[Caution] Download link serving different different hash variants of the same file, some signed, some unsigned

As per another conversation I’m having with another fellow on these forums, the “Free Download” link button on the main page is serving a range of different hashes to different people. Occasionally the hash matches the one that is listed on the “changes” page, and is signed. The other times, it’s a completely unknown hash that is not signed and according to the other user is getting flagged by Smartscreen as unknown and potentially sus.

Anecdotally, I received two different file variants with two different hashes, one signed, one unsigned, 10 seconds apart. No page refreshes, no different links. This strikes me as particularly odd and given the recent 3CX supply chain hack, should probably be approached with caution until Glasswire responds @Katie_GlassWire @Sean_GW

For reference, I received both of these files from the same link on the main page, seconds apart.

Official signed hash as per changes page - 916cd2f3ed8b599f7ace7639dc6763b272fdb21805f33da5b72b446899aa1c22

And then this unsigned, unknown hash, which was supposedly first seen in the wild several hours ago -

The other user was served an entirely different unsigned hash from exactly the same button on the same page.

Copying in two other affected users @hfew @daneknanek

Hi @Glass8723476834,

The version which is available to download from the main page is patched with utm tags. The original installer is available at the change list page and its hash is equal to the one we publish.


Hi @Katie_GlassWire, and thanks for the reply.

Could you explain to me (I genuinely want to understand because I’m perplexed) why there are so many different hashes for the same file? If hypothetically you were to patch one version with UMT tags, it still doesn’t explain why there are now 4 hashes for the current version (that I’m aware of - may be more). Also, are your UMT patched versions signed or unsigned? Lastly, why does the very same “Free Download” button on the main page serve completely different versions within seconds of reclicking it? I get unsigned unknown hash one time then signed official hash another time. There seems to be no consistency to how all this is working which is making it hard for me to understand.

Thank you.

I had the same issue with the “download glasswire” button in the management console, another user linked me to this thread, all I really want to know is, give all of the recent malware files hiding in official looking downloads and the hacks of companies, is the file that I’ve downloaded (via the management console link) and installed safe? Is there a way to check?

Submit the downloaded file to VirusTotal.com.

Have done that, what am I looking for? Nothing was marked as malicious but the hashes still don’t match

You asked how to tell if a file is safe. It’s pretty obvious that a consensus of that many AV engine scans saying it’s clean should give you peace of mind and all the assurance that you need.

Katie already explained that file hashes vary depending on where you download the file from. As long as VirusTotal shows the file in your hands as clean, you should be good to go.

Awesome! That’s a very good thing to hear :slight_smile:

Hi guys,

Thank you @zzz00m for your assistance :slight_smile:

1 Like