totalcmd.net

Discuss and announce Total Commander plugins, addons and other useful tools here, both their usage and their development.

Moderators: white, Hacker, petermad, Stefan2

petermad
Power Member
Posts: 14739
Joined: 2003-02-05, 20:24 UTC
Location: Denmark

Post by *petermad »

Here is how the warning looks in SeaMonkey: http://madsenworld.dk/tcmd/totalcmdnetwarning.png

I just click "Ignore this warning"
License #524 (1994)
Danish Total Commander Translator
TC 11.03 32+64bit on Win XP 32bit & Win 7, 8.1 & 10 (22H2) 64bit, 'Everything' 1.5.0.1371a
TC 3.50b4 on Android 6 & 13
Try: TC Extended Menus | TC Languagebar | TC Dark Help | PHSM-Calendar
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

It's probably a false positive in one of the plugins, e.g. because it's packed with UPX or so. Only the site owner can fix it by removing the problematic plugin and reporting the site to Mozilla.
Author of Total Commander
https://www.ghisler.com
petermad
Power Member
Posts: 14739
Joined: 2003-02-05, 20:24 UTC
Location: Denmark

Post by *petermad »

Today I only get the warning when browsing on http://totalcmd.net/, not on https://totalcmd.net/

It is only when I enter a page for a plugin, not on the category pages and the main page.
License #524 (1994)
Danish Total Commander Translator
TC 11.03 32+64bit on Win XP 32bit & Win 7, 8.1 & 10 (22H2) 64bit, 'Everything' 1.5.0.1371a
TC 3.50b4 on Android 6 & 13
Try: TC Extended Menus | TC Languagebar | TC Dark Help | PHSM-Calendar
Flint
Power Member
Posts: 3487
Joined: 2003-10-27, 09:25 UTC
Location: Antalya, Turkey

Re: totalcmd.net

Post by *Flint »

Sorry for the delay with replying, I was on vacation and then had to catch up with many things… Some users in the meantime already contacted me about this issue and I replied to them, but I think I should also explain the situation publicly.

The problem is caused by 4 plugins which, although I cannot guarantee it, I myself am sure are false positives. (Why I think so: because on virustotal all the major antiviruses show the files as clean, and only several little-known tools show them as malicious, and, at that, not as a specific identified known malware, but a generic threat detected by heuristics which is known to give false positives now and then.) Since totalcmd.net uses a script for downloading, the Google panel declared as malicious not the particular archives but the whole download.php script, and now marks all pages with download links as dangerous. Kinda stupid in this situation, but logical, them having no knowledge of the internal code of the web-site.

Now, the main problem is, I have no real means to alleviate the problem. In the early days in a similar case I tried writing to several of those antivirus developers about false positives. Most of them were even hard to find on the Internet, some of them don't even have a means of giving feedback or reports (or I failed to find them); and even those whom I managed to contact, mostly ignored me, just one or two actually replied. So the only thing that remains available to me, is to do something with those files. Either remove them from the server completely, or encrypt the archives and specify the password in the description, just to break the automatic virus checks. Both these solutions are very ugly, and I'm not sure it's worth it, and in any case, since plugins on our site are managed by their authors themselves, it's not right to do it without the authors' consent. I have not yet decided what's the best route here.

If somebody has any useful ideas, I'm all ears.
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 10.52 / Win10 x64
ts4242
Power Member
Posts: 2081
Joined: 2004-02-02, 20:08 UTC

Re: totalcmd.net

Post by *ts4242 »

Are these plugins popular? Are they regularly updated? If yes, contact the authors and ask them to fix it, otherwise encrypt them as you said.

Another solution is hosting such problematic files on a dedicated Google Drive, OneDrive, Dropbox or whatever service.
Flint
Power Member
Posts: 3487
Joined: 2003-10-27, 09:25 UTC
Location: Antalya, Turkey

Re: totalcmd.net

Post by *Flint »

The link will still be there, and Google will continue to report it as malicious. Not to mention, our site tries hard to avoid keeping files on external resources. It happened many times in the past that a file was deleted and users were left with a broken link and no means to get the plugin from anywhere (some plugins got lost forever this way), so now all files must be present on the server, if not as a primary source, then at least as a mirrored copy.

