Thread: irfanview 32bit-installer - Riskware detected by 1 on Virustotal.com

  1. #1

    irfanview 32bit-installer - Riskware detected by 1 on Virustotal.com

    Hi there!

    Before installing the latest version of the 32-bit installer downloaded from irfanview.com via cnet.com, I checked the installer file on virustotal.com, where 1 engine detects Riskware.PEMalform: See screenshot linked below!

    https://www.bilder-upload.eu/bild-e4...24382.jpg.html

    I guess it's a false positive, but still...

    What's your take on this?

    Thanks!

  2. #2
    Bhikkhu Pesala (Moderator)

    If you use the search box at top right, you will find several previous topics. Yes, or course, it is a false positive.

    Virustotal Results

  3. #3

    Thank you for your reply!

    I must admit I do not particularly like the wording
    "Yes, o[f] course, it is a false positive."
    You never know for sure, the more so if a file is downloaded _via_, i.e. actually _from_ a different site, as is the case here.
    I prefer what you said in another thread https://irfanview-forum.de/showthread.php?t=12100 on this topic, that I discovered only this morning:
    "In my experience, these alerts are always false positives."
    Just like you, I assume these are false positives, but as a security sensitive person I guess I won't be able to get the following picture out of my mind, which is the virustotal result for the version I am _currently_ using, giving me even worse results, ironically, haha:

    virustotal results for my present version also downloaded via irfanview

    I love my IrfanView, but unfortunately this leaves some bad taste in my mouth.

    The present installer is downloaded from cnet, and the following thread gives me some more doubts in that respect:
    some more doubts unfortunately

    In the end, I guess everybody has to make up their own minds whether they will be irritated by such doubts or continue to use IrfanView.

    Thanks again for your reply.

  4. #4

    You do not need to download it from CNET, in fact I'd urge you not to as that site is, allegedly, notoriously slack in regards to policing what may be included with its downloads. That IS probably why the IRFV download is being reported as a problem - it is not the installer it is where you're downloading from that is the trouble.

    The recommendation is always to download IRFV from the author's web site. Why that is not at the top of the list is probably because the others' inclusion is a revenue generator. But if you scroll down to the bottom of that list and click on "Other Download Sites (Mirrors)" and then scroll down to the bottom again you'll see: Alternative IrfanView download site.........

    This is, or should be, a link to the IRFV author's own web site and the one it is suggested you use. If you are worried about what you're downloading then make use of the SHA-256 checksums provided on the IRFV main download homepage. That is what they are there for.

    BTW you will need an up to date browser to enable the download - it does not like older versions of Firefox.
    Last edited by BadRobot2018; 13.09.2019 at 10:27 PM. Reason: typo

  5. #5
    Jacal

    Here are the fresh results for 32-bit installer, just downloaded from FossHub: link

    A single positive - and from Yandex - while all the reputable services see no problem, this is a normal result, no need for bad taste in mouths.
    Using development versions of some open source programs - like RawTherapee - I tend to get much worse results, all kinds of "generic" alerts - these installers are unique, unsigned and often change on a daily basis. On the other hand, they are built by experienced and trustworthy people. And since I am not a programmer, the least I can do is to report a bug here and there.

    And, as said, one can check the hashes and stay as safe as possible. There are many more dangerous things in this world.

    Have a nice day!
    IrfanView 4.53 (64-bit as the default image viewer, 32-bit for comparison)
    PC: Windows 10, i5 CPU, 16 GB RAM, GPU 4 GB RAM
    Laptop: Windows 10, i3 CPU, 8 GB RAM, no dedicated GPU

  6. #6

    @BadRobot2018
    Thank you for your comments which sound very reasonable!
    I didn't know about the download reputation of CNET alluded to, just remembered I went there for tech news many years ago, so sounded like a household name to me.

    If what you are writing and the negative comments in the article linked above are true, then I have to say I think it's kind of unethical to provide that source as the _main_ download link on the home page, because that surely is the source most people will go to, no question about that.

    Following your reasonable suggestion to download just from the Irfanview path you are describing, unfortunately, I do get the same results (1 Riskware.PEMalform detected) on virustotal.com for both the present English and the German latest 32-bit installer version downloaded from irfanview.info.

    BTW, the version I am presently running (risks detected by even 3 on virustotal, linked in my previous post), was downloaded exactly from the path you are suggesting (from irfanview.info). I still have the screenshots as I always keep them until I uninstall in order to remember where I downloaded the files from:
    downloaded from irfanview.info 01
    downloaded from irfanview.info 01

    I've been running that version for a year now and never experienced any suspicious behaviour or even any Trojan as detected by 1 on virustotal.com, but I guess I wouldn't have installed it in the first place if I had seen these virustotal results at the time.

    So, again, I also think these are false positives, even because none of the big names detects anything suspicious, but it leaves some bad taste in my mouth and I'll have to make up my mind about how to proceed from here on.

    Thanks again for your comments!


    Edit:

    Thanks to @Jacal, too!
    Last edited by Nilreb91; 13.09.2019 at 01:54 PM.

  7. #7

    Almost certainly a false positive then.

    A few 'bad reputation' reports can get a download blacklisted across a variety of AV/AM platforms with no diligence undertaken to determine the veracity of those reports or which particular web sites hosting the download were used. There is a better safe than sorry philosophy at work here but it can cause a domino effect as more AV/AM platforms simply add it to their blacklist rather than check it themselves.

    That may be what has happened.

    Although it is not impossible that the download has been compromised it is highly unlikely. If the checksums on the IRFV homepage match what you've downloaded from the author's web site then you can be pretty sure it is safe and any reports are false positives.
    Last edited by BadRobot2018; 14.09.2019 at 11:20 PM.

  8. #8

    Originally posted by BadRobot2018:
    "Although it is not impossible that the download has been compromised it is highly unlikely. If the checksums on the IRFV homepage match what you've downloaded from the author's web site then you can be pretty sure it is safe and any reports are false positives."

    I've now downloaded program and plugins from irfanview.info and both checksums do match, so I've decided to keep my beloved IRFV and install the latest versions.
    Thanks again to everybody who replied to my question.
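
The checksum comparison recommended in posts #4 and #7 and carried out in post #8, as an added PowerShell example that is not part of the original thread. The function name `Test-PublishedSha256`, the file names and the `<...>` values are placeholders; the only real hash used is the standard SHA-256 test vector for "abc", which serves as a constructed self-check.

```powershell
# Added example: compare a downloaded file's SHA-256 with the value published
# on the author's download page. Names and expected values are placeholders.
function Test-PublishedSha256 {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected
    )
    # Published values are often pasted with spaces, dashes or mixed case.
    $want = ($Expected -replace '[\s-]', '').ToUpperInvariant()
    if ($want -notmatch '^[0-9A-F]{64}$') {
        throw "Expected value is not a 64-digit hex SHA-256: '$Expected'"
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $got = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()
    [pscustomobject]@{
        File     = Split-Path -Leaf $Path
        Match    = ($got -eq $want)
        Computed = $got
        Expected = $want
    }
}

# Constructed self-check: a 3-byte file containing "abc", hashed against the
# standard SHA-256 test vector for that input. Match should be True.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'sha256-selfcheck.bin'
[System.IO.File]::WriteAllBytes($tmp, [byte[]](0x61, 0x62, 0x63))
Test-PublishedSha256 -Path $tmp `
    -Expected 'ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad'
Remove-Item -LiteralPath $tmp

# Real use: one entry per downloaded file (program and plugins), with the
# value copied from the download page. Uncomment and fill in the placeholders.
# $published = @{
#     '.\<program-installer>.exe' = '<SHA-256 from the download page>'
#     '.\<plugins-installer>.exe' = '<SHA-256 from the download page>'
# }
# $published.GetEnumerator() |
#     ForEach-Object { Test-PublishedSha256 -Path $_.Key -Expected $_.Value } |
#     Format-Table File, Match -AutoSize
```

A `Match` of `True` means the file is byte-for-byte identical to the one the published checksum was computed for; `False` means the download differs and should not be run.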
