Max Source (After Download Ltd.) – 9% Detection Rate – InstallCore

Hello readers! Just a short post on a publisher called Max Source (After Download Ltd.) that I found while downloading “FileZilla” from SourceForge. Big thanks to Peter for letting me know about this download.

This is how Max Source (After Download Ltd.) appears when running the file:

[Screenshot: Max Source (After Download Ltd.) in the User Account Control dialog]

To get more details on the publisher, you can view the certificate by right-clicking on the file and looking under the Digital Signatures tab. According to the certificate, Max Source (After Download Ltd.) is located in Tel Aviv, Israel, and the certificate is issued by GlobalSign CodeSigning CA – G2.

[Screenshot: Max Source (After Download Ltd.) certificate]
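The same publisher and issuer details can be read from the command line for every installer in a folder. The PowerShell below is an added example, not part of the original post; the function name Get-InstallerSigner is hypothetical, and the watch-list strings are an assumption taken from the publisher name as it is displayed above (the exact certificate subject may differ).

```powershell
# Added example: list the Authenticode signer of each installer in a folder and
# flag publishers on a watch list.
# Assumption: the patterns come from the publisher name shown in this post;
# the exact subject string in the certificate may differ.
$WatchList = @('After Download Ltd', 'Max Source')

function Get-InstallerSigner {
    param(
        [Parameter(Mandatory)] [string]   $Path,              # folder to scan
        [string[]]                        $Patterns = $WatchList
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.msi' } |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            $cert = $sig.SignerCertificate      # $null when the file is unsigned

            # Publisher = subject common name, the string UAC shows as "Verified publisher"
            $publisher = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { $null }
            $issuer    = if ($cert) { $cert.GetNameInfo('SimpleName', $true)  } else { $null }

            # Match against the full subject so the organisation (O=) field counts too
            $subject = if ($cert) { $cert.Subject } else { '' }
            $hits    = @($Patterns | Where-Object { $subject -like "*$_*" })

            [pscustomobject]@{
                File        = $file.Name
                Status      = $sig.Status       # Valid, NotSigned, HashMismatch, ...
                Publisher   = $publisher
                Issuer      = $issuer
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
                OnWatchList = ($hits.Count -gt 0)
            }
        }
}

# Review everything in the current user's Downloads folder, watch-list hits first
Get-InstallerSigner -Path (Join-Path $env:USERPROFILE 'Downloads') |
    Sort-Object OnWatchList -Descending |
    Format-Table -AutoSize
```

A Valid status only means the signature verifies and chains to a trusted root; it says nothing about whether the publisher is the one you expected for that product, which is why the Publisher column is the one to read.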

It turns out that SourceForge.net has been into bundling for quite some time. Here’s a blog post dated July 2013 which describes the DevShare bundling program.

The reason I’m writing this blog post is that the Max Source (After Download Ltd.) file is detected by some of the anti-malware software at VirusTotal. Avira detects FileZilla_3.10.1.1_win32-setup.exe as Adware/InstallCore.765232, DrWeb classifies it as Trojan.InstallCore.52, ESET-NOD32 reports a variant of Win32/InstallCore.WI potentially unwanted, K7AntiVirus calls it Trojan ( 004b52261 ) and K7GW calls it Trojan ( 004b52261 ).

[Screenshot: Max Source anti-virus report]

Did you also find a file digitally signed by Max Source (After Download Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Here’s what the download screen looks like for FileZilla at sourceforge.net. It hints that something will be bundled by saying “provide you some options during the installation process…”

[Screenshot: SourceForge downloader]

Thanks for reading.