The plugins are not new. Contacting the authors is in my mind, yes, but I don't see what they can do either. If a plugin or a program does something "suspicious" there's not much you can do apart from writing to the antivirus devs and asking to exclude the signature from detection (and keep doing it for every new version of the program). As I explained, it's not easy with those AV products that actually reported the positive in this particular case.
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 10.52 / Win10 x64
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: totalcmd.net

Post by *ghisler(Author) »

2Flint
Please create an account with Google Webmaster Tools:
https://www.google.com/webmasters/tools/home?hl=de
It works by uploading a small file provided by Google to your web space.

It should show you exactly which files they find suspicious. Then remove those files and resubmit the page via the control panel. That's what I did when Chrome suddenly found our older installers suspicious, and it worked.
Author of Total Commander
https://www.ghisler.com
Flint
Power Member
Posts: 3487
Joined: 2003-10-27, 09:25 UTC
Location: Antalya, Turkey

Re: totalcmd.net

Post by *Flint »

2ghisler(Author)
I already have it and I have the exact list of problematic plugins, that's not the problem. The problem is, removing the files without authors' consent is unethical (providing they are not actual malware, of course). Since our site content is managed by authors themselves, it's quite a different situation from yours.
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 10.52 / Win10 x64
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: totalcmd.net

Post by *ghisler(Author) »

Maybe you could move them elsewhere, or link to the wincmd.ru page for them, which is apparently not blacklisted? The way it is now, the site is unusable for most people.
Author of Total Commander
https://www.ghisler.com
Flint
Power Member
Posts: 3487
Joined: 2003-10-27, 09:25 UTC
Location: Antalya, Turkey

Re: totalcmd.net

Post by *Flint »

2ghisler(Author)
I'm sure wincmd.ru will soon get hit too. For example, when the issue arose, only http version of totalcmd.net was reported and not https, but now there are https links in the list too. wincmd.ru and totalcmd.net are actually the same site with the same DB and files, just different languages and skins, so it's just a matter of time when Google notices that wincmd.ru/download.php downloads the same "malicious" file as totalcmd.net/download.php.

Moving them to another place won't help either, Google will check that the same "malicious" file is downloaded and will keep the "bad boy" flag on.

I think I'll try and contact the authors and if they don't suggest anything better, I'll just stick to the "password-encrypt" workaround.
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 10.52 / Win10 x64
Usher
Power Member
Posts: 1675
Joined: 2011-03-11, 10:11 UTC

Re: totalcmd.net

Post by *Usher »

@Flint
Can you ask the authors of those plugins to recompile them with a different (newer) compiler version (or settings)? It helps many times.
Andrzej P. Wozniak
Polish subforum moderator
Flint
Power Member
Posts: 3487
Joined: 2003-10-27, 09:25 UTC
Location: Antalya, Turkey

Re: totalcmd.net

Post by *Flint »

2Usher
I'll include this suggestion, but I wouldn't hold my breath. Some of those files are from 2006, so I'm not sure if the author is even available…
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 10.52 / Win10 x64
ts4242
Power Member
Posts: 2081
Joined: 2004-02-02, 20:08 UTC

Re: totalcmd.net

Post by *ts4242 »

2Flint
Can you tell us the names of these plugins?
Flint
Power Member
Posts: 3487
Joined: 2003-10-27, 09:25 UTC
Location: Antalya, Turkey

Re: totalcmd.net

Post by *Flint »

Here they are. I broke the auto-links so that Google didn't strike this forum as well (not sure if it does second-level maliciousness flagging).

_http://totalcmd.net/plugring/TC_FavMenu2.html
_http://totalcmd.net/plugring/BootScreenView.html
_http://totalcmd.net/plugring/TCPlayer.html
_http://totalcmd.net/plugring/SVI_Eliminator.html
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 10.52 / Win10 x64
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: totalcmd.net

Post by *ghisler(Author) »

2Flint
Could you temporarily remove these 4, so the site gets going again, and put a note on the 4 pages that the plugin is temporarily unavailable? Who knows how long it takes until the authors will reply. I could also ask "progman13" to write replacement plugins (paid), he has already created a lot of replacements for us, for plugins which were abandoned and only exist in a 32-bit version.
Author of Total Commander
https://www.ghisler.com