Tim,
 
I am posting this response to the public users@openoffice.apache.org where 
others may be interested in the same situation and have further suggestions.  I 
will forward this message to you privately, since your original message was to 
a private list.
 
I performed the same download on Windows 10.  I did not receive any warnings 
from the Internet Explorer 11 download security check.  
 
I also downloaded the Digital Signature file at 
<http://archive.apache.org/dist/openoffice/4.1.2/binaries/en-US/Apache_OpenOffice_4.1.2_Win_x86_langpack_en-US.exe.asc>,
the secure location for the signature at the Apache Software Foundation.
 
I used signature-verification software (GnuPG for Windows) to confirm that 
the language-pack .exe is the file that was signed, without any discrepancies.  I 
used the cryptographic signature check because it is the most difficult to 
forge and it will fail if there were any alterations after the signature file 
was computed.  Verification of the signature also confirms that there was no 
file corruption during download.  And it verifies that the signature was 
produced by one of the Apache OpenOffice release managers using their personal 
secret key to produce it.
 
Antivirus software will sometimes make false positive determinations.  Without 
seeing the exact message from your Norton Antivirus software, I do not know the 
basis that its programmer used for deciding to quarantine the file.  However, 
some antivirus software uses “reputation” to determine whether a file should be 
assumed guilty until considered innocent.  If there have not been many separate 
downloads of the English US language pack (since downloading the full 
installation is typical), that may be what happened.  And if Norton did not 
give a name for a specific malicious content, it may likely have been a 
reputation misfire.
 
SUGGESTION: In your Antivirus Options, see if you can have quarantined files 
not be automatically deleted.  Also, see if you can have downloads only be 
quarantined after checking with you first.  This will allow you to decide 
whether you want to allow a particular download and use other methods to 
determine a file’s authenticity when the download is something you know to be 
from a usually-reliable source.
 
That and other measures all give you more work to do to distinguish between 
false positives and actually-malicious software, unfortunately.  
 
It is difficult to do much about this at the project itself, although there 
might be improvements that could be made in how Apache OpenOffice programs and 
updates are made available.  Personally, I don’t expect that any time soon.
 
 
-   Dennis
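
The signature check described in the message above can be scripted so that it also confirms which key made the signature. The following is an added example, not part of the original message or of Apache OpenOffice: it assumes GnuPG was run as `gpg --status-fd 1 --verify FILE.asc FILE`, and the function name, the pinned fingerprint and the sample status lines are constructed for illustration.

```python
import re

# Status keywords GnuPG writes to --status-fd when a signature must not be trusted.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample data: not a real release-manager key or real gpg output.
PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Manager <rm@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-10-20 "
    "1445300000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Manager <rm@example.org>\n"

def check_gpg_status(status_text, pinned_fingerprint):
    """Return (ok, reason): ok is True only for a good signature made by the
    key whose fingerprint was obtained separately from a trusted source."""
    pinned = re.sub(r"\s+", "", pinned_fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", pinned):
        raise ValueError("pinned fingerprint must be 40 hex digits")
    good = False
    signer_fprs = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # skip human-readable output, which can be localized
        keyword, args = fields[1], fields[2:]
        if keyword in FAILURES:
            return False, keyword  # altered file, missing key, expired or revoked key
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # First field is the signing key's fingerprint; the last field is the
            # primary key's fingerprint on GnuPG versions that report it.
            signer_fprs.update({args[0].upper(), args[-1].upper()})
    if not good or not signer_fprs:
        return False, "no valid signature reported"
    if pinned not in signer_fprs:
        return False, "signed by an unexpected key"
    return True, "good signature from pinned key"
```

A good signature from a key other than the pinned one is rejected, which is the part of the check that ties the file to a particular release manager rather than to whoever holds some key.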
 
 
 
From: tim
Sent: Wednesday, November 18, 2015 06:22
To: secur...@openoffice.apache.org
Subject: Norton Antivirus Quarantines Open Office English Language Pack
 
I was surprised that my Norton antivirus software quarantined and removed file 
http://sourceforge.net/projects/openofficeorg.mirror/files/4.1.2/binaries/en-US/Apache_OpenOffice_4.1.2_Win_x86_langpack_en-US.exe/download
 
