I just purchased FU 2.5.  Keep in mind that I've used the freeware version that was at SourceForge for a long time, and I know it's good software.  I've never had it fail me.

Figured I'd upgrade and get the improvements.

One problem:  AVG7 Free Edition swears both the Lite and Full edition setup .exe files are virus-infected.

I've gone through the threads here regarding the matter, and I'm not satisfied with the "answers".

The simple truth (and I'm a security consultant) is that the development and/or distribution sites -could- have been compromised.  The system on which the builds are made could have been compromised in such a way as to infect any packages built with whatever setup bootstrap creator is used.  I do -not- tacitly accept the claim that it's "clean" because it came from official channels.  Official channels can be compromised.

I want one of two things:

1) A version that passes virus checks.  I cannot even begin to enumerate the amount of software I download that is cleared by AVG.  This is the first and only time I've seen an alert.  If it can't pass a virus scan, I err on the side of caution.  Therefore, it's not getting installed until we get a clean version that will pass virus and spyware checks under -all- virus scanners.  (I wholly reject the notion that just because it checks clean under, say...avast!...that it's clean; perhaps avast! isn't as stringent as AVG, and "doing it anyway" on the assumption of a false positive is potentially harmful.)  If we do not see such a release, this leads to...

2) A refund of the funds paid.  I could force a PayPal resolution right now.  I'm giving the vendor a chance to do something about it before I have to play a little rougher, especially in light of how good the original program was before it went commercial.  As far as I'm concerned, unless a clean version is forthcoming, I made a good faith effort in paying for a product I cannot use without potentially endangering my computing security--something that will not happen under my watch--and I was just defrauded.

I would expect a response within one (1) week.

And to all those that claim, "It's just AVG," -how do you know-?  You have no idea.  Without careful forensic analysis, you have zero idea of whether or not the alert is authentic or a false positive.  Play roulette if you wish, but I consider it foolhardy.

1) What's your implication as regards my professionalism versus using or not using AVG?  In general, I've never had issues with the software.  Due to the fact that email NEVER touches my systems except as ASCII text through a terminal emulator connection to a Solaris server, I only use known-good web sites, and I only download from trusted sources, I don't even use active monitors--I don't need to because I don't practise risky behaviour, and I therefore don't need to take the sometimes >30% performance hit something like McAfee will incur.  I scan downloads automatically from my download manager as I get them, and I scan once a week for good measure, just in case.  I've had AVG catch things on other people's systems, and it's been 100% accurate until now.  I see nothing wrong with the product in general.  In fact, your statement about using Norton is rather ironic, since if -you- do a Google search for BSOD alongside a few other terms, you'll find that Norton actually BSOD's systems, interferes with applications, and in general is nothing I would ever put near a system.  The first thing I did after getting my laptop was -remove- the trial version of Norton that came with it, specifically because it's a known problem-causing application suite.

2) The fact remains that FU didn't used to have this issue.  I just rescanned the FU-Setup_LE.exe for FU 1.2 LE, and it comes up crystal clear on the same AV software.  Yet -both- 2.5 LE and 2.5 Full come up as infected.  You know, given that the actual triggering signature should change if the contents of a self-extracting bootstrapper -change- if it were the actual wrapper causing the problem, I'm thinking it's something about the contents.  Especially given that 1.2 LE is clean.  I've read that even 2.0 and I think 2.1 were clean--that this started at 2.5.

3) The fact that this showed up -after- the product has been taken off SourceForge only adds more suspicion that it could possibly be maliciously included by the developer.  I'm not saying it has been, I'm saying it could have been.

Bottom line:  There is no way in hell that I'm going to put it on a system from which I enter system passwords and other sensitive information when it could be installing a keylogger, trojan, or other nasty bits.

Your flat-out assertion that it's uninfected via a 3:1 report comparison only holds partial value.  I could install avast!, even get McAfee, and a couple other scanners.  The fact is, it tests positive on one, and I maintain--there is NO WAY without careful analysis of the file and its contents in a safe, controlled environment (that one doesn't care about losing...and I don't happen to have an extra system laying about for this purpose) to tell whether it's a false positive, or whether it's a bad signature triggering the alert.  You -can't- know.  You have no idea how avast! and Norton and NOD32 are written any more than you do how AVG is written.  You have no idea whose signature files are more inclusive or lax.  You have no definitive way (besides blind and unfounded faith) to tell whether those other three just lack signatures for a virus and your systems are actually more at risk of infection than you previously thought.

In short, you can attack my professionalism all you like; -I-, however, am not the person taking foolish risks with my systems and the sensitive information with which I'm entrusted, based on this mythical belief that the -other- software must not be wrong.  If AVG could be wrong, then the other three could all be wrong.  The odds don't favour it, but it's -possible-.  And I take it seriously enough to refuse to risk it.

And nobody can possibly ask you to risk your system (and indeed, a slew of other systems to which you connect) based on you having paid $19.99.  In fact, for $19.99, I expect software that doesn't set off red lights and sirens on -any- detector that works well; and AVG has never generated a false positive on me to date--not to mention past FU versions cleared it just fine, and I'm -not- the only one having issues with this.  In fact, I -did- do some reading yesterday, and several people using other virus scanners reported infection of 2.5 LE and Full.  They not only said what they were using in one case, but the actual reported virus name was entirely different, which means we're definitely not using the same software.  The fact that there is more than one AV out there flagging this is disheartening at best, and definitely a red flag to me.

I -did- some searching yesterday.  There were posts on videohelp.com that said people had actually confirmed that it's infected.  I don't know how much weight that carries, but I know what my software (which gets definition updates FAR more often than my old, bloated McAfee ever did) is telling me.  And again, some of those people were using different software, and not AVG.

As a developer myself, I'd also expect some responsiveness.  If this were my software (and I do publish software...ranging in the $250-2000 range), I'd have already addressed this and released new versions that test clean--or at least REPLIED to the private email that I sent to fairuse@fairusewizard.com and told someone that I'd check into it.  I haven't heard a peep since I emailed that address directly yesterday, right before posting here.  You start taking money for something, you start to bear a certain responsibility, no matter how many escape hatches your EULA contains.

Incidentally, as I understand it from a perusal of this forum, you're not even the developer.  "Ump" is.  Unless you're involved in development, system administration of the build systems -and- the distribution servers, or in charge of the build process, your steadfast claims that it's "clean" holds...oh, about zero water with me.  Unless those things are true and just unstated here in any thread I've read so far, you don't have the ability to vouch for it in any capacity other than as an enduser using software potentially just as fallible as you claim AVG is (which is actually so far a baseless claim--prove it IS fallible -WITHOUT- doing it by comparison to other products; prove that the file is actually not infected in a totally isolated fashion, manually, and I might actually believe something you have to say about it).  This isn't about scanner wars.  This is about one thing:  IS the software clean, or is it NOT?  In the absence of conclusive data where all scanners read one way or the other, it's in question without manual forensic analysis.

And obviously, -something- about it is different since earlier versions.  The developer doesn't actually have to do forensic analysis, assuming his source doesn't contain malware intentionally.  All the developer has to do is scan his system with AVG and find any problem it reports.  If it comes up clean and -then- the build still comes up 'dirty', I'd then look at the bootstrap compiler and make see what's going on.  As it is, it seems almost certain it's the contents that are in question.

And finally, frankly it's NOT the endusers' (all of us) responsibility to do the vendor's job.  He's releasing software.  He's taken software from entirely free to GPL free but commercial.  I've been in Linux since '93, and using FSF software (EMACS being the first that comes to mind) since '89.  I've nothing against the GPL, FSF, or charging for commercial versions of the software licensed under the GPL.  But the second he started mandating money for the full version, he put the onus on himself to release a quality product reasonably free of defect, and certainly free of infection.  I'll tell you something--if my interpretation of the law is correct (IANAL, admittedly), and someone -knowingly- distributes something with a virus and takes no steps to rectify the situation, they're in almost as much trouble as the actual author of the virus.  It's irresponsible, and it's unethical to ignore even the possibility.  They may or may not have written whatever may be the potential payload.  However, if the problem has been brought to their attention and they do nothing to address it, that's called negligence, and as far as I can tell from past cases about which I've read, they're potentially liable for damages.  It's not OUR job to vet HIS software.  It's his burden of responsibility--and he gets paid to do it.  If the price is too low, fine...I have no problems paying $49.99 instead of $19.99 for the software--if it scans verifiably clean.  If anyone should be going to AVG, it's -him-, not us.  It's his product that's being dragged through the mud based on AVG's (and apparently ewido and others') results.  Again, his problem as far as getting a clean bill of health or getting vendors to recognise his software as clean.  Not our problem.

OUR problem is that we've payed money (whatever sum...it could be $0.01, and it would be an issue) for software, in good faith, and it's currently flagged as unusable.  Nobody should be just ignoring a warning blithely if they're responsible about computing.  Sure, AVG -could- be faulty.  I  have no proof of that.  Frankly, it's not my job to obtain it, nor to convince AVG that something may be wrong with their software.  That's the job of the vendor whose software is flagged as infected.  You may not like that assertion, but -we- are paying -him- for software that is expected to have no malicious payload.  The burden of getting the situation resolved lies on him, not us.  We're the potentially injured party here.

