Update 07Jan2017. As of January 2017, all binaries are signed as Cyotek Ltd
Every so often, we'll receive a Google alert which has a link to HerdProtect or TotalVirus with a page merrily listing one of Cyotek's executable files are being a virus. I'll duly check these pages only to discover that while it might be one of our files (or a file with the same version information), it has been modified, renamed and then dumped in one of the Windows system folders attempting to masquerade as another component.
Official Cyotek programs don't go anywhere near your Windows system folders, nor do they try and pretend to be Windows Update or any other program. Finally, (with the exception of CopyTools (and not by default)), Cyotek programs don't try and run themselves at system start up.
This sort of thing isn't really great advertising for Cyotek, so I thought I would write this post reminding users to take caution when downloading files and to use common sense, along with outlining how you can check if the files are valid.
Firstly, try to download them direct from the software vendor themselves, or a trusted mirror. Cyotek setup programs do not include additional third party programs, they don't try and change your default browser, or install any browser extensions. If you download from a mirror, then make sure it's not a mirror that has that re-wrapped our setup program in their own "Download Manager" (even though it's against the license agreement to do that) that then tries to sneak in some other software.
All Cyotek products released since 2013 (bar a few exceptions around the end of 2014) are digitally signed - both the setup program and all EXE/DLL files within them that we have created. Third party program files may or may not be signed by their own authors, that isn't something we can control.
So what does this mean? It means that the files are guaranteed to have been created by Cyotek and so therefore in theory are safe. (Unless of course Cyotek has managed to distribute the certificate and keys outside the organisation, or our computers themselves are infected with nasties).
Currently the software is signed with my own personal code signing certificate, although that should hopefully change to a proper company one in the new year. We used to validate the certificates on start-up then refuse to run if they were invalid, but we disabled that check after the incident.
For the technically savvy, you can also check the file hashes - if the hash of the file you have download doesn't match the hash published by the software vendor then the file has been modified and should be suspect.
And of course, make sure your system is protected at least via UAC, firewalls and anti-virus / anti-malware.
To check if the file you have downloaded is digitally signed, right click the download and choose Properties from the context menu. This should then display a dialog similar to the one below. (These screenshots are from Windows 10, but the dialog hasn't changed much since Windows 95)
If the Digital Signature tab is not present, then file isn't signed.
If the tab is present, then it is signed - but that doesn't mean all is well.
To view the certificate, select it from the Digital Signature tab and click the Details button. This will then present a dialog similar to this image
The first page of this new dialog should state if the signature is valid or not, and who signed it. Currently for Cyotek products this will appear as
- Name: Cyotek Ltd
- Email: firstname.lastname@example.org
Products signed before January 2017 may have the following details instead
- Name: Richard Moss
- Email: email@example.com
(Although as StartCOM timebomb their certificates this is now a moot point)
If you then click the View Certificate button, yet another dialog will be displayed, this time displaying the certificate itself. All Cyotek products are either signed with StartCom certificates for recent releases, or Comodo for older builds.
If the digital signature isn't valid, this should be clearly shown on the properties dialogs of both the digital signature and the certificate itself.
If the file has been modified, the signature will be automatically invalidated - don't run the program, just download a fresh version from a trusted source.
Another reason why a signature could be invalid is because the certificate itself was revoked, as I have found myself. Letting the software vendor know there's an issue with their certificate would most likely be appreciated as they might not even know!
I couldn't actually take a screenshot of the Windows 10 protected desktop, but I did capture the Windows XP and Windows Vista prompts from our testing VM's. These prompts appear when you run an installation program that is digitally signed. Assuming you are sensible and haven't switched UAC off, you should see these sort of prompts whenever you run installation software.
As a I mentioned at the start, probably the best place to get Cyotek files is directly from Cyotek.com. While some mirrors pick up our files, we don't actively monitor mirrors or update them ourselves. And we never stick them on torrent sites. If you do download from third parties, check the digital signatures are present and intact.
- 2015-10-27 - First published
- 2017-01-07 - Added note about new certificate
- 2020-11-23 - Updated formatting