Preamble: let me say, first of all, that my previous post wasn't intended as a moralizing rant, notwithstanding the tone, which may indeed sound a little "harsh": nor was it intended to start a fire. So, I apologize for any misunderstanding I could have caused. That said:
If DrWeb said it is infected, it really is, but maybe it was infected somewhere on the way... My DrWeb reports it is all OK.
P.S. We use DrWeb and it is much better than avast or AVG: it is updated daily and can really heal damaged files that are corrupted after AVG
First of all, I believe the probability for a program to be infected "along the way", during a transfer, is very low. Or, at least, I can't imagine how this could happen.
As to the "antivirus quality issue", instead, my opinion is that, until the day when finally somebody comes out with some sort of objective measure of antivirus scanners' efficiency, unquestioned and with which to objectively state an undisputed "hierarchy" of the products, any product will continue more or less to be worth any other - with the obvious exception of the rogue/fake scanners, which do more harm than good.
In order to claim that the antivirus X is better than Y, again in my opinion, one should effectively have been able to compare them "on the battlefield", by making them scan two or more machines infected with well-known (and not-so-well-known) viruses, and see what happens. Then, one should statistically analyze the data collected in such a way, and only at this point, on the basis of the results of such a comparison, could a final judgement of the kind "X is probably better than Y" be given. Otherwise, it's just a matter of taste.
As to this latter issue, I personally have been quite satisfied, in the past, with Antivir: but I left it and "converted" to AVG, mainly because 1) at that time a friend of mine, administrator of a huge Windows system, told me it was worth a try, 2) the main sectorial reviews, here, on the web, said it was worth a try, and finally 3) because I was tired of being forced, under Antivir, to replace the whole program every time I decided to update just the definitions.
Are these objective criteria? Of course they aren't. However, until now I have been quite satisfied with AVG, even if I must add that my Windows systems are quite protected (I don't use Windows to go online, and I always try to be extremely careful when I import files "from abroad" onto my PCs), so it's very likely that my satisfaction is grounded on mere personal, subjective and self-deceptive criteria, not much more effective than pure wishful thinking.
In the very end, this is one of the two main reasons why I "converted" to Linux, more than six years ago now. Am I more protected because of this? I don't think so, either... but one can't spend his/her whole life worrying about this kind of issue ;^D
Hashing/signing executables works as little as virus scanners do. It's treating the symptom, not the cause. If someone can hack into one server to upload a patched executable, he can just as well hack into another server to update a hash (or a signature, and spread a fake public PGP key). It is more work, of course, but it's possible. On the other hand, the vast majority of people don't check hashes at all and very, very few would probably check a PGP signature (I would not, for example) unless it's done automatically.
I agree with you as to the "symptom vs. cause" issue: but let me disagree on the rest.
True, if one is skilled enough to break into a server and replace a legit program with a fake, he/she will also be able to change a hash/signature/whatever with whatever else. But that will unquestionably be his/hers, and not yours, or the C::B development team's. The personal (and unique) data of your private GPG key, against which every public key claiming to be yours should be compared, would always be the definitive proof of the legitimacy of what I'm downloading, or of the contrary. I download the C::B installer, GPG-check it, see that it is apparently signed by the C::B development team, but that the signature I'm checking doesn't actually correspond to any legitimate public key of the team: and the thing ends there. Period.
Yes, I agree: this is still a cure for the symptoms, and doesn't yet attack the causes.
But even an aspirin can be of some relief if you suffer from rheumatoid arthritis. Alternatively, you can keep on doing nothing, because aspirin is just, well, aspirin (and a big business for Bayer & co.), in the hope that one day a final cure for arthritis will be found, and go ahead with your stoicism and your pain.
In other words - and I close: I believe that crypto-signing software would at any rate be a security improvement, even in the Windows open source community - where, on the contrary, there still seems to be a great "distrust" on this issue (I'm talking in general, here). This, even if, in the very end, users don't want any hassle and probably wouldn't check the signatures anyway, and the whole thing would be not much more effective than aspirin for arthritis...
But, again, this is just my opinion...
_____________________________________
P.S.: anyway... was it infected, or not?
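The check the post above describes, as an added example that is not part of the thread or of the C::B project: a "good" GPG signature only proves something if the signing key is the one you trust, so the script pins a fingerprint obtained out of band and rejects a valid signature from any other key. `PINNED_FPR`, the status lines and the team name are constructed placeholders.

```shell
#!/bin/sh
# Verify a downloaded installer against its detached signature AND a pinned
# key fingerprint, so an impostor key that gpg reports as GOODSIG still fails.
# PINNED_FPR is a constructed placeholder, not a real Code::Blocks key.
PINNED_FPR="0000000000000000000000000000000000000000"

# Parse `gpg --status-fd` output. Succeed only if a VALIDSIG line names the
# pinned fingerprint (field 3 = signing key, last field = primary key).
# $1 = status text, $2 = pinned fingerprint.
validsig_matches() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if ($3 == want || $NF == want) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Run gpg on a real file pair and apply the pinning check.
# $1 = downloaded file, $2 = detached signature (.sig/.asc).
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    validsig_matches "$status" "$PINNED_FPR"
}

# Constructed sample status lines in the format gpg emits, for illustration.
GOOD_STATUS='[GNUPG:] GOODSIG 1111111111111111 Example Team <team@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2024-01-01 1704067200 0 4 0 1 10 00 0000000000000000000000000000000000000000'
# Same user ID, but signed with a key nobody pinned: must be rejected.
IMPOSTOR_STATUS='[GNUPG:] GOODSIG 2222222222222222 Example Team <team@example.invalid>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2024-01-01 1704067200 0 4 0 1 10 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF'
```

Call `verify_download installer.exe installer.exe.sig` after importing the team's key; the pinned fingerprint must come from somewhere other than the download server.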