[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Malevolent download from debian website

On Tue, 5 Feb 2019, Alexander Reck wrote:


I encountered a problem with a misleading download link on your website and wanted to inform you:

Go to page https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/.
Hover your mouse over the link "debian-9.7.0-amd64-DVD-1.iso".
At the bottom of the browser it correctly shows "https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/debian-9.7.0-amd64-DVD-1.iso";.
Click the link.
The download then starts from site https://caesar.ftp.acc.umu.se and is instantly cancelled by Norton antivirus with the message
"Malevolent download recognized, download cancelled".

I downloaded the file from a mirror instead.

This is my guess, but I don't have any access to Norton antivirus to verify:

Now and then these clever antivirus businesses classify our archive as "malware distribution point", because some gedit-x.y-installer.exe from our GNOME mirror (or other random file we serve for a free software project) happens to match a fingerprint of some malware.

I'm guessing that this is what happened here, based on the fact that over the years we've gotten dozens of such reports through our campus abuse contact, but each and every time we've investigated it has been a false alarm (and by now neither our team nor the campus IRT spend much effort on these reports).

I guess we should try to contact Norton and ask them what's up. I'll have a go at that.

BTW, that the download gets redirected to a machine in the ftp.acc.umu.se cluster is expected behavour: https://ftp.acc.umu.se/about/

PS, please keep me in Cc:, I'm not subscribed to debian-www.

/Mattias Wadenstein, sysadmin and caretaker of ftp.acc.umu.se aka cdimage.debian.org

Reply to: