Re: Malevolent download from debian website

On Tue, 5 Feb 2019, Alexander Reck wrote:


> I encountered a problem with a misleading download link on your website and wanted to inform you:
>
> Go to page https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/.
> Hover your mouse over the link "debian-9.7.0-amd64-DVD-1.iso".
> At the bottom of the browser it correctly shows "https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/debian-9.7.0-amd64-DVD-1.iso".
> Click the link.
> The download then starts from site https://caesar.ftp.acc.umu.se and is instantly cancelled by Norton antivirus with the message
> "Malevolent download recognized, download cancelled".
>
> I downloaded the file from a mirror instead.

This is my guess, but I don't have any access to Norton antivirus to verify:

Now and then these clever antivirus businesses classify our archive as "malware distribution point", because some gedit-x.y-installer.exe from our GNOME mirror (or other random file we serve for a free software project) happens to match a fingerprint of some malware.

I'm guessing that this is what happened here, based on the fact that over the years we've gotten dozens of such reports through our campus abuse contact, but each and every time we've investigated it has been a false alarm (and by now neither our team nor the campus IRT spend much effort on these reports).

I guess we should try to contact Norton and ask them what's up. I'll have a go at that.

BTW, that the download gets redirected to a machine in the ftp.acc.umu.se cluster is expected behaviour: https://ftp.acc.umu.se/about/

PS, please keep me in Cc:, I'm not subscribed to debian-www.

/Mattias Wadenstein, sysadmin and caretaker of ftp.acc.umu.se aka cdimage.debian.org
