Glasswire install file not digitally signed and hash doesn't match

Downloaded the install file from glasswire official website and it is not digitally signed. In addition to this, the hash for 3.3.4.99 doesn’t match the sha-256 hash of the file I’ve downloaded:

The GlassWire site lists the sha-256 hash as:
916CD2F3ED8B599F7ACE7639DC6763B272FDB21805F33DA5B72B446899AA1C22

The hash I get from virustotal with the file I download is: a693c2c6d577eaf5e4d36b0195e449b2840710aa0c14fce282fa1f459b3d9e6d

They don’t match. Is this typical?

So the hash you’ve given above is mentioned under the change list page and the link to the file that gives the corresponding hash is available for download via the hyperlink next to the most recent change list entry.

As for the other hash you’ve provided, I can only assume you downloaded that from the Glasswire homepage where it says “Free Download”? If I click that, I get a download file with a completely different hash to yours, that isn’t listed anywhere on their website, and when I submit it to VT I need to upload it and it appears that it is the very first submission for that particular file, ever. Perhaps they’ve made changes to the file since you posted here? Do you get a file with a hash of 317 something if you download it again now? It is also unsigned, whilst the one from the change list is signed.

Very strange, but given the extremely lackluster support I’ve witnessed in these forums for paying customers having issues with Glasswire losing its VT functionality, it not installing properly for a lot of people for over a year, and it making compromising changes to people’s Windows Firewall without ever notifying them or being fixed, I’m sadly not surprised.

I’ve periodically re-downloaded the file from the “free download” link and I get a different hash… sometimes. None of these are signed. Users from a different forum also get different hashes from me. Each file (except the one with the correct hash) received an Edge SmartScreen warning for being not commonly seen. Since we’re almost on the eve of the 3CX supply chain hack I don’t feel comfortable running this file. Is it malware? Is it legitimate?

What do you mean by compromising changes?

So I was speculating over the possibility of individual versions of the installer being dished out to each person downloading it, too, but it sounded unlikely and whilst far from an expert, it sounds logistically impossible unless all these hundreds/thousands of files were pre-compiled and kept in a repository until downloaded.

Your reports however of people on other forums also getting other hashes does make it all sound a bit odd. I’ve been using GW (paid) for a few years and it hasn’t been uncommon for me to encounter an unsigned file (I have about 7 installers collected over the past year or two, some signed, some not, last downloaded at the end of March), but I don’t recall ever having SmartScreen tell me that any of the installers were potentially sus. That said, I also don’t know whether a small operation like GW would be a target for something as large scale as what you were mentioning, but who knows.

As for compromising changes - there’s a thread on the forum somewhere about how the GW installer was setting Windows Firewall by default to accept all incoming connections when connected to a public network.

@Katie_GlassWire Some input from an official rep would be appreciated regarding the above mentioned matter.

I got the same problem. That’s why I want to follow the thread.

Ok, so this is weird.

I just re-downloaded the file again from the “Free Download” button on the main page, and got the same signed hash variant as per the changes page. Then 10 seconds later downloaded it again, from EXACTLY the same page, without even refreshing it, and I got a completely different unsigned hash. This is definitely something that needs to be responded to by @Katie_GlassWire.

10 seconds apart I got -
916cd2f3ed8b599f7ace7639dc6763b272fdb21805f33da5b72b446899aa1c22
and then
317050dfe5affb0748c1780ffbcd0ecd28428c9a37ed3c737f6fab6b15a4c8c5

If the file we’re being served (from the product’s main download page) isn’t digitally signed (when in my experience it typically is) and doesn’t match the hash listed on the site, that’s really suspicious.

When it initially happened, I figured they just forgot to update the hash but getting a different one multiple times is very strange. The softpedia glasswire download serves up the signed file with the correct hash… so you now have the peculiar situation where it might actually be safer to download and run the glasswire installer from a third-party site.

Here is what VirusTotal says about those 2 hashes:

916cd2f3ed8b599f7ace7639dc6763b272fdb21805f33da5b72b446899aa1c22

317050dfe5affb0748c1780ffbcd0ecd28428c9a37ed3c737f6fab6b15a4c8c5

For what it’s worth, I have multiple copies of a year-old version from the same link that have different hashes and are unsigned, so it’s not an instant red flag, though it is still most peculiar and an unusual practice to say the least.

Still waiting on word from GW.

Hi all,

The version which is available to download from the main page is patched with utm tags. The original installer is available at the change list page and its hash is equal to the one we publish.

Best,
Katie
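
Added example (not part of any post above and not GlassWire's own tooling): a PowerShell check for the two properties discussed in this thread, namely whether a downloaded installer's SHA-256 equals the hash published on the change list page and what its Authenticode status is. The function name `Test-Installer` and the path `.\installer.exe` are placeholders.

```powershell
# Added example. Test-Installer and .\installer.exe are hypothetical names.
function Test-Installer {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PublishedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # SHA-256 over the exact bytes on disk. Any change made to the file after
    # the vendor computed the published hash produces a different value.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Authenticode result: Valid, NotSigned, HashMismatch, NotTrusted, ...
    # HashMismatch means the file carries a signature but its content was
    # altered after signing; NotSigned means no signature is present.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # String -eq is case-insensitive, so upper/lower-case hex both compare equal.
    $hashOk = $actual -eq $PublishedSha256.Trim()

    [pscustomobject]@{
        File            = (Resolve-Path -LiteralPath $Path).Path
        Sha256          = $actual
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Pass only when both independent checks agree.
        Verified        = $hashOk -and ($sig.Status -eq 'Valid')
    }
}

# Published hash for 3.3.4.99 as quoted in the first post of this thread.
$published = '916CD2F3ED8B599F7ACE7639DC6763B272FDB21805F33DA5B72B446899AA1C22'

if (Test-Path -LiteralPath '.\installer.exe') {
    Test-Installer -Path '.\installer.exe' -PublishedSha256 $published | Format-List
}
```

A file that fails either check should be compared against a copy fetched from the change list page before it is run; the `Signer` field lets you confirm the certificate subject is the publisher you expect rather than just any valid signature.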