Saturday, November 21, 2015

MacUpdate Interviewed By MacNN:
What's up with the 'MacUpdate Installer'?

--

MacNN has published an excellent story, well worth reading, about the changes going on at MacUpdate.com. Specifically discussed is the replacement of actual application installers with the 'MacUpdate Installer', which attempts to install more than the user intended, to be gentle about the issue. Our pal Thomas Reed of Malwarebytes is featured, as well as the founder of MacUpdate, J. Mueller:

MacUpdate tests changes in face of challenging specialist market
Optional additional installs, app discovery at forefront of changes
- updated 04:00 pm EST, Fri November 20, 2015
. . . "Fear not," Mueller said in response to a question about whether long-time users should be concerned about MacUpdate's testing of similar techniques. "We are not planning to go in the same direction [as CNET and Softonic]. We are learning about this process ... and testing it on only one percent of our hosted apps. We are focused on problem-solving, and the Mac community is very important to us." He added that more information would be made available to users once the testing phase is further along, but that the goal of the optional install offers is to learn about how the process works, how users who see it respond to it, and how to avoid the mistakes rivals have made.
I hope that is indeed the case.

Apart from the unintended installations foisted on MacUpdate users and the scary requirement of your admin password, both highly NOT recommended practices, what I don't like is that the user does NOT end up with the actual application installer. The 'MacUpdate Installer' does all the installing for the user. There is no opportunity to KEEP the desired installer. I personally do not deal with that.

Why do I want to keep the actual update installer?

1) I have three Macs I run simultaneously with a total of five different partitions I maintain. I don't typically install applications on just one Mac. I usually install on two Macs. Going through the MacUpdate Installer adware foisting process twice is not in my interest.

2) I archive ALL the current update installers for applications. I collect them on my main Mac in a 'Move Out' folder, along with all the contemporary research I've been collecting from the net. I usually weed out the older update installers and only keep the latest. Periodically, I then write all of this data out to optical disk for permanent storage. I then catalogue each new disk collection into a database of my entire collection. Whenever I want some piece of software from back in the past, I search the catalogue and it tells me where to find it. This system has saved me many headaches and has often saved my backside.

Needless to say, hanging onto a bunch of MacUpdate Installers that do NOT incorporate the desired actual installer is NOT going to work for me. I want nothing to do with them.

Thankfully, as you'll read in MacNN's article, paying (and at the moment logging-in) members of MacUpdate are kindly prevented from having to deal with the MacUpdate Installer rubbish. For now, I can entirely avoid the problem by simply logging in. MacUpdate also knows I've bought piles of software through them as a member. I have no reason to feel I am not contributing to their financial success.

Would I become a full-fledged, fee-paying member of MacUpdate.com? I don't know of any valid reason to do so. I would never use their MacUpdate Desktop software specifically because of the reasons I want to keep update installers. Recently, MacUpdate Desktop has greatly improved and can be VERY useful! I'm grateful MacUpdate finally got it into good shape. (It used to be extremely clunky.) But I don't need it or want it.


~ ~ ~ ~ ~

This situation will play out in the months to come. I'm grateful that the folks at MacUpdate are being professional about this situation and at least promise not to inadvertently or purposely install crapware or hardcore malware onto users' Macs. There are good intentions. But I personally find nothing to appreciate about the MacUpdate Installer system.

As for MacUpdate.com, the website, as long as there is a convenient and friendly way for me to avoid the MacUpdate Installer, I'm happy and will continue to help them out with reviews and purchase their deals whenever possible. They've been a terrific asset to the Mac community.

:-Derek


--

12 comments:

  1. After I installed VUWER from MacUpdate, I noticed that the small green light that indicated that the camera is on never went off. Shortly after that, Intego's Virus Barrier told me that it had found a piece of malware, that is OSX/RobSnap.A in the file imagesnap. The location was /usr/local/bin/imagesnap
    I removed it, and VUWER could no longer take a picture of me working in front of the computer. Virus Barrier told me that imagesnap was in the VUWER installer, too.
    Is this dangerous?

  2. A couple months back, I noticed this situation with VUWER. I wrote to my contacts at Intego about RobSnap.A because there is NO reference to it on the Internet (via Google anyway). Intego never wrote me back. I wrote them a second time. Nothing.

    Anything that is making the iSight camera (assuming that's what you have) green light come on all by itself, without at least a setting you've made, is BAD. Let VirusBarrier remove it, if you haven't already.

    I've downloaded VUWER from MajorGeeks. I've downloaded it directly from Vanderbilt University (the developers).

    http://stumpy.vuse.vanderbilt.edu/VUWER.htm

    They all are reported to have RobSnap.A.

    The next thing to do is to write to the developer and try to get some insight into what's going on. That would be:

    Tim Holman (tim.holman vanderbilt.edu)

    I'll try to get in touch with him for feedback. If I learn anything new, I'll add another reply here.

    My best guess is that RobSnap.A is potentially surveillance-ware that could be abused if snuck onto someone's computer. But it may be inside of VUWER intentionally, and what you're seeing with the green light permanently on is just a bug in the application.

    I note that version 1.7.5 of VUWER was just released. If that's the one with the green light trouble, you could drop back to version 1.7.4, or vice versa. I have 1.7.4 if you can't find it. I know it is still the current version listed at MajorGeeks (as of this moment anyway).

  3. Thank you very much for your detailed answer. In the meanwhile, I have written to the Intego VirusBarrier support and I am waiting for their answer.
    I can't fall back to 1.7.4, because I use El Capitan, and VUWER used to rely on access to folders that are now verboten. So it was completely broken. This is why I installed 1.7.5 as soon as it was released.
    I was very unhappy about the green light coming on. I also noticed that it remained on. In VUWER 1.7.4 it used to come on, and then go off. It bothered me excessively to see that light on: I also thought of surveillance-ware. Then VirusBarrier decided for me that the file was infected. I looked in System Preferences for a way to switch the green light off, but I couldn't do it. Eventually, I had to delete the file and restart. At that time I was already spooked enough.
    Thank you again.

  4. I am the developer of VUWER, and another Intego user has contacted me about this issue. There is no malware in the Imagesnap binary included on the VUWER installer.

    This binary is only 66 kB in size, and I have scanned it with McAfee Endpoint Protection after downloading it directly from the SourceForge repository. It is the same binary included with earlier versions of VUWER, which you can verify for yourself. I'll be glad to provide a link to an older installer if you want to check this.

    My opinion is that this is a false positive by the Intego software, particularly given that there is no mention of this particular piece of malware anywhere on the web that I can find. It may be that some malware writer somewhere incorporated the Imagesnap code into his own creation, and that is why it is being flagged by Intego.

    Try this: download Imagesnap yourself and scan it. Or, compile it, and then scan it. Does Intego still show it to be malware? If so, the problem is clearly on Intego's end.

    Replies
    1. Thank you Tim! I downloaded ImageSnap-v0.2.5.tgz directly and found it tested positive in up-to-date VirusBarrier v10.8.7 for "OSX/RobSnap.A", whatever that's supposed to be. To quote VB's log:

      "11/25/15, 4:26:10 AM | Infected (OSX/RobSnap.A): Home ▸ Desktop ▸ ImageSnap-v0.2.5.tgz ▸ ImageSnap-v0.2.5 ▸ imagesnap"

      IOW, it is the imagesnap binary itself that is triggering the response.

      HOWEVER, after the most recent update of malware definitions from Intego, contradicting my results with VB on 11/23, neither VUWER v1.7.4 nor v1.7.5 now trigger any detection of malware. I went directly into the disk image of each and tested their copies of imagesnap. NEITHER triggered a response.

      I'm going to press this issue with Intego further to see if I can get anyone to comment. I know they read this blog and apparently have responded to Palantir's experience. I wish they had originally responded to mine, months back. This would appear to be an admission and correction of an error on their part, but I cannot speak for them.

      In the meantime, my only real concern is Palantir's odd experience: "I noticed that the small green light that indicated that the camera is on never went off." I wish we knew more about his version and installation setup.

    2. I'm pleased to hear that Intego seems to have fixed the issue with the latest definition update. It seems peculiar that a piece of malware that no one else has ever heard of can trigger a warning in a vendor's scanner, but stranger things have happened in the anti-virus world.

      I can only hope that Intego hasn't done any permanent damage to VUWER's reputation. As for the camera light not going off, I'll check to see if the Intego update has somehow resolved that issue as well.

