failed download ( not the right topic I know)

Started by jcfuller, October 24, 2025, 01:27:57 PM


MrBcx

Quote from: Robert on October 25, 2025, 05:54:05 PM
Hi James and MrBcx:

The bc.exe in BCX830.zip is now clean on VirusTotal.  ???

You recall that this happened before with some harsh words and hurt feelings. Hopefully, we've moved beyond that and can find some way to deal with this.

I was thinking a sha256sum on the .exe but if the problem is a Man-In-The-Middle then even that is not going to help.

Anyway, I'm glad that, for now, the problem has been resolved and we can get back to bit-twiddling at whatever risk-aversion level we choose.

Hi Robert,

The reason for providing a sha256 hash check for downloads is to guarantee that the files
have not been tampered with.  If even 1 bit is changed in the zip, the sha256 hash won't match.

I want people to do what they are comfortable doing.  That's all.
 
GROK gives an informative summary on the subject of using SHA256 file hashes:
-----------------------------------------------------------------------------


SHA-256 hash checks are highly reliable for zip file verification, as they provide a robust way
to ensure file integrity and authenticity. Here's a breakdown of their reliability and considerations:

Why SHA-256 is Reliable:

Collision Resistance: SHA-256, a cryptographic hash function, produces a 256-bit (32-byte) hash value
that is practically unique for every distinct file. The chance of two different files producing the
same SHA-256 hash (a collision) is astronomically low (approximately 1 in 2^128, or 10^38), making it
highly reliable for verifying file integrity.

Integrity Verification: If even a single bit in the zip file changes—due to corruption, tampering, or
transmission errors—the SHA-256 hash will differ significantly. This ensures you can detect any
alterations or errors in the file.

Widely Trusted: SHA-256 is part of the SHA-2 family, which is widely used in security applications
(e.g., SSL/TLS, blockchain, and software distribution). It is considered secure and reliable by
cryptographic standards as of October 2025.

Deterministic Output: For the same input file, SHA-256 always produces the same hash, ensuring
consistent verification across systems and platforms.



Limitations and Considerations:

While SHA-256 is highly reliable, there are some factors to consider:

Source of the Hash:

The reliability of the verification process depends on obtaining the correct SHA-256 hash from a
trusted source. If an attacker provides a tampered file along with a matching (but fake) hash,
the verification could be misleading. Always retrieve the hash from a trusted source, such as
the official website or a verified distributor.

No Confidentiality: SHA-256 ensures integrity but does not encrypt or protect the file's contents.
If confidentiality is needed, additional measures (e.g., encryption) are required.

Tampering Detection Only: SHA-256 can confirm whether the file matches the expected hash but cannot
repair a corrupted file or indicate what caused the mismatch.

Computational Overhead: Calculating the SHA-256 hash for large zip files can be computationally
intensive, though this is rarely a significant issue with modern hardware.

Theoretical Vulnerabilities: While SHA-256 is currently considered secure, future advancements in
cryptography (e.g., quantum computing) could theoretically weaken it. However, as of October 2025,
no practical attacks on SHA-256 have been demonstrated.

Best Practices for Using SHA-256 for Zip File Verification:

Verify the Hash Source: Obtain the reference SHA-256 hash from a secure, trusted source (e.g., the
official website of the software provider).

Use Secure Tools: Use reliable tools to compute the hash (e.g., sha256sum on Linux, Get-FileHash on
PowerShell, or trusted third-party utilities like 7-Zip).

Secure Transmission: Ensure the zip file is downloaded over a secure channel (e.g., HTTPS) to prevent
man-in-the-middle attacks.

Combine with Other Checks: For critical applications, consider additional verification methods, such
as digital signatures (e.g., GPG or code signing), to confirm authenticity and integrity.

Practical Example:
To verify a zip file using SHA-256 on a Linux system:

Obtain the expected SHA-256 hash from the trusted source.
Run the command: sha256sum filename.zip.
Compare the computed hash with the expected hash. If they match exactly, the file is intact and untampered.

Conclusion:

SHA-256 hash checks are extremely reliable for verifying the integrity of zip files, provided the reference
hash comes from a trusted source and the verification process is performed correctly. It is one of the most
robust methods available for ensuring a file has not been altered or corrupted. For added security, combine
SHA-256 verification with other cryptographic methods like digital signatures when authenticity is critical.


Robert

Hi James and MrBcx:

The bc.exe in BCX830.zip is now clean on VirusTotal.  ???

You recall that this happened before with some harsh words and hurt feelings. Hopefully, we've moved beyond that and can find some way to deal with this.

I was thinking a sha256sum on the .exe but if the problem is a Man-In-The-Middle then even that is not going to help.

Anyway, I'm glad that, for now, the problem has been resolved and we can get back to bit-twiddling at whatever risk-aversion level we choose.

