
February 12th, 2014

Frustrating user experience from a shady download portal

We received a message from a customer informing us that when she installed avast! Free Antivirus, she also got an unwelcome toolbar installed from Conduit. After an investigation, we found that there are some shady characters providing our popular free antivirus protection with unwanted toolbars and other scams. Thomas Salomon, head of AVAST Software’s German Software Development team, looked into it further.

Today I was informed that some download portals have wrapped our avast! Free Antivirus with their own installer using our logos and brand name without even asking. From past experience, I know that this typically causes a lot of trouble and annoys users. So I thought to myself: OK, let’s be “John Doe” and test it out.

Unfortunately the experience I had was even worse than expected…

Download

First, I needed to think how a typical user would download avast! Free Antivirus. I guessed that it might be to simply type “avast download” into the search engine of his choice. I used Google in this case, and it came up with our own (avast) download page on top and some ads in the right column. These ads looked suspicious to me, but it’s possible that some users would be convinced to download avast! from these sites. One click later, I ended up at a site called softm8.com. I quickly spotted and clicked the avast! download option. Interestingly, the download was pretty small – actually too small to be an official avast! Antivirus installer. Anyway, I continued in my role as “John Doe” and ran the installer.

The experience begins

After starting the downloaded file it took a second or two for Windows to check the signature. Next, I noticed that the program I just downloaded was not issued by AVAST Software but by a company called “AVSoftware EOOD”.  This is definitely not us:


Ideally, this small piece of information would give someone the first hint that the software is not what he expects, therefore he should probably abort the download. For the experiment’s sake,  I continued by clicking “Run.” As a result, I ended up in a non-AVAST installer:


Please notice that it says “Copyright StartInstall.com.” How can avast! Free Antivirus be “Copyright” by that company? Why does that company have any right to use our brand within their product? Well, I didn’t care and clicked “NEXT” and got this screen:


Now the cloak of deceit parts slightly. Please note the grayed checkboxes underneath “Custom Installation.” They show what’s really done under the hood. A new search provider, a homepage, and a toolbar – each called “SafeSearch”– are going to be installed. Most users might assume that “SafeSearch” belongs to the security application they intend to install. But again, John Doe would probably click “NEXT,” so I did as well:


Another piece of software “SoftPlanet Software Assistant” was offered. It looked like a Software Updater (a functionality which – by the way – is already included in avast! Free Antivirus). The software is opt-out, which means if you don’t remove the check before “I agree to the Terms and Conditions, please install this offer,” you’ll get that software installed as well.

Behind the scenes

I clicked “NEXT” once more and got rewarded with the final product download:


But something was strange again. Please look at the 1.54 mb total download size: A full-featured antivirus like avast! Free Antivirus is much larger than this. So what are they doing here? I got the answer a couple of seconds later. This time the installer told me that it was ready to install the software on my computer:


However, shortly before the next screen got displayed, I noticed my mouse cursor turning into a spinning wheel for a few seconds. This normally shows that Windows is active in the background – but for what reason? Remembering that this installer was going to install “SafeSearch” into my Internet browser, I became curious. Maybe they had installed the toolbar, search provider, and homepage already silently in the background? A quick check by opening my browsers confirmed my suspicion. The homepage and default search provider of Firefox, Internet Explorer and Chrome were all redirected to “SafeSearch.” Additionally, IE and Firefox silently got a new toolbar as well. Only Chrome showed a blinking icon which informed me that a new add-on was available for install (which is one reason why we recommend Chrome).


Nice one. Thank you. Now all my browsers are filled up with an unwanted search provider, homepage, and toolbar. Additionally, I got another software tool named “SoftPlanet Software Assistant” installed. But there was still no avast! Free Antivirus.


Nothing in the end

I decided to continue in the (lengthy) installation process and clicked “NEXT” in order to finally achieve my goal: Getting avast! Free Antivirus installed. Unfortunately I got … nothing. Just a blank, black console Window. Even after waiting for several minutes nothing else happened:


What had happened? After some investigation, I noticed that the executable in question (SSDL46~1.EXE) looked corrupt as it had only a few hundred bytes in size. After looking into it directly, it became obvious what was going on: The “corrupt executable” actually was an HTML page which says “File not found.” (I opened the file manually in the browser and took the screenshot from there in a second test – so please ignore the different filename and file extension).


The only explanation for this result is that softm8.com removed our binary from their servers for some reason. Unfortunately, they did not remove the complete wrapper + our logo and description as well.

Summary

Nowadays a lot of reputable software gets bundled with some more or less strange software tools and/or toolbars against the will of the authors of the useful tools. In most cases this bundling is done by wrapping the original (good) installer of the reputable software with another installer and bundling it with third party software that nobody would install unless a trick like the one here is used. The user then gets “convinced” to install this software. It seems to be a profitable business for a lot of vendors and some download portals – otherwise they wouldn’t continue to do it.

On the flipside of the coin the PC’s user experience is seriously affected by all this, especially if this happens several times on the same computer:

  • Windows boot time increases into several minutes instead of just a couple of seconds.
  • The system becomes sluggish and sometimes almost unusable.
  • Tens of programs run in background and ask the user to pay for a solution (“cleanup”) for something which they basically caused themselves.
  • Browser experience suffers; Internet search results are full of ads and misleading links. The results the user was actually looking for are hidden behind popups, slide-in Windows and other annoying ads.
  • Every couple of minutes another popup asks for attention and steals the user’s time.
  • What all these tools are doing in terms of privacy is unclear as well.

The reputation of the author of the original product, whose name has been misused for this dirty business, gets seriously harmed. He has to deal with countless complaints from victims of this scam, like the one we received. With Windows and their PC becoming more and more unusable there are a lot of complaints about bad Windows, bad PC, etc. I guess that a lot of affected users will move from Windows to another OS like Linux or even replace the PC with something different like a Mac or a tablet. Does the PC/Windows industry really appreciate that?

What users could do

There are a couple of things users could do in order to prevent such an install experience:

  • If possible, download software from the original vendor’s homepage.
  • When running the downloaded installer, Windows typically asks for permission, “Do you want to run this file?” Compare the displayed publisher name with the vendor name before you click “Run.” If the vendor sounds suspicious, it’s better to abort the installation process.
  • During installation you should always run a custom installation. Although this requires some technical knowledge it shows you the “side dish.” Especially if something is grayed or written in small characters, you should become suspicious. Think twice about everything that sounds like “recommended to install,” “Accept offer,” “I agree to install,” etc.
  • Carefully read each page in the install wizard before you click “Next.”

If you follow these tips you’ll stay (hopefully) clean from unwanted software.
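The publisher comparison recommended in the tips above, together with a content check that would have flagged the HTML “File not found” page saved under an .EXE name, as an added PowerShell example (not code from the original post or from AVAST). The function name, its parameters and the expected publisher string are assumptions supplied by whoever runs it.

```powershell
# Added example: Test-DownloadedInstaller and its parameters are hypothetical names.
# Usage: Test-DownloadedInstaller -Path .\setup.exe -ExpectedPublisher '<vendor name>'
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Exact publisher name you expect, taken from the vendor's own site (assumption).
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $file = Get-Item -LiteralPath $Path
    $result = [ordered]@{
        File        = $file.FullName
        SizeBytes   = $file.Length
        IsPE        = $false
        SigStatus   = 'NotChecked'
        Signer      = $null
        PublisherOk = $false
    }

    # 1. Content check: a Windows executable starts with the bytes 'MZ' (0x4D 0x5A).
    #    An HTML error page stored under an .exe name does not.
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try {
        $head = New-Object byte[] 2
        $read = $stream.Read($head, 0, 2)
    } finally {
        $stream.Dispose()
    }
    $result.IsPE = ($read -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

    # 2. Signature check: is the Authenticode signature valid, and who is the signer?
    if ($result.IsPE) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $result.SigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) {
            # Simple name of the signing certificate's subject (normally its CN).
            $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
            $result.Signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
        }
        # Require a valid signature AND an exact (case-insensitive) publisher match.
        $result.PublisherOk = ($sig.Status -eq 'Valid' -and $result.Signer -eq $ExpectedPublisher)
    }
    [pscustomobject]$result
}
```

A wrapper signed by a different company returns `PublisherOk = False` even though `SigStatus` is `Valid`, which is the case described in the post: a correctly signed file from the wrong publisher.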

  1. realtebo
    February 13th, 2014 at 00:09 | #1

    I want to tell you I read your blog because of high tech level I found in your posts. Thanks.
    After this post, I can trust you and I’ll try for the first time avast on my win 8.1
    There is only one problem, for me, as Italian. To download avast, I need to walk through html.it download server… why don’t you offer a direct download? It’s more professional and you can avoid we can download something else even from html.it.

    Just a suggestion.. I hate 3rd party download ‘bloat’ web sites…