  5. Tim, I am sorry to say that my installation of VirusBarrier keeps telling me that the same file is infected in the same way:
    30/11/15, 09:20:04 | Infected (OSX/RobSnap.A): Home ▸ Downloads ▸ updates ▸ VUWER.dmg ▸ imagesnap
    It did with: 26/11/15, 18:53:21 | Malware Definitions Update: 26/11/15
    It still does with: 26/11/15, 18:53:21 | Malware Definitions Update: 26/11/15
    I don't know what to say. I am just an end-user pointing to a problem that I can't solve.

  6. Derek, what is the date of your VirusBarrier definitions? I've had someone tell me that his latest definitions (11/15) are still flagging the ImageSnap binary as RobSnap.A. You can find the thread on the VUWER page in MacUpdate.

    This is incredibly frustrating, to say the least. Somehow, a piece of open source software has been flagged as a piece of malware that no one except Intego has ever heard of, and it doesn't seem as if Intego is in any hurry to do anything about it, or communicate with anyone about it.

    When you think about it, it's a great technique for harassing the author of an open source software package. Submit his code as malware to some cooperative vendor like Intego, then let them do the dirty work of ruining someone's reputation.

  7. CORRECTION: Intego has NOT, sadly, removed the false positive when VirusBarrier scans VUWER. Above I posted what was an error. It was caused by my re-scanning the same copies of VUWER on both the 24th and 26th of November. VirusBarrier had marked these copies to have the imagesnap app ignored. Fresh copies of VUWER were scanned later and again were reported as 'positive' for 'malware' specifically because of the imagesnap app. APOLOGIES for my misdiagnosis!

    Meanwhile, I have heard nothing back from Intego. Tim Holman and I have exchanged email privately about this situation, which prompted me to scan fresh copies of VUWER and correct my error. I'm going to go into pester-mode with Intego as this is an annoying issue that is unfairly hurting Tim as well as potential VUWER users.

    Intego: Please solve this issue!

  8. This comment has been removed by a blog administrator.

  9. Thank you for your warnings about MacUpdate malware, but as a paid member for over 10 years they're giving me a hard time. Yesterday I tried to purchase "Tidy Up" on sale for $9.99 through MU desktop, but when the Firefox MU page opened they also added the Cyber Monday deal. When I attempted removing it from the MU checkout order the page was automatically hijacked to the Cyber Monday deal page. I tried unsuccessfully five more times yesterday with the same bogus results and gave up in frustration.
    I've experienced similar issues this past year with MU and emailed them several times but they never reply! I'm now fed up as a paid customer. Something is gravely wrong at MU. It feels to me as though nobody is in charge on a sinking ship!

    Replies
    1. It is, as I've mentioned previously, my impression that MacUpdate has a marketing consultant involved with overhauling the site. There has been a progression of changes over the last few months. Another I noticed was swapping the links on every app page for 'Install' and 'Download'. This focuses visitors on using their MacUpdate Desktop app, in which I have no interest.

      If MU really is rigging purchases with hijacking Javascripts, I could not be more disappointed. That, if true, is on the level of what I call Marketing Morons, whereby the customer is victimized by the company. It's a great way to kill your company.

      Another change I've noticed over this past week is a lack of diligence reporting updates on their home page. MU is consistently late reporting the latest developer updates, sometimes by days or even a week in a couple instances I noticed.

      The alternative site I now visit each day, before MU, is:

      http://mac.majorgeeks.com

      The guys running the site are local to me and I enjoy supporting them. It's nowhere near as completist as MU. The person updating the page occasionally goes on week long holidays, allowing the page to stagnate. (I had an interesting debacle with MajorGeeks over this unprofessional behavior). But they don't pull any tricks and they're often right up to date with updates, versus MU's recent tardiness.

      In all, with this succession of negative changes at MU, including apparently the nightmare of abuse you describe, I'm not optimistic about their future. It appears, at the moment, that MU has stopped replacing further developer updates with their adware installer. So, perhaps there is hope. I seriously don't want to be stuck using Apple's awful, clunky, dysfunctional Mac App Store app to update my Mac applications. Neither do I want to have to scour through every developer website on my own or depend upon developers' in-app updaters. I want MU to stay the great place it was before their marketing consultant (or whatever is going on) started ruining the place with user abuse.
