
How to verify integrity of MBSetup.exe download file


Hello,

Are there PGP signatures for the MBSetup.exe file I've downloaded? (along with the public key)

I would like to verify the integrity of the download to make sure it is safe.

How can we verify the downloads from the website are secure?

Do you have a SHA 256/512 SUM file somewhere? I can't find any way to verify the file looking through the forum and website.

Any help would be great!

Thanks

  • Like 1
Link to post

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post

  • Staff

Greetings,

Please refer to the information in this support article; while that article is about the Mac version, the same logic applies to the Windows version as well.

You can check the digital signature to verify that the file has not been tampered with by right-clicking the file and selecting Properties and verifying the information located in the Digital Signatures tab.

I hope this helps and if there is anything else we might assist with please let us know.

Thanks

  • Thanks 1
Link to post

Hi anti-virus:

If I save the latest Windows version of MBSetup.exe v4.1.1.190 from https://www.malwarebytes.com/mwb-download/ to my desktop and then upload that .exe file to the VirusTotal.com site at https://www.virustotal.com/gui/, VirusTotal calculates the unique SHA-256 hash of that file (d1b822f717f3309973a94dda715c2c4b963d8714f477314f2b0827b834b7c16b) and then submits that SHA-256 hash to multiple virus engines (Bitdefender, Kaspersky, McAfee, etc.) for analysis. In this case, the MBSetup.exe file I downloaded is reported as safe by 70 of 71 different virus engines, so I can be confident that particular MBSetup.exe installer is safe to use. Jiangmin (an antivirus I'm not familiar with) is the only virus scanner that flags that MBSetup.exe as potentially unsafe/harmful, which tells me the sole Jiangmin detection is likely a false positive that can be safely ignored.

[Screenshot: VirusTotal analysis of Malwarebytes MBSetup.exe v4.1.1.190, 05 Nov 2020]

Note that if I submit the same MBSetup.exe v4.1.1.190 to the MD5 File online hash calculator at https://md5file.com/calculator, it calculates the same unique SHA-256 hash (d1b822f717f3309973a94dda715c2c4b963d8714f477314f2b0827b834b7c16b) as the VirusTotal site.

[Screenshot: MD5File online hash calculator result for Malwarebytes MBSetup.exe v4.1.1.190, 05 Nov 2020]

-------------
64-bit Win 10 Pro v1909 build 18363.1139 * Firefox 82.0.2 * Windows Defender v4.18.2009.7 * Malwarebytes Free v4.2.2.95-1.0.1096
Dell Inspiron 15 5584, Intel i5-8265U@1.60/1.80 GHz, 8 GB RAM, Toshiba KBG40ZNS256G NVMe SSD, Intel UHD Graphics 620

Edited by lmacri
Link to post

On 11/3/2020 at 5:36 PM, anti-virus said:

Hello,

Are there PGP signatures for the MBSetup.exe file I've downloaded? (along with the public key)

I would like to verify the integrity of the download to make sure it is safe.

How can we verify the downloads from the website are secure?

Do you have a SHA 256/512 SUM file somewhere? I can't find any way to verify the file looking through the forum and website.

Any help would be great!

Thanks

They don't post that information and it grinds my gears. It takes like 10 seconds to calculate a SHA256 hash and post it along with the update announcement. Sure, checking the file on VirusTotal is okay but it's a lot more comforting to match a file hash from the actual vendor's site to a file hash from the VirusTotal scan as well.

BTW, I always look for @1PW's thumbs up on a VirusTotal scan ... knowing that he's installed it already has a calming effect on me 😄

  • Like 1
Link to post

  • Staff
3 minutes ago, Steve1982 said:

They don't post that information and it grinds my gears. It takes like 10 seconds to calculate a SHA256 hash and post it along with the update announcement.

You're not wrong; the issue is that in any instance where the software has been hacked/hijacked/modified by a malicious actor and reuploaded to the servers for distribution, they'd already have the necessary access to alter the textual content of the download page as well, meaning the hashes would still match, making the illegitimate copy of the software look legit.

Link to post

Just now, exile360 said:

You're not wrong; the issue is that in any instance where the software has been hacked/hijacked/modified by a malicious actor and reuploaded to the servers for distribution, they'd already have the necessary access to alter the textual content of the download page as well, meaning the hashes would still match, making the illegitimate copy of the software look legit.

While it may be possible for bad actors to get access to Malwarebytes' entire network and have free rein to do as they please, it is far more likely that someone with a compromised DNS is trying to download the setup file and is served an infected file from another server entirely. In this scenario the bad actor doesn't need to have compromised Malwarebytes's servers, they just need to have compromised the user's DNS settings (or their router).

Verifying the integrity of a file you download from a site is paramount to staying safe online. For the price of 10 seconds worth of work Malwarebytes can provide us with another way to check these files. Not saying this is bulletproof either, but every little bit helps.

Link to post

Yes I find it shocking to be honest.
A company who are specializing in security that don't upload signatures of the software for people to verify that the software downloaded has at least been signed by Malwarebytes' private key.

Hopefully this will be added in the future very soon as it is a bit silly for a malware company to not lead by example and following security best practices. (Especially with something that can relatively trivially be fixed. EG: publishing pub key (on main site + social media) + a signed SHA sum of the software with each release.)

Hopefully someone working for them can link to this thread so that the feature will be added.

Also thanks to above posters (lmacri) trying to help!

  • Like 1
Link to post

  • Staff

Each Malwarebytes executable is digitally signed and can be verified before executing any installer or file from Malwarebytes:

[Screenshot: DigitalSig.png]

I'm not aware of any method to fake a digital signature, though I have heard of a few legit signatures that got issued that were leaked into the wild, however they could not be used to sign it as Malwarebytes.

Edited by exile360
Link to post

Just to add that file is just a downloader, not the actual installer. It has to be able to access Malwarebytes download server to actually install Malwarebytes. I doubt a faked installer could do that and even if it did, it is still only able to download the actual program.

Link to post

19 minutes ago, exile360 said:

That's why you check the digital signature, because that's far harder to spoof (and if a malicious actor were to use a DNS poisoning attack or similar method, they could just as easily show a spoofed version of the Malwarebytes site, which would be far more likely than just redirecting the download).

Noted, but a digital signature is not bulletproof either. For one thing, getting executables signed is trivial and while it may not match the Malwarebytes signature exactly it will be good enough to fool most (especially if you have the backing of a state actor). Also, I would say it's far more likely someone would just hijack the download. Why set up an entire web site if all you want is for the victim to download the malicious file? Especially when the web site makes it easier for you by not publishing a hash. If they published the hash .... well then you're going to have to put in some extra effort to replicate the web site too so there's actually another reason to publish the hash 😉

Anyway, I appreciate your input but I fear we're venturing off course here ... this is not about replacing everything else with a file hash on the web site. It's simply about adding another way to verify the file, one that takes all of 10 seconds. It's a method advocated by many in the security industry and used by thousands of software vendors and it really shouldn't be controversial. In fact, if memory serves me right, AdwCleaner did exactly this before they were bought by Malwarebytes.

Link to post

35 minutes ago, anti-virus said:

Yes I find it shocking to be honest.
A company who are specializing in security that don't upload signatures of the software for people to verify that the software downloaded has at least been signed by Malwarebytes' private key.

Hopefully this will be added in the future very soon as it is a bit silly for a malware company to not lead by example and following security best practices. (Especially with something that can relatively trivially be fixed. EG: publishing pub key (on main site + social media) + a signed SHA sum of the software with each release.)

Hopefully someone working for them can link to this thread so that the feature will be added.

In addition to VirusTotal I also use this service from Kaspersky:

https://whitelisting.kaspersky.com/advisor

What I like about it is that it tells you how many people using their AntiVirus have downloaded and installed the file you're scanning, and if they trust the file or not. What's more, the number of people rating the files is usually much larger than VirusTotal and it is especially handy with new files.

Link to post

  • Staff

Checking with a service like VT or Kaspersky is a good idea as an additional measure.  As for the idea that spoofing a site is a pain, I'd argue that this is precisely what bad actors have been doing for decades and is one of the most commonly used methods of social engineering to infect unsuspecting users.  In fact, one of the reasons Malwarebytes Premium includes a Web Protection module in the first place is due to the common occurrence of spoofed sites and malicious advertisements.  On the other hand, successfully faking a digital signature requires far more effort and is next to impossible.

I wouldn't mind seeing them add the hashes to the site for downloads, but at the same time I have never relied on hashes published on public websites as a security measure either (even when they are provided).  If I don't trust a file, I scan it with VT (in addition to Malwarebytes, of course), and if the file is untrusted, has no digital signature and it's supposed to be an installer for an AV/AM, I don't run it.

Link to post

1 minute ago, exile360 said:

... but at the same time I have never relied on hashes published on public websites as a security measure either (even when they are provided).  If I don't trust a file, I scan it with VT (in addition to Malwarebytes, of course), and if the file is untrusted, has no digital signature and it's supposed to be an installer for an AV/AM, I don't run it.

Nobody is recommending you rely solely on hashes as a security measure. I wouldn't recommend relying solely on a VirusTotal scan either, even if it's digitally signed. This is especially true of brand new files containing zero day exploits. So once again, posting a file hash on the vendor site (and on their Twitter feed in case their site is compromised - good suggestion there by "anti virus") is just another tool in the toolbox. Nothing more, nothing less. 

Link to post

10 minutes ago, exile360 said:

Also, if you're dealing with a state actor, spoofing a website would be trivial for them and much easier (and less costly) than trying to fake/match the legitimate Malwarebytes digital signature.

Not fake it, or match it. Just sign it using a corporate identity that looks something like "MalwareBites". 

Link to post

  • Staff
1 hour ago, Steve1982 said:

Not fake it, or match it. Just sign it using a corporate identity that looks something like "MalwareBites". 

Who would such a measure be for?  If the user is not knowledgeable enough to recognize a faked digital signature, they likely won't have the first clue how to check/verify a hash/checksum either.  Only more technically adept users would use a hash as a validation method/security measure, and such users should know full well that not only are such measures virtually useless (because the site/hash can be spoofed), but also that any regular users concerned about the validity of files being downloaded from a security vendor's website would be much better served by simply scanning the file with a service like VT and checking the digital signature of any files being downloaded, and of course only to download files direct from the vendor's site or a known good/trusted source for downloading it (places like BleepingComputer and MajorGeeks).

The hypothetical worst case scenario of dealing with a state actor or massively financed malicious actor delves into the realm where no amount of security measures can truly guard against any possible infiltration or deception because with unlimited resources and the right access/exploits, anything can be faked to the point that even the user's own system and connection cannot be trusted which is why entertaining such scenarios and then stating that publishing hashes is to protect users who are less adept with security/aren't capable of verifying the digital signature doesn't make a whole lot of sense, at least to me personally.

Edited by exile360
Link to post
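
The checks argued over in this thread (the Properties > Digital Signatures check, the look-alike signer name such as "MalwareBites", and comparing a SHA-256 value), scripted in PowerShell as an added example that is not part of any post and is not Malwarebytes' code. The function and parameter names are hypothetical, and the expected signer name is a placeholder to fill in from a copy you already trust.

```powershell
# Added example, not from any post in the thread. Function and parameter names
# are hypothetical.

# Levenshtein distance, used to flag a signer name that is close to, but not
# exactly, the expected one (the "MalwareBites" case raised in the thread).
function Get-EditDistance([string] $a, [string] $b) {
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = New-Object 'int[]' ($b.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -ceq $b[$j - 1]) { 0 } else { 1 }
            $edit = [Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1)
            $cur[$j] = [Math]::Min($edit, $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Signer name exactly as shown on a copy you already trust.
        [Parameter(Mandatory)] [string] $ExpectedSigner,
        # Optional: SHA-256 obtained through a second channel.
        [string] $ExpectedSha256,
        # Optional: signer certificate thumbprint from a known-good copy.
        [string] $ExpectedThumbprint
    )

    # Status is 'Valid' only if the file matches its signed digest and the
    # certificate chains to a root this machine trusts.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = if ($cert) { $cert.GetNameInfo($nameType, $false) } else { $null }

    # Exact, case-sensitive match; a near miss is reported separately.
    $exact = $signer -ceq $ExpectedSigner
    $lookalike = $false
    if ($signer -and -not $exact) {
        $n1 = $signer.ToLowerInvariant() -replace '[^a-z0-9]', ''
        $n2 = $ExpectedSigner.ToLowerInvariant() -replace '[^a-z0-9]', ''
        $lookalike = (Get-EditDistance $n1 $n2) -le 2
    }

    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = if ($ExpectedSha256) { $sha256 -eq $ExpectedSha256.Trim() } else { $null }
    $thumbOk = if ($ExpectedThumbprint) {
        [bool]$cert -and ($cert.Thumbprint -eq ($ExpectedThumbprint -replace '\s', ''))
    } else { $null }

    [pscustomobject]@{
        SignatureStatus = $sig.Status
        Signer          = $signer
        SignerMatches   = $exact
        LookalikeSigner = $lookalike
        Sha256          = $sha256
        Sha256Matches   = $hashOk
        ThumbprintMatch = $thumbOk
        # Omitted optional checks ($null) do not block; a failed one does.
        Trusted = ($sig.Status -eq 'Valid') -and $exact -and
                  ($hashOk -ne $false) -and ($thumbOk -ne $false)
    }
}

# Usage on the file discussed in the thread. ExpectedSigner is a placeholder;
# the SHA-256 is the value lmacri quoted for MBSetup.exe v4.1.1.190.
$installer = Join-Path $env:USERPROFILE 'Desktop\MBSetup.exe'
if (Test-Path -LiteralPath $installer) {
    $check = @{
        Path           = $installer
        ExpectedSigner = '<SIGNER-NAME-FROM-KNOWN-GOOD-COPY>'
        ExpectedSha256 = 'd1b822f717f3309973a94dda715c2c4b963d8714f477314f2b0827b834b7c16b'
    }
    Test-InstallerTrust @check
}
```

A SHA-256 match only shows the file equals the one the reference value was taken from, so the hash quoted above is a comparison against another poster's download, not a vendor-published value.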

24 minutes ago, exile360 said:

Who would such a measure be for? 

Me, the OP, users who asked for it over the years on the forum ... basically anyone who thinks that providing more ways of verifying a file's authenticity is a good thing, not a bad thing? If a poll was conducted I'm sure most users would be in favor of it. Your reasons for not posting hashes are simply not compelling enough. We all use VirusTotal. We all check the digital signatures. Let's move beyond that. I (and many others) would like to compare vendor provided hashes too. If you don't want to, you don't have to.

Forget about the user's level of experience ... it doesn't matter and it's not for you to decide who is or isn't technically savvy. And forget about state actors. My original comment was just to underscore a point. State actors are the least of my concerns, and are the least likely to affect the average person. State actors target specific political opponents and/or other government entities. In the interest of time I'm not going to unpack the rest of it ... it's not that important to the topic at hand and we're just beating dead horses now.

So instead of wasting more time on the thousands of hypothetical what-if scenarios we can conjure up where a hash may or may not have helped, can we please just acknowledge that some of your users would like to have the hashes posted?

Link to post

  • Staff

Yes, and that has already been acknowledged and addressed by the information in the link I provided originally in response to this topic.  If you have not read it yet, I recommend doing so as it explains the logic of the company in deciding not to post the hashes.

Please keep in mind that I am not the one who makes these decisions, I was simply responding in an attempt to explain the reasoning behind the decision not to post them.

Link to post

On 11/3/2020 at 6:08 PM, exile360 said:

...  Please refer to the information in this support article; while that article is about the Mac version, the same logic applies to the Windows version as well.

You can check the digital signature to verify that the file has not been tampered with by right-clicking the file and selecting Properties and verifying the information located in the Digital Signatures tab....

Hi exile360:

From that Malwarebytes support article Verify Malwarebytes For Mac v3 Hasn't Been Tampered you referenced, which states in part:

Quote

"We do not publish checksums of Malwarebytes for Mac on our website, for a couple reasons. First, checksums are a poor method of verifying the integrity of an app. If you suppose that a hacker has replaced the app on a developer’s website with a hacked copy, then the checksum could just as easily have been replaced...A code signature is a far better option. Code signatures can be validated independently, and are an important aspect of security on macOS...

A code signature might be a better validation method than the SHA-256 checksum, but that doesn't help if the installer is compromised by a malicious actor before the installer is digitally signed and the SHA-256 hash is submitted to antivirus companies for whitelisting. Many of us still recall the fiasco in September 2017 when Avast distributed a "legitimate" signed version of CCleaner v5.33 from their download servers for almost a month before someone realized that the installer had been modified with a Floxif backdoor trojan (see Catalin Cimpanu's 19-Sep-2017 BleepingComputer article Avast Clarifies Details Surrounding CCleaner Malware Incident about this supply chain attack). I was one of the ~730,000 CCleaner users who had their Windows registry altered by this Floxif trojan (see my 18-Sep-2017 post <here> in the Norton forum), although the second part of the payload that did the real damage was only uploaded to computers at a small number of select technology and telecom companies in a more targeted attack.

At the end of the day, I still have to trust that Malwarebytes has a robust build environment that ensures their digitally signed installers and applications haven't been compromised in this type of supply chain attack prior to their official release.

Edited by lmacri
  • Like 1
Link to post

8 hours ago, exile360 said:

 If you have not read it yet, I recommend doing so as it explains the logic of the company in deciding not to post the hashes.

Please keep in mind that I am not the one who makes these decisions, I was simply responding in an attempt to explain the reasoning behind the decision not to post them.

Apologies if it sounded like I was coming at you personally, not my intention at all.

I did read the article. Let's just say that the reasons provided in the article are not compelling at all. Hashes aren't supposed to replace digital signatures as a means of verifying the integrity of an app. Period. These aren't two competing concepts, they complement each other. You can - and should! - have both. Hashes are more a chain of custody check to me personally. Also, the example provided of a web site being compromised therefore the posted hashes can also be altered to match the fingerprint of the downloaded file is not the only scenario where a hash would be useful, and in the case of Malwarebytes*, it's not even the one I'm most concerned about.  I'm more concerned about bad downloads from a compromised PC (bad DNS, code injection, etc). Also, the article literally saying that keeping hashes updated is a "pain" is just cringe. Seriously? This can easily be automated.

(*As an aside, it's not typical for a company like Malwarebytes to host their downloadable content on the same infrastructure as their public web site so if we assume for the sake of argument that a bad actor manages to compromise the entirety of Malwarebytes' infrastructure - downloads, web sites, update servers, etc. - plus their social media accounts where they should also be publishing the hashes, then we're talking about an extinction level event for the company).

Link to post

  • Staff

Chain of custody is what digital signatures are all about.

Regarding the security of Malwarebytes' build environment, it is something that the company is extremely serious about and cautious with.  They don't mess around when it comes to their files, Developers, build environments, and especially security.  I have to believe that if it were truly beneficial from a security perspective to publish hashes, they would do so without question.  After all the discussions I've seen around the subject (including with the Developers themselves in the past), I have accepted that hashes are a poor measure of file validation and provide a false sense of security at best.  Digital signatures on the other hand are much harder to implement and provide a much more robust solution for chain of custody and file validation.  I get that it is not an either/or situation and that both could be used simultaneously, however I also know that if someone has gained the level of access necessary to alter or replace one of Malwarebytes' downloads, they could just as easily change the hash printed on the page and this is the primary reason I don't trust hashes.  Spoofing websites is far easier than spoofing digital signatures, and redirecting websites is far easier than infiltrating the Developers' build environment.

For compromised PCs (DNS poisoning/man-in-the-middle attacks etc.), this is precisely why I don't trust hashes, because showing a spoofed/fake version of a website is exactly the most common type of attack when dealing with any sort of malicious redirect or DNS compromise.  This means that publishing a hash becomes moot because the user can no longer reach the 'real' Malwarebytes website (it is also a common tactic for the bad guys to block and/or redirect security sites to prevent users from accessing the tools needed to remove the threats, often making it necessary to download tools from a known clean system/connection and transferring them over via USB or some other external media).

I would also mention that very few, if any, security vendors/AV vendors publish hashes on their websites for downloads (I checked Kaspersky earlier since they were mentioned due to their hash checking for third party files and noted that not even their downloads show hashes).  That said, just because other vendors do or don't do something doesn't necessarily mean that Malwarebytes should or shouldn't.  It's just a matter of interest to me that most don't and I have to think that if it were useful for security most of them probably would.  I suspect that their logic in not doing so is likely similar to Malwarebytes' reasoning, but that's just speculation.  That said, if it were meaningful to do so I believe they would.

Link to post

52 minutes ago, exile360 said:

Chain of custody is what digital signatures are all about.

A digital certificate does not prove that the file you downloaded came from the site you downloaded it from! It simply proves that the file was signed by the holder of the certificate. What part of this is so difficult to understand? Yes, digital certificates are a very important verification, nobody is disputing this. A file hash on the other hand is just another way to validate chain of custody to me, the end user. The two complement each other. They offer similar, but slightly different forms of verification.

Stop harping on spoofed websites, it's a distraction and merely one of many scenarios in which hashes are useful. But for what it's worth ... a savvy hacker is not going to set up a fake website for "www.malwarebytes.com" when all they need to do is redirect DNS for "downloads.malwarebytes.com" or "download.toolslib.net". None of these subdomains resolve to the same server so why bother spoofing the web site when Malwarebytes aren't posting hashes? The really smart hackers aren't that stupid. So ironically, by not putting a hash on the web site Malwarebytes is literally making it easier for them. Furthermore, spoofing the site is easily defeated by posting hashes to social media.

Also, it really doesn't matter that some of the other AV vendors don't publish hashes. Many vendors do. Just do the right thing, regardless.

Anyway, this is getting tedious. I'm out.

Link to post