totalcmd.net

Discuss and announce Total Commander plugins, addons and other useful tools here, both their usage and their development.

Moderators: white, sheep, Hacker, Stefan2

Usher
Member
Posts: 129
Joined: 2011-03-11, 10:11 UTC

Re: totalcmd.net

Post by Usher » 2018-08-03, 11:47 UTC

Flint wrote (2018-08-02, 22:01 UTC):
> Here they are.

Let's see:
* TC_FavMenu2 - It is provided with sources so it can be reviewed and recompiled.
* BootScreenView - It seems to dig in system files so it may be hard to make a replacement or some workarounds.
* TCPlayer - It is currently maintained on GitHub so it should be replaced with the newest version. You can also remove the plugin file and make a clickable link to GitHub.
* SVI_Eliminator - It patches or deletes system files (digitally signed) and folders, so it will always be marked as a potentially malicious tool. It was written for Windows XP and may crash newer systems. "Deletion Delay Eliminator", another tool made by the same author (http://totalcmd.net/authors/4373853.html), may be marked as malicious for the same reasons. Note that both of them are NOT TC plugins – they are independent hacking tools.
Regards from Poland
Andrzej P. Wozniak

ghisler(Author)
Site Admin
Posts: 36500
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: totalcmd.net

Post by ghisler(Author) » 2018-08-09, 09:14 UTC

2Flint
Could you please at least consider a temporary solution? People complain that they can't download plugins any more. :(
Author of Total Commander
http://www.ghisler.com

Flint
Power Member
Posts: 3159
Joined: 2003-10-27, 09:25 UTC
Location: Moscow, Russia

Re: totalcmd.net

Post by Flint » 2018-08-09, 10:43 UTC

2ghisler(Author)
I've already been doing this for several days, but each time I remove the files and ask it to revalidate, it complains about something else. Yesterday I launched another iteration, waiting for the results now.

Why, oh why did you have to remove "Don't be evil", Google!
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 9.21rc1 / Win7 x64 SP1, Win10 x64

Usher
Member
Posts: 129
Joined: 2011-03-11, 10:11 UTC

Re: totalcmd.net

Post by Usher » 2018-08-09, 13:12 UTC

You have removed files, but you haven't removed download links. In many cases you can use such links to download files from archive.org.
For tests remove "a href=link" tags and change active links into text. It may be enough for Google.
Regards from Poland
Andrzej P. Wozniak

Flint
Power Member
Posts: 3159
Joined: 2003-10-27, 09:25 UTC
Location: Moscow, Russia

Re: totalcmd.net

Post by Flint » 2018-08-09, 14:07 UTC

2Usher
I don't think presence of anything on archive.org affects its decision, it would be too stupid even for Google. Nobody can directly affect what appears on archive.org.

The actual fact is, now you cannot download any of those files either directly, or via download.php, because the file is physically not there. The links now load the error page instead of the file, it should be enough to mark it as non-malicious. Besides, on each validation Google did remove from the report those links which I broke by deleting the files. At least, most of them. Some of them remained, and only disappeared after one more validation request (without any changes). The main problem was, it added more "malicious" links which were not there on previous reports, so I had to iterate over and over again. And the last time, the one and only download link reported as malicious was in fact Total7zip which is absolutely, 100% clean on VirusTotal. I have no idea what the heck is going on with their detect engine…
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 9.21rc1 / Win7 x64 SP1, Win10 x64

Usher
Member
Posts: 129
Joined: 2011-03-11, 10:11 UTC

Re: totalcmd.net

Post by Usher » 2018-08-09, 19:18 UTC

One thing for sure:
Total7zip contains old 7-zip version with known security holes, just google "7-zip security vulnerabilities" or "7-zip CVE". Replace old 7-zip files with the newest ones (version 18.05 now).

You can use similar keywords for other blocked software.

And now some guesses:
1. I think that Google just keeps blocked download links and will block web pages if you don't change those links. Archive.org is just a sample that allows to understand such Google actions.
2. When you force validation of some pages more than once, Google just starts with validation of those pages, but after that it starts to validate all the site, I suppose.
3. Blocking more and more pages may be also some kind of "joe job" or (D)DoS attack - they may be reported as malicious by some people manually or by some bots automatically.
Regards from Poland
Andrzej P. Wozniak

Flint
Power Member
Posts: 3159
Joined: 2003-10-27, 09:25 UTC
Location: Moscow, Russia

Re: totalcmd.net

Post by Flint » 2018-08-09, 22:50 UTC

Usher wrote (2018-08-09, 19:18 UTC):
> One thing for sure:
> Total7zip contains old 7-zip version with known security holes, just google "7-zip security vulnerabilities" or "7-zip CVE". Replace old 7-zip files with the newest ones (version 18.05 now).

Having security issues is not the same as being a malicious software.

> 1. I think that Google just keeps blocked download links and will block web pages if you don't change those links. Archive.org is just a sample that allows to understand such Google actions.

I still don't understand your reasoning. The link no longer poses a threat, why would it still be considered malicious?
Anyway, whatever the reasoning, it doesn't look like it works that way. wincmd.ru has been marked as clean already. If what you said were true it would have remained marked as tainted.

> 3. Blocking more and more pages may be also some kind of "joe job" or (D)DoS attack - they may be reported as malicious by some people manually or by some bots automatically.

If that's the case I probably won't be able to do anything, the attackers would just keep reporting other, completely legitimate files and pages. However, I don't think that's what's happening, because up until now all the downloads listed in the Google Console were actually detected by some antiviruses as malicious (putting aside the question of how reasonable those detects actually were), apart from Total7zip which has already been "cleared" and is no longer displayed as problematic.

I think in the end the current course will have the site removed from the malicious list, but I really, really, really don't like the way it's going. Some stupid known-by-nobody antivirus yells completely invalid claims, and 99% of your web-site gets virtually blocked, just because most users stick to Chrome or other browsers that stick to that Google detector. I'm not even sure it's wise to do what I'm doing, in the long term; it makes people think "he removed those files, so they really were malicious, precious Google saved us all!" instead of "hey, Google, what the heck, there's nothing wrong there, we'll be better off with another browser which is not so paranoid".


Added:
Minutes after I posted this, the final check on totalcmd.net was reported as success, the site is marked clean. I'm not sure how this works, might take a bit of time for the browsers to catch up, but in my Firefox it is now opened without warnings.

Still, the question what to do with the problematic files remains open. I don't want to lose useful plugins just because of false positives from some vague unknown AVs…
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 9.21rc1 / Win7 x64 SP1, Win10 x64

Usher
Member
Posts: 129
Joined: 2011-03-11, 10:11 UTC

Re: totalcmd.net

Post by Usher » 2018-08-10, 02:24 UTC

Flint wrote (2018-08-09, 22:50 UTC):
> Having security issues is not the same as being a malicious software.

Outdated software with security holes may be abused by malware - like Flash Player or Adobe Reader.

Flint wrote (2018-08-09, 22:50 UTC):
> Anyway, whatever the reasoning, it doesn't look like it works that way. wincmd.ru has been marked as clean already. If what you said were true it would have remained marked as tainted.

It was just a guess, as I clearly stated earlier. Indexing/checking is a time-consuming operation, so web spiders read time stamps of web pages and may NOT reindex/recheck pages if the timestamps are unchanged. They may also keep and compare checksums - if the webpage has a newer timestamp, but the same size and the same checksum, it won't be reindexed/rechecked.

Flint wrote (2018-08-09, 22:50 UTC):
> Added:
> Minutes after I posted this, the final check on totalcmd.net was reported as success, the site is marked clean. I'm not sure how this works, might take a bit of time for the browsers to catch up, but in my Firefox it is now opened without warnings.

Glad to read it. Now it's OK also from my Firefox. So it's probably been just another type of Google dance, dependent on the time needed to propagate changes to all Google servers and to download updates by web browsers.

Flint wrote (2018-08-09, 22:50 UTC):
> Still, the question what to do with the problematic files remains open. I don't want to lose useful plugins just because of false positives from some vague unknown AVs…

Save the copies of problematic files to Google Drive, link them on your site and wait a month. The files are small, so every download will force AV check. If Google Drive and Google don't issue any warning in this time, re-upload the files to your site (but don't delete copies from Google Drive).
You can also look at the download statistics - are those files still downloaded?
Regards from Poland
Andrzej P. Wozniak