Now, even if I were irresponsible enough to ignore the warning and install it anyway, on your word (for what that's worth)...  If it turned out you and all your other AV software are all wrong and there -is- a Trojan, and then sensitive data was destroyed or captured, that would be negligence on -my- part for not exercising due diligence when there's even a doubt.  But there would be culpability on the vendor's part for continuing to distribute something of which they have been made aware contains a problem.  That could be some hefty legal exposure, depending on how much damage was done as a result, were a trail documented.  The best bet is for the -vendor- to take their multiple $19.99 payments (it's no longer a donation...the button on the web site says "Buy"), get their act together, and contact AVG to work this out, vendor-to-vendor.  Of course, that assumes it's -only- Grisoft and formerly Ewido that have issues with it.  From what I read yesterday, it's not.  It's going to be cheaper to go back and forth with them on this themselves than it would be for me to do it and then charge  for the time I spend doing it (possibly proving he has to scrub his build/distribution systems after all, when he should have checked in the first place at the first report)--or worse, to be the defendant in a multi-thousand dollar (or worse) suit if something went tremendously wrong, despite everyone's best intentions, glowing reviews, and words of assurance.

That you would even presume to question my competance or professionalism by questioning my use of AVG as opposed to the alternatives is hilarious.  At least I'm -paying attention- to my software.  Lacking the resources to bear a burden that quite frankly is not mine to bear and fix the vendor's problem, I'm reporting it responsibly.  That you would recommend just blithely ignoring -any- positive reading without forensic analysis, based on a 3:1 (give me 20:1 with the 20 coming from recognised and respected vendors and I might buy into it) comparison, and saying I should install it anyway...is wholeheartedly irresponsible.  The fact that it's at least 3:2 based on what I read yesterday is even worse for your case.  You can hardly criticise my professionalism when you're recommending a wholly irresponsible course of action yourself.  At least I'm erring on the side of caution and prudence.  I just think you don't happen to like hearing where the responsibility lies on this one.  That usually happens in one of three cases:  1) someone has a personal vested interest in a product, 2) the product is almost religiously revered, or 3) it's a case of fanboy-ism where the vendor can do no wrong.  In any event, -I'm- being responsible in following up on this.  That's more than I can say for your flat-out dismissal based on flimsy "proof" that AVG is flawed in some way.

Okay, the -short- version of my above post?  Four words:

Due diligence.  Customer relations.

That sums it up.  -IF- there is a virus payload, and he's been made aware, he's at least partly responsible for further dissemination after that point.  You're very quick to attribute false positives to things, from the sounds of it.  I wonder just how little research and testing you actually do before jumping to those conclusions.  Hey, it's your system(s)...  I'm not risking mine.

As for that fabled 1%, that's the bit that'll bite you the hardest most times.  I connect to remote systems on a regular basis.  I can NOT afford to have my own systems compromised.  I'm staying on 1.2 LE until I get a decent 2.x that scans as clean.

As for the GPL, source being available, and the service of compiling, I'm not buying your argument.  There is zero guarantee that the binary dists are even built off the same source as is distributed, for one.  I haven't seen the 2.x series yet, but I thought I saw references to registration within the program--I can't imagine that source being made public, as it would defeat the whole purpose of any protection.  But that's beside the point.  If we pay for the service of getting a compiled dist, it's reasonable to assume due diligence was followed and that the dist is free of malware, period, the end.  It's also reasonable to assume that someone you pay money to actually -has- some sort of responsive customer service.  Or perhaps I'm just a holdover from the days when companies and individuals actually stood by their work on a regular basis, as I still cling to this belief.  I could buy busy.  I could buy personal issues--God knows I have several that prevent immediate responses, although I shoot for 24hr max turnaround.  But even long-term, 'vacation' autoresponders have been around since I've had email ('89) and before.  There's no reason one can't be set up.  Let me bottom line this:  He's not so tied up he won't still take the money.  General wisdom amongst the OSS/FSF crowd (and I was a regular on #linuxnet for 5+ years, know Alan Cox, Karl Asha, sct, quartic, and a bunch of people you'd likely recognise as contributors to the linux kernel, filesystems, GIMP, etc.) is that if you take GPL software and start charging for it, there had better damned well be Value Added.  That's more than compiling, that's -service- when something's amiss with the dist.  Sure, you can charge $1k for free GPL software--but you had better damned well stand behind it to justify it.