MrBcx

Quote from: jcfuller on October 25, 2025, 04:39:31 PM
You changed the bc.exe file didn't you :)

James


I know you're kidding James but you would know if I edited the post because the forum
leaves a tattle-tale on the top of the post.  For example, here's a tattle-tale from a
post that JBK edited yesterday:


October 24, 2025, 04:25:07 AM            Last Edit: October 24, 2025, 04:28:58 AM by jbk



jcfuller

Kevin,
  I followed your suggestion.
Created a folder and excluded it.
Came here and instead of just clicking on the download link I right clicked and selected Save link As
Bcx830.zip was saved, no issues.
Opened it with 7-Zip and saved it to my BcxSource folder.
Copied bc.exe to my BcxAdp Folder
Compiled a couple apps no issues.

But it appears I did not need to do that!
I tried a normal click on your download link and all went fine.

You changed the bc.exe file didn't you :)

James

MrBcx

I think it's important that people decide for themselves the level of risk that they can tolerate.

One part of all decision making should come from being informed.

I downloaded Bcx830.zip to an excluded folder, unzipped the contents, and moved Bc.exe
to a newly made, Windows Defender monitored folder off my root.  From inside Windows Explorer,
I right-clicked on Bc.exe and selected "Scan with Microsoft Defender".  The scan took 1 second.

MS Defender reported: 

No current threats
Last Scan: 10/25/2025 1:47 PM (custom scan)
0 threats found.
Scan lasted 1 second
1 file scanned.


Robert

Quote from: jcfuller on October 25, 2025, 01:52:28 PM
Thanks Kevin, I did do a refresher but like Robert I still have issues.
Defender flags it right after it's downloaded so I can't designate bc.exe as ok.
I will not have Defender ignore my download folder.

I am no longer set up to compile the source so I'm SOL.
Time to retire completely from coding I guess.

James



Hi James:

If I can get a clean BCX 8.3.0 compiled, I will send you a copy.

Like you, I do not possess the hubris to allow myself to think that I know better than my security so I do not white-list anything.


MrBcx

Quote from: jcfuller on October 25, 2025, 01:52:28 PM
Thanks Kevin, I did do a refresher but like Robert I still have issues.
Defender flags it right after it's downloaded so I can't designate bc.exe as ok.
I will not have Defender ignore my download folder.

I am no longer set up to compile the source so I'm SOL.
Time to retire completely from coding I guess.

James


James,

Don't be a quitter.

If you already have an excluded folder, just temporarily change your browser's
download folder to that, download the file, then reset your browser's download folder.

Easy Peezy

jcfuller

Thanks Kevin, I did do a refresher but like Robert I still have issues.
Defender flags it right after it's downloaded so I can't designate bc.exe as ok.
I will not have Defender ignore my download folder.

I am no longer set up to compile the source so I'm SOL.
Time to retire completely from coding I guess.

James


MrBcx

James,

You probably know this ... on a Windows 10/11 machine, you can create exclusions for files and folders.
Exclusions tell Microsoft Defender to keep its nose out of your business.


Step-by-step guide

Open Windows Security (Settings | Privacy & Security | Virus & Threat Protection)

Inside Virus & threat protection.

Under Virus & threat protection settings, click Manage settings.
Scroll down to the Exclusions section and click Add or remove exclusions.
If a User Account Control prompt appears, click Yes.
Click the + Add an exclusion button.
From the dropdown menu, select Folder.
Use the file explorer to locate and select the file or folder you want to exclude
 


Robert

Quote from: jcfuller on October 24, 2025, 01:27:57 PM
I have not coded in quite some time but I do try to keep up with updates.
I retired all but one of my Win10 boxes and set up a small Win11.
I have Bcx829 up and working fine on the Win11 setup.
I just followed the prompts when setting it up using my MS account.

I spent a lot of time trying to figure out how to allow Bcx830.zip without completely turning off defender without success.

Just to see how many other Virus apps flagged the Bc.exe in Bcx830.zip I fired up my Linux machine, downloaded Bcx830.zip (without being logged in?), extracted bc.exe and submitted it to Virus Total. Microsoft was the only one out of 70 that flagged it.


James


Hi James:

I have had the same experience.

To get around the immediate problem, I downloaded BCX830.zip on an atomically secure Linux, stripped out the .exe and ported the source code to the Windows machine.

If you decide to do that, even then, be cautious after compiling and be sure to check your compiled .exe on VirusTotal to be sure it's clean. Do that from your Linux machine because Wacatac and Wacapew can totally destroy Windows security and send you to places you really don't want to be. These are top level state-actor stealth infections.

jcfuller

I have not coded in quite some time but I do try to keep up with updates.
I retired all but one of my Win10 boxes and set up a small Win11.
I have Bcx829 up and working fine on the Win11 setup.
I just followed the prompts when setting it up using my MS account.

I spent a lot of time trying to figure out how to allow Bcx830.zip without completely turning off defender without success.

Just to see how many other Virus apps flagged the Bc.exe in Bcx830.zip I fired up my Linux machine, downloaded Bcx830.zip (without being logged in?), extracted bc.exe and submitted it to Virus Total. Microsoft was the only one out of 70 that flagged it.


James