Possible virus in OSMC installer? [update: probably false alarm]

Hi there,

Just downloaded the osmc-installer for Windows in an attempt to fix my other issue. Malwarebytes flagged it as dangerous and put it in quarantine. I trust the source so marked it as safe and ran it but now I can no longer download any files from the Internet, they are renamed to random characters and it’s saying I don’t have access to my Downloads folder.

I’ll update with any further information but I think you should check at your end just in case.

The file downloaded perfectly, and after removing from quarantine ran and installed on an SD card. However I then noticed the error immediately downloading an unrelated file. I tested it re-downloading the OSMC file and this one also would no longer download.

It appears that something, in that exact moment, removed permissions from my Downloads folder, which I’ve reinstated and resolved the issue.

It will be a false positive. You can check it with a website like VirusTotal or search here where this has been covered many times before over the years.

That’s not a very convincing argument though, 10/71 scanners mark it as bad!

As I’ve said before, if you don’t trust the OSMC installer, you should not trust it as an OS to run on your device.

I refuse to pay antivirus companies money to whitelist us. That is extortion as a service. The limited funds this project does get can be spent better.

They don’t. VirusTotal is reporting 0 known detections. See VirusTotal

Where are you seeing that 10 antivirus programs have flagged the installer as malicious?


This was my result after submitting the download: VirusTotal

Thanks. I was mobile earlier and uploaded the URL from my phone and can see only the URL was tested, not the file.

Indeed the file returns 11/71 reports when directly uploaded. That’s disappointing. But as you can see some are ‘reputation’ based or because of the file’s format.

My suggestion if you are concerned is to stop using OSMC immediately. The source code for this installer is at GitHub - osmc/osmc: OSMC (Open Source Media Center) is a free and open source media center distribution. But if you think the installer is problematic I would not run an OS by the same distributor on another device with entire access to your network.

See

What usually happens is that every time we update the installer, a lot of AVs flag us initially due to lack of ‘reputation’. Once that installer version matures and has been seen out in the wild for a while, it settles down.

I’m hoping that us getting our installers signed with a digital certificate in the near future will improve our reputation, but otherwise there is not so much we can do. We use WinRar’s SFX module to package the installer and automatically run and I suspect that packing technique is what gets us some unnecessary attention.

Cheers

Sam


Having worked in the security business, many of the findings’ threat levels are elevated to create FUD to raise subscription numbers.
That being said, running a Windows system in itself is already a security nightmare, because security has to happen in the core, not taped on top of it with an AntiVirus software (as big tech firms tend to tell us). This is just a huge $$$ market and stating otherwise would harm their business.

The big advantage of opensource software really is that you can check the source-code yourself.
If you want to be on the secure side (and that is what I do), make sure the md5 sums (or sha256 if available) match those from the download site.

But to be on the very safe side, download the disk-image and install it manually on the device’s sd-card if you want with the software (disk imager) of your choice. Of course, “dd” is your friend too (on the linux command line).
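
The checksum comparison suggested in the post above, written out as an added example; it is not part of the thread and not OSMC's own tooling. The function name `verify_download` is hypothetical, and the expected value is assumed to be the md5 or sha256 string published on the download page.

```shell
#!/bin/sh
# Added example (not from the thread): check a downloaded image or installer
# against a published checksum before running it or writing it to an SD card.

# verify_download FILE EXPECTED_HEX
# The algorithm is picked from the digest length:
#   32 hex characters = MD5, 64 hex characters = SHA-256.
# Returns 0 on match, 1 on mismatch, 2 on a usage or format error.
verify_download() {
    file=$1
    # Normalise the published value: lowercase, no surrounding whitespace.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    case $expected in
        *[!0-9a-f]*|'') echo "expected value is not hex" >&2; return 2 ;;
    esac

    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "unsupported digest length ${#expected}" >&2; return 2 ;;
    esac

    # md5sum/sha256sum print "<digest>  <filename>"; keep only the digest.
    actual=$("$tool" "$file" | cut -d' ' -f1) || return 2

    if [ "$actual" = "$expected" ]; then
        echo "OK ($tool): $file"
        return 0
    fi
    echo "MISMATCH ($tool): $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```

A matching checksum taken from the same site as the download shows the file arrived intact; it does not by itself show that the site served the file its developers built.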

As you’ll see in my original thread, I’d already gone ahead and used the installer because I trusted the source.

I’ve since run Windows Defender, and Malwarebytes Pro, across all drives and found nothing.

Sorry for any worry but I was genuinely worried for a while, the Downloads folder going wrong was a step too far.

No worries. But this is what our “software” society targets to nowadays. And sadly, it tends to work.

This is a very big delusion. You CANNOT check the source code yourself. You can do it theoretically, but in practice it is nearly impossible. It is much safer to use closed source like Windows developed by a single company than using open source written by thousands of programmers with unclear motivation. There was a fresh example recently when all contributions of one programmer were removed from Linux.

I never said it was easy…

It is true that the sourcecode provided by one developer would be the most secure (as you tend to not change focus and context during the development cycle). But, having a corporation on top, telling developers what to do and how, and especially where most managers are just that, managers (who never coded a bit), getting their news and advice from the hype created by other companies (where the management problem is the same) is exactly the problem opensource does not have.
Those guys on top lead to make top $$$. They don’t care about solidity, security as long as the sales numbers are right.

IMHO, I prefer to have the option to verify the code myself, let thousands of developers check the code because I, as a developer myself, would have missed something. And also, the freedom to use it the way I see fit.

I don’t agree. I have not worked for MS, but AFAIK their managers are “old” programmers. Young coders write until they are 20-25 years old and when they reach 30-35 they become managers. I know in many software companies managers are not (active) programmers but it is not true for all companies.

From experience (35 years now), managers are usually those who remain in position because they find nothing better for lack of skills. And very rare are good managers.
But this is getting off topic. You gave your opinion, I gave mine. So let’s leave it there.