More or less good advice on general security that you gave out.  Except firewalls should primarily be in perimiter routers (personal firewalls are notoriously unreliable and easy to shut down via software, and should only be an augmentation to a real perimiter firewall), and I disagree with you on GMail.  The -safest- way to read mail is via ssh to a *nix server and use of a CLI MUA like mutt.  GMail still leaves you open to injection attacks upon your browser, links you can too readily click on, and you could be running it on a 'doze box, which leaves you susceptible to any of those holes.  Those problems go away with a CLI MUA on a remote *nix system.  Firefox is good as a browser, and I do concur about using alternate browsers.  There are rampant issues in the World of Warcraft community right now (and others...) with keyloggers being spread through browsers just by clicking on links to malicious pages.  That problem will exist in any web-based mail scenario; now how well your browser protects you becomes a very relevant point.

You know, I don't want to argue, but one of your points seems contradictory.  You say there's no value added for the $20.  What about the features that aren't enabled in the light version?

You also say that the full source is available at that URL.  Erm...which source?    Light or Full?  I can see where probably most (if not all) of that stuff could be #ifdef'd.  Point is, there's ambiguity.  The very existence of a full version negates your argument.  My additional argument is that if there is going to be a commercial edition, it should be supported at least on a "best effort" basis--which, to your credit, you previously agree with.

Just wanted to point out that the product lineup and your statement were at odds.

As it is, assuming it's just #ifdef'd code and nothing's actually missing (and assuming it's even the same codebase at all...there's no way to tell unless you download and compile it, for which most people don't have the tools), I'm still stuck with 1.2LE until this is verified or cleaned, one or the other.  I'm currently chalking it up to paying $20 postdated after about a year of use or whatnot, in which 1.2 has served me quite well.  I've paid more for less value, honestly.  *cough*Windows*cough* However, I find it naggingly irksome that the $20 didn't actually get me a (verified, non-risky) 2.5 as intended.

I've never meant any disrespect towards Ump or the product.  I'm simply frustrated with the situation, and the lack of a formal, official, indisputable resolution.  It's the indisputable part that's really important.  You admit you're not an official source of the files, and I question your assessment (and rush to judgement that a lot of software gives false positives; I agree some must, but likely not in the quantities you've cited).  As for official sources, two names:  FreeBSD, Jabber.  Both had security compromises on their download sites.  The FreeBSD one led to a full audit of several things.  The Jabber one was a complete fiasco.  Actually, I believe OpenBSD had an issue at one point, and it triggered a full source audit, line by line--which is why it's now arguably the most secure kernel out there.  Point is, "trusted" distribution sites are a misnomer, pure and simple.  In fact, MD5 and SHA1 sum files are a joke when the files are stored beside the very files they represent.  In reality, if you can alter one, you can alter the other -unless- one is protected by the equivalent of FBSD's immutable bit, which requires the system be brought to single-user mode to unset.  I'm not even sure why people bother with MD5 files, honestly, if they're sitting on the same server.  It's totally pointless if they'd take a few minutes to think about their deployment practises.  Bottom line:  Even "trusted" channels get compromised unknowningly--a point I made in my original post, and that you still have no way of verifying one way or the other, apparently.  And nobody's addressed the point.

Well, this is interesting.  AVG update came up when I rebooted today saying I was out of date (I manually update, as I hate the automatic scheduling shifting focus out of other apps).  I got the latest signature database.

Then I decided, on a lark, to re-download the full version of FU 2.5.  Lo and behold, it tests clean--no virus found.  "Well geez, did they maybe reroll the version?"  (I'd deleted the old .exe's on Friday morning.)  I downloaded the LE version and scanned it.  Also clean now.

So here I was, thinking that AVG may have fixed what you said was wrong.  Then I checked the News page on the FU site--and it -has- indeed been rerolled as clean.

I'm now 110% satisfied.  100% with the software, the extra 10% because even if it was a fairly silent reroll, it -was- rerolled in response to complaints.

I'd like to thank Ump for rerolling the distributions in response to this problem.  Profusely.  I know I can grouse a fair amount and be very adamant when I perceive a problem.  I also believe, however, that people deserve equal measure of praise when things are resolved, fixed, or just plain handled well.  I won't take up as much board space praising Ump as I did questioning the problem--but I'd like it formally known that I sincerely appreciate the fix and service as much (more, actually) than I disparaged the initial problem.

BTW, Afonic--good taste in songs.  Arguably my favourite on the album.  (Your signature quote.)

Thanks again, Ump!

How do we go about getting the updated copy?  I sent an email to the two addresses in the Paypal file...one is the same as support address on the website and the same address I sent a message too when this first occured.  The only other choice I see through Paypal is to file a dispute.

mmm... stil had an issue with my mailbox. I just answered you, could you please confirm that you got my mail ?

Cheers,

ump