I am a recovering user of FileZilla. This wonderful free and open source FTP application has been a workhorse application at Proactive International, Mirye Software and Meshbox Design for several years. It does what it does very well.
But I made a terrible discovery last night. I went to SourceForge to download the latest version to install on a new Win 10 box and anti-virus software flagged FileZilla as containing malware. Surely it must be a false positive, right?
It isn’t. In fact, SourceForge explains what it is – it is their DevShare Plan to monetize (as in generate money from) applications so that their developers and SourceForge can make money.
In all fairness – SourceForge gives us this warning:
This installer may include bundled offers. Check below for more options.
But most people won’t notice that when they see the big green download button.
And it gets worse if you stray from SourceForge to third-party sites, as reported by PC World.
Chrome browser users are saying that Chrome won’t download FileZilla as it is identified as malware.
Sadly, by my own testing, I downloaded the alternative download version that is zipped, and got a warning that Windows 10 identifies FileZilla as malware. This was taken from the page linked from the “check below” warning on the SourceForge download page. So no, you can’t trust their alternative downloads either.
FOSS developers struggle to turn a buck, and I don’t doubt SourceForge has some non-nefarious reasons for using this method to generate revenue from developers and themselves.
But SourceForge is also ignoring what is being clearly stated by the community, Google and Microsoft – that SourceForge is relying on duplicity to install unwanted malware on your computer.