Highly Suspected Virus Report - Crystal Disk Info Download

Aug 28, 2011 2:12PM PDT

To reproduce this issue:
Go to cnet.com
Click the Downloads tab
Type in Crystal Disk Info and hit search
Scroll down to the bottom and click the CrystalDiskInfo link
http://download.cnet.com/CrystalDiskInfo/3000-2086_4-10832082.html?tag=mncol;10
Click the "Download Now" button. This button says the file should be 1.62MB; however, I get a 444KB file, filename "cnetCrystalDiskInfo4_0_2a-en_exe.exe".

No, NOT a virus
Aug 28, 2011 9:24PM PDT
Question
Aug 29, 2011 2:31AM PDT

Did your AV alert to it being a virus, or did you find it suspicious that CNET is now using a wrapper (that delivers toolbars, a homepage change, a new search engine, and after examining your install makes recommendations to you for more programs) to install your program for you?

RE: Question
Aug 29, 2011 1:20PM PDT

If you upload this "cnetCrystalDiskInfo4_0_2a-en_exe.exe" (which you get by clicking on the green download button on cnet) to virustotal.com for analysis, you'll see that NOD32 reports this file as a trojan, and a few other AVs report it as some other trojan/suspicious etc.

Is there a "direct download" under the big DOWNLOAD?
Aug 29, 2011 1:28PM PDT

Try the direct download next time.
Bob

They have good PR
Aug 30, 2011 2:02AM PDT

If you read my reply to the sticky, I see this as spyware. Others disagree with me because this is a revenue generator and it is not stealing passwords or financial information. It is my belief that it is powered by OpenCandy and your AV program should alert to it too. I know my last AV did not alert me and it was my firewall that alerted me that a program was trying to access the net. I now have a new AV. lol

You can read OpenCandy FAQ below.

http://forums.cnet.com/7723-12543_102-539662.html?refresh=1314719096280

It is my belief that their FAQ just screams to the reader that they are spyware. I guess it depends on which side of the fence you're on and how you want to generate revenue. I find the most important line from their FAQ is the statement below.

When you run an installer powered by OpenCandy, it asks our servers for a list of applications that the developer of the software you're installing has chosen to recommend for your language, operating system and country. Our plug-in (OCSetupHlp.dll) then selects the first valid recommendation to show. Recommendations must pass certain criteria to be valid (such as, "Is this software already installed?", "Are the necessary files needed to install this available?", etc.). For each recommendation in the list, an anonymous "Yes" or "No" is sent back to our servers so we can collect aggregate data to improve our recommendations.


If the CNET wrapper is not powered by OpenCandy it behaves just like it and that is why your AV alerted on it. Just be thankful you have an honest AV that has not bowed down to the PR and pressure applied to allow this to exist in the wild.

You can read how one of my favorite sites I use to keep up with what is going on feels about this wrapper.

http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations

I, myself and me will never use a wrapper like this and will never sign in just to download something. All this is designed to track, collect, and keep forever what we do online.

Two things to note...
Aug 30, 2011 3:49AM PDT

1.) The wrapper may be flagged by some security software because it advertises advertisements and downloads/installs other software (the software you requested and the offer if you didn't opt out).
2.) Of those 5 flags, only one of them is from a generally well-respected vendor (NOD32). Generally, I classify as a false positive with those results, though I can see the argument in this case.

John

Define Spyware
Aug 30, 2011 7:21AM PDT

Since my definition of spyware is not good enough, let's see what the official sites say.

Merriam Webster says it is software that is installed in a computer without the user's knowledge and transmits information about the user's computer activities over the Internet.

http://www.merriam-webster.com/dictionary/spyware

Dictionary.com says it is software, installed unknowingly, that gathers information about an Internet user's browsing habits or intercepts personal data, transmitting this information to a third party for commercial gain.

http://dictionary.reference.com/browse/spyware

We know that those coming to CNET download.com do not know they have changed how you download the programs they want and are surprised they find this wrapper but run it anyway thinking that they can trust download.com. When the wrapper runs it executes a dll that phones home and transmits data about the user. Now I admit, it is not stealing passwords or financial data but it is transmitting data. After it is done doing its dirty work, it closes itself out and removes all traces of it ever being there so it can not be examined. By both definitions above and mine it is spyware, hence NOD32 is not presenting a false positive.

Opt out?
Aug 30, 2011 7:35AM PDT

The 'always used' argument is that if there is an option to "opt out" of these additions, then the user did, in fact, have knowledge of the addition, whether they opted out or not.

It's the same with EULAs. It's all there, somewhere, but who reads them?

I am always telling people, relatives, friends, users in these forums and elsewhere, "Watch the install process carefully". Sadly it seems the message doesn't get through. But that is all I can do, warn them, then the rest is up to them.

Mark

User input required
Aug 30, 2011 7:54AM PDT

That is why we now have the term user input required. I have not tried this wrapper nor will I, but it is my understanding that the user can opt out of the toolbar, homepage change, search engine change but can not opt out of the transmission of data required for the program to make a recommendation for another program. I keep making the statement that it is my belief that this wrapper is powered by OpenCandy. The fact that no one has come out and denied this strengthens my belief that it is. If CNET had developed something different they should be on here denying any connection to OpenCandy. It is also strengthened by the fact that NOD32 jumps all over this. They did not bow to the PR and pressure applied to the other AV companies who are allowing their customers to fall prey to this kind of spyware.

Several notes...
Aug 30, 2011 1:45PM PDT

1.) The CNET Installer does not need, nor can it be, installed - it is a portable, self-standing executable. It does not report browsing habits or personal data, and it only runs with the user's knowledge. Thus, by the definitions you cited (though I find insufficient), it cannot be spyware.

2.) The CNET Installer does not "close itself out and remove all traces of it ever being there so it can not be examined" - it is a single executable that exists in the same state both before and after it has been executed.

3.) The CNET Installer is not powered by OpenCandy, though CNET has partnered with OpenCandy for use elsewhere. (See TechTracker) Thus, it doesn't make sense for CNET to deny any/all connection to OpenCandy.

4.) Other security software vendors, including Microsoft, Symantec, and McAfee, detect & report OpenCandy in various downloads from CNET, but state the CNET Installer is clean. Not to mention that the CNET Installer does not have the same hashes, create the same files, or conduct the same set of activities as either InstallCore.b, which NOD32 reported, or OpenCandy, which none reported in the CNET Installer. All of that points to it being a false positive.

I am not looking to defend the CNET Installer, just point out the holes in these particular claims/suspicions/beliefs concerning it. It is one of the reasons I created the sticky on the recent changes - there are reasons to be upset, but also a lot of FUD surrounding the changes that detracts attention from the real issues. Peeling back fact from speculation will hopefully help get the real issues addressed.

John

How I enjoy bullet points
Aug 31, 2011 1:34AM PDT

1. If it is downloaded it exists on the hard drive. If it is executed it exists in memory. I know that some think that a program must have a folder created and changes to the registry stating it exists to consider it "installed". My definition of installed is anything that is placed on the hard drive and can then be executed to perform the task it was written for. As we have read throughout a lot of these posts, most users did not know what this was and their confusion and trust of CNET download.com led them to run it. The fact that CNET download.com places in a very large font the download link for the wrapper and in very small font the download link that requires the user to log in to do a direct download says 2 things. First is that they want a user to use the wrapper without knowing what they are getting into. Second is that the fact they make you sign in to do a direct download states they are going to track (spy) on what we are going to download. If the links were the same size, with a clear explanation of what the wrapper was going to do, and also let the user do a download without signing in, it would show they did not want to keep track (spy) on our download habits. How can you state that Merriam Webster or any of the other dictionary sites that state the same thing can not be sufficient?

2. As I have stated, I have not used it so I will concede this point until further evidence comes forward.

3. It is good someone states that it is not powered by OpenCandy. I would feel better if a CNET employee had made the statement. OpenCandy, by its own FAQ, states it collects data, as does the FAQ for the CNET wrapper. This line is in a paragraph titled "Downloads that use the CNET Installer": "Any data we collect is in strict compliance with our privacy policy." If it is collecting data it is spyware.

4. The biggest reason other sites are not jumping on this is because they are also involved in data collection on their users. Microsoft and Symantec being the worst offenders. That was the primary reason I dropped Nortons AV as my main protection. McAfee I can not comment on because I have never used it and have never considered them a major player in the AV market. I know they have a lot of users who swear by them, but that is one AV company that will never protect anything I set up.

So, what we come down to is that the definition offered by 2 dictionary sites is not sufficient on how we define spyware. My definition has always been and always will be anything that transmits data that will be collected and saved forever on what I do or have on my hard drive. I agree that we have to peel back the speculation on this, but just looking at how they have set up the font size of the 2 methods to do a download indicates that CNET knows the old trick that the human eye and brain is always drawn to the larger of 2 items and will go that route. In my opinion they are using questionable methods to get the user to download it and use it. That alone speaks volumes about this new wrapper.

Definitions...
Aug 31, 2011 5:42PM PDT

Webster's definition of install ("to set up for use or service") is vague; most computer users would lean more toward Wikipedia's explanation, excluding standalone executables from performing installation, though not a point I wish to argue as people's interpretations vary widely. Regarding insufficiency, though, consider:

1.) There are 100+ words added every year. Last year, Webster said "I tweeted that to all my followers" meant you "chirped" it, like a bird. I'd call that an insufficient explanation, since expanded to include the word's new meaning. Unfortunately, dictionaries have to play catch-up to words we invent/repurpose over time.

2.) Dictionary definitions are often vague to keep them short and allow for variations. For instance, look at Webster's definition of computer - by that, many televisions, microwaves, calculators, and even watches are computers. Which may be technically accurate since they perform those functions through use of a computer chip. However, few would say "I just bought a new computer" and then show off the $20 watch that can store people's names & phone numbers. Just goes to show the disconnect between "official" definitions and how people actually define/use words.

3.) Those spyware definitions exclude spyware that does not require installation, collects information aside from browsing habits/personal data, does not result in commercial gain, is installed with a user's knowledge, and/or stores the data locally instead of transmitting over the internet. For instance, if I installed spyware on your computer to record your chats (for non-commercial gain) and had the logs stored on a hidden flash drive that I swapped out weekly, both definitions would say it is not spyware at all though I believe we'd both agree it would be spyware.


Now, you're right that many sites/companies will not criticize the CNET Installer because they use similar tactics. Regardless, name a "major player" aside from NOD32 and the scan will turn up clean. Or look at the characteristics of NOD32's detection and note that they do not match those of the CNET Installer. Either way, still a false positive.

Bottom line: I too believe the intention is clear - get most people to use the installer and accept the unrelated software it offers. However, the CNET Installer being flagged in the VirusTotal scan was a false positive.

I am not sure
Sep 1, 2011 1:13AM PDT

I think we agree with each other, we are just saying it in different ways. While you use the word virus to say that it is a false positive I use the word Spyware to say it is not a false positive.

In the end I think we both agree that this is not a good way for CNET download.com to behave. My biggest problem with it is how it is being distributed and the use of the font sizes to direct the user to the wrapper. It is my belief that they are abusing the trust people have developed over the years. I will steal a line from another moderator who has defended OpenCandy and this wrapper. Let the users vote with their mouse clicks.

I will also give a word of warning to all who want to listen. Take your Firewall out of the auto mode and make your own decisions on what gets access to the net. Programs like this are going to be in the white list and you will not even know they are phoning home.

Two things...
Sep 1, 2011 6:39AM PDT

First, I didn't use the word virus; that was the original poster. All I said was VirusTotal, which is a site that scans files using multiple virus/spyware/adware/etc. scanners. And I'm saying it's a false positive for all of the above - it's not a virus, it's not spyware, and although it displays ads it's not adware either. Hence my #4 on the evening of 8/30.

Second, I would never recommend anyone but experienced users take their firewalls out of auto mode simply because most users don't know enough about what to allow and block, and to what degree. They should ideally learn enough to make such decisions, but to just flip the switch without such knowledge is a foolish decision.

John

Ok Maybe we do not agree
Sep 1, 2011 7:37AM PDT

Agreed, you never used the word virus and I apologize for making the statement in the form that I made it.

From the beginning, I have made the claim that I, keyword is I, see it as spyware because it phones home with data. What the data is I do not know. I also used 2 sites with basically the same definition as spyware as I do. CNET admits that they collect data from the wrapper. They have this statement in a paragraph titled Downloads that use the CNET Installer.

Any data we collect is in strict compliance with our privacy policy

I also question how they determine what program to recommend to you for a second download. I am sure they are not going to recommend a program you already have. Are they just taking a shot in the dark about what you have and do not have, or are they generating a list and then asking the wrapper if that program is already installed? I think that each reader needs to ask themselves if they want a program that may or may not be collecting data and phoning home to make recommendations to them.

As far as the firewall is concerned, I will stick with my advice to all who want to listen. Turn off the auto mode and learn how to use the firewall. Using a firewall does not require a user to have a PhD or any other high level of education. When a firewall is in the manual mode it will alert you to any program that will try to access the net and ask you if you want this to happen. The only Windows 7 program that needs access is the Windows Process for Windows Services. I have it and 2 browsers, 1 chat client, and a sub program for a browser. That is 5 total that get total access to the net. It does not take rocket science to know these things. I have 4 set to ask if they can access the net. One of them is java. That alone has saved me more than once. Some version of malware will open java to download and deliver its load. When I get an alert that java is trying to access the net and I know that java should not be open I get real suspicious. I can then go to the firewall log and look at the IP that it is trying to access and know if it is going to be good or bad. If I had it in auto mode java would have been allowed out and then it would have been up to my AV program. The rest of the programs on my puter are black listed and do not have access.

Security on a puter or anything else is supposed to be a layered approach and the more layers the better you are. By having it in manual mode one layer of security caught the problem and I did not have to count on another layer. Very simple. Just remember that the most important piece of puter security is the object between the chair and keyboard.

If you're using a firewall in the auto mode you're saying that you trust these companies to make these kinds of decisions for you. Big mistake! I once sat down at a puter where the firewall was in the auto mode and opened up the white list of what was allowed out of and into the puter. Just about everything on the puter had been white listed. It took me a total of 15 minutes to teach the user the fundamentals of how a firewall worked and they now have a much securer puter.

If you or anyone else places total trust in a major corporation whose sole position is to make profit at all cost, even to the detriment of the user, that is fine with me. I just like to ask why? Just remember, the reason that the major corporations want your firewall in the auto mode is so that their spyware that makes them money can gain access to the net.

RE: Ok Maybe we do not agree
Sep 1, 2011 10:47PM PDT

Reached the thread depth limit, so continuing here...


"I see it as spyware because it phones home with data. What the data is I do not know. I also used 2 sites with basically the same definition as spyware as I do."
-> That's my point exactly. Those definitions, as I previously explained, are too simplistic, as is yours. Your browser 'phones home with data' every time it checks for updates. So does your security software, chat client, Windows, etc. You don't classify those as spyware, do you? Your points about not knowing what data's transmitted and not being able to use the CNET Installer without that step are noted as legitimate concerns, but those by themselves don't make it spyware. After all, can you tell me exactly what your security software (and other software) transmits when it activates or updates? And can you still get the updates without allowing that transmission? I think the issue is your written definition of spyware does not adequately represent your actual definition, creating disconnects like this.


"I also question how they determine what program to recommend to you for a second download. I am sure they are not going to recommend a program you already have."
-> Actually, they do. They have a list of offers, presumably which vary based on the type of software you're downloading, and recommend one at random. That's why they recommended CNET TechTracker, even though I already have it (Plus version, actually), and made toolbar offers I had already accepted previously. (I installed in a clean virtual machine and watched all data/changes.)


"As far as the firewall is concerned[...]"
-> Agreed, but "learn how to use the firewall" is the key phrase. Until the user has done that, fully understood the ramifications, and learned how to properly research programs before making a decision (not all are as simple as your default browser), it's counterproductive to disengage auto mode. And in truth, most users don't want to put forth the effort such would take to do correctly.


John

Note: This post was edited by a forum moderator to fix forum formatting glitch on 09/02/2011 at 5:48 AM PT

I enjoy debating you the most
Sep 2, 2011 2:12AM PDT

The reason why is how you always make my points for me.

First, if you knew me well enough you would know that I do call some of the things you have mentioned spyware. You would also know that nothing on my puter is set to auto update anything. If an update occurs I am sitting at the keyboard as it happens and after it is done I do a full check on anything it can affect. I have said previously that security begins with the object between the chair and the keyboard. Let me cover how I view some of the things you mentioned in your first paragraph.

Windows = When it is time to do the update the only data transferred from my puter to the Windows update server is what files need to be updated. Now I do not know this for a fact because I have never bothered to actually capture the data and take a look see, but this is how it has been explained to me. The first thing that happens is that my update history is sent to the update server and the Windows server compares that list to the updates that are available. It determines what updates I need and then sends that list back to my puter. I then check the updates I want and the updates begin. That part I do not see as spyware. Just a simple transfer of what I need to be updated. Now I do see another part of Windows as spyware. It is called Customer Experience Improvement program. It is designed to monitor how the customer uses his puter and then phone home with the data. That is turned off on my puter and I used to monitor the files it generated to make sure that it is not collecting the data. I no longer do because I am confident that it is disabled and will not phone home. I could be wrong. Part of Windows 7 has a spyware feature by my definition but it is not the update feature.

Browsers = While I can not say for sure what my browser is or is not phoning, I have a high degree of confidence that it is not phoning home to check on anything. I have all auto updates turned off.

Security software = The reason I no longer use Symantec's Nortons AV is because it was turned into one gigantic piece of spyware. They use the excuse of being powered by the cloud to phone home about anything. I could not even download anything without it reporting back on it and coming up with some sort of recommendation on the download. If you use your host file to block the data collection servers they have (they call it the cloud) the program will turn the tray icon red and tell you you're not fully protected and on my puter shut everything down. I could go on for 3 more paragraphs on Symantec and their AV and Nortons 360 but yes, I do consider some of our security products spyware. ZoneAlarm being another glaring example. Keep in mind that I am referring to ZoneAlarm Pro, the version you pay for and is just a firewall. With the release of v10 they have decided that a firewall must be able to phone home to work. When I used my host file to shut down communication to what they call the cloud the firewall shut down and would not allow internet traffic. My current AV program does need to phone home to keep working. I am confident that when I ask it to update that all it does is send what my last update was and then it sends from that point on what I need to be current.

I do not consider sending what my last update was so the update server can determine what to send me to keep me current spying. This should cover your first paragraph.

Your second paragraph has one glaring word in it. The word is presumably. Is that the same as we should assume this? We all know what happens when we assume something. While you might be a trusting person who thinks the internet is all roses and is a safe place to play in, I have learned that you have to keep your eye on everything. I do not think for one minute they are just guessing at what program they are going to offer the user. As far as Tech Tracker, that is a program I would not use because as you have stated earlier it uses OpenCandy. I have no problem with others using it because they openly admit what is involved and they do not trick you into its use. I use the word tricked because, as I have stated in past posts, they have the CNET secure download button in REALLY BIG FONT and the sign in and direct download is in really small font. That is a subliminal trick used by many to GUIDE the user to click here. It is my most humble opinion that screams just what the motive is for this wrapper.

I agree that the user needs to learn how to use the firewall. As I stated it is not rocket science. The biggest thing the user needs to learn is, when a window pops up and says this program is trying to access the net, did he start that program. The only program period that I have had trouble trying to explain is java. There are a number of sites that use java and if the user is not familiar with which ones do, it gets them confused. I have had many who have been tricked into one of the user must approve malware sites which downloaded a package that then sought to access another site. When the firewall, which was set in manual mode, popped up a window saying this program was trying to access this new site they knew they had fallen for something bad and denied access. I think the most surprising thing I have found while teaching this approach was how many times they have said to me that they had no idea how many programs are designed to phone home. In the end they found out that what I told them was true and that all are designed to phone home and report some sort of user activity. I will stress that it does not take rocket science to learn these things. The sad thing is the big corporations online are pushing control over to the auto mode so they can spy on the user. I like to explain it by asking the user if they had a home security system would they turn over the keys to their house to the security company and allow them to decide who gets into and gets out of their house. All of them say no and then I ask them why do they allow a firewall to determine who gets into and out of their puter.

To close out, I do consider a lot of the programs you mentioned spyware. To offer a contrast, I do not consider Tech Tracker spyware because the information about it is available to the user. I do consider the CNET wrapper spyware because of how it is delivered and the lack of information available to the user. I also consider some of the security software offered today, because of its use of the cloud and its desire to phone home and report what the user is doing, spyware. In the end it comes down to how it is delivered and how much information is revealed to the user.
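
The manual-mode firewall policy described in the Sep 1 and Sep 2 posts above (a few programs with full access, a few set to ask, everything else blocked, plus the question "did the user start that program?") can be written down as a small log review. This is an added example, not part of the original thread; the log format, program names and addresses are constructed for illustration.

```python
"""Review outbound connection attempts against a three-tier firewall policy."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (hypothetical format): time, program, destination ip:port.
SAMPLE_LOG = """\
# time program dst
09:00:01 svchost.exe 203.0.113.10:443
09:00:05 browser.exe 198.51.100.7:443
09:02:11 Java.exe 192.0.2.55:8080
09:02:40 installer_stub.exe 192.0.2.80:80
09:03:02 java.exe 192.0.2.55:8080
malformed line
09:04:00 chat.exe 198.51.100.20:5222
"""

# Assumed policy tiers; anything not listed here is blocked by default.
ALLOW = {"svchost.exe", "browser.exe", "chat.exe"}  # full access
ASK = {"java.exe"}                                  # prompt on every attempt


@dataclass(frozen=True)
class Attempt:
    time: str
    program: str
    dst_ip: str
    dst_port: int


def parse_log(text):
    """Return (attempts, rejected_lines); malformed lines are kept for review."""
    attempts, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            time, program, dst = line.split()
            ip, port = dst.rsplit(":", 1)
            ipaddress.ip_address(ip)  # raises ValueError on a bad address
            # Windows program names are case-insensitive, so normalise them.
            attempts.append(Attempt(time, program.lower(), ip, int(port)))
        except ValueError:
            rejected.append(raw)
    return attempts, rejected


def decide(attempt, user_started):
    """Map one attempt to allow / prompt / prompt-unexpected / block."""
    if attempt.program in ALLOW:
        return "allow"
    if attempt.program in ASK:
        # An "ask" program the user did not launch is the case the post flags.
        return "prompt" if attempt.program in user_started else "prompt-unexpected"
    return "block"


def review(text, user_started=frozenset()):
    """Summarise every non-allowed program with its verdict and destinations."""
    attempts, rejected = parse_log(text)
    started = {p.lower() for p in user_started}
    findings = defaultdict(lambda: {"decision": None, "count": 0, "destinations": set()})
    for attempt in attempts:
        verdict = decide(attempt, started)
        if verdict == "allow":
            continue
        entry = findings[attempt.program]
        entry["decision"] = verdict
        entry["count"] += 1
        entry["destinations"].add(f"{attempt.dst_ip}:{attempt.dst_port}")
    return dict(findings), rejected


if __name__ == "__main__":
    results, bad_lines = review(SAMPLE_LOG)
    for program, info in sorted(results.items()):
        print(program, info["decision"], info["count"], sorted(info["destinations"]))
    print("unparsed lines:", bad_lines)
```
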