certificate fail and checksum fail on download



NewsArchive
10-30-2019, 01:15 PM
Hi,

First, the program and the install work fine. However, I had this one
possible new client that when he downloaded our demo, and even our real
program, I got a certificate fail. So I managed to bypass the fail
through windows, then got the message from setupbuilder that the
integrity check failed.. at which point I quit.

I copied our install via our screen sharing program, and it worked fine.

When I looked at the downloaded files, they seemed to be there, right
number of bytes, digital signature looked good, but they failed anyway.
I checked our download out, and it worked fine.

So obviously there was something on the computer that did something to
the file. I thought I'd run it by you on this thread to see if anyone
else has had an issue like this. It's only happened this one time, so
far, but if I can get an answer, that would be great to understand it.

Thanks,

--
Ray Rippey
VMT Software

NewsArchive
10-30-2019, 01:16 PM
Ray,

You have two things telling you the same story -
the file your potential client downloaded does not exactly match the
file you created.

Typically that would be because his internet connection choked or his
antivirus mangled your file.

But if you have either a certificate fail or a SB integrity fail,
there's no point in having someone try to install that file.

What happens if he tries again on a different computer?

jf

NewsArchive
10-30-2019, 01:17 PM
It was a new computer.. I don't think he had another one. We tried it
and we knew it worked on other clients computers. I used our screenshare
to copy the install over to his computer, and it worked fine.

We're pretty sure the download messed it up. But it was weird. The file
showed the 78mb of the file (files.. we did it 3 times, even once on a
completely different file). We realized later that the downloads took
about 2 seconds, so that was a good indication the file couldn't have
downloaded correctly.

However, how the file(s) all showed the 78mb size in windows explorer
remains a mystery to me.

I'm just curious more than anything.

Ray Rippey
VMT Software


> What happens if he tries again on a different computer?

NewsArchive
10-30-2019, 01:17 PM
> I'm just curious more than anything.

What version of windows were they using and what browser was used to
download your installer?

What you describe is quite likely a compromised installer or your
program inside.

If you still have the installer, if you can setup a vmware guest with
no network access, could you install this dodgy installer and find out
if your program hashes have changed? If they haven't, then it's possible
the installer may be compromised in some way, it might be doing stuff to
windows like creating a new user with remote access or any number of
things to compromise a system.

Thing is installers are perfect attack vectors to compromising a system
so you & I and every other software company is an attack vector.

Has your customer seen any of these weird behaviours?

Since the latest updates to Win10 1903 came down which forced all users
of VMware to upgrade to Player/workstation 15.5 (see a thread in
c.l.c.), I have been experiencing at least once or twice a day, website
certificate errors with MS Edge for some international big companies,
eg MS and Dailymail.

I've never seen so many website certificate errors happening over so
many days now, but I would suspect web browsers are primary attack
vectors.

Youtube (a google company) also seems to do some pretty funky stuff to
the computer, where the cpu fan spins up to max for periods of time and
it has crossed my mind that they might be testing windows systems,
considering how Google likes to embarrass MS over zero days etc and
Google does also have the best intelligence website for zero days,
namely virustotal. A bit conspiratorial of me, but other big business
have done questionable things in the past, so why not Google?<vbg>

It is a case of who do you trust.<g>

--
-- Richard

NewsArchive
10-30-2019, 01:18 PM
Hi Richard,

> I've never seen so many website certificate errors happening over so many
> days now, but I would suspect web browsers are primary attack vectors.

Those are very rare. Been years since I saw one last time.

> Youtube (a google company) also seems to do some pretty funky stuff to
> the computer, where the cpu fan spins up to max for periods of time and

Video and buffering require quite a bit of power, so it's no big
surprise that the CPU may heat up a bit. The only time I can hear the
CPU fan in my machines rev up is at initial startup and when I'm
rendering videos or doing image processing on large images.

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
10-30-2019, 01:18 PM
> Those are very rare. Been years since I saw one last time.

Attached is a screen shot of one from last night trying. What's
interesting is MS Edge opens automatically when I log in and loads a
webpage up which is not a book marked window and not my home page or
blank new tab. There is also nothing in the sysinternals Autoruns which
shows MS Edge is supposed to run when logging in so I need to find out
what's been done to this laptop. The amount of hacking on my systems is
one of the reasons why I had to shut my company down. I'm also mindful
of events that took place when I was a kid as well which could all be
related.

In the zip is also a screenshot of the sysinternals tcpview where I
have connections going to 1.1.1.1 yet my nic is set up to get the dns
from the router.

Something going on and I don't know what, but it stinks more than a
manure pile of incompetence.<vbg>

--
-- Richard

NewsArchive
10-30-2019, 01:19 PM
Well, it wasn't our installer. I bypassed the security certificate
through windows... then the installer started to work, but the built in
checksum check in setupbuilder said it didn't pass muster, so I quit. So
really the certificate and setupbuilder both did their job perfectly.

That narrowed it down to the download. I used their google chrome to
download it. I don't suspect google is the problem. I should have tried
the edge browser though, just as an experiment. Then again, it was a
possible new client and didn't have time to mess around that much. He
was very patient though. In the end I copied it via screenconnect.

If the files would have been 0bytes or less than normal, I would have
just said the download failed. But since it was 78mb, I was curious.

He could have had some kind of virus that injected code into our
installer while it was downloading. I didn't run a virus check on his
computer.

We may never know... the mystery continues.

Ray Rippey
VMT Software

> What you describe is quite likely a compromised installer or your
> program inside.

NewsArchive
10-30-2019, 01:20 PM
Did you do a binary comparison of the downloaded file to the original?

Did you try zipping the exe and downloading the zip?

Jeff Slarve
www.jssoftware.com


Bits and Bytes are Dy-No-Myte
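
Added example, not part of the thread or of any poster's code: one way to do the binary comparison asked about above, in Python. It reports whether the sizes and SHA-256 hashes match, the offset of the first differing byte, and whether the downloaded copy is all zero bytes from that point on. The file names and sample data in `demo()` are constructed, and the zero-fill check is an assumption about what is worth looking for when a file shows its full size but fails verification.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so a large installer never has to fit in memory

def tail_is_zero(path, start):
    """True if every byte of `path` from offset `start` onward is 0x00."""
    with open(path, "rb") as fh:
        fh.seek(start)
        return not any(any(block) for block in iter(lambda: fh.read(CHUNK), b""))

def compare_files(original, downloaded):
    """One pass over both files: sizes, SHA-256, first differing offset, differing bytes."""
    size_a, size_b = Path(original).stat().st_size, Path(downloaded).stat().st_size
    ha, hb = hashlib.sha256(), hashlib.sha256()
    first_diff, diff_bytes, offset = None, 0, 0
    with open(original, "rb") as a, open(downloaded, "rb") as b:
        while True:
            x, y = a.read(CHUNK), b.read(CHUNK)
            if not x and not y:
                break
            ha.update(x)
            hb.update(y)
            if x != y:
                mismatches = [i for i, (p, q) in enumerate(zip(x, y)) if p != q]
                diff_bytes += len(mismatches)
                if first_diff is None:
                    # no mismatch inside the overlap means one file simply ended early
                    first_diff = offset + (mismatches[0] if mismatches else min(len(x), len(y)))
            offset += max(len(x), len(y))
    return {
        "same_size": size_a == size_b,
        "sha256": (ha.hexdigest(), hb.hexdigest()),
        "first_diff": first_diff,
        "diff_bytes": diff_bytes,  # counted over the common length only
        # a zero-filled remainder would mean the file has its full size but no real data
        "zero_tail": tail_is_zero(downloaded, first_diff)
        if first_diff is not None and first_diff < size_b else None,
    }

def demo():
    """Constructed sample: right size on disk, but only the first 4 KiB is real data."""
    good = bytes(i % 251 + 1 for i in range(20000))  # constructed, contains no 0x00
    bad = good[:4096] + bytes(len(good) - 4096)       # same length, zero-filled remainder
    with tempfile.TemporaryDirectory() as d:
        orig, down = Path(d, "original.bin"), Path(d, "downloaded.bin")
        orig.write_bytes(good)
        down.write_bytes(bad)
        return compare_files(orig, down)
```

Calling `compare_files()` with the path of the known-good installer and the path of the failing download gives the same report for real files.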

NewsArchive
10-30-2019, 01:21 PM
No, I should have.. but was in a hurry... potential customer and didn't
want to look like a complete idiot because our software didn't download
right.

Even though it may not be our fault, it's our fault.

But I'll bet the file was not the same... or it would have worked. And
we had customers that had downloaded the same file earlier in the day,
plus we downloaded it and installed it to be sure.



Ray Rippey
VMT Software

On 10/16/19 11:15 AM, Jeff Slarve wrote:
> Did you do a binary comparison of the downloaded file to the original?

NewsArchive
10-30-2019, 01:26 PM
> And we had
> customers that had downloaded the same file earlier in the day, plus we
> downloaded it and installed it to be sure.

Was this downloaded all from the same internet connection with
different machines, or different locations/offices?

If the latter, then different internet routes to your server hosting
the installer could explain the problem. I'm beginning to wonder if
there is some sort of infrastructure insertion attack taking place.
Considering the number of young people in IT today, experience is
lacking.

--
-- Richard

NewsArchive
10-30-2019, 01:27 PM
Hi Ray,

> Even though it may not be our fault, it's our fault.

We've been in this long enough to know that it is ALWAYS our fault, even
if it was the customer who unplugged the computer and crashed
everything<g>

Best regards,


--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
10-30-2019, 01:27 PM
Every now and again a customer will call on the phone and tell me their
computer is getting an error and won't boot up. Way back when we'd get
people calling us to tell us about the 'blue screen of death'.

And with this project, early on we were helping people setup their
LAN's. We found that's all we were doing. Fortunately one of our
customers had a computer guy that knew how to setup a network. He's
totally independent and we send our customers to him to get their
networks setup.

It took us a while to train our customers that we don't do network
setup, but it was easier because we had a guy that did it. So he's
making money, and we're less burdened.

Ray Rippey
VMT Software

NewsArchive
10-30-2019, 01:28 PM
> It took us a while to train our customers that we don't do network
> setup, but it was easier because we had a guy that did it. So he's
> making money, and we're less burdened.

That's one of the smartest decisions you ever made.

Back when I was in the hardware business we had a working relationship with
a top accounting firm that also sold high end accounting software.

They sent us all their business (and recommended us to everyone).

They had no hardware headaches and we made a lot of money from the
relationship.

When we first entered into a gentleman's agreement with them the owner of
the company said that as long as we took care of their customers they would
use us.

He also stipulated that he never, ever, ever, ever wanted to hear the words
PRINTER DRIVER from any of our people under any circumstance!

So that was one of the most important things we had to train all our techs
on<g>.

:-)

Charles

--
-------------------------------------------------------------------------------------------------------
Charles Edmonds

cjeByteMeSpammers@lansrad.com (remove the "ByteMeSpammers" to email me)

www.learnh5fast.com - Master building web and mobile apps with Clarion H5!
www.clarionproseries.com - ProDocument, ImageEx, ProScan, ProImage, ProPath
and other Clarion developer tools!
www.seal-soft.com - The xProduct Clarion templates - xWordCOM, xToolTip,
xDataBackup Manager and more!
www.ezchangelog.com - "Free ChangeLog software to manage your projects!"
www.setupcast.com - "A revolutionary new publishing system for software
developers - enhanced for SetupBuilder users!"
www.ezround.com - "Round Corner HTML tables with matching Banners, Buttons
and Forms - Now with PNG support!
www.fotokiss.com - "World's Best Auction Photo Editor"
www.lansrad.com - "Intelligent Solutions for Universal Problems"
-------------------------------------------------------------------------------------------------------

NewsArchive
10-30-2019, 01:29 PM
> That's one of the smartest decisions you ever made.

Two rules I have learnt if you can do so:

[1] Never touch a network.

[2] And now get your clients into the cloud as soon as you can so that
you escape IT techies and network issues. The he says she says vanishes.

We are starting to do the latter - it is like a breath of fresh air.

Andre Labuschagne

NewsArchive
10-30-2019, 01:29 PM
For me, one of the biggest problems I would face (going to an online
system) would be when I make a change, and everyone gets it all at once,
and I published a bug.

Very scary.

Currently I put out the downloads and people update slowly. I have some
that update right away and so updates trickle out. If I have a bug
(which I'll admit, I've had a few), then I find it before it becomes a
problem for hundreds of businesses.

I'll need to figure that out first.

Ray Rippey
VMT Software