it is safe and any reports are false positives.
              Last edited by BadRobot2018; 15.09.2019, 12:20 AM.



                #8
                Originally posted by BadRobot2018:
                Although it is not impossible that the download has been compromised it is highly unlikely. If the checksums on the IRFV homepage match what you've downloaded from the author's web site then you can be pretty sure it is safe and any reports are false positives.
                I've now downloaded program and plugins from irfanview.info and both checksums do match, so I've decided to keep my beloved IRFV and install the latest versions.
                Thanks again to everybody who replied to my question.
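
The checksum comparison recommended in posts #4, #7 and #8, as an added example that is not part of any post in this thread and is not IrfanView's own tooling. The file names and sample bytes are constructed stand-ins; with a real download, the published value is the SHA-256 string copied from the author's download page.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"[0-9a-f]{64}")

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large installer is never loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalize_published(value):
    """Accept a checksum pasted from a web page: mixed case, spaces, 'SHA-256:' label."""
    cleaned = re.sub(r"(?i)^\s*sha-?256\s*[:=]?\s*", "", value)
    cleaned = re.sub(r"[\s:-]", "", cleaned).lower()
    if not HEX64.fullmatch(cleaned):
        raise ValueError("not a SHA-256 value (need 64 hex characters)")
    return cleaned

def verify_download(path, published):
    """True only if the file's SHA-256 equals the published value."""
    return hmac.compare_digest(sha256_file(path), normalize_published(published))

def verify_all(published_by_file):
    """Check several downloads (e.g. program and plugins); return {name: bool}."""
    return {Path(p).name: verify_download(p, h) for p, h in published_by_file.items()}

def demo():
    # Constructed sample data: stand-in bytes, not real IrfanView installers.
    with tempfile.TemporaryDirectory() as tmp:
        program = Path(tmp, "program_setup.exe")
        plugins = Path(tmp, "plugins_setup.exe")
        program.write_bytes(b"MZ constructed program bytes")
        plugins.write_bytes(b"MZ constructed plugin bytes")
        good = hashlib.sha256(b"MZ constructed program bytes").hexdigest()
        # Published value for the plugins is for different bytes: simulates a mismatch.
        other = hashlib.sha256(b"MZ some other build").hexdigest()
        return verify_all({str(program): "SHA-256: " + good.upper(), str(plugins): other})

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "OK" if ok else "MISMATCH - do not install")
```

A match shows the file is byte-for-byte the one the author published, whichever mirror it came from; a mismatch means the file should not be run, regardless of what any scanner reports.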
